On 12/2/2019 5:19 AM, Thierry Carrez wrote:
> I'll defer to nova experts, but yes, it's a trade-off that depends on
> how much has already been migrated, and how often the remaining rootwrap
> commands are called. Looking at nova compute node it only has a couple
> of rootwrap filters left[1], but maybe the performance loss of dropping
> daemon mode there is acceptable.
>
> [1]
> https://opendev.org/openstack/nova/src/branch/master/etc/nova/rootwrap.d/compute.filters

I want to say mikal converted everything native to nova from rootwrap to privsep and that was completed in Train:

https://docs.openstack.org/releasenotes/nova/train.html#security-issues

"The transition from rootwrap (or sudo) to privsep has been completed for nova. The only case where rootwrap is still used is to start privsep helpers. All other rootwrap configurations for nova may now be removed."

Looking at what's in the compute.filters file, it looks like it's all stuff for os-brick, but I thought os-brick was fully using privsep natively as well? Maybe it's just a matter of someone working on this TODO:

https://opendev.org/openstack/nova/src/branch/master/etc/nova/rootwrap.d/compute.filters#L16

--

Thanks,

Matt