Matt Riedemann wrote:
[...] I want to say mikal converted everything native to nova from rootwrap to privsep and that was completed in Train:
https://docs.openstack.org/releasenotes/nova/train.html#security-issues
"The transition from rootwrap (or sudo) to privsep has been completed for nova. The only case where rootwrap is still used is to start privsep helpers. All other rootwrap configurations for nova may now be removed."
Looking at what's in the compute.filters file, it looks like it's all stuff for os-brick, but I thought os-brick was fully using privsep natively as well? Maybe it's just a matter of someone working on this TODO:
https://opendev.org/openstack/nova/src/branch/master/etc/nova/rootwrap.d/com...
That's great news! I'll have a deeper look and propose changes if appropriate.
Cheers,