Hey,

Thanks for the explanations!


On Tue, Dec 3, 2019 at 10:43, Thierry Carrez <thierry@openstack.org> wrote:
Matt Riedemann wrote:
> [...]
> I want to say mikal converted everything native to nova from rootwrap to
> privsep and that was completed in Train:
>
> https://docs.openstack.org/releasenotes/nova/train.html#security-issues
>
> "The transition from rootwrap (or sudo) to privsep has been completed
> for nova. The only case where rootwrap is still used is to start privsep
> helpers. All other rootwrap configurations for nova may now be removed."
>
> Looking at what's in the compute.filters file looks like it's all stuff
> for os-brick, but I thought os-brick was fully using privsep natively as
> well? Maybe it's just a matter of someone working on this TODO:
>
> https://opendev.org/openstack/nova/src/branch/master/etc/nova/rootwrap.d/compute.filters#L16

That's great news! I'll have a deeper look and propose changes if
appropriate.

Cheers,

--
Thierry Carrez (ttx)