Matt Riedemann wrote:
> [...]
> I want to say mikal converted everything native to nova from rootwrap to
> privsep and that was completed in Train:
>
> https://docs.openstack.org/releasenotes/nova/train.html#security-issues
>
> "The transition from rootwrap (or sudo) to privsep has been completed
> for nova. The only case where rootwrap is still used is to start privsep
> helpers. All other rootwrap configurations for nova may now be removed."
>
> Looking at what's in the compute.filters file looks like it's all stuff
> for os-brick, but I thought os-brick was fully using privsep natively as
> well? Maybe it's just a matter of someone working on this TODO:
>
> https://opendev.org/openstack/nova/src/branch/master/etc/nova/rootwrap.d/compute.filters#L16

That's great news! I'll have a deeper look and propose changes if appropriate.

Cheers,

--
Thierry Carrez (ttx)