Now repushed as https://review.openstack.org/#/c/81295/ -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1081795 Title: oslo.rootwrap IpFilter fails to prevent ip netns exec Status in Oslo - a Library of Common OpenStack Code: In Progress Bug description: This is an oslo.rootwrap bug. IpFilter is designed to allow any ip command, unless the second parameter is "netns" (in which case you only allow ip netns {list,add,delete}. The trick is it's trivial to work around this (just run 'ip -s netns exec'). Once that's fixed, Nova should update from using a CommandFilter to using the IpFilter for calling 'ip'. To manage notifications about this bug go to: https://bugs.launchpad.net/oslo/+bug/1081795/+subscriptions