Root wrapper for OpenStack services
Filters which commands a service is allowed to run as another user.
To use this with cinder, you should set the following in cinder.conf: rootwrap_config=/etc/cinder/rootwrap.conf
You also need to let the cinder user run cinder-rootwrap as root in sudoers: cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap
/etc/cinder/rootwrap.conf *
Service packaging should deploy .filters files only on nodes where they are needed, to avoid allowing more than is necessary.