# ps -ef | grep quantum-ns-metadata-proxy
root 10239 1 0 19:01 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum
Root is needed to open the namespace, but the quantum-ns-metadata-proxy does not need root - it listens on 9697 by default, not 80.
I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as quantum instead:
metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, quantum
but it still runs as root.
This is a known operation state in released code. I'm not sure it makes sense to keep this private as there is not a vulnerability to exploit. Are you ok making this a regular bug to make the proxy run with reduced perms?
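The pattern discussed in this thread, as an added example that is not from the thread or from Quantum's code: do the root-only step first, then permanently drop to an unprivileged account before the listener starts. The function names, the `osmod` and `lookup` parameters, and the use of the account name `quantum` are assumptions made for illustration.

```python
import os
import pwd


def drop_privileges(uid, gid, osmod=os):
    """Permanently give up root: supplementary groups, then gid, then uid.

    `osmod` is the os module by default; a stand-in can be passed for testing.
    Returns the (uid, gid) in effect afterwards.
    """
    if osmod.geteuid() != 0:
        raise PermissionError("not running as root, nothing to drop")
    # Order matters: once the uid has changed the process can no longer
    # alter its groups, so groups and gid are handled while still root.
    osmod.setgroups([])
    osmod.setgid(gid)
    osmod.setuid(uid)  # called as root, this sets real, effective and saved uid
    # Confirm root cannot be regained before any request is served.
    try:
        osmod.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("root could be regained after the drop")
    if osmod.geteuid() != uid or osmod.getegid() != gid:
        raise RuntimeError("unexpected ids after the drop")
    return osmod.geteuid(), osmod.getegid()


def start_proxy(user, privileged_setup, serve, osmod=os, lookup=pwd.getpwnam):
    """Run the root-only step, drop to `user`, then run the listener."""
    account = lookup(user)        # resolve the account while still root
    handle = privileged_setup()   # hypothetical hook, e.g. open the namespace
    ids = drop_privileges(account.pw_uid, account.pw_gid, osmod=osmod)
    return serve(handle, ids)     # a port such as 9697 needs no root to bind


if __name__ == "__main__":
    if os.geteuid() == 0:
        # Assumed account name "quantum", as in the filter line quoted above.
        print(start_proxy("quantum", lambda: None, lambda handle, ids: ids))
    else:
        print("run as root to exercise the real drop")
```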