Comment 6 for bug 1055384

I have confirmed.

A simple way to reproduce the problem is as follows:

Works:

 sudo /opt/stack/quantum/bin/quantum-rootwrap /etc/quantum/rootwrap.conf QUANTUM_RELAY_SOCKET_PATH=/opt/stack/data/dhcp/lease_relay QUANTUM_NETWORK_ID=133c6ebb-43ca-4617-a288-466e0353f08f ip netns exec qdhcp-133c6ebb-43ca-4617-a288-466e0353f08f dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap952501ed-cc --except-interface=lo --domain=openstacklocal --pid-file=/opt/stack/data/dhcp/133c6ebb-43ca-4617-a288-466e0353f08f/pid --dhcp-hostsfile=/opt/stack/data/dhcp/133c6ebb-43ca-4617-a288-466e0353f08f/host --dhcp-optsfile=/opt/stack/data/dhcp/133c6ebb-43ca-4617-a288-466e0353f08f/opts --dhcp-script=/opt/stack/quantum/bin/quantum-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s

Fails:
sudo /opt/stack/quantum/bin/quantum-rootwrap /etc/quantum/rootwrap.conf QUANTUM_RELAY_SOCKET_PATH=/opt/stack/data/dhcp/lease_relay QUANTUM_NETWORK_ID=133c6ebb-43ca-4617-a288-466e0353f08f dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap952501ed-cc --except-interface=lo --domain=openstacklocal --pid-file=/opt/stack/data/dhcp/133c6ebb-43ca-4617-a288-466e0353f08f/pid --dhcp-hostsfile=/opt/stack/data/dhcp/133c6ebb-43ca-4617-a288-466e0353f08f/host --dhcp-optsfile=/opt/stack/data/dhcp/133c6ebb-43ca-4617-a288-466e0353f08f/opts --dhcp-script=/opt/stack/quantum/bin/quantum-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s

Problem is that the rootwrap filters are defined as follows:

ip_exec_dnsmasq: DnsmasqFilter, /sbin/ip, root
dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root

So when no namespaces are used the first match is returned.