Comment 4 for bug 1507915

Chris Martin (6-chris-z) wrote:

After digging deeper I'm now unsure if rootwrap is a practical solution. Apparently "nova.utils.execute(run_as_root=True)" is used to request a command to be passed through rootwrap -- but the code running the commands (python-guestfs) is actually a system-level Python package which imports a C library. Nova just imports the guestfs Python package and uses its API. It doesn't appear that Nova has the opportunity to execute anything using rootwrap -- the guestfs code itself would need to be modified.

In OpenStack-Ansible I have proposed the workaround of just modifying file permissions on the kernel:
https://review.openstack.org/#/c/451971/

This all works once the kernel is made readable to the nova user.