After digging deeper I'm now unsure if rootwrap is a practical solution. Apparently "nova.utils.execute(run_as_root=True)" is used to request a command to be passed through rootwrap -- but the code running the commands (python-guestfs) is actually a system-level Python package which imports a C library. Nova just imports the guestfs Python package and uses its API. It doesn't appear that Nova has the opportunity to execute anything using rootwrap -- the guestfs code itself would need to be modified.
In OpenStack-Ansible I have proposed the workaround of just modifying file permissions on the kernel: https://review.openstack.org/#/c/451971/
This all works once the kernel is made readable to the nova user.