Comment 5 for bug 1394279

Thierry Carrez (ttx) wrote:

Ideally Neutron would just run neutron-ns-metadata-proxy as the neutron user and be able to kill it without requiring root rights. However Neutron starts neutron-ns-metadata-proxy as root, then drops to configurable metadata_proxy_user / metadata_proxy_group... hence the need to run the kill as root to be sure to kill it.

What looks like a security feature (configurable user) actually weakens the security (requires allowing escalation to root to kill it)... not even mentioning corner cases like this bug.

Fixing it in Neutron would cause a backward incompatible change though, so I'd recommend the following workaround: add the following filter to your rootwrap filter definitions (probably in a file in /etc/neutron/rootwrap.d):

kill_venvmetadata: KillFilter, root, /opt/openstack/venv/neutron/bin/python, -9

That way you specifically allow this, without weakening your secure_path config.
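An added illustration, not part of the comment above and not oslo.rootwrap's own code: a simplified model of how a KillFilter line of the form quoted above is matched, which makes it visible that the filter only lets through `kill -9` against a process whose executable is the venv python. The pid-to-executable lookup is injected as a function (rootwrap itself resolves /proc/<pid>/exe), and the sample filter line and pid table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the filter line suggested in the comment above, in the
# "name: KillFilter, run-as user, allowed executable, allowed signals..." form.
FILTER_LINE = ("kill_venvmetadata: KillFilter, root, "
               "/opt/openstack/venv/neutron/bin/python, -9")


@dataclass
class KillFilterRule:
    name: str
    run_as: str
    exe: str            # executable the target pid must be running
    signals: List[str]  # allowed signal arguments; empty means "plain kill only"


def parse_kill_filter(line: str) -> KillFilterRule:
    """Split one rootwrap KillFilter definition into its fields."""
    name, rest = line.split(":", 1)
    fields = [f.strip() for f in rest.split(",")]
    if len(fields) < 3 or fields[0] != "KillFilter":
        raise ValueError("not a KillFilter line: %r" % line)
    return KillFilterRule(name.strip(), fields[1], fields[2], fields[3:])


def kill_allowed(rule: KillFilterRule, argv: List[str],
                 exe_of_pid: Callable[[str], Optional[str]]) -> bool:
    """Decide whether argv (e.g. ["kill", "-9", "1234"]) passes the rule.

    Simplified model of the matching logic: the command must be kill, the
    signal argument must be one the rule lists (a bare "kill <pid>" is refused
    when the rule lists signals), and the target pid's executable must equal
    the rule's executable. exe_of_pid stands in for reading /proc/<pid>/exe.
    """
    if not argv or argv[0] != "kill":
        return False
    if len(argv) == 3:
        signal, pid = argv[1], argv[2]
        if signal not in rule.signals:
            return False
    elif len(argv) == 2:
        if rule.signals:          # rule requires an explicit signal
            return False
        pid = argv[1]
    else:
        return False
    if not pid.isdigit():
        return False
    return exe_of_pid(pid) == rule.exe
```

The same check run on a constructed pid table shows why this is narrower than loosening secure_path: a `kill -9` of a process running /usr/bin/python, or a `kill -15` of the venv process, is still refused.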