Ideally Neutron would just run neutron-ns-metadata-proxy as the neutron user and be able to kill it without requiring root rights. However Neutron starts neutron-ns-metadata-proxy as root, then drops to configurable metadata_proxy_user / metadata_proxy_group... hence the need to run the kill as root to be sure to kill it.
What looks like a security feature (configurable user) actually weakens the security (require allowing escalation to root to kill it)... not even mentioning corner cases like this bug.
Fixing it in Neutron would cause a backward incompatible change though, so I'd recommend the following workaround: add the following filter to your rootwrap filter definitions (probably in a file in /etc/neutron/rootwrap.d):
kill_venvmetadata: KillFilter, root, /opt/openstack/venv/neutron/bin/python, -9
That way you specifically allow this, without weakening your secure_path config.
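As an added illustration (not code from the bug thread or from Neutron/oslo.rootwrap itself) of why that filter line is narrow rather than a blanket root kill, the following Python models how a rootwrap KillFilter decides whether a `kill` command is permitted: the requested signal must be in the filter's list, and the target pid's executable, resolved through /proc/<pid>/exe, must equal the path given in the filter. The `parse_filter_line`, `kill_allowed` and `exe_resolver` names are this example's own; the matching rules are a simplified restatement of the documented KillFilter behaviour, and the pid-to-executable table in `demo()` is constructed so the block runs offline.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed copy of the workaround filter line from the thread above.
FILTER_LINE = ("kill_venvmetadata: KillFilter, root, "
               "/opt/openstack/venv/neutron/bin/python, -9")


@dataclass
class KillFilterRule:
    name: str
    run_as: str            # user rootwrap will run the command as
    exe_path: str          # executable the target pid must be running
    signals: List[str] = field(default_factory=list)  # e.g. ["-9", "-HUP"]


def parse_filter_line(line: str) -> KillFilterRule:
    """Parse a rootwrap 'name: KillFilter, user, exe, sig...' definition."""
    name, rest = line.split(":", 1)
    fields = [f.strip() for f in rest.split(",")]
    if len(fields) < 3 or fields[0] != "KillFilter":
        raise ValueError("not a KillFilter line: %r" % line)
    return KillFilterRule(name.strip(), fields[1], fields[2], fields[3:])


def proc_exe_resolver(pid: int) -> Optional[str]:
    """Resolve a live pid's executable via /proc (Linux only)."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def kill_allowed(rule: KillFilterRule, argv: List[str],
                 exe_resolver: Callable[[int], Optional[str]] = proc_exe_resolver) -> bool:
    """Return True if argv (e.g. ['kill', '-9', '1234']) matches the rule."""
    if len(argv) not in (2, 3) or os.path.basename(argv[0]) != "kill":
        return False
    sig = argv[1] if len(argv) == 3 else None
    pid_str = argv[-1]
    if not pid_str.isdigit():
        return False
    # No explicit signal means the default SIGTERM; a filter that lists
    # specific signals does not permit it.
    if sig is None:
        if rule.signals:
            return False
    elif sig not in rule.signals:
        return False
    exe = exe_resolver(int(pid_str))
    if exe is None:
        return False
    # A binary replaced on disk (package upgrade) shows as '... (deleted)'.
    if exe.endswith(" (deleted)"):
        exe = exe[:-len(" (deleted)")]
    return exe == rule.exe_path


def demo() -> Dict[str, bool]:
    """Evaluate a few kill requests against a constructed process table."""
    rule = parse_filter_line(FILTER_LINE)
    # Constructed pid -> executable mapping standing in for /proc.
    table = {
        4242: "/opt/openstack/venv/neutron/bin/python",
        7: "/usr/sbin/sshd",
        99: "/opt/openstack/venv/neutron/bin/python (deleted)",
    }
    resolver = table.get
    return {
        "venv python, -9": kill_allowed(rule, ["kill", "-9", "4242"], resolver),
        "sshd, -9": kill_allowed(rule, ["kill", "-9", "7"], resolver),
        "venv python, default TERM": kill_allowed(rule, ["kill", "4242"], resolver),
        "venv python, -HUP": kill_allowed(rule, ["kill", "-HUP", "4242"], resolver),
        "upgraded venv python, -9": kill_allowed(rule, ["kill", "-9", "99"], resolver),
        "unknown pid, -9": kill_allowed(rule, ["kill", "-9", "123"], resolver),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-28s %s" % (case, "allowed" if ok else "denied"))
```

Only the first and fifth cases are allowed: the filter lets root send SIGKILL to a process whose executable is the venv python (including one whose binary was replaced on disk), and nothing else, which is the "specifically allow this" property the comment relies on.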