From c425977a55dde6b99b07c716dc3cf82990bd4fa2 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Wed, 8 Jun 2016 16:53:06 +0100
Subject: [PATCH] nova.conf: set privsep helper command for os-vif plugins
privsep will default to invoking privsep-helper directly via sudo, which won't work for people with a locked down sudo config. To deal with this we should explicitly configure the os-vif plugins to use nova-rootwrap for running privsep-helper. This change makes such a change for the two official in-tree os-vif plugins.
Change-Id: I3d26251206a57599385f2b9f3e0ef7d91daafe35
---
 lib/nova | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/nova b/lib/nova
index af5d1222a0..65609369a9 100644
--- a/lib/nova
+++ b/lib/nova
@@ -483,6 +483,9 @@ function create_nova_conf {
 iniset $NOVA_CONF privsep_osbrick helper_command "sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF"
+ iniset $NOVA_CONF vif_plug_ovs_privileged helper_command "sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF"
+ iniset $NOVA_CONF vif_plug_linux_bridge_privileged helper_command "sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF"
+
 if is_service_enabled n-api; then
 if is_service_enabled n-api-meta; then
 # If running n-api-meta as a separate service
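Review bot: The added `helper_command` entries for `vif_plug_ovs_privileged` and `vif_plug_linux_bridge_privileged` only work if the nova-rootwrap filters permit `privsep-helper` for those two plugin contexts, and nothing in this hunk shows that they do. That should be confirmed against the deployed filter files, keeping the match as narrow as the existing os-brick case, since an over-broad filter widens what the nova user can run as root. The command string is now repeated verbatim in three sections; assigning it once, `local privsep_helper="sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF"`, and passing `"$privsep_helper"` to each `iniset` would keep them from drifting apart. A comment such as `# \$rootwrap_config is written literally for the config loader to resolve; $NOVA_CONF is expanded here` would explain the mixed escaping. create_nova_conf starts and ends outside the hunk.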