Comment 12 for bug 1417331

Ebbex (eb4x) wrote:

We ran into this problem yesterday.

On our compute host we have venvs for both neutron and nova, and under
/etc/sudoers.d/ we had a file for each project's rootwrap. And in those files
we specified a secure path.

/etc/sudoers.d/neutron-rootwrap
Defaults secure_path="/opt/openstack/neutron/venv/bin:..."
neutron ALL=(root) NOPASSWD: /opt/openstack/neutron/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

/etc/sudoers.d/nova-rootwrap
Defaults secure_path="/opt/openstack/nova/venv/bin:..."
nova ALL=(root) NOPASSWD: /opt/openstack/nova/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *

But only one of those 'secure_path' values takes precedence, in our case nova's,
which meant that 'neutron-ns-metadata-proxy' was out of our path again.

Wouldn't it just be better if we just set the environment PATH to the
exec_dirs, since that's where we'll be searching for the executables?
This would also result in fewer places to maintain your paths.

oslo_rootwrap/wrapper.py
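if config.has_option("DEFAULT", "exec_dirs"):
    self.exec_dirs = config.get("DEFAULT", "exec_dirs").split(",")
    # Replace PATH with exec_dirs if specified. Assign through os.environ:
    # os.putenv() changes the process environment but does not update
    # os.environ, so later lookups in this process would see the old PATH.
    os.environ["PATH"] = ":".join(self.exec_dirs)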
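
The collision described in this comment can be checked for before deployment. The following is an added example, not part of the original comment or of oslo.rootwrap: it takes the contents of sudoers.d fragments, applies sudo's include-directory read order, and reports which global `Defaults secure_path` wins. The function names and the `SAMPLE` dictionary are assumptions made for illustration; the sample lines are constructed from the two files quoted above.

```python
import re

# Global form only. A scoped entry such as "Defaults:neutron secure_path=..."
# binds to one user and does not collide, so it is deliberately not matched.
GLOBAL_SECURE_PATH = re.compile(
    r'^\s*Defaults\s+secure_path\s*=\s*"?([^"\n]*)"?\s*$')

def read_order(names):
    """Order in which sudo reads an include directory: sorted lexically,
    skipping file names that end in '~' or contain a '.'."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)

def global_secure_paths(fragments):
    """Return [(file, value), ...] for each global secure_path, in read order."""
    found = []
    for name in read_order(fragments):
        for line in fragments[name].splitlines():
            match = GLOBAL_SECURE_PATH.match(line)
            if match:
                found.append((name, match.group(1)))
    return found

def audit(fragments):
    """Report the winning global secure_path and the files it overrides."""
    found = global_secure_paths(fragments)
    if not found:
        return None
    winner = found[-1]  # the last Defaults entry read is the one in effect
    overridden = [name for name, value in found[:-1] if value != winner[1]]
    return {"winner": winner, "overridden": overridden}

# Constructed sample: file name -> content, taken from the comment above.
SAMPLE = {
    "neutron-rootwrap":
        'Defaults secure_path="/opt/openstack/neutron/venv/bin:..."\n'
        "neutron ALL=(root) NOPASSWD: /opt/openstack/neutron/venv/bin/"
        "neutron-rootwrap /etc/neutron/rootwrap.conf *\n",
    "nova-rootwrap":
        'Defaults secure_path="/opt/openstack/nova/venv/bin:..."\n'
        "nova ALL=(root) NOPASSWD: /opt/openstack/nova/venv/bin/"
        "nova-rootwrap /etc/nova/rootwrap.conf *\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, nova-rootwrap sorts after neutron-rootwrap, so its secure_path is the one in effect, matching what the comment observed.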