Comment 2 for bug 1014812

(Note: when I say "rootwrap framework fully supports it", I actually mean the upcoming version of rootwrap fully supports it -- the current version could prevent nova-api from running root commands on a host where nova-compute is installed, but would not prevent nova-compute from running volume commands on a host where nova-volume is installed).