OpenStack listens to requests over the network, and (when appropriate) performs operations on the host that require root superpowers. Following best-practice design, most of the code runs as an unprivileged user and only the code that needs additional powers runs as root using a tool called "rootwrap".
This talk discusses the evolution that led to the current rootwrap design and why it has proven to be completely inadequate in practice, and presents a new "privsep" alternative currently being worked on within Oslo.
Angus has done a bit of everything: written Visual Basic code for Windows 3.1, taught Linux TAFE courses, uploaded possibly the first native app on the Android market, packaged the Rust compiler for Debian, driven across the desert to install Linux-based satellite routers, been interviewed by Messrs Reeves and Fishburne for character profiles for the first Matrix movie, and fixed the IPv6 Internet (with some help).
Most recently, he has been working for Rackspace on upstream OpenStack.