diff --git a/deployment/puppet/openstack/files/limits.conf b/deployment/puppet/openstack/files/limits.conf
index 3a17f73b3d..055018b02c 100644
--- a/deployment/puppet/openstack/files/limits.conf
+++ b/deployment/puppet/openstack/files/limits.conf
@@ -1,3 +1,5 @@
-# Raising open file limit for OpenStack services 
+# Raising open file limit for OpenStack services
+root      soft    nofile          102400
+root      hard    nofile          112640
 *         soft    nofile          102400
 *         hard    nofile          112640
diff --git a/files/fuel-ha-utils/ocf/ns_dns b/files/fuel-ha-utils/ocf/ns_dns
index d1ae35d6ee..cdd814ccb2 100644
--- a/files/fuel-ha-utils/ocf/ns_dns
+++ b/files/fuel-ha-utils/ocf/ns_dns
@@ -201,7 +201,7 @@ dnsmasq_start()
   fi
 
   # run the dnsmasq binary
-        ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
+  ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
   if [ $? -ne 0 ]; then
     ocf_log err "Error. dnsmasq daemon returned error $?."
     return $OCF_ERR_GENERIC
diff --git a/files/fuel-ha-utils/ocf/ns_haproxy b/files/fuel-ha-utils/ocf/ns_haproxy
index c13f2d003b..b87b4a4948 100755
--- a/files/fuel-ha-utils/ocf/ns_haproxy
+++ b/files/fuel-ha-utils/ocf/ns_haproxy
@@ -440,7 +440,7 @@ haproxy_start()
 	fi
 
 	# run the haproxy binary
-	ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
+	ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
 	if [ $? -ne 0 ]; then
 		ocf_log err "Error. haproxy daemon returned error $?."
 		return $OCF_ERR_GENERIC
@@ -472,7 +472,7 @@ haproxy_reload()
           ocf_log warn "Cannot block all SYN for the Haproxy reload operation!"
       fi
       # reload haproxy binary replacing the old process
-      ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
+      ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
       rc=$?
       unblock_client_access
       ocf_log info "Unblocked all SYN for the Haproxy reload operation"
diff --git a/files/fuel-ha-utils/ocf/ns_ntp b/files/fuel-ha-utils/ocf/ns_ntp
index 86755a02b8..352621e15e 100644
--- a/files/fuel-ha-utils/ocf/ns_ntp
+++ b/files/fuel-ha-utils/ocf/ns_ntp
@@ -191,7 +191,7 @@ ntp_start()
   fi
 
   # run the ntp binary
-  ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
+  ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
   if [ "${?}" -ne "0" ]; then
     ocf_log err "Error. ntp daemon returned error $?."
     return "${OCF_ERR_GENERIC}"
diff --git a/files/fuel-ha-utils/ocf/ocf-fuel-funcs b/files/fuel-ha-utils/ocf/ocf-fuel-funcs
index dc7e1d8e70..8470036b09 100644
--- a/files/fuel-ha-utils/ocf/ocf-fuel-funcs
+++ b/files/fuel-ha-utils/ocf/ocf-fuel-funcs
@@ -179,3 +179,19 @@ proc_stop()
     ocf_log info "${LH} Stopped ${service_name}"
     return "${OCF_SUCCESS}"
 }
+
+###########################################################
+# Runs a process as root via su to get the whole PAM stack
+# executed.
+#
+# Globals:
+#   none
+# Arguments:
+#   $* - ocf_run arguments
+# Returns:
+#   Return code of the ocf_run invocation.
+###########################################################
+ocf_run_as_root()
+{
+    ocf_run su - root -c "$(printf '%q ' "$@")"
+}