diff --git a/docker/swift/swift-account/Dockerfile.j2 b/docker/swift/swift-account/Dockerfile.j2
index 3023147c53..0d418dfbc9 100644
--- a/docker/swift/swift-account/Dockerfile.j2
+++ b/docker/swift/swift-account/Dockerfile.j2
@@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2
index 50a5f899b1..a4bd69f9ca 100644
--- a/docker/swift/swift-base/Dockerfile.j2
+++ b/docker/swift/swift-base/Dockerfile.j2
@@ -40,5 +40,19 @@ RUN ln -s swift-base-source/* swift \
 
 {% endif %}
 
+RUN pip install oslo.rootwrap
+
+COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
+COPY rootwrap.conf /etc/swift/rootwrap.conf
+RUN chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \
+    && chmod 644 /etc/swift/rootwrap.conf \
+    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf
+
+COPY swift_sudoers /etc/sudoers.d/swift_sudoers
+RUN chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/swift_sudoers
+
 COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
 RUN mkdir -p /opt/swift
+
+RUN usermod -a -G kolla swift
diff --git a/docker/swift/swift-base/rootwrap.conf b/docker/swift/swift-base/rootwrap.conf
new file mode 100644
index 0000000000..270dcc974a
--- /dev/null
+++ b/docker/swift/swift-base/rootwrap.conf
@@ -0,0 +1,34 @@
+# Configuration for swift-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/swift/rootwrap.d,/usr/share/swift/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
+
+[xenapi]
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
+xenapi_connection_url=<None>
+xenapi_connection_username=root
+xenapi_connection_password=<None>
diff --git a/docker/swift/swift-base/swift-rootwrap b/docker/swift/swift-base/swift-rootwrap
new file mode 100644
index 0000000000..3839c9a8dc
--- /dev/null
+++ b/docker/swift/swift-base/swift-rootwrap
@@ -0,0 +1,10 @@
+#!/usr/bin/python2
+# PBR Generated from u'console_scripts'
+
+import sys
+
+from oslo_rootwrap.cmd import main
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/docker/swift/swift-base/swift_sudoers b/docker/swift/swift-base/swift_sudoers
new file mode 100644
index 0000000000..b20ac15fb8
--- /dev/null
+++ b/docker/swift/swift-base/swift_sudoers
@@ -0,0 +1 @@
+swift ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/swift-rootwrap /etc/swift/rootwrap.conf *
diff --git a/docker/swift/swift-container/Dockerfile.j2 b/docker/swift/swift-container/Dockerfile.j2
index 126818e29b..90d240d53e 100644
--- a/docker/swift/swift-container/Dockerfile.j2
+++ b/docker/swift/swift-container/Dockerfile.j2
@@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-object/Dockerfile.j2 b/docker/swift/swift-object/Dockerfile.j2
index 344d470417..3a55e901e8 100644
--- a/docker/swift/swift-object/Dockerfile.j2
+++ b/docker/swift/swift-object/Dockerfile.j2
@@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-proxy-server/Dockerfile.j2 b/docker/swift/swift-proxy-server/Dockerfile.j2
index d168705b6e..71481aa22f 100644
--- a/docker/swift/swift-proxy-server/Dockerfile.j2
+++ b/docker/swift/swift-proxy-server/Dockerfile.j2
@@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-rsyncd/Dockerfile.j2 b/docker/swift/swift-rsyncd/Dockerfile.j2
index fbe19b0af4..8c6cc6ff2f 100644
--- a/docker/swift/swift-rsyncd/Dockerfile.j2
+++ b/docker/swift/swift-rsyncd/Dockerfile.j2
@@ -15,7 +15,10 @@ RUN apt-get install -y --no-install-recommends \
 
 {% endif %}
 
+RUN setcap 'cap_net_bind_service=+ep' /usr/bin/rsync
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {{ include_footer }}
+
+USER swift