diff --git a/docker/sahara/sahara-api/Dockerfile.j2 b/docker/sahara/sahara-api/Dockerfile.j2
index c821695749..bc09b28ad9 100644
--- a/docker/sahara/sahara-api/Dockerfile.j2
+++ b/docker/sahara/sahara-api/Dockerfile.j2
@@ -11,8 +11,8 @@ MAINTAINER {{ maintainer }}
 RUN {{ macros.install_packages(sahara_api_packages | customizable("packages")) }}
 {% endif %}
 
-COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY extend_start.sh /usr/local/bin/kolla_sahara_extend_start
+RUN chmod 755 /usr/local/bin/kolla_sahara_extend_start
 
 {% block sahara_api_footer %}{% endblock %}
 {% block footer %}{% endblock %}
diff --git a/docker/sahara/sahara-api/extend_start.sh b/docker/sahara/sahara-api/extend_start.sh
index d3d2c316e6..8054dd698c 100644
--- a/docker/sahara/sahara-api/extend_start.sh
+++ b/docker/sahara/sahara-api/extend_start.sh
@@ -3,6 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
-    sahara-manage db_sync
+    sahara-db-manage --config-file /etc/sahara/sahara.conf upgrade head
     exit 0
 fi
diff --git a/docker/sahara/sahara-base/Dockerfile.j2 b/docker/sahara/sahara-base/Dockerfile.j2
index 1104a76cf4..755421b8da 100644
--- a/docker/sahara/sahara-base/Dockerfile.j2
+++ b/docker/sahara/sahara-base/Dockerfile.j2
@@ -10,7 +10,7 @@ MAINTAINER {{ maintainer }}
 {% elif base_distro in ['ubuntu'] %}
     {% set sahara_base_packages = ['sahara-common'] %}
 {% endif %}
-RUN {{ macros.install_packages(sahara_base_packages | customizable("packages")) }}
+{{ macros.install_packages(sahara_base_packages | customizable("packages")) }}
 
 {% elif install_type == 'source' %}
 
@@ -19,12 +19,21 @@ RUN ln -s sahara-base-source/* sahara \
     && useradd --user-group sahara \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /sahara \
     && mkdir -p /etc/sahara /var/log/sahara /home/sahara \
-    && cp -r /sahara/etc/* /etc/sahara/ \
-    && chown -R sahara: /etc/sahara /var/log/sahara /home/sahara
+    && cp -r /sahara/etc/sahara/* /etc/sahara/ \
+    && chown -R sahara: /etc/sahara /var/log/sahara /home/sahara \
+    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/sahara/rootwrap.conf
 
 {% endif %}
 
 RUN usermod -a -G kolla sahara
 
+COPY sahara_sudoers /etc/sudoers.d/kolla_sahara_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+
+RUN usermod -a -G kolla sahara \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 640 /etc/sudoers.d/kolla_sahara_sudoers \
+    && touch /usr/local/bin/kolla_sahara_extend_start \
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_sahara_extend_start
+
 {% block sahara_base_footer %}{% endblock %}
-{% block footer %}{% endblock %}
diff --git a/docker/sahara/sahara-base/sahara_sudoers b/docker/sahara/sahara-base/sahara_sudoers
new file mode 100644
index 0000000000..bd8bfeebd4
--- /dev/null
+++ b/docker/sahara/sahara-base/sahara_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/sahara-rootwrap /etc/sahara/rootwrap.conf *