diff --git a/defaults/main.yml b/defaults/main.yml
index b9e95cc1..042c25cd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -266,5 +266,6 @@ glance_glance_registry_conf_overrides: {}
 glance_glance_scrubber_conf_overrides: {}
 glance_glance_scheme_json_overrides: {}
 glance_glance_swift_store_conf_overrides: {}
+glance_glance_rootwrap_conf_overrides: {}
 glance_policy_overrides: {}
 glance_api_uwsgi_ini_overrides: {}
diff --git a/tasks/glance_post_install.yml b/tasks/glance_post_install.yml
index e3a9b2b7..230d2296 100644
--- a/tasks/glance_post_install.yml
+++ b/tasks/glance_post_install.yml
@@ -67,6 +67,10 @@
 dest: "/etc/glance/schema-image.json"
 config_overrides: "{{ glance_glance_scheme_json_overrides }}"
 config_type: "json"
+ - src: "rootwrap.conf.j2"
+ dest: "/etc/glance/rootwrap.conf"
+ config_overrides: "{{ glance_glance_rootwrap_conf_overrides }}"
+ config_type: "ini"
 notify:
 - Restart glance services
diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2
new file mode 100644
index 00000000..290338eb
--- /dev/null
+++ b/templates/rootwrap.conf.j2
@@ -0,0 +1,27 @@
+# Configuration for glance-rootwrap
+# This file should be owned by (and only-writable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
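Review bot: `exec_dirs` in the new rootwrap.conf.j2 lists `{{ glance_bin }}` first, and the template's own comment says every directory there must be writable only by root, yet nothing in this commit shows who owns that path. If `glance_bin` resolves to a directory the glance service account can write to, a filter that names a command without a full path would be resolved there before the system directories, which weakens the root-only guarantee this file is meant to give. I would either confirm and document the ownership next to the line, e.g. `# {{ glance_bin }} must be root-owned and not writable by the glance user`, or list it after the system directories. The same question applies to the new item in tasks/glance_post_install.yml: the task's owner and mode are set outside that hunk, so check that /etc/glance/rootwrap.conf lands root-owned and not writable by the service user. Separately, `use_syslog=False` leaves rootwrap calls unlogged by default; `glance_glance_rootwrap_conf_overrides` can enable it, which is worth stating in a comment beside the new default.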