Deferred Delete for Instances
Instances can be deleted accidentally. To limit the damage when that happens, we propose that the DELETE verb on /servers/{id} suspend the selected server for a period of time (configurable by the Nova administrator) rather than destroying it. After that time has elapsed, a separate process performs the actual deletion.
When a user deletes an instance today, the instance's disk is torn down immediately. As a safety feature, an operator should have a configurable setting that makes the system mark the instance as deleted from the user's perspective while still allowing an administrator or operator to restore it.
The instance should no longer appear in the API listings from the user's perspective, but could report 'queued-for-delete' or 'delayed-delete' in the status field. An administrator should be able to restore the instance to a running state from the admin API by issuing an action on the deleted instance, and should also be able to force the deletion of a queued instance (for example when a tenant needs the data gone immediately, since the disk remains on the host for the whole window).
Any IP addresses in use by the server should be retained, and released only when the disk is purged from the host machine.
Host capacity (RAM, disk, cores) should be considered reserved while the server is pending delete; no new VMs should reuse that space.
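As an added illustration (not Nova's code, and not part of the original blueprint), the following Python model walks through the lifecycle described above: a user DELETE only marks the instance queued-for-delete and records when that happened; the user listing hides it while an admin listing still shows it; host capacity and IP addresses stay reserved; an administrator can restore or force-delete it; and a reaper, meant to run from the compute periodic tasks, purges anything older than the configurable interval. The names DeferredDeleteManager, Host, Instance, reclaim_interval and the error type are assumptions made for this example; the 'queued-for-delete' status string is the one the blueprint suggests. The clock is injectable so the reclaim window can be exercised without sleeping.

```python
"""Model of the deferred-delete flow. Added example; names are assumed, not Nova's."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

ACTIVE = "ACTIVE"
QUEUED_FOR_DELETE = "queued-for-delete"  # user-visible status suggested in the blueprint


class DeferredDeleteError(Exception):
    """Invalid transition, capacity exhaustion, or tenant mismatch."""


@dataclass
class Host:
    """One compute host. Queued instances still count against the used_* totals."""
    ram_mb: int
    disk_gb: int
    vcpus: int
    used_ram_mb: int = 0
    used_disk_gb: int = 0
    used_vcpus: int = 0

    def reserve(self, ram_mb: int, disk_gb: int, vcpus: int) -> bool:
        if (self.used_ram_mb + ram_mb > self.ram_mb
                or self.used_disk_gb + disk_gb > self.disk_gb
                or self.used_vcpus + vcpus > self.vcpus):
            return False
        self.used_ram_mb += ram_mb
        self.used_disk_gb += disk_gb
        self.used_vcpus += vcpus
        return True

    def release(self, ram_mb: int, disk_gb: int, vcpus: int) -> None:
        self.used_ram_mb -= ram_mb
        self.used_disk_gb -= disk_gb
        self.used_vcpus -= vcpus


@dataclass
class Instance:
    id: str
    owner: str
    ram_mb: int
    disk_gb: int
    vcpus: int
    ips: Set[str] = field(default_factory=set)
    status: str = ACTIVE
    deleted_at: Optional[float] = None  # time the user issued DELETE


class DeferredDeleteManager:
    """Keeps instances for reclaim_interval seconds after a user DELETE (assumed API)."""

    def __init__(self, host: Host, free_ips: Set[str], reclaim_interval: float,
                 clock: Callable[[], float] = time.time):
        self.host = host
        self.free_ips = set(free_ips)
        self.reclaim_interval = reclaim_interval  # operator-configurable window
        self.clock = clock
        self.instances: Dict[str, Instance] = {}

    def boot(self, inst: Instance) -> Instance:
        if not self.host.reserve(inst.ram_mb, inst.disk_gb, inst.vcpus):
            raise DeferredDeleteError("insufficient host capacity")
        if not self.free_ips:
            self.host.release(inst.ram_mb, inst.disk_gb, inst.vcpus)
            raise DeferredDeleteError("no free IP addresses")
        inst.ips.add(self.free_ips.pop())
        self.instances[inst.id] = inst
        return inst

    def delete(self, inst_id: str, user: str) -> Instance:
        """User-facing DELETE /servers/{id}: suspend and queue, release nothing."""
        inst = self._get(inst_id)
        if inst.owner != user:
            raise DeferredDeleteError("not the owner of this instance")
        if inst.status != QUEUED_FOR_DELETE:
            inst.status = QUEUED_FOR_DELETE
            inst.deleted_at = self.clock()
        return inst

    def list_servers(self, user: str) -> List[Instance]:
        """User view: queued instances are hidden from the listing."""
        return [i for i in self.instances.values()
                if i.owner == user and i.status != QUEUED_FOR_DELETE]

    def admin_list(self) -> List[Instance]:
        """Admin view: everything, with the queued status visible."""
        return list(self.instances.values())

    def restore(self, inst_id: str) -> Instance:
        inst = self._get(inst_id)
        if inst.status != QUEUED_FOR_DELETE:
            raise DeferredDeleteError("instance is not queued for delete")
        inst.status, inst.deleted_at = ACTIVE, None
        return inst

    def force_delete(self, inst_id: str) -> None:
        inst = self._get(inst_id)
        if inst.status != QUEUED_FOR_DELETE:
            raise DeferredDeleteError("instance is not queued for delete")
        self._purge(inst)

    def reclaim(self) -> List[str]:
        """Periodic reaper: purge queued instances older than the window."""
        now = self.clock()
        purged = []
        for inst in list(self.instances.values()):
            if inst.status == QUEUED_FOR_DELETE and now - inst.deleted_at >= self.reclaim_interval:
                self._purge(inst)
                purged.append(inst.id)
        return purged

    def _purge(self, inst: Instance) -> None:
        """The real deletion: disk torn down, then IPs and host capacity freed."""
        self.free_ips |= inst.ips
        inst.ips = set()
        self.host.release(inst.ram_mb, inst.disk_gb, inst.vcpus)
        del self.instances[inst.id]

    def _get(self, inst_id: str) -> Instance:
        try:
            return self.instances[inst_id]
        except KeyError:
            raise DeferredDeleteError(f"no such instance {inst_id}") from None
```

Two points the model makes concrete: a boot that would fit only by reusing a queued instance's capacity is refused until the reaper or an administrator purges it, and restore clears deleted_at, so a later DELETE starts a fresh window rather than inheriting the old one.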
Blueprint information
- Status: Complete
- Approver: Vish Ishaya
- Priority: Low
- Drafter: Glen Campbell
- Direction: Approved
- Assignee: Johannes Erdfelt
- Definition: Approved
- Series goal: Accepted for essex
- Implementation: Implemented
- Milestone target: 2012.1
- Started by: Vish Ishaya
- Completed by: Vish Ishaya
Whiteboard
+1 At the very least we can leave disk files around for a bit for forensics and recovery and clean them up with a reaper process/cron job.
Rather than a 2nd process to manage, I'd vote for just adding it to compute's periodic_tasks (comstud)
Gerrit topic: https:/
Addressed by: https:/
Fix some minor issues due to premature merge of original code.