Defer all instance deletion for a configurable interval
Defer instance deletion for a period of time rather than immediately purging them from disk
There are three types of "erroneous deletion" that we've seen in production:
1. User error, e.g., people clicking "Terminate" by mistake
2. Software bugs, e.g., a live migration gets confused and claims success when the instance on the destination host is nowhere near usable
3. Confusing API behavior, e.g., calling "stop" and then "start" destroys the instance's disk as a side effect, which catches people by surprise
Currently, the "soft delete" functionality only protects against condition #1. We propose adding an additional "deferred delete" functionality that protects against all three: instead of purging an instance's bits from disk immediately, each storage driver uses whatever data-protection features it sees fit to postpone the purge for a user-specified length of time. A periodic job on the compute node would then run the corresponding purges on the appropriate storage drivers once that interval has elapsed, so that a deletion triggered by any of the three conditions can be reversed until the interval runs out.
We are willing to implement the framework for the feature, as well as the functionality for the libvirt driver.
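The following sketch is an added illustration of the framework described above; it is not Nova's code, and the class, method and path names (QuarantineDiskDriver, DeferredDeleteManager, an "instances" and a "quarantine" directory) are assumptions made for the example. The driver "deletes" an instance by moving its disk directory into a quarantine area, the manager records a purge deadline, and a periodic purge task removes only the entries whose retention interval has elapsed. A restore within the interval brings the disk back intact; a restore after the purge is refused.

```python
"""Deferred-delete sketch: added example, not Nova's own implementation."""
import os
import shutil
import tempfile


class QuarantineDiskDriver:
    """Hypothetical storage driver (name and layout are assumptions).

    defer_delete() only moves the instance directory into a quarantine
    area; purge() is the only call that removes bits from disk.
    """

    def __init__(self, instances_path, quarantine_path):
        self.instances_path = instances_path
        self.quarantine_path = quarantine_path
        os.makedirs(instances_path, exist_ok=True)
        os.makedirs(quarantine_path, exist_ok=True)

    def _live(self, instance_id):
        return os.path.join(self.instances_path, instance_id)

    def _held(self, instance_id):
        return os.path.join(self.quarantine_path, instance_id)

    def create(self, instance_id, disk_bytes):
        # Constructed stand-in for an instance disk image.
        os.makedirs(self._live(instance_id))
        with open(os.path.join(self._live(instance_id), "disk"), "wb") as f:
            f.write(disk_bytes)

    def defer_delete(self, instance_id):
        os.rename(self._live(instance_id), self._held(instance_id))

    def restore(self, instance_id):
        os.rename(self._held(instance_id), self._live(instance_id))

    def purge(self, instance_id):
        shutil.rmtree(self._held(instance_id))

    def is_live(self, instance_id):
        return os.path.isdir(self._live(instance_id))

    def read_disk(self, instance_id):
        with open(os.path.join(self._live(instance_id), "disk"), "rb") as f:
            return f.read()


class DeferredDeleteManager:
    """Tracks purge deadlines; purge_expired() is the periodic compute-node job."""

    def __init__(self, driver, retention_seconds, clock):
        self.driver = driver
        self.retention_seconds = retention_seconds
        self.clock = clock  # callable returning seconds; injected for testing
        self._pending = {}  # instance_id -> purge deadline

    def delete(self, instance_id):
        if instance_id in self._pending:
            raise ValueError("%s is already awaiting purge" % instance_id)
        self.driver.defer_delete(instance_id)
        self._pending[instance_id] = self.clock() + self.retention_seconds

    def restore(self, instance_id):
        # Refused once the purge has run: the bits are genuinely gone.
        if instance_id not in self._pending:
            raise KeyError("%s is not awaiting purge" % instance_id)
        self.driver.restore(instance_id)
        del self._pending[instance_id]

    def purge_expired(self):
        """Purge only entries whose retention interval has elapsed."""
        now = self.clock()
        purged = [i for i, deadline in sorted(self._pending.items()) if deadline <= now]
        for instance_id in purged:
            self.driver.purge(instance_id)
            del self._pending[instance_id]
        return purged

    def pending(self):
        return sorted(self._pending)


class FakeClock:
    """Controllable clock so the demo does not have to sleep."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_demo(retention_seconds=3600):
    """Two deletions: one restored in time, one left to expire and be purged."""
    root = tempfile.mkdtemp(prefix="deferred-delete-")
    try:
        clock = FakeClock()
        driver = QuarantineDiskDriver(os.path.join(root, "instances"),
                                      os.path.join(root, "quarantine"))
        mgr = DeferredDeleteManager(driver, retention_seconds, clock)
        driver.create("vm-a", b"payload-a")
        driver.create("vm-b", b"payload-b")
        mgr.delete("vm-a")  # e.g. a mistaken "Terminate"
        mgr.delete("vm-b")  # e.g. a buggy migration claiming success
        clock.advance(retention_seconds / 2)
        first_run = mgr.purge_expired()  # nothing is due yet
        mgr.restore("vm-a")
        restored_disk = driver.read_disk("vm-a")
        clock.advance(retention_seconds)
        second_run = mgr.purge_expired()  # vm-b's deadline has passed
        try:
            mgr.restore("vm-b")
            late_restore_refused = False
        except KeyError:
            late_restore_refused = True
        return {
            "first_run": first_run,
            "restored_disk": restored_disk,
            "second_run": second_run,
            "late_restore_refused": late_restore_refused,
            "vm_a_live": driver.is_live("vm-a"),
            "vm_b_live": driver.is_live("vm-b"),
            "pending": mgr.pending(),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The purge deadline is recorded at the moment of the deferred delete and read back by the periodic job, so the retention interval is enforced on the compute node rather than by whoever issued the delete; a real driver would replace the quarantine rename with whatever snapshot or reflink facility its storage offers.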
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: Chet Burgess
- Definition: Drafting
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by
- Completed by
Whiteboard
Gerrit topic: https:/
If you are still working on this, please re-submit via nova-specs. If not, please mark as obsolete, and add a quick comment to describe why. --johnthetubaguy (20th April 2014)