Bug 1041253

Summary: [RFE][nova]: Defer all instance deletion for a configurable interval
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/nova/+spec/deferred-instance-deletes
Whiteboard: upstream_milestone_none upstream_status_unknown upstream_definition_drafting
Fixed In Version:
Doc Type: Enhancement
Last Closed: 2015-03-19 17:04:58 UTC
Type: ---

Description RHOS Integration 2013-12-12 14:05:42 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/deferred-instance-deletes.

Description:

Defer instance deletion for a period of time rather than immediately purging them from disk.

There are three types of "erroneous deletion" that we've seen in production:

1.  User error, e.g., people clicking on "Terminate" by mistake.

2.  Software bugs, e.g., live migrations get confused and claim success when the instance on the remote side is nowhere near usable.

3.  Confusing API behavior, e.g., calling "stop" and then "start" is destructive to the instance as a side effect, which catches people by surprise.

Currently, the "soft delete" functionality only protects against Condition #1.  We propose adding an additional "deferred delete" functionality that protects against them all by using whatever data protection features the storage drivers see fit to postpone purging the bits off of disk for a user-specified length of time.  There would also be a periodic job on the compute node that would periodically run the corresponding purges on the appropriate storage drivers as needed.

We are willing to implement the framework for the feature, as well as the functionality for the libvirt driver.

Specification URL (additional information):

None