Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/deferred-instance-deletes.

Description:

Defer instance deletion for a period of time rather than immediately purging them from disk.

There are three types of "erroneous deletion" that we've seen in production:

1. User error, e.g., People clicking on "Terminate" by mistake
2. Software bugs, e.g., Live migrations get confused and claim success, when the instance on the remote side is nowhere near usable
3. Confusing API behavior, e.g., Calling "stop" and then "start" is destructive to the instance as a side-effect, which catches people by surprise

Currently, the "soft delete" functionality only protects against Condition #1. We propose adding an additional "deferred delete" functionality that protects against them all by using whatever data protection features the storage drivers see fit to postpone purging the bits off of disk for a user-specified length of time. There would also be a periodic job on the compute node that would periodically run the corresponding purges on the appropriate storage drivers as needed.

We are willing to implement the framework for the feature, as well as the functionality for the libvirt driver.

Specification URL (additional information): None