[openstack-dev] [heat] suggestion for lock/protect stack blueprint

KOFFMAN, Noa (Noa) noa.koffman at alcatel-lucent.com
Wed Apr 8 12:43:06 UTC 2015


I would like to suggest a blueprint to allow locking/protecting a 
stack. Similar to: nova server "lock" or glance-image "--is-protected" 
Once a stack is locked, the only operation allowed on the stack is 
"unlock" - heat engine should reject any stack operations and ignore 
signals that modify the stack (such as scaling).

The lock operation should have a "lock_resources" flag (default = True):
When True: perform heat lock and enable lock/protect for each stack 
resource that supports it (nova server, glance image,...).
when False: perform heat lock - which would lock the stack and all 
nested stacks (actions on resources will not be effected).

1. we received several requests from application vendors, to allow 
"maintenance mode" for the application. When in maintenance no topology 
changes are permitted. For example a maintenance mode is required for 
a clustered DB app that needs a manual reboot of one of its servers - 
when the server reboots all the other servers are redistributing the 
data among themselves which causes high CPU levels which in turn might 
cause an undesired scale out (which will cause another CPU spike and so 
2. some cloud-admins have a configuration stack that initializes the 
cloud (Creating networks, flavors, images, ...) and these resources 
should always exist while the cloud exists. Locking these configuration 
stacks, will prevent someone from accidently deleting/modifying the 
stack or its resources.

This feature might even raise in significance, once convergence phase 2 
is in place, and many other automatic actions are performed by heat. 
The ability to manually perform admin actions on the stack with no 
interruptions is important.

Any thoughts/comments/suggestions are welcome.

Noa Koffman.

More information about the OpenStack-dev mailing list