(Just addressing the specific Glance questions, not taking a position on the proposal.) On 12/6/18 7:45 AM, Matt Riedemann wrote:
I came across this bug during triage today:
https://bugs.launchpad.net/nova/+bug/1807110
They are advocating that nova/glance somehow keep a shelved server snapshot image from being inadvertently deleted by the user since it could result in data loss as they can't unshelve the server later (there is metadata in nova that links the shelved server to the snapshot image in glance which is used during unshelve).
I don't see a base description field on images but I suppose nova could write a description property that explains what the snapshot is and warn against deleting it.
Yes, any user can add a 'description' property (unless prohibited by property protections).
Going a step further, nova could potentially set the protected flag to true so the image cannot be deleted, but I have two concerns about that:
1. I don't see any way to force delete a protected image in glance - does that exist or has it been discussed before?
You cannot force delete a protected image in glance, but an admin can PATCH the image to update 'protected' to false, and then delete the image, which is functionally the same thing.
2. Would the user be able to PATCH the image to change the protected value to false and then delete the image if they really wanted to?
Yes, replacing the value of the 'protected' property on an image can be done by the image owner. (There is no specific policy for this other than the generic "modify_image" policy. I guess I should mention that there's also a "delete_image" policy. The default value for both policies is unrestricted ("").)
The other problem with nova marking the image as protected is that if the user deletes the server, the compute API tries to delete the snapshot image [1] which would fail if it's still protected, and then we could see snapshot images getting orphaned in glance. Arguably nova could detect this situation, update the protected field to false, and then delete the image.
Other thoughts? Has this come up before?
[1] https://github.com/openstack/nova/blob/c9dca64fa64005e5bea327f06a7a3f4821ab7...