so in genreal no. for security reasons we do not allow humans, even admins to detach volume via the cidner api. https://security.openstack.org/ossa/OSSA-2023-003.html we have locked down access to deletating a volume attachment requests that have a service user token. https://security.openstack.org/ossa/OSSA-2023-003.html#configuration-change while an admid coudl impersonate nova with curl you intentially cannot craft a request like this with the openstack commandlien client. if you were to do that and not also manually clean the compute host you would make the cloud vulnerable to the cve again. any combination of commands that allow a normal user to bypass this protection would be a CVE so be very careful with seculating in public about that. if you find one please report it privately https://security.openstack.org/reporting.html On Fri, 2025-03-21 at 15:02 +0000, Eugen Block wrote:
I don’t know if it would enable you to attach the volume to a different vm, but you can change a volume‘s database status to detached and available (check out ‚openstack help volume set‘).
Zitat von Arnaud Morin <arnaud.morin@gmail.com>:
Hey team,
Is there any way to force detach a volume when the nova compute service is down? Like when the hypervisor is off, we want to detach the volume and attach it to another instance. you only reall option if the hypervior is dead woudl be to evacuate the instance and then detach it after the evacuation. that still not advisable but might work for your usecase.
Maybe I'm missing the way to do it, but detach action on nova side seems a synchronous task that I can't force without admin creds.
correct we need to do clean up on the compute host in almost all cases (all excpet ceph) to prevetn unatuorised access to the volume. if that does not succesedd we will potionally leak data or currpt the volume.
Thanks for any help,
Regards, Arnaud