[openstack-dev] [nova] locked instances and snaphot

melanie witt melwitt at outlook.com
Mon Jun 16 19:28:16 UTC 2014

Hi all,

Recently a nova bug [1] was opened where the user describes a scenario where an instance that is locked is still able to be snapshotted (create image and backup). In the case of Trove, instances are locked "...to ensure integrity and protect secrets which are needed by the resident Trove Agent." However, the end-user can still take a snapshot of the instance to create an image while it's locked, and restore the image later. The end-user then has access to the restored image.

During the patch review, a reviewer raised a concern about the purpose of instance locking and whether prevention of snapshot while an instance is locked is appropriate. From what we understand, instance lock is meant to prevent unwanted modification of an instance. Is snapshotting considered a logical modification of an instance? That is, if an instance is locked to a user, they take a snapshot, create another instance using that snapshot, and modify the instance, have they essentially modified the original locked instance?

I wanted to get input from the ML on whether it makes sense to disallow snapshot an instance is locked.


[1] https://bugs.launchpad.net/nova/+bug/1314741

More information about the OpenStack-dev mailing list