[openstack-dev] [nova] locked instances and snapshot

Michael Still mikal at stillhq.com
Mon Jun 16 20:56:09 UTC 2014

On Tue, Jun 17, 2014 at 5:28 AM, melanie witt <melwitt at outlook.com> wrote:
> Hi all,
> Recently a nova bug [1] was opened where the user describes a scenario where an instance that is locked is still able to be snapshotted (create image and backup). In the case of Trove, instances are locked "...to ensure integrity and protect secrets which are needed by the resident Trove Agent." However, the end-user can still take a snapshot of the instance to create an image while it's locked, and restore the image later. The end-user then has access to the restored image.
> During the patch review, a reviewer raised a concern about the purpose of instance locking and whether prevention of snapshot while an instance is locked is appropriate. From what we understand, instance lock is meant to prevent unwanted modification of an instance. Is snapshotting considered a logical modification of an instance? That is, if an instance is locked to a user, they take a snapshot, create another instance using that snapshot, and modify the instance, have they essentially modified the original locked instance?
> I wanted to get input from the ML on whether it makes sense to disallow snapshot when an instance is locked.

Thanks for sending this email.

It is certainly my belief that the lock functionality for instances is
about avoiding accidental changes to the instance itself, not the
contents of the instance. I personally think that snapshots aren't a
change to the instance and therefore should be allowed, but I'd be
interested in other people's thoughts on this.


> [1] https://bugs.launchpad.net/nova/+bug/1314741

Rackspace Australia
