[openstack-dev] [nova] locked instances and snaphot

Andrew Laski andrew.laski at rackspace.com
Tue Jun 17 20:34:05 UTC 2014 

On 06/17/2014 03:03 PM, melanie witt wrote:
> On Jun 16, 2014, at 13:56, Michael Still <mikal at stillhq.com> wrote:
>
>> It is certainly my belief that the lock functionality for instances is
>> about avoiding accidental changes to the instance itself, not the
>> contents of the instance. I personally think that snapshots aren't a
>> change to the instance and therefore should be allowed, but I'd be
>> interested in other people's thoughts on this.
> Thank you for sharing your view. I'm also interested in hearing other thoughts -- if the consensus is to allow snapshot of a locked instance, I can close the loop on the lp bug for the reporter.
>
> If anyone else has some input on snapshotting locked instances, please chime in!

It appears that locking was added in 2010 
(8aea573bd2e44e152fb4ef1627640bab1818dede), at which time commit 
messages weren't nearly as clear and helpful as they now are so there's 
not much insight from that.  But the lock checking methods added at that 
time have a docstring that includes "decorator used for preventing 
action against locked instances".  So the original intent seems to be 
that API actions would not be allowed against locked instances.  From 
that point of view snapshotting should be disallowed.

Having said that, the main reason that I've heard for locks being used 
is to prevent accidental deletes.  And I've heard requests for locks 
that only prevent deletes.  So in my experience users want more granular 
locks, not more inclusive locking.  So I wouldn't consider it a bug that 
snapshots are allowed while an instance is locked.

But getting back to the original issue, I'm not sure locking snapshots 
is going to help.  The intent seems to be keeping users from gaining 
access to data that's within the instance.  But locks don't keep a user 
from seeing what's on the instance, or doing something like an LVM 
snapshot of the data from within the instance.




>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140617/d8cfbcea/attachment.html>

More information about the OpenStack-dev mailing list