[dev][nova][glance] Interesting bug about deleting shelved server snapshot

Brian Rosmaita rosmaita.fossdev at gmail.com
Thu Dec 6 16:17:57 UTC 2018


(Just addressing the specific Glance questions, not taking a position on
the proposal.)

On 12/6/18 7:45 AM, Matt Riedemann wrote:
> I came across this bug during triage today:
> 
> https://bugs.launchpad.net/nova/+bug/1807110
> 
> They are advocating that nova/glance somehow keep a shelved server
> snapshot image from being inadvertently deleted by the user since it
> could result in data loss as they can't unshelve the server later (there
> is metadata in nova that links the shelved server to the snapshot image
> in glance which is used during unshelve).
> 
> I don't see a base description field on images but I suppose nova could
> write a description property that explains what the snapshot is and warn
> against deleting it.

Yes, any user can add a 'description' property (unless prohibited by
property protections).

> Going a step further, nova could potentially set the protected flag to
> true so the image cannot be deleted, but I have two concerns about that:
> 
> 1. I don't see any way to force delete a protected image in glance -
> does that exist or has it been discussed before?

You cannot force delete a protected image in glance, but an admin can
PATCH the image to update 'protected' to false, and then delete the
image, which is functionally the same thing.

> 
> 2. Would the user be able to PATCH the image to change the protected
> value to false and then delete the image if they really wanted to?

Yes, replacing the value of the 'protected' property on an image can be
done by the image owner.  (There is no specific policy for this other
than the generic "modify_image" policy.  I guess I should mention that
there's also a "delete_image" policy.  The default value for both
policies is unrestricted ("").)

> 
> The other problem with nova marking the image as protected is that if
> the user deletes the server, the compute API tries to delete the
> snapshot image [1] which would fail if it's still protected, and then we
> could see snapshot images getting orphaned in glance. Arguably nova
> could detect this situation, update the protected field to false, and
> then delete the image.
> 
> Other thoughts? Has this come up before?
> 
> [1]
> https://github.com/openstack/nova/blob/c9dca64fa64005e5bea327f06a7a3f4821ab72b1/nova/compute/api.py#L1950
> 
> 
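The sequence discussed above, as an added sketch that is not part of the original message and is not nova or Glance code: a protected snapshot refuses deletion, the owner replaces 'protected' with a JSON-patch body, and the delete then succeeds. `FakeGlance`, `Forbidden` and `delete_shelved_snapshot` are hypothetical names, and the refusal of non-owners is a simplifying assumption of the model.

```python
import json

class Forbidden(Exception):
    """Stands in for an HTTP 403 from the image API."""

class FakeGlance:
    """Constructed in-memory model; not the real Glance client or server."""
    def __init__(self):
        self.images = {}

    def create(self, image_id, owner, protected=False):
        self.images[image_id] = {"owner": owner, "protected": protected}

    def _authorize(self, image_id, project, is_admin):
        # "modify_image" and "delete_image" default to "" (unrestricted), so
        # this model gates only on ownership or admin (assumption of the sketch).
        if not is_admin and self.images[image_id]["owner"] != project:
            raise Forbidden("not the image owner")

    def patch(self, image_id, body, project, is_admin=False):
        self._authorize(image_id, project, is_admin)
        for op in json.loads(body):
            if op["op"] == "replace" and op["path"] == "/protected":
                self.images[image_id]["protected"] = bool(op["value"])

    def delete(self, image_id, project, is_admin=False):
        self._authorize(image_id, project, is_admin)
        if self.images[image_id]["protected"]:
            raise Forbidden("image is protected")
        del self.images[image_id]

# JSON-patch document that replaces the 'protected' property with false.
UNPROTECT = json.dumps([{"op": "replace", "path": "/protected", "value": False}])

def delete_shelved_snapshot(glance, image_id, project):
    """Try to delete; if refused, unprotect and retry. Returns the steps taken."""
    steps = []
    try:
        glance.delete(image_id, project)
    except Forbidden:
        steps.append("refused")
        glance.patch(image_id, UNPROTECT, project)  # raises again for non-owners
        steps.append("unprotected")
        glance.delete(image_id, project)
    steps.append("deleted")
    return steps
```

Because the owner can run the same two calls, the flag in this model guards against an inadvertent delete rather than a deliberate one.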