Allowing target state for evacuate¶
https://blueprints.launchpad.net/nova/+spec/allowing-target-state-for-evacuate
In certain circumstances the operator may desire to evacuate running instances to stopped state regardless of the current state of the instance.
Problem description¶
The current evacuate instance API does not allow operators to set a desired target state to the evacuated instances. Restoring the original state of the instance when it was active on the source host may result in issues if the guest required a valid token to be started or prevent evacuation when using encrypted volumes.
Use Cases¶
As an operator, I would like to be able to evacuate instances to a shut-off state because my tenant workloads may have specific security requirements, that do not allow them to be started by the administrator.
As an operator, I would like to be able to evacuate VMs with encrypted volumes without making the barbican secret readable by admins and reducing the security.
As a user, if my instance is offline due to a host outage, I don’t necessarily want an admin evacuating it and bringing it back online without my knowledge as I may have already replaced it and the zombie coming back may cause a conflict.
Proposed change¶
As of the bumped version, the API will force the stopped state for evacuated instances. It is expected that before the bumped version the behavior stay the same, instances with state active or stopped will keep their state at destination.
With the new microversion nova will always evacuate the instance to SHUTOFF state.
The only way to keep the instance state after the evacuation is to use an older microversion.
Alternatives¶
It may be possible to enhance the API resetState to accept RUNNING and SHUTOFF.
It may be possible to allow stop’s action working with compute node down, But that would have created incoherence between the database and the real state of the instance.
Data model impact¶
None.
REST API impact¶
A microversion bump is expected. But no changes in the schema will appear.
POST /servers/{server_id}/action
{ "evacuate": { "host": "b419863b7d814906a68fb31703c0dbd6", } }
Security impact¶
None.
Notifications impact¶
None.
Other end user impact¶
The nova api-ref will be updated to reflect the changes.
Related to openstack client, nothing is expected to change instead of a noop bump.
Performance Impact¶
None.
Other deployer impact¶
None.
Developer impact¶
It has been agreed that this spec would not resolve the design issue whereby the evacuate server action starts the virtual machines and then stops it when the target state is stopped. An issue has been reported at:
Upgrade impact¶
Upgrade note will be added describing new behavior.
An RPC change is expected to make the compute manager handle the new target state, resulting in the version being incremented.
At API level, a min version check will ensure that all services are new enough to accept the request, if not the request will be rejected with a NotSupported exception.
Implementation¶
Assignee(s)¶
- Primary assignee:
sahid-ferdjaoui
- Other contributors:
None
Feature Liaison¶
- Feature liaison:
None
Work Items¶
API changes with microversion
Testing for the changes.
Dependencies¶
None.
Testing¶
Unit and functional testing for API change.
Documentation Impact¶
The api-ref will be updated to reflect the changes.
References¶
History¶
Release Name |
Description |
---|---|
2023.1 - Antelope |
First introduction |