Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-184

Evacuate to STOPPED

XMLWordPrintable

    • Evacuate to STOPPED
    • 1
    • False
    • Hide

      None

      Show
      None
    • False
    • Committed
    • Committed
    • To Do
    • OSP-14490 - Large scale scheduling
    • openstack-nova-27.1.1-18.0.20230930093334.a869ab1.el9ost
    • Committed
    • Committed
    • 25% To Do, 0% In Progress, 75% Done
    • Hide
      .Evacuate to STOPPED with v2.95

      Starting with the v2.95 micro version, any evacuated instance will be stopped at the destination. Operators can still continue using the previous behaviour by selecting a microversion below v2.95.
      Prior to v2.95, if the VM was active prior to the evacuation, it was restored to the active state following a failed evacuation. If the workload encountered I/O corruption as a result of the hypervisor outage, this could potentially make recovery effort harder or cause further issues if the workload was a clustered application that tolerated the failure of a single VM. For this reason, it is considered safer to always evacuate to Stopped and allow the tenant to decide how to recover the VM.
      Show
      .Evacuate to STOPPED with v2.95 Starting with the v2.95 micro version, any evacuated instance will be stopped at the destination. Operators can still continue using the previous behaviour by selecting a microversion below v2.95. Prior to v2.95, if the VM was active prior to the evacuation, it was restored to the active state following a failed evacuation. If the workload encountered I/O corruption as a result of the hypervisor outage, this could potentially make recovery effort harder or cause further issues if the workload was a clustered application that tolerated the failure of a single VM. For this reason, it is considered safer to always evacuate to Stopped and allow the tenant to decide how to recover the VM.
    • Enhancement
    • Done
    • Automated
    • Compute

      Problem description

      The current evacuate instance API does not allow operators to set a desired target state to the evacuated instances. Restoring the original state of the instance when it was active on the source host may result in issues if the guest required a valid token to be started or prevent evacuation when using encrypted volumes.

      Use Cases

      • As an operator, I would like to be able to evacuate instances to a shut-off state because my tenant workloads may have specific security requirements, that do not allow them to be started by the administrator.
      • As an operator, I would like to be able to evacuate VMs with encrypted volumes without making the barbican secret readable by admins and reducing the security.
      • As a user, if my instance is offline due to a host outage, I don’t necessarily want an admin evacuating it and bringing it back online without my knowledge as I may have already replaced it and the zombie coming back may cause a conflict.

      Proposed change

      As of the bumped version, the API will force the stopped state for evacuated instances. It is expected that before the bumped version the behavior stay the same, instances with state active or stopped will keep their state at destination.

      With the new microversion nova will always evacuate the instance to SHUTOFF state.

      The only way to keep the instance state after the evacuation is to use an older microversion.

            rh-ee-auniyal Amit Uniyal
            alifshit@redhat.com Artom Lifshitz
            rhos-dfg-compute
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: