summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwangxiyuan <wangxiyuan@huawei.com>2017-09-11 09:51:13 +0800
committerwangxiyuan <wangxiyuan@huawei.com>2018-03-07 09:29:49 +0800
commite997a573c4d20645b004f101a10038adb1d98c18 (patch)
tree4b6f647ec96f7a0268c502c844f5274d102d05cc
parentef0df98f9e89225661ecfabc66babce2a5b47304 (diff)
Pending-delete rollback ability
Glance support soft delete images with delayed_delete feature. If this feature is open, when users delete a image, the image will first be in a special 'pending_delete' status that is not displayed in the API response. And then the image will be deleted by glance-scrubber process. But currently, there is no way to revert the pending-delete images. Once the admin operators want to revert the delete action, Glance should give them this kind of ability. This patch will enhance the glance-scrubber tool to support restoring the image from pending-delete to active. Although, whether the rollback of a particular image is possible or not depends upon Glance configuration option settings and quick operator action. Change-Id: I0202b754815a3d2133a57ef987741c7b12c29ff3 blueprint: pending-delete-rollback
Notes
Notes (review): Code-Review+2: Brian Rosmaita <rosmaita.fossdev@gmail.com> Code-Review+2: Abhishek Kekane <akekane@redhat.com> Workflow+1: Abhishek Kekane <akekane@redhat.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 09 Mar 2018 07:08:36 +0000 Reviewed-on: https://review.openstack.org/502367 Project: openstack/glance-specs Branch: refs/heads/master
-rw-r--r--specs/rocky/approved/glance/Support-revert-pending-delete.rst186
1 files changed, 186 insertions, 0 deletions
diff --git a/specs/rocky/approved/glance/Support-revert-pending-delete.rst b/specs/rocky/approved/glance/Support-revert-pending-delete.rst
new file mode 100644
index 0000000..caed5ef
--- /dev/null
+++ b/specs/rocky/approved/glance/Support-revert-pending-delete.rst
@@ -0,0 +1,186 @@
1..
2 This work is licensed under a Creative Commons Attribution 3.0 Unported
3 License.
4
5 http://creativecommons.org/licenses/by/3.0/legalcode
6
7===================================
8Support revert pending delete image
9===================================
10
11https://blueprints.launchpad.net/glance/+spec/pending-delete-rollback
12
13Glance support soft delete images. If this feature is enabled, when users
14delete an image, the image and its locations will first be in a special
15`pending_delete` status that is not displayed in the API response. Then the
16image will be deleted by ``glance-scrubber`` process in period. But now, there
17is no way to revert/rollback the `pending_delete` images to `active`.
18
19
20Problem description
21===================
22
23Delayed_delete feature is usually used when the image is too large to delete at
24once. With this feature, then the image data will not be deleted at once and
25will be cleaned by ``glance-scrubber`` process. The problem is that there is no
26way to revert the delete action if the image is deleted by mistake. The only
27way admin operator can do is to wait until the image data is deleted and then
28reupload image data again.
29
30
31Proposed change
32===============
33
34This proposal aims to recover an image which is in `pending_delete` state so
35as to provide the revert capability for the purposes of allowing emergency
36operational action to recover an accidental delete. It is important to keep in
37mind, however, that whether the recovery of a particular image will be possible
38or not depends upon Glance configuration option settings and quick operator
39action.
40
41Since the `pending_delete` image will be only deleted by ``glance-scrubber``
42and it's an admin action, there is no need to expose a new API. A better way is
43to enhance ``glance-scrubber`` to support restoring the image from
44`pending_delete` status to `active`.
45
46A new parameter called `--restore` will be added to ``glance-scrubber``
47command. The usage is like: `glance-scrubber --restore <image_id>`.
48``glance-scrubber`` first checks to see if the scrubber process is running, if
49so, an error message that there is a scrubber currently running and you must
50kill it first & scrubber terminates will be raised to admin. If not, scrubber
51will switch image status from `pending_delete` to `active`.
52
53Please be sure that the ``glance-scrubber`` daemon is killed before restore
54the `pending_delete` image to avoid image data inconsistency. After restoring
55the image, ``glance-scrubber`` daemon can be restarted.
56
57Limitations
58-----------
59
60This is intended as an emergency operation for the use case where an operator
61inadvertently deletes an important image and immediately realizes the mistake
62and takes action within the ``scrub_time`` seconds set in the glance-api.conf
63file. The `pending-delete` status is a purely internal Glance status and the
64image still shows as being in `deleted` status in API responses. Thus there is
65no way to tell via the API whether an image may be restorable or not.
66
67Further, when the image is restored, some of its metadata is irrecoverable. Any
68additional properties, tags, or members will not be restored. In other words,
69this is purely a possible data recovery operation, not a full image restore.
70
71Alternatives
72------------
73
74The alternative way which is not recommend is to create a new API to revert the
75`pending_delete` images:::
76
77 POST /v2/images/{images_id}/actions/revert
78
79The response body could be like:::
80
81 Response: 200 OK
82 {
83 "status":"active",
84 "name":"cirros-0.3.1-x86_64-uec",
85 "tags":[
86 ],
87 "kernel_id":"be50418b-a03c-4947-9122-b80a57f47ac4",
88 "container_format":"ami",
89 "created_at":"2017-09-11T08:42:14Z",
90 "ramdisk_id":"e1256074-9f7b-4067-8356-4a5759c1db11",
91 "disk_format":"ami",
92 "updated_at":"2017-09-11T08:42:16Z",
93 "visibility":"public",
94 "self":"/v2/images/26c16e07-24ca-4abc-a523-bec068012363",
95 "protected":false,
96 "id":"26c16e07-24ca-4abc-a523-bec068012363",
97 "file":"/v2/images/26c16e07-24ca-4abc-a523-bec068012363/file",
98 "checksum":"f8a2eeee2dc65b3d9b6e63678955bd83",
99 "min_disk":0,
100 "size":25165824,
101 "min_ram":0,
102 "schema":"/v2/schemas/image"
103 }
104
105
106Data model impact
107-----------------
108
109Allow image status changing from `pending_delete` to `active`.
110
111REST API impact
112---------------
113
114None.
115
116Security impact
117---------------
118
119This is an administrator action. No security impact at all.
120
121Notifications impact
122--------------------
123
124None.
125
126Other end user impact
127---------------------
128
129There is no impact for non-admin users. For administrators, they'll have the
130ability to rollback the image's status from `pending_delete` to `active` by
131``glance-scrubber`` tool.
132
133Performance Impact
134------------------
135
136None
137
138Other deployer impact
139---------------------
140
141None
142
143Developer impact
144----------------
145
146None
147
148
149Implementation
150==============
151
152Assignee(s)
153-----------
154
155wangxiyuan(wangxiyuan@huawei.com)
156
157Work Items
158----------
159
160* change ``glance-scrubber`` to include the `--restore <image_id>` option.
161* change the image status transition to allow: `pending_delete` -> `active`
162* Update the related documentation and test.
163* Release note should be added.
164
165Dependencies
166============
167
168None
169
170
171Testing
172=======
173
174Related unit test should be added.
175
176
177Documentation Impact
178====================
179
180Related doc should be updated.
181
182
183References
184==========
185
186None.