Did we really need another top-level thread for this? > 1. _destroy_evacuated_instances() should do a better job of sanity > checking before performing such a drastic action.
I agree, and no amount of hostname checking will actually address this problem. If we don't have a record of an evacuate having been scheduled for the host, then there is no legitmate reason to delete data, IMHO. > 2. The underlying issue is the definition and use of instance.host, > instance.node, compute_node.host and compute_node.hypervisor_hostname. I disagree. I think the underlying issues are: 1. Evacuate assumes too much 2. Nova has a model of one compute per hypervisor and we have some drivers that make it easy to violate that in dangerous ways, and which don't do their due diligence to avoid catastrophe. > Note that in the above case the libvirt driver changed the hypervisor > identifier despite the fact that the hypervisor had not changed, only > its communication endpoint. I'd argue they're one and the same, and that's just fine. We just shouldn't erroneously delete things when that happens unexpectedly. > VMware and Ironic don't require any changes here. But they're broken! If they are managing things from another point that can be duplicated and they don't provide assurances that it's not being done twice, then that's a problem. I (and others) have argued that nova's model is one compute per hypervisor. I don't think it should be up to nova to ensure that, I think it should be up to the driver. Nova needs to stop deleting things based on cheap guessing. However, if two hypervisor drivers claim they're different and that they have deleted running instances (which is what is going on here), I have little sympathy. > Other drivers will need to be modified so that get_available_nodes() > returns a persistent value rather than just the hostname. -1 on making the non-problematic drivers (potentially) maintain state and leaving the problematic ones unchanged. > A reasonable default implementation of this would be to write a uuid > to a file which lives with VM data and return its contents. If the > hypervisor has a native concept of a globally unique identifier, > that should be used instead. Those drivers shouldn't have to maintain state. And they already have a unique identifier: the hostname. --Dan
Description: OpenPGP digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev