commit 922148ac45c5a70da8969815b4f47e3c758d6974
Author: Dan Smith <email address hidden>
Date: Fri Feb 27 07:30:10 2015 -0800

Allow disabling the evacuate cleanup mechanism in compute manager

This mechanism attempts to destroy any locally-running instances on
startup if instance.host != self.host. The assumption is that the
instance has been evacuated and is safely running elsewhere. This is
a dangerous assumption to make, so this patch adds a configuration
variable to disable this behavior if it's not desired.

Note that disabling it may have implications for the case where
instances *were* evacuated, given potential shared resources.
To counter that problem, this patch also makes _init_instance()
skip initialization of the instance if it appears to be owned
by another host, logging a prominent warning in that case.

As a result, if you have destroy_after_evacuate=False and you start
a nova compute with an incorrect hostname, or run it twice from
another host, then the worst that will happen is you get log
warnings about the instances on the host being ignored. This should
be an indication that something is wrong, but still allow for
fixing it without any loss. If the configuration option is disabled
and a legitimate evacuation does occur, simply enabling it and then
restarting the compute service will cause the cleanup to occur.

This is added to the workarounds config group because it is really
only relevant while evacuate is fundamentally broken in this way.
It needs to be refactored to be more robust, and once that is done,
this should be able to go away.

DocImpact: New configuration option, and peril warning
Partial-Bug: #1419785
Change-Id: Ib9a3c72c096822dd5c65c905117ae14994c73e99

Reviewed: https://review.openstack.org/159890
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=922148ac45c5a70da8969815b4f47e3c758d6974
Submitter: Jenkins
Branch: master
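
The startup decision described in the commit message, as a dry-run planner an operator could adapt before restarting a compute service. This is an added example, not code from the nova patch: the function names, the sample configuration and the instance records are constructed, and the default of True for a missing option is an assumption based on the commit's wording ("allow disabling").

```python
import configparser

# Constructed nova.conf fragment; group and option names are from the commit message.
SAMPLE_CONF = """
[DEFAULT]
host = compute-01
[workarounds]
destroy_after_evacuate = False
"""

# Constructed records: (instance uuid, instance.host as stored in the database).
SAMPLE_LOCAL_INSTANCES = [
    ("11111111-aaaa", "compute-01"),
    ("22222222-bbbb", "compute-02"),
    ("33333333-cccc", "compute-01"),
]


def load_settings(conf_text):
    """Return (self_host, destroy_after_evacuate) from nova.conf-style text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    host = cp.get("DEFAULT", "host")
    # Assumption: a missing option means the cleanup stays enabled.
    destroy = cp.getboolean("workarounds", "destroy_after_evacuate", fallback=True)
    return host, destroy


def plan_startup(self_host, destroy_after_evacuate, local_instances):
    """Classify each locally running instance without touching any of them."""
    plan = {}
    for uuid, instance_host in local_instances:
        if instance_host == self_host:
            plan[uuid] = "init"
        elif destroy_after_evacuate:
            plan[uuid] = "destroy"            # treated as evacuated elsewhere
        else:
            plan[uuid] = "skip-with-warning"  # owned by another host, left alone
    return plan


def report(conf_text, local_instances):
    host, destroy = load_settings(conf_text)
    return plan_startup(host, destroy, local_instances)


if __name__ == "__main__":
    print(report(SAMPLE_CONF, SAMPLE_LOCAL_INSTANCES))
```

Calling plan_startup with a host value that matches no record shows the mis-set hostname case: every instance is planned for destruction when the option is enabled, and only skipped with a warning when it is disabled.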