Comment 4 for bug 1947753

Balazs Gibizer (balazs-gibizer) wrote :

I think nova only destroys evacuated instances during init_host[1] and does not do it periodically. So this is not a race.

I do agree that if instances are evacuated without the compute node being properly fenced, that could lead to VM duplication and corruption.

I think we should at least discuss if we want to call _destroy_evacuated_instances() from a periodic to somehow mitigate the issue. But it would be racy as you noted above.

Another option is to only allow evacuation if the operator first forced the compute down via the API, to make it explicit that the node needs to be fenced before it can be evacuated. However, this would be an API semantic change.

[1] https://github.com/openstack/nova/blob/00452a403b57723b364477082ce1587a909b2a6b/nova/compute/manager.py#L1440
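To make the two mechanisms discussed in the comment concrete, the following is an added Python model written for this page; it is not nova's code and the comment author did not post it. It models the init_host-time cleanup (destroy local guests whose instance has a completed evacuation migration away from this host and is now owned by another host) and the forced-down gate the comment proposes. All names (Instance, Migration, Service, evacuate, destroy_evacuated_instances, can_evacuate, duplicated_guests) are hypothetical stand-ins, the migration status filtering is simplified, and the instance and migration records are constructed for the walk-through.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Instance:
    uuid: str
    host: str                      # host the database currently assigns the instance to
    running_on: Set[str] = field(default_factory=set)  # hypervisors where a guest process exists


@dataclass
class Migration:
    instance_uuid: str
    migration_type: str
    source_compute: str
    dest_compute: str
    status: str


@dataclass
class Service:
    host: str
    up: bool = True                # heartbeat-derived state
    forced_down: bool = False      # set explicitly by the operator through the services API


def can_evacuate(service: Service) -> bool:
    """Gate sketched in the comment: allow evacuation only when the operator has
    explicitly forced the service down (a hypothetical rule, not nova's current check)."""
    return service.forced_down


def evacuate(inst: Instance, dest: str) -> Migration:
    """Rebuild the guest on dest and record a completed evacuation migration.
    Nothing here touches the old host, which is the point: an unfenced source
    may still be running its own copy of the guest."""
    mig = Migration(inst.uuid, "evacuation", inst.host, dest, "done")
    inst.host = dest
    inst.running_on.add(dest)
    return mig


def evacuated_from(host: str, migrations: List[Migration]) -> Dict[str, Migration]:
    """Completed evacuations whose source was this host (simplified status filter)."""
    return {m.instance_uuid: m for m in migrations
            if m.migration_type == "evacuation"
            and m.source_compute == host
            and m.status == "done"}


def destroy_evacuated_instances(host: str, local: List[Instance],
                                migrations: List[Migration]) -> List[str]:
    """Model of the init_host cleanup: destroy local guests whose instance was
    evacuated away from this host and is now owned by another host."""
    evacuated = evacuated_from(host, migrations)
    destroyed = []
    for inst in local:
        if inst.uuid in evacuated and inst.host != host and host in inst.running_on:
            inst.running_on.discard(host)   # stands in for driver.destroy()
            destroyed.append(inst.uuid)
    return destroyed


def duplicated_guests(instances: List[Instance]) -> Set[str]:
    """Instances with a live guest on more than one hypervisor: the duplication
    (and, with shared storage, corruption) hazard the comment describes."""
    return {i.uuid for i in instances if len(i.running_on) > 1}


def scenario():
    """Constructed walk-through: compute1 goes down unfenced, inst-a is evacuated
    to compute2, and compute1 later comes back and runs the startup cleanup."""
    a = Instance("inst-a", "compute1", {"compute1"})
    b = Instance("inst-b", "compute1", {"compute1"})
    compute1 = Service("compute1", up=False)      # down by heartbeat, never fenced
    gate_allows = can_evacuate(compute1)          # False: operator did not force it down
    migrations = [evacuate(a, "compute2")]        # evacuation proceeds anyway (current semantics)
    dup_before = duplicated_guests([a, b])        # inst-a lives on both hosts until compute1 restarts
    destroyed = destroy_evacuated_instances("compute1", [a, b], migrations)
    dup_after = duplicated_guests([a, b])
    return gate_allows, dup_before, destroyed, dup_after


if __name__ == "__main__":
    print(scenario())
```

The window between `evacuate` and `destroy_evacuated_instances` is where both copies of inst-a exist; only a restart of compute1 closes it in this model, which is why the comment weighs a periodic cleanup against an explicit forced-down precondition.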