Mirantis Training Blog: User Deletion and User VMs
Welcome to Mirantis Training’s monthly Q&A section. Here we answer questions that we have collected from students within our OpenStack courses over time. If you have a question that you would like a Mirantis technical instructor to answer, feel free to post your comments in the section below. We will do our best to cover your question in next month's post.
Are users’ VMs automatically deleted when the user is deleted in OpenStack?
No, virtual machines belonging to a particular user are not deleted when that user’s account is deleted in Keystone. In fact, very few resources attributed to an individual user are removed when the user is deleted. The reason is that, without a way to restore resources to their original state or to validate the decision before execution (through business logic or human intervention), proactively deleting these resources could be incredibly damaging. Since OpenStack is generally intended to be used in a multi-tenant deployment, there’s a high likelihood that the VMs from one user are currently being (or will one day be) used by other users with access to the same project. In addition, there’s always a chance of accidental user deletion, in which case an operator would hope for a way to re-create the user and return ownership of those resources.
Having said all that, the OpenStack development community is aware of the need to “clean up” resources deployed by a user after that user is intentionally removed. There are related blueprints and bugs detailing the efforts and considerations, for instance in Horizon and Neutron. These conversations only begin to scratch the surface of this complicated problem, as there are potentially multiple different types of resources that could be tied to a user and many different ways to measure whether or not resources are still in use. Considering that, even in a simple environment, a user could provision several networks via Neutron, block storage devices via Cinder, virtual machines via Nova and object stores via Swift, unplanned removal of all those resources could have disastrous results.
Looking at this from a different perspective, this problem could be solved with policies outlined and enforced by Congress, the OpenStack “Policy as a Service” project. As of the Kilo release, there is enough functionality to deliver an after-the-fact cleanup, for example by checking whether the assets can still be accessed by any active accounts. Additionally, for operators that need to remove resources after account deletion, there are some external “clean up” approaches available. For example, CloudWatt has written a client-side script called OSPurge (detailed in this blog post). Although VMs (and other resources) are not automatically cleaned up when a user account is deleted, you can see that there are multiple ways to programmatically remove and reclaim these resources. The best choice among these will be different from one environment to the next, but luckily there are many options available!
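The after-the-fact check described above, sketched as an added Python example (it is not Mirantis, Congress or OSPurge code): it labels each VM by whether its creator still exists in Keystone and whether any enabled account can still reach its project. The record layout, the IDs and the `classify_servers` helper are constructed for illustration; the function deletes nothing and only produces a review list.

```python
from collections import defaultdict

# Constructed sample inventory (not real API output): simplified records
# carrying the fields an operator would pull from Keystone and Nova.
USERS = [
    {"id": "u-alice", "enabled": True},
    {"id": "u-bob", "enabled": False},  # disabled, not deleted
    # "u-carol" and "u-dave" were deleted, so they no longer appear here
]
ROLE_ASSIGNMENTS = [
    {"user_id": "u-alice", "project_id": "p-web"},
    {"user_id": "u-bob", "project_id": "p-batch"},
]
SERVERS = [
    {"id": "vm-1", "user_id": "u-alice", "project_id": "p-web"},
    {"id": "vm-2", "user_id": "u-carol", "project_id": "p-web"},
    {"id": "vm-3", "user_id": "u-carol", "project_id": "p-lab"},
    {"id": "vm-4", "user_id": "u-dave", "project_id": "p-batch"},
]


def classify_servers(users, role_assignments, servers):
    """Label each server by whether its creator and project still have accounts."""
    active = {u["id"] for u in users if u["enabled"]}
    known = {u["id"] for u in users}
    # Enabled users that can still reach each project through a role assignment.
    project_members = defaultdict(set)
    for ra in role_assignments:
        if ra["user_id"] in active:
            project_members[ra["project_id"]].add(ra["user_id"])

    report = {}
    for s in servers:
        if s["user_id"] in known:
            report[s["id"]] = "owned"  # creator account still exists
        elif project_members[s["project_id"]]:
            report[s["id"]] = "orphaned-shared"  # creator gone, project in use
        else:
            report[s["id"]] = "orphaned-unreachable"  # no enabled account reaches it
    return report


if __name__ == "__main__":
    for server_id, status in classify_servers(USERS, ROLE_ASSIGNMENTS, SERVERS).items():
        print(server_id, status)
```

Only the "orphaned-unreachable" entries are candidates for reclamation; "orphaned-shared" VMs are the multi-tenant case where another project member may still depend on the resource, so they call for reassignment or human review instead.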
If you have additional questions about OpenStack, take a look at the OpenStack courses Mirantis Training offers. Our training is 100% vanilla OpenStack, with no vendor specific versions and/or proprietary implementations. Unlock your OpenStack skills by registering for a course today.