Check for mounted volumes when adding VMs to a new vmgroup on create. #1190
Conversation
|
Fixes #1189 |
|
Can you elaborate what is the problem ? The bug description is not clear on this (too many symptoms and conditions). It is also not clear why a VM with volumes mounted should be blocked from moving to a group.... I thought unmount() is unrelated to specific tenant location and access right ? |
Sorry Mark for the confusion. I have updated the bug description to reduce the confusion ( #1189 ). @govint has summarize at #1189 (comment) |
|
This PR is only to handle the check for mounted volumes in a VM when a vmgroup is being created. The check is done for vmgroup replace and vmgroup rm commands. _DEFAULT is a vmgroup in itself so, trying to create a new vmgroup from VMs in _DEFAULT (added by default btw) should make the same check that volumes aren't already attached to those VMs. The issue with using VM uuid is a separate issue addressed via #1188. |
|
I still do not understand what is the issue with placing a VM with an attached volime in a group |
|
@govint, I have an offline chat with @msterin and summarizing the discussion here for your reference. It would be a troublesome for admin by blocking "vmgroup creation with vms having volumes mounted". There are two proposed approaches while dealing with VMs having volumes mounted on. Approach #1: Block the request at first attempt and allow Admin to perform the operation (if still wants) by supporting usability feature of Approach #2: Let the request go through and perform necessary cleanup/update at metadata file (KV file) whenever getting the unmount request after the operation (moving vm across vmgroup). An approach#1 would be preferable for the admin to decide whether moving VMs across vmgroups is desirable at any given point (when volumes are still in use by some of the vms). It would be troublesome for the admin if we stop the operation until VMs are freed up. By supplying While going with Approach #2 (current behavior), we may run into some corner cases (unknown at this point) to maintain consistency. By simply blocking/stopping the request doesn't sound convincing by taking account of usability from an admin point of view. @msterin, Please update as per necessity if I have misunderstood any part. |
|
Can I suggest the approach as proposed which matches the behavior in the
documentation. Flexibility to move a VM is still there to create a
vmgroup but allowing a force option will need kludge's in the service
coffee to handle such cases. Prefer keeping the behavior based on use
case vs. by testing which is a continuous feature creep.
.
|
|
Plus, adding a VM to create a vmgroup has to be done on the specific esx
host where the VM runs. Which itself is cumbersome. To avoid any issue with
trying to verify the VM with it's uuid.
.
|
|
I don't think documentation is our north star. Good user experience is. I simply do not understand what an admin is supposed to do if she wants to change a VM membership in a group, and is blocked by "volumes attached" error message. |
|
This check is in place for these actions on a vmgroup - replace, remove. And the doc says no VM in a vmgroup is allowed to have volumes in datastores not assigned to the VMgroup. User is expected to have stopped using the volumes in the datastore of the old group before assigning. |
|
Please do answer my question. I am the admin. I receive this error. What do I do next ? |
|
@msterin I think admin can first get ensure the volumes aren't attached (may be stop the containers) and then change the membership? what do you think? |
@pshahzeb Does it show how many volumes are currently attached to which vms? Let's say in the large scale setup 10 VMs are there and some of them are having volumes mounted. There is a requirement to move 10 VM from what is the expected behavior for |
|
@pshahzeb - which containers ? How does the admin finds them ? Specific steps/commands please. FWIW I don't think it's trivial or obvious, which is why I think --force option is goodness. But if we decide against it, we need step by step instructions on how to find offending containers. |
|
It's actually not about which containers. The VM is being moved and it
can't have volumes mounted. The same applies to VM group remove and replace
of vms
…On May 2, 2017 6:51 AM, "Mark Sterin" ***@***.***> wrote:
@pshahzeb <https://github.com/pshahzeb> - which containers ? How does the
admin finds them ? Specific steps/commands please. FWIW I don't think it's
trivial or obvious, which is why I think --force option is goodness. But if
we decide against it, we need step by step instructions on how to find
offending containers.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1190 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/APHseHH1HzaH29O8AzdzkY-G9e67QEIEks5r1oUwgaJpZM4NHfba>
.
|
esx_service/utils/auth_api.py
Outdated
| @@ -472,6 +472,12 @@ def _tenant_create(name, default_datastore, description="", vm_list=None, privil | |||
| if error_info: | |||
| return error_info, None | |||
|
|
|||
| error_info = vmdk_utils.check_volumes_mounted(vms) | |||
| if error_info: | |||
| error_info.msg = "VMs already have volumes in use, cannot add VMs to vmgroup. " + error_info.msg | |||
There was a problem hiding this comment.
error_info.msg = "Cannot add VM to vmgroup " + error_info.msg
to be consistent with other error message and error could be "VM not found"
esx_service/utils/auth_api.py
Outdated
| @@ -692,6 +698,12 @@ def _tenant_vm_add(name, vm_list): | |||
| if error_info: | |||
| return error_info | |||
|
|
|||
| error_info = vmdk_utils.check_volumes_mounted(vms) | |||
| if error_info: | |||
| error_info.msg = "VMs already have volumes in use, cannot add VMs to vmgroup. " + error_info.msg | |||
There was a problem hiding this comment.
Same thing.
error_info.msg = "Cannot complete vmgroup add " + error_info.msg
|
@msterin Agree. Admin experience isn't ideal. However, this is defensive edge case. Generally you would expect Admin to create vmgroup first before handing over control to developers. If needed we can document (KB) this error case. |
|
User experience is even worse if some containers are running in the VM and we force move the VM to another vmgroup with volumes attached and end up unmounting the volumes and making those containers fail in any way. The flip side is to allow access automatically in the target VM group for the datastores on which the volumes in use are located. Which is not desireable at all. Thats not the user intention to move a VM and the target group automatically gets access to some datastores. And as VMs get added to a certain group it starts accquiring access to all datastores? From the service logs, the error was the target vmgroup refused the detach request on unmount because the vmgroup didn't have those rights on the datastore. Supporting a force option will need intrusive special casing for these scenarios. |
|
@pdhamdhere I agree that user experience being bad in edge case is acceptable, that's why I asked to document step by step what is the manual actions the admin needs to take if she does want to move the VM. IMO the end result of this will be killing containers (if she finds them) which is similar to --force option but more complex and unpredictable. |
|
@msterin @pdhamdhere I'll make a doc PR to describe how vmgroup migration can be done. |
Added check in auth.api.py:_tenant_create() to check for volumes mounted before allowing to move the VMs into the VM group being created.
Test: