Virtual Machine Deletion Protection

[abudhu]

Feature Requests -

Application: Cockpit-Machines

Requests: On a virtual machine, a settings flag which prevents deletion of the machine. This should only be able to be set by the administrator of the virtual machine.

Why: To prevent accidental deletion of Virtual Machines by users (any or self). Currently, the delete screen prompts - yes, but it would be better if the user can simply be denied the ability to delete the VM at all. Something akin to "VM is Protected and cannot be deleted. Please contact Administrator"

[martinpitt]

Sorry, this isn't going to happen. libvirt does not have an API for this, and either way it does not really make much sense: If you can create a VM, you are the administrator. On qemu:///system you need to be a sudoer, and on qemu:///session you are the sole owner.

[abudhu]

Fair. Would it have to be an ability through LibVirt though? Can it not be a flag set via Cockpit that simply prevents the action from taking place?

If cockpit-vm-protect-flag = true, then deny libvirt action delete?

Further, the prevention deletion of VMs is something that all major Cloud Providers offer, so it's not unheard of. Not sure why the use case wouldn't make sense here as well.

[KKoukiou]

Hi @abudhu. I see what you talk about, it's something like https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion

The issue I see here is that there is way to offer real protection via cockpit.

The user who has enough permissions to manipulate the VM, start/stop etc (who is eventually the one we want to prevent from deleting the VM) can also modify the VMs XML in order to set the cockpit-vm-protect-flag=false in the metadata, and then delete the VM with the normal workflow.

If you want to give some more insight of how these would be possible in a really safe implementation, I am happy to hear, but I also don't feel that's something for the cockpit-machines world.

[martinpitt]

Well, the request was for accidental deletion, not malicious. As you say, there is no way to really prevent it, one can just make it a bit harder. But if it happens that someone accidentally deletes a machine through a mis-click, then we have an UI problem anyway. (I don't believe we do, though). So I suppose this isn't for a mouse slip, but the admin really wanted to delete the selected machine, but didn't realize that it was important?

[abudhu]

Apologies, I am not talking about malicious intent. Completely agree, that if you are the admin you can and will find a way to remove and delete whatever you need. This request was purely to prevent accidental deletion.

Perhaps something more akin to Azure, where it is a simple Locking mechanism:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

In the Azure world, yes an Administrator can remove the lock and delete the VM. That's fine. However, it prevents even the admin or any user from deleting the VM without removing the lock. This ensures certain systems (like AD) cannot simply be accidentally removed by a fat finger, mouse slip, or wayward script.

For example:

The other day I was spinning up and down VMs. I do have "production"-alized VMs running. I came very close to just deleting a production machine. Additionally, you can think of a scenario where I would want to script mass creations/deletions. If I fat figure my code, I would want some level of ability to prevent a VM from being removed.