Skip deleting instance with delete protection during account cleanup #12901

Draft
sudo87 wants to merge 1 commit into apache:4.22 from shapeblue:honorDeleteProtection
sudo87 (Contributor) commented Mar 27, 2026

Description

This PR addresses #12895 by skipping Instances having deleteProtection enabled.

boring-cyborg bot added component:marvin Python Warning... Python code Ahead! labels Mar 27, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Fixes account/domain cleanup behavior to honor VM “delete protection” by skipping destruction/expunge of protected instances during account cleanup (addresses issue #12895).

Changes:

  • Skip destroy/expunge for instances that have deleteProtection enabled during cleanupAccount.

for (UserVmVO vm : vms) {
if (vm.isDeleteProtection()) {
logger.warn("Instance [id = {}, name = {}] has delete protection enabled and cannot be deleted.",
vm.getUuid(), vm.getName());
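
Review bot: the message passed to `logger.warn(...)` says the instance "cannot be deleted" but not that account cleanup is the operation that skipped it, and it names no account, so an operator reading the log later cannot tie the leftover instance to the deletion that left it behind. Suggest wording it as a skip during account cleanup and adding the account identifier if one is in scope at this point.
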
Copilot AI Mar 27, 2026
When a VM has delete protection enabled, this loop now continues without destroying/expunging it, but it also leaves accountCleanupNeeded unchanged. That means the cleanup can still be marked as complete (needsCleanup=false) even though protected instances remain under a removed account, potentially leaving orphaned VMs/resources with no follow-up cleanup attempts (e.g., in basic/shared-network setups where later network cleanup may still succeed).

Consider treating this as an incomplete cleanup: set accountCleanupNeeded = true when delete-protected VMs are found and/or fail the account/domain deletion with a clear error so operators can remove protection first, rather than silently completing cleanup.

Suggested change
vm.getUuid(), vm.getName());
vm.getUuid(), vm.getName());
accountCleanupNeeded = true;
Comment on lines +1003 to +1007
if (vm.isDeleteProtection()) {
logger.warn("Instance [id = {}, name = {}] has delete protection enabled and cannot be deleted.",
vm.getUuid(), vm.getName());
continue;
}
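
Review bot: the `continue` after the warning is the only handling of a protected instance, so from these lines the caller gets no signal (no flag, return value or exception) that something was left behind, and since `continue` means the check runs per instance inside the loop, instances earlier in the list have already been processed by the time a protected one is seen. If the intent is to refuse the operation, collect the delete-protected instances in a pass before the loop and return an error that lists them; if the intent is to skip, record the skip so the caller can report it.
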
Copilot AI Mar 27, 2026
This change introduces new behavior for account cleanup when deleteProtection is enabled, but there is no unit test covering it. Please add a test (e.g., in server/src/test/java/com/cloud/user/AccountManagerImplTest) that provides a UserVmVO with isDeleteProtection()==true and asserts the VM is not expunged (and that the account is handled as expected, e.g., marked for cleanup or the delete operation fails).

codecov bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.60%. Comparing base (c1af36f) to head (6569709).

Files with missing lines Patch % Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java 0.00% 3 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               4.22   #12901      +/-   ##
============================================
- Coverage     17.61%   17.60%   -0.01%     
+ Complexity    15676    15670       -6     
============================================
  Files          5917     5917              
  Lines        531537   531541       +4     
  Branches      64985    64986       +1     
============================================
- Hits          93610    93567      -43     
- Misses       427369   427421      +52     
+ Partials      10558    10553       -5     
Flag Coverage Δ
uitests 3.70% <ø> (ø)
unittests 18.67% <0.00%> (-0.01%) ⬇️

sureshanaparti (Contributor) commented Mar 27, 2026

@sudo87 is it good to check any instances with delete protection enabled before proceeding with account deletion, and fail the deletion with relevant msg, e.g. "cannot delete account, there are some instances with delete protection enabled"? The user/operator can disable the delete protection and retry the account deletion. Check if there is any provision to list delete protection enabled instances for the account.

@weizhouapache (Member)

> @sudo87 is it good to check any instances with delete protection enabled before proceeding with account deletion, and fail the deletion with relevant msg, e.g. "cannot delete account, there are some instances with delete protection enabled"? The user/operator can disable the delete protection and retry the account deletion. Check if there is any provision to list delete protection enabled instances for the account.

agree

sudo87 (Contributor Author) commented Mar 27, 2026

@sureshanaparti @weizhouapache

Does this mean that account deletion should not be allowed if any VM/instance has delete protection enabled? If so, we can add an early validation check and return with an error.

@sureshanaparti (Contributor)

> @sureshanaparti @weizhouapache
>
> Does this mean that account deletion should not be allowed if any VM/instance has delete protection enabled? If so, we can add an early validation check and return with an error.

yes @sudo87
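
The early validation agreed on in the replies above, as an added example that is not part of this PR or of CloudStack's code: the check runs before any destructive step, so either every instance may be removed or nothing is touched. The `Vm` record, `AccountDeletionBlockedException`, the method names and the sample data are hypothetical stand-ins (Java 16+).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical stand-ins for illustration; these are not CloudStack classes.
public class DeleteProtectionPrecheck {
    record Vm(String uuid, String name, boolean deleteProtection) {}

    static class AccountDeletionBlockedException extends RuntimeException {
        AccountDeletionBlockedException(String msg) { super(msg); }
    }

    // Pre-check: refuse the whole operation and list every protected instance,
    // so the operator can disable protection on all of them and retry once.
    static void assertNoDeleteProtectedInstances(String account, List<Vm> vms) {
        List<Vm> blocked = vms.stream().filter(Vm::deleteProtection).collect(Collectors.toList());
        if (blocked.isEmpty()) {
            return;
        }
        String names = blocked.stream()
                .map(vm -> vm.name() + " (" + vm.uuid() + ")")
                .collect(Collectors.joining(", "));
        throw new AccountDeletionBlockedException("Cannot delete account " + account
                + ": delete protection is enabled on " + blocked.size() + " instance(s): " + names);
    }

    // Returns the UUIDs that were removed. The loop is reached only after the
    // pre-check passes, so a protected instance never leaves a half-cleaned account.
    static List<String> cleanupAccount(String account, List<Vm> vms) {
        assertNoDeleteProtectedInstances(account, vms);
        List<String> expunged = new ArrayList<>();
        for (Vm vm : vms) {
            expunged.add(vm.uuid()); // placeholder for the real destroy + expunge call
        }
        return expunged;
    }

    public static void main(String[] args) {
        // Constructed sample data: one unprotected and one protected instance.
        List<Vm> mixed = List.of(new Vm("uuid-1", "web-01", false), new Vm("uuid-2", "db-01", true));
        try {
            cleanupAccount("acme", mixed);
        } catch (AccountDeletionBlockedException e) {
            System.out.println(e.getMessage()); // web-01 was not touched
        }
        System.out.println(cleanupAccount("acme", List.of(new Vm("uuid-1", "web-01", false))));
    }
}
```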
