Skip to main content
IMHCloud Logo
Back to support home

Locking and Unlocking Instances in OpenStack

ComputeSecurity

Introduction

Instance locking in OpenStack provides an extra layer of protection against accidental modifications or deletions. When you lock an instance, it prevents most destructive operations from being performed, making it an essential safety feature for production workloads and critical infrastructure.

This guide walks through the process of locking and unlocking instances using both the OpenStack Dashboard (Horizon) and the command-line interface (CLI).

What Does Instance Locking Protect Against?

When an instance is locked, the following operations are blocked for non-administrative users:

  • Deleting the instance
  • Rebuilding the instance
  • Resizing or migrating the instance
  • Shelving or unshelving the instance
  • Pausing, suspending, or stopping the instance
  • Attaching or detaching volumes
  • Creating snapshots or backups
  • Changing instance metadata

Locking does not prevent administrative overrides. Users with administrative privileges can still perform these operations or unlock the instance.

Locking an Instance via OpenStack Dashboard

Follow these steps to lock an instance through the Horizon dashboard:

  1. Log in to your OpenStack Dashboard
  2. Navigate to Project > Compute > Instances
  3. Locate the instance you want to lock
  4. Click the Actions dropdown menu for that instance
  5. Select Lock Instance from the menu
  6. Confirm the lock operation when prompted

Once locked, you will see a small padlock icon next to the instance name, indicating its protected status.

Locking an Instance via OpenStack CLI

To lock an instance using the command-line interface:

1openstack server lock <instance-name-or-id>

Example:

1openstack server lock web-server-01

Verify the instance is locked:

1openstack server show <instance-name-or-id> | grep locked

Output should show:

1| locked | True |

Unlocking an Instance via OpenStack Dashboard

To unlock an instance through Horizon:

  1. Log in to your OpenStack Dashboard
  2. Navigate to Project > Compute > Instances
  3. Find the locked instance (indicated by a padlock icon)
  4. Click the Actions dropdown menu
  5. Select Unlock Instance
  6. Confirm the unlock operation

The padlock icon will disappear, and the instance will return to normal operational status.

Unlocking an Instance via OpenStack CLI

To unlock an instance using the CLI:

1openstack server unlock <instance-name-or-id>

Example:

1openstack server unlock web-server-01

Verify the instance is unlocked:

1openstack server show <instance-name-or-id> | grep locked

Output should show:

1| locked | False |

Administrative Override

Administrators with elevated privileges can override instance locks. If you need to perform maintenance on a locked instance, an administrator can:

  1. Force unlock the instance using administrative credentials
  2. Perform administrative operations even while the instance is locked

To force unlock as an administrator:

1openstack server unlock --os-compute-api-version 2.73 <instance-id>

Administrators can also perform most operations on locked instances without unlocking them first by using the --force flag where applicable.

Best Practices for Instance Locking

Lock production instances during critical periods Lock instances before scheduled maintenance windows, migrations, or major infrastructure changes to prevent accidental modifications.

Use locks for compliance requirements Some regulatory frameworks require change control procedures. Instance locks can serve as a technical control to enforce approval processes.

Document locked instances Maintain a record of which instances are locked and why. This helps team members understand the protection status without attempting operations.

Combine with IAM policies Use instance locks alongside Identity and Access Management (IAM) policies to create defense-in-depth for critical resources.

Review lock status regularly Periodically audit locked instances to ensure locks are still necessary and remove them when protection is no longer required.

Troubleshooting Common Issues

Cannot perform operation on instance If you receive an error stating that an operation is not permitted, check if the instance is locked using the openstack server show command.

Lock status not visible in dashboard Refresh your browser or clear the cache. The padlock icon should appear next to locked instances.

Administrative override not working Ensure you are using administrative credentials with the correct policy permissions in your OpenStack environment.

Automated scripts failing on locked instances Update automation scripts to check lock status before performing operations, or explicitly unlock instances as part of the workflow.

When to Contact Support

If you encounter any of the following situations, reach out to InMotion Cloud support:

  • Unable to unlock an instance despite having proper permissions
  • Lock status inconsistencies between dashboard and CLI
  • Permissions errors when attempting administrative overrides
  • Need assistance implementing lock policies across your project

Summary

Instance locking is a straightforward yet powerful feature in OpenStack that protects critical workloads from accidental modification or deletion. By incorporating locks into your operational procedures, you add an important safety layer to your cloud infrastructure. Remember that locks are designed to prevent accidents, not to serve as the primary security mechanism. Combine instance locking with proper IAM policies, role-based access control, and regular security audits for comprehensive protection.