High risk of dataloss through human oversight

S

Sascha

New Member
Sep 16, 2010
26
0
1
Hello,

at first: Proxmox 2 looks great, thank you so far...

I sadly have to announce a small mistake in the conceptual design of the Proxmox web GUI:

The "remove" button for removing VMs is located at the very top right corner of the Proxmox administrations webpage (in the near of the star, stop and console buttons).
And at top of some property pages (e.g. Virtual Machine -> Hardware) besides another "remove" button for removing ressources (e.g. hardware ressources).

While working with the console, starting/shutting down VMs and removing some virtual hardware, I accidently deleted whole virtual machines. And if one had created logical volumes by hand, Proxmox shouldnt delete them automatically while deleting VMs.

So, I think there is a high risk of human caused data-loss while working extensively on the Proxmoxs GUI.

Regards,
Sascha
 
Last edited:
Sascha said:
...

So, I think there is a high risk of human caused data-loss while working extensively on the Proxmoxs GUI.

Regards,
Sascha
Click to expand...

yes, live is dangerous. it always ends with the death ...

all remove actions of VM´s are asking again with a warning "Are you sure you want to remove VM xxx? This will permanently erase all VM data."

So its a double check which is the common way. If you click yes, data is gone. I doubt that it will be better if we ask a third time. better: create a user without permission to delete VM´s.

If you remove a harddisk from the VM via the options tab, only the config is removed and the disk show as "unused" and can be still added again.
 
Last edited:
Sure, Proxmox asks again before deleting VMs. But it also asks the same way before deleting tiny things like virtual network-cards... And this cases of deletion are not equivalent in view of their consequences.

And yes, life is dangerous, but I'm still living many years instead of keeping the VMs data for a couple of days. The whole data (incl. all logical volumes which I manually added) have been deleted. And I'm sure, that I'm not the only one who will have experienced this problem.

I'm not having problems to get rid of this situation. Just wanted to help and let you know... I think it would be great to place a checkbox into the "Are you sure?"-qustion or at least renaming the Button "remove" => "remove VM+LVs"
 
Last edited:
Sascha said:
Sure, Proxmox asks again before deleting VMs. But it also asks the same way before deleting tiny things like virtual network-cards... And this cases of deletion are not equivalent in view of their consequences.

And yes, life is dangerous, but I'm still living many years instead of keeping the VMs data for a couple of days. The whole data (incl. all logical volumes which I manually added) have been deleted. And I'm sure, that I'm not the only one who will have experienced this problem.

I'm not having problems to get rid of this situation. Just wanted to help and let you know... I think it would be great to place a checkbox into the "Are you sure?"-qustion or at least renaming the Button "remove" => "remove VM+LVs"
Click to expand...

Asking a third time is very annoying for 99 % of the users. Asking multiple times just the same question is waste of time. For daily use, create a user with minimal rights.
 
tom said:
Asking a third time is very annoying for 99 % of the users. Asking multiple times just the same question is waste of time. For daily use, create a user with minimal rights.
Click to expand...

The most users won't intend to delete VMs very often. As I said... just renaming the buttons would be enough... Placing a checkbox into the "Are you sure?"-question would be most sophisticated.

I renamed my buttons... I think this should be a serious topic for the developers as well - among all efforts to achieve technical reliability...
 
Last edited:
Sascha -
make sure backups are done often and rsynced to other server disks. We also use usbmount and a script to copy to usb for offsite backup.

I have no problem with the PVE interface. I do have problems with sometimes working too long and making mistakes.
 
bread-baker said:
Sascha -
I have no problem with the PVE interface. I do have problems with sometimes working too long and making mistakes.
Click to expand...
dito. Nevertheless, professional software like Proxmox should not unnecessarily bring forward crucial human mistakes which could end up in data-loss...

Think probabilistic... Compare expectation value (for the whole mass of users) and cost of correction for this tiny problem...

I had a backup, solved the problem by myself and just wanted to help.
 
You could write an add on for people who click a warning with out paying attention to it. some kind of sensor that checks the length of time between the amount of time between the pop up and doing a click. check out the patch submitter process.
 
When deleting hardware the dialog box says:
Code: 
Are you sure you want to remove entry 'XXXXXXXXX'

When deleting the VM the dialog box says:
Code: 
Are you sure you want to remove VM XXX? This will permanently erase all VM data.

The warnings are clear and "all VM data" would include the logical volumes even if you created them on your own.
So I do not see anything wrong with the VM removal process, you press a button then it explains the action asking if you are sure.
If someone is going to blindly press yes, they will also blindly tick a checkbox and press yes.
The GUI can not force people to read the dialog boxes.....

But there is a problem with the GUI and I agree it should be fixed.
When looking at a VMs hardware tab there are two "remove" buttons, one to remove hardware and one to remove the VM.
Yes they are in different locations, however they are both named remove and that can easily confuse someone.
The GUI should never confuse the user and when looking at the Hardware tab of a VM seeing two remove buttons is confusing:
removebuttons.png

It is not intuitive what remove button does what.
The only reason I know what button does what is because I already know, a user who is unfamiliar with the GUI could easily be confused.
 
Lol... I rebooted a hardware node though exactly the same sort of 'user error'

When under pressure.... Mistakes happen!


Sent from my iPhone using Tapatalk
 
e100 said:
...
If someone is going to blindly press yes, they will also blindly tick a checkbox and press yes.
The GUI can not force people to read the dialog boxes.....
Click to expand...
At this point I don't agree. The warnings are only clear in juristic way. If you delete a bunch of Hardware in several VMs/CTs, a "Are you sure..."-question is appearing in every single hardware deletion case - looking quiete similar like the question which pops up while deleting virtual machines. Therefore, if you add/delete hardware very often, you won't read this message anymore.

So, if you accidentaly click the wrong remove-button then something eye-catching has to happen. e.g. red text, checkbox or something like that. Anyway, such buttons should never have the same caption and should not be positioned on the main screen + far away from the VM/CT list

So, just implementing one of the above suggestions would improve the situation - whereby there exist several other small solutions. I simply renamed the buttons in my Proxmox.

I agree in that point that asking two times is not the solution, because its nasty and even not eye-catching enough.

The only reason I know what button does what is because I already know, a user who is unfamiliar with the GUI could easily be confused.
Click to expand...
The human brain doesn't work like that - it mainly works intuitive. Therefore, you might fall into the trap even if you know... Its just a matter of probability...

And the standard-value in critical confirmations shouldn't be "YES"... If the removeVM button is selected (simply press 3 times tab after selection of VM/CT in the list), it even could accidentally happen that you delete all your data (just press 2 times space).

All this seems unprofessional concerning the data safety. Genuinely... This should be improved.
 
Sascha said:
Therefore, if you add/delete hardware very often, you won't read this message anymore.
Click to expand...

Well I always read them because I do not like making mistakes.
Doing things right the first time is always more productive than doing them fast and making mistakes.

If your argument is that "you won't read this message anymore" then why have the message at all?
Make it red with blinking text, add a skull and cross bone icon, have it cover the whole screen and someone, somewhere, will still not read it and blindly click yes.

I think the "remove" VM button should be named "Destroy VM" I think that would clear up this issue good enough.
Remove hardware vs Destroy VM, seems intuitive enough to me.

I would also be ok with placing the remove VM button in some other place.
Why does it need to be so prominent with common functions like start/stop?
Too easy to press Remove vs Restart for example.
 
okay... On the other hand... a programmer should not expect that a user reads important messages among hundreds of unimportant messages which look similar. This would also call the sense of proxmox in question. In essential, Proxmox is a GUI, which helps to control KVM/OpenVZ...

I think it would be clear... Nevertheless... best wishes and thank you for the feedback anyway.
 
I think that renaming the button ("destroy vm") and/or putting a RED background colour in the dialog box would be great. Of course put a second confirmation dialog will not help since no one reads them in any case ;P
Seems we are in one of the many situations described by Alan Cooper in the book "Inmates are running the asylum" (a book I suggest to anyone involved in software), where developers defend their implementation against the fact that a change could help users a lot. But I have hope proxmox team is different and at the end will fix it :)
 
mmenaz said:
I think that renaming the button ("destroy vm") and/or putting a RED background colour in the dialog box would be great. Of course put a second confirmation dialog will not help since no one reads them in any case ;P
Seems we are in one of the many situations described by Alan Cooper in the book "Inmates are running the asylum" (a book I suggest to anyone involved in software), where developers defend their implementation against the fact that a change could help users a lot. But I have hope proxmox team is different and at the end will fix it :)
Click to expand...

The idea is to choose the best way, making the majority happy. I am 100 % sure if we ask a third time before we delete anything more than 90 % are against it. so I do not see that this is something we should "fix".
 
Sascha said:
okay... On the other hand... a programmer should not expect that a user reads important messages among hundreds of unimportant messages which look similar
Click to expand...

Really (I wonder why I added all those confirmation dialogs)?
 
I vote to rename the string on the Button 'Remove VM', to differentiate. I agree it can happen when 'automatically' repeting tasks, that such errors are possible, and having a different name for such a dangerous button would help.

Just my advice !

Alain
 
any suggestion for the rename? also think of easy and clear translations to different languages.
 
You must log in or register to reply here.
Top Bottom