
Difference between revisions of "DomainQuotaManagementAndEnforcement"

Revision as of 17:03, 6 March 2013

Introduction

In Keystone v3 (Grizzly release), the Domains feature encapsulates users and projects into logical entities that can represent accounts, organizations, etc. However, currently there is no capability or mechanism to manage or enforce quotas at the domain level. Assigning or updating quota values or limits to a domain will allow the cloud administrator to evaluate domain lists and consumption. In order to achieve these capabilities it will be required to implement quota management and quota monitoring for Keystone domains, by which domain usage can be managed and enforced.

The goal of this blueprint is to support quotas at the OpenStack Domain level. The design of the feature models, as far as possible, the style of project (tenant) quotas.

OpenStack Quotas

A quota sets a limit on the value of some property of an OpenStack service, e.g. in Nova, the number of instances that can be created. Currently in OpenStack, quotas are applied at the project or tenant level. There is also a Grizzly blueprint to introduce quotas at the user level.

Nova

For projects, quota controls are available to limit the

  • Number of instances which may be launched
  • Number of processor cores which may be allocated
  • Publicly accessible IP addresses
  • Amount of RAM that can be allocated in MB
  • Number of files that can be injected
  • Maximal size of injected files in bytes
  • Number of security groups that may be created
  • Number of rules per security group

Cinder

From Folsom onwards, the following quotas are managed by Cinder, not Nova.

  • Number of volumes which may be created
  • Total size of all volumes within a project as measured in GB

Quantum Quotas

For projects, quota controls are available to limit the number of

  • networks allowed per tenant
  • subnets allowed per tenant
  • ports allowed per tenant
  • routers allowed per tenant
  • floating IPs allowed per tenant

Swift Quotas

Swift Quota is a production-ready project that is mainly used for controlling the usage of accounts and containers in OpenStack Swift.

  • Number of containers per account (example: an account cannot have more than 5 containers)
  • Number of objects per container (example: a container cannot have more than 100 objects)
  • Storage capacity per container (example: the size of a container cannot be larger than 100 GB)

User Stories

  • As cloud administrator Paul, I want to limit resource usage for a given Organization represented as a Domain.
  • As cloud administrator Paul, I want to manage resource usage for each Organization.
  • As organization administrator Mary, I want to track resource usage for my Organization.

Design

Usage against Quota limits must be tracked, so if there is a Domain Limit on some property then there must be a corresponding Domain Usage. Thus, for a Domain Quota, if there is a Nova Limit there must also be a Nova Usage, and similarly for Cinder and Quantum.

Domain Quotas Conceptual Model

DomainQuotasConceptualModel.jpg

Quota Operations on Domains

The quota operations for domains will be part of the Keystone API. This is because domains can span services that are installed on different regions, and it is Keystone that maintains the service catalog of endpoints. This is in contrast to the existing project (tenant) quota operations, which are tied to a single service because projects do not span services.

Quota Setting Operations

These operations use quota-sets and usage-sets. A quota_set is a set of name-value pairs that define the domain limits on service properties. A usage_set is a time-stamped set of name-value pairs that show the actual usage of the quota-limited service properties.

Create Domain Quota

Verb | URI | Description
POST | v3/{domain_id}/os-domain-quotas | Uses the request body quota-set to create a quota_set and a corresponding empty usage_set for the domain. Fails if an attempt is made to set a quota lower than the current usage. Can be called by the cloud admin only.

Normal Response Code: 200. Error Response Codes: Unauthorized (401), Forbidden (403), Conflict (409). This operation requires a request body. This operation returns a response.

Show Domain Quota

Verb | URI | Description
GET | v3/{domain_id}/os-domain-quotas | Returns the current quota-set for the domain. Can only be called by the cloud admin or an admin for the domain.

Normal Response Code: 200. Error Response Codes: Unauthorized (401), Forbidden (403). This operation does not require a request body. This operation returns a response.

Update Domain Quota

Verb | URI | Description
PATCH | v3/{domain_id}/os-domain-quotas | Uses the request body quota-set to update the quota_set for the domain. Fails if an attempt is made to set a quota lower than the current usage. Can be called by the cloud admin only.

Normal Response Code: 200. Error Response Codes: Unauthorized (401), Forbidden (403), Conflict (409). This operation requires a request body. This operation returns a response.

Example 1. quota-set Response: JSON

{"quota_set": {
    "domain_id": "72415820-8b69-11e0-9b19-734f6acf67565",
    "nova_quota_set": {
        "volumes": 200,
        "floating_ips": 100,
        "instances": 500,
        "injected_files": 50,
        "cores": 600
    },
    "cinder_quota_set": {
        "volumes": 100,
        "gigabytes": 120000
    },
    "quantum_quota_set": {
        "networks": 150,
        "subnets": 150,
        "routers": 30
    },
    "swift_quota_set": {
        "containers": 20,
        "objects": 100,
        "storage_capacity": 1000
    }
}}

Delete Domain Quota

Verb | URI | Description
DELETE | v3/{domain_id}/os-domain-quotas | Deletes any existing quota_set and usage_set for the domain. Can be called by the cloud admin only.

Normal Response Code: 200. Error Response Codes: Unauthorized (401), Forbidden (403). This operation does not require a request body. This operation does not return a response.

Show Domain Usage

Verb | URI | Description
GET | v3/{domain_id}/os-domain-usage | Returns the usage_set for the domain. Can be called by the cloud admin or an admin for the domain.

Normal Response Code: 200. Error Response Codes: Unauthorized (401), Forbidden (403). This operation does not require a request body. This operation returns a response.

Example 2. usage-set Response: JSON

{"usage_set": {
    "domain_id": "83201710-7d95-71d0-2b23-834f6daf59571",
    "timestamp": "2013-01-05T10:45:00Z",
    "nova_usage_set": {
        "volumes": 20,
        "floating_ips": 90,
        "instances": 234,
        "injected_files": 22,
        "cores": 234
    },
    "cinder_usage_set": {
        "volumes": 70,
        "gigabytes": 95000
    },
    "quantum_usage_set": {
        "networks": 23,
        "subnets": 23,
        "routers": 23
    },
    "swift_usage_set": {
        "containers": 11,
        "objects": 76,
        "storage_capacity": 145
    }
}}

Usage Tracking and Limit Checking

Domain quotas require changes to the implementation of operations that can modify a service property that has a quota limit. These operations include allocating a new floating IP address, creating a server, deleting a network, etc.

Each operation will require two changes. First, each operation that can modify a service property has to record the change in the usage table for the appropriate domain. Second, before a service property can be increased, the current usage must be checked against the quota limit for the domain.
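
The two changes above, together with the Update Domain Quota rule that a limit may not be set below current usage, sketched as an added example (not code from this blueprint or from OpenStack). All class and function names are hypothetical, and the in-memory dictionaries stand in for the usage table. The limit check and the usage write sit under one lock, because a check followed by a separate write would let parallel requests overshoot the limit.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone

class QuotaExceeded(Exception):
    """An increase would push domain usage past its limit."""

class QuotaConflict(Exception):
    """A new limit is below current usage (the page's 409 Conflict case)."""

class DomainQuotaTracker:
    """In-memory stand-in for one domain's quota_set and usage_set."""
    def __init__(self, domain_id, quota_set):
        self.domain_id = domain_id
        self.quota_set = {s: dict(p) for s, p in quota_set.items()}
        self.usage_set = {s: dict.fromkeys(p, 0) for s, p in quota_set.items()}
        self.timestamp = None
        self._lock = threading.Lock()  # limit check + usage write are one atomic step

    def change_usage(self, service, prop, delta):
        """Record a usage change; an increase is checked against the limit first."""
        with self._lock:
            limit = self.quota_set[service][prop]
            new_usage = self.usage_set[service][prop] + delta
            if new_usage < 0:
                raise ValueError("usage cannot drop below zero")
            if delta > 0 and new_usage > limit:
                raise QuotaExceeded(f"{service}.{prop}: {new_usage} > {limit}")
            self.usage_set[service][prop] = new_usage
            self.timestamp = datetime.now(timezone.utc).isoformat()
            return new_usage

    def update_limit(self, service, prop, new_limit):
        """Refuse to set a limit lower than the current usage."""
        with self._lock:
            if new_limit < self.usage_set[service][prop]:
                raise QuotaConflict(f"{service}.{prop}: {new_limit} < usage")
            self.quota_set[service][prop] = new_limit

def concurrent_allocations(tracker, service, prop, attempts):
    """Fire `attempts` single-unit allocations in parallel; return how many succeed."""
    def allocate(_):
        try:
            tracker.change_usage(service, prop, 1)
            return True
        except QuotaExceeded:
            return False
    with ThreadPoolExecutor(max_workers=8) as pool:
        return sum(pool.map(allocate, range(attempts)))
```

With a floating_ips limit of 100 and a usage of 90, as in the page's sample sets, 25 parallel single-address allocations yield exactly 10 successes, and usage stops at the limit.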


OpenStack Quota References

This is a list of URLs of work on quotas within OpenStack.

Topic | URI | Notes
Per-user quotas support | https://blueprints.launchpad.net/nova/+spec/per-user-quotas | Blocked to be re-introduced in Grizzly
Stores Quotas centrally in Keystone | http://wiki.openstack.org/KeystoneStoreQuotaData |
Quantum Quotas | http://docs.openstack.org/api/openstack-network/2.0/content/List_Quotas.html |
Swift Quotas | https://blueprints.launchpad.net/swift/+spec/storage-quotas | Implementation status unknown
Quota Project: An effective way to manage the usage of your Swift-based storage cloud | http://www.zmanda.com/blogs/?cat=22 |
Update Limits and Quotas to Key On volume_type | https://blueprints.launchpad.net/cinder/+spec/quotas-limits-by-voltype | Not started, grizzly-3 target
Demystifying OpenStack Folsom Quotas | http://ops.anthonygoddard.com/OpenStack/demystifying-openstack-folsom-quotas/ | Explains Cinder/Nova quota separation
per-user quotas support | https://blueprints.launchpad.net/nova/+spec/per-user-quotas | Blocked by bug https://bugs.launchpad.net/nova/+bug/1034384. It will be re-introduced into Grizzly