CL110 - ch02s05

Bookmark this page

Configuring Resource Limits in Projects

Objectives

After completing this section, you should be able to manage resource quotas for an individual project, to ensure sufficient resource availability and protection from misuse.

Introduction to Project Quotas

Domain operators manage limits for all projects in their domain, unless that role is delegated to a more appropriate user. All cloud users (project owners, application developers, scientific researchers (High Performance Computing), and application architects) should be experienced and capable enough to manage their project quota, because they are the subject matter expert for the application they are creating or managing. Abusing the privilege by increasing project quotas is unlikely to happen, due to the visibility of resource usage.

Red Hat OpenStack Platform project quotas are similar to operating system resource quotas. An OpenStack administrator can configure quotas to prevent system resources from being exhausted. Project quotas are set on a per project basis, and limit the resources that can be assigned. These operational limits give cloud administrators finite control over OpenStack projects, such as defining a quota based on the amount of RAM allocated to a project. This can prevent clients from committing more memory than necessary, or using more resources than defined in their service agreement. Every project has a basic set of quotas with default values. These defaults can be modified when creating projects and edited for existing projects.

Hierarchical Limits

If your organization is complex and uses several layers of nested projects, the limits applied to the parent project could be expected to include any child projects. Unfortunately hierarchical limits are not yet available in Red Hat OpenStack 16, and each child project has its own set of limits independent of the parent.

To work with limits in hierarchical projects at this time, you must perform the calculations manually to ensure the combined limits of parent and child projects do not exceed your allocation. Limits set in a project only apply to resources consumed within that project.

Default Project Quotas

Red Hat OpenStack Platform has default quota values that provide quota restrictions for projects. The default quota can be modified to provide more or less resources for project deployments as needed.

To view the default quotas using the CLI, run the openstack quota show --default command as a user with admin privileges.

[user@demo ~(admin)]$ openstack quota show --default
+-----------------------+------------------------+
| Field                 | Value                  |
+-----------------------+------------------------+
| backup-gigabytes      | 1000                   |
| backups               | 10                     |
| cores                 | 20                     |
| fixed-ips             | -1                     |
| floating-ips          | 50                     |
...output omitted...
| secgroups             | 10                     |
| server-group-members  | 10                     |
| server-groups         | 10                     |
| snapshots             | 10                     |
| subnet_pools          | -1                     |
| subnets               | 100                    |
| volumes               | 10                     |
+-----------------------+------------------------+

To view the default quotas in the Dashboard, log in as a user with admin privileges and navigate to Admin → System → Defaults. The Defaults tab displays the default limits.

Figure 2.4: Displaying the default limits for compute

The default quotas can be updated to set new quota limits for all projects. A user with the project-scope admin role can update the default project quotas using the openstack quota set command. Use the --class option to utilize the default quota class. For example, run the following command to set the maximum number of instances quota to 20:

[user@demo ~(admin)]$ openstack quota set --instances 20 --class default

For the Dashboard, log in as a user with the admin role, and navigate to Admin → System → Defaults. Click Update Defaults to update the default project quotas. Note that not all quota items may be listed, as the Dashboard is developed as a separate project.

Project Quotas

When projects are created, the project quotas can be defined to override the default values. Using the CLI, use the openstack quota set command to set the new quota values. For example, to set the memory to 10240 MB in the demo-project project, use the following command:

[user@demo ~(admin)]$ openstack quota set --ram 10240 demo-project

The following message displays if you attempt to exceed the quota:

Quota exceeded for ram: Requested 2048, but already used 10240 of 10240 ram (HTTP 403) (Request-ID: req-cfca3d6b-340d-481d-976b-2de7c40c2089)

The following list describes some less obvious quota parameters:

Quota Parameters

Server Groups: The number of server groups per project. Server groups are used to control the affinity and anti-affinity scheduling policy for a group of instances. All instances in a single affinity group run on the same hypervisor. Instances in an anti-affinity group run on different hypervisors.
Server Group Members: The number of servers in a single server group. Unlimited anti-affinity could allow a user to derive information about the overall size of the cloud, which is generally considered private information of the cloud provider. Unlimited server groups could be used as a DoS attack against systems not protected by an API rate limiter. For instance, a user could create groups until the identity database fills up.
Injected Files: The number of injected files allowed per project. The process of putting a file into an instance image before the instance is started is termed file injection.
Metadata Items: The number of metadata items allowed per instance. Metadata items are instance properties given in key-value pairs.

References

Additional information is available in the section on Project Management in the Users and Identity Management Guide for Red Hat OpenStack Platform, which can be found at https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/users_and_identity_management_guide

Discuss Red Hat OpenStack Administration I: Core Operations for Domain Operators

Go to community

Red Hat OpenStack Administration I: Core Operations for Domain Operators (CL110)

Haley_Ruccio

1 sie 2023

Learn to operate a Red Hat® OpenStack Platform private cloud and manage domain resources to secure and deploy modern, scalable cloud applications, networks and storageRed Hat OpenStack Administration I: Core Operations for Domain Operators (CL110) teaches you how to operate and manage a production Red Hat OpenStack Platform (RHOSP) single-site overcloud. You will learn how to create secure project environments in which to provision resources and manage security privileges that cloud users need to deploy scalable cloud applications. You will learn about OpenShift integration with load balancers, identity management, monitoring, proxies, and storage. You will also develop more troubleshooting and Day 2 operations skills in this course.This course is based on Red Hat OpenStack Platform 16.1.Course content summaryStudents in the Red Hat OpenStack Administration I: Core Operations for Domain Operators (CL110) course will focus on performing both routine and specialized tasks that are necessary to manage a production OpenStack overcloud domain. Students will manage OpenStack using both web-based and command-line interfaces. Essential skills covered in the course include the following:Launch instances to satisfy various use case examples.Manage domains, projects, users, roles, and quota in a multitenant environment.Manage networks, subnets, routers, and floating IP addresses.Manage instance security with group rules and access keys.Create and manage block, object and shared storage within OpenStack.Perform instance launch customization with cloud-init.Deploy scalable applications using stack templates.Audience for this courseThis course is designed for cloud users who deploy application instances and stacks, domain operators who manage resources and security for cloud users, and any other cloud personnel interested in, or responsible for, maintaining applications on private or hybrid OpenStack clouds. Any cloud persona, or personnel with roles that include performing technology evaluation, should attend this course to learn RHOSP operation and application deployment methods.Prerequisites for this courseBecome a Red Hat Certified System Administrator (RHCSA) or demonstrate equivalent experienceIf you are not a RHCSA, you can take a skill assessment to gauge your level of knowledge.

Welcome to the Red Hat OpenStack Administration I (CL110) group in the Red Hat Learning Community!

Syed

31 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course CL110! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to CL110.Read more about Red Hat OpenStack Administration I: Core Operations for Domain Operators here.

Revision: cl110-16.1-4c76154