Atom feed of this document
 

 Configure the Compute API

The Compute API, run by the nova-api daemon, is the component of OpenStack Compute that receives and responds to user requests, whether they be direct API calls, or via the CLI tools or dashboard.

 Configure Compute API password handling

The OpenStack Compute API enables users to specify an administrative password when they create or rebuild a server instance. If the user does not specify a password, a random password is generated and returned in the API response.

In practice, how the admin password is handled depends on the hypervisor in use and might require additional configuration of the instance. For example, you might have to install an agent to handle the password setting. If the hypervisor and instance configuration do not support setting a password at server create time, the password that is returned by the create API call is misleading because it was ignored.

To prevent this confusion, use the enable_instance_password configuration option to disable the return of the admin password for installations that do not support setting instance passwords.

 Configure Compute API rate limiting

OpenStack Compute supports API rate limiting for the OpenStack API. The rate limiting allows an administrator to configure limits on the type and number of API calls that can be made in a specific time interval.

When API rate limits are exceeded, HTTP requests return an error with a status code of 413 Request entity too large, and includes an HTTP Retry-After header. The response body includes the error details and the delay before you should retry the request.

Rate limiting is not available for the EC2 API.

 Define limits

To define limits, set these values:

  • The HTTP method used in the API call, typically one of GET, PUT, POST, or DELETE.

  • A human readable URI that is used as a friendly description of where the limit is applied.

  • A regular expression. The limit is applied to all URIs that match the regular expression and HTTP method.

  • A limit value that specifies the maximum count of units before the limit takes effect.

  • An interval that specifies time frame to which the limit is applied. The interval can be SECOND, MINUTE, HOUR, or DAY.

Rate limits are applied in relative order to the HTTP method, going from least to most specific. For example, although the default threshold for POST to */servers is 50 each day, you cannot POST to */servers more than 10 times in a single minute because the rate limits for any POST is 10 each minute.

 Default limits

Normally, you install OpenStack Compute with the following limits enabled:

Table 2.14. Default API rate limits
HTTP method API URI API regular expression Limit
POST any URI (*) .* 10 per minute
POST /servers ^/servers 50 per day
PUT any URI (*) .* 10 per minute
GET *changes-since* .*changes-since.* 3 per minute
DELETE any URI (*) .* 100 per minute

 Configure and change limits

As part of the WSGI pipeline, the etc/nova/api-paste.ini file defines the actual limits.

To enable limits, include the ratelimit' filter in the API pipeline specification. If the ratelimit filter is removed from the pipeline, limiting is disabled. You must also define the rate limit filter. The lines appear as follows:

[pipeline:openstack_compute_api_v2]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2

[pipeline:openstack_volume_api_v1]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1

[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory

To modify the limits, add a limits specification to the [filter:ratelimit] section of the file. Specify the limits in this order:

  1. HTTP method

  2. friendly URI

  3. regex

  4. limit

  5. interval

The following example shows the default rate-limiting values:

[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
limits =(POST, "*", .*, 10, MINUTE);(POST, "*/servers", ^/servers, 50, DAY);(PUT, "*", .*, 10, MINUTE);(GET, "*changes-since*", .*changes-since.*, 3, MINUTE);(DELETE, "*", .*, 100, MINUTE)

 Configuration reference

The following table lists the Compute API configuration options:

Table 2.15. Description of configuration options for api
Configuration option=Default value Description
enable_new_services=True (BoolOpt) Services to be added to the available pool on create
enabled_apis=ec2,osapi_compute,metadata (ListOpt) a list of APIs to enable by default
enabled_ssl_apis= (ListOpt) a list of APIs with enabled SSL
instance_name_template=instance-%08x (StrOpt) Template string to be used to generate instance names
multi_instance_display_name_template=%(name)s-%(uuid)s (StrOpt) When creating multiple instances with a single request using the os-multiple-create API extension, this template will be used to build the display name for each instance. The benefit is that the instances end up with different hostnames. To restore legacy behavior of every instance having the same name, set this option to "%(name)s". Valid keys for the template are: name, uuid, count.
non_inheritable_image_properties=cache_in_nova,bittorrent (ListOpt) These are image properties which a snapshot should not inherit from an instance
null_kernel=nokernel (StrOpt) kernel image that indicates not to use a kernel, but to use a raw disk image instead
osapi_compute_ext_list= (ListOpt) Specify list of extensions to load when using osapi_compute_extension option with nova.api.openstack.compute.contrib.select_extensions
osapi_compute_extension=['nova.api.openstack.compute.contrib.standard_extensions'] (MultiStrOpt) osapi compute extension to load
osapi_compute_link_prefix=None (StrOpt) Base URL that will be presented to users in links to the OpenStack Compute API
osapi_compute_listen=0.0.0.0 (StrOpt) IP address for OpenStack API to listen
osapi_compute_listen_port=8774 (IntOpt) list port for osapi compute
osapi_compute_workers=None (IntOpt) Number of workers for OpenStack API service
osapi_hide_server_address_states=building (ListOpt) List of instance states that should hide network info
servicegroup_driver=db (StrOpt) The driver for servicegroup service (valid options are: db, zk, mc)
snapshot_name_template=snapshot-%s (StrOpt) Template string to be used to generate snapshot names
use_forwarded_for=False (BoolOpt) Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.
use_tpool=False (BoolOpt) Enable the experimental use of thread pooling for all DB API calls

Log a bug against this page


loading table of contents...