Atom feed of this document
  
 

 Manage quotas

To prevent system capacities from being exhausted without notification, you can set up quotas. Quotas are operational limits. For example, the number of gigabytes allowed for each tenant can be controlled so that cloud resources are optimized. Quotas can be enforced at both the tenant (or project) and the tenant-user level.

Using the command-line interface, you can manage quotas for the OpenStack Compute service, the OpenStack Block Storage service, and the OpenStack Networking service.

The cloud operator typically changes default values because a tenant requires more than ten volumes or 1 TB on a compute node.

[Note]Note

To view all tenants (projects), run:

$ keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| e66d97ac1b704897853412fc8450f7b9 |  admin   |   True  |
| bf4a37b885fe46bd86e999e50adad1d3 | services |   True  |
| 21bd1c7c95234fd28f589b60903606fa | tenant01 |   True  |
| f599c5cd1cba4125ae3d7caed08e288c | tenant02 |   True  |
+----------------------------------+----------+---------+

To display all current users for a tenant, run:

$ keystone user-list --tenant-id tenantID
+----------------------------------+--------+---------+-------+
|                id                |  name  | enabled | email |
+----------------------------------+--------+---------+-------+
| ea30aa434ab24a139b0e85125ec8a217 | demo00 |   True  |       |
| 4f8113c1d838467cad0c2f337b3dfded | demo01 |   True  |       |
+----------------------------------+--------+---------+-------+

 Manage Compute service quotas

As an administrative user, you can use the nova quota-* commands, which are provided by the python-novaclient package, to update the Compute service quotas for a specific tenant or tenant user, as well as update the quota defaults for a new tenant.

Table 2.4. Compute quota descriptions
Quota name Description

cores

Number of instance cores (VCPUs) allowed per tenant.

fixed-ips

Number of fixed IP addresses allowed per tenant. This number must be equal to or greater than the number of allowed instances.

floating-ips

Number of floating IP addresses allowed per tenant.

injected-file-content-bytes

Number of content bytes allowed per injected file.

injected-file-path-bytes

Length of injected file path.

injected-files

Number of injected files allowed per tenant.

instances

Number of instances allowed per tenant.

key-pairs

Number of key pairs allowed per user.

metadata-items

Number of metadata items allowed per instance.

ram

Megabytes of instance ram allowed per tenant.

security-groups

Number of security groups per tenant.

security-group-rules

Number of rules per security group.

 View and update Compute quotas for a tenant (project)

 

To view and update default quota values

  1. List all default quotas for all tenants, as follows:

    $ nova quota-defaults

    For example:

    $ nova quota-defaults
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 10    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
  2. Update a default value for a new tenant, as follows:

    $ nova quota-class-update --key value default

    For example:

    $ nova quota-class-update --instances 15 default
 

To view quota values for an existing tenant (project)

  1. Place the tenant ID in a usable variable, as follows:

    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  2. List the currently set quota values for a tenant, as follows:

    $ nova quota-show --tenant $tenant

    For example:

    $ nova quota-show --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 10    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
 

To update quota values for an existing tenant (project)

  1. Obtain the tenant ID, as follows:

    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  2. Update a particular quota value, as follows:

    $ nova quota-update --quotaName quotaValue tenantID

    For example:

    $ nova quota-update --floating-ips 20 $tenant
    $ nova quota-show --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 20    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
    
    [Note]Note

    To view a list of options for the quota-update command, run:

    $ nova help quota-update

 View and update Compute quotas for a tenant user

 

To view quota values for a tenant user

  1. Place the user ID in a usable variable, as follows:

    $ tenantUser=$(keystone user-list | awk '/userName/ {print $2}')
  2. Place the user's tenant ID in a usable variable, as follows:

    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  3. List the currently set quota values for a tenant user, as follows:

    $ nova quota-show --user $tenantUser --tenant $tenant 

    For example:

    $ nova quota-show --user $tenantUser --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 20    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
    
 

To update quota values for a tenant user

  1. Place the user ID in a usable variable, as follows:

    $ tenantUser=$(keystone user-list | awk '/userName/ {print $2}')
  2. Place the user's tenant ID in a usable variable, as follows:

    $ tenant=$(keystone tenant-list | awk '/userName/ {print $2}')
  3. Update a particular quota value, as follows:

    $ nova quota-update  --user $tenantUser --quotaName quotaValue $tenant

    For example:

    $ nova quota-update --user $tenantUser --floating-ips 12 $tenant
    $ nova quota-show --user $tenantUser --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 12    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
    
    [Note]Note

    To view a list of options for the quota-update command, run:

    $ nova help quota-update

 Manage Block Storage service quotas

As an administrative user, you can update the OpenStack Block Storage service quotas for a project. You can also update the quota defaults for a new project.

Table 2.5. Block Storage quotas
Property name Defines the number of

gigabytes

Volume gigabytes allowed for each tenant.

snapshots

Volume snapshots allowed for each tenant.

volumes

Volumes allowed for each tenant.

 View and update Block Storage service quotas

As an administrative user, you can view and update Block Storage service quotas.

  1. List the default quotas for all projects, as follows:

    $ cinder quota-defaults
    +-----------+-------+
    |  Property | Value |
    +-----------+-------+
    | gigabytes |  1000 |
    | snapshots |   10  |
    |  volumes  |   10  |
    +-----------+-------+
  2. To update a default value for a new project, update the property in the /etc/cinder/cinder.conf file.

  3. View Block Storage service quotas for a project, as follows:

    $ cinder quota-show TENANT_NAME

    For example:

    $ cinder quota-show tenant01
    +-----------+-------+
    |  Property | Value |
    +-----------+-------+
    | gigabytes |  1000 |
    | snapshots |   10  |
    |  volumes  |   10  |
    +-----------+-------+
  4. To update Block Storage service quotas, place the tenant ID in a usable variable, as follows:

    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  5. Update a particular quota value, as follows:

    $ cinder quota-update --quotaName NewValue tenantID

    For example:

    $ cinder quota-update --volumes 15 $tenant
    $ cinder quota-show tenant01
    +-----------+-------+
    |  Property | Value |
    +-----------+-------+
    | gigabytes |  1000 |
    | snapshots |   10  |
    |  volumes  |   15  |
    +-----------+-------+

 Manage Networking service quotas

A quota limits the number of available resources. A default quota might be enforced for all tenants. When you try to create more resources than the quota allows, an error occurs:

$ neutron net-create test_net
Quota exceeded for resources: ['network']

Per-tenant quota configuration is also supported by the quota extension API. See Per-tenant quota configuration for details.

 Basic quota configuration

In the Networking default quota mechanism, all tenants have the same quota values, such as the number of resources that a tenant can create.

The quota value is defined in the OpenStack Networking neutron.conf configuration file. To disable quotas for a specific resource, such as network, subnet, or port, remove a corresponding item from quota_items. This example shows the default quota values:

[quotas]
# resource name(s) that are supported in quota features
quota_items = network,subnet,port

# number of networks allowed per tenant, and minus means unlimited
quota_network = 10

# number of subnets allowed per tenant, and minus means unlimited
quota_subnet = 10

# number of ports allowed per tenant, and minus means unlimited
quota_port = 50

# default driver to use for quota checks
quota_driver = neutron.quota.ConfDriver

OpenStack Networking also supports quotas for L3 resources: router and floating IP. Add these lines to the quotas section in the neutron.conf file.

[quotas]
# number of routers allowed per tenant, and minus means unlimited
quota_router = 10

# number of floating IPs allowed per tenant, and minus means unlimited
quota_floatingip = 50
[Note]Note

The quota_items option does not affect these quotas.

OpenStack Networking also supports quotas for security group resources: number of security groups and the number of rules for each security group. Add these lines to the quotas section in the neutron.conf file:

[quotas]
# number of security groups per tenant, and minus means unlimited
quota_security_group = 10

# number of security rules allowed per tenant, and minus means unlimited
quota_security_group_rule = 100
[Note]Note

The quota_items option does not affect these quotas.

 Configure per-tenant quotas

OpenStack Networking also supports per-tenant quota limit by quota extension API.

Use these commands to manage per-tenant quotas:

  • neutron quota-delete. Deletes defined quotas for a specified tenant.

  • neutron quota-list. Lists defined quotas for all tenants.

  • neutron quota-show. Shows quotas for a specified tenant.

  • neutron quota-update. Updates quotas for a specified tenant.

Only users with the admin role can change a quota value. By default, the default set of quotas are enforced for all tenants, so no quota-create command exists.

  1. Configure Networking to show per-tenant quotas

    Set the quota_driver option in the neutron.conf file:

    quota_driver = neutron.db.quota_db.DbQuotaDriver

    When you set this option, the output for Networking commands shows quotas.

  2. List Networking extensions

    To list the Networking extensions, run this command:

    $ neutron ext-list -c alias -c name

    The command shows the quotas extension, which provides per-tenant quota management support:

    +-----------------+--------------------------+
    | alias           | name                     |
    +-----------------+--------------------------+
    | agent_scheduler | Agent Schedulers         |
    | security-group  | security-group           |
    | binding         | Port Binding             |
    | quotas          | Quota management support |
    | agent           | agent                    |
    | provider        | Provider Network         |
    | router          | Neutron L3 Router        |
    | lbaas           | LoadBalancing service    |
    | extraroute      | Neutron Extra Route      |
    +-----------------+--------------------------+
  3. Show information for the quotas extension

    To show information for the quotas extension, run this command:

    $ neutron ext-show quotas
    +-------------+------------------------------------------------------------+
    | Field       | Value                                                      |
    +-------------+------------------------------------------------------------+
    | alias       | quotas                                                     |
    | description | Expose functions for quotas management per tenant          |
    | links       |                                                            |
    | name        | Quota management support                                   |
    | namespace   | http://docs.openstack.org/network/ext/quotas-sets/api/v2.0 |
    | updated     | 2012-07-29T10:00:00-00:00                                  |
    +-------------+------------------------------------------------------------+
    [Note]Note

    Only some plug-ins support per-tenant quotas. Specifically, Open vSwitch, Linux Bridge, and VMware NSX support them, but new versions of other plug-ins might bring additional functionality. See the documentation for each plug-in.

  4. List tenants who have per-tenant quota support

    The quota-list command lists tenants for which the per-tenant quota is enabled. The command does not list tenants with default quota support. You must be an administrative user to run this command:

    $ neutron quota-list
    +------------+---------+------+--------+--------+----------------------------------+
    | floatingip | network | port | router | subnet | tenant_id                        |
    +------------+---------+------+--------+--------+----------------------------------+
    |         20 |       5 |   20 |     10 |      5 | 6f88036c45344d9999a1f971e4882723 |
    |         25 |      10 |   30 |     10 |     10 | bff5c9455ee24231b5bc713c1b96d422 |
    +------------+---------+------+--------+--------+----------------------------------+
  5. Show per-tenant quota values

    The quota-show reports the current set of quota limits for the specified tenant. Non-administrative users can run this command without the --tenant_id parameter. If per-tenant quota limits are not enabled for the tenant, the command shows the default set of quotas:

    $ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 20    |
    | network    | 5     |
    | port       | 20    |
    | router     | 10    |
    | subnet     | 5     |
    +------------+-------+

    The following command shows the command output for a non-administrative user:

    $ neutron quota-show
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 20    |
    | network    | 5     |
    | port       | 20    |
    | router     | 10    |
    | subnet     | 5     |
    +------------+-------+
  6. Update quota values for a specified tenant

    Use the quota-update command to update a quota for a specified tenant:

    $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 5
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 50    |
    | network    | 5     |
    | port       | 50    |
    | router     | 10    |
    | subnet     | 10    |
    +------------+-------+

    You can update quotas for multiple resources through one command:

    $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --subnet 5 --port 20
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 50    |
    | network    | 5     |
    | port       | 20    |
    | router     | 10    |
    | subnet     | 5     |
    +------------+-------+

    To update the limits for an L3 resource such as, router or floating IP, you must define new values for the quotas after the -- directive.

    This example updates the limit of the number of floating IPs for the specified tenant:

    $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 -- --floatingip 20
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 20    |
    | network    | 5     |
    | port       | 20    |
    | router     | 10    |
    | subnet     | 5     |
    +------------+-------+

    You can update the limits of multiple resources by including L2 resources and L3 resource through one command.

    $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 3 --subnet 3 --port 3 -- --floatingip 3 --router 3
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 3     |
    | network    | 3     |
    | port       | 3     |
    | router     | 3     |
    | subnet     | 3     |
    +------------+-------+
  7. Delete per-tenant quota values

    To clear per-tenant quota limits, use the quota-delete command:

    $ neutron quota-delete --tenant_id 6f88036c45344d9999a1f971e4882723
    Deleted quota: 6f88036c45344d9999a1f971e4882723

    After you run this command, you can see that quota values for the tenant are reset to the default values:

    $ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
    +------------+-------+
    | Field      | Value |
    +------------+-------+
    | floatingip | 50    |
    | network    | 10    |
    | port       | 50    |
    | router     | 10    |
    | subnet     | 10    |
    +------------+-------+
Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

loading table of contents...