To prevent system capacities from being exhausted without notification, you can set up quotas. Quotas are operational limits. For example, the number of gigabytes allowed for each tenant can be controlled so that cloud resources are optimized. Quotas can be enforced at both the tenant (or project) and the tenant-user level.
Using the command-line interface, you can manage quotas for the OpenStack Compute service, the OpenStack Block Storage service, and the OpenStack Networking service.
The cloud operator typically changes default values because a tenant requires more than ten volumes or 1 TB on a compute node.
Note: To view all tenants (projects), run:
$ keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| e66d97ac1b704897853412fc8450f7b9 | admin    | True    |
| bf4a37b885fe46bd86e999e50adad1d3 | services | True    |
| 21bd1c7c95234fd28f589b60903606fa | tenant01 | True    |
| f599c5cd1cba4125ae3d7caed08e288c | tenant02 | True    |
+----------------------------------+----------+---------+
To display all current users for a tenant, run:
$ keystone user-list --tenant-id tenantID
As an administrative user, you can use the nova quota-* commands, which are provided by the python-novaclient package, to update the Compute service quotas for a specific tenant or tenant user, as well as update the quota defaults for a new tenant.
Quota name | Description |
---|---|
cores | Number of instance cores (VCPUs) allowed per tenant. |
fixed_ips | Number of fixed IP addresses allowed per tenant. This number must be equal to or greater than the number of allowed instances. |
floating_ips | Number of floating IP addresses allowed per tenant. |
injected_file_content_bytes | Number of content bytes allowed per injected file. |
injected_file_path_bytes | Length of injected file path. |
injected_files | Number of injected files allowed per tenant. |
instances | Number of instances allowed per tenant. |
key_pairs | Number of key pairs allowed per user. |
metadata_items | Number of metadata items allowed per instance. |
ram | Megabytes of instance RAM allowed per tenant. |
security_groups | Number of security groups per tenant. |
security_group_rules | Number of rules per security group. |
To view and update default quota values
List all default quotas for all tenants, as follows:
$ nova quota-defaults
For example:
$ nova quota-defaults
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 10    |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
+-----------------------------+-------+
Update a default value for a new tenant, as follows:
$ nova quota-class-update --key value default
For example:
$ nova quota-class-update --instances 15 default
To view quota values for an existing tenant (project)
Place the tenant ID in a usable variable, as follows:
$ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
List the currently set quota values for a tenant, as follows:
$ nova quota-show --tenant $tenant
For example:
$ nova quota-show --tenant $tenant
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 10    |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
+-----------------------------+-------+
To update quota values for an existing tenant (project)
Obtain the tenant ID, as follows:
$ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
Update a particular quota value, as follows:
$ nova quota-update --quotaName quotaValue tenantID
For example:
$ nova quota-update --floating-ips 20 $tenant
$ nova quota-show --tenant $tenant
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 20    |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
+-----------------------------+-------+
Note: To view a list of options for the quota-update command, run:
$ nova help quota-update
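The lookup and comparison steps above, as an added shell example that is not part of the original documentation. tenant_id_by_name matches the name column exactly (an awk '/tenantName/' pattern also matches any row that merely contains the string), and quota_overrides lists the quotas where a tenant's limits differ from the defaults. The function names, IDs and sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): helper names and sample data are constructed.

# tenant_id_by_name NAME   (reads `keystone tenant-list` output on stdin)
# Exact match on the name column; an awk /NAME/ pattern would also match "tenant010".
tenant_id_by_name() {
    awk -F'|' -v want="$1" 'NF >= 4 {
        gsub(/[ \t]/, "", $2); gsub(/[ \t]/, "", $3)
        if ($3 == want) print $2
    }'
}

# quota_overrides DEFAULTS_FILE TENANT_FILE
# Both files hold the table printed by `nova quota-defaults` / `nova quota-show`.
# Prints "name default tenant" for each quota whose tenant limit differs.
quota_overrides() {
    awk -F'|' '
        NF < 4 { next }                                   # border lines
        { gsub(/[ \t]/, "", $2); gsub(/[ \t]/, "", $3) }
        $2 == "Quota" { next }                            # header row
        FNR == NR { dflt[$2] = $3; next }                 # first file: defaults
        !($2 in dflt) || dflt[$2] != $3 {
            print $2, (($2 in dflt) ? dflt[$2] : "unset"), $3
        }
    ' "$1" "$2"
}

# Constructed sample data, shortened from the tables shown on this page.
sample_tenants() {
    cat <<'EOF'
+------+-----------+---------+
| id   | name      | enabled |
+------+-----------+---------+
| aaa1 | tenant01  | True    |
| bbb2 | tenant010 | True    |
+------+-----------+---------+
EOF
}
sample_quota() {   # $1 = floating_ips limit
    printf '+--------------+-------+\n| Quota        | Limit |\n+--------------+-------+\n'
    printf '| instances    | 10    |\n| floating_ips | %s    |\n| fixed_ips    | -1    |\n' "$1"
    printf '+--------------+-------+\n'
}

dir=$(mktemp -d)
sample_quota 10 > "$dir/defaults"; sample_quota 20 > "$dir/tenant"
sample_tenants | tenant_id_by_name tenant01      # prints only aaa1
quota_overrides "$dir/defaults" "$dir/tenant"    # prints: floating_ips 10 20
```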
To view quota values for a tenant user
Place the user ID in a usable variable, as follows:
$ tenantUser=$(keystone user-list | awk '/userName/ {print $2}')
Place the user's tenant ID in a usable variable, as follows:
$ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
List the currently set quota values for a tenant user, as follows:
$ nova quota-show --user $tenantUser --tenant $tenant
For example:
$ nova quota-show --user $tenantUser --tenant $tenant
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 20    |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
+-----------------------------+-------+
To update quota values for a tenant user
Place the user ID in a usable variable, as follows:
$ tenantUser=$(keystone user-list | awk '/userName/ {print $2}')
Place the user's tenant ID in a usable variable, as follows:
$ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
Update a particular quota value, as follows:
$ nova quota-update --user $tenantUser --quotaName quotaValue $tenant
For example:
$ nova quota-update --user $tenantUser --floating-ips 12 $tenant
$ nova quota-show --user $tenantUser --tenant $tenant
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 12    |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
+-----------------------------+-------+
Note: To view a list of options for the quota-update command, run:
$ nova help quota-update
As an administrative user, you can update the OpenStack Block Storage service quotas for a project. You can also update the quota defaults for a new project.
Property name | Defines the number of |
---|---|
gigabytes | Volume gigabytes allowed for each tenant. |
snapshots | Volume snapshots allowed for each tenant. |
volumes | Volumes allowed for each tenant. |
As an administrative user, you can view and update Block Storage service quotas.
List the default quotas for all projects, as follows:
$ cinder quota-defaults
+-----------+-------+
| Property  | Value |
+-----------+-------+
| gigabytes | 1000  |
| snapshots | 10    |
| volumes   | 10    |
+-----------+-------+
To update a default value for a new project, update the property in the /etc/cinder/cinder.conf file.
View Block Storage service quotas for a project, as follows:
$ cinder quota-show TENANT_NAME
For example:
$ cinder quota-show tenant01
+-----------+-------+
| Property  | Value |
+-----------+-------+
| gigabytes | 1000  |
| snapshots | 10    |
| volumes   | 10    |
+-----------+-------+
To update Block Storage service quotas, place the tenant ID in a usable variable, as follows:
$ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
Update a particular quota value, as follows:
$ cinder quota-update --quotaName NewValue tenantID
For example:
$ cinder quota-update --volumes 15 $tenant
$ cinder quota-show tenant01
+-----------+-------+
| Property  | Value |
+-----------+-------+
| gigabytes | 1000  |
| snapshots | 10    |
| volumes   | 15    |
+-----------+-------+
A quota limits the number of available resources. A default quota might be enforced for all tenants. When you try to create more resources than the quota allows, an error occurs:
$ neutron net-create test_net
Quota exceeded for resources: ['network']
Per-tenant quota configuration is also supported by the quota extension API. See Per-tenant quota configuration for details.
In the Networking default quota mechanism, all tenants have the same quota values, such as the number of resources that a tenant can create.
The quota value is defined in the OpenStack Networking neutron.conf configuration file. To disable quotas for a specific resource, such as network, subnet, or port, remove the corresponding item from quota_items. This example shows the default quota values:
[quotas]
# resource name(s) that are supported in quota features
quota_items = network,subnet,port
# number of networks allowed per tenant, and minus means unlimited
quota_network = 10
# number of subnets allowed per tenant, and minus means unlimited
quota_subnet = 10
# number of ports allowed per tenant, and minus means unlimited
quota_port = 50
# default driver to use for quota checks
quota_driver = neutron.quota.ConfDriver
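An audit of the settings just described, as an added shell example that is not part of the original documentation: it reads the [quotas] section and reports, for network, subnet and port, whether a limit is enforced, unlimited (negative value) or switched off by omission from quota_items. The function names and the sample file are constructed, and the check assumes quota_items is set explicitly in the file.

```shell
#!/bin/sh
# Added example (not from the original page): function names and sample config are constructed.
# Assumes quota_items is set explicitly in [quotas], as in the example above.

# neutron_quota_audit [FILE]   (reads stdin when FILE is omitted)
# Prints "<resource> <status>" for network, subnet and port, where status is
# the numeric limit, "unlimited" (negative value), "unset" (no quota_<resource>
# line) or "not-enforced" (resource missing from quota_items).
neutron_quota_audit() {
    awk -F'=' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        /^[ \t]*\[/ { in_q = ($0 ~ /^[ \t]*\[quotas\]/); next }
        !in_q       { next }                           # only the [quotas] section
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "quota_items" {
            n = split(val, item, ",")
            for (i = 1; i <= n; i++) enabled[item[i]] = 1
            next
        }
        key ~ /^quota_(network|subnet|port)$/ { sub(/^quota_/, "", key); limit[key] = val }
        END {
            n = split("network subnet port", res, " ")
            for (i = 1; i <= n; i++) {
                r = res[i]
                if (!(r in enabled))       s = "not-enforced"
                else if (!(r in limit))    s = "unset"
                else if (limit[r] + 0 < 0) s = "unlimited"
                else                       s = limit[r]
                print r, s
            }
        }' "${1:--}"
}

# Constructed sample: port dropped from quota_items, subnet set to a negative value.
sample_neutron_conf() {
    cat <<'EOF'
[DEFAULT]
debug = False
[quotas]
quota_items = network,subnet
quota_network = 10
quota_subnet = -1
quota_port = 50
EOF
}

sample_neutron_conf | neutron_quota_audit
```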
OpenStack Networking also supports quotas for L3 resources: router and floating IP. Add these lines to the quotas section in the neutron.conf file.
[quotas]
# number of routers allowed per tenant, and minus means unlimited
quota_router = 10
# number of floating IPs allowed per tenant, and minus means unlimited
quota_floatingip = 50
Note | |
---|---|
The |
OpenStack Networking also supports quotas for security group resources: number of security groups and the number of rules for each security group. Add these lines to the quotas section in the neutron.conf file:
[quotas]
# number of security groups per tenant, and minus means unlimited
quota_security_group = 10
# number of security rules allowed per tenant, and minus means unlimited
quota_security_group_rule = 100
Note | |
---|---|
The |
OpenStack Networking also supports per-tenant quota limits through the quota extension API.
Use these commands to manage per-tenant quotas:
neutron quota-delete. Deletes defined quotas for a specified tenant.
neutron quota-list. Lists defined quotas for all tenants.
neutron quota-show. Shows quotas for a specified tenant.
neutron quota-update. Updates quotas for a specified tenant.
Only users with the admin role can change a quota value. By default, the default set of quotas is enforced for all tenants, so no quota-create command exists.
Configure Networking to show per-tenant quotas
Set the quota_driver option in the neutron.conf file:
quota_driver = neutron.db.quota_db.DbQuotaDriver
When you set this option, the output for Networking commands shows quotas.
List Networking extensions
To list the Networking extensions, run this command:
$ neutron ext-list -c alias -c name
The command shows the quotas extension, which provides per-tenant quota management support:
+-----------------+--------------------------+
| alias           | name                     |
+-----------------+--------------------------+
| agent_scheduler | Agent Schedulers         |
| security-group  | security-group           |
| binding         | Port Binding             |
| quotas          | Quota management support |
| agent           | agent                    |
| provider        | Provider Network         |
| router          | Neutron L3 Router        |
| lbaas           | LoadBalancing service    |
| extraroute      | Neutron Extra Route      |
+-----------------+--------------------------+
Show information for the quotas extension
To show information for the quotas extension, run this command:
$ neutron ext-show quotas
+-------------+------------------------------------------------------------+
| Field       | Value                                                      |
+-------------+------------------------------------------------------------+
| alias       | quotas                                                     |
| description | Expose functions for quotas management per tenant          |
| links       |                                                            |
| name        | Quota management support                                   |
| namespace   | http://docs.openstack.org/network/ext/quotas-sets/api/v2.0 |
| updated     | 2012-07-29T10:00:00-00:00                                  |
+-------------+------------------------------------------------------------+
Note: Only some plug-ins support per-tenant quotas. Specifically, Open vSwitch, Linux Bridge, and VMware NSX support them, but new versions of other plug-ins might bring additional functionality. See the documentation for each plug-in.
List tenants who have per-tenant quota support
The quota-list command lists tenants for which the per-tenant quota is enabled. The command does not list tenants with default quota support. You must be an administrative user to run this command:
$ neutron quota-list
+------------+---------+------+--------+--------+----------------------------------+
| floatingip | network | port | router | subnet | tenant_id                        |
+------------+---------+------+--------+--------+----------------------------------+
| 20         | 5       | 20   | 10     | 5      | 6f88036c45344d9999a1f971e4882723 |
| 25         | 10      | 30   | 10     | 10     | bff5c9455ee24231b5bc713c1b96d422 |
+------------+---------+------+--------+--------+----------------------------------+
Show per-tenant quota values
The quota-show command reports the current set of quota limits for the specified tenant. Non-administrative users can run this command without the --tenant_id parameter. If per-tenant quota limits are not enabled for the tenant, the command shows the default set of quotas:
$ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
The following command shows the command output for a non-administrative user:
$ neutron quota-show
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
Update quota values for a specified tenant
Use the quota-update command to update a quota for a specified tenant:
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 5
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 5     |
| port       | 50    |
| router     | 10    |
| subnet     | 10    |
+------------+-------+
You can update quotas for multiple resources through one command:
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --subnet 5 --port 20
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
To update the limits for an L3 resource, such as a router or floating IP, you must define new values for the quotas after the -- directive.
This example updates the limit of the number of floating IPs for the specified tenant:
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 -- --floatingip 20
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
You can update the limits of multiple resources, including both L2 and L3 resources, through one command:
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 3 --subnet 3 --port 3 -- --floatingip 3 --router 3
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 3     |
| network    | 3     |
| port       | 3     |
| router     | 3     |
| subnet     | 3     |
+------------+-------+
Delete per-tenant quota values
To clear per-tenant quota limits, use the quota-delete command:
$ neutron quota-delete --tenant_id 6f88036c45344d9999a1f971e4882723
Deleted quota: 6f88036c45344d9999a1f971e4882723
After you run this command, you can see that quota values for the tenant are reset to the default values:
$ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 10    |
| port       | 50    |
| router     | 10    |
| subnet     | 10    |
+------------+-------+