2e8693e3a0
This copies the guide from openstack-manuals [1] which should have been done with the manuals docs migration in Pike. The only content change is a todo is added to migrate the guide from using the deprecated neutron CLIs to the openstack CLIs. [1] https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html Change-Id: Ia0cad1ea0c27067bc257c1fc8e05299052e35e1b Closes-Bug: #1834068
12 KiB
Manage Networking service quotas
A quota limits the number of available resources. A default quota might be enforced for all projects. When you try to create more resources than the quota allows, an error occurs:
$ openstack network create test_net
Quota exceeded for resources: ['network']Per-project quota configuration is also supported by the quota
extension API. See cfg_quotas_per_tenant for details.
Basic quota configuration
In the Networking default quota mechanism, all projects have the same quota values, such as the number of resources that a project can create.
The quota value is defined in the OpenStack Networking
/etc/neutron/neutron.conf configuration file. This example
shows the default quota values:
[quotas]
# number of networks allowed per tenant, and minus means unlimited
quota_network = 10
# number of subnets allowed per tenant, and minus means unlimited
quota_subnet = 10
# number of ports allowed per tenant, and minus means unlimited
quota_port = 50
# default driver to use for quota checks
quota_driver = neutron.quota.ConfDriverOpenStack Networking also supports quotas for L3 resources: router
and floating IP. Add these lines to the quotas section in
the /etc/neutron/neutron.conf file:
[quotas]
# number of routers allowed per tenant, and minus means unlimited
quota_router = 10
# number of floating IPs allowed per tenant, and minus means unlimited
quota_floatingip = 50OpenStack Networking also supports quotas for security group
resources: number of security groups and the number of rules for each
security group. Add these lines to the quotas section in
the /etc/neutron/neutron.conf file:
[quotas]
# number of security groups per tenant, and minus means unlimited
quota_security_group = 10
# number of security rules allowed per tenant, and minus means unlimited
quota_security_group_rule = 100Configure per-project quotas
OpenStack Networking also supports per-project quota limit by quota extension API.
This document needs to be migrated to using openstack
commands rather than the deprecated neutron commands.
Use these commands to manage per-project quotas:
- neutron quota-delete
-
Delete defined quotas for a specified project
- neutron quota-list
-
Lists defined quotas for all projects
- neutron quota-show
-
Shows quotas for a specified project
- neutron quota-default-show
-
Show default quotas for a specified tenant
- neutron quota-update
-
Updates quotas for a specified project
Only users with the admin role can change a quota value.
By default, the default set of quotas are enforced for all projects, so
no quota-create
command exists.
Configure Networking to show per-project quotas
Set the
quota_driveroption in the/etc/neutron/neutron.conffile.quota_driver = neutron.db.quota_db.DbQuotaDriverWhen you set this option, the output for Networking commands shows
quotas.List Networking extensions.
To list the Networking extensions, run this command:
$ openstack extension list --networkThe command shows the
quotasextension, which provides per-project quota management support.Note
Many of the extensions shown below are supported in the Mitaka release and later.
+------------------------+------------------------+--------------------------+ | Name | Alias | Description | +------------------------+------------------------+--------------------------+ | ... | ... | ... | | Quota management | quotas | Expose functions for | | support | | quotas management per | | | | tenant | | ... | ... | ... | +------------------------+------------------------+--------------------------+Show information for the quotas extension.
To show information for the
quotasextension, run this command:$ neutron ext-show quotas +-------------+------------------------------------------------------------+ | Field | Value | +-------------+------------------------------------------------------------+ | alias | quotas | | description | Expose functions for quotas management per tenant | | links | | | name | Quota management support | | namespace | https://docs.openstack.org/network/ext/quotas-sets/api/v2.0 | | updated | 2012-07-29T10:00:00-00:00 | +-------------+------------------------------------------------------------+Note
Only some plug-ins support per-project quotas. Specifically, Open vSwitch, Linux Bridge, and VMware NSX support them, but new versions of other plug-ins might bring additional functionality. See the documentation for each plug-in.
List projects who have per-project quota support.
The
neutron quota-listcommand lists projects for which the per-project quota is enabled. The command does not list projects with default quota support. You must be an administrative user to run this command:$ neutron quota-list +------------+---------+------+--------+--------+----------------------------------+ | floatingip | network | port | router | subnet | tenant_id | +------------+---------+------+--------+--------+----------------------------------+ | 20 | 5 | 20 | 10 | 5 | 6f88036c45344d9999a1f971e4882723 | | 25 | 10 | 30 | 10 | 10 | bff5c9455ee24231b5bc713c1b96d422 | +------------+---------+------+--------+--------+----------------------------------+Show per-project quota values.
The
neutron quota-showcommand reports the current set of quota limits for the specified project. Non-administrative users can run this command without the--tenant_idparameter. If per-project quota limits are not enabled for the project, the command shows the default set of quotas.Note
Additional quotas added in the Mitaka release include
security_group,security_group_rule,subnet, andsubnetpool.$ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723 +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 50 | | network | 10 | | port | 50 | | rbac_policy | 10 | | router | 10 | | security_group | 10 | | security_group_rule | 100 | | subnet | 10 | | subnetpool | -1 | +---------------------+-------+The following command shows the command output for a non-administrative user.
$ neutron quota-show +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 50 | | network | 10 | | port | 50 | | rbac_policy | 10 | | router | 10 | | security_group | 10 | | security_group_rule | 100 | | subnet | 10 | | subnetpool | -1 | +---------------------+-------+Update quota values for a specified project.
Use the
neutron quota-updatecommand to update a quota for a specified project.$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 5 +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 50 | | network | 5 | | port | 50 | | rbac_policy | 10 | | router | 10 | | security_group | 10 | | security_group_rule | 100 | | subnet | 10 | | subnetpool | -1 | +---------------------+-------+You can update quotas for multiple resources through one command.
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --subnet 5 --port 20 +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 50 | | network | 5 | | port | 20 | | rbac_policy | 10 | | router | 10 | | security_group | 10 | | security_group_rule | 100 | | subnet | 5 | | subnetpool | -1 | +---------------------+-------+To update the limits for an L3 resource such as, router or floating IP, you must define new values for the quotas after the
--directive.This example updates the limit of the number of floating IPs for the specified project.
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --floatingip 20 +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 20 | | network | 5 | | port | 20 | | rbac_policy | 10 | | router | 10 | | security_group | 10 | | security_group_rule | 100 | | subnet | 5 | | subnetpool | -1 | +---------------------+-------+You can update the limits of multiple resources by including L2 resources and L3 resource through one command:
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 \ --network 3 --subnet 3 --port 3 --floatingip 3 --router 3 +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 3 | | network | 3 | | port | 3 | | rbac_policy | 10 | | router | 3 | | security_group | 10 | | security_group_rule | 100 | | subnet | 3 | | subnetpool | -1 | +---------------------+-------+Delete per-project quota values.
To clear per-project quota limits, use the
neutron quota-deletecommand.$ neutron quota-delete --tenant_id 6f88036c45344d9999a1f971e4882723 Deleted quota: 6f88036c45344d9999a1f971e4882723After you run this command, you can see that quota values for the project are reset to the default values.
$ openstack quota show 6f88036c45344d9999a1f971e4882723 +---------------------+-------+ | Field | Value | +---------------------+-------+ | floatingip | 50 | | network | 10 | | port | 50 | | rbac_policy | 10 | | router | 10 | | security_group | 10 | | security_group_rule | 100 | | subnet | 10 | | subnetpool | -1 | +---------------------+-------+
Note
Listing defualt quotas with the OpenStack command line client will
provide all quotas for networking and other services. Previously, the
neutron quota-show --tenant_id would list only
networking quotas.