Manage Networking service quotas

Manage Networking service quotas A quota is a function used to limit the number of resources. A default quota may be enforced for all tenants. Attempting to create resources over the limit triggers an error. $ neutron net-create test_net Quota exceeded for resources: ['network'] Per-tenant quota configuration is also supported by the quota extension API. See Per-tenant quota configuration for details.

Basic quota configuration In the Networking default quota mechanism, all tenants have the same quota value, such as the number of resources that a tenant can create. This is enabled by default. The quota value is defined in the OpenStack Networking configuration file (neutron.conf). If you want to disable quotas for a specific resource (e.g., network, subnet, port), remove a corresponding item from quota_items. Each of the quota values in the example below is the default value. [quotas] # resource name(s) that are supported in quota features quota_items = network,subnet,port # number of networks allowed per tenant, and minus means unlimited quota_network = 10 # number of subnets allowed per tenant, and minus means unlimited quota_subnet = 10 # number of ports allowed per tenant, and minus means unlimited quota_port = 50 # default driver to use for quota checks quota_driver = neutron.quota.ConfDriver OpenStack Networking also supports quotas for L3 resources: router and floating IP. You can configure them by adding the following lines to quotas section in neutron.conf. (Note that quota_items does not affect these quotas.) [quotas] # number of routers allowed per tenant, and minus means unlimited quota_router = 10 # number of floating IPs allowed per tenant, and minus means unlimited quota_floatingip = 50 OpenStack Networking also supports quotas for security group resources: number of security groups and the number of rules per security group. You can configure them by adding the following lines to quotas section in neutron.conf. (Note that quota_items does not affect these quotas.) [quotas] # number of security groups per tenant, and minus means unlimited quota_security_group = 10 # number of security rules allowed per tenant, and minus means unlimited quota_security_group_rule = 100

Per-tenant quota configuration OpenStack Networking also supports per-tenant quota limit by quota extension API. To enable per-tenant quota, you need to set quota_driver in neutron.conf. For example: quota_driver = neutron.db.quota_db.DbQuotaDriver When per-tenant quota is enabled, the output of the following commands contain quotas. $ neutron ext-list -c alias -c name +-----------------+--------------------------+ | alias | name | +-----------------+--------------------------+ | agent_scheduler | Agent Schedulers | | security-group | security-group | | binding | Port Binding | | quotas | Quota management support | | agent | agent | | provider | Provider Network | | router | Neutron L3 Router | | lbaas | LoadBalancing service | | extraroute | Neutron Extra Route | +-----------------+--------------------------+ $ neutron ext-show quotas +-------------+------------------------------------------------------------+ | Field | Value | +-------------+------------------------------------------------------------+ | alias | quotas | | description | Expose functions for quotas management per tenant | | links | | | name | Quota management support | | namespace | http://docs.openstack.org/network/ext/quotas-sets/api/v2.0 | | updated | 2012-07-29T10:00:00-00:00 | +-------------+------------------------------------------------------------+ Per-tenant quotas are supported only supported by some plugins. At least Open vSwitch, Linux Bridge, and Nicira NVP are known to work but new versions of other plugins may bring additional functionality - consult the documentation for each plugin. There are four CLI commands to manage per-tenant quotas: neutron quota-delete - Delete defined quotas of a given tenant. neutron quota-list - List defined quotas of all tenants. neutron quota-show - Show quotas of a given tenant. neutron quota-update - Define tenant's quotas not to use defaults. Only users with 'admin' role can change a quota value. Note that the default set of quotas are enforced for all tenants by default, so there is no quota-create command. quota-list displays a list of tenants for which per-tenant quota is enabled. The tenants who have the default set of quota limits are not listed. This command is permitted to only 'admin' users. $ neutron quota-list +------------+---------+------+--------+--------+----------------------------------+ | floatingip | network | port | router | subnet | tenant_id | +------------+---------+------+--------+--------+----------------------------------+ | 20 | 5 | 20 | 10 | 5 | 6f88036c45344d9999a1f971e4882723 | | 25 | 10 | 30 | 10 | 10 | bff5c9455ee24231b5bc713c1b96d422 | +------------+---------+------+--------+--------+----------------------------------+ quota-show reports the current set of quota limits for the specified tenant. Regular (non-admin) users can call this command (without --tenant_id parameter). If per-tenant quota limits are not defined for the tenant, the default set of quotas are displayed. $ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723 +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 20 | | network | 5 | | port | 20 | | router | 10 | | subnet | 5 | +------------+-------+ The below is an example called by a non-admin user. $ neutron quota-show +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 20 | | network | 5 | | port | 20 | | router | 10 | | subnet | 5 | +------------+-------+ You can update a quota of the given tenant by quota-update command. Update the limit of network quota. $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 5 +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 50 | | network | 5 | | port | 50 | | router | 10 | | subnet | 10 | +------------+-------+ You can update quotas of multiple resources in one command. $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --subnet 5 --port 20 +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 50 | | network | 5 | | port | 20 | | router | 10 | | subnet | 5 | +------------+-------+ To update the limits of L3 resource (router, floating IP), we need to specify new values of the quotas after '--'. The example below updates the limit of the number of floating IPs for the given tenant. $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 -- --floatingip 20 +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 20 | | network | 5 | | port | 20 | | router | 10 | | subnet | 5 | +------------+-------+ You can update the limits of multiple resources including L2 resources and L3 resource in one command. $ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 3 --subnet 3 --port 3 -- --floatingip 3 --router 3 +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 3 | | network | 3 | | port | 3 | | router | 3 | | subnet | 3 | +------------+-------+ To clear per-tenant quota limits, use quota-delete. After quota-delete, quota limits enforced to the tenant are reset to the default set of quotas. $ neutron quota-delete --tenant_id 6f88036c45344d9999a1f971e4882723 Deleted quota: 6f88036c45344d9999a1f971e4882723 $ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723 +------------+-------+ | Field | Value | +------------+-------+ | floatingip | 50 | | network | 10 | | port | 50 | | router | 10 | | subnet | 10 | +------------+-------+