<div dir="ltr"><div><span style="font-family:georgia,serif">IMHO for Magnum and Nested Quota we need more discussion before proceeding ahead because :-</span><br></div><div><font face="georgia, serif"><br></font></div><div><font face="georgia, serif">1. The main intent of hierarchical multi tenancy is creating a hierarchy of projects (so that its easier for the cloud provider to manage different projects) and nested quota driver being able to validate and impose those restrictions.</font></div><div><font face="georgia, serif">2. <span style="font-size:12.8px">The tenancy boundary in Magnum is the bay. </span><span style="font-size:12.8px">Bays offer both a management and security isolation between multiple tenants.</span></font></div><div><font face="georgia, serif">3. In Magnum t<span style="font-size:12.8px">here is no intent to share a single bay between multiple tenants. </span></font></div><div><span style="font-size:12.8px"><font face="georgia, serif"><br></font></span></div><div><span style="font-size:12.8px"><font face="georgia, serif">So I would like to have a discussion on whether Nested Quota approach fits in our/Magnum's design and how will the resources be distributed in the hierarchy. I will include it in our Magnum weekly meeting agenda.</font></span></div><div><span style="font-size:12.8px"><font face="georgia, serif"><br></font></span></div><div><font face="georgia, serif">I have in-fact drafted a blueprint for it sometime back [1].</font></div><div><font face="georgia, serif"><br></font></div><div><font face="georgia, serif">I am a huge supporter of hierarchical projects and nested quota approaches (as they if done correctly IMHO minimize admin pain of managing quotas) , just wanted to see a cleaner way we can get this done for Magnum. </font></div><div><span style="font-family:georgia,serif"><br></span></div><div><span style="font-family:georgia,serif">JFYI, I am the primary author of Cinder Nested Quota [2] and co-author of Nova Nested Quota[3] so I am familiar with the approach taken in both.</span><font face="georgia, serif"><br></font></div><div><font face="georgia, serif"><br></font></div><div><font face="georgia, serif">Thoughts ?</font></div><div><font face="georgia, serif"><br></font></div><div><font face="georgia, serif">-Vilobh</font></div><div><font face="georgia, serif"><br></font></div><div><font face="georgia, serif">[1] Magnum Nested Quota : <a href="https://blueprints.launchpad.net/magnum/+spec/nested-quota-magnum">https://blueprints.launchpad.net/magnum/+spec/nested-quota-magnum</a></font></div><div><font face="georgia, serif">[2] Cinder Nested Quota Driver : <a href="https://review.openstack.org/#/c/205369/">https://review.openstack.org/#/c/205369/</a></font></div><div><font face="georgia, serif">[3] Nova Nested Quota Driver : <a href="https://review.openstack.org/#/c/242626/">https://review.openstack.org/#/c/242626/</a></font></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 15, 2015 at 10:10 AM, Tim Bell <span dir="ltr"><<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Thanks… it is really important from the user experience that we keep the nested quota implementations in sync so we don’t have different semantics.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Tim<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0cm 0cm 0cm 4pt"><div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif"> Adrian Otto [mailto:<a href="mailto:adrian.otto@rackspace.com" target="_blank">adrian.otto@rackspace.com</a>] <br><b>Sent:</b> 15 December 2015 18:44<span class=""><br><b>To:</b> OpenStack Development Mailing List (not for usage questions) <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br></span><b>Cc:</b> OpenStack Mailing List (not for usage questions) <<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>><br><b>Subject:</b> Re: [openstack-dev] [openstack][magnum] Quota for Magnum Resources<u></u><u></u></span></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Vilobh, <u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Thanks for advancing this important topic. I took a look at what Tim referenced how Nova is implementing nested quotas, and it seems to me that’s something we could fold in as well to our design. Do you agree?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Adrian<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p><div><blockquote style="margin-top:5pt;margin-bottom:5pt"><div><p class="MsoNormal">On Dec 14, 2015, at 10:22 PM, Tim Bell <<a href="mailto:tim.bell@cern.ch" target="_blank">tim.bell@cern.ch</a>> wrote:<u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Can we have nested project quotas in from the beginning ? Nested projects are in Keystone V3 from Kilo onwards and retrofitting this is hard work.</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">For details, see the Nova functions at<span> </span><a href="https://review.openstack.org/#/c/242626/" target="_blank"><span style="color:purple">https://review.openstack.org/#/c/242626/</span></a>. Cinder now also has similar functions.</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Tim</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p></div><div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0cm 0cm 0cm 4pt"><div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0cm 0cm"><div><p class="MsoNormal"><b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif"> </span></span><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">Vilobh Meshram [<a href="mailto:vilobhmeshram.openstack@gmail.com" target="_blank">mailto:vilobhmeshram.openstack@gmail.com</a>]<span> </span><br><b>Sent:</b><span> </span>15 December 2015 01:59<br><b>To:</b><span> </span>OpenStack Development Mailing List (not for usage questions) <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>>; OpenStack Mailing List (not for usage questions) <<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>><br><b>Subject:</b><span> </span>[openstack-dev] [openstack][magnum] Quota for Magnum Resources</span><u></u><u></u></p></div></div></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><div><div><p class="MsoNormal"><span style="font-family:Georgia,serif;color:rgb(51,51,51)">Hi All,</span><u></u><u></u></p></div></div><div><div><p class="MsoNormal" style="line-height:13.5pt"><span style="font-family:Georgia,serif;color:rgb(51,51,51)"> </span><u></u><u></u></p></div></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif;color:rgb(51,51,51)">Currently, it is possible to create unlimited number of resource like bay/pod/service/. In Magnum, there should be a limitation for user or project to create Magnum resource,<br>and the limitation should be configurable[1]. </span><u></u><u></u></p></div><div><div><div><p class="MsoNormal"> <u></u><u></u></p></div></div><div><div><p class="MsoNormal"><span style="font-family:Georgia,serif;color:rgb(51,51,51)">I proposed following design :-</span><u></u><u></u></p></div></div><div><div><p class="MsoNormal"> <u></u><u></u></p></div></div><div><div><p class="MsoNormal"><span style="font-family:Georgia,serif;color:rgb(51,51,51)">1. Introduce new table magnum.quotas</span><u></u><u></u></p></div></div><div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">+------------+--------------+------+-----+---------+----------------+</span><u></u><u></u></p></div></div><div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| Field | Type | Null | Key | Default | Extra |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">+------------+--------------+------+-----+---------+----------------+</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| id | int(11) | NO | PRI | NULL | auto_increment |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| created_at | datetime | YES | | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| updated_at | datetime | YES | | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| deleted_at | datetime | YES | | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| project_id | varchar(255) | YES | MUL | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| resource | varchar(255) | NO | | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| hard_limit | int(11) | YES | | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">| deleted | int(11) | YES | | NULL | |</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-family:Georgia,serif">+------------+--------------+------+-----+---------+----------------+</span><u></u><u></u></p></div><div><p class="MsoNormal">resource can be Bay, Pod, Containers, etc.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">2. API controller for quota will be created to make sure basic CLI commands work.<u></u><u></u></p></div><div><p class="MsoNormal">quota-show, quota-delete, quota-create, quota-update<u></u><u></u></p></div><div><p class="MsoNormal">3. When the admin specifies a quota of X number of resources to be created the code should abide by that. For example if hard limit for Bay is 5 (i.e. a project can have maximum 5 Bay's) if a user in a project tries to exceed that hardlimit it won't be allowed. Similarly goes for other resources. <u></u><u></u></p></div><div><p class="MsoNormal">4. Please note the quota validation only works for resources created via Magnum. Could not think of a way that Magnum to know if a COE specific utilities created a resource in background. One way could be to see the difference between whats stored in magnum.quotas and the information of the actual resources created for a particular bay in k8s/COE.<u></u><u></u></p></div><div><p class="MsoNormal">5. Introduce a config variable to set quotas values.<u></u><u></u></p></div><div><p class="MsoNormal">If everyone agrees will start the changes by introducing quota restrictions on Bay creation.<u></u><u></u></p></div><div><p class="MsoNormal">Thoughts ??<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">-Vilobh<u></u><u></u></p></div><div><p class="MsoNormal">[1] <a href="https://blueprints.launchpad.net/magnum/+spec/resource-quota" target="_blank"><span style="color:purple">https://blueprints.launchpad.net/magnum/+spec/resource-quota</span></a><u></u><u></u></p></div></div></div></div></div><p class="MsoNormal"><span style="font-size:9pt;font-family:Helvetica,sans-serif">__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></span><u></u><u></u></p></div></blockquote></div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div></div></div><br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>