Ask Your Question
1

inconsistent network quota in mitaka (nova, neutron or openstack CLI??)

asked 2016-11-22 02:36:36 -0500

theque42 gravatar image
 I am trying to make heads or tails out of the very weird quota configuration, depending on wether I use the openstack command, the nova command, or the neutron command.

Where the H....ECK, are they saved really, since it seems the havent really got the same view of whats actually configured for a project??

Check the below output, when using the different commands, for a normal user Student4, i project StackLab4.

The lab is running an up2date centos-release mitaka.

[root@ctrl ~(admin)]# openstack project show $LAB4
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 224263ec11a04d0e8976634a3c755fce |
| enabled     | True                             |
| id          | 8cc512ce5b83485993cd1133d0de40e6 |
| is_domain   | False                            |
| name        | StackLab4                        |
| parent_id   | 224263ec11a04d0e8976634a3c755fce |
+-------------+----------------------------------+
[lab5]:admin@admin
[root@ctrl ~(admin)]# openstack quota set --secgroups 2 --secgroup-rules 6 $LAB4
[lab5]:admin@admin
[root@ctrl ~(admin)]# openstack quota show $LAB4 | grep sec
| secgroup-rules       | 100                              |
| secgroups            | 10                               |
[lab5]:admin@admin
[root@ctrl ~(admin)]# . keystone_student4
[lab5]:student4@StackLab4
[root@ctrl ~(student4)]# SOS
OS_AUTH_URL=http://10.10.15.100:35357/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2
OS_PASSWORD=student4
OS_PROJECT_DOMAIN_NAME=StudentCloud
OS_PROJECT_NAME=StackLab4
OS_REGION_NAME=RegionOne
OS_USERNAME=student4
OS_USER_DOMAIN_NAME=StudentCloud
[lab5]:student4@StackLab4
[root@ctrl ~(student4)]# neutron quota-show | grep sec
| security_group      | 10    |
| security_group_rule | 100   |
[lab5]:student4@StackLab4
[root@ctrl ~(student4)]# nova quota-show | grep sec
| security_groups             | 2     |
| security_group_rules        | 6     |
[lab5]:student4@StackLab4
[root@ctrl ~(student4)]# . keystone_admin
[lab5]:admin@admin
[root@ctrl ~(admin)]# neutron quota-update --tenant-id $LAB4 --security-group 15 --security-group-rule 64
+---------------------+-------+
| Field               | Value |
+---------------------+-------+
| floatingip          | 50    |
| healthmonitor       | -1    |
| l7policy            | -1    |
| listener            | -1    |
| loadbalancer        | 10    |
| network             | 10    |
| pool                | 10    |
| port                | 50    |
| rbac_policy         | 10    |
| router              | 10    |
| security_group      | 15    |
| security_group_rule | 64    |
| subnet              | 10    |
| subnetpool          | -1    |
+---------------------+-------+
[lab5]:admin@admin
[root@ctrl ~(admin)]# openstack quota show $LAB4 | grep sec
| secgroup-rules       | 64                               |
| secgroups            | 15                               |
[lab5]:admin@admin
[root@ctrl ~(admin)]# nova quota-show --tenant $LAB4  | grep sec
| security_groups             | 2     |
| security_group_rules        | 6     |
[lab5]:admin@admin
[root@ctrl ~(admin)]# nova quota-show --tenant $LAB4 | grep sec
| security_groups             | 2     |
| security_group_rules        | 6     |
[lab5]:admin@admin
[root@ctrl ~(admin)]# openstack quota set --secgroups 5 --secgroup-rules 12 $LAB4
[lab5]:admin@admin
[root@ctrl ~(admin)]# nova quota-show --tenant $LAB4
| security_groups             | 5     |
| security_group_rules        | 12    |


[lab5]:admin@admin
[root@ctrl ~(admin)]# openstack quota show $LAB4 | grep sec
| secgroup-rules       | 64                               |
| secgroups            | 15                               |
[lab5]:admin@admin
[root@ctrl ~(admin)]#
edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted
0

answered 2016-11-24 11:05:49 -0500

volenbovsky gravatar image

there are two parts I think: -Openstack CLI supports change of quotas for security groups only recently from 2.5.0 version See http://docs.openstack.org/releasenote... (but quota-show was supported earlier)

-Nova will use Neutron 'in background' for security groups in case security_group_api in nova.conf is neutron. Otherwise Nova and Neutron will live in 'separate worlds' and your architecture is using Neutron I am pretty much sure and not nova-network.

My recommendations could be to upgrade OpenStack CLI and/or use Neutron CLI commands. Making it work with Nova should be dependent on configuration option specified above and/or some likely-known/likely-resolved bug.

edit flag offensive delete link more

Comments

Did you note my own answer below? The faulty once seems to be nova. The values showed by neutron and openstack are the ones actually being enforced. So I ask myself, where the heck is nova fetching its data from??

theque42 gravatar imagetheque42 ( 2016-11-24 12:22:07 -0500 )edit

I think that it tries to use nova-network (which is not used in your deployment as I see). See 'security_group_api' aspect above

volenbovsky gravatar imagevolenbovsky ( 2016-11-24 12:48:24 -0500 )edit

security_group_api is a deprecated option in mitaka, so I dont see how it would affect anything?

theque42 gravatar imagetheque42 ( 2017-03-16 05:55:47 -0500 )edit
0

answered 2016-11-22 03:11:15 -0500

theque42 gravatar image

updated 2016-11-22 03:13:01 -0500

After setting different values with nova, neutron, and openstack CLI, this seems like i bug in the nova CLI? The values set with neutron/openstack matches, and its those, that seem to be enforced.

[lab5]:student5@StackLab5
[root@ctrl ~(student5)]# openstack quota show $LAB5 | grep sec
| secgroup-rules       | 4                                |
| secgroups            | 2                                |
[lab5]:student5@StackLab5
[root@ctrl ~(student5)]# neutron quota-show --tenant-id $LAB5 | grep sec
| security_group      | 2     |
| security_group_rule | 4     |
[lab5]:student5@StackLab5
[root@ctrl ~(student5)]# nova quota-show --tenant $LAB5 | grep sec
| security_groups             | 9     |
| security_group_rules        | 9     |
[lab5]:student5@StackLab5
[root@ctrl ~(student5)]# nova secgroup-create arneIgen "MyIllegalSecurityGroup"
ERROR (Forbidden): Quota exceeded for resources: ['security_group'].
Neutron server returns request_ids: ['req-d91a6c58-cb24-4eaa-b8b2-f10988e1ce9f'] (HTTP 403) (Request-ID: req-29ddc0d5-d20f-4387-9697-ed3f9aeced7a)
[lab5]:student5@StackLab5
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

Stats

Asked: 2016-11-22 02:36:36 -0500

Seen: 228 times

Last updated: Nov 24 '16