3.10. Manage quotas

To prevent system capacities from being exhausted without notification, you can set up quotas. Quotas are operational limits. For example, the number of gigabytes allowed for each tenant can be controlled so that cloud resources are optimized. Quotas can be enforced at both the tenant (or project) and the tenant-user level.
Using the command-line interface, you can manage quotas for the OpenStack Compute Service, the OpenStack Block Storage Service, and the OpenStack Networking Service.
Typically, default values are changed because a tenant requires more than 10 volumes, or more than 1TB on a Compute node.

Note

To view all tenants (projects), run:
$ keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| e66d97ac1b704897853412fc8450f7b9 |  admin   |   True  |
| bf4a37b885fe46bd86e999e50adad1d3 | services |   True  |
| 21bd1c7c95234fd28f589b60903606fa | tenant01 |   True  |
| f599c5cd1cba4125ae3d7caed08e288c | tenant02 |   True  |
+----------------------------------+----------+---------+
To display all current users for a tenant, run:
$ keystone user-list --tenant-id tenantID
+----------------------------------+--------+---------+-------+
|                id                |  name  | enabled | email |
+----------------------------------+--------+---------+-------+
| ea30aa434ab24a139b0e85125ec8a217 | demo00 |   True  |       |
| 4f8113c1d838467cad0c2f337b3dfded | demo01 |   True  |       |
+----------------------------------+--------+---------+-------+

3.10.1. Manage Compute service quotas

As an administrative user, you can use the nova quota-* commands, which are provided by the python-novaclient package, to update the Compute Service quotas for a specific tenant or tenant user, as well as update the quota defaults for a new tenant.

Table 3.2. Compute Quota Descriptions

Quota Name                   Description
cores                        Number of instance cores (VCPUs) allowed per tenant.
fixed-ips                    Number of fixed IP addresses allowed per tenant. This number must be equal to or greater than the number of allowed instances.
floating-ips                 Number of floating IP addresses allowed per tenant.
injected-file-content-bytes  Number of content bytes allowed per injected file.
injected-file-path-bytes     Number of bytes allowed per injected file path.
injected-files               Number of injected files allowed per tenant.
instances                    Number of instances allowed per tenant.
key-pairs                    Number of key pairs allowed per user.
metadata-items               Number of metadata items allowed per instance.
ram                          Megabytes of instance RAM allowed per tenant.
security-groups              Number of security groups per tenant.
security-group-rules         Number of rules per security group.

3.10.1.1. View and update Compute quotas for a tenant (project)

Procedure 3.10. To view and update default quota values

  1. List all default quotas for all tenants, as follows:
    $ nova quota-defaults
    For example:
    $ nova quota-defaults
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 10    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
  2. Update a default value for a new tenant, as follows:
    $ nova quota-class-update --key value default
    For example:
    $ nova quota-class-update --instances 15 default

Procedure 3.11. To view quota values for an existing tenant (project)

  1. Place the tenant ID in a usable variable, as follows:
    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  2. List the currently set quota values for a tenant, as follows:
    $ nova quota-show --tenant $tenant
    For example:
    $ nova quota-show --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 10    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+

Procedure 3.12. To update quota values for an existing tenant (project)

  1. Obtain the tenant ID, as follows:
    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  2. Update a particular quota value, as follows:
    # nova quota-update --quotaName quotaValue tenantID
    For example:
    # nova quota-update --floating-ips 20 $tenant
    # nova quota-show --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 20    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
    

    Note

    To view a list of options for the quota-update command, run:
    $ nova help quota-update
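After an update it is useful to see which of a tenant's limits now differ from the defaults, and which are set to -1 (no limit). The following is an added example, not part of the original guide: quota_drift is a hypothetical helper that compares saved `nova quota-defaults` and `nova quota-show` table output, and the sample tables are constructed and abridged from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): report Compute quotas that
# differ from the defaults, and flag limits of -1, which mean "no limit".
# quota_drift is a hypothetical helper name.

# usage: quota_drift DEFAULTS_FILE TENANT_FILE
# Both files hold saved table output from the nova quota-* commands.
quota_drift() {
    awk -F'[|]' '
        NF < 4 { next }                      # border lines have no "|" cells
        {
            name = $2; limit = $3
            gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", limit)
            if (name == "Quota" || name == "") next   # header row
        }
        FNR == NR { def[name] = limit; next }         # first file: defaults
        {
            shown = (name in def) ? def[name] : "none listed"
            if (limit + 0 < 0)
                printf "%s UNLIMITED (default %s)\n", name, shown
            else if (limit != shown)
                printf "%s %s (default %s)\n", name, limit, shown
        }
    ' "$1" "$2"
}

# Constructed sample input, abridged from the tables on this page.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/defaults.txt" <<'EOF'
+--------------+-------+
| Quota        | Limit |
+--------------+-------+
| instances    | 10    |
| cores        | 20    |
| floating_ips | 10    |
| fixed_ips    | -1    |
+--------------+-------+
EOF
cat > "$workdir/tenant.txt" <<'EOF'
+--------------+-------+
| Quota        | Limit |
+--------------+-------+
| instances    | 10    |
| cores        | 20    |
| floating_ips | 20    |
| fixed_ips    | -1    |
+--------------+-------+
EOF

quota_drift "$workdir/defaults.txt" "$workdir/tenant.txt"
```

Against a live deployment, save the output of `nova quota-defaults` and `nova quota-show --tenant $tenant` to two files and pass them in that order.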

3.10.1.2. View and update Compute quotas for a tenant user

Procedure 3.13. To view quota values for a tenant user

  1. Place the user ID in a usable variable, as follows:
    $ tenantUser=$(keystone user-list | awk '/userName/ {print $2}')
  2. Place the user's tenant ID in a usable variable, as follows:
    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  3. List the currently set quota values for a tenant user, as follows:
    $ nova quota-show --user $tenantUser --tenant $tenant
    For example:
    $ nova quota-show --user $tenantUser --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 20    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
    

Procedure 3.14. To update quota values for a tenant user

  1. Place the user ID in a usable variable, as follows:
    $ tenantUser=$(keystone user-list | awk '/userName/ {print $2}')
  2. Place the user's tenant ID in a usable variable, as follows:
    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  3. Update a particular quota value, as follows:
    # nova quota-update --user $tenantUser --quotaName quotaValue $tenant
    For example:
    # nova quota-update --user $tenantUser --floating-ips 12 $tenant
    # nova quota-show --user $tenantUser --tenant $tenant
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 12    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    +-----------------------------+-------+
    

    Note

    To view a list of options for the quota-update command, run:
    $ nova help quota-update

3.10.2. Manage Block Storage service quotas

As an administrative user, you can update the Block Storage service quotas for a project. You can also update the quota defaults for a new project.

Table 3.3. Block Storage quotas

Property name   Defines the number of
gigabytes       Volume gigabytes allowed for each tenant.
snapshots       Volume snapshots allowed for each tenant.
volumes         Volumes allowed for each tenant.

3.10.2.1. View and update Block Storage quotas

As an administrative user, you can view and update Block Storage quotas.
  1. List the default quotas for all projects, as follows:
    $ cinder quota-defaults
    +-----------+-------+
    |  Property | Value |
    +-----------+-------+
    | gigabytes |  1000 |
    | snapshots |   10  |
    |  volumes  |   10  |
    +-----------+-------+
  2. To update a default value for a new project, update the property in the /etc/cinder/cinder.conf file.
  3. View Block Storage quotas for a project, as follows:
    # cinder quota-show TENANT_NAME
    For example:
    # cinder quota-show tenant01
    +-----------+-------+
    |  Property | Value |
    +-----------+-------+
    | gigabytes |  1000 |
    | snapshots |   10  |
    |  volumes  |   10  |
    +-----------+-------+
  4. To update Block Storage service quotas, place the tenant ID in a usable variable, as follows:
    $ tenant=$(keystone tenant-list | awk '/tenantName/ {print $2}')
  5. Update a particular quota value, as follows:
    # cinder quota-update --quotaName NewValue tenantID
    For example:
    # cinder quota-update --volumes 15 $tenant
    # cinder quota-show tenant01
    +-----------+-------+
    |  Property | Value |
    +-----------+-------+
    | gigabytes |  1000 |
    | snapshots |   10  |
    |  volumes  |   15  |
    +-----------+-------+

3.10.3. Manage Networking service quotas

A quota is a function used to limit the number of resources. A default quota may be enforced for all tenants. Attempting to create resources over the limit triggers an error.
$ neutron net-create test_net
Quota exceeded for resources: ['network']
Per-tenant quota configuration is also supported through the quota extension API. See Section 3.10.3.2, "Per-tenant quota configuration", for details.

3.10.3.1. Basic quota configuration

In the Networking default quota mechanism, all tenants have the same quota value, such as the number of resources that a tenant can create. This is enabled by default.
The quota value is defined in the OpenStack Networking configuration file (neutron.conf). If you want to disable quotas for a specific resource (e.g., network, subnet, port), remove a corresponding item from quota_items. Each of the quota values in the example below is the default value.
[quotas]
# resource name(s) that are supported in quota features
quota_items = network,subnet,port

# number of networks allowed per tenant, and minus means unlimited
quota_network = 10

# number of subnets allowed per tenant, and minus means unlimited
quota_subnet = 10

# number of ports allowed per tenant, and minus means unlimited
quota_port = 50

# default driver to use for quota checks
quota_driver = neutron.quota.ConfDriver
OpenStack Networking also supports quotas for L3 resources: router and floating IP. You can configure them by adding the following lines to the quotas section in neutron.conf. (Note that quota_items does not affect these quotas.)
[quotas]
# number of routers allowed per tenant, and minus means unlimited
quota_router = 10

# number of floating IPs allowed per tenant, and minus means unlimited
quota_floatingip = 50
OpenStack Networking also supports quotas for security group resources: number of security groups and the number of rules per security group. You can configure them by adding the following lines to the quotas section in neutron.conf. (Note that quota_items does not affect these quotas.)
[quotas]
# number of security groups per tenant, and minus means unlimited
quota_security_group = 10

# number of security rules allowed per tenant, and minus means unlimited
quota_security_group_rule = 100
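Two settings described above leave a resource without an effective limit: a negative quota value, and a network, subnet or port entry missing from quota_items. The following is an added example, not part of the original guide: audit_neutron_quotas is a hypothetical helper that scans the [quotas] section of a neutron.conf file for both cases, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): flag Networking quota settings
# in neutron.conf that leave a resource without an effective limit.
# audit_neutron_quotas is a hypothetical helper name.

# usage: audit_neutron_quotas NEUTRON_CONF
audit_neutron_quotas() {
    awk '
        /^[ \t]*\[/ { in_q = ($0 ~ /^[ \t]*\[quotas\]/); next }  # track section
        !in_q || /^[ \t]*(#|$)/ { next }     # skip other sections and comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "quota_items") { items = "," val ","; have_items = 1 }
            else if (key ~ /^quota_/ && key != "quota_driver") {
                res = substr(key, 7)          # strip the "quota_" prefix
                if (!(res in limit)) order[++n] = res
                limit[res] = val
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (limit[order[i]] + 0 < 0)
                    print order[i] ": unlimited (negative value)"
            # quota_items governs only network, subnet and port
            m = split("network subnet port", l2, " ")
            for (i = 1; i <= m; i++)
                if (have_items && index(items, "," l2[i] ",") == 0)
                    print l2[i] ": quota disabled (not in quota_items)"
        }
    ' "$1"
}

# Constructed sample configuration.
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
[DEFAULT]
# other settings omitted
[quotas]
quota_items = network,port
quota_network = 10
quota_subnet = 10
quota_port = -1
quota_driver = neutron.quota.ConfDriver
quota_floatingip = 50
quota_security_group_rule = 100
EOF

audit_neutron_quotas "$conf"
```

In the sample, quota_subnet is set to 10 but is still reported, because subnet is absent from quota_items.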

3.10.3.2. Per-tenant quota configuration

OpenStack Networking also supports per-tenant quota limits through the quota extension API. To enable per-tenant quotas, set quota_driver in neutron.conf. For example:
quota_driver = neutron.db.quota_db.DbQuotaDriver
When per-tenant quota is enabled, the output of the following commands includes the quotas extension.
$ neutron ext-list -c alias -c name
+-----------------+--------------------------+
| alias           | name                     |
+-----------------+--------------------------+
| agent_scheduler | Agent Schedulers         |
| security-group  | security-group           |
| binding         | Port Binding             |
| quotas          | Quota management support |
| agent           | agent                    |
| provider        | Provider Network         |
| router          | Neutron L3 Router        |
| lbaas           | LoadBalancing service    |
| extraroute      | Neutron Extra Route      |
+-----------------+--------------------------+
$ neutron ext-show quotas
+-------------+------------------------------------------------------------+
| Field       | Value                                                      |
+-------------+------------------------------------------------------------+
| alias       | quotas                                                     |
| description | Expose functions for quotas management per tenant          |
| links       |                                                            |
| name        | Quota management support                                   |
| namespace   | http://docs.openstack.org/network/ext/quotas-sets/api/v2.0 |
| updated     | 2012-07-29T10:00:00-00:00                                  |
+-------------+------------------------------------------------------------+

Note

Per-tenant quotas are supported by only some plugins. At least Open vSwitch, Linux Bridge, and Nicira NVP are known to work, but new versions of other plugins may bring additional functionality; consult the documentation for each plugin.
There are four CLI commands to manage per-tenant quotas:
  • neutron quota-delete - Delete defined quotas of a given tenant.
  • neutron quota-list - List defined quotas of all tenants.
  • neutron quota-show - Show quotas of a given tenant.
  • neutron quota-update - Define tenant's quotas not to use defaults.
Only users with the admin role can change a quota value. Note that the default set of quotas is enforced for all tenants by default, so there is no quota-create command.
quota-list displays a list of tenants for which per-tenant quota is enabled. Tenants that have the default set of quota limits are not listed. Only admin users are permitted to run this command.
$ neutron quota-list
+------------+---------+------+--------+--------+----------------------------------+
| floatingip | network | port | router | subnet | tenant_id                        |
+------------+---------+------+--------+--------+----------------------------------+
|         20 |       5 |   20 |     10 |      5 | 6f88036c45344d9999a1f971e4882723 |
|         25 |      10 |   30 |     10 |     10 | bff5c9455ee24231b5bc713c1b96d422 |
+------------+---------+------+--------+--------+----------------------------------+
quota-show reports the current set of quota limits for the specified tenant. Regular (non-admin) users can call this command (without the --tenant_id parameter). If per-tenant quota limits are not defined for the tenant, the default set of quotas is displayed.
$ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
The following example shows the command called by a non-admin user.
$ neutron quota-show
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
You can update a quota for a given tenant with the quota-update command.
The following example updates the limit of the network quota.
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 5
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 5     |
| port       | 50    |
| router     | 10    |
| subnet     | 10    |
+------------+-------+
You can update quotas of multiple resources in one command.
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --subnet 5 --port 20
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
To update the limits of L3 resources (router, floating IP), specify the new quota values after '--'. The example below updates the limit of the number of floating IPs for the given tenant.
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 -- --floatingip 20
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 20    |
| network    | 5     |
| port       | 20    |
| router     | 10    |
| subnet     | 5     |
+------------+-------+
You can update the limits of multiple resources, including both L2 and L3 resources, in one command.
$ neutron quota-update --tenant_id 6f88036c45344d9999a1f971e4882723 --network 3 --subnet 3 --port 3 -- --floatingip 3 --router 3
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 3     |
| network    | 3     |
| port       | 3     |
| router     | 3     |
| subnet     | 3     |
+------------+-------+
To clear per-tenant quota limits, use quota-delete. After quota-delete, the quota limits enforced for the tenant are reset to the default set of quotas.
$ neutron quota-delete --tenant_id 6f88036c45344d9999a1f971e4882723
Deleted quota: 6f88036c45344d9999a1f971e4882723
$ neutron quota-show --tenant_id 6f88036c45344d9999a1f971e4882723
+------------+-------+
| Field      | Value |
+------------+-------+
| floatingip | 50    |
| network    | 10    |
| port       | 50    |
| router     | 10    |
| subnet     | 10    |
+------------+-------+

3.10.4. Implementing a System-Wide Storage Quota

You can implement a system-wide storage quota for each user across all storage systems within the OpenStack deployment. This quota is enforced by the Image service; specifically, the openstack-glance-api component service.
To implement a system-wide storage quota, run:
# openstack-config --set /etc/glance/glance-api.conf \
    DEFAULT user_storage_quota B
Replace B with your desired quota (in bytes). A value of 0 means "unlimited", thereby removing the quota.