From 3d0dfb706ca336351cc1f25a2afa55c665e02258 Mon Sep 17 00:00:00 2001
From: German Eichberger
Date: Wed, 30 May 2018 20:17:57 -0700
Subject: [PATCH] Set quota for octavia service project

The default quotas are often not sufficient for a side wide load balancing service. This will adjust them to some more reasonable values. The os_quota module of ansible assumes an installed block storage service so it is not suitable for our tests which don't install cinder. Therefore we are using the openstack client straight.

Change-Id: If85cc3862b9316d9bf43e025bfaab8e1b7fd5576
---
 defaults/main.yml | 10 ++++++++++
 .../notes/fix_quota-e3d4bf0b896dc393.yaml | 12 +++++++++++
 tasks/octavia_security_group.yml | 20 +++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 938de5d7..8d844eff 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -442,6 +442,16 @@ octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
 octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
 octavia_signing_digest: sha256
 
+# Quotas for the Octavia user - assuming active/passive topology
+octavia_num_instances: 10000 # 5000 LB in active/passive
+octavia_ram: "{{ octavia_num_instances*1024 }}"
+octavia_num_server_groups: "{{ (octavia_num_instances*0.5)|int|abs }}"
+octavia_num_server_group_members: 50
+octavia_num_cores: "{{ octavia_num_instances }}"
+octavia_num_secgroups: "{{ octavia_num_instances*1.5|int|abs}}" # average 3 listener per lb
+octavia_num_ports: "{{ octavia_num_instances*10 }}" # at least instances * 10
+octavia_num_security_group_rules: 100
+
 ## Tunable overrides
 octavia_octavia_conf_overrides: {}
 octavia_api_paste_ini_overrides: {}
diff --git a/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml b/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
new file mode 100644
index 00000000..80d1e0d0
--- /dev/null
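Review bot: `octavia_num_secgroups` evaluates to `octavia_num_instances * 1` rather than 1.5 times that, because Jinja filters bind tighter than `*` — `1.5|int` is 1 before the multiplication happens — while the sibling `octavia_num_server_groups` line parenthesizes the product correctly. Change it to `octavia_num_secgroups: "{{ (octavia_num_instances*1.5)|int }}" # average 3 listener per lb`. The `|abs` filter on both derived lines is a no-op on a positive product and can be dropped. A one-line comment above `octavia_num_security_group_rules: 100` saying it is a flat per-project count, not a multiple of `octavia_num_instances` like the others, would help readers tuning these values.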
+++ b/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Octavia is creating vms, securitygroups, and other things in its
+ project. In most cases the default quotas are not big enough. This
+ will adjust them to (configurable) reasonable values.
+security:
+ - |
+ Avoid setting the quotas too high for your cloud since this can
+ impact the performance of other servcies and lead to a potential
+ Denial-of-Service attack if Loadbalancer quotas are not set
+ properly or RBAC is not properly set up.
\ No newline at end of file
diff --git a/tasks/octavia_security_group.yml b/tasks/octavia_security_group.yml
index f30d0efa..5e13588a 100644
--- a/tasks/octavia_security_group.yml
+++ b/tasks/octavia_security_group.yml
@@ -24,6 +24,26 @@
 ansible_python_interpreter: >-
 {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
 block:
+ - name: Setup the service project quota
+ # The os_quota module has a bug that it always requires a
+ # configured cinder service to work, so we use the CLI instead.
+ # TODO(_xgerman):
+ # Use the os_quota module once the issue is resolved.
+ shell: >-
+ openstack quota set
+ --os-cloud default
+ --cores {{ octavia_num_cores }}
+ --instances {{ octavia_num_instances }}
+ --ram {{ octavia_ram }}
+ --server-groups {{ octavia_num_server_groups }}
+ --server-group-members {{ octavia_num_server_group_members }}
+ --secgroups {{ octavia_num_secgroups }}
+ --ports {{ octavia_num_ports }}
+ --secgroup-rules {{ octavia_num_secgroups }}
+ {{ octavia_service_project_name }}
+ tags:
+ - skip_ansible_lint
+
 - name: Create Octavia security group
 os_security_group:
 auth:
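Review bot: `--secgroup-rules {{ octavia_num_secgroups }}` passes the security-group quota where the rule quota belongs; `octavia_num_security_group_rules`, added to defaults/main.yml in this same commit, is otherwise unused, so the project's rule quota is set to the secgroup count instead of the intended 100. Change it to `--secgroup-rules {{ octavia_num_security_group_rules }}`. Since the invocation uses no shell features, `command: >-` would do the same job without the templated project name and quota values being parsed by a shell, and would likely make the `skip_ansible_lint` tag unnecessary. The task also reports changed on every run, so `changed_when: false` is worth adding for idempotent reruns. The task that opens `block:` starts before this hunk.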