On Nov 17, 2014, at 5:49 PM, Salvatore Orlando <sorla...@nicira.com> wrote:
> Hi all, > > I am resuming this thread following the session we had at the summit in Paris > (etherpad here [1]) > > While there was some sort of consensus regarding what this library should do, > and how it should do it, the session ended with some open questions which we > need to address before finalising the specification. > > There was a rather large consensus that the only viable architecture would be > one where the quota management library owns resource usage data. However, > this raises further concerns around: > - ownership of resource usage records. As the quota library owns usage data, > it becomes the authoritative source of truth for it. This could be > problematic in some projects, particularly nova, where the resource tracker > currently own usage data. > - inserting quota-related db migrations in the consumer project timeline. > We'll need to solve this for both sqlalchemy.migrate and alembic (I seem to > recall Doug has a solution for this) > > While the proposed interface for quota enforcing was generally well received, > another open question is whether this library should also be responsible for > quota management. Each project currently exposes its own extension for > setting quotas for tenants, and this is rather bad from an usability > perspective. whether this should be responsibility of the quota library, > handle by a separate "quota service", or handled through keystone is > debatable. Personally I think the library should not get in the business of > defining APIs. However, it can define the business logic for managing tenant > quotas which can then be leveraged by the projects which will adopt it. > Either way, I reckon that we might be better off by limiting our scope to > quota enforcement for the first iteration of this library. > > The last, and possibly most important question, is whether this library > belongs to the oslo-incubator or should live into its own repository. I would > personally prefer the oslo incubator because its process makes adoption by > OpenStack projects fairly simple. On the other hand, I also understand the > concerns around a library that comes with its own data models and has the > potential of becoming something bigger than a simple library. I would like to > defer an answer to this question to the oslo core team, which are surely a > lot more experienced than me on the matter of the incubator. I’ve spent a bit of time thinking about the resource ownership issue. The challenge there is we don’t currently have any libraries that define tables in the schema of an application. I think that’s a good pattern to maintain, since it avoids introducing a lot of tricky issues like how to manage migrations for the library, how to ensure they are run by the application, etc. The fact that this common quota thing needs to store some data in a schema that it controls says to me that it is really an app and not a library. Making the quota manager an app solves the API definition issue, too, since we can describe a generic way to configure quotas and other applications can then use that API to define specific rules using the quota manager’s API. I don’t know if we need a new application or if it would make sense to, as with policy, add quota management features to keystone. A single well-defined app has some appeal, but there’s also a certain amount of extra ramp-up time needed to go that route that we wouldn’t need if we added the features directly to keystone. Doug > > To this aim, the proposed specification [2] has been temporarily put in WIP. > > A few more notes: > > 1) We agreed that we won't be constrained about saving any part of the > current module, since it's not used by any project. We will however reuse > whatever can be reused (mostly for not wasting time by writing the same thing > again) > > 2) As concerns data backends to support, we agreed that we would start with > the simplest possible solution. A single SQLalchemy-backed data source. > Potentially we won't even have a framework for plugging different kind of > data sources. However if contributors step in with support for multiple > backends, we will consider it. > > 3) The idea of having a quota engine leveraging "data sources" was quite > welcomed. Ideally it's not that different from the engine/driver model in the > current module, but there will be a cleaner separation of responsibilities. > > Salvatore > > [1] https://etherpad.openstack.org/p/kilo-oslo-common-quota-library > [2] https://review.openstack.org/#/c/132127/ > > On 15 October 2014 20:54, Doug Hellmann <d...@doughellmann.com> wrote: > We can make it support whatever we want! :-) > > The existing code almost certainly predates domain support in keystone, so I > think this is a case of needing to catch up not a conscious decision to leave > it out. > > Doug > > > On Oct 15, 2014, at 12:15 PM, Ajaya Agrawal <ajku....@gmail.com> wrote: > >> Hi, >> >> Would the new library support quota on domain level also? As it stands in >> oslo-incubator it only does quota enforcement on project level only. The use >> case for this is quota enforcement across multiple projects. For e.g. as a >> cloud provider, I would like my customer to create only #X volumes across >> all his projects. >> >> -Ajaya >> >> Cheers, >> Ajaya >> >> On Wed, Oct 15, 2014 at 7:04 PM, Doug Hellmann <d...@doughellmann.com> wrote: >> Sigh. Because I typed the wrong command. Thanks for pointing that out. >> >> I don’t see any instances of “quota” in openstack-common.conf files: >> >> $ grep quota */openstack-common.conf >> >> or in any projects under "openstack/“: >> >> $ ls */*/openstack/common/quota.py >> ls: cannot access */*/openstack/common/quota.py: No such file or directory >> >> I don’t know where manila’s copy came from, but if it has been copied from >> the incubator by hand and then changed we should fix that up. >> >> Doug >> >> On Oct 15, 2014, at 5:28 AM, Valeriy Ponomaryov <vponomar...@mirantis.com> >> wrote: >> >>> But why "policy" is being discussed on "quota" thread? >>> >>> On Wed, Oct 15, 2014 at 11:55 AM, Valeriy Ponomaryov >>> <vponomar...@mirantis.com> wrote: >>> Manila project does use "policy" common code from incubator. >>> >>> Our "small" wrapper for it: >>> https://github.com/openstack/manila/blob/8203c51081680a7a9dba30ae02d7c43d6e18a124/manila/policy.py >>> >>> >>> On Wed, Oct 15, 2014 at 2:41 AM, Salvatore Orlando <sorla...@nicira.com> >>> wrote: >>> Doug, >>> >>> I totally agree with your findings on the policy module. >>> Neutron already has some "customizations" there and we already have a few >>> contributors working on syncing it back with oslo-incubator during the Kilo >>> release cycle. >>> >>> However, my query was about the quota module. >>> From what I gather it seems not a lot of projects use it: >>> >>> $ find . -name openstack-common.conf | xargs grep quota >>> $ >>> >>> Salvatore >>> >>> On 15 October 2014 00:34, Doug Hellmann <d...@doughellmann.com> wrote: >>> >>> On Oct 14, 2014, at 12:31 PM, Salvatore Orlando <sorla...@nicira.com> wrote: >>> >>>> Hi Doug, >>>> >>>> do you know if the existing quota oslo-incubator module has already some >>>> active consumers? >>>> In the meanwhile I've pushed a spec to neutron-specs for improving quota >>>> management there [1] >>> >>> It looks like a lot of projects are syncing the module: >>> >>> $ grep policy */openstack-common.conf >>> barbican/openstack-common.conf:modules=gettextutils,jsonutils,log,local,timeutils,importutils,policy >>> ceilometer/openstack-common.conf:module=policy >>> cinder/openstack-common.conf:module=policy >>> designate/openstack-common.conf:module=policy >>> gantt/openstack-common.conf:module=policy >>> glance/openstack-common.conf:module=policy >>> heat/openstack-common.conf:module=policy >>> horizon/openstack-common.conf:module=policy >>> ironic/openstack-common.conf:module=policy >>> keystone/openstack-common.conf:module=policy >>> manila/openstack-common.conf:module=policy >>> neutron/openstack-common.conf:module=policy >>> nova/openstack-common.conf:module=policy >>> trove/openstack-common.conf:module=policy >>> tuskar/openstack-common.conf:module=policy >>> >>> I’m not sure how many are actively using it, but I wouldn’t expect them to >>> copy it in if they weren’t using it at all. >>> >>>> >>>> Now, I can either work on the oslo-incubator module and leverage it in >>>> Neutron, or develop the quota module in Neutron, and move it to >>>> oslo-incubator once we validate it with Neutron. The latter approach seems >>>> easier from a workflow perspective - as it avoid the intermediate steps of >>>> moving code from oslo-incubator to neutron. On the other hand it will >>>> delay adoption in oslo-incubator. >>> >>> The policy module is up for graduation this cycle. It may end up in its own >>> library, to allow us to build a review team for the code more easily than >>> if we put it in with some of the other semi-related modules like the server >>> code. We’re still working that out [1], and if you expect to make a lot of >>> incompatible changes we should delay graduation to make that simpler. >>> >>> Either way, since we have so many consumers, I think it would be easier to >>> have the work happen in Oslo somewhere so we can ensure those changes are >>> useful to and usable by all of the existing consumers. >>> >>> Doug >>> >>> [1] https://etherpad.openstack.org/p/kilo-oslo-library-proposals >>> >>>> >>>> What's your opinion? >>>> >>>> Regards, >>>> Salvatore >>>> >>>> [1] https://review.openstack.org/#/c/128318/ >>>> >>>> On 8 October 2014 18:52, Doug Hellmann <d...@doughellmann.com> wrote: >>>> >>>> On Oct 8, 2014, at 7:03 AM, Davanum Srinivas <dava...@gmail.com> wrote: >>>> >>>> > Salvatore, Joe, >>>> > >>>> > We do have this at the moment: >>>> > >>>> > https://github.com/openstack/oslo-incubator/blob/master/openstack/common/quota.py >>>> > >>>> > — dims >>>> >>>> If someone wants to drive creating a useful library during kilo, please >>>> consider adding the topic to the etherpad we’re using to plan summit >>>> sessions and then come participate in the Oslo meeting this Friday 16:00 >>>> UTC. >>>> >>>> https://etherpad.openstack.org/p/kilo-oslo-summit-topics >>>> >>>> Doug >>>> >>>> > >>>> > On Wed, Oct 8, 2014 at 2:29 AM, Salvatore Orlando <sorla...@nicira.com> >>>> > wrote: >>>> >> >>>> >> On 8 October 2014 04:13, Joe Gordon <joe.gord...@gmail.com> wrote: >>>> >>> >>>> >>> >>>> >>> On Fri, Oct 3, 2014 at 10:47 AM, Morgan Fainberg >>>> >>> <morgan.fainb...@gmail.com> wrote: >>>> >>>> >>>> >>>> Keeping the enforcement local (same way policy works today) helps >>>> >>>> limit >>>> >>>> the fragility, big +1 there. >>>> >>>> >>>> >>>> I also agree with Vish, we need a uniform way to talk about quota >>>> >>>> enforcement similar to how we have a uniform policy language / >>>> >>>> enforcement >>>> >>>> model (yes I know it's not perfect, but it's far closer to uniform >>>> >>>> than >>>> >>>> quota management is). >>>> >>> >>>> >>> >>>> >>> It sounds like maybe we should have an oslo library for quotas? >>>> >>> Somewhere >>>> >>> where we can share the code,but keep the operations local to each >>>> >>> service. >>>> >> >>>> >> >>>> >> This is what I had in mind as well. A simple library for quota >>>> >> enforcement >>>> >> which can be used regardless of where and how you do it, which might >>>> >> depend >>>> >> on the application business logic, the WSGI framework in use, or other >>>> >> factors. >>>> >> >>>> >>> >>>> >>>> >>>> >>>> >>>> >>>> If there is still interest of placing quota in keystone, let's talk >>>> >>>> about >>>> >>>> how that will work and what will be needed from Keystone . The >>>> >>>> previous >>>> >>>> attempt didn't get much traction and stalled out early in >>>> >>>> implementation. If >>>> >>>> we want to revisit this lets make sure we have the resources needed >>>> >>>> and >>>> >>>> spec(s) in progress / info on etherpads (similar to how the >>>> >>>> multitenancy >>>> >>>> stuff was handled at the last summit) as early as possible. >>>> >>> >>>> >>> >>>> >>> Why not centralize quota management via the python-openstackclient, >>>> >>> what >>>> >>> is the benefit of getting keystone involved? >>>> >> >>>> >> >>>> >> Providing this through the openstack client in my opinion has the >>>> >> disadvantage that users which either use the REST API direct or write >>>> >> their >>>> >> own clients won't leverage it. I don't think it's a reasonable >>>> >> assumption >>>> >> that everybody will use python-openstackclient, is it? >>>> >> >>>> >> Said that, storing quotas in keystone poses a further challenge to the >>>> >> scalability of the system, which we shall perhaps address by using >>>> >> appropriate caching strategies and leveraging keystone notifications. >>>> >> Until >>>> >> we get that, I think that the openstack client will be the best way of >>>> >> getting a unified quota management experience. >>>> >> >>>> >> Salvatore >>>> >> >>>> >> >>>> >>>> >>>> >>>> Cheers, >>>> >>>> Morgan >>>> >>>> >>>> >>>> Sent via mobile >>>> >>>> >>>> >>>> >>>> >>>> On Friday, October 3, 2014, Salvatore Orlando <sorla...@nicira.com> >>>> >>>> wrote: >>>> >>>>> >>>> >>>>> Thanks Vish, >>>> >>>>> >>>> >>>>> this seems a very reasonable first step as well - and since most >>>> >>>>> projects would be enforcing quotas in the same way, the shared >>>> >>>>> library would >>>> >>>>> be the logical next step. >>>> >>>>> After all this is quite the same thing we do with authZ. >>>> >>>>> >>>> >>>>> Duncan is expressing valid concerns which in my opinion can be >>>> >>>>> addressed >>>> >>>>> with an appropriate design - and a decent implementation. >>>> >>>>> >>>> >>>>> Salvatore >>>> >>>>> >>>> >>>>> On 3 October 2014 18:25, Vishvananda Ishaya <vishvana...@gmail.com> >>>> >>>>> wrote: >>>> >>>>>> >>>> >>>>>> The proposal in the past was to keep quota enforcement local, but to >>>> >>>>>> put the resource limits into keystone. This seems like an obvious >>>> >>>>>> first >>>> >>>>>> step to me. Then a shared library for enforcing quotas with decent >>>> >>>>>> performance should be next. The quota calls in nova are extremely >>>> >>>>>> inefficient right now and it will only get worse when we try to add >>>> >>>>>> hierarchical projects and quotas. >>>> >>>>>> >>>> >>>>>> Vish >>>> >>>>>> >>>> >>>>>> On Oct 3, 2014, at 7:53 AM, Duncan Thomas <duncan.tho...@gmail.com> >>>> >>>>>> wrote: >>>> >>>>>> >>>> >>>>>>> Taking quota out of the service / adding remote calls for quota >>>> >>>>>>> management is going to make things fragile - you've somehow got to >>>> >>>>>>> deal with the cases where your quota manager is slow, goes away, >>>> >>>>>>> hiccups, drops connections etc. You'll also need some way of >>>> >>>>>>> reconciling actual usage against quota usage periodically, to >>>> >>>>>>> detect >>>> >>>>>>> problems. >>>> >>>>>>> >>>> >>>>>>> On 3 October 2014 15:03, Salvatore Orlando <sorla...@nicira.com> >>>> >>>>>>> wrote: >>>> >>>>>>>> Hi, >>>> >>>>>>>> >>>> >>>>>>>> Quota management is currently one of those things where every >>>> >>>>>>>> openstack >>>> >>>>>>>> project does its own thing. While quotas are obviously managed in >>>> >>>>>>>> a >>>> >>>>>>>> similar >>>> >>>>>>>> way for each project, there are subtle differences which >>>> >>>>>>>> ultimately >>>> >>>>>>>> result >>>> >>>>>>>> in lack of usability. >>>> >>>>>>>> >>>> >>>>>>>> I recall that in the past there have been several calls for >>>> >>>>>>>> unifying >>>> >>>>>>>> quota >>>> >>>>>>>> management. The blueprint [1] for instance, hints at the >>>> >>>>>>>> possibility >>>> >>>>>>>> of >>>> >>>>>>>> storing quotas in keystone. >>>> >>>>>>>> On the other hand, the blazar project [2, 3] seems to aim at >>>> >>>>>>>> solving >>>> >>>>>>>> this >>>> >>>>>>>> problem for good enabling resource reservation and therefore >>>> >>>>>>>> potentially >>>> >>>>>>>> freeing openstack projects from managing and enforcing quotas. >>>> >>>>>>>> >>>> >>>>>>>> While Blazar is definetely a good thing to have, I'm not entirely >>>> >>>>>>>> sure we >>>> >>>>>>>> want to make it a "required" component for every deployment. >>>> >>>>>>>> Perhaps >>>> >>>>>>>> single >>>> >>>>>>>> projects should still be able to enforce quota. On the other hand, >>>> >>>>>>>> at least >>>> >>>>>>>> on paper, the idea of making Keystone "THE" endpoint for managing >>>> >>>>>>>> quotas, >>>> >>>>>>>> and then letting the various project enforce them, sounds >>>> >>>>>>>> promising >>>> >>>>>>>> - is >>>> >>>>>>>> there any reason for which this blueprint is stalled to the point >>>> >>>>>>>> that it >>>> >>>>>>>> seems forgotten now? >>>> >>>>>>>> >>>> >>>>>>>> I'm coming to the mailing list with these random questions about >>>> >>>>>>>> quota >>>> >>>>>>>> management, for two reasons: >>>> >>>>>>>> 1) despite developing and using openstack on a daily basis I'm >>>> >>>>>>>> still >>>> >>>>>>>> confused by quotas >>>> >>>>>>>> 2) I've found a race condition in neutron quotas and the fix is >>>> >>>>>>>> not >>>> >>>>>>>> trivial. >>>> >>>>>>>> So, rather than start coding right away, it might probably make >>>> >>>>>>>> more >>>> >>>>>>>> sense >>>> >>>>>>>> to ask the community if there is already a known better approach >>>> >>>>>>>> to >>>> >>>>>>>> quota >>>> >>>>>>>> management - and obviously enforcement. >>>> >>>>>>>> >>>> >>>>>>>> Thanks in advance, >>>> >>>>>>>> Salvatore >>>> >>>>>>>> >>>> >>>>>>>> [1] >>>> >>>>>>>> https://blueprints.launchpad.net/keystone/+spec/service-metadata >>>> >>>>>>>> [2] https://wiki.openstack.org/wiki/Blazar >>>> >>>>>>>> [3] https://review.openstack.org/#/q/project:stackforge/blazar,n,z >>>> >>>>>>>> >>>> >>>>>>>> _______________________________________________ >>>> >>>>>>>> OpenStack-dev mailing list >>>> >>>>>>>> OpenStack-dev@lists.openstack.org >>>> >>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> -- >>>> >>>>>>> Duncan Thomas >>>> >>>>>>> >>>> >>>>>>> _______________________________________________ >>>> >>>>>>> OpenStack-dev mailing list >>>> >>>>>>> OpenStack-dev@lists.openstack.org >>>> >>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> _______________________________________________ >>>> >>>>>> OpenStack-dev mailing list >>>> >>>>>> OpenStack-dev@lists.openstack.org >>>> >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>>>> >>>> >>>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> >>>> OpenStack-dev mailing list >>>> >>>> OpenStack-dev@lists.openstack.org >>>> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>> >>>> >>> >>>> >>> >>>> >>> _______________________________________________ >>>> >>> OpenStack-dev mailing list >>>> >>> OpenStack-dev@lists.openstack.org >>>> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>> >>>> >> >>>> >> >>>> >> _______________________________________________ >>>> >> OpenStack-dev mailing list >>>> >> OpenStack-dev@lists.openstack.org >>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >> >>>> > >>>> > >>>> > >>>> > -- >>>> > Davanum Srinivas :: https://twitter.com/dims >>>> > >>>> > _______________________________________________ >>>> > OpenStack-dev mailing list >>>> > OpenStack-dev@lists.openstack.org >>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>> >>>> _______________________________________________ >>>> OpenStack-dev mailing list >>>> OpenStack-dev@lists.openstack.org >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>> _______________________________________________ >>>> OpenStack-dev mailing list >>>> OpenStack-dev@lists.openstack.org >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >>> _______________________________________________ >>> OpenStack-dev mailing list >>> OpenStack-dev@lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >>> >>> _______________________________________________ >>> OpenStack-dev mailing list >>> OpenStack-dev@lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >>> >>> >>> -- >>> Kind Regards >>> Valeriy Ponomaryov >>> www.mirantis.com >>> vponomar...@mirantis.com >>> >>> >>> >>> -- >>> Kind Regards >>> Valeriy Ponomaryov >>> www.mirantis.com >>> vponomar...@mirantis.com >>> _______________________________________________ >>> OpenStack-dev mailing list >>> OpenStack-dev@lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> _______________________________________________ >> OpenStack-dev mailing list >> OpenStack-dev@lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> _______________________________________________ >> OpenStack-dev mailing list >> OpenStack-dev@lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
