Set quota for octavia service project

The default quotas are often not sufficient for a side wide load balancing service. This will adjust them to some more reasonable values. The os_quota module of ansible assumes an installed block storage service so it is not suitable for our tests which don't install cinder. Therefore we are using the openstack client straight. Change-Id: If85cc3862b9316d9bf43e025bfaab8e1b7fd5576
2018-05-30 20:17:57 -07:00 · 2018-05-30 20:17:57 -07:00 · 3d0dfb706c
commit 3d0dfb706c
parent 14d5186079
3 changed files with 42 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -442,6 +442,16 @@ octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
 octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
 octavia_signing_digest: sha256

+# Quotas for the Octavia user - assuming active/passive topology
+octavia_num_instances: 10000 # 5000 LB in active/passive
+octavia_ram: "{{ octavia_num_instances*1024 }}"
+octavia_num_server_groups: "{{ (octavia_num_instances*0.5)|int|abs }}"
+octavia_num_server_group_members: 50
+octavia_num_cores: "{{ octavia_num_instances }}"
+octavia_num_secgroups: "{{ octavia_num_instances*1.5|int|abs}}" # average 3 listener per lb
+octavia_num_ports: "{{ octavia_num_instances*10 }}" # at least instances * 10
+octavia_num_security_group_rules: 100
+
 ## Tunable overrides
 octavia_octavia_conf_overrides: {}
 octavia_api_paste_ini_overrides: {}
--- a/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
+++ b/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Octavia is creating vms, securitygroups, and other things in its
+    project. In most cases the default quotas are not big enough. This
+    will adjust them to (configurable) reasonable values.
+security:
+  - |
+    Avoid setting the quotas too high for your cloud since this can
+    impact the performance of other servcies and lead to a potential
+    Denial-of-Service attack if Loadbalancer quotas are not set
+    properly or RBAC is not properly set up.
--- a/tasks/octavia_security_group.yml
+++ b/tasks/octavia_security_group.yml
@ -24,6 +24,26 @@
    ansible_python_interpreter: >-
      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
  block:
+    - name: Setup the service project quota
+      # The os_quota module has a bug that it always requires a
+      # configured cinder service to work, so we use the CLI instead.
+      # TODO(_xgerman):
+      # Use the os_quota module once the issue is resolved.
+      shell: >-
+        openstack quota set
+        --os-cloud default
+        --cores {{ octavia_num_cores }}
+        --instances {{ octavia_num_instances }}
+        --ram {{ octavia_ram }}
+        --server-groups {{ octavia_num_server_groups }}
+        --server-group-members {{ octavia_num_server_group_members }}
+        --secgroups {{ octavia_num_secgroups }}
+        --ports {{ octavia_num_ports }}
+        --secgroup-rules {{ octavia_num_secgroups }}
+        {{ octavia_service_project_name }}
+      tags:
+        - skip_ansible_lint
+
    - name: Create Octavia security group
      os_security_group:
        auth: