Merge "Set quota for octavia service project"
commit
b686871752
@ -442,6 +442,16 @@ octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
|
|||||||
octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
|
octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
|
||||||
octavia_signing_digest: sha256
|
octavia_signing_digest: sha256
|
||||||
|
|
||||||
|
# Quotas for the Octavia user - assuming active/passive topology
|
||||||
|
octavia_num_instances: 10000 # 5000 LB in active/passive
|
||||||
|
octavia_ram: "{{ octavia_num_instances*1024 }}"
|
||||||
|
octavia_num_server_groups: "{{ (octavia_num_instances*0.5)|int|abs }}"
|
||||||
|
octavia_num_server_group_members: 50
|
||||||
|
octavia_num_cores: "{{ octavia_num_instances }}"
|
||||||
|
octavia_num_secgroups: "{{ octavia_num_instances*1.5|int|abs}}" # average 3 listener per lb
|
||||||
|
octavia_num_ports: "{{ octavia_num_instances*10 }}" # at least instances * 10
|
||||||
|
octavia_num_security_group_rules: 100
|
||||||
|
|
||||||
## Tunable overrides
|
## Tunable overrides
|
||||||
octavia_octavia_conf_overrides: {}
|
octavia_octavia_conf_overrides: {}
|
||||||
octavia_api_paste_ini_overrides: {}
|
octavia_api_paste_ini_overrides: {}
|
||||||
|
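Review bot: The `octavia_num_secgroups` default does not compute what its comment describes. In Jinja2 a filter binds tighter than `*`, so `octavia_num_instances*1.5|int|abs` evaluates `1.5|int` first and the result is `octavia_num_instances*1`, i.e. 10000 rather than the intended 15000. The `octavia_num_server_groups` line above it parenthesises the product and is correct; the same form is needed here: `octavia_num_secgroups: "{{ (octavia_num_instances*1.5)|int|abs }}"`. Because these values become the quota ceiling of the service project, it would also help to add a comment such as `# size against real cloud capacity; every value below scales with octavia_num_instances`.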
12
releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
Normal file
12
releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Octavia is creating vms, securitygroups, and other things in its
|
||||||
|
project. In most cases the default quotas are not big enough. This
|
||||||
|
will adjust them to (configurable) reasonable values.
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Avoid setting the quotas too high for your cloud since this can
|
||||||
|
impact the performance of other servcies and lead to a potential
|
||||||
|
Denial-of-Service attack if Loadbalancer quotas are not set
|
||||||
|
properly or RBAC is not properly set up.
|
@ -24,6 +24,26 @@
|
|||||||
ansible_python_interpreter: >-
|
ansible_python_interpreter: >-
|
||||||
{{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
|
{{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
|
||||||
block:
|
block:
|
||||||
|
- name: Setup the service project quota
|
||||||
|
# The os_quota module has a bug that it always requires a
|
||||||
|
# configured cinder service to work, so we use the CLI instead.
|
||||||
|
# TODO(_xgerman):
|
||||||
|
# Use the os_quota module once the issue is resolved.
|
||||||
|
shell: >-
|
||||||
|
openstack quota set
|
||||||
|
--os-cloud default
|
||||||
|
--cores {{ octavia_num_cores }}
|
||||||
|
--instances {{ octavia_num_instances }}
|
||||||
|
--ram {{ octavia_ram }}
|
||||||
|
--server-groups {{ octavia_num_server_groups }}
|
||||||
|
--server-group-members {{ octavia_num_server_group_members }}
|
||||||
|
--secgroups {{ octavia_num_secgroups }}
|
||||||
|
--ports {{ octavia_num_ports }}
|
||||||
|
--secgroup-rules {{ octavia_num_secgroups }}
|
||||||
|
{{ octavia_service_project_name }}
|
||||||
|
tags:
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
- name: Create Octavia security group
|
- name: Create Octavia security group
|
||||||
os_security_group:
|
os_security_group:
|
||||||
auth:
|
auth:
|
||||||
|
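Review bot: The `--secgroup-rules` argument is filled from `octavia_num_secgroups`, so the rule quota follows the security-group count, and the `octavia_num_security_group_rules` default added by this same commit is not referenced anywhere in the visible task. The line should presumably read `--secgroup-rules {{ octavia_num_security_group_rules }}`. Separately, the task uses `shell:` although the command line needs no shell features; `command:` with the same folded scalar would keep the templated values from being interpreted by a shell, and may make the `skip_ansible_lint` tag unnecessary. The enclosing `block:` continues past the end of the hunk.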