Merge "Set quota for octavia service project"

2018-08-20 19:20:34 +00:00 · 2018-08-20 19:20:34 +00:00 · b686871752
commit b686871752
parent f431b2262d 3d0dfb706c
3 changed files with 42 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -442,6 +442,16 @@ octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
 octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
 octavia_signing_digest: sha256

+# Quotas for the Octavia user - assuming active/passive topology
+octavia_num_instances: 10000 # 5000 LB in active/passive
+octavia_ram: "{{ octavia_num_instances*1024 }}"
+octavia_num_server_groups: "{{ (octavia_num_instances*0.5)|int|abs }}"
+octavia_num_server_group_members: 50
+octavia_num_cores: "{{ octavia_num_instances }}"
+octavia_num_secgroups: "{{ octavia_num_instances*1.5|int|abs}}" # average 3 listener per lb
+octavia_num_ports: "{{ octavia_num_instances*10 }}" # at least instances * 10
+octavia_num_security_group_rules: 100
+
 ## Tunable overrides
 octavia_octavia_conf_overrides: {}
 octavia_api_paste_ini_overrides: {}
--- a/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
+++ b/releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Octavia is creating vms, securitygroups, and other things in its
+    project. In most cases the default quotas are not big enough. This
+    will adjust them to (configurable) reasonable values.
+security:
+  - |
+    Avoid setting the quotas too high for your cloud since this can
+    impact the performance of other servcies and lead to a potential
+    Denial-of-Service attack if Loadbalancer quotas are not set
+    properly or RBAC is not properly set up.
--- a/tasks/octavia_security_group.yml
+++ b/tasks/octavia_security_group.yml
@ -24,6 +24,26 @@
    ansible_python_interpreter: >-
      {{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
  block:
+    - name: Setup the service project quota
+      # The os_quota module has a bug that it always requires a
+      # configured cinder service to work, so we use the CLI instead.
+      # TODO(_xgerman):
+      # Use the os_quota module once the issue is resolved.
+      shell: >-
+        openstack quota set
+        --os-cloud default
+        --cores {{ octavia_num_cores }}
+        --instances {{ octavia_num_instances }}
+        --ram {{ octavia_ram }}
+        --server-groups {{ octavia_num_server_groups }}
+        --server-group-members {{ octavia_num_server_group_members }}
+        --secgroups {{ octavia_num_secgroups }}
+        --ports {{ octavia_num_ports }}
+        --secgroup-rules {{ octavia_num_secgroups }}
+        {{ octavia_service_project_name }}
+      tags:
+        - skip_ansible_lint
+
    - name: Create Octavia security group
      os_security_group:
        auth: