Hi all,
After investigating it a bit, I've found several bugs in that area :-P
The most significant one is not checking whether the assigned quota can be consumed by the user, as you mentioned.
I've proposed a fix for it:
http://gerrit.ovirt.org/19994
@Mitja, I really appreciate your effort and time :-)
Thanks,
Gilad.
----- Original Message -----
From: "Doron Fediuck" <dfediuck(a)redhat.com>
To: "Einav Cohen" <ecohen(a)redhat.com>
Cc: "Gilad Chaplik" <gchaplik(a)redhat.com>, users(a)ovirt.org
Sent: Monday, October 7, 2013 3:19:52 PM
Subject: Re: [Users] Quota for VMs created from templates
----- Original Message -----
> From: "Einav Cohen" <ecohen(a)redhat.com>
> To: "Gilad Chaplik" <gchaplik(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Monday, October 7, 2013 2:39:29 PM
> Subject: Re: [Users] Quota for VMs created from templates
>
> > ----- Original Message -----
> > From: "Gilad Chaplik" <gchaplik(a)redhat.com>
> > Sent: Sunday, October 6, 2013 5:30:54 AM
> >
> > Einav, Thanks for the questions, see inline.
> >
> > >
> > > @Gilad:
> > >
> > > 1. Does the 'VmCreator' Role contain the 'consume-quota' action? so when
> > > granting "VmCreator" on Data Center "DC1" to user "User1", "User1" can
> > > automatically consume any quota defined in "DC1" (including, for example,
> > > "TemplateQuota", in Mitja's case)?
> >
> > No, only SuperUser and DataCenterAdmin roles contain consume_quota
> > action.
> >
> > >
> > > 2. Related to both your previous reply and my previous reply: Can a user
> > > associate a CPU/RAM Quota to a VM that he is now *creating*, even if he
> > > doesn't have consume-quota permissions on that CPU/RAM Quota? In Mitja's
> > > case, he attempted to create a VM associated with both "TemplateQuota"
> > > and "UserQuota", while the user (maybe - depends on answer to 1) didn't
> > > have permission to consume "TemplateQuota", and the VM creation
> > > succeeded. Is that OK?
> >
> > Yes, you should be able to assign a VM to a CPU/RAM quota, without
> > being a consumer of that quota, the check is done only when running the
> > VM (when the resources are consumed).
>
> so let's say that user 'a' has permissions to consume the quota and user 'b'
> doesn't have permissions to consume that quota, but both 'a' and 'b' have
> permissions to run the VM. only 'a' will succeed running the VM?
> so if I am a team leader (power user) and I want to create VMs to be used by
> my team members ('simple' users), I have to grant them permissions on the VM,
> as well as permissions to consume the relevant CPU/RAM quota?...
>
Generally speaking yes, but let's clarify it for the rest of the readers;
There are 2 different cases here-
1. An admin creates everything, including a template using template-quota.
In this case users will create VMs for themselves in the power user portal
and should have VMCreator and consumption right only to the user-quota.
So during creation the template-quota should disappear as the user does not
have any rights for it.
2. Admin creates template using template-quota and a user quota.
In this case helpdesk or team-leader have vm-creator, plus a permission
on the user-quota, and also a consumption right on the user quota.
In this case the helpdesk / team-leader can create a VM for a user,
using the user-quota and assign permission for the relevant user / group
on the newly created VMs.
2 things worth mentioning here:
- Disk quota is being consumed during VM creation (and snapshotting, copy, etc).
- RAM/CPU quota is being consumed only when the VM is running.
> >
> > There is a difference between User and Admin Portal: in User portal quota
> > list is being populated by quota that can be consumed by the user, so
> > leaving the quota unchanged will select an appropriate quota; also while
> > creating a VM, disk's quota is set in 'Resource Allocation' tab (see image).
> >
> > @Mitja,
> >
> > Please check which quota(s) are assigned to VM while consuming the
> > resources, and who is the user performing the task.
> >
> > >
> > > [if the answer to both questions is "no", there is a chance that Mitja
> > > discovered a bug]
> > >
> > > ----
> > > Thanks,
> > > Einav
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Mitja Mihelič" <mitja.mihelic(a)arnes.si>
> > > > To: "Einav Cohen" <ecohen(a)redhat.com>
> > > > Cc: users(a)ovirt.org
> > > > Sent: Friday, October 4, 2013 8:14:10 AM
> > > > Subject: Re: [Users] Quota for VMs created from templates
> > > >
> > > > In addition to the described setup:
> > > > The user was also given a permission on the data center with the role
> > > > VmCreator.
> > > > The user is not listed as a consumer of TemplateQuota, but they have an
> > > > inherited role VmCreator in the permissions tab.
> > > > Could this permission be the reason the user can create and run VMs that
> > > > are associated with TemplateQuota?
> > > >
> > > > Regards,
> > > > Mitja
> > > >
> > > > --
> > > > Mitja Mihelič
> > > > ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> > > > tel: +386 1 479 8877, fax: +386 1 479 88 78
> > > >
> > > > On 10/03/2013 05:06 PM, Einav Cohen wrote:
> > > > > > AFAIK, a user cannot create a VM that is associated with one (or more)
> > > > > > quota objects on which he doesn't have consumer permissions.
> > > > > > i.e. if the VM was created successfully by the user, and this VM is
> > > > > > associated with TemplateQuota, and with the quota that has been created
> > > > > > for the user (let's call it UserQuota), it means that the user has
> > > > > > consumer permissions on both TemplateQuota and UserQuota.
> > > > > > If the user doesn't have permissions on one of these Quota objects - the
> > > > > > fact that the VM has been created successfully sounds like a bug to me.
> > > > >
> > > > > ----
> > > > > Thanks,
> > > > > Einav
> > > > >
> > > > > ----- Original Message -----
> > > > > >> From: "Mitja Mihelič" <mitja.mihelic(a)arnes.si>
> > > > >> To: users(a)ovirt.org
> > > > >> Sent: Thursday, October 3, 2013 9:59:06 AM
> > > > >> Subject: [Users] Quota for VMs created from templates
> > > > >>
> > > > >> Hi!
> > > > >>
> > > > > >> We are running engine version 3.3.0 on CentOS6 and we have come across a
> > > > > >> problem, possibly a bug.
> > > > > >> When a user creates a VM from a template, the template's quota is
> > > > > >> assigned to the VM.
> > > > > >>
> > > > > >> Here is the setup:
> > > > > >> - quota is set to Enforced on the data center
> > > > > >> - quota is created for template purposes (TemplateQuota)
> > > > > >> - a template is created from a sealed VM with TemplateQuota assigned to it
> > > > > >> - quota is created for a user, the user is set as its consumer
> > > > > >> - the user creates a VM from the mentioned template and leaves the quota
> > > > > >> unchanged
> > > > > >> - the created VM consumes the user's storage quota but does not consume
> > > > > >> their memory and CPU quota
> > > > > >>
> > > > > >> This way a user can create and run an arbitrary number of VMs as long as
> > > > > >> they stay within their storage quota.
> > > > > >> No errors are reported in the logs.
> > > > >>
> > > > >> Kind regards,
> > > > >> Mitja Mihelic
> > > > >>
> > > > >> --
> > > > >> --
> > > > >> Mitja Mihelič
> > > > >> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana,
Slovenia
> > > > >> tel: +386 1 479 8877, fax: +386 1 479 88 78
> > > > >>