Re: [Users] Quota for VMs created from templates

From: "Einav Cohen" <ecohen(a)redhat.com&gt; To: "Gilad Chaplik" <gchaplik(a)redhat.com&gt; Cc: users(a)ovirt.org Sent: Monday, October 7, 2013 2:39:29 PM Subject: Re: [Users] Quota for VMs created from templates > ----- Original Message ----- > From: "Gilad Chaplik" <gchaplik(a)redhat.com&gt; > Sent: Sunday, October 6, 2013 5:30:54 AM > > Einav, Thanks for the questions, see inline. > > > > > @Gilad: > > > > 1. Does the 'VmCreator' Role contain the 'consume-quota' action? so when > > granting "VmCreator" > > on Data Center "DC1" to user "User1", "User1" can automatically consume > > any > > quota defined > > in "DC1" (including, for example, "TemplateQuota", in Mitja's case)? > > No, only SuperUser and DataCenterAdmin roles contains consume_quota action. > > > > > 2. Related to both your previous reply and my previous reply: Can a user > > associate a CPU/RAM > > Quota to a VM that he is now *creating*, even if he doesn't have > > consume-quota permissions > > on that CPU/RAM Quota? In Mitja's case, he attempted to create a VM > > associated with both > > "TemplateQuota" and "UserQuota", while the user (maybe - depends on > > answer > > to > > 1) didn't > > have permission to consume "TemplateQuota", and the VM creation > > succeeded. > > Is > > that OK? > > Yes, you should be able to assign a VM to a CPU/RAM quota, without > being a consumer of that quota, the check is done only when running the VM > (when the resources are consumed). so let's say that user 'a' has permissions to consume the quota and user 'b' doesn't have permissions to consume that quota, but both 'a' and 'b' have permissions to run the VM. only 'a' will succeed running the VM? so if I am a team leader (power user) and I want to create VMs to be used by my team members ('simple' users), I have to grant them permissions on the VM, as well as permissions to consume the relevant CPU/RAM quota?...

> > There is a difference between User and Admin Portal: in User portal quota > list is being > populated by quota that can be consumed by the user, so leaving the quota > unchanged will selected an appropriate > quota; also while creating a VM, disk's quota is set in 'Resource > Allocation' > tab (see image). > > @Mitja, > > Please check which quota(s) are assigned to VM while consuming the > resources, > and who is the user performing the task. > > > > > [if the answer to both questions is "no", there is a chance that Mitja > > discovered a bug] > > > > ---- > > Thanks, > > Einav > > > > > > ----- Original Message ----- > > > From: "Mitja Mihelič" <mitja.mihelic(a)arnes.si&gt; > > > To: "Einav Cohen" <ecohen(a)redhat.com&gt; > > > Cc: users(a)ovirt.org > > > Sent: Friday, October 4, 2013 8:14:10 AM > > > Subject: Re: [Users] Quota for VMs created from templates > > > > > > In addition to the described setup: > > > The user was also given a permission on the data center with the role > > > VmCreator. > > > The user is not listed as a consumer of TemplateQuota, but they have an > > > inherited role VmCreator in the permissions tab. > > > Could this permission be the reason the user can create and run VMs > > > that > > > are associated with TemplateQuota? > > > > > > Regards, > > > Mitja > > > > > > -- > > > Mitja Mihelič > > > ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia > > > tel: +386 1 479 8877, fax: +386 1 479 88 78 > > > > > > On 10/03/2013 05:06 PM, Einav Cohen wrote: > > > > AFAIK, a user cannot create a VM that is associated with one (or > > > > more) > > > > quota objects on which he doesn't > > > > have consumer permissions. > > > > i.e. if the VM was created successfully by the user, and this VM is > > > > associated with TemplateQuota, and > > > > with the quota that has been created for the user (let's call it > > > > UserQuota), it means that the user has > > > > consumer permissions on both TemplateQuota and UserQuota. > > > > If the user doesn't have permissions on one of these Quota objects - > > > > the > > > > fact that the VM has been created > > > > successfully sounds like a bug to me. > > > > > > > > ---- > > > > Thanks, > > > > Einav > > > > > > > > ----- Original Message ----- > > > >> From: "Mitja Mihelič" <mitja.mihelic(a)arnes.si&gt; > > > >> To: users(a)ovirt.org > > > >> Sent: Thursday, October 3, 2013 9:59:06 AM > > > >> Subject: [Users] Quota for VMs created from templates > > > >> > > > >> Hi! > > > >> > > > >> We are running engine version 3.3.0 on CentOS6 and we have come > > > >> across > > > >> a > > > >> problem, possibly a bug. > > > >> When a user creates a VM from a template, the template's quota is > > > >> assigned to the VM. > > > >> > > > >> Here is the setup: > > > >> - quota is set to Enforced on the data center > > > >> - quota is created for template purposes (TemplateQuota) > > > >> - a template is created from a sealed VM with TemplateQuota assigned > > > >> to > > > >> it > > > >> - quota is created for a user, the user is set as its consumer > > > >> - the user creates a VM from the mentioned template and leaves the > > > >> quota > > > >> unchanged > > > >> - the created VM consumes the user's storage quota but does not > > > >> consume > > > >> their memory and CPU quota > > > >> > > > >> This way a user can create and run an arbitrary number of VMs as > > > >> long > > > >> they stay within their storage quota. > > > >> No errors are reported in the logs. > > > >> > > > >> Kind regards, > > > >> Mitja Mihelic > > > >> > > > >> -- > > > >> -- > > > >> Mitja Mihelič > > > >> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia > > > >> tel: +386 1 479 8877, fax: +386 1 479 88 78 > > > >>