[Users] Quota for VMs created from templates

Mon Oct 7 12:19:52 UTC 2013

----- Original Message -----
> From: "Einav Cohen" <ecohen at redhat.com>
> To: "Gilad Chaplik" <gchaplik at redhat.com>
> Cc: users at ovirt.org
> Sent: Monday, October 7, 2013 2:39:29 PM
> Subject: Re: [Users] Quota for VMs created from templates
> 
> > ----- Original Message -----
> > From: "Gilad Chaplik" <gchaplik at redhat.com>
> > Sent: Sunday, October 6, 2013 5:30:54 AM
> > 
> > Einav, Thanks for the questions, see inline.
> > 
> > > 
> > > @Gilad:
> > > 
> > > 1. Does the 'VmCreator' Role contain the 'consume-quota' action? so when
> > > granting "VmCreator"
> > > on Data Center "DC1" to user "User1", "User1" can automatically consume
> > > any
> > > quota defined
> > > in "DC1" (including, for example, "TemplateQuota", in Mitja's case)?
> > 
> > No, only SuperUser and DataCenterAdmin roles contains consume_quota action.
> > 
> > > 
> > > 2. Related to both your previous reply and my previous reply: Can a user
> > > associate a CPU/RAM
> > > Quota to a VM that he is now *creating*, even if he doesn't have
> > > consume-quota permissions
> > > on that CPU/RAM Quota? In Mitja's case, he attempted to create a VM
> > > associated with both
> > > "TemplateQuota" and "UserQuota", while the user (maybe - depends on
> > > answer
> > > to
> > > 1) didn't
> > > have permission to consume "TemplateQuota", and the VM creation
> > > succeeded.
> > > Is
> > > that OK?
> > 
> > Yes, you should be able to assign a VM to a CPU/RAM quota, without
> > being a consumer of that quota, the check is done only when running the VM
> > (when the resources are consumed).
> 
> so let's say that user 'a' has permissions to consume the quota and user 'b'
> doesn't have permissions to consume that quota, but both 'a' and 'b' have
> permissions to run the VM. only 'a' will succeed running the VM?
> so if I am a team leader (power user) and I want to create VMs to be used by
> my team members ('simple' users), I have to grant them permissions on the VM,
> as well as permissions to consume the relevant CPU/RAM quota?...
> 

Generally speaking yes, but let's clarify it for the rest of the readers;
There are 2 different cases here-

1. An admin creates everything, including a template using template-quota.
In this case users will create VMs for themselves in the power user portal
and should have VMCreator and consumption right only to the user-quota.
So during creation the template-quota should disappear as the user does not
have any rights for it.

2. Admin creates template using template-quota and a user quota. 
In this case helpdesk or team-leader have vm-creator, plus a permission
on the user-quota, and also a consumption right on the user quota.
In this case the helpdesk / team-leader can create a VM for a user,
using the user-quota and assign permission for the relevant user / group
on the newly created VMs.

2 things worth mentioning here:
- Disk quota is being consumed during VM creation (and snapshotting, copy, etc).
- RAM/CPU quota is being consumed only when the VM is running.

> > 
> > There is a difference between User and Admin Portal: in User portal quota
> > list is being
> > populated by quota that can be consumed by the user, so leaving the quota
> > unchanged will selected an appropriate
> > quota; also while creating a VM, disk's quota is set in 'Resource
> > Allocation'
> > tab (see image).
> > 
> > @Mitja,
> > 
> > Please check which quota(s) are assigned to VM while consuming the
> > resources,
> > and who is the user performing the task.
> > 
> > > 
> > > [if the answer to both questions is "no", there is a chance that Mitja
> > > discovered a bug]
> > > 
> > > ----
> > > Thanks,
> > > Einav
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Mitja Mihelič" <mitja.mihelic at arnes.si>
> > > > To: "Einav Cohen" <ecohen at redhat.com>
> > > > Cc: users at ovirt.org
> > > > Sent: Friday, October 4, 2013 8:14:10 AM
> > > > Subject: Re: [Users] Quota for VMs created from templates
> > > > 
> > > > In addition to the described setup:
> > > > The user was also given a permission on the data center with the role
> > > > VmCreator.
> > > > The user is not listed as a consumer of TemplateQuota, but they have an
> > > > inherited role VmCreator in the permissions tab.
> > > > Could this permission be the reason the user can create and run VMs
> > > > that
> > > > are associated with TemplateQuota?
> > > > 
> > > > Regards,
> > > > Mitja
> > > > 
> > > > --
> > > > Mitja Mihelič
> > > > ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> > > > tel: +386 1 479 8877, fax: +386 1 479 88 78
> > > > 
> > > > On 10/03/2013 05:06 PM, Einav Cohen wrote:
> > > > > AFAIK, a user cannot create a VM that is associated with one (or
> > > > > more)
> > > > > quota objects on which he doesn't
> > > > > have consumer permissions.
> > > > > i.e. if the VM was created successfully by the user, and this VM is
> > > > > associated with TemplateQuota, and
> > > > > with the quota that has been created for the user (let's call it
> > > > > UserQuota), it means that the user has
> > > > > consumer permissions on both TemplateQuota and UserQuota.
> > > > > If the user doesn't have permissions on one of these Quota objects -
> > > > > the
> > > > > fact that the VM has been created
> > > > > successfully sounds like a bug to me.
> > > > >
> > > > > ----
> > > > > Thanks,
> > > > > Einav
> > > > >
> > > > > ----- Original Message -----
> > > > >> From: "Mitja Mihelič" <mitja.mihelic at arnes.si>
> > > > >> To: users at ovirt.org
> > > > >> Sent: Thursday, October 3, 2013 9:59:06 AM
> > > > >> Subject: [Users] Quota for VMs created from templates
> > > > >>
> > > > >> Hi!
> > > > >>
> > > > >> We are running engine version 3.3.0 on CentOS6 and we have come
> > > > >> across
> > > > >> a
> > > > >> problem, possibly a bug.
> > > > >> When a user creates a VM from a template, the template's quota is
> > > > >> assigned to the VM.
> > > > >>
> > > > >> Here is the setup:
> > > > >> - quota is set to Enforced on the data center
> > > > >> - quota is created for template purposes (TemplateQuota)
> > > > >> - a template is created from a sealed VM with TemplateQuota assigned
> > > > >> to
> > > > >> it
> > > > >> - quota is created for a user, the user is set as its consumer
> > > > >> - the user creates a VM from the mentioned template and leaves the
> > > > >> quota
> > > > >> unchanged
> > > > >> - the created VM consumes the user's storage quota but does not
> > > > >> consume
> > > > >> their memory and CPU quota
> > > > >>
> > > > >> This way a user can create and run an arbitrary number of VMs as
> > > > >> long
> > > > >> they stay within their storage quota.
> > > > >> No errors are reported in the logs.
> > > > >>
> > > > >> Kind regards,
> > > > >> Mitja Mihelic
> > > > >>
> > > > >> --
> > > > >> --
> > > > >> Mitja Mihelič
> > > > >> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> > > > >> tel: +386 1 479 8877, fax: +386 1 479 88 78
> > > > >>