[Users] Quota for VMs created from templates

Tue Oct 8 14:56:54 UTC 2013

Hi all, 

After investigating it a bit, I've found several bugs in that area :-P
the most significant one is not checking whether the assigned quota can be consumed by the user, 
as you mentioned.

I've proposed a fix for it: http://gerrit.ovirt.org/19994

@Mitja, I really appreciate your effort and time :-)

Thanks, 
Gilad.

----- Original Message -----
> From: "Doron Fediuck" <dfediuck at redhat.com>
> To: "Einav Cohen" <ecohen at redhat.com>
> Cc: "Gilad Chaplik" <gchaplik at redhat.com>, users at ovirt.org
> Sent: Monday, October 7, 2013 3:19:52 PM
> Subject: Re: [Users] Quota for VMs created from templates
> 
> 
> 
> ----- Original Message -----
> > From: "Einav Cohen" <ecohen at redhat.com>
> > To: "Gilad Chaplik" <gchaplik at redhat.com>
> > Cc: users at ovirt.org
> > Sent: Monday, October 7, 2013 2:39:29 PM
> > Subject: Re: [Users] Quota for VMs created from templates
> > 
> > > ----- Original Message -----
> > > From: "Gilad Chaplik" <gchaplik at redhat.com>
> > > Sent: Sunday, October 6, 2013 5:30:54 AM
> > > 
> > > Einav, Thanks for the questions, see inline.
> > > 
> > > > 
> > > > @Gilad:
> > > > 
> > > > 1. Does the 'VmCreator' Role contain the 'consume-quota' action? so
> > > > when
> > > > granting "VmCreator"
> > > > on Data Center "DC1" to user "User1", "User1" can automatically consume
> > > > any
> > > > quota defined
> > > > in "DC1" (including, for example, "TemplateQuota", in Mitja's case)?
> > > 
> > > No, only SuperUser and DataCenterAdmin roles contains consume_quota
> > > action.
> > > 
> > > > 
> > > > 2. Related to both your previous reply and my previous reply: Can a
> > > > user
> > > > associate a CPU/RAM
> > > > Quota to a VM that he is now *creating*, even if he doesn't have
> > > > consume-quota permissions
> > > > on that CPU/RAM Quota? In Mitja's case, he attempted to create a VM
> > > > associated with both
> > > > "TemplateQuota" and "UserQuota", while the user (maybe - depends on
> > > > answer
> > > > to
> > > > 1) didn't
> > > > have permission to consume "TemplateQuota", and the VM creation
> > > > succeeded.
> > > > Is
> > > > that OK?
> > > 
> > > Yes, you should be able to assign a VM to a CPU/RAM quota, without
> > > being a consumer of that quota, the check is done only when running the
> > > VM
> > > (when the resources are consumed).
> > 
> > so let's say that user 'a' has permissions to consume the quota and user
> > 'b'
> > doesn't have permissions to consume that quota, but both 'a' and 'b' have
> > permissions to run the VM. only 'a' will succeed running the VM?
> > so if I am a team leader (power user) and I want to create VMs to be used
> > by
> > my team members ('simple' users), I have to grant them permissions on the
> > VM,
> > as well as permissions to consume the relevant CPU/RAM quota?...
> > 
> 
> Generally speaking yes, but let's clarify it for the rest of the readers;
> There are 2 different cases here-
> 
> 1. An admin creates everything, including a template using template-quota.
> In this case users will create VMs for themselves in the power user portal
> and should have VMCreator and consumption right only to the user-quota.
> So during creation the template-quota should disappear as the user does not
> have any rights for it.
> 
> 2. Admin creates template using template-quota and a user quota.
> In this case helpdesk or team-leader have vm-creator, plus a permission
> on the user-quota, and also a consumption right on the user quota.
> In this case the helpdesk / team-leader can create a VM for a user,
> using the user-quota and assign permission for the relevant user / group
> on the newly created VMs.
> 
> 2 things worth mentioning here:
> - Disk quota is being consumed during VM creation (and snapshotting, copy,
> etc).
> - RAM/CPU quota is being consumed only when the VM is running.
> 
> > > 
> > > There is a difference between User and Admin Portal: in User portal quota
> > > list is being
> > > populated by quota that can be consumed by the user, so leaving the quota
> > > unchanged will selected an appropriate
> > > quota; also while creating a VM, disk's quota is set in 'Resource
> > > Allocation'
> > > tab (see image).
> > > 
> > > @Mitja,
> > > 
> > > Please check which quota(s) are assigned to VM while consuming the
> > > resources,
> > > and who is the user performing the task.
> > > 
> > > > 
> > > > [if the answer to both questions is "no", there is a chance that Mitja
> > > > discovered a bug]
> > > > 
> > > > ----
> > > > Thanks,
> > > > Einav
> > > > 
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Mitja Mihelič" <mitja.mihelic at arnes.si>
> > > > > To: "Einav Cohen" <ecohen at redhat.com>
> > > > > Cc: users at ovirt.org
> > > > > Sent: Friday, October 4, 2013 8:14:10 AM
> > > > > Subject: Re: [Users] Quota for VMs created from templates
> > > > > 
> > > > > In addition to the described setup:
> > > > > The user was also given a permission on the data center with the role
> > > > > VmCreator.
> > > > > The user is not listed as a consumer of TemplateQuota, but they have
> > > > > an
> > > > > inherited role VmCreator in the permissions tab.
> > > > > Could this permission be the reason the user can create and run VMs
> > > > > that
> > > > > are associated with TemplateQuota?
> > > > > 
> > > > > Regards,
> > > > > Mitja
> > > > > 
> > > > > --
> > > > > Mitja Mihelič
> > > > > ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> > > > > tel: +386 1 479 8877, fax: +386 1 479 88 78
> > > > > 
> > > > > On 10/03/2013 05:06 PM, Einav Cohen wrote:
> > > > > > AFAIK, a user cannot create a VM that is associated with one (or
> > > > > > more)
> > > > > > quota objects on which he doesn't
> > > > > > have consumer permissions.
> > > > > > i.e. if the VM was created successfully by the user, and this VM is
> > > > > > associated with TemplateQuota, and
> > > > > > with the quota that has been created for the user (let's call it
> > > > > > UserQuota), it means that the user has
> > > > > > consumer permissions on both TemplateQuota and UserQuota.
> > > > > > If the user doesn't have permissions on one of these Quota objects
> > > > > > -
> > > > > > the
> > > > > > fact that the VM has been created
> > > > > > successfully sounds like a bug to me.
> > > > > >
> > > > > > ----
> > > > > > Thanks,
> > > > > > Einav
> > > > > >
> > > > > > ----- Original Message -----
> > > > > >> From: "Mitja Mihelič" <mitja.mihelic at arnes.si>
> > > > > >> To: users at ovirt.org
> > > > > >> Sent: Thursday, October 3, 2013 9:59:06 AM
> > > > > >> Subject: [Users] Quota for VMs created from templates
> > > > > >>
> > > > > >> Hi!
> > > > > >>
> > > > > >> We are running engine version 3.3.0 on CentOS6 and we have come
> > > > > >> across
> > > > > >> a
> > > > > >> problem, possibly a bug.
> > > > > >> When a user creates a VM from a template, the template's quota is
> > > > > >> assigned to the VM.
> > > > > >>
> > > > > >> Here is the setup:
> > > > > >> - quota is set to Enforced on the data center
> > > > > >> - quota is created for template purposes (TemplateQuota)
> > > > > >> - a template is created from a sealed VM with TemplateQuota
> > > > > >> assigned
> > > > > >> to
> > > > > >> it
> > > > > >> - quota is created for a user, the user is set as its consumer
> > > > > >> - the user creates a VM from the mentioned template and leaves the
> > > > > >> quota
> > > > > >> unchanged
> > > > > >> - the created VM consumes the user's storage quota but does not
> > > > > >> consume
> > > > > >> their memory and CPU quota
> > > > > >>
> > > > > >> This way a user can create and run an arbitrary number of VMs as
> > > > > >> long
> > > > > >> they stay within their storage quota.
> > > > > >> No errors are reported in the logs.
> > > > > >>
> > > > > >> Kind regards,
> > > > > >> Mitja Mihelic
> > > > > >>
> > > > > >> --
> > > > > >> --
> > > > > >> Mitja Mihelič
> > > > > >> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> > > > > >> tel: +386 1 479 8877, fax: +386 1 479 88 78
> > > > > >>
> 