Usage Quotas¶

The quota system tracks user and group usage of system resources, and allows the system administrator to set limits on the usage of these resources. Quota limits can be set for:

users, to individually limit the usage made by a given user.
groups, to limit the overall usage made by all the users in a given group. This can be of special interest for the OpenNebula Zones and Virtual Data Center (VDC) components.

Resource Limits¶

The quota system allows you to track and limit usage on:

Datastores, to control the amount of storage capacity allocated to each user/group for each datastore.
Compute, to limit the overall memory, cpu or VM instances.
Network, to limit the number of IPs a user/group can get from a given network. This is specially interesting for networks with public IPs, which usually are a limited resource.
Images, you can limit the how many VM instances from a given user/group are using a given image. You can take advantage of this quota when the image contains consumable resources (e.g. software licenses).

Defining User/Group Quotas¶

Usage quotas are set in the OpenNebula template syntax (either plain text or XML). The following tables summarizes the attributes to define a quota for each resource type.

Datastore Quotas¶

The attribute name is DATASTORE.

DATASTORE Attribute	Description
ID	ID of the Datastore to set the quota for
SIZE	Maximum size in MB that can be used in the datastore. It includes size of images and their snapshots.
IMAGES	Maximum number of images that can be created in the datastore

Compute Quotas¶

The attribute name is VM

VM Attribute	Description
VMS	Maximum number of VMs that can be created
MEMORY	Maximum memory in MB that can be requested by user/group VMs
CPU	Maximum CPU capacity that can be requested by user/group VMs
RUNNING VMS	Maximum number of VMs that can be running
RUNNING MEMORY	Maximum memory in MB that can be running by user/group VMs
RUNNING CPU	Maximum CPU capacity that can be running by user/group VMs
SYSTEM_DISK_SIZE	Maximum size (in MB) of system disks that can be requested by user/group VMs. It includes size of volatile and non-persistent disks (including disk snapshots) and VM snapshots (reduced by VM_SNAPSHOT_FACTOR).

The actual size accounted on the system and image datastores depends on the storage driver used. The behavior of the driver is described by the CLONE_TARGET and LN_TARGET attributes, see Transfer Driver configuration

Important

Running quotas will be increased or decreased depending on the state of the Virtual Machine. The states in which the machine is counted as “Running” are ACTIVE , HOLD, PENDING and CLONING.

Generic Quotas¶

Administrators have the capability to expand Compute Quotas by introducing the QUOTA_VM_ATTRIBUTE into the OpenNebula configuration file. This attribute allows any numerical attribute from the Virtual Machine Template or User Template to serve as a generic quota.

As an example, one could categorize each VM template into a specific Quality of Service (QoS) category based on attributes like CPU and append a metric to denote this:

CPU    = 12
MEMORY = 4096

...

GOLD_QOS = 1

Subsequently, a quota can be enforced for a user, e.g. GOLD_QOS = 5, signifying that the user is restricted to a maximum of 5 VMs within the GOLD_QOS category. Administrators have the flexibility to determine which VMs fall under a category by utilizing any combination of VM attributes. Similarly, limitations can be set on the number of PCI passthrough GPUs by adding GPU = 1 to templates incorporating such devices…

Each generic quota is also automatically prefixed with RUNNING_. For instance, RUNNING_GOLD_QOS would specify the number of VMs in an ACTIVE state with the GOLD_QOS attribute. This allows the establishment of quotas specifically tailored for running VMs.

Additionally, it’s important to note that each generic quota defined via QUOTA_VM_ATTRIBUTE is automatically included in the VM_RESTRICTED_ATTR set. This inclusion prevents regular users from circumventing the quota system by altering the attributes related to these generic quotas.

Network Quotas¶

The attribute name is NETWORK.

NETWORK Attribute	Description
ID	ID of the Network to set the quota for
LEASES	Maximum IPs that can be leased from the Network

Image Quotas¶

The attribute name is IMAGE.

IMAGE Attribute	Description
ID	ID of the Image to set the quota for
RVMS	Maximum VMs that can used this image at the same time

Quota Limits and Usage¶

For each quota, there are two special limits:

-1 means that the default quota will be used
-2 means unlimited

Warning

Each quota has an usage counter associated named <QUOTA_NAME>_USED. For example MEMORY_USED means the total memory used by user/group VMs, and its associated quota is MEMORY.

The following template shows a quota example for a user in plain text. It limits the overall usage in Datastore 0 to 20Gb (for an unlimited number of images); the number of VMs that can be created to 4 with a maximum memory to 2G and 5 CPUs; the number of leases from network 1 to 4; and image 1 can only be used by 3 VMs at the same time:

DATASTORE=[
  ID="1",
  IMAGES="-2",
  SIZE="20480"
]

VM=[
  CPU="5",
  MEMORY="2048",
  VMS="4",
  SYSTEM_DISK_SIZE="-1"
]

NETWORK=[
  ID="1",
  LEASES="4"
]

IMAGE=[
  ID="1",
  RVMS="3"
]

IMAGE=[
  ID="2",
  RVMS="-2"
]

Warning

Note that whenever a network, image, datastore or VM is used the corresponding quota counters are created for the user with an unlimited value. This allows to track the usage of each user/group even when quotas are not used.

Setting User/Group Quotas¶

User/group quotas can be easily set up either through the command line interface or Sunstone. Note that you need MANAGE permissions to set a quota of user, and ADMIN permissions to set the quota of a group. In this way, by default, only oneadmin can set quotas for a group, but if you define a group manager she can set specific usage quotas for the users on her group (so distributing resources as required). You can always change this behavior setting the appropriate ACL rules.

To set the quota for a user, e.g. userA, just type:

oneuser quota userA

This will open an editor session to edit a quota template (with some tips about the syntax).

Warning

Usage metrics are included for information purposes (e.g. CPU_USED, MEMORY_USED, LEASES_USED…) you cannot modify them

Warning

You can add as many resource quotas as needed even if they have not been automatically initialized.

Similarly, you can set the quotas for group A with:

onegroup quota groupA

There is a batchquota command that allows you to set the same quotas for several users or groups:

oneuser batchquota userA,userB,35
onegroup batchquota 100..104

Setting Default Quotas¶

There are two default quota limit templates, one for users and another for groups. This template applies to all users/groups, unless they have an individual limit set.

Use the oneuser/onegroup defaultquota command.

oneuser defaultquota

By default, the defaultquota is set to unlimited. Once the editor opens after issuing oneuser defaultquota you’ll see comments regarding how to set the quotas and no quota template. Setting a quota with a template using unlimited values will translate to a blank quota. If you issue oneuser defaultquota again, you’ll see the same comments with blank quota. If you set a non unlimited quota, you’ll see the value of the quota that is established as default.

Checking User/Group Quotas¶

Quota limits and usage for each user/group is included as part of its standard information, so it can be easily check with the usual commands. Check the following examples:

oneuser show uA
USER 2 INFORMATION
ID             : 2
NAME           : uA
GROUP          : gA
PASSWORD       : a9993e364706816aba3e25717850c26c9cd0d89d
AUTH_DRIVER    : core
ENABLED        : Yes

USER TEMPLATE


VMS USAGE & QUOTAS

          VMS               MEMORY                  CPU     SYSTEM_DISK_SIZE
  1 /       4        1M /        -      2.00 /        -        0M /        -

VMS USAGE & QUOTAS - RUNNING

    RUNNING VMS       RUNNING MEMORY          RUNNING CPU
    1 /       -        1M /       2M      2.00 /        -

DATASTORE USAGE & QUOTAS

NETWORK USAGE & QUOTAS

IMAGE USAGE & QUOTAS

And for the group:

onegroup show gA
GROUP 100 INFORMATION
ID             : 100
NAME           : gA

USERS
ID
2
3

VMS USAGE & QUOTAS

          VMS               MEMORY                  CPU     SYSTEM_DISK_SIZE
  1 /       4        1M /        -      2.00 /        -        0M /        -

VMS USAGE & QUOTAS - RUNNING

    RUNNING VMS       RUNNING MEMORY          RUNNING CPU
    1 /       -        1M /       2M      2.00 /        -

DATASTORE USAGE & QUOTAS

NETWORK USAGE & QUOTAS

IMAGE USAGE & QUOTAS

Managing Quotas with Sunstone¶

You can easily set the user/group quotas in Sunstone through the user/group tab. Similarly, usage and quota information is also available as part of the user/group information: