Introduction
Quota service while allowing for scalability will make sure that the cloud is not exploited by attacks, careless use and program errors. To address this problem, we propose to employ a quota-enforcement service that allows resource usage within certain bounds as defined by policies and available quotas for various entities.
Quota service extends the functionality of usage server to provide a measurement for the resources used by the accounts and domains using a common unit referred to as cloud currency in this document. It can be configured to ensure that your usage won’t exceed the budget allocated to accounts/domain in cloud currency.
It will let user know how much of the cloud resources he is using. It will help the cloud admins, if they want, to ensure that a user does not go beyond his allocated quota. Per usage cycle if a account is found to be exceeding its quota then it is locked. Locking an account means that it will not be able to initiat
e a new resource allocation request, whether it is more storage or an additional ip. Needless to say quota service as well as any action on the account is configurable.
Use Cases
- Mapping of cloud resources to a single unit of cloud currency.
- Assigning of quotas in terms of cloud currency to the accounts.
- View by domain/account of the use in cloud currency.
- To block new demands based on reaching 100% of the quota assigned in terms of cloud currency
- On exhausting the credits the account or all the accounts in a domain will be locked so that no new request for resources can be made.
- A method to add more credits and unlock account/domain
- A method to remove credits and disable accounts
- To send an alert by e-mail to the domain administrator/consumption account of the budget, e.g.: 80% and 90%; and issue monthly expenses report in terms of cloud currency.
Design Description
The implementation will be using usage server as the one providing the measurement. In addition to measurement (as done by usage server) mapping to cloud currency, generation of statement in terms of a cloud currency( common denominator) and control will be added by the quota service. Quota service will also provide configuration of cloud currency symbols so that the statements are more readable.
- This section describes the parameters that will be used to configure the quota service. Some of these parameters are already there. All these usage/quota related variables can be listed as a group and selected under the Global Settings page.
- Already existing global variables to configure usage server
- enable.usage.server: existing: Whether the usage server is active
- usage.stats.job.exec.time: existing: Time when the usage server processing will start
- usage.execution.timezone : existing: Timezone for usage.stats.job.exec.time
- usage.stats.job.aggregation.range: existing: time zone for usage records
- Additional global parameters to configure the quota service
- quota.enable.service: Enable quota service by default all of this functionality is disabled.
quota.period.type : Quota period type: 1 for every x days, 2 for certain day of the month, 3 for yearly on activation day - default usage reporting cycle. [ Unimplemented: period type is calendar month ] quota.period.config : The value for the above quota period type [ Unimplemented: period type is calendar month ]- quota.period.type : This variables define the statement generation interval. Values correspond to bimonthly=1, monthly=2, quarterly=3, half yearly=4 and annually=5.
- quota.activity.generate : Set “Y” to enable a detailed log of the quota usage, rating and billing activity, on daily basis. Valid values (“Y”, “N”); [ Unimplemented: Can be part of next set of changes ]
- quota.email.outgoing.record: Boolean, yes means all the emails sent out will be stored in local DB, by default it is no. [ Unimplemented: Can be part of next set of changes, nice to have the records. ]
- quota.enable.enforcement : Enable the usage quota enforcement, i.e. on true exceeding quota the respective account will be locked.
- quota.currency.symbol : The symbol for the currency in use to measure usage.
- quota.limit.critical: A percentage limit for quota when it is reached user is sent and alert. [ Unimplemented: The functionality to provide critical limit is per account ]
- quota.limit.incremental: A percentage incremental limit that is added to criticalLimit in this increments, when breached a email is send to the user with details. [ Unimplemented: The functionality to provide critical limit is per account ]
- Variables for setting up auto emailer
- quota.usage.smtp.host : SMTP host for sending emails
- quota.usage.smtp.connection.timeout: SMTP server timeout
- quota.usage.smtp.user:
- quota.usage.smtp.password
- quota.usage.smtp.port
- quota.usage.smtp.useAuth
- This section describes the quota related policies in terms of fair use and limits. Most of this configuration already exists.
- Global limits, these already exists in cloudstack and are measured per account by usage server. These will form the foundation of resources that quota service will manage. APPENDIX A.
- APPENDIX B list down various limits that are set at various levels to ensure fair usage of resources across accounts. These settings already exists.
- In section 1. and 2. we described the basic configuration and policy guidelines for resource usage. To enforce a quota for accounts and domains we should be able to map various resource usage to a common cloud currency, so that it is easier to manage the quotas for various accounts. In cloudstack each resource comes with a unit of its own like a running vm resource is measured in terms of time while the storage is measured in terms of space measure in MB or GB. This API will let the operator map the resource usage unit to a common currency. We will refer this currency to cloud currency. Configure the mapping for resource, units and price
Following resources are measured by usage server and managed by quota service
Usage Type | Usage generated In | Predefined Scales | Descriminator | Cloud Currency | Description |
RUNNING_VM | Compute-Hours | Compute-Days | HA Enabled Guest OS ISO Image | x1 | Tracks the total running time of a VM per usage record period. |
ALLOCATED_VM | Compute-Hours | Compute-Days | HA Enabled Guest OS ISO Image | x2 | Tracks the total time the VM has been created to the time when it has been destroyed. |
IP_ADDRESS | IP-Hours | IP-Days IP-Months | | x3 | Tracks the public IP address owned by the account. |
NETWORK_BYTES_SENT | Bytes | GB TB | Redundant Router VLAN Enabled Network Type | x4 | Tracks the total number of bytes sent by all the VMs for an account. |
NETWORK_BYTES_RECEIVED | Bytes | GB TB | Redundant Router VLAN Enabled Network Type | x4 | Tracks the total number of bytes received by all the VMs for an account. |
VOLUME | Byte-Hours | GB-Months TB-Months GB-Days RB-Days | Pool Type Volume Tag | x6 | Tracks the total time a disk volume has been created to the time when it has been destroyed. |
TEMPLATE | Byte-Hours | GB-Months TB-Months GB-Days RB-Days | | x7 | Tracks the total time a template (either created from a snapshot or uploaded to the cloud) has been created to the time it has been destroyed. The size of the template is also returned. |
ISO | Byte-Hours | GB-Months TB-Months GB-Days RB-Days | | x8 | Tracks the total time an ISO has been uploaded to the time it has been removed from the cloud. The size of the ISO is also returned. |
SNAPSHOT | Byte-Hours | GB-Months TB-Months GB-Days RB-Days | | x9 | Tracks the total time from when a snapshot has been created to the time it have been destroyed. |
LOAD_BALANCER_POLICY | Policy-Hours | Rule-Hours Rule-Months | | x10 | Tracks the total time a load balancer policy has been created to the time it has been removed. |
PORT_FORWARDING_RULE | Policy-Hours | Rule-Hours Rule-Months | | x11 | Tracks the time from when a port forwarding rule was created until the time it was removed. |
NETWORK_OFFERING | Policy-Hours | Policy-DAYS Policy-MONTHS | | x12 | The time from when a network offering was assigned to a VM until it is removed. |
VPN_USERS | VPN-Hours | VPN-Days VPN-Months | | x13 | The time from when a VPN user is created until it is removed. |
- Price is provided in Cloud currency. The scale and ratios are defined by the operator. The operator can decide how much a single GB of secondary storage costs in terms of cloud currency. Compared to how much an ip will cost in the same currency.
- A new method is added to cloudstack API to map the resource scale and corresponding currency costs. This method is called quotaMapResourcesToCurrency().
- A configuration for cloud currency representation will be provided so that the quota statements are readable.
- quota.currency.symbol: This variable will point to the index of selected currency of the quota_currency_symbols table.
- A new account state "nocredit" is introduced that signals that there is no quota for an account. The login for the account is disabled and appropriate message is flagged to the user. Cloudstack as of now has not API classification that classify a resource request vs a plain operation request. This is the reason locking account due to "nocredit" is the most feasible option. There is still a bit of discrepancy where in the sense a "nocredit" account will still be consuming resources in terms of a running VM or stored snapshots. He can though send an email to admin requesting more credits or removal of his account. Deletion of an account is already provided by cloudstack.
- API to get statement: quotaStatement(startData, endDate, resourceName, accountId, domainId). This will return a map that contains
- Usage of given or all resource for a given period
- Remaining Cloud currency credits available
- The UI should let user browse thru his past quota statements
- An admin API to Credit/Debit Cloud currency to a account
- Credit and enable the account if disabled due to lack of credits
- Debit Cloud currency and disable the account if no Cloud currency is available
- An API to customise various email templates that are available in with the quota service.
- Email template to update/alert user when the quota usage reaches a critical limit and then when it hits incremental limits.
- A Email to alert that the account has exceeded the quota and will is not locked.
- Billing email for billing period
- The tariff changes can be scheduled in future.
Quota Plugin
The main quota plugin will be a DB plugin interacting with usage tables mainly and usage server. There will be a UI plugin too, to customise, to manage quotas, to generate reports and to customise email templates.
A new account state will be introduced to represent that the account has run out of the quota. If more granular control is required on resource changing APIs then we will need some kind of classification (annotation) to make the APIs as resource acquiring, resource releasing or query only. At this point we are not planning for such fine grained control but just to mark the account state as "no quota credit" if an account runs out of quota and quota service is enabled.
Database changes
- quota_configuration : This is the global mapping of currency to the resources identified in section 3.
- quota_consumption : table to define quotas for various users. This table will be updated on adding or using up the quotas. This table will also keep a record of accounts that are locked and have run out of their allocated quotas
- quota_email_templates: A list of customisable email templates used to send emails
- quota_email_sent: A record of emails that is sent to the users.
- quota_currency_symbols: List of various real currencies that are there.
UI Changes
The quota UI is representational, will be implemented as a UI plugin.
- Global Settings for configuring quota service
2. Global settings for quota mapping for various usage items
Third column above (label.quota.value) mapping to the cloud currency. The root admin can edit these values. By default it will be 0 for all mappings.
3. For each account and domain there will be an additional UI to see the current quotas and to get the current quota statement. This will become part of account and domain UI.
a. Quota button on accounts tab:
b. Sample Quota Statement
4. A locked account due to quota
APPENDIX A
Global limits, these already exists in cloudstack and are measured per account by usage server. These will form the foundation of resources that quota service will manage.
- max.account.public.ips: Number of public IP addresses that can be owned by an account
- max.account.snapshots: Number of snapshots that can exist for an account
- max.account.templates: Number of templates that can exist for an account
- max.account.user.vms: Number of virtual machine instances that can exist for an account
- max.account.volumes: Number of disk volumes that can exist for an account
- max.template.iso.size: Maximum size for a downloaded template or ISO in GB
- max.volume.size.gb: Maximum size for a volume in GB
- network.throttling.rate: Default data transfer rate in megabits per second allowed per user (supported on XenServer)
- snapshot.max.hourly: Maximum recurring hourly snapshots to be retained for a volume. If the limit is reached, early snapshots from the start of the hour are deleted so that newer ones can be saved. This limit does not apply to manual snapshots. If set to 0, recurring hourly snapshots can not be scheduled
- snapshot.max.daily: Maximum recurring daily snapshots to be retained for a volume. If the limit is reached, snapshots from the start of the day are deleted so that newer ones can be saved. This limit does not apply to manual snapshots. If set to 0, recurring daily snapshots can not be scheduled
- snapshot.max.weekly: Maximum recurring weekly snapshots to be retained for a volume. If the limit is reached, snapshots from the beginning of the week are deleted so that newer ones can be saved. This limit does not apply to manual snapshots. If set to 0, recurring weekly snapshots can not be scheduled
- snapshot.max.monthly: Maximum recurring monthly snapshots to be retained for a volume. If the limit is reached, snapshots from the beginning of the month are deleted so that newer ones can be saved. This limit does not apply to manual snapshots. If set to 0, recurring monthly snapshots can not be scheduled.
APPENDIX B
Following are various limits specified at various level to keep resource usage in check:
- Limit resource usage
- max.account.cpus : Maximum number of CPU cores that can be used for an account. Default is 40.
- max.account.ram: Maximum RAM that can be used for an account. Default is 40960MB
- max.account.primary.storage: Maximum primary storage space that can be used for an account. Default is 200GB.
- max.account.secondary.storage: Maximum secondary storage space that can be used for an account. Default is 400GB.
- max.project.cpus: Maximum number of CPU cores that can be used for an account. Default is 40.
- max.project.ram: Maximum RAM that can be used for an account. Default is 40960MB.
- max.project.primary.storage : Maximum primary storage space that can be used for an account. Default is 200GB.
- max.project.secondary.storage: Maximum secondary storage space that can be used for an account. Default is 400GB.
- Some of these limits can additionally be configured at account level
- Instance limits: Default 20
- Public ip limit: 20
- Volume limits: 20
- Snapshot limits: 20
- Template limits: 20
- VPC limits: 20
- CPU limits: 40
- Memory limits: 40960 MB
- PS limits: 200GB
- SS limits: 400GB
- Domain level configurable limits
- Instance limits:
- Public ip limit:
- Volume limits:
- Snapshot limits:
- Template limits:
- VPC limits:
- CPU limits:
- Memory limits:
- PS limits:
- SS limits:
REF: Usage: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Usage+and+Usage+Events
Accounts: https://kb.leaseweb.com/display/KB/Accounts%3A+CloudStack
Domains: https://kb.leaseweb.com/display/KB/Domains%3A+CloudStack
Projects: https://kb.leaseweb.com/display/KB/Projects%3A+CloudStack
Usage limits: http://cloudstack-administration.readthedocs.org/en/latest/usage.html