No way to set quotas for neutron-vpnaas resources using openstack CLI tool

Bug #1967142 reported by Anton Kurbatov
This bug affects 2 people
Affects                  Status  Importance  Assigned to  Milestone
neutron                  New     Medium      Unassigned
python-openstackclient   New     Undecided   Unassigned

Bug Description

I can't find a way to set up VPN quotas using the CLI tools: neither the openstack CLI nor the deprecated neutron CLI has this feature.

I can only update VPN quotas using a direct API request (e.g. via curl).
And I can only list VPN quotas using the neutron CLI tool.

[root@node4578 ~]# curl -ks -H "x-auth-token: $token" -X PUT https://192.168.1.10:9696/v2.0/quotas/e28d46f9ce084b21a163f72ce1a49adf -d '{"quota": {"ipsec_site_connection": 5}}'
{"quota": {"subnet": -1, "ikepolicy": -1, "subnetpool": -1, "network": -1, "ipsec_site_connection": 5, "endpoint_group": -1, "ipsecpolicy": -1, "security_group_device": -1, "security_group_rule": -1, "vpnservice": -1, "floatingip": -1, "security_group": -1, "router": -1, "rbac_policy": -1, "port": -1}}
[root@node4578 ~]#
[root@node4578 ~]# neutron quota-show e28d46f9ce084b21a163f72ce1a49adf
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+-----------------------+-------+
| Field | Value |
+-----------------------+-------+
| endpoint_group | -1 |
| floatingip | -1 |
| ikepolicy | -1 |
| ipsec_site_connection | 5 |
| ipsecpolicy | -1 |
| network | -1 |
| port | -1 |
| rbac_policy | -1 |
| router | -1 |
| security_group | -1 |
| security_group_device | -1 |
| security_group_rule | -1 |
| subnet | -1 |
| subnetpool | -1 |
| vpnservice | -1 |
+-----------------------+-------+
[root@node4578 ~]# openstack quota list --network --detail --project e28d46f9ce084b21a163f72ce1a49adf
+----------------------+--------+----------+-------+
| Resource | In Use | Reserved | Limit |
+----------------------+--------+----------+-------+
| subnets | 0 | 0 | -1 |
| routers | 0 | 0 | -1 |
| security_group_rules | 0 | 0 | -1 |
| subnet_pools | 0 | 0 | -1 |
| security_groups | 0 | 0 | -1 |
| rbac_policies | 0 | 0 | -1 |
| floating_ips | 0 | 0 | -1 |
| networks | 0 | 0 | -1 |
| ports | 0 | 0 | -1 |
+----------------------+--------+----------+-------+
[root@node4578 ~]#

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Anton:

"neutron-vpnaas" registers two quotas:
* Vpn_endpoint_groups: https://github.com/openstack/neutron-vpnaas/blob/f82e5c7415646844654ffb97c02f52541be0c906/neutron_vpnaas/extensions/vpn_endpoint_groups.py#L83
* Vpnaas: https://github.com/openstack/neutron-vpnaas/blob/f82e5c7415646844654ffb97c02f52541be0c906/neutron_vpnaas/extensions/vpnaas.py#L499

These values are present in the API. Actually, the "neutron" CLI command shows them because it prints what the API call returns.

However, OSC sets a static list of resources [1] for "network" quotas. Those 9 elements are in the "openstack quota list" output you printed. What you need is to improve OSC, reading what is returned in the API call and adding new elements that could be freely registered, as the Neutron quota engine allows. BTW, you'll probably need to add those new parameters to [2], that is, the Network Quota resource object the API is using to return the information.

I'll add OSC to this bug.

Regards.

[1] https://github.com/openstack/python-openstackclient/blob/8f07476e53c8dd9ddeb4bd13f8e186c920eba1ee/openstackclient/common/quota.py#L69-L79
[2] https://github.com/openstack/openstacksdk/blob/master/openstack/network/v2/quota.py

Changed in neutron:
importance: Undecided → Medium
Anton Kurbatov (akurbatov) wrote :

Hello Rodolfo

Yes, I already fixed the CLI tools locally to make them work for me. But it looks to me like a temporary solution.
AFAIU, the neutron project allows extending its functionality using an extension mechanism: you just need to install the correct extension on the node and adjust neutron.conf. That's how the neutron-vpnaas extension actually works.
Now let's assume there are different neutron extensions. And for each extension we need to patch the CLI tools.
Maybe the correct way to fix the issue is to make a separate client extension. Just my assumption.

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Anton:

I don't understand the last statement, "to make a separate client extension". Do you mean to create another quota topic apart from network, compute and volume? You can propose it to the community.

Why do you say that fixing the CLI is a temporary solution? If you have a project and you are registering a new parameter to the quota engine, it makes sense that you need also to implement it in SDK/OSC.

Do you have the patches of your implementation? Just for documentation purposes.

Thanks and regards.

Anton Kurbatov (akurbatov) wrote :

Ok let me say it a little differently.
My reasoning is based on the idea that the user does not need commands to work with vpn if the vpn extension is not installed, and vice versa.
This is how it is possible with octavia, when the user has to additionally install the octaviaclient package in order to work with load balancers.
Thus, by the words "to make a separate client extension" I mean to move the vpn commands from the neutronclient package into a separate package, which will need to be installed separately and which will provide all the commands for working with VPNaaS objects.

The file 'openstackclient/common/quota.py' could be fixed to deal with quotas from plugins in a generic way, just as an example:

https://github.com/openstack/python-openstackclient/blob/8f07476e53c8dd9ddeb4bd13f8e186c920eba1ee/openstackclient/common/quota.py#L477

def _build_options_list(self):
    ...
    for mod in clientmanager.PLUGIN_MODULES:
        quota_items = getattr(mod, 'QUOTA_ITEMS', {})
        rets.extend(
            [(k, v, help_fmt % v) for k, v in quota_items.items()])
    return rets

It's just my idea of where to go. I see a lot of work in putting clients for extensions into separate packages. But I don't know what to do in this case, so that in the future we would not come to this problem again but for other objects from other extensions.

> Why do you say that fixing the CLI is a temporary solution?

I'm talking about the NETWORK_QUOTAS extension as a temporary solution. Because I don't know how many plugins (custom plugins) for neutron exist that also register objects with quotas.

I don't have a patch; I fixed the issue locally just by fixing the NETWORK_QUOTAS dict.

In any case, I don't mind a patch that fixes the NETWORK_QUOTAS dict as a fix for VPN objects.
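
The gap discussed in this thread, as an added example that is not part of the original report or of OSC: a client with a fixed resource list hides quotas the server still enforces, while a generic view keeps every key the API returns. The sample body is constructed from the PUT response in the bug description; the static mapping is inferred from the nine rows of the "openstack quota list" output, and `plugin_items` is a hypothetical stand-in for the QUOTA_ITEMS idea above.

```python
import json

# Constructed sample: the quota body returned by the PUT in the bug description.
API_RESPONSE = """{"quota": {"subnet": -1, "ikepolicy": -1, "subnetpool": -1,
 "network": -1, "ipsec_site_connection": 5, "endpoint_group": -1,
 "ipsecpolicy": -1, "security_group_device": -1, "security_group_rule": -1,
 "vpnservice": -1, "floatingip": -1, "security_group": -1, "router": -1,
 "rbac_policy": -1, "port": -1}}"""

# Assumption: API key -> displayed name, inferred from the nine rows printed by
# "openstack quota list --network" in the report (not copied from OSC source).
STATIC_NETWORK_QUOTAS = {
    "subnet": "subnets", "router": "routers",
    "security_group_rule": "security_group_rules",
    "subnetpool": "subnet_pools", "security_group": "security_groups",
    "rbac_policy": "rbac_policies", "floatingip": "floating_ips",
    "network": "networks", "port": "ports",
}

def load_quota(body):
    """Parse a /v2.0/quotas/<project> response body into {api_key: limit}."""
    return json.loads(body)["quota"]

def static_view(quota):
    """Rows a client with a fixed resource list would display."""
    return {name: quota[key]
            for key, name in STATIC_NETWORK_QUOTAS.items() if key in quota}

def generic_view(quota, plugin_items=None):
    """Display every key the API returned; unknown keys keep their API name.

    plugin_items is a hypothetical {api_key: display_name} dict that a client
    plugin could contribute.
    """
    names = {**STATIC_NETWORK_QUOTAS, **(plugin_items or {})}
    return {names.get(key, key): limit for key, limit in sorted(quota.items())}

def hidden_quotas(quota):
    """Keys the server enforces that the static list never shows."""
    return sorted(set(quota) - set(STATIC_NETWORK_QUOTAS))

def unlimited_hidden(quota):
    """Hidden keys whose limit is -1 (unlimited): the ones worth auditing."""
    return [key for key in hidden_quotas(quota) if quota[key] == -1]

if __name__ == "__main__":
    q = load_quota(API_RESPONSE)
    print("hidden by static list:", hidden_quotas(q))
    print("hidden and unlimited: ", unlimited_hidden(q))
```
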
