16:03:44 #startmeeting hierarchical_multitenancy
16:03:45 Meeting started Fri Aug 1 16:03:44 2014 UTC and is due to finish in 60 minutes. The chair is raildo. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:03:46 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:03:48 The meeting name has been set to 'hierarchical_multitenancy'
16:03:50 yes
16:04:21 #topic bp nova
16:04:28 #link https://review.openstack.org/#/c/110639/
16:05:05 Joe Gordon gave a -2 in review
16:05:13 yes
16:05:45 sajeesh: Any response from him after vinod replied?
16:05:53 not yet
16:06:10 yesterday there was no nova meeting
16:06:15 maybe you should ping him in #openstack-nova
16:06:28 ok
16:06:32 rodrigods: +1
16:06:44 or send an email
16:06:49 ok
16:07:16 raildo,what is juno-2 and juno-3
16:07:44 #action sajeesh should talk to joe gordon in #openstack-nova or send an email
16:08:00 sajeesh: #link https://wiki.openstack.org/wiki/Juno_Release_Schedule
16:08:26 raildo,ok I will check
16:09:03 raildo,so we have a chance to get into juno-3 right ?
16:09:10 sajeesh: FeatureProposalFreeze for the juno-3 is August 21
16:09:13 sajeesh: yes
16:09:25 ok
16:10:09 #topic option --force in Quota
16:10:46 Ulrich sent me the following sentence "One issue which is cooking up right now is if we can support the --force option to set quota below the current usage. We have a good use case for that but it can be tricky and needs to be carefully thought about so that users cannot cheat. "
16:11:15 ok
16:11:28 Nirbhay_: you could better explain this option --force?
16:11:40 yes
16:11:56 but ulrich has agreed to leave for time being
16:12:07 ok
16:12:43 raildo,for the time being we can keep our bp as simple as possible
16:12:52 sajeesh, ++
16:12:56 yes ++
16:13:23 and there are chances in which user can cheat
16:13:37 I u want i can explain that
16:13:55 Sorry, If you want **
16:14:02 #agree There will not be the option - force
16:14:37 raildo,I will test your setup this weekend
16:14:39 ok
16:14:48 Nirbhay_: If you can explain, I wonder how it would work, can be useful in the future
16:14:54 sajeesh: great
16:15:05 No it has drawback..
16:15:28 let's say we have tree like A->B->C
16:15:44 ok
16:15:54 And quota limit for A is 100, for B 50 and C 20
16:16:01 ok
16:16:24 Assume A and B are not using any resource
16:16:32 ok
16:16:33 and C is using 10
16:16:51 so if we have reduce quota on C to 10 then is ok
16:16:55 right
16:17:08 ok
16:17:10 because C has free quota as 10
16:17:34 ok
16:17:50 now let's say B admin created new project D, C's sibling
16:18:06 ok
16:18:16 how much max quota can be given to D ?can you calculate
16:18:31 If C's quota is 10
16:18:43 and B has 50, nothing used in B
16:18:47 50-10
16:18:50 yes
16:19:00 But now D needs more
16:19:21 but C is using 10 resources so it can not be decreased
16:19:52 in force option B admin can make quota of C to 5 and then add additional 5 to D
16:20:03 ok
16:20:05 you all got it
16:20:30 yes
16:20:30 this feature is what ulrich wanted
16:20:35 but there is issue
16:21:27 so lets say C is using 10 with quota limit 5 and D is using 45 with quota limit 45
16:21:29 ok
16:21:30 OK, I understand better this function :)
16:22:03 but now B admin can misuse force option
16:22:18 ok
16:22:41 he can reduce the quota of D to 10 let's say. And create 35 new instances in B itself
16:23:53 Then below B total 1in 10(C) + 45(D) + 35(B)= 90 instances are running with quota of B as 50
16:24:37 This happens then what is meaning of having quota
16:25:53 In case where cloud service sets quota for a company then manager of that can create or let create has many instances as he wants...
16:26:07 nirbhay,if possible can you please send a mail regarding this
16:26:13 ok
16:26:16 +1
16:26:30 raildo,in keystone have you taken care of the backward compatibility..I mean other services currently doesn't know about nested projects ,including nova
16:26:54 yes
16:26:59 ok
16:27:14 We are developing an extension for OS-inherit
16:27:20 ok
16:27:26 http://docs.openstack.org/api/openstack-identity-service/3/content/api-1.html
16:27:41 ok,I will check it
16:27:45 raildo: we also need to discuss what to do when project is deleted
16:27:52 and this needs to be enable in keystone.conf
16:27:58 ok
16:28:03 Nirbhay_: yes
16:28:21 #topic deleting project
16:28:36 by default quota =0 only solves case of project creation...
16:29:07 yes
16:30:05 raildo: can you suggest any thing on deletion of projects
16:30:39 how should nova adjust quota of parent when child is deleted
16:31:03 right now nova will not come to know abt project deletion in keystone..
16:31:39 The existing bug about notification impacts exactly this point
16:31:57 ok
16:31:57 We have to resolve this bug, or find a WA for that.
16:32:12 ok
16:32:30 but then we to read notification in nova
16:33:34 #link https://bugs.launchpad.net/keystone/+bug/967832
16:33:38 Launchpad bug 967832 in neutron "Resources owned by a project/tenant are not cleaned up after that project is deleted from keystone" [Undecided,In progress]
16:33:50 ok
16:34:20 yes I have seen it
16:34:36 IMO, if I delete a project, I must delete all instances contained in it
16:35:35 raildo: here issue is not of deleting instances
16:36:10 if I forgot to reduce quota then, even if I have deleted instances
16:36:36 parent will not update is allocate quota..
16:37:22 *** its allocated quota value
16:38:32 well, if a child project is deleted, the parent quota should be updated. I believe that the child used quota, should enter in free-quota in parent project.
16:38:36 raildo,sorry I am connecting from an outside centre which will close now.I will check the logs. I will send you a detailed mail.
16:38:42 yes
16:38:48 ok sajeesh
16:38:49 bye
16:38:53 bye all
16:39:11 sajeesh: bye
16:40:48 According to the email I sent, we saw that the Keystone sends the notification. The question is how the Nova'll consume it
16:40:56 yes
16:41:07 I believe we should look like ceilometer uses this notification
16:41:13 yes
16:41:31 i remember in mail have given link for that
16:41:36 I do not see another way to solve this problem.
16:41:44 yes me too
16:42:09 or other for the time being is to neglect deletion of project..
16:42:45 # action to investigate how the ceilometer consumes Keystone's notifications and find a way of Nova makingthe same .
16:42:56 making the same thing*
16:43:11 yes
16:43:52 deletion of project without freeing its quota will lead to quota leak, just like memory leak we have when we do not free RAM
16:44:34 Nirbhay_: yes
16:44:40 raildo: for time being we can go ahead with current design and neglect the effect of deletion of a project
16:45:32 Making a brainstorm. Is not there a way to Nova check if the project still exist?
16:45:49 we can check that
16:46:07 I vinod knows better on this
16:46:33 before any update on we check that all child of project exist or not
16:46:50 try to do a Get Project , if he does not return, deletes instances, liberates the quota ...
16:47:14 before any update on **quota** we can check that all child of project exist or not
16:47:23 yes
16:47:28 +!
16:47:29 Nirbhay_: for now, that's a good WA
16:47:31 +1
16:47:36 Nirbhay: that is possible....
16:47:57 In nova, with the token, a query to Keystone can be sent using its API to check the project existence
16:48:08 #agree before any update on **quota** we can check that all child of project exist or not
16:48:23 VINOD_: ++
16:48:35 The only problem i could see is RBAC rules...
16:49:27 raildo: ur BP has answer for vinod's doubt
16:49:30 If lets say a user with a role "xyz" is allowed to update the quota (in policy.json file of nova)...but the same role cannot list the projects (in policy.json file of Keystone)
16:49:48 a token to parent can be used to get token for child if role is inheritable
16:50:09 Nirbhay_: yes
16:50:50 then it should work
16:51:07 By default, all users can list projects and how it is configured, I believe it is not a problem.
16:51:18 I had given a different scenario....The admin of Keystone and the admin of Nova can modify their own policy.json files...
16:51:25 raildo: yes...you are right...
16:52:09 but what i am saying is the case when the policy files updated in the way i had told in the above example...
16:53:50 vinod: token contains list of child project why we need to go to keystone again
16:54:22 VINOD_: I don't see any solution in mind now. I'll think a bit more on this point.
16:54:57 Nirbhay: I thought you were asking the possibility of getting list at runtime in Nova
16:55:04 we get scoped token to parent, if we find any child missing in token list then can make its quota as zero..and update of quota of child whose is requested
16:55:09 raildo: I will check and will get back to you
16:55:19 VINOD_: thanks :)
16:55:31 not at runtime
16:55:52 Nirbhay: Last week also we discussed problem with this...the race conditions....
16:56:15 Then what about in the delete case
16:56:29 ok yes race condition may happen
16:56:57 Also, if a child is missing in the token....you are saying to set it to zero...but how you can be sure that the admin has given right query...
16:57:05 yes
16:57:23 The time the meeting ended. We can discuss the rest by email.
16:57:24 i mean if hierarchy A->B->C->D.....in the token at B, C is listed has child...but if i ask to update the quota of D....
16:57:28 ok
16:57:31 raildo: ok
16:57:36 ok bye to all
16:57:40 bye
16:57:44 #endmeeting