Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Per-project uplink IP quotas #14631

Merged
merged 10 commits into from
Jan 27, 2025
Merged

Per-project uplink IP quotas #14631

merged 10 commits into from
Jan 27, 2025

Conversation

hamistao
Copy link
Contributor

@hamistao hamistao commented Dec 10, 2024
edited
Loading

Introduces per-network project uplink IP limits, adding a limits.networks.uplink_ips.NETWORK_NAME configuration key to projects.
This config key defines the maximum value of IPs made available on a network named NETWORK_NAME to be assigned as uplink IPs for entities inside a cetain project.

@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Dec 10, 2024
@hamistao hamistao force-pushed the project_uplink_ip_quotas branch 5 times, most recently from c83d52d to d9df773 Compare December 10, 2024 12:17
minaelee
minaelee reviewed Dec 10, 2024
View reviewed changes
lxd/api_project.go Outdated Show resolved Hide resolved
lxd/network/driver_ovn.go Outdated Show resolved Hide resolved
lxd/network/driver_ovn.go Outdated Show resolved Hide resolved
lxd/network/driver_ovn.go Outdated Show resolved Hide resolved
lxd/network/driver_ovn.go Outdated Show resolved Hide resolved
lxd/network/driver_ovn.go Outdated Show resolved Hide resolved
@hamistao hamistao force-pushed the project_uplink_ip_quotas branch from d9df773 to ad6e23d Compare December 10, 2024 19:42
@hamistao
Copy link
Contributor Author

@minaelee Thanks for the early review, every comment was addressed as you suggested.

@minaelee
Copy link
Contributor

@minaelee Thanks for the early review, every comment was addressed as you suggested.

Thanks! Sorry, I missed that it was marked as Draft. Looks great!

@hamistao hamistao force-pushed the project_uplink_ip_quotas branch from ad6e23d to cf466fa Compare December 11, 2024 04:08
@hamistao hamistao marked this pull request as ready for review December 11, 2024 04:28
@hamistao
Copy link
Contributor Author

@tomponline @markylaing Some observations on this:

  • I did not consider bridge network forwards as something that is taking away IPs from another network, as it would be more tricky to check if they are taking IPs from other managed networks and they are exclusive to the default project. If needed we can add this check in the future.
  • Project uplink IP limits are exclusive to projects with features.networks
  • I am not currently distinguishing between ipv6 and ipv4. Maybe I am not 100% clear on the details of the use case of this feature, as that could help decide how to approach the different protocols.
  • Tests are in the works and should be added to lxd CI shortly.

Manual tests are looking fine so far so I am opening this for review, feel free to look whenever you are able.

@tomponline
Copy link
Member

I am not currently distinguishing between ipv6 and ipv4. Maybe I am not 100% clear on the details of the use case of this feature, as that could help decide how to approach the different protocols.

I think we should have separate ipv4 and ipv6 quotas as the routes on the uplinks are defined per protocol.

@tomponline
Copy link
Member

  • I did not consider bridge network forwards as something that is taking away IPs from another network, as it would be more tricky to check if they are taking IPs from other managed networks and they are exclusive to the default project. If needed we can add this check in the future.

I'm not quite following here. We aren't checking if IPs are being taken away from other networks, but rather whether the quota for the project that the IP usage has exceeded the quota.

For any managed networks in the default project they should still be limited by the quota set on the default project (which is likely to be nothing).

Project uplink IP limits are exclusive to projects with features.networks

I think that probably makes sense. The default project has features.networks so that should be fine.

@hamistao
Copy link
Contributor Author

I'm not quite following here. We aren't checking if IPs are being taken away from other networks, but rather whether the quota for the project that the IP usage has exceeded the quota.

Let's make this a topic for our one to one tomorrow so I can better explain.

@hamistao hamistao marked this pull request as draft December 12, 2024 17:18
@hamistao
Copy link
Contributor Author

hamistao commented Dec 12, 2024
edited
Loading

Going back to draft to implement suggested changes.

@hamistao hamistao force-pushed the project_uplink_ip_quotas branch 5 times, most recently from 1a05029 to 41d59cd Compare January 22, 2025 14:24
@hamistao hamistao mentioned this pull request Jan 22, 2025
Merged
@hamistao hamistao force-pushed the project_uplink_ip_quotas branch from 41d59cd to 1b11281 Compare January 23, 2025 04:33
@hamistao hamistao marked this pull request as ready for review January 23, 2025 04:48
@hamistao hamistao requested a review from tomponline January 23, 2025 05:12
tomponline added a commit that referenced this pull request Jan 24, 2025
@tomponline
Network: Factor out uplink validation logic (#14846)
077aaf7 
Pre-requisite for #14631
tomponline added a commit to canonical/lxd-ci that referenced this pull request Jan 24, 2025
@tomponline
Fix echo string in ovn tests (#390)
a5e286c 
This originally contained tests for
canonical/lxd#14631, but we moved the tests to
the lxd ovn test suite and this was repurposed to just fix a wrong
string that refers to a bridge network as physical.
@hamistao hamistao mentioned this pull request Jan 24, 2025
Merged
@hamistao hamistao force-pushed the project_uplink_ip_quotas branch from 8cd98b6 to d630e2a Compare January 24, 2025 13:57
tomponline added a commit that referenced this pull request Jan 24, 2025
@tomponline
Network: De-duplicate uplink address allocation logic (#14848)
a055765 
This factors out common logic for allocating uplink addresses to network
forwards and load balancers.
Pre-requisite for #14631
@hamistao hamistao force-pushed the project_uplink_ip_quotas branch 7 times, most recently from 2c3824c to 3cc7b25 Compare January 25, 2025 19:28
hamistao added 10 commits January 26, 2025 20:15
@hamistao
api: Add projects_limits_uplink_ips extension
3e24001 
Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/project/limits: Create UplinkAddressQuotasExceeded
f9ab285 
Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/api_project: Add projectName argument to projectValidateConfig
eae4216 
Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/api_project: Create uplinkIPLimitValidator
8bde800 
We check for the current uplink IP usage on the validator function for
two reasons:
 - Show a more informative error message in case the provided value is not appropriate.
 - Avoing doing the expensive computation of uplink IP usage unless a config key was provided
   for a valid uplink network.

Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/api_project: Introduce limits.networks.uplink_ips.* config keys…
84dd9ab 
… to projects

Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/network/common: Create projectUplinkIPQuotaAvailable
b4e83fe 
Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/network/ovn: Check uplink IP limits on allocateUplinkAddress
21c95ca 
Signed-off-by: hamistao <[email protected]>
@hamistao
lxd/network/ovn: Check uplink IP limits on allocateUplinkPortIPs
a0e8a62 
This is useful to prevent newly created ovn networks to exceed the
allowed quota for uplink IPs in its project

Signed-off-by: hamistao <[email protected]>
@hamistao
make update-metadata
46bf593 
Signed-off-by: hamistao <[email protected]>
@hamistao
test/suites: Add tests for project uplink IP limits
2e5ca4f 
It has a couple lines of unrelated tests thrown in as well, such as testing a forward/load-balancer can't use listen addresses outside uplink routes.

Signed-off-by: hamistao <[email protected]>
@hamistao hamistao force-pushed the project_uplink_ip_quotas branch from 3cc7b25 to 2e5ca4f Compare January 26, 2025 23:26
@hamistao hamistao marked this pull request as ready for review January 26, 2025 23:26
tomponline
tomponline approved these changes Jan 27, 2025
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@tomponline tomponline merged commit c7770ec into canonical:main Jan 27, 2025
28 checks passed
@hamistao hamistao deleted the project_uplink_ip_quotas branch January 27, 2025 13:25
@hamistao hamistao mentioned this pull request Jan 27, 2025
Merged
tomponline added a commit that referenced this pull request Jan 31, 2025
@tomponline
Projects: Deny restricting a project that is using a forbidden uplink (
3cdcc02 
…#14867)

As discussed in
#14631 (comment).

Changes to LXD CI tests will probably be needed in order to reflect
these changes.

Pre-requisite for #14882, for the
sole reason I used the `checkUplinkUse` in my follow up implementation.
MusicDin
MusicDin reviewed Feb 3, 2025
View reviewed changes
lxd/api_project.go
Comment on lines +1491 to +1492
// shortdesc: Quota of IPv4 addresses from a specified uplink network that can be used by entities in this project
projectConfigKeys["limits.networks.uplink_ips.ipv6."+networkName] = validate.Optional(uplinkIPLimitValidator(s, projectName, networkName, "ipv6"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caught while writing weekly news, there is a typo in short description: IPv4 -> IPv6

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this, will fix in a minute

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@minaelee minaelee minaelee left review comments

@MusicDin MusicDin MusicDin left review comments

@tomponline tomponline tomponline approved these changes

Assignees
No one assigned
Labels
API Changes to the REST API Documentation Documentation needs updating
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hamistao @minaelee @tomponline @MusicDin