XFS quota for emptyDir volumes #9261
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
| You can use the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-xfs[XFS quota subsystem] | ||
| to limit the size of `emptyDir` volumes and volumes based on an `emptyDir` volume, such as secrets and configmaps, on each node. | ||
|
|
||
| Enable a quota on local storage use per unique FSGroup ID usin g the *_/var/lib/origin/openshift.local.volumes/volume-config.yaml_* file. |
| --- | ||
|
|
||
| <1> Contains options for controlling local volume quota on the node. | ||
| <2> Set this value to a resource quantity representing the desired quota per |
There was a problem hiding this comment.
Due to some complications in the code, this value is now numeric, not a resource quantity. It is the quota in GBs.
| <1> Contains options for controlling local volume quota on the node. | ||
| <2> Set this value to a resource quantity representing the desired quota per | ||
| xref:../install_config/persistent_storage/pod_security_context.adoc#fsgroup[FSGroup], per node (such as 1Gi, 512Mi, etc). | ||
| Requires the *volumeDirectory* to be on an XFS filesystem mounted with the 'gquota' option. The matching security context contraint *fsGroup* type must be |
There was a problem hiding this comment.
s/gquota/grpquota/
gquota is a alias for grpquota, but grpquota is the real option
|
Thanks @mburke5678 for the quick response on this! Look good overall. I had a few comments. |
|
@sjenning Is the |
mburke5678
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
standby on this. we might be changing how this is done. https://bugzilla.redhat.com/show_bug.cgi?id=1572285#c5 i'll keep you posted. |
|
follow-on PR openshift/origin#19773
|
|
@sjenning I changed the parameter to |
|
@mdshuai Can someone on your team review this PR? |
1 similar comment
|
@mdshuai Can someone on your team review this PR? |
| @@ -262,7 +262,7 @@ be configured: | |||
| NOTE: If the XFS filesystem hosting that folder is mounted with the | |||
| `gquota` option in the `/etc/fstab` | |||
| * the matching security context contraint’s `fsGroup` type set to `MustRunAs` | |||
| * The `/etc/origin/node/node-config.yml` is configured as: | |||
| * The xref:../install_config/master_node_configuration.adoc#node-config-volume-config`/var/lib/origin/openshift.local.volumes/volume-config.yaml` is configured] as: | |||
There was a problem hiding this comment.
This file is now /etc/origin/node/volume-config.yaml
| apiVersion: kubelet.config.openshift.io/v1 | ||
| kind: VolumeConfig | ||
| localQuota: <1> | ||
| perFSGroup: 50 <2> |
There was a problem hiding this comment.
needs a unit. use 1Gi or 512Mi as an example
| --- | ||
|
|
||
| <1> Contains the options for controlling local volume quota on the node. | ||
| <2> Sets the maximum number of `emptyDir` volumes for each unique FSGroup ID. |
There was a problem hiding this comment.
this is not right.
Specifies the maximum amount of storage that can be used for disk-based emptyDir volumes on the node for each unique FSGroup ID
|
We just got tasked with auditing the docs for references to Instead, cluster ops should edit the Really the same thing applies for this as it will be deployed using the |
| to limit the number of `emptyDir` volumes and volumes based on an `emptyDir` volume, such as secrets and configmaps, on each node. | ||
|
|
||
| Enable a quota on local storage for each unique xref:../architecture/additional_concepts/authorization.adoc#security-context-constraints[FSGroup ID] | ||
| using the *_/etc/origin/node/volume-config.yaml_* file. |
There was a problem hiding this comment.
Probably add this here:
NOTE: The volume-config.yaml file should not be edited directly as it is created from the node-config-compute configmap in the openshift-node namespace. Creating or editing volume-config.yaml should be done via the configmap and not directly on the node.
There was a problem hiding this comment.
@sjenning What does the code in the config map configure perFSGroup look like?
There was a problem hiding this comment.
An example:
apiVersion: kubelet.config.openshift.io/v1
kind: VolumeConfig
localQuota:
perFSGroup: 1Gi
|
@sjenning What does the code in the config map configure perFSGroup look like? |
|
@chao007 PTAL |
| <2> Set this value to a resource quantity representing the desired quota per | ||
| xref:../install_config/persistent_storage/pod_security_context.adoc#fsgroup[FSGroup], per node (such as 1Gi, 512Mi, etc). | ||
| Requires the *volumeDirectory* to be on an XFS filesystem mounted with the 'gquota' option. The matching security context contraint *fsGroup* type must be | ||
| <2> Set ththe desired quota per |
|
@chao007 I do not see |
|
|
||
| [NOTE] | ||
| ==== | ||
| You should not edit the *_/var/lib/origin/openshift.local.volumes/volume-config.yaml_* file directly. The file is created from the *_node-config-compute_* configuration map. |
| kind: VolumeConfig | ||
| localQuota: <1> | ||
| perFSGroupInGiB: 1Gi <2> | ||
| ---- |
There was a problem hiding this comment.
@chao007 Fixed. Changed to perFSGroup: 1Gi per Seth's comment. #9261 (comment)
|
lgtm, thanks 👍 |
mburke5678
force-pushed
the
XFS-quota
branch
3 times, most recently
from
fe6aab1 to
1eca68c
Compare
|
@openshift/team-documentation PTAL |
| @@ -260,9 +260,9 @@ is lost. The location of the data in the *{rhocp}* node is located in | |||
| be configured: | |||
|
|
|||
| NOTE: If the XFS filesystem hosting that folder is mounted with the | |||
| `gquota` option in the `/etc/fstab` | |||
| `grpquota` option in the `/etc/fstab` | |||
| * the matching security context contraint’s `fsGroup` type set to `MustRunAs` | |||
There was a problem hiding this comment.
The structure of this list is confusing, and I'm not sure what you mean by "The using the ... configuration map."
Maybe
grpquota option in the /etc/fstab file:
- Set the matching security context contraint’s
fsGrouptype toMustRunAs. - xref:../install_config/master_node_configuration.adoc#node-config-volume-config[Configure the volume] using the node-config-compute configuration map in the openshift-node project.
(and remove the example volumeconfig because it's not really helping here.)
There was a problem hiding this comment.
@kalexand-rh Looking around, I don't think this topic is being used at this time. It was existing text. I made your changes, but did not remove the example. I am not sure why it is there.
I did a search and found gquota and changed to grpquota per Seth's comment.
There was a problem hiding this comment.
Thanks, @mburke5678!
@bfallonf, do you know if this file should be used or removed? It looks like it was commented out of the day_two_guide/host_level_tasks topic.
|
|
||
| <1> Contains options for controlling local volume quota on the node. | ||
| <2> Set this value to a resource quantity representing the desired quota per | ||
| [FSGroup], per node, such as 1Gi, 512Mi, and so forth. |
There was a problem hiding this comment.
I'd set the values off in backticks to emphasize that they're example parameter values. (Otherwise, you need spaces between the value and abbreviation because of Style.)
|
|
||
| [NOTE] | ||
| ==== | ||
| You should not edit the *_/etc/origin/node/volume-config.yaml_* file directly. The file is created from the *_node-config-compute_* configuration map. |
| [NOTE] | ||
| ==== | ||
| You should not edit the *_/etc/origin/node/volume-config.yaml_* file directly. The file is created from the *_node-config-compute_* configuration map. | ||
| Use the *_node-config-compute_* configuration map to create or edit the paramaters in the *_volume-config.yaml_*. |
There was a problem hiding this comment.
s/volume-config.yaml/volume-config.yaml file
| @@ -1082,13 +1082,10 @@ If -1, there is no limit on requests. | |||
| |A boolean to enable or disable dynamic provisioning. Default is *true*. | |||
|
|
|||
| |FSGroup | |||
There was a problem hiding this comment.
I'd consider adding emphasis on FSGroup.
| @@ -1082,13 +1082,10 @@ If -1, there is no limit on requests. | |||
| |A boolean to enable or disable dynamic provisioning. Default is *true*. | |||
|
|
|||
| |FSGroup | |||
| |Can be specified to enable a quota on local storage use per unique FSGroup ID. | |||
| |Can be specified to xref:node-config-volume-config[enable a quota on local storage] use per unique FSGroup ID. | |||
There was a problem hiding this comment.
This is confusing. Do you mean "Can be specified to xref:node-config-volume-config[enable a quota on local storage]. You must enable quota for each unique FSGroup ID." ?
There was a problem hiding this comment.
The feature sets a blanket quota for all FSgroups on each node.
"Enables xref:node-config-volume-config[local storage quotas] on each node for each FSGroup."
kalexand-rh
added
the
peer-review-done
|
/cherrypick enterprise-3.10 |
|
@mburke5678: new pull request created: #9907 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Seth:
As of 3.10, we no longer use the atomic-openshift-node binary. All the functions it wrapped (ovn, ovs, kubelet) have all been broken out into separate services. The kubelet is now the hyperkube binary built from openshift/kubernetes.
This means all the custom stuff we had wrapping the kubelet for our purposes is no long in effect. The node-config.yaml file is not used directly by anything. The "openshift start --write-flags" command is used to convert the node-config.yaml into a list of flags appropriate for the kubelet. Among these patched-in features that don't translate in the new setup is XFS quota via the LocalQuota option in the node-config.yaml
https://docs.openshift.com/container-platform/3.9/install_config/master_node_configuration.html#master-node-config-volume-config
https://docs.openshift.com/container-platform/3.9/install_config/master_node_configuration.html#node-configuration-files
I converted that patch to a carry in our openshift/kubernetes in this PR
openshift/origin#19533
However, because the kubelet does not understand the node-config.yaml and there is no flag by which the XFS quota configuration can be conveyed, the patch reads a new config file at a fixed location to configure the XFS quota.
The new config file path is
/var/lib/origin/openshift.local.volumes/volume-config.yaml
The file has the format:
apiVersion: kubelet.config.openshift.io/v1
kind: VolumeConfig
localQuota:
perFSGroupInGiB: 1
This feature is very lightly documented. The only two places I can find it mentioned are the links above. The primary user, to our knowledge, is Online.
Michael, can you open a PR for 3.10 that updates the documentation to reflect this change?
Thanks and let me know if you have any questions.
FYI @sjenning