[pve-devel] [PATCH v2 access-control 1/1] pools: define resource limits

Daniel Kral d.kral at proxmox.com
Thu Dec 19 17:01:07 CET 2024


On 16/04/2024 14:20, Fabian Grünbichler wrote:
> and handle them when parsing/writing user.cfg
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     - make limit schema public for pve-guest-common usage
> 
>  src/PVE/AccessControl.pm  | 42 +++++++++++++++++++++++++++++++++++++--
>  src/test/parser_writer.pl | 14 ++++++-------
>  2 files changed, 47 insertions(+), 9 deletions(-)
> 
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> index 21f93ff..f1863c8 100644
> --- a/src/PVE/AccessControl.pm
> +++ b/src/PVE/AccessControl.pm
> @@ -72,6 +72,36 @@ sub pve_verify_realm {
>      PVE::Auth::Plugin::pve_verify_realm(@_);
>  }
>  
> +our $pool_limits_desc = {
> +    "mem-config" => {
> +	type => 'integer',
> +	description => "Sum of memory (in MB) guests in this pools can be configured with.",

I think this should be in MiB.

Also, I think it's a little bit more readable if we'd rephrase it to use
either "maximum amount of" or "upper limit for", e.g.:

"The maximum amount of memory (in MiB), which can be configured for all
guests in this pool."

> +	optional => 1,
> +    },
> +    "mem-run" => {
> +	type => 'integer',
> +	description => "Sum of memory (in MB) guests in this pools can be started with.",

I think this should be in MiB.

Similar changes as to 'mem-config', e.g.:

"The maximum amount of memory (in MiB), which can be configured for
running guests in this pool at the same time."

And maybe append something like:

"This amount must be lower than 'mem-config'."

I thought about using "allocated to" instead of "configured for", but
this would likely cause readers to believe that it's the actual
allocated amount of memory.

> +	optional => 1,
> +    },
> +    "cpu-config" => {
> +	type => 'integer',
> +	description => "Sum of (virtual) cores guests in this pools can be configured with.",

Similar to 'mem-config':

"The maximum amount of virtual CPU cores, which can be configured for
all guests in this pool."

> +	optional => 1,
> +    },
> +    "cpu-run" => {
> +	type => 'integer',
> +	description => "Sum of (virtual) cores guests in this pools can be started with.",

Similar to 'mem-run':

"The maximum amount of virtual CPU cores, which can be configured for
running guests in this pool at the same time. This amount must be lower
than 'cpu-config'."

> +	optional => 1,
> +    },
> +};
> +
> +PVE::JSONSchema::register_format('pve-pool-limits', $pool_limits_desc);
> +PVE::JSONSchema::register_standard_option('pve-pool-limits', {
> +    type => 'string',
> +    format => $pool_limits_desc,
> +    optional => 1,
> +});
> +
>  # Locking both config files together is only ever allowed in one order:
>  #  1) tfa config
>  #  2) user config
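Review bot: None of the four properties in `$pool_limits_desc` declares a lower bound, so with only `type => 'integer'` a negative value (constructed example: `mem-run=-1`) would presumably pass schema validation. How the enforcing code interprets a negative limit is not visible in this patch. Adding `minimum => 0` to each of `mem-config`, `mem-run`, `cpu-config` and `cpu-run` would reject such input both when user.cfg is parsed and wherever the `pve-pool-limits` standard option is used in an API schema.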
> @@ -1524,7 +1554,7 @@ sub parse_user_config {
>  		warn "user config - ignore invalid path in acl '$pathtxt'\n";
>  	    }
>  	} elsif ($et eq 'pool') {
> -	    my ($pool, $comment, $vmlist, $storelist) = @data;
> +	    my ($pool, $comment, $vmlist, $storelist, $limits) = @data;
>  
>  	    if (!verify_poolname($pool, 1)) {
>  		warn "user config - ignore pool '$pool' - invalid characters in pool name\n";
> @@ -1575,6 +1605,13 @@ sub parse_user_config {
>  		}
>  		$cfg->{pools}->{$pool}->{storage}->{$storeid} = 1;
>  	    }
> +
> +	    if ($limits) {
> +		my $parsed_limits = eval { PVE::JSONSchema::parse_property_string($pool_limits_desc, $limits) };
> +		warn "Failed to parse pool limits for '$pool' - $@\n" if $@;
> +
> +		$cfg->{pools}->{$pool}->{limits} = $parsed_limits;
> +	    }
>  	} elsif ($et eq 'token') {
>  	    my ($tokenid, $expire, $privsep, $comment) = @data;
>  
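Review bot: When `parse_property_string` dies, the `warn` fires but `$parsed_limits` is undef and is still stored in `$cfg->{pools}->{$pool}->{limits}`, so a pool whose limits field is malformed loads as a pool with no limits. The `$d->{limits} ? ... : ''` branch in `write_user_config` then emits an empty field, so the next rewrite of user.cfg drops the configured limits for good. For a resource quota that is fail-open; at minimum guard the assignment, e.g. `$cfg->{pools}->{$pool}->{limits} = $parsed_limits if defined($parsed_limits);`. It is also worth deciding whether an unparseable limit should mark the pool so that consumers refuse to configure or start guests. The enclosing `parse_user_config` starts and ends outside this hunk.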
> @@ -1656,7 +1693,8 @@ sub write_user_config {
>  	my $vmlist = join (',', sort keys %{$d->{vms}});
>  	my $storelist = join (',', sort keys %{$d->{storage}});
>  	my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
> -	$data .= "pool:$pool:$comment:$vmlist:$storelist:\n";
> +	my $limits = $d->{limits} ? PVE::JSONSchema::print_property_string($d->{limits}, $pool_limits_desc) : '';
> +	$data .= "pool:$pool:$comment:$vmlist:$storelist:$limits:\n";
>      }
>  
>      $data .= "\n";
> diff --git a/src/test/parser_writer.pl b/src/test/parser_writer.pl
> index 80c346b..2e6eb61 100755
> --- a/src/test/parser_writer.pl
> +++ b/src/test/parser_writer.pl
> @@ -431,12 +431,12 @@ my $default_raw = {
>  	'test_role_privs_invalid' => 'role:testrole:VM.Invalid,Datastore.Audit,VM.Allocate:',
>      },
>      pools => {
> -	'test_pool_empty' => 'pool:testpool::::',
> -	'test_pool_invalid' => 'pool:testpool::non-numeric:inval!d:',
> -	'test_pool_members' => 'pool:testpool::123,1234:local,local-zfs:',
> -	'test_pool_duplicate_vms' => 'pool:test_duplicate_vms::123,1234::',
> -	'test_pool_duplicate_vms_expected' => 'pool:test_duplicate_vms::::',
> -	'test_pool_duplicate_storages' => 'pool:test_duplicate_storages:::local,local-zfs:',
> +	'test_pool_empty' => 'pool:testpool:::::',
> +	'test_pool_invalid' => 'pool:testpool::non-numeric:inval!d::',
> +	'test_pool_members' => 'pool:testpool::123,1234:local,local-zfs::',
> +	'test_pool_duplicate_vms' => 'pool:test_duplicate_vms::123,1234:::',
> +	'test_pool_duplicate_vms_expected' => 'pool:test_duplicate_vms:::::',
> +	'test_pool_duplicate_storages' => 'pool:test_duplicate_storages:::local,local-zfs::',
>      },
>      acl => {
>  	'acl_simple_user' => 'acl:1:/:test at pam:PVEVMAdmin:',
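Review bot: Every pool fixture here only gains the extra trailing `:`, and none carries a non-empty limits field, so the new parse and print paths in AccessControl.pm are not exercised. One fixture with valid limits that must round-trip unchanged (constructed example: `'pool:testpool::::cpu-run=4,mem-config=1024:'`, assuming the printer emits keys in a stable order) would pin the intended behaviour. A second fixture with a malformed limits value should produce the warning and a defined result. The `$default_raw` hash starts and ends outside this hunk.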
> @@ -1018,7 +1018,7 @@ my $tests = [
>  	       'user:test at pam:0:0::::::'."\n".
>  	       'token:test at pam!test:0:0::'."\n\n".
>  	       'group:testgroup:::'."\n\n".
> -	       'pool:testpool::::'."\n\n".
> +	       'pool:testpool:::::'."\n\n".
>  	       'role:testrole::'."\n\n",
>      },
>  ];
> -- 
> 2.39.2



