2017-10-16 18:17:04 +00:00
|
|
|
---
|
|
|
|
layout: "guides"
|
|
|
|
page_title: "Resource Quotas"
|
2019-05-08 21:40:38 +00:00
|
|
|
sidebar_current: "guides-governance-and-policy-quotas"
|
2017-10-16 18:17:04 +00:00
|
|
|
description: |-
|
2017-11-17 23:07:05 +00:00
|
|
|
Nomad Enterprise provides support for resource quotas, which allow operators
|
2017-10-16 18:17:04 +00:00
|
|
|
to restrict the aggregate resource usage of namespaces.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Resource Quotas
|
|
|
|
|
2019-05-08 21:40:38 +00:00
|
|
|
[Nomad Enterprise](https://www.hashicorp.com/products/nomad/) provides support
|
|
|
|
for resource quotas, which allow operators to restrict the aggregate resource
|
2017-11-17 23:07:05 +00:00
|
|
|
usage of namespaces.
|
2017-10-16 18:17:04 +00:00
|
|
|
|
|
|
|
~> **Enterprise Only!** This functionality only exists in Nomad Enterprise.
|
|
|
|
This is not present in the open source version of Nomad.
|
|
|
|
|
|
|
|
## Use Case
|
|
|
|
|
|
|
|
When many teams or users are sharing Nomad clusters, there is the concern that a
|
|
|
|
single user could use more than their fair share of resources. Resource quotas
|
2017-10-16 20:39:56 +00:00
|
|
|
provide a mechanism for cluster administrators to restrict the resources that a
|
2018-06-22 20:54:48 +00:00
|
|
|
[namespace](/guides/security/namespaces.html) has access to.
|
2017-10-16 18:17:04 +00:00
|
|
|
|
|
|
|
## Quotas Objects
|
|
|
|
|
|
|
|
Quota specifications are first class objects in Nomad. A quota specification
|
|
|
|
has a unique name, an optional human readable description and a set of quota
|
|
|
|
limits. The quota limits defines the allowed resource usage within a region.
|
|
|
|
|
|
|
|
Quota objects are shareable among namespaces. This allows an operator to define
|
|
|
|
higher level quota specifications, such as a `prod-api` quota, and multiple
|
|
|
|
namespaces can apply the `prod-api` quota specification.
|
|
|
|
|
|
|
|
When a quota specification is attached to a namespace, all resource usage by
|
|
|
|
jobs in the namespaces are accounted toward the quota limits. If the resource is
|
|
|
|
exhausted, allocations with the namespaces will be queued until resources become
|
|
|
|
available by either other jobs finishing or the quota being expanded.
|
|
|
|
|
|
|
|
## Working with Quotas
|
|
|
|
|
|
|
|
For specific details about working with quotas, see the [quotas
|
2017-10-19 23:39:16 +00:00
|
|
|
commands](/docs/commands/quota.html) and [HTTP API](/api/quotas.html)
|
2017-10-16 18:17:04 +00:00
|
|
|
documentation.
|
|
|
|
|
|
|
|
### Creating quotas:
|
|
|
|
|
|
|
|
Resource quotas can be interacted with using the `nomad quota` subcommand. To
|
|
|
|
get started with creating a quota specification, run `nomad quota init` which
|
|
|
|
produces an example quota specification:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ nomad quota init
|
|
|
|
Example quota specification written to spec.hcl
|
|
|
|
|
|
|
|
$ cat spec.hcl
|
|
|
|
name = "default-quota"
|
|
|
|
description = "Limit the shared default namespace"
|
|
|
|
|
|
|
|
# Create a limit for the global region. Additional limits may
|
|
|
|
# be specified in-order to limit other regions.
|
|
|
|
limit {
|
|
|
|
region = "global"
|
|
|
|
region_limit {
|
|
|
|
cpu = 2500
|
|
|
|
memory = 1000
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
A quota specification is composed of one or more resource limits. Each limit
|
|
|
|
applies to a particular Nomad region. Within the limit object, operators can
|
2017-11-05 08:39:42 +00:00
|
|
|
specify the allowed CPU and memory usage.
|
2017-10-16 18:17:04 +00:00
|
|
|
|
|
|
|
To create the particular quota, it is as simple as running:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ nomad quota apply spec.hcl
|
|
|
|
Successfully applied quota specification "default-quota"!
|
|
|
|
|
|
|
|
$ nomad quota list
|
|
|
|
Name Description
|
|
|
|
default-quota Limit the shared default namespace
|
|
|
|
api-prod Production instances of backend API servers
|
|
|
|
api-qa QA instances of backend API servers
|
|
|
|
web-prod Production instances of webservers
|
|
|
|
web-qa QA instances of webservers
|
|
|
|
```
|
|
|
|
|
|
|
|
### Attaching Quotas to Namespaces
|
|
|
|
|
|
|
|
In order for a quota to be enforced, we have to attach the quota specification
|
|
|
|
to a namespace. This can be done using the `nomad namespace apply` command.
|
|
|
|
We could add the quota specification we just created to the `default` namespace
|
|
|
|
as follows:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ nomad namespace apply -quota default-quota default
|
|
|
|
Successfully applied namespace "default"!
|
|
|
|
```
|
|
|
|
|
|
|
|
### Viewing Quotas
|
|
|
|
|
|
|
|
Lets now run a job in the default namespace now that we have attached a quota:
|
|
|
|
|
|
|
|
```
|
2018-03-22 20:39:18 +00:00
|
|
|
$ nomad job init
|
2017-10-16 18:17:04 +00:00
|
|
|
Example job file written to example.nomad
|
|
|
|
|
2018-03-22 20:39:18 +00:00
|
|
|
$ nomad job run -detach example.nomad
|
2017-10-16 18:17:04 +00:00
|
|
|
Job registration successful
|
|
|
|
Evaluation ID: 985a1df8-0221-b891-5dc1-4d31ad4e2dc3
|
|
|
|
|
|
|
|
$ nomad quota status default-quota
|
|
|
|
Name = default-quota
|
|
|
|
Description = Limit the shared default namespace
|
|
|
|
Limits = 1
|
|
|
|
|
|
|
|
Quota Limits
|
|
|
|
Region CPU Usage Memory Usage
|
|
|
|
global 500 / 2500 256 / 1000
|
|
|
|
```
|
|
|
|
|
|
|
|
We can see the newly created job is accounted against the quota specification
|
|
|
|
since it is being run in a namespace that has attached the quota. Now let us
|
|
|
|
scale up the job from `count = 1` to `count = 4`:
|
|
|
|
|
|
|
|
```
|
|
|
|
# Change count
|
2018-03-22 20:39:18 +00:00
|
|
|
$ nomad job run -detach example.nomad
|
2017-10-16 18:17:04 +00:00
|
|
|
Job registration successful
|
|
|
|
Evaluation ID: ce8e1941-0189-b866-3dc4-7cd92dc38a69
|
|
|
|
|
|
|
|
$ nomad status example
|
|
|
|
ID = example
|
|
|
|
Name = example
|
|
|
|
Submit Date = 10/16/17 10:51:32 PDT
|
|
|
|
Type = service
|
|
|
|
Priority = 50
|
|
|
|
Datacenters = dc1
|
|
|
|
Status = running
|
|
|
|
Periodic = false
|
|
|
|
Parameterized = false
|
|
|
|
|
|
|
|
Summary
|
|
|
|
Task Group Queued Starting Running Failed Complete Lost
|
|
|
|
cache 1 0 3 0 0 0
|
|
|
|
|
|
|
|
Placement Failure
|
|
|
|
Task Group "cache":
|
|
|
|
* Quota limit hit "memory exhausted (1024 needed > 1000 limit)"
|
|
|
|
|
|
|
|
Latest Deployment
|
|
|
|
ID = 7cd98a69
|
|
|
|
Status = running
|
|
|
|
Description = Deployment is running
|
|
|
|
|
|
|
|
Deployed
|
|
|
|
Task Group Desired Placed Healthy Unhealthy
|
|
|
|
cache 4 3 0 0
|
|
|
|
|
|
|
|
Allocations
|
|
|
|
ID Node ID Task Group Version Desired Status Created At
|
|
|
|
6d735236 81f72d90 cache 1 run running 10/16/17 10:51:32 PDT
|
|
|
|
ce8e1941 81f72d90 cache 1 run running 10/16/17 10:51:32 PDT
|
|
|
|
9b8e185e 81f72d90 cache 1 run running 10/16/17 10:51:24 PDT
|
|
|
|
```
|
|
|
|
|
|
|
|
Here we can see Nomad created two more allocations but did not place the fourth
|
|
|
|
allocation since that would cause the quota to be oversubscribed on memory.
|
|
|
|
|
|
|
|
### ACLs
|
|
|
|
|
2018-06-22 20:54:48 +00:00
|
|
|
Access to quotas can be restricted using [ACLs](/guides/security/acl.html). As an
|
2017-10-16 18:17:04 +00:00
|
|
|
example we could create an ACL policy that allows read-only access to quotas.
|
|
|
|
|
|
|
|
```
|
|
|
|
# Allow read only access to quotas.
|
|
|
|
quota {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2017-10-16 19:40:41 +00:00
|
|
|
Creating or modifying quotas should typically be guarded by ACLs such that users
|
|
|
|
can not bypass enforcement by simply increasing or removing the quota
|
|
|
|
specification.
|
|
|
|
|
2017-10-16 18:17:04 +00:00
|
|
|
## Resource Limits
|
|
|
|
|
|
|
|
When specifying resource limits the following enforcement behaviors are defined:
|
|
|
|
|
|
|
|
* `limit < 0`: A limit less than zero disallows any access to the resource.
|
|
|
|
|
|
|
|
* `limit == 0`: A limit of zero allows unlimited access to the resource.
|
|
|
|
|
2017-10-16 20:39:56 +00:00
|
|
|
* `limit > 0`: A limit greater than zero enforces that the consumption is less
|
2017-10-16 18:17:04 +00:00
|
|
|
than or equal to the given limit.
|
|
|
|
|
|
|
|
## Federation
|
|
|
|
|
|
|
|
Nomad makes working with quotas in a federated cluster simple by replicating
|
2018-03-11 17:42:05 +00:00
|
|
|
quota specifications from the [authoritative Nomad
|
2018-06-22 20:54:48 +00:00
|
|
|
region](/docs/configuration/server.html#authoritative_region). This allows
|
2017-10-16 18:17:04 +00:00
|
|
|
operators to interact with a single cluster but create quota specifications that
|
|
|
|
apply to all Nomad clusters.
|
|
|
|
|
|
|
|
As an example, we can create a quota specification that applies to two regions:
|
|
|
|
|
|
|
|
```
|
|
|
|
name = "federated-example"
|
|
|
|
description = "A single quota spec effecting multiple regions"
|
|
|
|
|
|
|
|
# Create a limits for two regions
|
|
|
|
limit {
|
|
|
|
region = "europe"
|
|
|
|
region_limit {
|
|
|
|
cpu = 20000
|
|
|
|
memory = 10000
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
limit {
|
|
|
|
region = "asia"
|
|
|
|
region_limit {
|
|
|
|
cpu = 10000
|
|
|
|
memory = 5000
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
If we apply this, and attach it to a namespace with jobs in each region, we can
|
|
|
|
see how the enforcement applies across federated clusters.
|
|
|
|
|
|
|
|
```
|
|
|
|
$ nomad quota apply spec.hcl
|
|
|
|
Successfully applied quota specification "federated-example"!
|
|
|
|
|
2017-10-16 23:05:01 +00:00
|
|
|
$ nomad quota status federated-example
|
2017-10-16 18:17:04 +00:00
|
|
|
Name = federated-example
|
|
|
|
Description = A single quota spec effecting multiple regions
|
|
|
|
Limits = 2
|
|
|
|
|
|
|
|
Quota Limits
|
|
|
|
Region CPU Usage Memory Usage
|
|
|
|
asia 2500 / 10000 1000 / 5000
|
|
|
|
europe 8800 / 20000 6000 / 10000
|
|
|
|
```
|