[ceph.git] / ceph / doc / cephfs / quota.rst

Quotas
======

CephFS allows quotas to be set on any directory in the system.  The
quota can restrict the number of *bytes* or the number of *files*
stored beneath that point in the directory hierarchy.

Limitations
-----------

#. *Quotas are cooperative and non-adversarial.* CephFS quotas rely on
   the cooperation of the client who is mounting the file system to
   stop writers when a limit is reached.  A modified or adversarial
   client cannot be prevented from writing as much data as it needs.
   Quotas should not be relied on to prevent filling the system in
   environments where the clients are fully untrusted.

#. *Quotas are imprecise.* Processes that are writing to the file
   system will be stopped a short time after the quota limit is
   reached.  They will inevitably be allowed to write some amount of
   data over the configured limit.  How far over the quota they are
   able to go depends primarily on the amount of time, not the amount
   of data.  Generally speaking writers will be stopped within 10s of
   seconds of crossing the configured limit.

#. *Quotas are implemented in the kernel client 4.17 and higher.*
   Quotas are supported by the userspace client (libcephfs, ceph-fuse).
   Linux kernel clients >= 4.17 support CephFS quotas but only on
   mimic+ clusters.  Kernel clients (even recent versions) will fail
   to handle quotas on older clusters, even if they may be able to set
   the quotas extended attributes.

#. *Quotas must be configured carefully when used with path-based
   mount restrictions.* The client needs to have access to the
   directory inode on which quotas are configured in order to enforce
   them.  If the client has restricted access to a specific path
   (e.g., ``/home/user``) based on the MDS capability, and a quota is
   configured on an ancestor directory they do not have access to
   (e.g., ``/home``), the client will not enforce it.  When using
   path-based access restrictions be sure to configure the quota on
   the directory the client is restricted too (e.g., ``/home/user``)
   or something nested beneath it.

   In case of a kernel client, it needs to have access to the parent
   of the directory inode on which quotas are configured in order to
   enforce them. If quota is configured on a directory path
   (e.g., ``/home/volumes/group``), the kclient needs to have access
   to the parent (e.g., ``/home/volumes``).

   An example command to create such an user is as below::

     $ ceph auth get-or-create client.guest mds 'allow r path=/home/volumes, allow rw path=/home/volumes/group' mgr 'allow rw' osd 'allow rw tag cephfs metadata=*' mon 'allow r'

   See also: https://tracker.ceph.com/issues/55090

#. *Snapshot file data which has since been deleted or changed does not count
   towards the quota.* See also: http://tracker.ceph.com/issues/24284

Configuration
-------------

Like most other things in CephFS, quotas are configured using virtual
extended attributes:

 * ``ceph.quota.max_files`` -- file limit
 * ``ceph.quota.max_bytes`` -- byte limit

If the attributes appear on a directory inode that means a quota is
configured there.  If they are not present then no quota is set on
that directory (although one may still be configured on a parent directory).

To set a quota::

  setfattr -n ceph.quota.max_bytes -v 100000000 /some/dir     # 100 MB
  setfattr -n ceph.quota.max_files -v 10000 /some/dir         # 10,000 files

To view quota settings::

  getfattr -n ceph.quota.max_bytes /some/dir
  getfattr -n ceph.quota.max_files /some/dir

Note that if the value of the extended attribute is ``0`` that means
the quota is not set.

To remove a quota::

  setfattr -n ceph.quota.max_bytes -v 0 /some/dir
  setfattr -n ceph.quota.max_files -v 0 /some/dir
Commit	Line	Data
7c673cae FG	1	Quotas
	2	======
	3
	4	CephFS allows quotas to be set on any directory in the system. The
	5	quota can restrict the number of bytes or the number of files
	6	stored beneath that point in the directory hierarchy.
	7
	8	Limitations
	9	-----------
	10
	11	#. Quotas are cooperative and non-adversarial. CephFS quotas rely on
	12	the cooperation of the client who is mounting the file system to
	13	stop writers when a limit is reached. A modified or adversarial
	14	client cannot be prevented from writing as much data as it needs.
	15	Quotas should not be relied on to prevent filling the system in
	16	environments where the clients are fully untrusted.
	17
	18	#. Quotas are imprecise. Processes that are writing to the file
	19	system will be stopped a short time after the quota limit is
	20	reached. They will inevitably be allowed to write some amount of
	21	data over the configured limit. How far over the quota they are
	22	able to go depends primarily on the amount of time, not the amount
	23	of data. Generally speaking writers will be stopped within 10s of
	24	seconds of crossing the configured limit.
	25
11fdf7f2 TL	26	#. Quotas are implemented in the kernel client 4.17 and higher.
	27	Quotas are supported by the userspace client (libcephfs, ceph-fuse).
	28	Linux kernel clients >= 4.17 support CephFS quotas but only on
	29	mimic+ clusters. Kernel clients (even recent versions) will fail
	30	to handle quotas on older clusters, even if they may be able to set
	31	the quotas extended attributes.
7c673cae FG	32
	33	#. *Quotas must be configured carefully when used with path-based
	34	mount restrictions.* The client needs to have access to the
	35	directory inode on which quotas are configured in order to enforce
	36	them. If the client has restricted access to a specific path
	37	(e.g., ``/home/user``) based on the MDS capability, and a quota is
	38	configured on an ancestor directory they do not have access to
	39	(e.g., ``/home``), the client will not enforce it. When using
	40	path-based access restrictions be sure to configure the quota on
	41	the directory the client is restricted too (e.g., ``/home/user``)
	42	or something nested beneath it.
	43
2a845540 TL	44	In case of a kernel client, it needs to have access to the parent
	45	of the directory inode on which quotas are configured in order to
	46	enforce them. If quota is configured on a directory path
	47	(e.g., ``/home/volumes/group``), the kclient needs to have access
	48	to the parent (e.g., ``/home/volumes``).
	49
	50	An example command to create such an user is as below::
	51
	52	$ ceph auth get-or-create client.guest mds 'allow r path=/home/volumes, allow rw path=/home/volumes/group' mgr 'allow rw' osd 'allow rw tag cephfs metadata=*' mon 'allow r'
	53
	54	See also: https://tracker.ceph.com/issues/55090
	55
11fdf7f2 TL	56	#. *Snapshot file data which has since been deleted or changed does not count
	57	towards the quota.* See also: http://tracker.ceph.com/issues/24284
	58
7c673cae FG	59	Configuration
	60	-------------
	61
	62	Like most other things in CephFS, quotas are configured using virtual
	63	extended attributes:
	64
	65	* ``ceph.quota.max_files`` -- file limit
	66	* ``ceph.quota.max_bytes`` -- byte limit
	67
	68	If the attributes appear on a directory inode that means a quota is
	69	configured there. If they are not present then no quota is set on
	70	that directory (although one may still be configured on a parent directory).
	71
	72	To set a quota::
	73
	74	setfattr -n ceph.quota.max_bytes -v 100000000 /some/dir # 100 MB
	75	setfattr -n ceph.quota.max_files -v 10000 /some/dir # 10,000 files
	76
	77	To view quota settings::
	78
	79	getfattr -n ceph.quota.max_bytes /some/dir
	80	getfattr -n ceph.quota.max_files /some/dir
	81
	82	Note that if the value of the extended attribute is ``0`` that means
	83	the quota is not set.
	84
	85	To remove a quota::
	86
	87	setfattr -n ceph.quota.max_bytes -v 0 /some/dir
	88	setfattr -n ceph.quota.max_files -v 0 /some/dir