Limiting the rate of calls made to API services can make operations more reliable and reduce the incidence of orphaned objects during high load.

If a client exceeds the rate limit, it receives an HTTP 429 Too Many Requests response. The Retry-After header in the response indicates how long the client must wait before making further calls.

You can enable rate limiting by service. For example, you might want to throttle Nova API service calls more tightly than Neutron API service calls.

Procedure

  1. Log in to the OpenStack Management Server as viouser.
  2. If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
  4. Uncomment the haproxy_throttle_period parameter and set it to the number of seconds that clients must wait if a rate limit is exceeded.
  5. If you want to configure rate limits for specific APIs, uncomment the max_requests and request_period parameters for those services and configure them as desired.

    The APIs that can be rate limited and the corresponding parameters are listed as follows.

    Option

    Description

    haproxy_keystone_max_requests

    haproxy_keystone_request_period

    Keystone API

    haproxy_keystone_admin_max_requests

    haproxy_keystone_admin_request_period

    Keystone administrator API

    haproxy_glance_max_requests

    haproxy_glance_request_period

    Glance API

    haproxy_nova_max_requests

    haproxy_nova_request_period

    Nova API

    haproxy_nova_placement_max_requests

    haproxy_nova_placement_request_period

    Nova placement API

    haproxy_cinder_max_requests

    haproxy_cinder_request_period

    Cinder API

    haproxy_designate_max_requests

    haproxy_designate_request_period

    Designate API

    haproxy_neutron_max_requests

    haproxy_neutron_request_period

    Neutron API

    haproxy_heat_max_requests

    haproxy_heat_request_period

    Heat API

    haproxy_heat_cfn_max_requests

    haproxy_heat_cfn_request_period

    Heat CloudFormation API

    haproxy_heat_cloudwatch_max_requests

    haproxy_heat_cloudwatch_request_period

    Heat CloudWatch API

    haproxy_ceilometer_max_requests

    haproxy_ceilometer_request_period

    Ceilometer API

    haproxy_aodh_max_requests

    haproxy_aodh_request_period

    Aodh API

    haproxy_panko_max_requests

    haproxy_panko_request_period

    Panko API

  6. Deploy the updated configuration.
    sudo viocli deployment configure --limit lb

    Deploying the configuration briefly interrupts OpenStack services.

Limiting Calls to the Neutron Public API

The following configuration limits calls to the Neutron public API. If a single source IP address sends more than 50 requests to the Neutron public API in a 10 second period, the load balancers will return HTTP 429 errors to all subsequent requests from that source address for a period of 60 seconds. After 60 seconds have passed, the source address can resume sending requests to the Neutron public API.

haproxy_throttle_period: 60
haproxy_neutron_max_requests: 50
haproxy_neutron_request_period: 10