Machine reservation and multi-tenancy in MAAS

Christian Reis

Christian Reis

on 20 December 2017

As product manager for MAAS, a common request MAAS end-users bring is multi-tenancy, which in its more fundamental form can be understood as the ability to reserve machines for certain sets of users. This is common when you have a central MAAS which is managing multiple parts of your datacenter; it applies less when you are using MAAS dedicated to a deployment, such as we use in a typical starter OpenStack build.

Let’s discuss that use case in a bit more detail. It boils down to:

  1. You have a MAAS which centralizes hardware meant for multiple teams
  2. You’d like to avoid the teams being able to take hardware which is not meant for them

MAAS currently implements a feature called Machine Reservation — in essence, pre-allocating machines to users. Typically in a MAAS machines are left unassigned; once commissioned, they are only assigned on-demand, when a request to deploy a new machine comes in from the API or Web UI. But with machine reservations, you can obtain the fundamental effect of multi-tenancy in a very simple manner: you simply pre-assign machines to your users and as they request machines, they will get chosen from that assigned set.

Here’s an image showing a MAAS installation where 5 groups of users — prod, qa, staging, sandbox and admin — are each assigned of a set of machines:

MAAS listing with machines with prod, qa, staging, sandbox and admin owners.

The full listing above is only visible to administrators; machines assigned to specific users are not visible to other users when logged into the system. In other words, MAAS administrators can see the complete set of machines enlisted in MAAS, but regular users see only their own. Following on from the example above, when the prod user is logged in, they will see this:

This simple example should bring up a few questions, which I’ll cover in the next sections.

1. What happens when you run out of machines in the assigned set?

The way MAAS satisfies a user’s request to deploy a machine is pretty simple:

  1. It looks for a free machine in the set of machines assigned to the user.
  2. If there are machines available, it picks one for deployment.
  3. If there are no machines available, it looks at the set of machines not assigned to anyone.
  4. If there are machines available, it picks one for deployment.
  5. Otherwise, it returns an error.

This leaves it up to you to decide what sort of policy to put in place:

  • For a hard allocation policy, where every single machine belongs to a specific user, ensure that as new machines are commissioned in MAAS they are immediately assigned to the right user.
  • If instead you would like to have spare capacity available to whoever requests machines first, then you can leave some or all of your machines unassigned and they will be allocated in a First Come, First Served basis.

2. How do I assign machines to a group of users?

The current implementation of MAAS does not model groups; that’s on the roadmap, as is using LDAP as the source for its users and groups.

However, there is a simple way to get most of that benefit, which is to create accounts in MAAS to represent your groups, assign machines to those accounts, and hand out API keys to users within those groups. If you require users to access the Web UI, then you’ll need to share passwords between them, which is not an ideal setup, but which for certain environments is an acceptable compromise.

3. What happens when I add new machines to MAAS?

As hinted at in question 1, when new machines are added and commissioned, they are put in the globally available pool. If you are operating with a policy where all machines are always allocated to users, then ensure that you assign the new machines as soon as commissioning ends. There is a small race condition there, and one which we are also investigating how to address as part of our multi-tenancy roadmap work, but this should not generally be a major concern for most IT environments where users are trusted to a reasonable degree.

MAAS is already in use in large environments using this model, and we are welcoming input and feedback on how well it works. If you would like to add to the discussion, join the maas-devel mailing list and share your thoughts. See you there!

Ubuntu cloud

Ubuntu offers all the training, software infrastructure, tools, services and support you need for your public and private clouds.

Sign up for email updates

Choose the topics you're interested in


Related posts

MAAS 2.4.0 Alpha 2 released!

This originally appeared on Andres Rodriguez’s blog Hello MAASters! I’m happy to announce that MAAS 2.4.0 alpha 2 has now been released and is available for Ubuntu Bionic. MAAS Availability MAAS 2.4.0 alpha 1 is available in the…

MAAS for the home

This article originally appeared on Chris Sanders’ blog MAAS is designed to run in a data center where it expects to have control of DNS and DHCP. The use of an external DHCP server is listed as ‘may work but not supported’ in the…

Deploying Ubuntu OpenStack to ARM64 servers

At Canonical, we’ve been doing work to make sure Ubuntu OpenStack deploys on ARM servers as easily as on x86. Whether you have Qualcomm 2400 REP boards, Cavium ThunderX boards, HiSilicon D05 boards, or other Ubuntu …