Groups, VDCs, or Clusters? Best practices wanted


I am a bit puzzled on when to use groups, and when VDCs or clusters (or even ACLs, but for most of my cases I have ruled them out so far). Some of my use cases are:

  • the default group for which most of the resources would be accessible, mainly for temporary and experimental VMs. All users would be members of this group. The default ONe group “users” is probably what I want.

  • some additional groups of users (I think the best way would be to represent them as ONe groups, but I am open to suggestions):

  • group of users with access to a particular template/image/… (think VM with non-free software installed)

  • group of users with access to a particular security-sensitve VNet or a VNet with public IPv4 addresses

  • group of privileged users with somewhat bigger quota on CPUs/memory/etc.: is this even possible in ONe? Note that I am not talking about quota on the group as a whole (i.e. sum of all resources used by users in this group). I am talking about per-user quotas, maybe group-specific default quotas?

  • I want to have a separate set of physical hosts with access to “restricted” security-sensitive VLANs (does this require a separate cluster? But I want to share the CEPH datastore with the “bulk” hosts, which is currently not possible for different clusters). Only privileged users should be able to schedule VMs on these hosts, and these hosts would be inaccessible for “bulk” temporary and experimental VMs.

Any suggestions? Thanks!

A brief hints:

1.- ACLs are low level, it can be used to finegrain access rules.
Housekeeping is manual
2.- User groups are used to group users and apply to them common access
3.- Clusters are close to a physical representation are used to: (i)
automatically schedule VMs on a set of compatible resources
(hosts+datastores+vnets) (ii) add common configuration attributes for hosts
4.- VDCs is a high level interface for ACLs a VDC represents a set of
resources that a group can access to, in this case housekeeping is

Hope it helps


As for VDCs - how does user put the VM into a particular VDC, if he has access to more than one VDC? My use case is that all users would be members of the “users” group, so all will have access to the same set of resources, and some of them should have access to additional resources (VNETs, maybe SSD-backed CEPH pool).

Also, is it possible to have per-group default quotas?

Hello, sorry to bring this up again, but I am still interested in the answer:

  • is it possible to set up per-group default user quotas? Such as:

    • members of group “default” can have at most 1 lease on a VNet with public IPv4 addresses
    • members of group “staff” (which are also members of group “default”) can have at most 5 leases on that net
  • how can I find out which VDC a particular VM resides in? How can I put it in a particular VDC? I would like for example to distinguish between production VMs and throwaway temporary/experimental VMs by having a separate VDC for these types of VM.



Hello Yenya,

I have the same question.
Could you please explain how did you solve this in the end?

Thank you in advance

Bernhard J. M. Grün


still no final solution here. So far I don’t have VDCs, and I use labels for marking the VMs as production (but any user can override this, so this is not ideal). As for leases, per-group quotas, etc.: I have users and groups in a central database outside of ONe (some data is exported to LDAP, Kerberos, etc.), and I plan to write a maintenance script, which would set individual quotas based on group membership, prune the VMs of users which no longer have an active account, suspend/undeploy VMs which are not labeled as production and which are running longer than given time quota, etc.

Another problem to solve is how to do IP address leases for static addresses - I want to be able to permanently assign an IP address to a production VM, but I don’t want to let the owner of that VM to delete it and use the address for another purposes. So far I instantiate such VM under oneadmin and then change the owner. It probably can be done with reservations, but I probably don’t want to have hundreds of single-address reservations.


Replying to my historic thread, as apparently I still don’t have a solution of my problem.

What I have is a set of physical hosts connected to some VLANs and some datastores, all in one cluster. Now I want to have the default group “users”, with members of this group being able to use all hosts in this cluster for their VMs, all datastores (create images, use publicly readable images, etc.), and connect their VMs to a single “default_net” VNET.

Then I want to add more groups with access to more resources, mainly VNETs other than the default. So I want to have a group “students attending seminar X”, with group membership allowing them to use also VNET “seminar_X” (they still be members of the group “users”, so I hope they retain the default permissions). Then I want to have a group “owners of the VMs with public IPs”, with group membership allowing the to use VNET “public_IPs”.

How can I do that?

If I create a VDC for group “users”, check [x] All hosts, the “default_net” VNET and some datastores, users are not able to instantiate any new VM, as the scheduler cannot find a suitable host. When I also add my only cluster to that VDC, it works, but now every user has access to every VNET defined in that cluster, which is not what I want.

How to set up these VDCs, clusters, groups, etc., when all I want is to limit the access to some VNETs based on a group membership?

Also, the problem giving user access to a single public IP address remains unsolved.

Thanks for any hints!


Update - further progress and one more problem:
I have added the cluster to the VDC, manually selected all hosts one by one, and removed the cluster from VDC, I was able to schedule VMs. Then I checked [x]All hosts in the VDC setup, and after saving the VDC configuration again, I am still able to schedule new VMs. I am not sure what made the difference.

The problem: now I want to add a group of the “students of seminar X” type. I don’t want any special permissions for it - it will not be a primary group for any user, and I plan to add a single ACL rule permitting the members of this group to use the VNet dedicated for “seminar X”. So I click on [+] to create a new group, and in the Permissions tab, I un-check all checkboxes (VMs, VNets, Security groups, etc.). When I try to create the group, I get the following error:

Error creating group ACL's: [one.acl.addrule] Rule @113 /* CREATE * is malformed: [resource] type is missing

I am able to create a new group only after checking at least one checkbox in the Permissions tab.

And a final question: how do I know which ACLs have been created manually, and which have been added automatically when creating a group, assigning it to a VDC, or whatever.

It looks like I have a completely different use case than other ONe users…


FWIW, I have created a Github issue with the above ACL problem: