Re: [openstack-dev] [all] [ptls] The Czar system, or how to scale PTLs

2014-08-22 Thread Rochelle.RochelleGrober
/flame-on
Ok, this is funny to some of us in the community.  The general populace of this 
community is so against the idea of management that they will use the term for 
a despotic dictator as a position name rather than manager.  Sorry, but this 
needed to be said.
/flame-off

Specific comments in line:

Thierry Carrez wrote:
 
 Hi everyone,
 
 We all know being a project PTL is an extremely busy job. That's
 because
 in our structure the PTL is responsible for almost everything in a
 project:
 
 - Release management contact
 - Work prioritization
 - Keeping bugs under control
 - Communicate about work being planned or done
 - Make sure the gate is not broken
 - Team logistics (run meetings, organize sprints)
 - ...
 

Point of clarification:  I've heard PTL=Project Technical Lead and PTL=Program 
Technical Lead. Which is it?  It is kind of important as OpenStack grows, 
because the first is responsible for *a* project, and the second is responsible 
for all projects within a program.

I'd also like to set out as an example of a Program that is growing to 
encompass multiple projects, the Neutron Program.  Look at how it is expanding:

Multiple sub-teams for:  LBAAS, DNAAS, GBP, etc.  This model could be extended 
such that:  
- the subteam is responsible for code reviews, including the first +2 for 
design, architecture and code of the sub-project, always also keeping an eye 
out that the sub-project code continues to both integrate well with the 
program, and that the program continues to provide the needed code bits, 
architecture modifications and improvements, etc. to support the sub-project.
- the final +2/A would be from the Program reviewers to ensure that all 
integrate nicely together into a single, cohesive program.  
- This would allow sub-projects to have core reviewers, along with the program 
and be a good separation of duties.  It would also help to increase the number 
of reviews moving to merged code.
- Taken to a logical stepping stone, you would have project technical leads for 
each project, and they would make up a program council, with the program 
technical lead being the chair of the council.

This is a way to offload a good chunk of PTL tactical responsibilities and help 
them focus more on the strategic.

 They end up being completely drowned in those day-to-day operational
 duties, miss the big picture, can't help in development that much
 anymore, get burnt out. Since you're either the PTL or not the PTL,
 you're very alone and succession planning is not working that great
 either.
 
 There have been a number of experiments to solve that problem. John
 Garbutt has done an incredible job at helping successive Nova PTLs
 handling the release management aspect. Tracy Jones took over Nova bug
 management. Doug Hellmann successfully introduced the concept of Oslo
 liaisons to get clear point of contacts for Oslo library adoption in
 projects. It may be time to generalize that solution.
 
 The issue is one of responsibility: the PTL is ultimately responsible
 for everything in a project. If we can more formally delegate that
 responsibility, we can avoid getting up to the PTL for everything, we
 can rely on a team of people rather than just one person.
 
 Enter the Czar system: each project should have a number of liaisons /
 official contacts / delegates that are fully responsible to cover one
 aspect of the project. We need to have Bugs czars, which are
 responsible
 for getting bugs under control. We need to have Oslo czars, which serve
 as liaisons for the Oslo program but also as active project-local oslo
 advocates. We need Security czars, which the VMT can go to to progress
 quickly on plugging vulnerabilities. We need release management czars,
 to handle the communication and process with that painful OpenStack
 release manager. We need Gate czars to serve as first-line-of-contact
 getting gate issues fixed... You get the idea.
 
/flame-on
Let's call spades, spades here.  Czar is not only overkill, but the wrong 
metaphor.
/flame-off

Each position suggested here exists in corporate development projects:
- Bug czar == bug manager/administrator/QA engineer/whatever - someone in 
charge of making sure bugs get triages, assigned and completed
- Oslo czar == systems engineers/project managers who make sure that the 
project is in line with the rest of the projects that together make an 
integrated release.  This position needs to stretch beyond just Oslo to 
encompass all the cross-project requirements and will likely be its own 
committee
- Gate Czar == integration engineer(manager)/QA engineer(manager)/build-release 
engineer.  This position would also likely be a liaison to Infra.
- Security Czar == security guru (that name takes me back ;-)
- Release management Czar == Project release manager
- Doc Czar == tech editor
- Tempest Czar == QA engineer(manager)

Yes, programs are now mostly big enough to require coordination and management. 
 The roles are long defined, so 

Re: [openstack-dev] [all] [ptls] The Czar system, or how to scale PTLs

2014-08-25 Thread Rochelle.RochelleGrober


Zane Bitter wrote:
 On 22/08/14 21:02, Anne Gentle wrote:
  I'm with Rocky on the anti-czar-as-a-word camp. We all like clever
 names to
  shed the corporate stigma but this word ain't it. Liaison or lead?
 
 +1. The only time you hear the word 'czar' in regular life (outside of
 references to pre-revolutionary Russia) it means that the government is
 looking for a cheap PR win that doesn't require actually doing/changing
 anything.
 
 Liaison or Contact would be fine choices IMHO.

Or, how about Secretary?  Such as part of a cabinet?  Secretary of bugs is 
kinda cool in that they collect info and report, troubleshoot, etc., but final 
decisions are directed by PTL.

--Rocky

 
 cheers,
 Zane.



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [all] [ptls] The Czar system, or how to scale PTLs

2014-08-25 Thread Rochelle.RochelleGrober
Zane Bitter [August 25, 2014 1:38 PM] wrote:

. . .

snip


 
 I'd say we've done fairly well, but I would attribute that at least in
 part to the fact that we've treated the PTL as effectively the
 temporary
 release management contact more than the guy who will resolve
 disputes for us. In other words, despite rather than because of the
 requirement to have a PTL.
 
 I do think that having a PTL with no actual responsibilities runs the
 risk of having it be seen as a trophy rather than a service to the
 community. The good PTLs - which so far is all of them - are likely to
 respond by volunteering for just as many things as they were doing
 before, so that will tend to counteract the goal of preventing burnout.

I don't think anyone is saying or even really believes that distributing the 
workload would result in a PTL no actual responsibilities.  There is just so 
much to do as a PTL for the larger projects that even having a team focused on 
ensuring the tactical activities happen will still leave the PTL with a 
superhuman workload: planning, coordinating, correcting, driving, regrouping, 
focusing, liaising, etc.  

As I said in my previous mail (got lost in the conversation about what to call 
these team members), To keep growing quality, communications, contributions and 
the health of the projects and OpenStack as an ecosystem, the PTLs must not 
only be strategic thinkers, but strategic actors.  And it's pretty darn hard to 
be strategic when you're down in the tactical, day-to-day weeds.  All of it is 
important, but the only way to keep OpenStack growing *and* healthy is to start 
to specialize in organizational areas, not just code areas.

Look at the organic growth of technical projects in general.  When you start 
with just a few people, communication is easy.  Everyone knows the whole 
project and it's easy to stay on the same page.  New people come on board and 
now you need to document design, operation and organizational lore.  More 
people come on board and you need to track bugs, maybe features, and maybe 
split into groups, which means a leader needs to arise in each group such that 
the multiple groups can stay in sync and integrate their components.  And it 
continues to grow.  Some OpenStack projects have reached the state where each 
of them are really multiple projects, each with a lead.  Neutron and TripleO 
both address this situation, empowering the internal projects and project 
leads, with the PTLs becoming more strategic and more focused on the ecosystem 
of the subprojects.

I bet Kyle Mestery, Jay Pipes and Robert Collins would be happy to dissuade you 
of the idea that they don't have any responsibilities ;-)

--Rocky


  I'm open to the alternative solution (which would be for programs
 which
  are not interested in having a PTL to just not have one). But then if
  things go badly wrong, you require the TC to step in with threats of
  removal of OpenStack and/or to force an election/vote in the middle
 of
  the crisis. I'm really failing to see how that would result, in those
  hypothetical crisis scenarios, in a better outcome.
 
 I don't think there are any good scenarios if you get to that crisis
 point. Imagine a scenario where the community is more or less evenly
 split and neither side is willing to back down even after seeking
 guidance from the TC, the PTL breaks the deadlock by fiat in lieu of
 consensus, followed by an unusually high number of spelling mistakes
 corrections in the source code, a single-issue election, potentially a
 reversal of the decision and possibly a fork that will force the TC to
 step in and choose a side. (Note: not choosing is also a choice.)
 That's
 pretty much an unmitigated disaster too.
 
 Our goal must be to avoid reaching the crisis point, and it seems to me
 that it is actually helpful to make clear to projects that their
 choices
 are:
 Option A: reach consensus
 Option B: there is no Option B
 
 cheers,
 Zane.
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [all] The future of the integrated release

2014-08-26 Thread Rochelle.RochelleGrober


On August 26, 2014, Anne Gentle wrote:
On Mon, Aug 25, 2014 at 8:36 AM, Sean Dague 
s...@dague.netmailto:s...@dague.net wrote:
On 08/20/2014 12:37 PM, Zane Bitter wrote:
 On 11/08/14 05:24, Thierry Carrez wrote:
 So the idea that being (and remaining) in the integrated release should
 also be judged on technical merit is a slightly different effort. It's
 always been a factor in our choices, but like Devananda says, it's more
 difficult than just checking a number of QA/integration checkboxes. In
 some cases, blessing one project in a problem space stifles competition,
 innovation and alternate approaches. In some other cases, we reinvent
 domain-specific solutions rather than standing on the shoulders of
 domain-specific giants in neighboring open source projects.

 I totally agree that these are the things we need to be vigilant about.

 Stifling competition is a big worry, but it appears to me that a lot of
 the stifling is happening even before incubation. Everyone's time is
 limited, so if you happen to notice a new project on the incubation
 trajectory doing things in what you think is the Wrong Way, you're most
 likely to either leave some drive-by feedback or to just ignore it and
 carry on with your life. What you're most likely *not* to do is to start
 a competing project to prove them wrong, or to jump in full time to the
 existing project and show them the light. It's really hard to argue
 against the domain experts too - when you're acutely aware of how
 shallow your knowledge is in a particular area it's very hard to know
 how hard to push. (Perhaps ironically, since becoming a PTL I feel I
 have to be much more cautious in what I say too, because people are
 inclined to read too much into my opinion - I wonder if TC members feel
 the same pressure.) I speak from first-hand instances of guilt here -
 for example, I gave some feedback to the Mistral folks just before the
 last design summit[1], but I haven't had time to follow it up at all. I
 wouldn't be a bit surprised if they showed up with an incubation
 request, a largely-unchanged user interface and an expectation that I
 would support it.

 The result is that projects often don't hear the feedback they need
 until far too late - often when they get to the incubation review (maybe
 not even their first incubation review). In the particularly unfortunate
 case of Marconi, it wasn't until the graduation review. (More about that
 in a second.) My best advice to new projects here is that you must be
 like a ferret up the pant-leg of any negative feedback. Grab hold of any
 criticism and don't let go until you have either converted the person
 giving it into your biggest supporter, been converted by them, or
 provoked them to start a competing project. (Any of those is a win as
 far as the community is concerned.)

 Perhaps we could consider a space like a separate mailing list
 (openstack-future?) reserved just for announcements of Related projects,
 their architectural principles, and discussions of the same?  They
 certainly tend to get drowned out amidst the noise of openstack-dev.
 (Project management, meeting announcements, and internal project
 discussion would all be out of scope for this list.)

 As for reinventing domain-specific solutions, I'm not sure that happens
 as often as is being made out. IMO the defining feature of IaaS that
 makes the cloud the cloud is on-demand (i.e. real-time) self-service.
 Everything else more or less falls out of that requirement, but the very
 first thing to fall out is multi-tenancy and there just aren't that many
 multi-tenant services floating around out there. There are a couple of
 obvious strategies to deal with that: one is to run existing software
 within a tenant-local resource provisioned by OpenStack (Trove and
 Sahara are examples of this), and the other is to wrap a multi-tenancy
 framework around an existing piece of software (Nova and Cinder are
 examples of this). (BTW the former is usually inherently less
 satisfying, because it scales at a much coarser granularity.) The answer
 to a question of the form:

 Why do we need OpenStack project $X, when open source project $Y
 already exists?

 is almost always:

 Because $Y is not multi-tenant aware; we need to wrap it with a
 multi-tenancy layer with OpenStack-native authentication, metering and
 quota management. That even allows us to set up an abstraction layer so
 that you can substitute $Z as the back end too.

 This is completely uncontroversial when you substitute X, Y, Z = Nova,
 libvirt, Xen. However, when you instead substitute X, Y, Z =
 Zaqar/Marconi, Qpid, MongoDB it suddenly becomes *highly* controversial.
 I'm all in favour of a healthy scepticism, but I think we've passed that
 point now. (How would *you* make an AMQP bus multi-tenant?)

 To be clear, Marconi did made a mistake. The Marconi API presented
 semantics to the user that excluded many otherwise-obvious choices of
 back-end plugin (i.e. Qpid/RabbitMQ). It 

Re: [openstack-dev] [all] Design Summit reloaded

2014-08-27 Thread Rochelle.RochelleGrober
On August 27, 2014 3:26 PM Clint Byrum wrote: 
Excerpts from Thierry Carrez's message of 2014-08-27 05:51:55:
 Hi everyone,
 
 I've been thinking about what changes we can bring to the Design Summit
 format to make it more productive. I've heard the feedback from the
 mid-cycle meetups and would like to apply some of those ideas for Paris,
 within the constraints we have (already booked space and time). Here is
 something we could do:
 
 Day 1. Cross-project sessions / incubated projects / other projects
 
 I think that worked well last time. 3 parallel rooms where we can
 address top cross-project questions, discuss the results of the various
 experiments we conducted during juno. Don't hesitate to schedule 2 slots
 for discussions, so that we have time to come to the bottom of those
 issues. Incubated projects (and maybe other projects, if space allows)
 occupy the remaining space on day 1, and could occupy pods on the
 other days.
 

I like it. The only thing I would add is that it would be quite useful if
the use of pods were at least partially enhanced by an unconference style
interest list.  What I mean is, on day 1 have people suggest topics and
vote on suggested topics to discuss at the pods, and from then on the pods
can host these topics. This is for the other things that aren't well
defined until the summit and don't have their own rooms for days 2 and 3.


[Rocky Grober] +100  the only thing I would add is that each morning, the 
unconference could vote for that day (or half day for that matter), that way, 
if a session or sessions from the day before generated greater interest in 
something either not listed or with low votes, the morning vote could shift 
priorities towards the now higher interest topic.

--Rocky


This is driven by the fact that the pods in Atlanta were almost always
busy doing something other than whatever the track that owned them
wanted. A few projects pods grew to 30-40 people a few times, eating up
all the chairs for the surrounding pods. TripleO often sat at the Heat
pod because of this for instance.

I don't think they should be fully scheduled. They're also just great
places to gather and have a good discussion, but it would be useful to
plan for topic flexibility and help coalesce interested parties, rather
than have them be silos that get taken over randomly. Especially since
there is a temptation to push the other topics to them already.



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [all] Design Summit reloaded

2014-08-27 Thread Rochelle.RochelleGrober


From: Chris Jones [mailto:c...@tenshu.net] 

Hi Anita

Your impromptu infra-clue-dissemination talks sound interesting (I'd like to 
see the elastic recheck fingerprint one, for example). Would it make sense to 
amplify your reach, by making some short screencasts of these sorts of things?

Cheers,
--
Chris Jones

[Rocky Grober] +1 or a session at Paris that is recorded?


 On 27 Aug 2014, at 21:48, Anita Kuno ante...@anteaya.info wrote:
 
 On 08/27/2014 02:46 PM, John Griffith wrote:
 On Wed, Aug 27, 2014 at 9:25 AM, Flavio Percoco fla...@redhat.com wrote:
 
 On 08/27/2014 03:26 PM, Sean Dague wrote:
 On 08/27/2014 08:51 AM, Thierry Carrez wrote:
 Hi everyone,
 
 I've been thinking about what changes we can bring to the Design Summit
 format to make it more productive. I've heard the feedback from the
 mid-cycle meetups and would like to apply some of those ideas for Paris,
 within the constraints we have (already booked space and time). Here is
 something we could do:
 
 Day 1. Cross-project sessions / incubated projects / other projects
 
 I think that worked well last time. 3 parallel rooms where we can
 address top cross-project questions, discuss the results of the various
 experiments we conducted during juno. Don't hesitate to schedule 2 slots
 for discussions, so that we have time to come to the bottom of those
 issues. Incubated projects (and maybe other projects, if space allows)
 occupy the remaining space on day 1, and could occupy pods on the
 other days.
 
 Day 2 and Day 3. Scheduled sessions for various programs
 
 That's our traditional scheduled space. We'll have a 33% less slots
 available. So, rather than trying to cover all the scope, the idea would
 be to focus those sessions on specific issues which really require
 face-to-face discussion (which can't be solved on the ML or using spec
 discussion) *or* require a lot of user feedback. That way, appearing in
 the general schedule is very helpful. This will require us to be a lot
 stricter on what we accept there and what we don't -- we won't have
 space for courtesy sessions anymore, and traditional/unnecessary
 sessions (like my traditional release schedule one) should just move
 to the mailing-list.
 
 Day 4. Contributors meetups
 
 On the last day, we could try to split the space so that we can conduct
 parallel midcycle-meetup-like contributors gatherings, with no time
 boundaries and an open agenda. Large projects could get a full day,
 smaller projects would get half a day (but could continue the discussion
 in a local bar). Ideally that meetup would end with some alignment on
 release goals, but the idea is to make the best of that time together to
 solve the issues you have. Friday would finish with the design summit
 feedback session, for those who are still around.
 
 
 I think this proposal makes the best use of our setup: discuss clear
 cross-project issues, address key specific topics which need
 face-to-face time and broader attendance, then try to replicate the
 success of midcycle meetup-like open unscheduled time to discuss
 whatever is hot at this point.
 
 There are still details to work out (is it possible split the space,
 should we use the usual design summit CFP website to organize the
 scheduled time...), but I would first like to have your feedback on
 this format. Also if you have alternative proposals that would make a
 better use of our 4 days, let me know.
 
 I definitely like this approach. I think it will be really interesting
 to collect feedback from people about the value they got from days 2  3
 vs. Day 4.
 
 I also wonder if we should lose a slot from days 1 - 3 and expand the
 hallway time. Hallway track is always pretty interesting, and honestly
 at a lot of interesting ideas spring up. The 10 minute transitions often
 seem to feel like you are rushing between places too quickly some times.
 
 +1
 
 Last summit, it was basically impossible to do any hallway talking and
 even meet some folks face-2-face.
 
 Other than that, I think the proposal is great and makes sense to me.
 
 Flavio
 
 --
 @flaper87
 Flavio Percoco
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 
 ​Sounds like a great idea to me:
 +1​
 
 
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 
 I think this is a great direction.
 
 Here is my dilemma and it might just affect me. I attended 3 mid-cycles
 this release: one of Neutron's (there were 2), QA/Infra and Cinder. The
 Neutron and Cinder ones were mostly in pursuit of figuring out third
 party and exchanging information surrounding that (which I feel was
 successful). The QA/Infra one was, well even though I feel like I have
 been awol, I still consider this my home.
 
 From my perspective and check with Neutron 

Re: [openstack-dev] [nova][neutron][cinder] Averting the Nova crisis by splitting out virt drivers

2014-09-10 Thread Rochelle.RochelleGrober
-Original Message-
From: Daniel P. Berrange [mailto:berra...@redhat.com] 
Sent: Wednesday, September 10, 2014 1:45 AM

On Tue, Sep 09, 2014 at 05:14:43PM -0700, Stefano Maffulli wrote:
  To me, this means you don't really want a sin bin where you dump
  drivers and tell them not to come out until they're fit to be
  reviewed by the core; You want a trusted driver community which does
  its own reviews and means the core doesn't have to review them.
 
 I think we're going somewhere here, based on your comment and other's:
 we may achieve some result if we empower a new set of people to manage
 drivers, keeping them in the same repositories where they are now. This
 new set of people may not be the current core reviewers but other with
 different skillsets and more capable of understanding the driver's
 ecosystem, needs, motivations, etc.
 
 I have the impression this idea has been circling around for a while but
 for some reason or another (like lack of capabilities in gerrit and
 other reasons) we never tried to implement it. Maybe it's time to think
 about an implementation. We have been thinking about mentors
 https://wiki.openstack.org/wiki/Mentors, maybe that's a way to go?
 Sub-team with +1.5 scoring capabilities?

I think that setting up subteams is neccessary to stop us imploding but
I don't think it is enough. As long as we have one repo we're forever
going to have conflict  contention in deciding which features to accept,
which is a big factor in problems today. I favour the strong split of the
drivers into separate repositories to remove the contente between the
teams as much as is practical.

[Rocky Grober]  
+100

There is a huge benefit to getting the drivers into separate repositories.  
Once the APIs/interfaces in Nova are clean enough to support the move, they 
will stay cleaner than if the drivers are in the same repository.  And the 
subteams will ensure that the drivers are to their level of quality.  The CI 
system will be easier to manage with thirdparty CIs for each of the drivers.  
And to get changes into Nova Core, the subteams will need to cooperate, as any 
core change that affects one driver will most likely affect others, so it will 
be in the subteams' best interests to keep the driver/core APIs clean and free 
of special cases.

From Kyle's later mail:
I think that is absolutely the case: sub-team leaders need to be vetted based 
on their upstream communication skills. I also think what we're looking at in 
Neutron is giving sub-teams a shelf-life, and spinning them down rather than 
letting them live long-term, lose focus, and wander aimlessly.

This is also a very important point that I'd like to expand on.  The subteams 
really should form a drivers team composed of each subteams' PTLs.  This 
drivers team would be the interface to Nova Core and would need those upstream 
communications skills.  This team could also be the place Nova Core/Driver API 
changes get discussed and finalized from the drivers' perspective.  Maybe the 
Drivers PTL team should even start with electing a Nova Core from its PTLs as 
the Drivers team lead.  This team would also be the perfect place for Nova PTL 
and team to work with Drivers teams to collaborate on specs and issues.

Unlike in Neutron, the subteams wouldn't roll back into the Nova core, as their 
charter/purpose will continue to develop as hypervisors, containers, bare metal 
and other new virtual control planes develop.  Getting these teams right will 
mean more agility, higher quality and better consistency within the Nova 
ecosystem.  The drivers team should become strong partners with Nova core in 
allowing Nova to innovate more quickly while addressing technical debt to 
increase quality around the Nova/drivers interactions.

--Rocky
[/Rocky Grober]

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [all] OpenStack bootstrapping hour - Friday Sept 19th - 3pm EST

2014-09-15 Thread Rochelle.RochelleGrober
+1000
This is *great*.  Not only for newbies, but refreshers, learning different 
approaches, putting faces to the signatures, etc.  And Mock best practices is a 
brilliant starting place for developers.

I'd like to vote for a few others:
- Development environment (different ones: PyCharms, Eclipse, IDE for Docs, etc)
- Tracking down a bug: log searching, back tracing, etc.
- Fixing a bug:  From assigning in Launchpad through clone, fix, git review, 
etc.
- Writing an integrated test: setup, data recording/collection/clean tear down.

Sorry to have such a big wish list, but for people who learn experientially, 
this will be immensely useful.

--Rocky

-Original Message-
From: Sean Dague [mailto:s...@dague.net] 
Sent: Monday, September 15, 2014 3:56 PM
To: openstack-dev@lists.openstack.org
Subject: [openstack-dev] [all] OpenStack bootstrapping hour - Friday Sept 19th 
- 3pm EST

A few of us have decided to pull together a regular (cadence to be
determined) video series taking on deep dives inside of OpenStack,
looking at code, explaining why things work that way, and fielding
questions from anyone interested.

For lack of a better title, I've declared it OpenStack Bootstrapping Hour.

Episode 0 - Mock best practices will kick off this Friday, Sept 19th,
from 3pm - 4pm EST. Our experts for this will be Jay Pipes and Dan
Smith. It will be done as a Google Hangout on Air, which means there
will be a live youtube stream while it's on, and a recorded youtube
video that's publicly accessible once we're done.

We'll be using an etherpad during the broadcast to provide links to the
content people are looking at, as well as capture questions. That will
be our backchannel, and audience participation forum, with the advantage
that it creates a nice concise document at the end of the broadcast that
pairs well with the video. (Also: the tech test showed that while code
examples are perfectly viewable during in the final video, during the
live stream they are a little hard to read, etherpad links will help
people follow along at home).

Assuming this turns out to be useful, we're thinking about lots of other
deep dives. The intent is that these are indepth dives. We as a
community have learned so many things over the last 4 years, but as
OpenStack has gotten so large, being familiar with more than a narrow
slice is hard. This is hopefully a part of the solution to address that.
As I've told others, if nothing else, I'm looking forward to learning a
ton in the process.

Final links for the hangout + etherpad will be posted a little later in
the week. Mostly wanted to make people aware it was coming.

-Sean

-- 
Sean Dague
http://dague.net

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


[openstack-dev] Log Rationalization -- Bring it on!

2014-09-17 Thread Rochelle.RochelleGrober
TL;DR:  I consider the poor state of log consistency a major impediment for 
more widespread adoption of OpenStack and would like to volunteer to own this 
cross-functional process to begin to unify and standardize logging messages and 
attributes for Kilo while dealing with the most egregious issues as the 
community identifies them.



Recap from some mail threads:



From Sean Dague on Kilo cycle goals:

2. Consistency in southbound interfaces (Logging first)



Logging and notifications are south bound interfaces from OpenStack providing 
information to people, or machines, about what is going on.

There is also a 3rd proposed south bound with osprofiler.



For Kilo: I think it's reasonable to complete the logging standards and 
implement them. I expect notifications (which haven't quite kicked off) are 
going to take 2 cycles.



I'd honestly *really* love to see a unification path for all the the southbound 
parts, logging, osprofiler, notifications, because there is quite a bit of 
overlap in the instrumentation/annotation inside the main code for all of these.


And from Doug Hellmann:
1. Sean has done a lot of analysis and started a spec on standardizing logging 
guidelines where he is gathering input from developers, deployers, and 
operators [1]. Because it is far enough for us to see real progress, it's a 
good place for us to start experimenting with how to drive cross-project 
initiatives involving code and policy changes from outside of a single project. 
We have a couple of potentially related specs in Oslo as part of the oslo.log 
graduation work [2] [3], but I think most of the work will be within the 
applications.

[1] https://review.openstack.org/#/c/91446/
[2] 
https://blueprints.launchpad.net/oslo.log/+spec/app-agnostic-logging-parameters
[3] https://blueprints.launchpad.net/oslo.log/+spec/remove-context-adapter



And from James Blair:

1) Improve log correlation and utility



If we're going to improve the stability of OpenStack, we have to be able to 
understand what's going on when it breaks.  That's both true as developers when 
we're trying to diagnose a failure in an integration test, and it's true for 
operators who are all too often diagnosing the same failure in a real 
deployment.  Consistency in logging across projects as well as a cross-project 
request token would go a long way toward this.

While I am not currently managing an OpenStack deployment, writing tests or 
code, or debugging the stack, I have spent many years doing just that.  Through 
QA, Ops and Customer support, I have come to revel in good logging and log 
messages and curse the holes and vagaries in many systems.

Defining/refining logs to be useful and usable is a cross-functional effort 
that needs to include:

· Operators

· QA

· End Users

· Community managers

· Tech Pubs

· Translators

· Developers

· TC (which provides the forum and impetus for all the projects to 
cooperate on this)

At the moment, I think this effort may best work under the auspices of Oslo 
(oslo.log), I'd love to hear other proposals.

Here is the beginnings of my proposal of how to attack and subdue the painful 
state of logs:


· Post this email to the MLs (dev, ops, enduser) to get feedback, 
garner support and participants in the process
(Done;-)

· In parallel:

o   Collect up problems, issues, ideas, solutions on an etherpad 
https://etherpad.openstack.org/p/Log-Rationalization where anyone in the 
communities can post.

o   Categorize  reported Log issues into classes (already identified classes):

§  Format Consistency across projects

§  Log level definition and categorization across classes

§  Time syncing entries across tens of logfiles

§  Relevancy/usefulness of information provided within messages

§  Etc (missing a lot here, but I'm sure folks will speak up)

o   Analyze existing log message formats, standards across integrated projects

o   File bugs where issues identified are actual project bugs

o   Build a session outline for F2F working session at the Paris Design Summit

· At the Paris Design Summit, use a session and/or pod discussions to 
set priorities, recruit contributors, start and/or flesh out specs and 
blueprints

· Proceed according to priorities, specs, blueprints, contributions and 
changes as needed as the work progresses.

· Keep an active and open rapport and reporting process for the user 
community to comment and participate in the processes.
Measures of success:

· Log messages provide consistency of format enough for productive 
mining through operator writable scripts

· Problem debugging is simplified through the ability to trust 
timestamps across all OpenStack logs (and use scripts to get to the time you 
want in any/all of the logfiles)

· Standards for format, content, levels and translations have been 
proposed and agreed to be adopted across all 

Re: [openstack-dev] [Nova] [All] API standards working group (was: Some ideas for micro-version implementation)

2014-09-23 Thread Rochelle.RochelleGrober




jaypi...@gmail.commailto:jaypi...@gmail.com on Tuesday, September 23, 2014 
9:09 AM wrote:


_Snip



I'd like to say finally that I think there should be an OpenStack API

working group whose job it is to both pull together a set of OpenStack

API practices as well as evaluate new REST APIs proposed in the

OpenStack ecosystem to provide guidance to new projects or new

subprojects wishing to add resources to an existing REST API.



Best,

-jay



[Rocky Grober] ++

Jay, are you volunteering to head up the working group? Or at least be an 
active member?  I'll certainly follow with interest, but I think I have my 
hands full with the log rationalization working group.



--Rocky
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Fwd: Change in openstack/neutron[master]: Kill dnsmasq and ns-meta softly]

2014-01-28 Thread Rochelle.RochelleGrober
+1 anyway.  Sometimes I feel like we've lost the humor in our work, but at 
least I see it on IRC and now here.

Thanks for the humanity check!

--Rocky

From: Salvatore Orlando [mailto:sorla...@nicira.com]
Sent: Tuesday, January 28, 2014 1:05 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Fwd: Change in openstack/neutron[master]: Kill 
dnsmasq and ns-meta softly]

It might be creative, but it's a shame that it did not serve the purpose.
At least it confirmed the kernel bug was related to process termination in 
network namespaces but was due to SIGKILL exlusively, as it occurred with 
SIGTERM as well.

On the bright side, Mark has now pushed another patch which greatly reduces the 
occurence of bug 1273386 [1]
We are also working with the ubuntu kernel team to assess whether a kernel fix 
is needed.

Salvatore

[1] https://review.openstack.org/#/c/69653/

On 28 January 2014 18:13, Edgar Magana 
emag...@plumgrid.commailto:emag...@plumgrid.com wrote:
No doubt about it!!!

Edgar

On 1/28/14 8:45 AM, Jay Pipes jaypi...@gmail.commailto:jaypi...@gmail.com 
wrote:

This might just be the most creative commit message of the year.

-jay
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [PTL] Designating required use upstream code

2014-02-05 Thread Rochelle.RochelleGrober
On Wed, Feb 5, 2014 at 12:05 PM, Russell Bryant 
rbry...@redhat.commailto:rbry...@redhat.com wrote:
On 02/05/2014 11:22 AM, Thierry Carrez wrote:
 (This email is mostly directed to PTLs for programs that include one
 integrated project)

 The DefCore subcommittee from the OpenStack board of directors asked the
 Technical Committee yesterday about which code sections in each
 integrated project should be designated sections in the sense of [1]
 (code you're actually needed to run or include to be allowed to use the
 trademark). That determines where you can run alternate code (think:
 substitute your own private hypervisor driver) and still be able to call
 the result openstack.

 [1] https://wiki.openstack.org/wiki/Governance/CoreDefinition

 PTLs and their teams are obviously the best placed to define this, so it
 seems like the process should be: PTLs propose designated sections to
 the TC, which blesses them, combines them and forwards the result to the
 DefCore committee. We could certainly leverage part of the governance
 repo to make sure the lists are kept up to date.

 Comments, thoughts ?

The process you suggest is what I would prefer.  (PTLs writing proposals
for TC to approve)

Using the governance repo makes sense as a means for the PTLs to post
their proposals for review and approval of the TC.

+1

+1

Who gets final say if there's strong disagreement between a PTL and the
TC?  Hopefully this won't matter, but it may be useful to go ahead and
clear this up front.

The Board has some say in this, too, right? The proposal [1] is for a set of 
tests to be proposed and for the Board to approve (section 8).

What is the relationship between that test suite and the designated core areas? 
It seems that anything being tested would need to be designated as core. What 
about the inverse?

The test suite should validate that the core 
capabilities/behaviors/functionality behave as expected (positive and negative 
testing in an integrated environment).  So, the test suites would need to be 
reviewed for applicability.  Maybe, like Gerrit, there would be voting and 
nonvoting parts of tests based on whether something outside of core gets 
exercised in the process of running some tests.  Whatever the case, I doubt 
that the tests would generate a simple yes/no, but rather a score.  An 
discussion of one of the subsets of capabilities for Nova might start with the 
capabilities highlighted on this page:
https://wiki.openstack.org/wiki/HypervisorSupportMatrix

The test suite would need to exercise the capabilities in these sorts of 
matrices and might product the A/B/C grades as the rest of the page elucidates.

--Rocky

Doug

[1] https://wiki.openstack.org/wiki/Governance/CoreDefinition



--
Russell Bryant

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Nova] RFC: Generate API sample files from API schemas

2014-02-06 Thread Rochelle.RochelleGrober
+1

Really lots more than just +1

This leads to so many more efficiencies and increase in effectiveness.

--Rocky

-Original Message-
From: Vishvananda Ishaya [mailto:vishvana...@gmail.com] 
Sent: Thursday, February 06, 2014 10:17 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Nova] RFC: Generate API sample files from API 
schemas


On Feb 6, 2014, at 5:38 AM, Kenichi Oomichi oomi...@mxs.nes.nec.co.jp wrote:

 
 Hi,
 
 I'd like to propose one idea that autogenerates API sample files from 
 API schema for Nova v3 API.
 
 We are working on API validation for v3 API, the works require API 
 schema which is defined with JSONSchema for each API. On the other 
 hand, API sample files of v3 API are autogenerated from the template 
 files of v3 API under nova/tests/integrated/v3/api_samples, as api_samples's 
 README.rst[1].
 The API schema files are similar to the template files, because both 
 represent the API parameter structures and each API name.
 
 For example, the template file of keypairs is
 --
 
  {
  keypair: {
  name: %(keypair_name)s
  }
  }
 --
 
 
 and the API schema file is
 --
 
  create = {
  'type': 'object',
  'properties': {
  'keypair': {
  'type': 'object',
  'properties': {
  'name': {
  'type': 'string', 'minLength': 1, 'maxLength': 255,
  'pattern': '^[a-zA-Z0-9 _-]+$'
  },
  'public_key': {'type': 'string'},
  },
  'required': ['name'],
  'additionalProperties': False,
  },
  },
  'required': ['keypair'],
  'additionalProperties': False,
  }
 --
 
 
 When implementing new v3 API, we need to write/review both files and 
 that would be hard works. For reducing the workload, I'd like to 
 propose one idea[2] that autogenerates API sample files from API 
 schema instead of template files. We would not need to write a template file 
 of a request.

+1

The template files were there because we didn't have a clear schema defined.

It would be awesome to get rid of the templates.

Vish

 
 The XML support is dropped from Nova v3 API, and the decision could 
 make this implementation easier. The NOTE is that we still need 
 response template files even if implementing this idea, because API 
 schema files of response don't exist.
 
 Any comments are welcome.
 
 
 Thanks
 Ken'ichi Ohmichi
 
 ---
 [1]: 
 https://github.com/openstack/nova/blob/master/nova/tests/integrated/ap
 i_samples/README.rst
 [2]: https://review.openstack.org/#/c/71465/
 
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [openstack-qa] Graduation Requirements + Scope of Tempest

2014-03-20 Thread Rochelle.RochelleGrober


 -Original Message-
 From: Malini Kamalambal [mailto:malini.kamalam...@rackspace.com]
 Sent: Thursday, March 20, 2014 12:13 PM
 
 'project specific functional testing' in the Marconi context is
 treating
 Marconi as a complete system, making Marconi API calls  verifying the
 response - just like an end user would, but without keystone. If one of
 these tests fail, it is because there is a bug in the Marconi code ,
 and
 not because its interaction with Keystone caused it to fail.
 
 That being said there are certain cases where having a project
 specific
 functional test makes sense. For example swift has a functional test
 job
 that
 starts swift in devstack. But, those things are normally handled on a
 per
 case
 basis. In general if the project is meant to be part of the larger
 OpenStack
 ecosystem then Tempest is the place to put functional testing. That way
 you know
 it works with all of the other components. The thing is in openstack
 what
 seems
 like a project isolated functional test almost always involves another
 project
 in real use cases. (for example keystone auth with api requests)
 
 
 
 One of the concerns we heard in the review was 'having the functional
 tests elsewhere (I.e within the project itself) does not count and they
 have to be in Tempest'.
 This has made us as a team wonder if we should migrate all our
 functional
 tests to Tempest.
 But from Matt's response, I think it is reasonable to continue in our
 current path  have the functional tests in Marconi coexist  along with
 the tests in Tempest.
 

I think that what is being asked, really is that the functional tests could be 
a single set of tests that would become a part of the tempest repository and 
that these tests would have an ENV variable as part of the configuration that 
would allow either no Keystone or Keystone or some such, if that is the 
only configuration issue that separates running the tests isolated vs. 
integrated.  The functional tests need to be as much as possible a single set 
of tests to reduce duplication and remove the likelihood of two sets getting 
out of sync with each other/development.  If they only run in the integrated 
environment, that's ok, but if you want to run them isolated to make debugging 
easier, then it should be a configuration option and a separate test job.

So, if my assumptions are correct, QA only requires functional tests for 
integrated runs, but if the project QAs/Devs want to run isolated for dev and 
devtest purposes, more power to them.  Just keep it a single set of functional 
tests and put them in the Tempest repository so that if a failure happens, 
anyone can find the test and do the debug work without digging into a separate 
project repository.

Hopefully, the tests as designed could easily take a new configuration 
directive and a short bit of work with OS QA will get the integrated FTs 
working as well as the isolated ones.

--Rocky

 On 3/20/14 1:59 PM, Matthew Treinish mtrein...@kortar.org wrote:
 
 On Thu, Mar 20, 2014 at 11:35:15AM +, Malini Kamalambal wrote:
  Hello all,
 
  I have been working on adding tests in Tempest for Marconi, for the
 last few months.
  While there are many amazing people to work with, the process has
 been
 more difficult than I expected.
 
  Couple of pain-points and suggestions to make the process easier for
 myself  future contributors.
 
  1. The QA requirements for a project to graduate needs details
 beyond
 the Project must have a *basic* devstack-gate job set up
  2. The scope of Tempest needs clarification  - what tests should be
 in
 Tempest vs. in the individual projects? Or should they be in both
 tempest and the project?
 
  See details below.
 
  1. There is little documentation on graduation requirement from a QA
 perspective beyond 'Project must have a basic devstack-gate job set
 up'.
 
  As a result, I hear different interpretations on what a basic
 devstack
 gate job is.
  This topic was discussed in one of the QA meetings a few weeks back
 [1].
  Based on the discussion there, having a basic job - such as one that
 will let us know 'if a keystone change broke marconi' was  good
 enough.
  My efforts in getting Marconi meet graduation requirements w.r.t
 Tempest was based on the above discussion.
 
  However, my conversations with the TC during Marconi's graduation
 review  lead me to believe that these requirements aren't yet
 formalized.
  We were told that we needed to have more test coverage in tempest, 
 having them elsewhere (i.e. functional tests in the Marconi project
 itself) was not good enough.
 
 So having only looked at the Marconi ML thread and not the actual TC
 meeting
 minutes I might be missing the whole picture. But, from what I saw
 when I
 looked
 at both a marconi commit and a tempest commit is that there is no
 gating
 marconi
 devstack-gate job on marconi commits. It's only non-voting in the
 check
 pipeline.
 Additionally, there isn't a non-voting job on tempest or 

Re: [openstack-dev] [openstack-qa] Graduation Requirements + Scope of Tempest

2014-03-21 Thread Rochelle.RochelleGrober

 From: Malini Kamalambal [mailto:malini.kamalam...@rackspace.com]
snip
 
 We are talking about different levels of testing,
 
 1. Unit tests - which everybody agrees should be in the individual
 project
 itself
 2. System Tests - 'System' referring to ( limited to), all the
 components
 that make up the project. These are also the functional tests for the
 project.
 3. Integration Tests - This is to verify that the OS components
 interact
 well and don't break other components -Keystone being the most obvious
 example. This is where I see getting the maximum mileage out of
 Tempest.
 
 I see value in projects taking ownership of the System Tests - because
 if
 the project is not 'functionally ready', it is not ready to integrate
 with
 other components of Openstack.
 But for this approach to be successful, projects should have diversity
 in
 the team composition - we need more testers who focus on creating these
 tests.
 This will keep the teams honest in their quality standards.

+1000  I love your approach to this.  You are right.  Functional tests for the 
project, that exist in an environment, but that exercise the intricacies of 
just the project aren't there for most projects, but really should be.  And 
these tests should be exercised against new code before the code enters the 
gerrit/Jenkins stream. But, as Malini points out, it's at most a dream for most 
projects as the test developers just aren't part of most projects.


 As long as individual projects cannot guarantee functional test
 coverage,
 we will need more tests in Tempest.
 But that will shift focus away from Integration Testing, which can be
 done
 ONLY in Tempest.

+1  This is also an important point.  If functional testing belonged to the 
projects, then most of these tests would be run before a tempest test was ever 
run and would not need to be part of the integrated tests, except as a subset 
that demonstrate the functioning integration with other projects.

 
 Regardless of whatever we end up deciding, it will be good to have
 these
 discussions sooner than later.
 This will help at least the new projects to move in the right
 direction.

Maybe a summit topic?  How do we push functional testing into the project level 
development?

--Rocky

 
 -Malini
 
 
 
 
 
 
 
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [RFC] Tempest without branches

2014-04-04 Thread Rochelle.RochelleGrober
(easier to insert my questions at top of discussion as they are more general)


How would test deprecations work in a branchless Tempest?  Right now, there is 
the discussion on removing the XML tests from Tempest, yet they are still valid 
for Havana and Icehouse.  If they get removed, will they still be accessible 
and runnable for Havana version tests?  I can see running from a tagged version 
for Havana, but if you are *not* running from the tag, then the files would be 
gone.  So, I'm wondering how this would work for Refstack, testing backported 
bugfixes, etc.

Another related question arises from the discussion of Nova API versions.  
Tempest tests are being enhanced to do validation, and the newer API versions  
(2.1,  3.n, etc. when the approach is decided) will do validation, etc.  How 
will these backward incompatible tests be handled if the test that works for 
Havana gets modified to work for Juno and starts failing Havana code base?

With the discussion of project functional tests that could be maintained in one 
place, but run in two (maintenance location undecided, run locale local and 
Tempest/Integrated), how would this cross project effort be affected by a 
branchless Tempest?

Maybe we need some use cases to ferret out the corner cases of a branchless 
Tempest implementation?  I think we need to get more into some of the details 
to understand what would be needed to be added/modified/ removed to make this 
design proposal work.

--Rocky



From: David Kranz [mailto:dkr...@redhat.com]
Sent: Friday, April 04, 2014 6:10 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [RFC] Tempest without branches

On 04/04/2014 07:37 AM, Sean Dague wrote:

An interesting conversation has cropped up over the last few days in -qa

and -infra which I want to bring to the wider OpenStack community. When

discussing the use of Tempest as part of the Defcore validation we came

to an interesting question:



Why does Tempest have stable/* branches? Does it need them?



Historically the Tempest project has created a stable/foo tag the week

of release to lock the version of Tempest that will be tested against

stable branches. The reason we did that is until this cycle we had

really limited nobs in tempest to control which features were tested.

stable/havana means - test everything we know how to test in havana. So

when, for instance, a new API extension landed upstream in icehouse,

we'd just add the tests to Tempest. It wouldn't impact stable/havana,

because we wouldn't backport changes.



But is this really required?



For instance, we don't branch openstack clients. They are supposed to

work against multiple server versions. Tempest, at some level, is

another client. So there is some sense there.



Tempest now also have flags on features, and tests are skippable if

services, or even extensions aren't enabled (all explicitly setable in

the tempest.conf). This is a much better control mechanism than the

course grained selection of stable/foo.





If we decided not to set a stable/icehouse branch in 2 weeks, the gate

would change as follows:



Project masters: no change

Project stable/icehouse: would be gated against Tempest master

Tempest master: would double the gate jobs, gate on project master and

project stable/icehouse on every commit.



(That last one needs infra changes to work right, those are all in

flight right now to assess doability.)



Some interesting effects this would have:



 * Tempest test enhancements would immediately apply on stable/icehouse *



... giving us more confidence. A large amount of tests added to master

in every release are enhanced checking for existing function.



 * Tempest test changes would need server changes in master and

stable/icehouse *



In trying tempest master against stable/havana we found a number of

behavior changes in projects that there had been a 2 step change in the

Tempest tests to support. But this actually means that stable/havana and

stable/icehouse for the same API version are different. Going forward

this would require master + stable changes on the projects + Tempest

changes. Which would provide much more friction in changing these sorts

of things by accident.



 * Much more stable testing *



If every Tempest change is gating on stable/icehouse, the week long

stable/havana can't pass tests won't happen. There will be much more

urgency to keep stable branches functioning.





If we got rid of branches in Tempest the path would be:

 * infrastructure to support this in infra - in process, probably

landing today

 * don't set stable/icehouse - decision needed by Apr 17th

 * changes to d-g/devstack to be extra explicit about what features

stable/icehouse should support in tempest.conf

 * see if we can make master work with stable/havana to remove the

stable/havana Tempest branch (if this is doable in a month, great, if

not just wait for havana to age out).




Re: [openstack-dev] [nova] stable branches failure to handle review backlog

2014-07-30 Thread Rochelle.RochelleGrober
 From: Gary Kotton [mailto:gkot...@vmware.com] 
 
 On 7/30/14, 8:22 PM, Kevin L. Mitchell kevin.mitch...@rackspace.com
 wrote:
 
 On Wed, 2014-07-30 at 09:01 +0200, Flavio Percoco wrote:
  As a stable-maint, I'm always hesitant to review patches I've no
  understanding on, hence I end up just checking how big is the patch,
  whether it adds/removes new configuration options etc but, the real
  review has to be done by someone with good understanding of the
 change.
 
  Something I've done in the past is adding the folks that had
 approved
  the patch on master to the stable/maint review. They should know
 that
  code already, which means it shouldn't take them long to review it.
 All
  the sanity checks should've been done already.
 
  With all that said, I'd be happy to give *-core approval permissions
 on
  stable branches, but I still think we need a dedicated team that has
 a
  final (or at least relevant) word on the patches.
 
 Maybe what we need to do is give *-core permission to +2 the patches,
 but only stable/maint team has *approval* permission.  Then, the cores
 can review the code, and stable/maint only has to verify applicability
 to the stable branchŠ
 
 +1


+1

This approach guarantees final say by the stable/maint team, but lets any core 
validate that the patch is appropriate from the project's technical 
perspective.  It keeps the balance but broadens the validation pool.

--Rocky 

 --
 Kevin L. Mitchell kevin.mitch...@rackspace.com
 Rackspace
 
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Neutron][LBaaS] SSL re-encryption scenario question

2014-04-18 Thread Rochelle.RochelleGrober
+1 for the discussion

Remember, a cloud does not always have all its backend co-located.  There are 
sometimes AZs and often other hidden network hops.  

And, to ask the obvious, what do you think the response is when you whisper 
NSA in a crowded Google data center?

--Rocky

-Original Message-
From: Jorge Miramontes [mailto:jorge.miramon...@rackspace.com] 
Sent: Friday, April 18, 2014 2:13 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS] SSL re-encryption scenario 
question

+1 for German's use cases. We need SSL re-encryption for decisions the
load balancer needs to make at the l7 layer as well. Thanks Clint, for
your thorough explanation from a security standpoint.

Cheers,
--Jorge




On 4/18/14 1:38 PM, Clint Byrum cl...@fewbar.com wrote:

Excerpts from Stephen Balukoff's message of 2014-04-18 10:36:11 -0700:
 Dang.  I was hoping this wasn't the case.  (I personally think it's a
 little silly not to trust your service provider to secure a network when
 they have root access to all the machines powering your cloud... but I
 digress.)
 

No one person or even group of people on the operator's network will have
full access to everything. Security is best when it comes in layers. Area
51 doesn't just have a guard shack and then you drive right into the
hangars with the UFO's and alien autopsies. There are sensors, mobile
guards, secondary checkpoints, locks on the outer doors, and locks on
the inner doors. And perhaps most importantly, the MP who approves your
entry into the first gate, does not even have access to the next one.

Your SSL terminator is a gate. What happens once an attacker (whoever
that may be, your disgruntled sysadmin, or rogue hackers) is behind that
gate _may_ be important.

 Part of the reason I was hoping this wasn't the case, isn't just
because it
 consumes a lot more CPU on the load balancers, but because now we
 potentially have to manage client certificates and CA certificates (for
 authenticating from the proxy to back-end app servers). And we also
have to
 decide whether we allow the proxy to use a different client cert / CA
per
 pool, or per member.
 
 Yes, I realize one could potentially use no client cert or CA (ie.
 encryption but no auth)...  but that actually provides almost no extra
 security over the unencrypted case:  If you can sniff the traffic
between
 proxy and back-end server, it's not much more of a stretch to assume you
 can figure out how to be a man-in-the-middle.


A passive attack where the MITM does not have to witness the initial
handshake or decrypt/reencrypt to sniff things is quite a bit easier to
pull off and would be harder to detect. So almost no extra security
is not really accurate. But this is just one point of data for risk
assessment.

 Do any of you have a use case where some back-end members require SSL
 authentication from the proxy and some don't? (Again, deciding whether
 client cert / CA usage should attach to a pool or to a member.)
 
 It's a bit of a rabbit hole, eh.


Security turns into an endless rat hole when you just look at it as a
product, such as A secure load balancer.

If, however, you consider that it is really just a process of risk
assessment and mitigation, then you can find a sweet spot that works
in your business model. How much does it cost to mitigate the risk
of unencrypted backend traffic from the load balancer?  What is the
potential loss if the traffic is sniffed? How likely is it that it will
be sniffed? .. Those are ongoing questions that need to be asked and
then reevaluated, but they don't have a fruitless stream of what-if's
that have to be baked in like the product discussion. It's just part of
your process, and processes go on until they aren't needed anymore.

IMO a large part of operating a cloud is decoupling the ability to setup
a system from the ability to enable your business with a system. So
if you can communicate the risks of doing without backend encryption,
and charge the users appropriately when they choose that the risk is
worth the added cost, then I think it is worth it to automate the setup
of CA's and client certs and put that behind an API. Luckily, you will
likely find many in the OpenStack community who can turn that into a
business opportunity and will help.

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [qa] QA Summit Meet-up Atlanta

2014-04-30 Thread Rochelle.RochelleGrober
+1 but I don't get in until late Sunday :-(  Any chance you could do this 
sometime Monday?  I'd like to meet the people behind the IRC names and email 
addresses.

--Rocky

-Original Message-
From: Ken'ichi Ohmichi [mailto:ken1ohmi...@gmail.com] 
Sent: Wednesday, April 30, 2014 6:29 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [qa] QA Summit Meet-up Atlanta

2014-04-30 19:11 GMT+09:00 Koderer, Marc m.kode...@telekom.de:
 Hi folks,

 last time we met one day before the Summit started for a short meet-up.
 Should we do the same this time?

 I will arrive Saturday to recover from the jet lag ;) So Sunday 11th would be 
 fine for me.

I may be in the jet lag Sunday, but the meet-up would be nice for me;-)

Thanks
Ken'ichi Ohmichi

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Ironic] handling drivers that will not be third-party tested

2014-05-21 Thread Rochelle.RochelleGrober
+1 for community contribs and a common place for them to be sourced.

From: Devananda van der Veen [mailto:devananda@gmail.com]
Sent: Wednesday, May 21, 2014 5:03 PM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [Ironic] handling drivers that will not be third-party 
tested

I'd like to bring up the topic of drivers which, for one reason or another, are 
probably never going to have third party CI testing.

Take for example the iBoot driver proposed here:
  https://review.openstack.org/50977

I would like to encourage this type of driver as it enables individual 
contributors, who may be using off-the-shelf or home-built systems, to benefit 
from Ironic's ability to provision hardware, even if that hardware does not 
have IPMI or another enterprise-grade out-of-band management interface. 
However, I also don't expect the author to provide a full third-party CI 
environment, and as such, we should not claim the same level of test coverage 
and consistency as we would like to have with drivers in the gate.

As it is, Ironic already supports out-of-tree drivers. A python module that 
registers itself with the appropriate entrypoint will be made available if the 
ironic-conductor service is configured to load that driver. For what it's 
worth, I recall Nova going through a very similar discussion over the last few 
cycles...

So, why not just put the driver in a separate library on github or stackforge?


-Devananda
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [oslo] logging around olso lockutils

2014-09-25 Thread Rochelle.RochelleGrober
+1

Exactly what I was thinking.  Semaphore races and deadlocks are important to be 
able to trace, but the normal production cloud doesn't want to see those 
messages.  

What might be even better would be to also put a counter on the semaphores so 
that if they ever are 1 or 0 they report an error on normal log levels.  I'm 
assuming it would be an error.  I can't see why it would be just a warn or 
info, but, I don't know the guts of the code here.

--Rocky

-Original Message-
From: Joshua Harlow [mailto:harlo...@outlook.com] 
Sent: Thursday, September 25, 2014 12:23 PM
To: openst...@nemebean.com; OpenStack Development Mailing List (not for usage 
questions)
Subject: Re: [openstack-dev] [oslo] logging around olso lockutils

Or how about we add in a new log level?

A few libraries I have come across support the log level 5 (which is less than 
debug (10) but greater than notset (0))...

One usage of this is in the multiprocessing library in python itself @

https://hg.python.org/releasing/3.4/file/8671f89107c8/Lib/multiprocessing/util.py#l34

Kazoo calls it the 'BLATHER' level @

https://github.com/python-zk/kazoo/blob/master/kazoo/loggingsupport.py

Since these messages can be actually useful for lock_utils developers it could 
be useful to keep them[1]?

Just a thought...

[1] Ones mans DEBUG is another mans garbage, ha.

On Sep 25, 2014, at 12:06 PM, Ben Nemec openst...@nemebean.com wrote:

 On 09/25/2014 07:49 AM, Sean Dague wrote:
 Spending a ton of time reading logs, oslo locking ends up basically
 creating a ton of output at DEBUG that you have to mentally filter to
 find problems:
 
 2014-09-24 18:44:49.240 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Created new semaphore iptables internal_lock
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:206
 2014-09-24 18:44:49.240 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Acquired semaphore iptables lock
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:229
 2014-09-24 18:44:49.240 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Attempting to grab external lock iptables external_lock
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:178
 2014-09-24 18:44:49.240 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Got file lock /opt/stack/data/nova/nova-iptables acquire
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:93
 2014-09-24 18:44:49.240 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Got semaphore / lock _do_refresh_provider_fw_rules inner
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:271
 2014-09-24 18:44:49.244 DEBUG nova.compute.manager
 [req-b91cb1c1-f211-43ef-9714-651eeb3b2302
 DeleteServersAdminTestXML-1408641898
 DeleteServersAdminTestXML-469708524] [instance:
 98eb8e6e-088b-4dda-ada5-7b2b79f62506] terminating bdm
 BlockDeviceMapping(boot_index=0,connection_info=None,created_at=2014-09-24T18:44:42Z,delete_on_termination=True,deleted=False,deleted_at=None,destination_type='local',device_name='/dev/vda',device_type='disk',disk_bus=None,guest_format=None,id=43,image_id='262ab8a2-0790-49b3-a8d3-e8ed73e3ed71',instance=?,instance_uuid=98eb8e6e-088b-4dda-ada5-7b2b79f62506,no_device=False,snapshot_id=None,source_type='image',updated_at=2014-09-24T18:44:42Z,volume_id=None,volume_size=None)
 _cleanup_volumes /opt/stack/new/nova/nova/compute/manager.py:2407
 2014-09-24 18:44:49.248 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Released file lock /opt/stack/data/nova/nova-iptables release
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:115
 2014-09-24 18:44:49.248 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Releasing semaphore iptables lock
 /opt/stack/new/nova/nova/openstack/common/lockutils.py:238
 2014-09-24 18:44:49.249 DEBUG nova.openstack.common.lockutils
 [req-d7443a9c-1eb5-42c3-bf40-aadd20f0452f
 ListImageFiltersTestXML-1316776531 ListImageFiltersTestXML-132181290]
 Semaphore / lock released _do_refresh_provider_fw_rules inner
 
 Also readable here:
 http://logs.openstack.org/01/123801/1/check/check-tempest-dsvm-full/b5f8b37/logs/screen-n-cpu.txt.gz#_2014-09-24_18_44_49_240
 
 (Yes, it's kind of ugly)
 
 What occured to me is that in debugging locking issues what we actually
 care about is 2 things semantically:
 
 #1 - tried to get a lock, but someone else has 

Re: [openstack-dev] Thoughts on OpenStack Layers and a Big Tent model

2014-09-26 Thread Rochelle.RochelleGrober
Robert Collins on Friday, September 26, 2014 3:33 PM wrote:
 On 27 September 2014 09:43, Jay Pipes jaypi...@gmail.com wrote:
  Hi James, thanks for the corrections/explanations. A comment inline
 (and a
  further question) :)
 
  Oh, good to know. Sorry, my information about Triple-O's undercloud
 setup is
  clearly outdated. I thought that the undercloud was build from source
  repositories devstack-style. Thanks for hitting me with a cluestick.
 :)
 
 Thats one installation strategy :).
 
  Even when not installing via a distribution, and either directly
 from
  trunk or the integrated release tarballs, I don't know that any
  TripleO opinion enters into it. TripleO uses the integrated projects
  of OpenStack to deploy an overcloud. In an overcloud, you may see
  support for some incubated projects, depending on if there's
 interest
  from the community for that support.
 
 
  OK, interesting. So, in summary, Triple-O really doesn't offer much
 of a
  this is production-ready stamp to anything based on whether it
 deploys a
  project or not. So, operators who deploy with Triple-O would be in
 the
  you're on your own camp from the bulleted list above. Would that be
 a fair
  statement?
 
 TripleO upstream doesn't offer a production-ready stamp for the
 workload clouds; for deploy clouds we do - simply because you can't
 use non-production-ready services to do your deploy... some of our
 stamps have substantial caveats today (e.g. Heat) - but they are being
 worked on.
 
 But then Nova upstream doesn't offer production-ready stamps either.
 Are cells production ready? Instance groups? Or generally any new
 feature?
 
 *distributions* of TripleO offer production ready stamps.
 
 RDO offers one
 HP Helion offers one.
 
 In exactly the same way that distributions offer production stamps
 about Nova, distributions that use TripleO offer production stamps
 about Nova :).
 
 And I think this is James's point. Your category 2 above saying that
 TripleO is different is just confused: TripleO is a deployment
 architecture [evolving into a set of such], *not* a distribution
 channel. 1 and 3 are distribution channels.

[Rocky] I'd like to make a couple of points; first is how many commercial 
deployers/operators would consider any of OpenStack production ready and if 
they do, what would that subset actually be? ( a little snarky, but not really)

Second, I'd like to point out that Defcore is attempting to provide guidance 
along these lines, but may be considered a bit more strict than a Production 
Ready label.  Then again, it may be less strict, depending on test coverage;-)

Check out the scoring criteria here:   
https://wiki.openstack.org/wiki/Governance/CoreCriteria

In principle, OpenStack functionality has to have been production tested with 
a fairly large distribution base, along with a number of other criteria.  As 
defined, it would definitely be a subset of production ready but it would be 
a reasonably safe subset that could then be built upon.

Beyond the DefCore criteria, RefStack is heading towards the point where any 
operator could run all of Tempest or any selection of Tempest tests against 
his/her installed cloud and view all the results.  They could even save them to 
do trend analysis.

But, this still begs the question of what is production ready especially for 
Open Source code.

Perhaps we need the release notes to be very specific on which APIs, features 
and/or projects are new/radically altered in a specific release. This could 
allow operators to install Juno release/Icehouse functionality which would 
theoretically be much better than Icehouse Release which is what a lot of 
shops would do, reasoning that Icehouse has been out six months, so the gotchas 
are known and patches have been released to fix the worst issues.  Whereas, I 
think that most people in QA and/or deep in the various projects would say that 
the functionality that was released in Icehouse that also is in Juno would be 
more performant and less buggy than the Icehouse release.

So really, the question might really be:  how do you get deployers who want 
greater stability to actually get it by deploying the current release with past 
release's functionality subset?  And how do you communicate that some of the 
past release's functionality is still not production ready?

Hard problem.  


 
 -Rob
 
 --
 Robert Collins rbtcoll...@hp.com
 Distinguished Technologist
 HP Converged Cloud
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [tempest] [devstack] Generic scripts for Tempest configuration

2014-10-24 Thread Rochelle.RochelleGrober
Hi, Timur.

Check out [1].   Boris Pavlovic has been working towards what you want for more 
than a full release cycle.  There are still major issues to be conquered, but 
having something that gets us part of the way there and can identify what can’t 
be determined so that the humans have only a subset to work out would be a 
great first step.

There are also other reviews out there that need to come together to really 
make this work.  And projects that would be the better for it (Refstack and 
Rally).  These are [2] allowing Tempest tests to run as non-admin, [3] making 
Tempest pluggable, [4] refactoring the client manager to be more flexible.

I think some others may have merged already.  The  bottom line is to refactor 
tempest such that there is a test server with the necessary tools and 
components to make it work, and a tempest lib such that writing tests can 
benefit from common procedures.

Enjoy the reading.

--Rocky


[1] https://review.openstack.org/#/c/94473/
[2] https://review.openstack.org/#/c/86967/
[3] https://review.openstack.org/#/c/89322/
[4] https://review.openstack.org/#/c/92804/


From: Timur Nurlygayanov [mailto:tnurlygaya...@mirantis.com]
Sent: Friday, October 24, 2014 4:05 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [tempest] [devstack] Generic scripts for Tempest 
configuration

Hi all,
we are using Tempest tests to verify every changes in different OpenStack 
components and we have scripts in devstack, which allow to configure Tempest.
We want to use Tempest tests to verify different clouds, not only installed 
with devstack and to do this we need to configure Tempest manually (or with 
some no-generic scripts, which allow to configure tempest for specific lab 
configuration).
Looks like we can improve these scripts for configuration of the Tempest, which 
we have in devstack repository now and create generic scripts for Tempest, 
which can be used by devstack scripts or manually, to configure Tempest for any 
private/public OpenStack clouds. These scripts should allow to easily configure 
Tempest: user should provide only Keystone endpoint and logins/passwords, other 
parameters can be optional and can be configured automatically.

The idea is to have the generic scripts, which will allow to easily configure 
Tempest from-the-box, without deep inspection of lab configuration (but with 
the ability to change optional parameters too, if it is required).

--

Timur,
Senior QA Engineer
OpenStack Projects
Mirantis Inc
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev