14:00:07 #startmeeting releaseteam 14:00:08 Meeting started Fri Jun 24 14:00:07 2016 UTC and is due to finish in 60 minutes. The chair is dhellmann. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:09 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:00:12 The meeting name has been set to 'releaseteam' 14:00:18 courtesy ping: ttx, dims, lifeless, tonyb, stevemar, fungi 14:00:25 yuppp 14:00:32 our agenda is under R-15 in https://etherpad.openstack.org/p/newton-relmgt-tracking 14:01:31 * dhellmann suspects he has trained ttx to expect this meeting to start late 14:01:43 #topic automation update 14:01:44 o/ 14:01:56 fungi, how're things looking? 14:02:02 let's see 14:02:42 #link https://review.openstack.org/333065 Add a node for artifact signing jobs 14:02:55 that looks ready to merge (along with a cleanup it depends-on) 14:03:07 \o/ 14:03:36 i've got the signing subkey distribution automation worked out and tested, next up is writing some more detailed documentation on generating/rotating/signing/revoking keys each cycle 14:04:03 #link https://review.openstack.org/#/c/332447/ import the release scripts we need to run on the secure nodes 14:04:04 though there's already some basic prose documentation in there about the intended process, just nothing cut-n-paste worthy yet 14:04:17 k 14:04:35 when 333065 lands, are we ready to start writing the job definition to do the tagging? 14:04:44 but as soon as 333065 merges i can build the server in a matter of minutes 14:04:53 pretty much, yep 14:04:57 excellent 14:05:15 I'll be at the TC training thing next week, but I'll plan to start working on that job the following week 14:05:27 i'll want to do a couple final pre-flight checks on the server to make sure gpg --sign operations work as expected without having to tweak anything 14:05:42 sure 14:05:49 but i have confidence my prior testing will be consistent 14:05:58 and the first version of the job will only actually do work for the openstack/release-test repo so we can get the kinks worked out 14:06:07 perfect! 14:06:13 we'll continue tagging everything else by hand in the mean time 14:06:14 i didn't realize you had that repo 14:06:27 yeah, we set that up late last cycle specifically for testing some of these scripts 14:07:09 the other addition i'll want to make to that manifest in a folow-up patch (simple enough) is to add the gerrit ssh keys for the "proposal bot" account, or we can create a separate account specifically for tags 14:07:37 but i wanted to make sure the gpg bits were working correctly before i went further on the puppet end 14:07:47 makes sense 14:08:01 and I can see pros/cons to setting up a separate account 14:08:06 same 14:08:23 should we work through that now, or is that a discussion for later? 14:08:52 we can try to hack through to a decision quickly now if it won't derail your planned meeting agenda 14:09:06 let's take 5 min 14:09:35 aside from having to manage another set of keys and another identity in gerrit, what's the biggest con to setting up a "release bot" account? 14:09:41 i think the main reason for a separate account is because the proposal bot currently has no special privileges, just "brand recognition" 14:10:15 biggest con is probably having to make sure places we account for the proposal bot as a non-human actor would need updating for the second account 14:10:34 in scripting? or in acls? 14:10:39 for example, summit invites/electoral rolls, people's custom mail filters, whatever 14:11:09 true 14:11:19 if we want the proposal bot to push tags, it needs to be in a group which has push-signed-tag access to every release-managed repo 14:11:30 oh, here's another: the release.sh script proposes a change to the requirements repo to update it for new versions of libs 14:11:38 so that job is both tagging and proposing 14:12:17 * stevemar sneaks in 14:12:40 true. for that case we could either 1) have the proposals associated with that use the tag bot account, or 2) write the job to use two accounts (one for the tag, one for the change) 14:13:07 having them use the tag bot account seems reasonable 14:13:30 the main risk is that the proposal bot account is used by lots of other jobs which don't need elevated privs, so granting it tag access to every repo is an increase in our risk profile 14:13:31 otoh, if setting up a separate account is going to delay implementation I may be more inclined to just use the existing account 14:13:59 yeah, the security side of it was one reason I was initially leaning toward having a new account 14:14:03 well, that and branding 14:14:04 it wouldn't really delay implementation. i can create additional gerrit accounts quite quickly/easily 14:14:09 ok, cool 14:14:28 the brand recognition is the only remaining sticking point really 14:14:31 and those other things like summit invitations and elections we can deal with as they come up? 14:14:55 right, those two tasks are handled by one script, and it's already extensible to allow us to specify a list of account ids to ignore 14:14:59 just need to add one more to that list 14:15:03 ok, so not that big of a deal 14:15:25 so I think I'm on the side of a new account, unless there's a significant blocker for some reason. 14:15:57 as much as I'd love to come up with a clever name, something like "OpenStack Release Bot" is probably better 14:16:04 right, so it comes down to elevated privs for proposal bot plus tags aren't really being "proposed," vs people might wonder who this is pushing tags and what these update proposals are coming from this new account 14:16:35 also worth noting, the signing key being used is (currently) named like "OpenStack Infra (Newton Cycle) 14:16:37 " 14:16:53 #link http://p80.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0x64DBB05ACC5E7C28&fingerprint=on&exact=on newton cycle artifact signing key 14:16:54 \o/ 14:17:09 ok, we should get the release team to sign that 14:17:48 yep, also i want it signed by a majority of infra-root sysadmins before we start using it seriously 14:17:54 yep 14:17:58 ok, I think that's settled? 14:18:06 i just need to write up the instructions on how they can validate the key fingerprint locally on our management bastion 14:18:17 (part of the instructions i'm already working on) 14:18:31 should we wait for that, too? 14:18:40 not for testing, no 14:19:21 I meant for signing 14:19:28 so anyway, i guess the plan is to make a separate gerrit account "OpenStack Release Bot " and push tags and the associated proposals for release updates with it 14:19:51 yes, that seems best 14:20:05 #agreed requirements team spin out (dims) 14:20:06 dhellmann: you might want to hold off havign the release team sign it until we have a bunch of infra-root signatures published for it, just so you can be comfortable signing. since you don't have an out-of-band mechanism to verify the key 14:20:08 #undo 14:20:09 Removing item from minutes: 14:20:22 #agreed make a separate gerrit account "OpenStack Release Bot " and push tags and the associated proposals for release updates with it 14:20:31 fungi : good point 14:20:45 that's all i have 14:20:50 cool, thanks 14:20:53 sorry to suck up a big chunk of the meeting 14:21:13 oh, no worries, this is our major initiative this cycle so it's good to spend the time on it 14:21:15 #topic requirements team spin out (dims) 14:21:29 I didn't see dims raise his hand as present 14:21:51 It feels like this is well in progress 14:22:05 I know he had signed up a bunch of new folks for the review team, and was working on cajoling some of them to run for ptl 14:22:13 I don't think it's blocked on anything at the moment 14:22:21 #topic ACL dance process final review (ttx) 14:22:56 I summarized the plan in the etherpad 14:23:07 let me fetch that 14:23:23 #link https://etherpad.openstack.org/p/newton-relmgt-plan 14:23:28 https://etherpad.openstack.org/p/newton-relmgt-plan under Final Release Process Improvements 14:23:34 item 9 14:23:51 how much of that do you anticipate being able to script? 14:24:02 dhellmann: see actions 14:24:15 ideally everything 14:24:20 k 14:24:30 but we may do eth ACL patches be hand this time around 14:24:35 by* 14:24:42 ok 14:24:54 i'll try to cover all those step 14:24:55 s 14:25:23 if we're not going to automate it to start, good instructions will help us build a script next cycle 14:25:38 dhellmann: do you agree with the action plan ? 14:25:44 yes, this plan looks good 14:25:59 this is the sort of thing that I was thinking we'd want in a release manager's guide 14:26:18 so when we start that, we can add the instructions to it 14:26:32 * dhellmann notes that's on his todo list still 14:26:44 anything else on this? 14:27:00 no, copying the action list to my todo 14:27:08 ok, moving on then 14:27:09 #topic Release model changes 14:27:15 #link aodh https://review.openstack.org/#/c/331212/ 14:27:22 #link searchlight-ui https://review.openstack.org/#/c/333420/ 14:27:34 both of these make sense, and I've voted +1 on them 14:27:54 yep so the first one makes aodh independent 14:28:15 or just the client? 14:28:21 oh, just the client 14:28:53 dhellmann: IIRC there was some issue with making clients independent 14:29:02 oh, hmm, I didn't look at that as closely as I should, I thought it was the whole project 14:29:12 yeah, I don't think we want to do this 14:30:01 what's the issue with making clients independent when servers are managed? 14:30:15 just curious 14:30:21 fungi: trying to remember 14:30:24 heh 14:30:50 they want to not create stable branches, which means we have to allow new versions from master into the server stable branch dependency list 14:30:51 basically for oslo libs and clients, independent makes sense. yet we don't make them independent, because... 14:31:55 oh, got it 14:31:58 and that means that the new master release of the client, which may try to raise minimum versions of other dependencies, may cause issues in the stable branch test environments 14:32:00 fungi: that's how it was and we changed it 14:32:04 yeah, that becomes a mess 14:32:18 now I think the telemetry team has been removing themselves from the requirements sync list, but I don't know if that's the case here 14:32:32 i missed that release:independent meant that they _wouldn't_ have stable branches 14:32:40 but it does mean that at some point we have to cap or exclude new versions 14:32:47 fungi: if you do, that means you're with-intermediary really 14:32:51 fungi : they can, but this patch says they don't plan to (that's the justification for the change) 14:32:57 right 14:33:03 right 14:33:23 sorry to derail with questions 14:33:24 dhellmann: I'll let you argue that one, my week is almost over 14:33:30 fungi: no they help 14:33:32 yeah, I'll post on the review after the meeting 14:33:34 jd__ : ^^ 14:33:46 the other one is no brainer 14:33:47 the searchlight-ui change is less controversial 14:33:49 yeah 14:33:57 ttx : dhellmann : taking delivery of a sofa :) 14:34:01 basically it might work _if_ they're not used by any other projects and we choose not to add them to global reqs in the future 14:34:01 so under the new rules I think it's safe for you to approve that 14:34:03 so not really here :) 14:34:10 yep 14:34:13 dims : ack, np 14:34:37 fungi : I don't think that applies to aodh 14:34:50 but yeah, in general, a completely independent thing can do this 14:35:06 fungi: that works if we don't have crazy requirements and if stable/* things just cap the client if needed 14:35:08 IIUC 14:35:21 and right, aodhclient is still in the global requirements list right now 14:35:25 aodhclient is not widely used but it might be used by Heat at some point 14:36:14 jd__: well, the challenge becomes how to apply security updates to a version of aodh used (and capped) by stable branch projects if there are any, without making stable branches for aodhclient 14:36:24 fungi: right 14:36:38 does that work if I said we decided not to implement security flaws? 14:36:45 and there's no real control over that other than taking it out of global requirements and making sure it doesn't get added back 14:36:55 yeah, I think we need aodhclient to go ahead and continue to create stable branches, even if you leave them largely unmaintained 14:37:24 if you have no backports, that's no big deal 14:37:31 but if you do, and there's no branch, that's all sorts of trouble 14:37:54 * jd__ nods 14:37:57 and having it in global requirements means other projects _can_ depend on it without you necessarily even finding out 14:38:02 right 14:38:18 yeah that sounds fair enough 14:38:24 so we don't know we've gotten into a sticky situation until it's too late and we have to try hacky workarounds 14:38:48 we were mostly worried that people would keep on stable/* branch of aodhclient and except us to backport fixes and all, and we'll never do that unfortunately (unless we become very rich) 14:38:58 (granted, our requirements management is already a pile of hacky workarounds, just not as bad as the ones we might have to fall back on) 14:39:13 jd__ : it's not uncommon to have very inactive client stable branches 14:39:25 i cite swift 14:39:31 good to know 14:39:47 in fact, most of the clients have very inactive stable branches 14:39:49 fungi : I'd have to look, but I think most of them are pretty inactive 14:40:00 yeah, we don't get a lot of call for stable client releases 14:40:10 yeah, i wouldn't be surprised if the majority still have the branch tip as a release tag from before they branches 14:40:13 branched 14:40:28 cool, I guess I'll just abandon the patch :) 14:40:34 so this is just a safety measure for when we need it, but jd__ I don't think you need to worry about downstream expectations of a lot of maintenance on your part 14:40:38 ok, cool 14:40:44 * jd__ nods 14:40:48 thanks! 14:41:01 * dhellmann makes a note to document the reasoning for this *somewhere* 14:41:09 that'd be a good idea indeed :) 14:41:26 dhellmann: PTG maybe in the section about choosing models ? 14:41:31 ttx: good thinking 14:41:54 ok, moving on 14:41:57 #topic moving release tools 14:42:07 #link remove from release-tools https://review.openstack.org/#/c/332448/ 14:42:23 the patch to add the scripts to project-config has already merged, so it should be safe to remove them from release-tools 14:42:38 yeah, I'm resisting the move because we are still supposed to run the scripts by hand 14:42:51 yes, but I want to make sure we aren't maintaining 2 copies 14:43:03 so we'd run them from project-config ? 14:43:09 and I also want to make sure the new copies have all of their dependencies set correctly 14:43:17 add an extra step to the manual process to clone project-config and copy/link there? 14:43:24 ttx: yes, I've done that for one tag this week and it seemed to work fine, but you know how many edge cases there are 14:43:53 dhellmann: hmm 14:44:18 how are we getting the right deps in venv there.. let me check 14:44:23 fungi : it should only be necessary to check it out once, as long as that repo is dept up to date 14:44:37 ttx: there's a requirements.txt file in the jenkins/scripts/release-tools directory 14:44:57 the scripts don't create their own virtualenv, because when they run on the secure node they need to use system packages 14:44:59 ah. 14:45:05 I'll need to get help setting that up when I define the job 14:45:47 dhellmann: maybe update the instructions at the top of the README then 14:45:54 so theoretically you *should* be able to do the same thing you do now 14:45:56 good idea 14:46:34 just need to create an additional venv under that project-config subdir 14:46:53 ttx: I'm ok holding off on deleting the files until we get back from ann arbor next week, if you'd prefer that 14:46:57 right, we don't want to be pip installing anything on that machine if we can help it 14:47:08 even in a venv 14:47:26 dhellmann: I'm fine approving the move if the instructions are clear enough for me to be able to survive it 14:47:29 yeah, I'm fairly sure we established that all of these things are available in system packages, so we just need to use pip for manual runs 14:47:30 (well, more that we don't want to be _using_ pip-installed anything on that machine with access to the private key) 14:47:37 ttx: ok, I'll work on that 14:48:15 fungi : yep 14:48:30 we have a couple of other quick items 14:48:32 reduces the number of parties we need to trust with the ability to backdoor us to our cloud provider, our distro, and our team 14:48:58 when the time comes, I'll just need a pointer to an example of how to declare those dependencies properly. I guess using bindep? 14:49:53 for this we're using puppet, but we can just put a list of package names into the puppet manifest 14:50:03 sounds good 14:50:07 #topic stop merging tags 14:50:12 i'm happy to add them as long as you give me a list of the names of teh packages on ubuntu trusty 14:50:13 #link https://review.openstack.org/#/c/333421/ 14:50:33 fungi : ok, I'll work that list out when I sit down to write the job 14:50:57 so this is the project-config patch to remove the job for merging tags from stable branches into master 14:51:00 so we have consensus on 333421? 14:51:15 That was my impression of the ML discussion, yes. 14:51:58 since mordred and ttx were the original drivers for that being added, and have both expressed consent, and i don't see any dissent, i'm happy to merge it now or whenever you want it to land 14:52:12 now seems as good a time as any :-) 14:52:26 fire in the hole 14:52:32 we definitely want it before we start doing final tags this cycle 14:52:34 cool 14:52:39 one more item 14:52:45 #topic pbr / reno integration 14:52:49 #link https://review.openstack.org/#/c/330814/ 14:53:07 there's something weird going on with the integration job there, and I need to look into it 14:53:15 but reviews are welcome in the mean time 14:53:50 and that's it for the formal agenda 14:53:53 #topic open discussion 14:54:24 note for the record: all 3 of the release team are traveling next week 14:54:43 I included that in the countdown email yesterday 14:55:13 I'll try to do some releases monday morning before going to the airport, and I don't know what the break schedule for the leadership training thing is going to be like 14:55:52 if there's nothing else we can stop a few minutes early 14:56:00 i got nothin' 14:56:37 ok, good time before my next meeting :-) 14:56:39 thanks everyone! 14:56:51 #endmeeting