[tripleo] moving tripleo-ipsec to independent release model
hello TripleO, per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1]. The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!). Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4]. Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue. If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo. please voice any objections here or go and comment on the proposal at [6] thanks for reading! regards, marios [1] https://review.opendev.org/c/openstack/releases/+/772570 [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... [4] https://review.opendev.org/c/openstack/releases/+/772995 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... [6] https://review.opendev.org/c/openstack/releases/+/775395
Hi, On Fri, Feb 12, 2021 at 3:32 PM Marios Andreou <marios@redhat.com> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
The plan is to support any new tripleo-ipsec release on all supported openstack releases or just for master? Just be aware that by default RDO follows stable branches for stable releases as it's not recommended to follow master branches in stable releases (although it may be justified in some cases). For projects with independent model you have two options to specify the version used on each stable release: - Adding it to upper-constraints.txt as RDO follows the versions listed in that file. - Pinning to specific commit or tag in rdoinfo for each release and manually proposing version bumps when needed. Independent releases need a bit more attention in terms of deciding which version to use on each RDO release, I'm not saying it's a blocker but something to take into account after moving it to independent. Regards, Alfredo thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstacreleasereleasek/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... [4] https://review.opendev.org/c/openstack/releases/+/772995 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... [6] https://review.opendev.org/c/openstack/releases/+/775395
On Fri, Feb 12, 2021 at 5:22 PM Alfredo Moralejo Alonso <amoralej@redhat.com> wrote:
Hi,
On Fri, Feb 12, 2021 at 3:32 PM Marios Andreou <marios@redhat.com> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
The plan is to support any new tripleo-ipsec release on all supported openstack releases or just for master?
honestly I don't expect many/any release requests here. After a while we can likely move this to retirement if no one is using and or maintaining it. But to answer your question and in the general case for any repo, 'I guess not' i.e. we would likely pin for each release as you propose below.
Just be aware that by default RDO follows stable branches for stable releases as it's not recommended to follow master branches in stable releases (although it may be justified in some cases). For projects with independent model you have two options to specify the version used on each stable release:
- Adding it to upper-constraints.txt as RDO follows the versions listed in that file. - Pinning to specific commit or tag in rdoinfo for each release and manually proposing version bumps when needed.
Independent releases need a bit more attention in terms of deciding which version to use on each RDO release, I'm not saying it's a blocker but something to take into account after moving it to independent.
thanks very much for your helpful comments. I think pinning is the way to go here. For this particular repo I don't expect much/any activity to be honest so the overhead of updating/bumping versions will be minimal/non existent. Can you point me to the file and I'll propose a review with the commits? thanks, marios
Regards,
Alfredo
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstacreleasereleasek/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... [4] https://review.opendev.org/c/openstack/releases/+/772995 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... [6] https://review.opendev.org/c/openstack/releases/+/775395
On Mon, Feb 15, 2021 at 8:49 AM Marios Andreou <marios@redhat.com> wrote:
On Fri, Feb 12, 2021 at 5:22 PM Alfredo Moralejo Alonso < amoralej@redhat.com> wrote:
Hi,
On Fri, Feb 12, 2021 at 3:32 PM Marios Andreou <marios@redhat.com> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
The plan is to support any new tripleo-ipsec release on all supported openstack releases or just for master?
honestly I don't expect many/any release requests here. After a while we can likely move this to retirement if no one is using and or maintaining it. But to answer your question and in the general case for any repo, 'I guess not' i.e. we would likely pin for each release as you propose below.
Just be aware that by default RDO follows stable branches for stable releases as it's not recommended to follow master branches in stable releases (although it may be justified in some cases). For projects with independent model you have two options to specify the version used on each stable release:
- Adding it to upper-constraints.txt as RDO follows the versions listed in that file. - Pinning to specific commit or tag in rdoinfo for each release and manually proposing version bumps when needed.
Independent releases need a bit more attention in terms of deciding which version to use on each RDO release, I'm not saying it's a blocker but something to take into account after moving it to independent.
thanks very much for your helpful comments. I think pinning is the way to go here. For this particular repo I don't expect much/any activity to be honest so the overhead of updating/bumping versions will be minimal/non existent. Can you point me to the file and I'll propose a review with the commits?
For victoria: https://github.com/redhat-openstack/rdoinfo/blob/master/tags/victoria.yml#L1... you need to add (check for examples in the same file): source-branch: <hash or tag> Similar for ussuri.yml and train.yml under tags folder. thanks, marios
Regards,
Alfredo
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstacreleasereleasek/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... [4] https://review.opendev.org/c/openstack/releases/+/772995 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... [6] https://review.opendev.org/c/openstack/releases/+/775395
On Mon, Feb 15, 2021 at 12:07 PM Alfredo Moralejo Alonso < amoralej@redhat.com> wrote:
On Mon, Feb 15, 2021 at 8:49 AM Marios Andreou <marios@redhat.com> wrote:
On Fri, Feb 12, 2021 at 5:22 PM Alfredo Moralejo Alonso < amoralej@redhat.com> wrote:
Hi,
On Fri, Feb 12, 2021 at 3:32 PM Marios Andreou <marios@redhat.com> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
The plan is to support any new tripleo-ipsec release on all supported openstack releases or just for master?
honestly I don't expect many/any release requests here. After a while we can likely move this to retirement if no one is using and or maintaining it. But to answer your question and in the general case for any repo, 'I guess not' i.e. we would likely pin for each release as you propose below.
Just be aware that by default RDO follows stable branches for stable releases as it's not recommended to follow master branches in stable releases (although it may be justified in some cases). For projects with independent model you have two options to specify the version used on each stable release:
- Adding it to upper-constraints.txt as RDO follows the versions listed in that file. - Pinning to specific commit or tag in rdoinfo for each release and manually proposing version bumps when needed.
Independent releases need a bit more attention in terms of deciding which version to use on each RDO release, I'm not saying it's a blocker but something to take into account after moving it to independent.
thanks very much for your helpful comments. I think pinning is the way to go here. For this particular repo I don't expect much/any activity to be honest so the overhead of updating/bumping versions will be minimal/non existent. Can you point me to the file and I'll propose a review with the commits?
For victoria:
https://github.com/redhat-openstack/rdoinfo/blob/master/tags/victoria.yml#L1...
you need to add (check for examples in the same file):
source-branch: <hash or tag>
Similar for ussuri.yml and train.yml under tags folder.
thank you - posted there https://review.rdoproject.org/r/#/c/31975/ In some cases used the stable/branch since it is newer than the latest tagged version for that branch. thanks,marios
thanks, marios
Regards,
Alfredo
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstacreleasereleasek/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... [4] https://review.opendev.org/c/openstack/releases/+/772995 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... [6] https://review.opendev.org/c/openstack/releases/+/775395
Is this thing still even used? I thought it was a temporary thing until TLS everywhere was finished. If it's not used we should just retire it. On Fri, Feb 12, 2021 at 7:35 AM Marios Andreou <marios@redhat.com> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstack/releases/+/772570 [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... [4] https://review.opendev.org/c/openstack/releases/+/772995 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... [6] https://review.opendev.org/c/openstack/releases/+/775395
I have been in pre-deployment discussions with a couple of operators over the last 18 months or so when it came up. I think the intent was to use IPSEC hardware offload using the NIC, but I don't know if they ended up using TLS in production once they learned that TLS was a vastly more common option. I think at the very least the presence of the IPSEC code and the fact that it's being maintained gives the impression that it is a valid option. There may be environments where IPSEC is used outside the OpenStack deployment, and a desire for consistency. There may even be some operators that would want to use both for the added layers of defense, possibly using IPSEC offload to offset the performance impact. I wouldn't be against deprecating it, but I think that the IPSEC code still has some mind-share. -Dan On 2/15/21 6:39 AM, Alex Schultz wrote:
Is this thing still even used? I thought it was a temporary thing until TLS everywhere was finished. If it's not used we should just retire it.
On Fri, Feb 12, 2021 at 7:35 AM Marios Andreou <marios@redhat.com <mailto:marios@redhat.com>> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstack/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master <https://opendev.org/openstack/tripleo-ipsec/commits/branch/master> [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h... <http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.html> [4] https://review.opendev.org/c/openstack/releases/+/772995 <https://review.opendev.org/c/openstack/releases/+/772995> [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel... <http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2021-02-12.log.html> [6] https://review.opendev.org/c/openstack/releases/+/775395 <https://review.opendev.org/c/openstack/releases/+/775395>
On Tue, Feb 16, 2021 at 1:20 AM Dan Sneddon <dsneddon@redhat.com> wrote:
I have been in pre-deployment discussions with a couple of operators over the last 18 months or so when it came up. I think the intent was to use IPSEC hardware offload using the NIC, but I don't know if they ended up using TLS in production once they learned that TLS was a vastly more common option.
I think at the very least the presence of the IPSEC code and the fact that it's being maintained gives the impression that it is a valid option. There may be environments where IPSEC is used outside the OpenStack deployment, and a desire for consistency. There may even be some operators that would want to use both for the added layers of defense, possibly using IPSEC offload to offset the performance impact.
I wouldn't be against deprecating it, but I think that the IPSEC code still has some mind-share.
Thanks for the input Dan - more comments in response to Alex below:
-Dan
On 2/15/21 6:39 AM, Alex Schultz wrote:
Is this thing still even used? I thought it was a temporary thing until TLS everywhere was finished. If it's not used we should just retire it.
o/ good question. The repo hasn't had any action in over a year (ignoring top two commits to tox.ini). We do carry a tripleo-heat-templates file for it @ [1] and environment [2] so there may well be folks using it. However as noted by Dan we really *should* deprecate it if no-one is maintaining this code. Right now we need to move to independent, both to unblock the release jobs, but also so that we as tripleo are no longer required to create a stable branch for this repo. We can still tag a version if that is needed by someone, but no longer tied to a particular release/branch. Moving forward we can start a conversation around deprecating and ultimately removing it in the next cycle, assuming there are no objections to that (i.e. folks using that). regards, marios [1] https://opendev.org/openstack/tripleo-heat-templates/src/commit/8d612ea015c0... [2] https://opendev.org/openstack/tripleo-heat-templates/src/commit/8d612ea015c0...
On Fri, Feb 12, 2021 at 7:35 AM Marios Andreou <marios@redhat.com <mailto:marios@redhat.com>> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstack/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master <https://opendev.org/openstack/tripleo-ipsec/commits/branch/master> [3]
http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h...
<
http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h...
[4] https://review.opendev.org/c/openstack/releases/+/772995 <https://review.opendev.org/c/openstack/releases/+/772995> [5]
http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel...
<
http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel...
[6] https://review.opendev.org/c/openstack/releases/+/775395 <https://review.opendev.org/c/openstack/releases/+/775395>
participants (4)
-
Alex Schultz
-
Alfredo Moralejo Alonso
-
Dan Sneddon
-
Marios Andreou