Re: CI and PRs
As Marco has open sourced the bulk of the CI infrastructure donated from Amazon to the community, I would like to raise the recommendation that the community takes action to help volunteers working on the CI have a better experience. In the past, it's my impression that there hasn't been much action granting PMC or committer privileges to engineers volunteering to help CI other than Marco. This would encourage more contributions and help expedite critical fixes and corrective actions. I think this has not properly enabled those individuals to be as effective as they could, as well as the lack of recognition for such a critical activity. I'm not sure about the cause but I believe this is something that should be rectified for future contributions and help on the CI front if improvements are desired. In spanish we have a saying: "es de bien nacido ser agradecido". Pedro. On Fri, Aug 16, 2019 at 4:03 PM Pedro Larroy wrote: > Hi Aaron. This is difficult to diagnose, because I don't know what to do > when the hash of the layer in docker doesn't match and decides to rebuild > it. the r script seems not to have changed. I have observed this in the > past and I think is due to bugs in docker. Maybe Kellen is able to give > some tips here. > > In this case you should use -R which is already in master. (you can always > copy the script on top if you are in an older revision). > > Another thing that worked for me in the past was to completely nuke the > docker cache, so it redonwloads from the CI repo. After that it worked fine > in some cases. > > These two workarounds are not ideal, but should unblock you. > > Pedro. > > On Fri, Aug 16, 2019 at 11:39 AM Aaron Markham > wrote: > >> Is -R already in there? >> >> Here's an example of it happening to me right now I am making >> minor changes to the runtime_functions logic for handling the R docs >> output. I pull the fix, then run the container, but I see the R deps >> layer re-running. I didn't touch that. Why it that running again? >> >> From https://github.com/aaronmarkham/incubator-mxnet >>f71cc6d..deec6aa new_website_pipeline_2_aaron_rdocs -> >> origin/new_website_pipeline_2_aaron_rdocs >> Updating f71cc6d..deec6aa >> Fast-forward >> ci/docker/runtime_functions.sh | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> (base) ubuntu@ip-172-31-47-182:~/aaron/ci$ ./build.py >> --docker-registry mxnetci --platform ubuntu_cpu_r >> --docker-build-retries 3 --shm-size 500m /work/runtime_functions.sh >> build_r_docs >> build.py: 2019-08-16 18:34:44,639Z INFO MXNet container based build tool. >> build.py: 2019-08-16 18:34:44,641Z INFO Docker cache download is >> enabled from registry mxnetci >> build.py: 2019-08-16 18:34:44,641Z INFO Loading Docker cache for >> mxnetci/build.ubuntu_cpu_r from mxnetci >> Using default tag: latest >> latest: Pulling from mxnetci/build.ubuntu_cpu_r >> Digest: >> sha256:7dc515c288b3e66d96920eb8975f985a501bb57f70595fbe0cb1c4fcd8d4184b >> Status: Downloaded newer image for mxnetci/build.ubuntu_cpu_r:latest >> build.py: 2019-08-16 18:34:44,807Z INFO Successfully pulled docker cache >> build.py: 2019-08-16 18:34:44,807Z INFO Building docker container >> tagged 'mxnetci/build.ubuntu_cpu_r' with docker >> build.py: 2019-08-16 18:34:44,807Z INFO Running command: 'docker build >> -f docker/Dockerfile.build.ubuntu_cpu_r --build-arg USER_ID=1000 >> --build-arg GROUP_ID=1000 --cache-from mxnetci/build.ubuntu_cpu_r -t >> mxnetci/build.ubuntu_cpu_r docker' >> Sending build context to Docker daemon 289.8kB >> Step 1/15 : FROM ubuntu:16.04 >> ---> 5e13f8dd4c1a >> Step 2/15 : WORKDIR /work/deps >> ---> Using cache >> ---> afc2a135945d >> Step 3/15 : COPY install/ubuntu_core.sh /work/ >> ---> Using cache >> ---> da2b2e7f35e1 >> Step 4/15 : RUN /work/ubuntu_core.sh >> ---> Using cache >> ---> d1e88b26b1d2 >> Step 5/15 : COPY install/deb_ubuntu_ccache.sh /work/ >> ---> Using cache >> ---> 3aa97dea3b7b >> Step 6/15 : RUN /work/deb_ubuntu_ccache.sh >> ---> Using cache >> ---> bec503f1d149 >> Step 7/15 : COPY install/ubuntu_r.sh /work/ >> ---> c5e77c38031d >> Step 8/15 : COPY install/r.gpg /work/ >> ---> d8cdbf015d2b >> Step 9/15 : RUN /work/ubuntu_r.sh >> ---> Running in c6c90b9e1538 >> ++ dirname /work/ubuntu_r.sh >> + cd /work >> + echo 'deb http://cran.rstudio.com/bin/linux/ubuntu trusty/' >> + apt-key add r.gpg >> OK >> + add-apt-repository 'deb [arch=amd64,i386] >> https://cran.rstudio.com/bin/linux/ubuntu xenial/' >> + apt-get update >> Ign:1 http://cran.rstudio.com/bin/linux/ubuntu trusty/ InRelease >> >> On Fri, Aug 16, 2019 at 11:32 AM Pedro Larroy >> wrote: >> > >> > Also, I forgot, another workaround is that I added the -R flag to the >> build >> > logic (build.py) so the container is not rebuilt for manual use. >> > >> > On Fri, Aug 16, 2019 at 11:18 AM Pedro Larroy < >> pedro.larroy.li...@gmail.com> >> > wrote: >> > >> > > >> > > Hi Aaron. >> > > >> > > As Marco explained, if you are in master the cache usu
Re: CI and PRs
I've heard this request multiple times and so far, I'm having issues understanding the direct correlation between having committer permissions and being able to manage CI. When I designed the CI, one of the tenets was maintainability and accessbility for the community: I wanted to avoid that somebody needs certain privileges in order to execute regular actions. The result was the strong usage of Jenkinsfiles, Dockerfiles and the runtime functions. The combination of these techniques allowed somebody to create a job from the process flow level (Jenkinsfile), over the environment level (Dockerfile) to the individual action level (runtime functions). This design basically gives the community full access over the entire flow. The jobs that are configured to source only Jenkinsfile. Jenkins supports a lot of different ways how to define pipelines, but I have made sure to encourage everybody to use only Jenkinsfiles. This makes sure that no configuration is done in the web-interface. This firs of all alleviates the permission issue since there's literally no config in the web interface and second it allows auditing since all changes have to be done in the MXNet GitHub repository. Committers have elevated permissions in Jenkins. These contain the permission to run, stop and configure jobs. All other permissions are restricted to system administrators for the sake of ensuring stability of the system. On the dev-CI on the other hand, we're happy to add people so they can experiment as much as they want. The transition to prod-CI is then assisted by me to ensure smooth operations and adhering to the best practices (like using our Jenkinsfiles and Docker structure, for example). The only case where somebody would need elevated permissions is if they would like to change system settings. But at that point, we're talking about instance settings and AWS account configuration. Since that now reaches into the next permission level, which is restricted to the donor of the CI system - Amazon Web Services - this is something that not even PMC members will receive. The same policy is in place for the official Apache CI: Committers/PMCs can configure their job, but don't have system level access to either Jenkins or the underlying AWS account for obvious reasons. We're trying to stay in line with the same policy, but in the past I've granted Jenkins administrator access to people who required elevated access to properly do their job - Aaron Markham with regards to the website being one example. This means that the only case when a contributor needs committer assistance is the moment when somebody would like to set up a new Jenkins job. It would be a matter of setting up the job to point to the persons branch - Jenkins will then automatically pull the Jenkinsfile and thus no further configuration is necessary and updates are directly consumed. Such a request IMO is on the same level as us having to cut a ticket to Apache INFRA to create a new job. With regards to speed: So far, I was the only "CI-Person" with committer privileges. But due to our 4-eye-rule for PRs, I wasn't able to merge my own changes anyways - most of them were reviewed by Sheng, for example. In an emergency, I'm sure that somebody can be reached to assist since we currently have 39 PMC members and 20 committers spanning multiple timezones. For these reasons, I don't agree with the sentiment that contributors are unable to effectively work with the CI system unless they have committer privileges. Best regards, Marco On Fri, Aug 23, 2019 at 10:33 AM Pedro Larroy wrote: > As Marco has open sourced the bulk of the CI infrastructure donated from > Amazon to the community, I would like to raise the recommendation that the > community takes action to help volunteers working on the CI have a better > experience. In the past, it's my impression that there hasn't been much > action granting PMC or committer privileges to engineers volunteering to > help CI other than Marco. This would encourage more contributions and help > expedite critical fixes and corrective actions. I think this has not > properly enabled those individuals to be as effective as they could, as > well as the lack of recognition for such a critical activity. I'm not sure > about the cause but I believe this is something that should be rectified > for future contributions and help on the CI front if improvements are > desired. > > In spanish we have a saying: "es de bien nacido ser agradecido". > > Pedro. > > On Fri, Aug 16, 2019 at 4:03 PM Pedro Larroy > > wrote: > > > Hi Aaron. This is difficult to diagnose, because I don't know what to do > > when the hash of the layer in docker doesn't match and decides to rebuild > > it. the r script seems not to have changed. I have observed this in the > > past and I think is due to bugs in docker. Maybe Kellen is able to give > > some tips here. > > > > In this case you should use -R which is already in master. (you can > always > > copy the sc
Re: CI and PRs
Thanks for your response Marco, I think you have totally missed my original point which was basically that someone volunteering effort on the CI is as important as someone contributing a feature. From my perspective this hasn't been the case, and we had to rely a lot on you and Sheng to submit fixes which required access, also to relay communication with Apache infra. Also in many cases we had to rely on you to channel fixes, PRs, disable tests etc. If the community is fine having this kind of bottleneck, fine with me. From my point of view and the feedback from myself and other people which contributed to CI this was not always a good experience. Having a welcoming and inclusive community is very important. I don't want to start a discussion on this, but invite the community to do a bit of soul searching on this topic, now that the infrastructure is open source. Also I find surprising that you claim that you designed the CI yourself, when this was a joint work of many individuals, including the old Apache CI and additional contributions and code reviewers, people who were oncall for this service or the autoscaling approach which if I remember correctly came from a humble servant. Kellen did a lot of pair programming and code reviews. Obviously you have a done a lot of work on CI which has had a huge positive impact on the project and your recognition is well deserved. The technical details you mention on your email are perfectly true and valid. Below is a rough list of individuals who contributed to CI, I would like to thank all of them since without this work, we wouldn't be able to deliver with the quality that we have done in the past. pllarroy@mac:0: ~/d/m/ci [fc_higher_order_grad_2]> git log --pretty=format:%aN . | sort | uniq -c | sort -n | tail -n 10 6 Zach Kimberg 6 stu1130 7 Jake Lee 8 Aaron Markham 11 Lanking 12 Anton Chernov 13 perdasilva 26 Kellen Sunderland 34 Marco de Abreu 46 Pedro Larroy pllarroy@mac:0: ~/d/mxnet_ci_general [master]> git log --pretty=format:%aN | sort | uniq -c | sort -n 1 Gavin M. Bell 1 de Abreu 6 Bair 7 Kellen Sunderland 8 Jose Luis Contreras 14 perdasilva 20 Per Goncalves da Silva 29 Anton Chernov 39 Chance Bair 96 Pedro Larroy 209 Marco de Abreu Pedro. On Fri, Aug 23, 2019 at 3:18 PM Marco de Abreu wrote: > I've heard this request multiple times and so far, I'm having issues > understanding the direct correlation between having committer permissions > and being able to manage CI. > > When I designed the CI, one of the tenets was maintainability and > accessbility for the community: I wanted to avoid that somebody needs > certain privileges in order to execute regular actions. The result was the > strong usage of Jenkinsfiles, Dockerfiles and the runtime functions. The > combination of these techniques allowed somebody to create a job from the > process flow level (Jenkinsfile), over the environment level (Dockerfile) > to the individual action level (runtime functions). This design basically > gives the community full access over the entire flow. > > The jobs that are configured to source only Jenkinsfile. Jenkins supports a > lot of different ways how to define pipelines, but I have made sure to > encourage everybody to use only Jenkinsfiles. This makes sure that no > configuration is done in the web-interface. This firs of all alleviates the > permission issue since there's literally no config in the web interface and > second it allows auditing since all changes have to be done in the MXNet > GitHub repository. > > Committers have elevated permissions in Jenkins. These contain the > permission to run, stop and configure jobs. All other permissions are > restricted to system administrators for the sake of ensuring stability of > the system. On the dev-CI on the other hand, we're happy to add people so > they can experiment as much as they want. The transition to prod-CI is then > assisted by me to ensure smooth operations and adhering to the best > practices (like using our Jenkinsfiles and Docker structure, for example). > > The only case where somebody would need elevated permissions is if they > would like to change system settings. But at that point, we're talking > about instance settings and AWS account configuration. Since that now > reaches into the next permission level, which is restricted to the donor of > the CI system - Amazon Web Services - this is something that not even PMC > members will receive. The same policy is in place for the official Apache > CI: Committers/PMCs can configure their job, but don't have system level > access to either Jenkins or the underlying AWS account for obvious reasons. > We're trying to stay in line with the same policy, but in the past I've > granted Jenkins administrator access to people who required elevated access > to properly do their job - Aaron Markham with regards to the website being > one example. > > This means that the only case when a contributor
Re: CI and PRs
Pedro, I don’t see where Marco says that he “designed and implemented all aspects of CI by himself”. I do think, however, that it’s fair to say that Marco was in charge of the design and most likely made the majority of design decisions as the CI was being built, especially around those tenents that he mentioned. I know this because before I submitted Marco as a committer, I asked some his teammates whether Marco was really responsible for CI and the answer by all I asked were that CI was Marco's baby and he did most of it by some large margin (I am paraphrasing). Taking other design inputs and examples (i.e. Apache CI) is all part of any responsible design process. In addition, I am not understanding the obfuscation of “people who contributed to CI”, “person/people who designed CI”, or even "person who oversees CI" as it is weaponized in your email. Again, nowhere did Marco say that he did everything back then or since then. I don't think it's fair to try to modify what Marco wrote and then try to turn it against him. Reminds me of the techniques of network news these days, quite frankly (whichever side you're "on" doesn't matter, because both sides do it). -Chris On Fri, Aug 23, 2019 at 3:56 PM Pedro Larroy wrote: > Thanks for your response Marco, I think you have totally missed my original > point which was basically that someone volunteering effort on the CI is as > important as someone contributing a feature. From my perspective this > hasn't been the case, and we had to rely a lot on you and Sheng to submit > fixes which required access, also to relay communication with Apache infra. > Also in many cases we had to rely on you to channel fixes, PRs, disable > tests etc. If the community is fine having this kind of bottleneck, fine > with me. From my point of view and the feedback from myself and other > people which contributed to CI this was not always a good experience. > Having a welcoming and inclusive community is very important. I don't want > to start a discussion on this, but invite the community to do a bit of soul > searching on this topic, now that the infrastructure is open source. > > Also I find surprising that you claim that you designed the CI yourself, > when this was a joint work of many individuals, including the old Apache CI > and additional contributions and code reviewers, people who were oncall for > this service or the autoscaling approach which if I remember correctly came > from a humble servant. Kellen did a lot of pair programming and code > reviews. Obviously you have a done a lot of work on CI which has had a huge > positive impact on the project and your recognition is well deserved. The > technical details you mention on your email are perfectly true and valid. > > Below is a rough list of individuals who contributed to CI, I would like to > thank all of them since without this work, we wouldn't be able to deliver > with the quality that we have done in the past. > > > pllarroy@mac:0: ~/d/m/ci [fc_higher_order_grad_2]> git log > --pretty=format:%aN . | sort | uniq -c | sort -n | tail -n 10 >6 Zach Kimberg >6 stu1130 >7 Jake Lee >8 Aaron Markham > 11 Lanking > 12 Anton Chernov > 13 perdasilva > 26 Kellen Sunderland > 34 Marco de Abreu > 46 Pedro Larroy > > pllarroy@mac:0: ~/d/mxnet_ci_general [master]> git log --pretty=format:%aN > | sort | uniq -c | sort -n >1 Gavin M. Bell >1 de Abreu >6 Bair >7 Kellen Sunderland >8 Jose Luis Contreras > 14 perdasilva > 20 Per Goncalves da Silva > 29 Anton Chernov > 39 Chance Bair > 96 Pedro Larroy > 209 Marco de Abreu > > > > Pedro. > > On Fri, Aug 23, 2019 at 3:18 PM Marco de Abreu > wrote: > > > I've heard this request multiple times and so far, I'm having issues > > understanding the direct correlation between having committer permissions > > and being able to manage CI. > > > > When I designed the CI, one of the tenets was maintainability and > > accessbility for the community: I wanted to avoid that somebody needs > > certain privileges in order to execute regular actions. The result was > the > > strong usage of Jenkinsfiles, Dockerfiles and the runtime functions. The > > combination of these techniques allowed somebody to create a job from the > > process flow level (Jenkinsfile), over the environment level (Dockerfile) > > to the individual action level (runtime functions). This design basically > > gives the community full access over the entire flow. > > > > The jobs that are configured to source only Jenkinsfile. Jenkins > supports a > > lot of different ways how to define pipelines, but I have made sure to > > encourage everybody to use only Jenkinsfiles. This makes sure that no > > configuration is done in the web-interface. This firs of all alleviates > the > > permission issue since there's literally no config in the web interface > and > > second it allows auditing since all changes have to be done in the MXNet > > GitHub repository. > > > > C
Pull Request review bot
Hello dev@, at the moment, the user experience when submitting a Pull Request has quite a few issues and discourages people from further contributions. To improve the situation, I made a design for a Pull Request review bot that will introduce a process for PRs and also assist maintaining it. I'd appreciate it if everyone could review my design [1] and give some feedback. Thanks in advance! Best regards, Marco [1]: https://cwiki.apache.org/confluence/display/MXNET/Pull+Request+review+bot
