#kimchi log

13:00:10 <aglitke> #startmeeting
13:00:10 <kimchi-bot> Meeting started Wed Jul 31 13:00:10 2013 UTC.  The chair is aglitke. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:10 <kimchi-bot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:00:17 <aglitke> #meetingname scrum
13:00:17 <kimchi-bot> The meeting name has been set to 'scrum'
13:00:33 <AdamKingIT> Yes. I made the req, I'll fup and get it
13:00:46 <aglitke> Hi everyone :)  Thanks for joining the scrum.
13:00:52 <aglitke> #info Agenda
13:01:06 <aglitke> #info Build system and rename changes
13:01:27 <aglitke> #info Planning for the September Release
13:01:44 <aglitke> #info Roundtable / Open Discussion
13:01:49 <aglitke> Anything else?
13:02:05 <zhoumeina> can we talk about what browser we support?
13:02:22 <zhoumeina> and version
13:02:36 <aglitke> sure... added.
13:02:45 <alinefm> more people reviewing patches
13:02:47 <alinefm> ?
13:02:59 <aglitke> alinefm: Yes.  I might as well just mention that now.
13:03:25 <aglitke> Right now our model for the most part is that everyone submits patches and I review and apply them when I have time.
13:03:43 <aglitke> There are some exceptions and a few people who are reviewing more code.
13:03:59 <aglitke> What I would like to see is more patch series being reviewed by multiple people.
13:04:14 <aglitke> Especially the more complex series that implement larger features.
13:04:33 <aglitke> It's hard for me to catch everything and review everything.
13:04:51 <sming> aglitke, agree.
13:05:00 <zhoumeina> there is a problem that we UI developers don't understand the backend logic,
13:05:05 <alinefm> as with more people reviewing patches they can come upstream faster
13:05:08 <aglitke> So I will ask everyone to give me a hand with reviews.  It will make all of our patches flow into the tree faster.
13:05:12 <zhoumeina> can we do something about it?
13:05:34 <aglitke> zhoumeina: Reviewing patches is one of the best ways to begin to understand new code.
13:05:40 <aglitke> zhoumeina: Start with simple ones.
13:05:50 <aglitke> and you can work to the more complex ones.
13:06:00 <sming> aglitke, do we have a way to honor the people who comments the code but not signed with reviewed-by.
13:06:10 <bing_bu> zhoumeina: I do not think the UI developers should struggling to review the backend code.
13:06:15 <aglitke> I have learned a lot about UI design and code since reviewing lots of patches.
13:06:18 <sming> aglitke, you know give negative comments may take more time.
13:07:17 <aglitke> sming: I am not really going to be tracking it like with ovirt.  In general, when I see someone very actively reviewing code I am more likely to focus review on their work.
13:07:31 <aglitke> So that is one way we can all encourage each other to review more.
13:08:01 <aglitke> If someone reviews your patch, try to find one or more of their patches to review in return.
13:08:37 <aglitke> sming: A positive Reviewed-by should take as much time as negative comments because you are making sure the code will work if it is applied.
13:09:21 <aglitke> ok... I think that covers that topic.
13:09:40 <aglitke> #topic Build system and rename changes
13:10:00 <zhoumeina> what about review by pairs, and take turns
13:10:03 <aglitke> Thanks for bearing with the large changes.  They are behind us now :)
13:10:22 <aglitke> zhoumeina: If that works for you guys then give it a try.
13:10:23 <zhoumeina> hehe
13:10:45 <aglitke> I have pushed two follow-up patches this morning to resolve issues.
13:11:02 <aglitke> One from me to update the readme.  One from shaohef to distribute a missing file.
13:11:47 <aglitke> If anyone else encounters issues feel free to ask here in IRC and we'll find the solution and get the patch merged.
13:11:47 <zhoumeina> I send a patch to update readme
13:12:19 <aglitke> Now that the renames are behind us I will consider some of the other pending patches.
13:12:48 <aglitke> Anything else on this topic?
13:13:13 <aglitke> 1...
13:13:16 <aglitke> 2...
13:13:19 <aglitke> 3...
13:13:21 <aglitke> ok :)
13:13:30 <aglitke> #topic Planning for the September Release
13:13:39 <aglitke> #link https://github.com/kimchi-project/kimchi/wiki/Todo
13:13:55 <aglitke> Everyone, please see the above link.  I would like to step through it.
13:14:15 <aglitke> Category: Guests
13:14:23 <aglitke> display storage usage
13:14:59 <aglitke> As per discussions on the mailing list, since the storage stat is not meaningful we are proposing to remove it.
13:15:01 <alinefm> after our discussion in the mail list I sent a patch to remove it from UI
13:15:13 <bing_bu> aglitke: ACK.
13:15:33 <aglitke> bing_bu: Please respond with that in reply to alinefm's patch
13:15:43 <AdamKingIT> The goal of the KPI section of the UI is to give the admin an idea how the VM is behaving
13:15:51 <alinefm> zhoumeina, I could review it as well. It is UI related
13:15:52 <aglitke> I would like to call on others to participate in this as well.
13:16:01 <shaohef> bing_bu is expert on storage
13:16:16 <AdamKingIT> removing rather than replacing will negativly affect the goal as well as the symetry
13:16:26 <zhoumeina> alinefm: OK
13:16:30 <royce> Sorry for late, caught in the rain...
13:16:36 <aglitke> But the current pegged stats are not suitable for a 1.0 release.
13:16:46 <aglitke> nor is a misleading one.
13:16:46 <AdamKingIT> ie I'd rather replace it than cut it off
13:17:12 <aglitke> AdamKingIT: It's easy to carve out the space again for the box when we have something to put there.
13:17:13 <shaohef> royce: the rain is so heavy.
13:17:26 <shaohef> royce: I come home just now.
13:17:31 <AdamKingIT> so we go back to the 1st goal of presenting the admin an idea of how the VM is performing,. Are there other ways we can achieve that goal?
13:17:50 <royce> shaohef, yes, thunder storm
13:17:55 <aglitke> cpu and screenshots are pretty good.
13:17:59 <alinefm> AdamKingIT, thinking...
13:18:21 <aglitke> libvirt provides other stats APIs
13:18:52 <aglitke> But I wonder if that's the right amount of space allocated to this in the UI anyway.
13:19:21 <AdamKingIT> I suspect cutting down to 1 kpi will throw the symmetry off, but we can look at it if there isn't a better way to communicate an overview
13:19:27 <aglitke> We could divide one of those boxes into thirds and present three bars to indicate the same info in much less space.
13:20:02 <bing_bu> I think the space can be filled with icons of disks
13:20:04 <aglitke> Actually, I miss the compact icon display from the dev ui.
13:20:05 <AdamKingIT> The design has a 'list view' that when implemented will minimize screen real estate consumption, for the more text oriented admin
13:20:11 <zhoumeina> can we make some report about that,  to give a performance score
13:20:39 <royce> what about provide like network flow instead of disk cosupution?
13:20:51 <aglitke> royce: That is an option
13:21:01 <AdamKingIT> the difficulty w/ scores is that you have to explain the score calculation if its not a standard metric to people
13:21:01 <bing_bu> royce: network flow is too complex
13:21:04 <aglitke> storage bandwidth (like a disk led)
13:21:23 <aglitke> maybe we could have disk and network activity lights
13:21:31 <bing_bu> aglitke: do you mean the disk usage activity?
13:21:40 <aglitke> bing_bu: Yes, IO
13:21:44 <aglitke> not capacitty
13:21:57 <AdamKingIT> Sounds promising. The blinky disk light is one of the best user feedback devices ever (IMO)
13:21:57 <bing_bu> Good option, like LED on laptop
13:22:29 <aglitke> but ours would only refresh every 5 sec so we would use a meter instead of a light
13:22:42 <AdamKingIT> right, we'd want to put a # to it
13:23:00 <aglitke> So maybe for now we should blank the boxes for storage and memory kpi
13:23:01 <AdamKingIT> which could be graphed, or shown numerically in the list view mode
13:23:05 <aglitke> but keep them in place?
13:23:40 <bing_bu> aglitke: AdamKingIT: maybe can be a disk histogram
13:24:07 <AdamKingIT> I would leave  them alone until we swap them for something meaningful sometime in the aug iteration
13:24:59 <aglitke> So...I think we should set people off on working this via two angles:  1) blank the current meaningless KPI slots but keep them in the UI 2) Add a 1.0 task for discovering and adding 2 new KPI measures.
13:25:53 <AdamKingIT> by blank, you mean white out that spot in the UI?
13:26:09 <aglitke> Right, no circle with fake number and no title
13:26:15 <aglitke> just the box with background
13:26:26 <aglitke> as if no KPI was selected to occupy that slot yet.
13:26:33 <sming> There?
13:27:01 <AdamKingIT> Selfishly, can we do them in reverse order... Identify the useful KPIs we think we can implement w/out a guest agent, then swap the mocked KPI for the new ones?
13:27:58 <aglitke> OK.  I will defer to the UI team on leaving the mocked numbers in place.
13:28:06 <bing_bu> sorry,what is KPI? ")
13:28:09 <bing_bu> :)
13:28:21 <AdamKingIT> np Key Performance Indicators
13:28:34 <shaohef> got it
13:28:38 <royce> I think the IO and network activity make sense, if we add tune in place, we can see the tune result...
13:28:39 <aglitke> Ok.  On to Templates section
13:28:56 <aglitke> The main one here is local iso scanning,
13:29:08 <aglitke> I want to briefly share an idea I have on how to do this better.
13:29:16 <aglitke> Royce is already working on it.
13:29:19 <aglitke> for the backend.
13:29:47 <aglitke> The idea is that (at first) we only scan Storage Pools for iso images.
13:30:18 <aglitke> The Storage Volume Resource will be extended to include os_distro and os_version and bootable info for volumes that are iso images.
13:30:51 <aglitke> so the UI can synchronously fetch /storagepools/poolid/storagevolumes
13:31:01 <aglitke> and display a UI of found iso images.
13:31:41 <aglitke> in this mode, the user would highlight the iso images (with distro icons) for the isos to be made into templates and click OK
13:31:59 <aglitke> all of those selected will be added as templates and the process is done.
13:32:12 <aglitke> We still want to have a scan mode.
13:32:16 <aglitke> For this.
13:32:37 <aglitke> The UI can call a new API which creates a temporary Storage Pool
13:32:59 <aglitke> The backend will create symlinks to all found ISOs in the the temp Storage Pool Directoryt.
13:33:29 <bing_bu> aglitke: yeah, I discussed with royce about this, it make sense adding some optional additional information for storagevol if it is a ISO.
13:33:34 <aglitke> When this process completes, (or concurrently) the UI can display the same dialog as above but using the temp storage pool instead.
13:33:34 <royce> aglitke, I tried fedora and RHEL6.3 for slnk today, fedora works fine creating vm with slnk iso, but RHEL6.3 fails
13:33:37 <sming> I was wondering if a installed os image can be scanned as a iso image.
13:34:19 <aglitke> sming: I think we'll just identify iso images by filename extension and then by the isoinfo scanner.
13:34:21 <bing_bu> royce: maybe a issue of libvirt
13:34:31 <aglitke> It's an SELinux issue.
13:34:48 <royce> bing_bu, the same parameter with qemu
13:35:05 <aglitke> I wonder if we can install a selinux policy extension or something.
13:35:08 <royce> aglitke, but I have selinux enforced for fedora too?
13:35:20 <aglitke> royce: The policy is probably different.
13:35:27 <aglitke> less hardened.
13:36:00 <aglitke> Anyway... AdamKingIT zhoumeina what do you guys think about this proposal from a UI perspective?
13:36:10 <royce> I'm not sure, I started with qemu-kvm --cdrom symlink, it works
13:36:35 <aglitke> royce: I think libvirt might be configured to drop permissions.
13:36:37 <royce> but with the parameter formed by our template, qemu fails
13:36:38 <zhoumeina> Ui should show a brief information about each ISO just like cpu memory ,so the user will easily select the one he wants
13:37:03 <sming> aglitke, not sure what is the temp storage pool.  When will the pool be removed.
13:37:03 <aglitke> zhoumeina: I was thinking we could show distro and version plus the icon.
13:37:13 <AdamKingIT> I think the approach will work pretty well
13:37:26 <zhoumeina> aglitke: I agree
13:37:35 <AdamKingIT> Seems like we can use it to implement the mockup as is
13:37:49 <aglitke> sming: We can have the UI remove it and maybe also have a timeout when it will be removed.
13:37:52 <sming> aglitke, When will the pool be removed if it is a temp one?
13:38:05 <AdamKingIT> Only issue I can think is how the temp storage pool gets cleaned up
13:38:35 <royce> remove and rescan is time consuming
13:38:58 <aglitke> interesting.
13:38:59 <royce> We can rescan when forced by user
13:39:00 <AdamKingIT> We could/should clean up the temp pool when the user session ends
13:39:13 <aglitke> maybe we can just have a "special" storage pool called kimchi-isos
13:39:22 <bing_bu> why not reserve the temp pool but invisible for user?
13:39:25 <aglitke> that never goes away
13:39:30 <aglitke> a scan just refreshes it.
13:39:44 <bing_bu> yeah, refresh the pool
13:39:45 <aglitke> to refresh, first you remove any links that are broken
13:39:47 <royce> +1
13:39:50 <aglitke> then you scan for new ones.
13:39:51 <AdamKingIT> The nice think about the temp pool is that 2 admins can scan diff areas and get diff results
13:40:04 <AdamKingIT> 2 scans, 2 temp pools
13:40:07 <aglitke> AdamKingIT: true
13:40:17 <aglitke> also you can have concurrent scanning.
13:41:05 <royce> scan diff areas? I assume we don't give user the choice about what directories they will scan
13:41:07 <aglitke> royce: maybe you can implement it in a way that allows us to decide later if we want the temp pool model or the special pool model.
13:41:20 <aglitke> royce: For now, I think we don't
13:41:40 <royce> got u, aglitke
13:41:47 <AdamKingIT> Scan would always scan the whole file system?
13:41:48 <aglitke> There may be two options: 1) scan only local filesystems 2) scan local and network filesystems
13:42:03 <bing_bu> aglitke: I think the feature you mentioned is advanced one :)
13:42:18 <royce> temporarily, yes ,AdamKingIT
13:42:32 <aglitke> AdamKingIT: I can't think of a better way to do it without exposing filesystem heirarchy details to the user.
13:42:49 <aglitke> bing_bu: by net filesystems I mean only those which are currently mounted,.
13:43:00 <bing_bu> royce: no deep scan or shallow scan?
13:43:02 <aglitke> we would not try to discover or mount new ones.
13:43:08 <sming> I think we can look iso images as system resources. And two users scanning process should be serialized .
13:43:10 <bing_bu> aglitke: got it
13:43:24 <AdamKingIT> k, I suggest we design for either, which should be minimal overhead.. and we can decide later...
13:43:33 <aglitke> a shallow scan is the one the UI can do by just looking in existing storage pools
13:43:56 <aglitke> a deep scan is the one that uses the whole fs and a temp storage pool
13:44:02 <AdamKingIT> if scan always scans the whole system, then the special pool will work, If we want to allow diff concurrent scans, then temp pool will be required
13:44:33 <aglitke> the nice thing about a persisting the scan pool is that a future "shallow scan" could look in that pool and benefit from the deep scan.
13:45:00 <aglitke> So royce, I think we need to design with some flexibility in mind.
13:45:15 <aglitke> make it easy to switch between multiple temp pools or a single special pool
13:45:35 <royce> that's reasonable
13:45:56 <zhoumeina> sorry to interrupt, why not share a open folder for iso files? all?
13:46:03 <aglitke> for now I think we start with a special pool that we create in /var/kimchi/kimchi-iso-pool
13:46:22 <aglitke> zhoumeina: Because we cannot move isos around.
13:46:32 <aglitke> we need to leave them where the admin has placed them.
13:47:14 <zhoumeina> aglitke: oh, got it
13:47:15 <aglitke> royce: Also, when you convert an iso from the special pool to the template, the template should use the target of the link, not the special pool for the iso filename.
13:47:28 <aglitke> that way we can delete the special pool without breaking the templates.
13:47:43 <royce> aglitke, yes, of course, some isos with wrong permission also be ignored
13:47:54 <aglitke> ok... We should move on... Looking forward to some patches!
13:48:31 <aglitke> These minutes will be uploaded to the web so we can reference the discussion there.
13:48:57 <aglitke> Is anyone working on authentication?
13:49:16 <zhoumeina> I think not yet
13:49:22 <aglitke> That is a dependency for language selection.
13:49:38 <aglitke> I think we need to start on it if we have any hope of completing it in time for 1.0
13:49:59 <aglitke> AdamKingIT: would you mind leading the charge on this one?
13:51:02 <aglitke> Hmm, no objection! :)
13:51:05 <AdamKingIT> The idea here is that any req to access Kimchi would be met with a forms based authentication chalenge
13:51:35 <AdamKingIT> Authentication would occur through PAM (which I can only spell)
13:51:44 <aglitke> ok.  Will that work in the REST API?
13:51:46 <sming> I think authentication have several meanings,  authentication to REST APIs. authentication on VM operations
13:51:54 <sming> &etc
13:52:04 <AdamKingIT> Authentication is separate from authorization...
13:52:20 <AdamKingIT> For Sept we are just talking about authentication. Authorization is more complicated...
13:52:34 <aglitke> ACK
13:52:49 <bing_bu> authentication means user/passwd, right? ;-)
13:52:56 <sming> So is is just a login authentication to Kimchi UI?
13:53:00 <AdamKingIT> The idea is that to use Kimchi you would have to authenticate with a uid/pwd known to the linux install, and in the admins group
13:53:02 <aglitke> so any authenticated user (in the admin group) has access to do anything on kimchi
13:53:16 <aglitke> sming: REST and UI
13:53:32 <shaohef> AdamKingIT: we need session for  authentication？
13:53:41 <AdamKingIT> if the linux install is configured to authenticate against LDAP then the uid/pwd would be authenticated against that through PAM
13:53:54 <AdamKingIT> Not necessarily, though you need some token...
13:54:05 <sming> aglitke: Thanks. So we need not to consider libvirt authentication to manage VM now.
13:54:21 <AdamKingIT> My xp here is in the J2EE space, but a similar approach could apply here...
13:54:54 <AdamKingIT> Once authenticated the server issues the user a token (stored in a cookie) which must be presented w/ each request for the duration of the token validity
13:55:16 <aglitke> AdamKingIT: Is that how poster works?
13:55:26 <aglitke> The FF extension?
13:55:33 <AdamKingIT> if the token is expired, or not present, the user  is challenged again
13:55:43 <aglitke> I assume the authentication works via a cookie
13:55:44 <AdamKingIT> Not familiar, but I can read up
13:55:52 <aglitke> I can test it out.
13:56:12 <aglitke> Would be cool if you could hack something up and post to the list for us to try.
13:56:14 <alinefm> yeap. I've already implemented it using cookie
13:56:30 <alinefm> when cookie expired the session will finished
13:56:35 <sming> AdamKingIT, how to companion the PAM credentials with REST API calls? How kimchi check those credentials for each REST API?
13:56:39 <aglitke> Once we have this, then we need SSL to avoid sending machine passwords in clear text
13:57:24 <aglitke> AdamKingIT: Wouldn't a REST API user be able to pass credentials as HTTP headers?
13:57:38 <AdamKingIT> The PAM check could be isolated to the authenticate flow, all the other flows look for a valid token
13:57:59 <AdamKingIT> Putting the credentials in the header is basic auth, and generally not considered secure
13:57:59 <aglitke> That's how the BSO challenge works I believe
13:58:14 <aglitke> but if it happens over SSL then it is ok
13:58:52 <AdamKingIT> I am fairly sure that BSO issues you a token
13:59:14 <aglitke> But the first challenge just returns 400 Not authorized
13:59:21 <aglitke> when I use wget
13:59:23 <AdamKingIT> Even over SSL its not considered safe I think because proxies can cache it
13:59:30 <aglitke> hmm
13:59:46 <aglitke> ok... I guess the best thing is for you to send us a prototype to play with
13:59:59 <AdamKingIT> You overestimate my PAM knowledge
14:00:10 <aglitke> I am mostly concerned with the HTTP side
14:00:23 <aglitke> your pam check can just be a 'return True' for now
14:00:52 <aglitke> or 'if user == root and password == passw0rd return true
14:01:01 <aglitke> just to demo the http tech
14:01:08 <aglitke> then we can wire in the pam support next
14:01:15 <AdamKingIT> They'll never crack that one ;-)
14:01:27 <AdamKingIT> Let me look at it and see what I can come up w/
14:01:40 <aglitke> I just want to see how the authentication scheme behaves with standard tools
14:01:44 <aglitke> cool.
14:02:03 <AdamKingIT> I may need a little advice on the server side, the http bits I am good
14:02:06 <aglitke> Well, that brings us to the end of the meeting.  Anyone want to bring up any quick topics?
14:02:25 <zhoumeina> oh
14:02:28 <aglitke> zhoumeina: for browser support.
14:02:35 <zhoumeina> yeah
14:02:39 <aglitke> I think we can add a section in the readme.
14:02:47 <zhoumeina> what kind of , and version
14:02:49 <aglitke> Perhaps it can be:
14:02:57 <aglitke> Supported browsers
14:02:58 <aglitke> ----------------------
14:03:12 <bing_bu> aglitke: what the RFD V2 new adding iscsi and nfs storage support ?https://groups.google.com/forum/#!topic/project-kimchi/2MUTewMEJzg
14:03:12 <aglitke> The following browsers are tested and known to work well with kimchi
14:03:30 <aglitke> zhoumeina: Then set the list to ones we know about
14:03:37 <AdamKingIT> FF 17ESR +, IE 8(?) +, Chrome (version changes so rapidly its hard to pick), Safari (a little less rapid change)
14:03:38 <aglitke> you can send a patch for this
14:03:52 <AdamKingIT> Do we have any constraints from jQuery?
14:03:57 <aglitke> Just say CHrome 56+ :)
14:04:26 <aglitke> bing_bu: I don't know if that is really high prio for 1.0
14:04:31 <AdamKingIT> The Dojo project I work with is constrained by the Dojo version
14:04:41 <aglitke> AdamKingIT: I am not sure.
14:04:44 <AdamKingIT> not sure if jQuery imposes similar
14:04:46 <aglitke> would be good to check.
14:04:55 <zhoumeina> I will check it
14:05:11 <aglitke> zhoumeina: Perhaps you can just add a conservative list to start with and we can modify it later as more info comes in.
14:05:19 <bing_bu> I think it is easier to add than network, so I do this first..
14:06:04 <aglitke> bing_bu: I think we are going to want a UI to manage the storage domains first.
14:06:25 <aglitke> bing_bu: let me look at the patches.
14:06:38 <aglitke> If they are backend only and safe, then they may be mergeable.
14:07:01 <aglitke> ok...  Want to respect everyone's time.  This was a very productive meeting.  Thanks for joining everyone!
14:07:05 <aglitke> #endmeeting