[00:48] [ANN] juju-core 1.9.3 has been released [00:48] https://lists.ubuntu.com/archives/juju-dev/2012-December/000333.html [04:56] davecheney: g'day, i have a problem you might be able to help me solve if you have a moment to take a look. [05:09] wallyworld_: shoot [05:10] davecheney: see https://codereview.appspot.com/6874049/patch/1/7, the TODO about 2/3 of the way down // TODO: WHY DOESN't THIS WORK? [05:10] you may not have an idea of what's wrong. i can't see it right now [05:10] the array ends up filled with the last id [05:11] so if there are 2 servers, the array becomes [id2, id2] instead of [id1, id1] [05:11] [id1, id2] i mean [05:11] wallyworld_: yes, this is one of two gotchas with go [05:11] only 2? [05:11] (the other is also to do with scoping of variables [05:12] (well, two that I consider gotchas) [05:12] so what am i missing? [05:13] i use append elsewhere in similar circumstances and it seems to work [05:13] if you do s := server ; insts = append( ...) [05:13] it will work [05:14] wtf? why? [05:14] hold on, i'll explain [05:14] just looking at why you're doing := range *servers [05:14] ok [05:15] the api returns a pointer to an array of structs [05:15] due to that big discussion i had on irc last week [05:15] about returning nil if the json failed [05:15] ok, i don't want to get into that [05:15] me either :-) [05:15] just providing context [05:16] as to why it is a pointer [05:16] if we break down the for loop, what is happening behind the scenes is you're getting [05:16] var server Nova.server [05:16] for i := 0 ; i < len(*servers); i++ { [05:16] server = *servers[j] [05:16] ... then your code [05:16] } [05:17] (this is part of the explanation) [05:17] *servers[i]? [05:17] do you agree that this can be substituted for the range above [05:17] yes [05:17] with the i [05:17] yes, sorry [05:17] np, just making sure [05:17] so inside each loop iteration it becomes [05:18] server = *servers[i] (hidden) [05:18] insts = append(insts, &instance{e, &server}) [05:19] &server is capturing the address of the local server variable every time [05:19] the same local server variable [05:19] which is why they all end up as the last value assigned to it [05:20] * wallyworld_ thinks [05:21] davecheney: so by doing s := server, it forces a copy to be made? [05:21] yes [05:22] ok, i think i get it. is the moral of the story not to use loop variables in certain circumstances? [05:22] when taking their address [05:22] sadly this is just one thing you have to be ever vigilant for [05:23] right, ok. thanks so much. i wasted a loooong time on this [05:23] sorry, it is one of the rites of passage [05:23] lol [05:24] i still don't feel like Go is "native" just yet, but it's getting there [05:24] that's good to hear [05:24] i'm constantly amazed at how quickly people can pick up the language [05:24] it tells me it's doing something right [05:25] yeah, there's some stuff i don't like, but it's interesting to work with [05:25] wallyworld_: btw, do you feel that any sort of decision was reached about the 'when and how should we meet' discussion ? [05:25] in the meeting I got the impression, and looking at the notes, that the decision to not change anything was made [05:25] my understanding was alternating times 21:00UTC and 09:00UTC [05:25] then the day after Mark posted an email saying we're going to do that [05:26] alternating times ?!
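[Editor's note: a minimal, self-contained sketch of the loop-variable gotcha discussed above at 05:10-05:22; the server type is a hypothetical stand-in for the nova struct. Under the Go semantics current at the time of this log (changed in Go 1.22), a range loop reuses one variable across iterations, so taking its address aliases every iteration.]

    package main

    import "fmt"

    type server struct{ id string }

    func main() {
        servers := []server{{"id1"}, {"id2"}}

        // Buggy: &srv is the address of the single loop variable, so every
        // appended pointer aliases it and sees the last value assigned.
        var wrong []*server
        for _, srv := range servers {
            wrong = append(wrong, &srv)
        }
        fmt.Println(wrong[0].id, wrong[1].id) // id2 id2 (pre-Go 1.22)

        // Fixed, as suggested above: copying into a fresh variable inside
        // the loop body gives each iteration its own address to take.
        var right []*server
        for _, srv := range servers {
            s := srv
            right = append(right, &s)
        }
        fmt.Println(right[0].id, right[1].id) // id1 id2
    }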
[05:26] i read that as two meetings [05:26] it was explained to me as alternating and you would make whichever meeting you could [05:26] or both [05:26] but, alternating every other week ? [05:26] yes [05:27] unless i am mistaken [05:27] so we can go an entire milestone cycle without meeting or feedback ? [05:27] is each milestone cycle 2 weeks? [05:27] i think for you and me we can make both [05:27] you can see we run a pretty loose ship on juju-core, but yes, ish [05:28] to be honest, the current one that is 10pm for me i can make most weeks [05:28] it's 11pm for me [05:28] yeah, DST :-) [05:28] and i'm getting pressure from home [05:28] which i guess is why they changed it [05:29] timezones suck sometimes [05:29] happy wife, happy life [05:29] i'm not sure if tomorrow's meeting is still at 10pm, will have to check [05:33] DST is a bitch if you need to coordinate with western europe [05:33] 7pm UK time is 6am AEST [05:33] (or is that AEDT [05:34] i thought it was 7am AEST [05:35] nup [05:35] http://everytimezone.com/ [05:35] not 7pm, 9pm [05:35] 21:00UTC [05:35] so +10 is 7am for me [06:50] Morning [06:51] morning [06:51] davecheney: Had a nice weekend? === TheMue_ is now known as TheMue [08:34] morning all === rogpeppe2 is now known as rogpeppe [08:40] Hiya rogpeppe [08:45] rogpeppe, TheMue, heyhey [08:45] rogpeppe, TheMue: I would appreciate your opinions on the Living interface [08:45] fwereade: Hi [08:46] fwereade: just jotting down some thoughts i had over the weekend. will have a look in a bit, thanks for the heads up. [08:46] rogpeppe, TheMue: it only seems to be used for the tests [08:46] rogpeppe, TheMue: and I have a slight concern that it doesn't really fit our needs [08:46] fwereade: what CL are we talking about? [08:47] rogpeppe, it's a piece that's already in place [08:47] fwereade: ah [08:47] rogpeppe, state/life.go [08:47] rogpeppe, it has EnsureDying/EnsureDead [08:47] fwereade: you're objecting to those methods? [08:47] rogpeppe, we took those methods off Relation because they didn't make sense [08:48] fwereade: If you say you have concerns about whether it fits our needs, then please start by defining what you think our needs are. [08:48] rogpeppe, and while they're ok for unit they don't express enough [08:48] fwereade: do you think Unit needs a richer interface than a simple "EnsureDead"? [08:49] fwereade: or EnsureDying [08:49] rogpeppe, yeah -- remove-unit --force [08:49] rogpeppe, we need a way to say, politely, "please kill yourself"; a way to say politely "I'm done, clean me up"; and a way to force dead immediately [08:50] fwereade: ah, so EnsureDying isn't allowed to take account of things that might block the EnsureDying [08:50] rogpeppe, yeah, nothing should block an EnsureDying [08:50] fwereade: erm [08:50] rogpeppe, depending on the circumstances, the existence of subordinates may or may not want to block EnsureDead [08:51] fwereade: istm that EnsureDying *is* a way to say, politely, "please kill yourself" [08:51] fwereade: and that EnsureDead *is* a way to force dead immediately [08:51] rogpeppe: That's how I understood it too. [08:51] rogpeppe, yes... we have 3 things to express, and 2 0-arg methods [08:52] fwereade: that doesn't sound like the current interface is wrong, but that some things may need more [08:53] rogpeppe, maybe [08:53] fwereade: Please match the current methods to your three sentences above to make sure which one you don't see covered.
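[Editor's note: a rough sketch of the Living interface under discussion (state/life.go), reconstructed from the conversation rather than quoted from the source. fwereade's objection is that the two zero-argument methods cannot distinguish the three intents he lists at 08:49.]

    type Life int8

    const (
        Alive Life = iota
        Dying // polite request from outside: "please kill yourself"
        Dead  // terminal: resources may be released and the entity removed
    )

    type Living interface {
        Life() Life
        EnsureDying() error
        EnsureDead() error
    }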
[08:53] rogpeppe, bear in mind that it was already dropped from relation because it's useless [08:54] fwereade: how do you remove a relation then? [08:54] rogpeppe, TheMue: EnsureDying=please kill yourself, EnsureDead=die immediately; no way to politely signal your own death [08:54] rogpeppe, it depends [08:54] rogpeppe, I can dredge up the details if you like [08:55] fwereade: by "signal your own death", do you mean there's no way to tell others when you've died? [08:55] rogpeppe, there is no convenient way for me to coordinate the unit's death amongst various tasks [08:55] fwereade: So you want a kind of destructor. But that is something the entity has to signal. It isn't signalled from the outside to the entity. [08:55] fwereade: i'm not sure what you mean by that [08:57] rogpeppe, ok, maybe I should shift perspective around and see what sorts of statements we agree on [08:57] rogpeppe, the only thing that can sanely set a machine to Dead is a machine agent; agreed? [08:57] rogpeppe, and the only thing that can sanely set it to Dying is the user [08:58] fwereade: How would you name that third method? And who will call it? [08:58] fwereade: i'm not sure. what if the machine has gone away and isn't coming back? [08:58] rogpeppe, do you mean the "instance" [08:58] fwereade: yeah [08:58] rogpeppe, I don't think that's relevant then? [08:58] rogpeppe, juju will provision a new one and put the machine agent on it [08:59] fwereade: do we have to resurrect the instance and its machine agent in order to kill the Machine? [09:00] * TheMue still thinks it's a wrong perspective. The first two methods are telling the entity that it has something to do, the missing one is used by the entity itself to signal the outer world that a state is reached and the outer world has something to do. [09:00] rogpeppe, you're talking like we can *stop* juju from provisioning a new instance for a broken machine? [09:01] TheMue, ok [09:01] TheMue, what does service.EnsureDead do? [09:02] TheMue, btw you are wrong re methods: if an entity is dead, it must *not* do anything, and in the normal case of affairs it doesn't even see itself become dead because it sets and terminates itself [09:02] fwereade: It sets the entity to dead. [09:03] TheMue, the notion of EnsureDead from outside the entity is only sane in the case of units, and that's only because we carved out an exception for remove-unit --force [09:03] TheMue, ok, and what happens when you do that? [09:04] TheMue, and more to the point, when is it ok to do that? [09:04] fwereade: what if an instance goes down and the user calls terminate-machine before it's been reprovisioned? [09:05] fwereade: I would have to take a look at what's done today. But IMHO after an entity is marked as dead it can be cleaned up. [09:05] rogpeppe, if we can detect that for sure, then we can remove it; no reason to make it dead [09:05] TheMue, think through what will happen if we set a service to Dead [09:05] TheMue, what should happen to the units of that service? [09:05] fwereade: I'm currently looking from a more abstract perspective about where methods have to apply. [09:05] fwereade: doesn't it have to be dead before we remove it? [09:06] rogpeppe, not at all, we don't do that with relations [09:06] fwereade: IMHO they should be set to dead too, before the service is marked as dead. [09:06] rogpeppe, I'm not sure the Dead state is even meaningful for relations or services [09:06] TheMue, how will you craft your request to set 100k units to Dead?
[09:08] fwereade: I have no quick answer. But logically, if a service shall be set to dead, shouldn't the units be dead too? [09:08] TheMue, using the txn package, remember [09:08] TheMue, logically, yes [09:08] TheMue, but there are 2 possibilities here [09:08] TheMue, we can set services to dead, and get crack, or we can admit that service.EnsureDead is (probably) crack [09:08] fwereade: anyway, sorry that was a derail. say, for the sake of argument, we accept that only a machine agent can set its machine to dead. what then? [09:09] fwereade: are you saying that if we set something to dead, we may as well just remove it? [09:09] rogpeppe, ok, so machines are easy: Dying from outside, Dead from inside [09:09] rogpeppe: Do we mix topics here? [09:10] rogpeppe, not at all -- I'm saying that relations and services have no use for a Dead state, because we can just remove when appropriate [09:10] rogpeppe, units and machines *do* have a use for the dead state [09:11] * TheMue would like to stay on the path of what should happen to units, independent of their number, when their service is told that it shall die. [09:11] rogpeppe, but the agreement thus far has been that the only one we should be setting to dead from outside was unit, and that in a not-especially-high-priority feature [09:11] TheMue, what we do is set the service to Dying [09:11] TheMue, every unit is responsible for setting itself to dying and cleaning itself up [09:12] TheMue, the units' deployer waits for it to become dead [09:12] fwereade: Is every unit watching its service's lifecycle? [09:12] TheMue, yes [09:12] fwereade: Ah, ok, missed that, thanks. [09:13] fwereade: it sounds like you're arguing for removing EnsureDead [09:13] sorry 1 sec [09:13] rogpeppe, I'm not strongly arguing *for* anything, I'm just trying to raise the topic for discussion in the hope something will be synthesized therefrom [09:13] TheMue, to continue: then the deployer removes the unit [09:14] fwereade: And marks it as dead? [09:14] TheMue, the unit marked itself as dead [09:14] TheMue, the deployer is then responsible for uninstalling it and removing it from state [09:14] fwereade: How does it mark itself as dead? [09:14] TheMue, and removing its service from state if it was the last unit of a dying service [09:15] TheMue, at the moment it calls EnsureDead [09:15] fwereade: The unit calls EnsureDead() on itself? Aha. [09:15] TheMue, but this will not work correctly in the presence of subordinates [09:15] TheMue, yes [09:15] TheMue, in general only an entity is meant to declare itself dead [09:16] fwereade: Could you give me a hint where in the code this happens? [09:16] TheMue, the EnsureDead? worker/uniter/modes.go [09:16] TheMue, ModeStop or something? ModeDie? [09:16] fwereade: So the uniter calls it, not the unit. [09:16] TheMue, what part of the unit has its own volition if not the uniter? [09:16] back in a mo [09:17] fwereade: It's only the wording I want to be sure about. If I talk about Unit it's state.Unit. Not about the uniter. [09:18] TheMue, sure, sorry, I didn't mean to be unclear [09:18] fwereade: I only wanted to clear that up so as not to be confused. [09:18] fwereade: I've never been deep in the uniter. So it's important to me to get a similar context. [09:18] TheMue, I think of a Unit as a dumb type manipulated by interesting clients -- the clients are the agents and the command line [09:19] back [09:19] fwereade: OK, now it's more clear, thanks. [09:20] rogpeppe, actually, how do you expect we will set a machine to dead?
thinking about it, that sounds like a job for the machiner [09:20] rogpeppe, and it sounds like exactly the same problem as the uniter has [09:20] fwereade: is the provisioner right to allocate a new instance for a machine that's set to dying? [09:21] rogpeppe, if it's still meant to be running a unit, yes, unless you have a better idea [09:21] rogpeppe, but I forget: did we agree that we couldn't set a machine to dying until it had no assigned units? [09:22] fwereade: i thought we could always set something to *dying* [09:22] rogpeppe, I haven't thought so much about machine lifecycles, which is probably why I perceive them as a simple problem.. I bet they aren't really ;p [09:23] fwereade: i have a suspicion we have some muddy thinking about the machine/instance/unit relationship [09:23] rogpeppe, ok, so terminate-machine shouldn't actually terminate the machine? [09:24] rogpeppe, ok, please explain your view of the situation [09:24] rogpeppe, is it your position that terminate-machine should also terminate all the units on that machine? [09:24] fwereade: i don't have a strong notion of *how* our thinking is muddy, just that i don't clearly understand things, and i'm not sure anyone else does [09:24] rogpeppe, because it has hitherto meant "I will never use this unused machine again", and been blocked by the machine's having units deployed [09:25] fwereade: ok, well that sounds reasonable [09:25] rogpeppe, ok, you know what? this makes me question EnsureDying/EnsureDead still more [09:26] fwereade: so... say a machine is unused but its instance has just died; someone calls terminate-machine before the provisioner has noticed that the instance is dead. [09:26] fwereade: when the provisioner notices that the instance is dead, should it allocate another one? [09:27] fwereade: i don't see any question about EnsureDying [09:28] fwereade: EnsureDead seems to be the problematic part of the interface [09:29] rogpeppe, ok, what does it do? [09:29] rogpeppe, please describe the chain of consequences from EnsureDying [09:30] fwereade: the provisioner can see when an instance dies, right? [09:31] rogpeppe, yeah, I think so, roughly [09:31] fwereade: (i'm not actually sure that it can, tbh, but we seem to believe it) [09:31] rogpeppe, I think it is possible to infer it anyway [09:31] fwereade: i'm not sure it is [09:31] fwereade: in the presence of network failures [09:32] fwereade: anyway, assuming we can [09:32] fwereade: when the provisioner sees an instance go down, it allocates a new one and assigns the old Machine to it, right? [09:32] rogpeppe, yeah [09:33] fwereade: so if someone has called EnsureDying on that machine, should the provisioner really allocate a new instance for the machine? [09:33] fwereade: (surely not?!) [09:34] rogpeppe, if a machine is Dying it means "I will set myself to Dead when I have discharged my responsibilities" [09:34] fwereade: what is a machine without an instance? [09:35] rogpeppe, I am reluctant to stipulate that the machine agent can die with no responsibilities undischarged [09:35] fwereade: what responsibilities does a machine agent have if it has no units?
[09:36] rogpeppe, I suspect storage handling will come into play mostly at the machine agent level [09:37] rogpeppe, but, ok -- that's a potential derail [09:37] fwereade: i just think it's weird that we'd allocate a new instance only to shut it down immediately [09:37] rogpeppe, what you say makes sense, but you're not taking it far enough [09:37] fwereade: i think the provisioner can proxy for the machine agent in this instance [09:38] rogpeppe, what does Dying actually mean if the unit agent can only go to Dying when it has no responsibilities left to discharge? [09:38] rogpeppe, it means Dying is not a sane state for a Machine to have [09:39] rogpeppe, it will become so if/when we change the rules ofc... [09:39] fwereade: sorry, you're mixing up machine dying and unit dying in a way i don't quite understand [09:40] rogpeppe, shit sorry s/unit/machine/ [09:40] s/unit agent/machine/ actually [09:40] fwereade: it sounds reasonably sane to me [09:41] rogpeppe, what is the distinction between Dying and Dead for a machine? [09:42] fwereade: i think it's a pity we haven't actually implemented terminate-machine yet... [09:43] rogpeppe, although, sorry, I'm derailing a little and I have no particular interest in fighting this one -- I take a similar Dying shortcut in the Deployer, actually [09:43] rogpeppe, but I'm actually questioning it [09:44] fwereade: because you're saying that a machine can only go to Dying when it has no responsibilities left to discharge, but that's not the case currently [09:44] fwereade: anyone can set a machine to dying at any time [09:44] rogpeppe, ok, well then that is surely crack [09:44] rogpeppe, why timebomb your machines like that? [09:44] fwereade: i'm not sure why [09:45] fwereade: you might have a good reason [09:45] fwereade: you might not want a new machine to be allocated [09:45] rogpeppe, the only thing that does is to say "keep this machine around for an arbitrary length of time, but don't forget the irrevocable kill command that will take effect when its current purpose is fulfilled" [09:45] fwereade: so calling terminate-machine before removing a unit means that we can ensure that's true [09:46] fwereade: that seems quite plausibly useful to me [09:46] rogpeppe, but you're also suggesting that the unit should get no opportunity to shut down cleanly if the instance goes away [09:46] rogpeppe, it's a total niche case [09:46] rogpeppe, defaulting to shutting down machines when unused would be more useful [09:46] rogpeppe, weeks-delayed kill commands are pretty esoteric ;) [09:47] fwereade: if we think that automatically shutting down a machine when it's unused is a good thing, then sure. but i think we've decided that it's not. [09:47] rogpeppe, I am working on the assumption that we will have some sort of persistent storage generally available, such that moving from one instance to another can be accomplished almost trivially [09:48] rogpeppe, my point is that if we're going to get clever about machine termination, delayed-kill is not the top priority [09:48] fwereade: well maybe, but there is overhead in starting an instance, and state in an instance that may not be easily stored. [09:48] fwereade: i think it falls out naturally from our model.
[09:48] rogpeppe, yeah, depends on the provider [09:49] fwereade: and it *is* potentially useful behaviour [09:49] rogpeppe, it is potentially useful behaviour that we should restrain ourselves from implementing until we understand the use cases [09:51] rogpeppe, you know what [09:52] rogpeppe, Unit.EnsureDead, implemented correctly, is just *horribly* complex [09:53] fwereade: because it's hard to check all the unit's dependencies before setting state to dead? [09:53] rogpeppe, it needs to clean up some or all of: machine assignment, subordinates Dead-setting, relation removal, and service removal [09:53] rogpeppe, if we do it correctly, we have to just build up some monster transaction [09:54] rogpeppe, not to mention just cleaning up relation membership [09:54] fwereade: that's not Unit.EnsureDead - that's RemoveUnit [09:54] fwereade: EnsureDead and EnsureDying don't do anything other than set life state [09:54] rogpeppe, ok, drop service removal [09:54] rogpeppe, that's the only one [09:55] fwereade: it's up to the caller to make sure that the other invariants are preserved correctly. [09:55] rogpeppe, ha ha [09:55] rogpeppe, how is that possible? [09:56] fwereade: well usually we do that by not allowing new things to be added when something is in a dying state. [09:56] rogpeppe, to make sane transitions in system state we have to do these things as single transactions [09:56] good morning [09:56] Aram: hiya! [09:56] Aram, heyhey [09:56] Aram, nice holiday? [09:56] yeah. [09:56] Aram, cool [09:57] Aram: is your holiday finished now? [09:57] yeah. [09:57] Aram, I landed your watchers -- we've identified the firewaller bug and TheMue is looking into it this week AIUI [09:57] fwereade, Aram: +1 [09:57] fwereade, could you please link me to the commit that fixed it? [09:57] Aram: Hello btw. [09:57] hi. [09:58] fwereade: i'm not sure we do need to do these things as single transactions [09:58] fwereade: and that's why we have the dying/dead distinction [09:58] rogpeppe, Dying/Dead is about handover of responsibility surely [09:58] Aram: It's not yet fixed, only better identified. I'm now working on it with two CLs. [09:59] rogpeppe, but any time we want to make a change to the state, we need to do it as a single transaction [09:59] rogpeppe, or write a CA [09:59] fwereade: CA? [09:59] rogpeppe, Corrective Agent ;) [09:59] fwereade: ha [09:59] Aram: And LXC is right now stopped, one CL has gone in, two are open. MAAS has gotten higher priority. [09:59] fwereade: but that's not true. we don't need to make every change to the state as a single transaction [09:59] fwereade, I've seen a proposal to replace int with string, excellent. [10:00] Aram, (there was a MUW bug that was contributing to that test failing, I'll find that commit, just a mo) [10:00] fwereade: and in this case, after the unit is set to dying, if we use several transactions to find that all its dependencies have gone away and it's in dying state, then we know we can remove it [10:00] fwereade: or set it to dead [10:01] meh, the damn unity panel can't be set in a different position, and auto hide doesn't work in vmware. [10:03] Aram: so run ubuntu natively :-) [10:07] I bought a new mac. [10:08] Aram: It's possible to auto-hide it, have to find the switch again. Somewhere in the settings. [10:09] TheMue, it's possible to auto hide it, it's impossible to make it appear again after you've done so. [10:09] that's because compiz is too smart for its own good. [10:09] *lol [10:09] it calculates how hard you've hit the screen edge.
[10:10] since vmware won't deliver mouse events after you've hit the edge, it can't calculate how hard you hit it. [10:10] so it won't show up. === Aram2 is now known as Aram [11:00] so, hey again all [11:01] fwereade: your network connection die? [11:01] rogpeppe, power cut [11:01] fwereade: ah, not useful [11:02] rogpeppe, didn't last long :0 [11:05] rogpeppe, ok, so, the trouble with lifecycle discussions is that there are in the end fewer commonalities than one might think [11:05] fwereade: did you see my last comment ("... or set it to dead")? [11:05] rogpeppe, ah, sorry, I didn't [11:05] fwereade: ah [11:05] [09:59:49] fwereade: but that's not true. we don't need to make every change to the state as a single transaction [11:05] [10:00:36] fwereade: and in this case, after the unit is set to dying, if we use several transactions to find that all its dependencies have gone away and it's in dying state, then we know we can remove it [11:06] [10:00:42] fwereade: or set it to dead [11:06] rogpeppe, ok, so what's the scenario you're considering there? [11:07] fwereade: i was replying to your "but any time we want to make a change to the state, we need to do it as a single transaction" comment [11:07] rogpeppe, yeah, and you're explaining a situation in which we don't have to worry about it, and I'm asking for more details [11:07] rogpeppe, I think :) [11:07] rogpeppe, who is setting the unit to dying, and why? [11:08] fwereade: i was talking about setting the unit to dead, not dying [11:08] fwereade: anyone can set the unit to dying [11:08] network here is a bit flakey, but I'm around again for the next few hours today, and then traveling back to the US tomorrow. [11:08] mramm: i guess you'll miss the meeting then [11:08] dimitern: want to catch up, even though it'll only be us two? [11:08] rogpeppe: yea [11:09] rogpeppe: I also need to figure out better meeting times [11:09] rogpeppe, ok, yes, that is true; it is not hard to set a unit to dead once we know it's done everything [11:09] rogpeppe, but the tricky case is EnsureDead from the outside [11:10] fwereade: i don't see that's a problem. the only thing that can call EnsureDead is something that knows it can act for the object. [11:10] fwereade: which is usually the agent responsible for the object, but may not be, in some cases. [11:11] rogpeppe, ok, so when someone uses remove-unit --force... [11:11] rogpeppe, that client is basically taking on all the responsibilities of the unit agent, right? [11:11] fwereade: i'm not sure [11:12] rogpeppe, well, the UA won't do anything else after it's dead [11:12] fwereade: i don't think the client can call EnsureDead in that case [11:12] mgz: sure, i'm starting mumble now [11:12] rogpeppe, its responsibilities must either be transferred elsewhere, or discharged, in the same transaction that makes it Dead [11:12] fwereade: i think it just means "unit: please remove yourself regardless of the dependencies" [11:13] rogpeppe, I don't think there's any command that means "please corrupt state" [11:13] fwereade: i don't see why it all needs to happen in the same transaction [11:13] rogpeppe, ok, so what happens when the first change is made and then the connection is dropped? [11:14] fwereade: all we need to do is set the unit to dying and some flag, say "force", that means that the unit will kill itself even when it has relations etc.
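[Editor's note: a hedged sketch of the "set the unit to Dying plus a force flag in one transaction" idea just proposed, using the mgo/txn package the project relies on. The collection name and the force field are illustrative, not the real state schema, and the Life constants are the ones sketched earlier.]

    import (
        "labix.org/v2/mgo/bson"
        "labix.org/v2/mgo/txn"
    )

    // forceDyingOps builds a single transaction that moves a live unit to
    // Dying and records that the shutdown was forced; the assertion makes
    // the operation abort rather than resurrect a Dying or Dead unit.
    func forceDyingOps(unitName string) []txn.Op {
        return []txn.Op{{
            C:      "units",
            Id:     unitName,
            Assert: bson.D{{"life", Alive}},
            Update: bson.D{{"$set", bson.D{{"life", Dying}, {"force", true}}}},
        }}
    }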
[11:14] s/"force"/"force",/ [11:15] rogpeppe, please expand on what you mean by "kill itself" [11:15] rogpeppe, it needs to exit the relations even if it isn't running hooks [11:15] fwereade: well, perhaps it might be good if you could explain the sematics of remove-unit --force. [11:16] rogpeppe, the idea was from possibly the first lisbon [11:16] semantics [11:17] rogpeppe, make the unit Dead [11:17] rogpeppe, the trouble is that "make the unit Dead" is not necessarily a simple change to state [11:17] fwereade: at a higher level, why do we want this? [11:17] rogpeppe, because a broken UA is a hugely awful failure, that otherwise blocks the removal of machines, services, and relations [11:18] rogpeppe, it's a feature we hope nobody will use [11:18] fwereade: ok. are we talking about a broken unit agent, or a dead instance? [11:18] rogpeppe, a broken unit agent [11:18] rogpeppe, that has bad code, and bad upgrading code too, and that we have no other way of removing [11:19] fwereade: so if we know it's broken, then we know we can act for it, right? [11:19] rogpeppe, sure, I'm 100% comfortable with the idea that we can tak on its responsibilities [11:20] rogpeppe, I'm just saying that if we do so we must either discharge them all, or transfer responsibility for doing so elsewhere, and that it must be done in the same transaction as that in which we set the unit to dead [11:20] fwereade: ok, so something else must take on its responsibilities for a while and see the unit through its last phases. [11:20] rogpeppe, so you want two different sorts of Dying state [11:20] fwereade: i still don't see that last point [11:21] fwereade: no, i don't [11:21] rogpeppe, we are talking about setting the unit to dead [11:21] rogpeppe, there are a potentially large number of things in state that need to be changed in order for the unit to become dead and state to remain consistent [11:21] fwereade: i thought we were talking about forcing the unit to die even when its agent is broken [11:22] fwereade: that's a somewhat different thing [11:22] rogpeppe, er, "setting the unit to dead" is what the unit agent would have done were it not broken, right? [11:22] fwereade: i suspect we might want another worker/agent to manage this [11:22] rogpeppe, the whole point is setting it to dead [11:23] rogpeppe, that is how we communicate that the unit agent can be safely trashed [11:23] fwereade: well, presumably the unit agent will manage the "potentially large number of things" along the road to deadness, yes? [11:23] fwereade: setting it to dead indicates that the unit agent *is already* trashed [11:23] rogpeppe, when we set Dying, that is exactly what the uniter does, yes [11:23] rogpeppe, not even slightly [11:24] rogpeppe, setting it to dead is what lets its deployer know that it can be trashed [11:24] fwereade: ok, so we need something else to take on the responsibility for the work that the unit agent normally does [11:24] rogpeppe, rogpeppe, its responsibilities must either be transferred elsewhere, or discharged, in the same transaction that makes it Dead [11:24] fwereade: ok, that's a different level of trashing [11:25] rogpeppe, ok: AIUI the deployer is responsible for both kinds [11:25] rogpeppe, once something is Dead, the thing responsible for it releases any underlying resources and removes it from state [11:25] fwereade: AFAICS the deployer is responsible for maintaining the container of the unit [11:26] fwereade: yes [11:26] fwereade: and that's not the problem. 
the problem is the transition to death [11:26] rogpeppe, to Dead? [11:26] fwereade: yeah [11:26] rogpeppe, yes [11:27] fwereade: and we can't solve that by simply charging in and calling EnsureDead [11:27] rogpeppe, depending on what EnsureDead means, but yes [11:27] fwereade: but i don't see that it must all be called in the same transaction either [11:27] hotel wifi at 25% packet loss :( [11:28] rogpeppe, it sounds like you are advocating for a corrective agent [11:28] rogpeppe, or task [11:29] fwereade: perhaps you could outline the things that the unit agent does after seeing Dying and before it calls EnsureDead? [11:29] rogpeppe, depart all its relations, basically [11:29] fwereade: perhaps; i'm not sure yet. [11:29] rogpeppe, this is not necessarily a simple operation [11:29] fwereade: each relation depart can be done as a single transaction? [11:29] rogpeppe, because some of those relations might themselves be dying [11:30] rogpeppe, yes, they could [11:30] fwereade: so essentially it does: for r in relations {r.Depart()}; u.EnsureDead() ? [11:31] rogpeppe, you are proposing that we depart them each individually, and assuming that the unit agent is not currently running and will never come back? [11:31] rogpeppe, remove-unit --force needs to work even if the UA suddenly wakes up [11:31] rogpeppe, while the unit is not dead, the UA has responsibility for it [11:32] fwereade: if relation departing is idempotent, i think that could work [11:32] rogpeppe, I am open to discussion re when/how that responsibility is transferred/discharged [11:33] hotel wifi at 25% packet loss, falling back to cell phone data plan but on edge network, so only a half step above IPoAC [11:33] rogpeppe, I don't think so -- I can imagine a path by which the UA could rejoin one of those relations in between the depart and the ensuredead [11:33] fwereade: can a UA rejoin a relation when the unit is marked as dying? [11:33] rogpeppe, why would the unit be marked as dying? [11:33] fwereade: isn't that one of the transaction guards? [11:34] rogpeppe, we're talking about forcing Dead from any state [11:34] fwereade: because that's the first thing we must do when calling remove-unit --force, surely? [11:34] fwereade: that's how we manage to shut down cleanly in multiple transactions [11:36] rogpeppe, I guess that's probably not too harmful, although I am strongly -1 on state changes that are not expressed as single transactions [11:37] fwereade: How would the deployer even know to kill the unit if it wasn't marked as dying [11:37] Good mornings, btw [11:37] niemeyer, heyhey [11:37] niemeyer: Morning [11:37] niemeyer, the deployer removes the units it's responsible for when they become Dead [11:37] niemeyer, they shouldn't care that their units are Dying [11:38] fwereade: Ah, right, okay [11:38] niemeyer, Dying is a signal to the UA to clean itself up and mark itself Dead when it's ready [11:38] fwereade: Yeah, you're right..
something else has to mark it as Dead in that edge case being debated [11:40] niemeyer, yeah, and the requirements for the two cases are rather different, so a single EnsureDead method with no parameters is not enough to express what we need to do [11:41] fwereade: if we want it to be expressed as a single transaction, then we need an agent to do the rest for us [11:41] fwereade: call it the CA if you want [11:41] niemeyer, in a clean shutdown, the uniter shouldn't set itself to Dead until it has no remaining subordinates [11:42] niemeyer, in a forced death, we need to make all the subordinates dead as well, I think -- but I guess that is a red herring, it's just where I started the conversation from [11:42] fwereade: i don't think that remove-unit --force should simply call EnsureDead to do the work [11:42] niemeyer, the relations question is much more interesting [11:43] fwereade: It's an interesting case, actually [11:43] rogpeppe, ok, sorry, I have been talking a lot [11:43] rogpeppe, would you outline how you would expect the feature to work? [11:44] fwereade: i'd expect the forced shutdown to go through the same phases as a non-forced shutdown [11:44] fwereade: and i would expect it to error out if the agent involved is actually alive. [11:44] rogpeppe, ok, but when the unit is Dying its agent is still the responsible entity [11:44] fwereade: mebbe [11:45] rogpeppe, shouldn't remove-unit --force be able to forcibly remove the unit whatever it's doing? [11:45] fwereade: yeah, probably [11:45] fwereade: in which case we need to make the shutdown phases work even when multiple entities are performing them [11:46] fwereade: It should, but if that's done when the unit is not even dying, it feels like we should do something to not create unnecessary harm [11:46] rogpeppe, well, we should have been doing so anyway, right, what with the txn runners [11:47] fwereade: yes, except you were saying you can't do it all in one transaction. which seems a reasonable issue. [11:47] niemeyer, rogpeppe: yeah, I think it's fine to start remove-unit --force by setting Dying [11:48] fwereade: and having a grace period, maybe [11:49] niemeyer, rogpeppe: I think it's ok to have remove-unit always set the unit to Dying [11:49] niemeyer: that, presumably, would mean that remove-unit --force would need to take as long as that grace period... or we'd need an agent to do it. [11:49] rogpeppe: Assuming the unit wasn't already Dying [11:49] niemeyer, rogpeppe: and then if --force is set, aggressively go around trashing its stuff until it can call EnsureDead (or finds that the unit has done so itself) [11:49] fwereade: that's what i'm thinking [11:50] niemeyer: if it is already dying, we ignore the grace period? [11:50] rogpeppe: Yeah, I think that sounds reasonable [11:50] niemeyer, I rather feel that the grace period is unnecessary -- if we're forcing then we're stating that we don't want or need a clean shutdown, we just want it gone [11:51] niemeyer: it seems slightly odd that.
{remove-unit; remove-unit --force} is different from {remove-unit --force} [11:51] fwereade: That sounds like unnecessary mess in the system [11:51] Alternatively, we could disallow --force to be used without first calling without force [11:51] Which would set dying [11:51] This would be a better teaching instrument than the grace period [11:52] niemeyer: yes, that sounds better [11:52] niemeyer, no remove-unit --force unless already dying SGTM [11:52] fwereade: Yeah [11:52] niemeyer: then the user can choose their own grace [11:52] rogpeppe: Right, the issue becomes obvious [11:52] * fwereade is a little worried that the UA *will* be going around re-entering relations [11:53] fwereade: can it reenter a relation if the unit is dying? [11:53] niemeyer, rogpeppe: and hence that --force might have to grind away at it a bit [11:53] * fwereade checks [11:53] fwereade: How can it re-enter a relation if it's dying? [11:54] Erm.. what Roger said [11:54] niemeyer, it shouldn't leave scope until it is completely done with the relation [11:55] fwereade: "leave scope"? [11:55] fwereade: I still don't get it [11:55] fwereade: How can it *re-enter* while dying? [11:56] niemeyer, because calling Join() when we're adding a relation we expect to do stuff with works right even if it's done twice [11:56] niemeyer, let me double-check when we leave [11:57] fwereade: I still don't see the reason why it works while Dying there [11:57] niemeyer, ok, do you agree that a unit should not leave a relation scope until it has run the relation-broken hook? [11:58] niemeyer, (possibly when UA is down something else may leave scope for it, that is not the question right now) [11:58] fwereade: Okay [11:58] fwereade: I still don't see the connection though [11:59] niemeyer, the purpose of the scope doc is to indicate that a unit still needs the relation to be alive [11:59] fwereade: I understand that [11:59] niemeyer, a Dying unit that has not run all its hooks needs that relation to be alive [11:59] fwereade: Yes, and how did we get to re-entering relations [11:59] niemeyer, so when it comes up, it ensures that (if it knows itself to be part of the relation) its scope doc exists [12:00] fwereade: Yep [12:00] fwereade: So..? [12:00] niemeyer, with the proposed style of remove-unit, we will be leaving its scope from outside, and it will be erroring out, coming back up, and rejoining scopes we've already exited [12:00] niemeyer, the 5s break should be enough to make that only happen once [12:00] niemeyer, maybe not at all [12:00] fwereade: Do we allow it to create scope documents even when it is dying? [12:01] fwereade: *create* scope documents [12:01] niemeyer, there's no distinction at the API level -- EnterScope could be EnsureInScope [12:02] fwereade: Can you answer the question, for once?
:-) [12:02] niemeyer, yes, we allow it to create scope documents at any time we are certain that it is appropriate for it to have a scope document, which includes when the unit is Dying [12:03] fwereade: Okay, i don't think we should allow it to create scope documents when it is dying [12:03] fwereade: It makes no sense to be establishing new participation in relations when the unit is dying [12:04] niemeyer, I could just as easily say it makes no sense to be messing around with a unit's state while the unit is Dying and still responsible for its own state [12:04] fwereade: You could, but I don't get what you mean by that [12:04] fwereade: I'm pinpointing a very specific case which I was hoping would be easy to agree or disagree on itself [12:05] fwereade: If the unit is not in a scope, and is in a dying state, it doesn't make sense to be joining a relation it wasn't in, AFAICS [12:05] niemeyer, why are we even considering relations it's not already in? [12:06] * fwereade is a little worried that the UA *will* be going around re-entering relations [12:06] niemeyer, "at any time we are certain that it is appropriate for it to have a scope document" means "when we know we're already part of the relation" [12:06] niemeyer, if the unit agent is running and knows it should be in a relation it will call EnterScope [12:06] fwereade: There's someone else that disagreed meanwhile.. sounds like a straightforward race [12:07] fwereade: Yes, and then it's put to Dying, and that should fail [12:07] niemeyer, well, yeah, I am a bit blindsided by all of this [12:07] niemeyer, meh, no trouble, we can add that to the transaction [12:07] fwereade: Exactly [12:07] niemeyer, inducing a few errors while it's going down is not really a big deal I guess [12:08] fwereade: We don't have to induce errors.. EnterScope already does verifications of that nature [12:08] fwereade: Since we already disallow entering a dying relation [12:08] fwereade: For similar reasons, I suspect [12:08] niemeyer, we will absolutely be inducing errors by purposefully corrupting the uniter's state [12:09] fwereade: How's that "corrupting the uniter's state"? Putting a unit to dying is a normal condition [12:09] niemeyer, looping through all its relations, leaving scope for each, while the uniter is valiantly trying to run its hooks *is* corrupting the uniter's state [12:10] fwereade: I'm talking about the case above still [12:11] niemeyer, whether or not EnterScope should work when the unit is dying? I have no problem changing that, it's not a big deal, it will make no observable difference to the system AFAICT [12:11] niemeyer, meh, no trouble, we can add that to the transaction [12:11] fwereade: Exactly [12:11] niemeyer, inducing a few errors while it's going down is not really a big deal I guess [12:11] niemeyer, sensible check, though, definitely a good thing [12:11] fwereade: That's the context in which you mentioned corrupting state and which I answered to [12:12] niemeyer, ok, AIUI you are advocating roger's proposed style of remove-unit --force [12:12] niemeyer, which is all about corrupting the unit's state as it runs [12:12] fwereade: I don't actually know. What was roger suggesting? [12:12] niemeyer, EnsureDying(); leave scope for each relation unit; EnsureDead [12:13] fwereade: Is there an alternative you were suggesting?
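[Editor's note: a sketch of the "sensible check" agreed at 12:07-12:11 above -- EnterScope asserting, in the same transaction that creates the scope document, that the unit is still Alive, so a Dying unit cannot establish new participation in a relation. Collection names are illustrative, not the real schema.]

    // enterScopeOps creates the relation scope document only while the
    // unit is still Alive; if the unit is set to Dying concurrently, the
    // first assertion fails and the whole transaction aborts.
    func enterScopeOps(unitName, scopeKey string) []txn.Op {
        return []txn.Op{{
            C:      "units",
            Id:     unitName,
            Assert: bson.D{{"life", Alive}},
        }, {
            C:      "relationscopes",
            Id:     scopeKey,
            Assert: txn.DocMissing,
            Insert: bson.D{}, // the _id, taken from Id above, is the payload
        }}
    }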
[12:13] niemeyer, I had felt that the sane thing to do was to either have an EnsureDead transaction that cleans up the necessary state in one go [12:14] niemeyer, well, not necessarily sane [12:14] niemeyer, the alternatives I saw were: [12:14] niemeyer, 1) a potentially large and unwieldy transaction [12:15] niemeyer, 2) some complicated corrective agent [12:15] niemeyer, and I was not very happy with either [12:16] fwereade: I think there's another alternative that might be easier to implement [12:16] niemeyer, rogpeppe has suggested just taking joint responsibility while the UA is running, and trying to shut itself down cleanly, by shutting everything down for it -- surely inducing errors -- and then setting it to dead when that's done [12:16] niemeyer, I honestly don't like that solution much either [12:17] fwereade: Having the deployer be responsible for double-checking that the unit resources have been cleared if death was forced [12:18] fwereade: After killing the software, before removing from state [12:18] niemeyer, that STM like a special case of "complicated corrective agent" [12:18] niemeyer, but worth exploring, cool [12:18] fwereade: That sounds like cleaning resources to me.. [12:18] fwereade: Can't get simpler than that [12:18] fwereade: We can't clear resources without clearing resources [12:19] niemeyer, ok, this to me somewhat changes the balance of Dying/Dead [12:19] fwereade: How? It doesn't seem to change them at all to me [12:19] niemeyer, but could probably work very nicely, once we have containerisation in place [12:19] fwereade: I don't think waiting is necessary [12:20] niemeyer, I'm pretty sure we had agreed that eg a principal should not be able to become Dead while its subordinates were still around [12:20] niemeyer, because otherwise the subordinate would be holding a reference to a dead object it was not responsible for destroying [12:20] niemeyer, and that would be a Bad thing [12:20] fwereade: Hmm.. yeah.. so how does that change the picture? [12:21] niemeyer, so setting something to Dead, and having its deployer clean up its various other connections to the system, seems wrong to me [12:22] fwereade: Sorry for being slow, but I don't understand the underlying point being made [12:22] niemeyer, I had been working from a picture in which Dead was as good as removed from the perspective of the single entity responsible for actual removal [12:22] fwereade: --force means the thing itself can't clean up its connection to the rest of the system [12:22] fwereade: Something has to do that [12:22] niemeyer, ok, you are saying that the deployer can clean up a unit's relations after the unit is dead? or not at all? [12:22] fwereade: If you want to do that at the command line, you'll be "corrupting the state" [12:22] fwereade: The only thing that can be sure the thing is actually dead is its runner [12:22] niemeyer, yes, it is something else's responsibility to do the cleaning up [12:22] fwereade: Which is the deployer [12:23] fwereade: So that's the place we can clean up without corrupting the state [12:23] fwereade: But you don't think that's right, because..? [12:23] niemeyer, a dead unit that's still participating in relations *is* corrupt state IMO [12:24] fwereade: We can ask the deployer to force its death without putting its status to Dead [12:25] BTW, just sent an e-mail with updated meeting times -- and moved them to thursday for this week since I'm traveling tomorrow. [12:25] mramm: Cool, cheers [12:25] mramm: saw that.
won't be there for thursday (as I'm travelling) but the rest of our lot should be. [12:26] mgz: no problem. We are bound to be missing one or two folks most weeks in december! [12:26] niemeyer, ok, so: a flag on units, checked by their deployer, that when set (1) causes the uniter to treat its unit as Dead and (2) causes its deployer to clean up its state, set it to dead, and uninstall it? [12:26] mgz: probably more most weeks. [12:27] fwereade: The uniter doesn't have to change.. as far as it knows, it's already Dying, so it *should* be aborting its activities [12:27] niemeyer, and so it will be [12:27] fwereade: The force flag action would happen purely on the deployer [12:28] niemeyer, ok, isn't it better for the uniter to see that someone else has taken responsibility, and just stop doing things? [12:28] fwereade: It will stop doing things, because the deployer will shoot it in the head [12:28] fwereade: There's no point in sending it a postcard telling it it's being shot in the head :-) [12:29] (and by now I'm probably in a list of dangerous people somewhere) [12:29] niemeyer, haha [12:30] niemeyer, this somewhat complicates the UnitsWatcher [12:30] niemeyer, or the clients I guess, I just need it to send all changes [12:30] fwereade: I don't think it should change [12:30] niemeyer, ok, so the deployer needs to set up kill-switch watches on each of its units itself? [12:31] also, friendly reminder to folks: put your vacation on the Juju Calendar so we all know it. [12:31] fwereade: Although, don't we already monitor all changes [12:31] fwereade: On units [12:32] niemeyer, no, that watcher filters it to just lifecycle changes [12:32] fwereade: What does that mean in practice? Life is a field in the unit [12:33] niemeyer, yes, when it gets a unit change it discards it unless Life has changed [12:33] fwereade: Right [12:33] fwereade: That sounds like a life-related change, and is in the same place as the other settings [12:34] fwereade: We'd just be comparing Life+ForcedDeath or whatever, instead of Life [12:34] fwereade: (just a strawman for now) [12:34] niemeyer, sure, it's just a change to the watcher and a change to the deployer to handle the new possibilities [12:34] fwereade: Right [12:34] niemeyer, I'm not suggesting it's the end of the world :) [12:35] fwereade: Sure, I'm just testing waters by suggesting it's actually simple [12:35] fwereade: and looking at your face while doing that ;-) [12:35] niemeyer, it's not wrong, but it's not quite conventional either [12:36] niemeyer, eg, if we're doing that, we should be handling ports changes on the firewaller similarly [12:36] niemeyer, ie the MUW should be filtering for Life and Ports changes, not just life [12:37] niemeyer, hmm, that will save us a goroutine for every unit and probably save us a lot of complexity actually [12:37] fwereade: Uh.. that'd be a more controversial change [12:38] niemeyer, ok, this is interesting to me: what's the distinction? [12:38] fwereade: Ports are not lifecycle related [12:38] fwereade: Then we're designing an API purely based on how we designed who's using it [12:39] fwereade: Which is not generally a good idea, as it means high coupling, and changes on one side cascade into meaningless changes on the other [12:39] niemeyer, ok, in that case all I'm really bothered about is the change to the lifecycle -- either by adding a flag, or by adding new states [12:39] niemeyer, neither fills me with joy [12:40] fwereade: Sure, but I've suggested the new flag to accommodate your other points..
we can't preserve the unit as dying, and yet know to kill its activities from outside, without knowing we should [12:42] niemeyer, I'm still not saying it's bad, just that I'm nervous about it :) [12:42] fwereade: and who kills the subordinates in such circumstance? [12:43] Must be the deployer as well, since the principal is out-of-action [12:43] niemeyer, this is entertaining, because it's actually a different deployer in that case [12:43] niemeyer, the principal had a deployer [12:43] fwereade: Well, not really [12:44] fwereade: Right [12:44] fwereade: Sorry, yes, a different deployer from the one that originally fired things [12:44] fwereade: Which brings back a point: the machiner is not necessarily exactly the same as a principaller (ugh) [12:45] niemeyer, so, all these concerns were what was leading me towards the idea that composing a transaction that asserted and did the Right Thing all in one place might be viable [12:45] fwereade: I don't understand what that means.. transactions asserting things don't solve any of the previous points I think [12:45] niemeyer, how many ops would you consider to be an unacceptably large transaction? [12:46] fwereade: You can assert whatever, and transact whatever, and it'd still be corrupting someone else's state (according to what you said that meant) [12:46] niemeyer, composing a transaction that sets all the right things to Dead, and leaves their relation scopes, etc etc, is not intrinsically unreasonable, is it? [12:46] niemeyer, the uniter expects to become arbitrarily Dead at some point and stops calmly when it finds itself so to be [12:47] fwereade: Depends on what you consider unreasonable.. it seemed that you were unhappy about changing state underlying running software [12:47] fwereade: That's not solving anything about that [12:47] fwereade: It'll still catch all uniters off-guard [12:47] niemeyer, the uniters will hiccup once at most, and then return some specific error [12:48] niemeyer, but suddenly becoming Dead is not an unexpected occurrence [12:49] fwereade: Nothing is unexpected if we say we're fine with it :-) [12:49] niemeyer, right, we agreed some time ago that the uniter needed to cope with becoming unexpectedly dead, and that its role at that point was done [12:49] fwereade: Moments ago it sounded like there was some unhappiness about the fact the uniter is doing activities such as joining relations and whatnot while someone else was changing the game underlying it [12:50] is there a difference between foo := &SomeType{} and foo := new(SomeType) ? [12:50] dimitern: No [12:50] niemeyer, ok, there is state created by the uniter, that it considers itself to own [12:50] niemeyer: 10x [12:50] dimitern: We use the former [12:50] dimitern: Just out of convention [12:50] niemeyer, and there is other state that it doesn't change; it just responds to changes in it [12:50] niemeyer: ok [12:51] niemeyer, ok, bah, this is not true of Dead because it *does* set its unit to Dead: but at that point it also stops watching it, or doing anything at all, so it feels kinda sensible [12:52] niemeyer, I am opposed to changing the unit's relation state from outside [12:53] fwereade: So the one-big-transaction idea doesn't solve it, right?
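[Editor's note: to dimitern's question at 12:50 -- the two forms are equivalent; both allocate a zeroed value and yield a pointer. The literal form is preferred here by convention, partly because only it generalizes to non-zero initialization.]

    package main

    import "fmt"

    type SomeType struct{ N int }

    func main() {
        a := &SomeType{}   // composite literal form (the project convention)
        b := new(SomeType) // built-in form
        fmt.Println(*a == *b) // true: both point at a zero SomeType

        c := &SomeType{N: 42} // only the literal form can set fields inline
        fmt.Println(c.N)
    }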
[12:53] rogpeppe: ping [12:53] niemeyer: pong [12:54] niemeyer, in my mind it does, but you are correct to point out that it is a pretty fuzzy distinction, and I'm having trouble putting my finger on it [12:54] rogpeppe: Do you have a moment for a call at the top of the hour, with the cloud-green team, regarding some kind of interaction with the API? [12:54] niemeyer, I shall meditate upon this over lunch [12:54] niemeyer: yes [12:54] rogpeppe: Cool [12:54] rogpeppe: https://plus.google.com/hangouts/_/d94c1034338161320971329404422704b987f4f9 [12:54] rogpeppe: I'm not there yet [12:54] niemeyer: fetching macbook [12:55] fwereade: Sounds good, let's come back to it after lunch then [15:16] niemeyer, I just had a thought on subordinate names [15:17] niemeyer, at the moment it seems we have no way to guarantee via txn that only one subordinate can be created per principal unit [15:19] niemeyer, ie we can't assert that no document with the same service and principal exists, right? [15:19] niemeyer, but we could name them, eg, logging/wordpress/0 [15:19] niemeyer, which makes some sort of sense [15:20] fwereade: The two issues seem independent [15:20] niemeyer, and doesn't impact anything else, because the only thing we can do to a unit is remove it [15:20] (late) lunchtime, biab [15:21] niemeyer, and there's no clear way to remove a subordinate without removing the relation [15:21] fwereade: bzr remove/destroy-unit? [15:21] Erm [15:21] juju [15:22] niemeyer, ok, sorry, how would you expect that to work? [15:22] fwereade: Ah, indeed.. [15:22] fwereade: But that sounds pretty independent from the original point [15:22] fwereade: We're again trying to solve three problems at once [15:22] niemeyer, yeah, just a supporting detail [15:23] fwereade: A) How to name units [15:23] fwereade: B) How to remove subordinate units [15:23] fwereade: C) How to limit a single subordinate unit per service [15:23] Per principal, rather [15:23] niemeyer, I don't think we need B at this point, but it may become relevant I suppose [15:24] fwereade: I don't think we need any of them right now [15:24] niemeyer, so I'm saying: C is a problem, A may be a solution [15:24] fwereade: Why is C a problem? [15:26] niemeyer, because I am terminally suspicious of things changing state I don't expect to change, and I want to write something that will react sanely if the subordinate that was trying to be added showed up from another source [15:27] fwereade: Sorry, I can't relate the answer to the question [15:28] niemeyer, I can check that no subordinate exists before I attempt the creation transaction, but I cannot assert within the transaction that no duplicate subordinate exists, and this leaves a window in which bad things can happen [15:28] niemeyer, what of the above statement seems lacking in appropriate sanity? [15:29] niemeyer, ofc we do not need to actually change unit names to do this [15:30] niemeyer, but I *think* we do need at least to change what we keep in the _id field [15:30] fwereade_: That seems like a pretty radical change [15:30] niemeyer, sure, so let's drop that bit [15:30] fwereade: Should we try to look at the problem first? [15:31] niemeyer, yes [15:31] niemeyer, do you have any thoughts on it? [15:32] fwereade: So the idea is we want a subordinate service and a principal service to spawn a single subordinate unit for each principal unit. Is that a good way to put it? [15:32] niemeyer, that every principal unit creates its own subordinate, yes [15:32] fwereade: Hmm..
no, I didn't say anything about who creates what yet [15:33] niemeyer, er, ok, what did you mean by "spawn" then? [15:33] fwereade: I mean existence [15:33] niemeyer, so did I... [15:34] fwereade: Stuff creating its own foo seems to indicate otherwise, but okay, I'll suppose we're in agreement [15:35] fwereade: So at which point do the subordinate units get created in the state? [15:36] niemeyer, I think it happens when a principal unit in a locally scoped relation successfully enters the relation's scope, and has no subordinate [15:36] niemeyer, and I'll just shut up now [15:37] niemeyer, I can check the principal unit doc's Subordinates, and I can assert no changes to the principal unit doc, and retry as appropriate [15:38] fwereade: Hmmm, sounds sensible [15:39] fwereade: It'd be nice if we could even assert specifically that there are no subordinates of the given service there [15:39] fwereade: But I guess the language doesn't allow us to match on a prefix of a sub-entry, maybe [15:39] * niemeyer looks [15:39] niemeyer, hmm, I'd expect we could but I'm not sure offhand [15:40] fwereade: Hmm.. equality does unwind the array.. I wonder if regexes work the same way [15:40] * niemeyer tries it [15:42] fwereade: Works! [15:42] fwereade: http://pastebin.ubuntu.com/1408009/ [15:43] niemeyer, awesome [15:43] niemeyer, right, well, I know what I'm doing re adding them, anyway :) [15:44] niemeyer, I feel like I still need to think a bit about removal based on the discussion earlier [15:44] niemeyer, I will try to grab you sometime later this evening if I can [15:44] niemeyer, thanks :) [15:44] fwereade: Actually, I think that's more like what we want: http://pastebin.ubuntu.com/1408022/ [15:45] fwereade: As we can assert it [15:45] niemeyer, yep, very true [15:51] blast, need to pop to the shops, back imminently === flaviamissi is now known as flaviamissi_ [17:43] fwereade_: Is there any follow up that justifies changing the type of relation ids to ints? [17:43] fwereade_: Or from ints, I guess [17:44] niemeyer, not imminent, I'm afraid [17:45] niemeyer, do you not feel the zero-value change is worth it? [17:45] fwereade_: If that's the motivation, just disallow 0? [17:45] fwereade_: I'm mainly trying to understand what's going on [17:45] fwereade_: It feels like we've been in a campaign against int keys, and I'm not sure why :) [17:45] niemeyer, also, it feels more consistent to me -- but I agree that this proposal doesn't have the weight behind it that machine ids have [17:47] niemeyer, it's fundamentally about making things that are similar look similar, because I believe that then the ways to use them better will be clearer [17:47] niemeyer, but honestly, relation ids are mainly a problem for me because of id/_id [17:48] fwereade_: I don't know.. I've never designed any software where we had a database in which we tried to make ints look like strings so that they were similar [17:48] niemeyer, if we called it something other than Id, and disallowed 0, I'd probably be just as happy [17:50] consistent interfaces are a virtue, see OpenVMS vs. UNIX. [17:50] good night [17:52] Being a nice person too.. [17:52] niemeyer, whatever we call it I don't think we index it yet anyway [17:52] But that's harder to get right.. [17:54] niemeyer, I can understand him not wanting to get drawn into the argument :) [17:55] Sounding like an ass and then leaving is indeed a great way to make friends.
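[Editor's note: both pastebins above are gone; this is a reconstruction of the kind of assertion being discussed, not their contents. MongoDB applies a regular-expression match to each element of an array field, just as equality does, so a transaction can assert that the principal has no subordinate of a given service yet. Field and collection names are illustrative.]

    // subordinateGuard returns an op that aborts the transaction if any
    // entry in the principal's subordinates array starts with "logging/".
    func subordinateGuard(principalName string) txn.Op {
        return txn.Op{
            C:  "units",
            Id: principalName,
            Assert: bson.D{{"subordinates", bson.D{{
                "$not", bson.RegEx{Pattern: "^logging/"},
            }}}},
        }
    }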
[17:55] niemeyer, anyway, the more I think about the relation IDs the less I care what type they are, so long as we clearly disambiguate them from Key/_id [17:56] niemeyer, that's the core of my discombobulation here [18:08] fwereade_: If we were to unify things and interfaces, to be honest I'd try to do the opposite of what we've been doing.. I'd make everything have a surrogate key that is an integer [18:09] fwereade_: I appreciate the advantages of that novel idea that is binary numbers :) [18:10] fwereade_: 400kb holds 100 thousand ids, in a properly balanced and aligned tree. [18:10] niemeyer, do you recall me suggesting this when I first introduced the unification idea? [18:11] fwereade_: Hmm.. not with any emphasis [18:11] niemeyer, as it is, we have consistent string _ids throughout, and a surrogate integer key on relations [18:11] niemeyer, which, it crosses my mind, we probably ought to index ;) [18:11] fwereade_: Yep [18:12] niemeyer, so my own consistency hunger is actually largely assuaged -- I just don't like the inconsistent and/or confusing terminology :) [18:13] niemeyer, ie Name/Id/Key for various types [18:13] niemeyer, and one with an extra Id that doesn't mean what the other id means [18:13] fwereade_: It was pretty consistent before [18:13] fwereade_: Id => int [18:13] fwereade_: Name => string [18:13] fwereade_: Now it's somewhat arbitrary or consistent, depending on how you slice it [18:15] niemeyer, I guess we place different weights on different kinds of consistency [18:15] niemeyer, although I note you don't mention Key in there [18:15] niemeyer, or the fact that a casual observer might expect that an Id would be indexed [18:16] fwereade_: A non-casual observer (me) would expect it to be indexed as well [18:16] niemeyer, so, well, there is at least agreement that we need to do that :) [18:17] fwereade_: To me having different types for primary keys is really not a big deal, if that's what you meant by the weights [18:18] fwereade_: Primary keys, at least where I've been lucky to observe, tend to reflect the application model [18:19] fwereade_: A person will generally have an id, or a username.. the id is generally an integer, not a string. [18:19] fwereade_: The username, if used, is a string [18:19] fwereade_: Etc [18:22] niemeyer, are you arguing that I should reverse the machine ID change? [18:22] niemeyer, because I am not actually arguing for a type change on relation id at the moment, just a name change [18:22] fwereade_: No, I'm having a pretty high-level conversation about what we're pursuing [18:23] fwereade_: Well, there's a branch to change it up for review.. that's as close to arguing about a change as it gets :-) [18:24] niemeyer, ISTM that you are clearly going to reject this change, and I've been fighting a desperate rearguard attempt to get you to admit that, at least for morons like me, it *is* confusing to have a field called Key that serializes as _id and one called Id that serializes as id [18:25] niemeyer, and that maybe we could change it, or you could explain how we benefit by this choice of names? [18:26] fwereade_: Right, that's where our conversation started..
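To make the complaint concrete, here is a hypothetical rendering of the document shape under discussion, with field names inferred from the conversation rather than copied from the juju-core source, plus the index both sides agree ought to exist:

```go
package sketch

import "labix.org/v2/mgo"

// relationDoc sketches the confusing state being described: the struct
// field named Key is what Mongo sees as _id, while the field named Id
// serializes as a plain, currently unindexed, "id" value.
type relationDoc struct {
	Key string `bson:"_id"` // the relation key, e.g. derived from endpoint names
	Id  int    `bson:"id"`  // surrogate integer key, unique per relation
}

// ensureRelationIdIndex adds the missing index on the surrogate key.
// EnsureIndex is idempotent, so it is safe to call at startup.
func ensureRelationIdIndex(relations *mgo.Collection) error {
	return relations.EnsureIndex(mgo.Index{Key: []string{"id"}, Unique: true})
}
```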
[18:26] niemeyer, ok, you just told me that I had been arguing about the type of the field [18:27] niemeyer, I thought I had clearly conceded that point [18:27] fwereade_: You did, sorry [18:27] niemeyer, I apologise if this was unclear [18:27] fwereade_: It wasn't [18:28] niemeyer, ok -- so, I have no technical arguments for changing the type of relation.Id, but I would *really* like to change the field name [18:28] niemeyer, the Tag suggestion I made in the CL is pretty clearly bad [18:28] fwereade_: Okay, what if we introduced surrogate keys for all types [18:29] niemeyer, I would rather like that, I think, even if having separate getters might be slightly unattractive [18:29] fwereade_: Id/_id [18:29] fwereade_: ints [18:30] niemeyer, I thought the _id field would not be suitable, because we don't get the uniqueness verification from name collisions? [18:30] niemeyer, but I'd be willing to skip that derail for now [18:31] fwereade_: We'll likely have to add some check on adds, yes [18:31] niemeyer, Id/_id and Name/name, each of which must be unique, would feel to me like a good thing [18:31] fwereade_: Right, and Name present only where it makes sense [18:32] fwereade_: We can also rule out zeros [18:32] niemeyer, are we thinking of a relation Key as a Name or not? :) [18:32] fwereade_: Yeah, I think that'd be fine [18:32] niemeyer, ok, cool [18:33] fwereade_: It sounds good actually, rather than just fine [18:33] niemeyer, so I *think* all the consequences here are good [18:33] fwereade_: I originally thought we could not remove the idea of machine zero, but I think any software that trusts it to be special is already broken since we don't offer this guarantee and will most certainly break it in the future [18:34] fwereade_: So we could start all valid counting from 1 [18:34] niemeyer, I'm +1 on making it completely unspecial :) [18:34] fwereade_: Well, it is special, as it'd become invalid :-) [18:34] niemeyer, I was sad to spot an explicit zero check in the code somewhere [18:34] niemeyer, haha, reverse special :) [18:35] fwereade_: Yeah, we've always had it, but it's always been consciously a temporary hack [18:36] niemeyer, ok, so a big Id/_id/int change would be for the better; I'm not sure how soon I can pick that up while still in the throes of subordinates [18:38] fwereade_: Understandable
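Purely as a sketch of the scheme converging here, with all names assumed: one way to hand out surrogate integer ids starting from 1, so that the zero value of an int Id can be treated as invalid, is a findAndModify-style counter via mgo's Query.Apply. This is not juju-core's implementation, just an illustration of "start all valid counting from 1".

```go
package sketch

import (
	"labix.org/v2/mgo"
	"labix.org/v2/mgo/bson"
)

// nextId returns monotonically increasing ids for the named sequence,
// starting at 1, so a zero Id can safely be treated as unset/invalid.
func nextId(counters *mgo.Collection, name string) (int, error) {
	change := mgo.Change{
		Update:    bson.M{"$inc": bson.M{"counter": 1}},
		Upsert:    true, // create the counter doc on first use
		ReturnNew: true, // read the post-increment value
	}
	var doc struct{ Counter int }
	if _, err := counters.Find(bson.M{"_id": name}).Apply(change, &doc); err != nil {
		return 0, err
	}
	return doc.Counter, nil // first call for a given name yields 1, never 0
}
```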
[18:38] niemeyer, ...and cath has just made supper, so I should leave you for a bit [18:38] niemeyer, I shall try to be on later, but no guarantees I'm afraid [18:38] fwereade_: np, thanks for the ideas [18:38] fwereade_: and have fun there [18:41] niemeyer, cheers, enjoy your evening :) [18:43] fwereade_: Thanks [18:44] i'm also off for the evening. [18:44] night all === flaviamissi_ is now known as flaviamissi [19:09] rogpeppe: Have a good one too === flaviamissi is now known as flaviamissi_ [22:09] davecheney: Morning! [22:09] niemeyer: howdy! [22:09] niemeyer: thanks for your suggestion [22:09] our replies crossed in the ether [22:10] i'll look at that test now [22:10] davecheney: np, not sure if there's something there, but I think there might be a path towards a test [22:19] niemeyer: % time juju status -e ap-southeast-2
[22:19] machines:
[22:19]   "0":
[22:19]     agent-version: 1.9.4
[22:19]     dns-name: ec2-54-252-2-107.ap-southeast-2.compute.amazonaws.com
[22:19]     instance-id: i-ff7b0ac5
[22:19] services: {}
[22:19] real 0m2.231s
[22:19] user 0m0.288s
[22:19] sys 0m0.024s
[22:19] two seconds!! [22:20] davecheney: Whoa! [22:20] davecheney: That's the fastest I've seen it run, ever! [22:20] so many fewer round trips [23:02] Okidoki [23:02] I'm heading off for the day [23:03] davecheney: Have a good time there