Thanks for that Dieu!

Is there work scheduled to get OS cf-release and associated documentation
into a state where Diego is the default, rather than deploying the DEA
architecture?

Regards,
Daniel Jones - CTO
+44 (0)79 8000 9153 <+44%207980%20009153>
@DanielJonesEB <https://twitter.com/DanielJonesEB>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry
Specialists

On Thu, Oct 27, 2016 at 9:10 AM, Dieu Cao <dcao(a)pivotal.io> wrote:

Hello all,

The 2017 PaaS Certification Requirements is available here [1] and we
would appreciate questions/comments on the doc or in this thread.

I've also attached a PDF version for those of you that have difficulty
accessing google docs.

2 major changes from the 2016 certification requirements include requiring
Diego/Garden and also requiring the use of BOSH.

-Dieu Cao
Runtime PMC Lead

[1]
https://docs.google.com/document/d/1S9o4u65uG_YrVQAdg7nxw7BrXAiL64hFSWBNVKZCMNI/edit


--

Is the BOSH requirement something that affects everyone, or just
non-managed offerings? If the only BOSH isn't required to be provided to
users from a managed-offering, why require it to have been present in
building what was offered? Shouldn't the part that matters for consistency
be the CF experience in those situations?

On Oct 27, 2016, at 10:06 AM, Chip Childers <cchilders(a)cloudfoundry.org>
wrote:

Bundling up Dr. Nic's questions for a single reply... Great questions! I
did a bunch of the pre-work on behalf of the PMC Council on this topic, so
I have a bunch of the context loaded.

*Question #1:* To confirm - if a CF platform patches any CF components
outside of the biweekly or so release cycle that the components might have,
then they lose their certification status? I know some on-prem vendors
maintain private forks of cf-release and release patches of older versions
for their customers; is this allowed or not?

*Short Answer:* Yes

*Longer Answer:* "Offerings" should always be based on a specific
cf-release + recommended sub-components that aren't directly included in
the cf-release itself (really this will transition to cf-deployment once
that starts getting versioned "releases"). Bug fixes / vulnerability fixes
are allowed to be back-ported, based on the "Exceptions" listed. This
assumes that the fixes are in the upstream projects. Also notice the
section about "current versions". That's an important concept. In 2017, the
trademark license agreement that is used as the contractual vehicle for
certification will be a perpetual license to use the 2017 "certification
mark". The point here is that the upstream projects don't do LTS (long term
support), but vendors are allowed to. They just have to reference the
appropriate certification year for LTS versions.

*Question #2:* Why is "using BOSH" a requirement? As awesome as it is for
many things, it isn't perfect. If companies innovate/experiment with
alternate deployment systems why do they lose certification status?

*Short Answer:* Consistent operational experience and deployment platform
for services

*Long Answer: *I agree that BOSH can be better, as can all software ;-).
However, the certification process for offerings isn't about
experimentation in the ecosystem. It's about consistency across the
distributions. Requiring BOSH as the deployment method gives us two key
things: (1) much more consistency for operators of the platform and (2) a
consistent target (really a least common denominator) for ISV's packaging
software for backing services. The value of consistency year over year
doesn't diminish the value of experimentation outside of the certified
distributions.

*Question #3:* "For managed offerings, BOSH does not need to be exposed
to customers" - what is the origin & reason this is explicitly stated? Does
it infer that there is any scenario at all where BOSH must be exposed to
end users/customers?

*Short Answer:* It doesn't infer that for users.

*Long Answer:* That language was put in there to be specific that
offerings that are online PaaS services shouldn't be required to (and none
do) expose the BOSH layer to users of the Elastic Runtime layer (or
customers generally).

Hope that helps!

-chip


On Thu, Oct 27, 2016 at 5:29 AM Dr Nic Williams <drnicwilliams(a)gmail.com>
wrote:

Also, why is "using BOSH" a requirement? As awesome as it is for many
things, it isn't perfect. If companies innovate/experiment with alternate
deployment systems why do they lose certification status?






On Thu, Oct 27, 2016 at 6:11 PM +1000, "Dieu Cao" <dcao(a)pivotal.io> wrote:

Hello all,

The 2017 PaaS Certification Requirements is available here [1] and we
would appreciate questions/comments on the doc or in this thread.

I've also attached a PDF version for those of you that have difficulty
accessing google docs.

2 major changes from the 2016 certification requirements include requiring
Diego/Garden and also requiring the use of BOSH.

-Dieu Cao
Runtime PMC Lead

[1]
https://docs.google.com/document/d/1S9o4u65uG_YrVQAdg7nxw7BrXAiL64hFSWBNVKZCMNI/edit

--
Chip Childers
VP Technology, Cloud Foundry Foundation
1.267.250.0815 <(267)%20250-0815>


--

Bundling up Dr. Nic's questions for a single reply... Great questions! I
did a bunch of the pre-work on behalf of the PMC Council on this topic, so
I have a bunch of the context loaded.

*Question #1:* To confirm - if a CF platform patches any CF components
outside of the biweekly or so release cycle that the components might have,
then they lose their certification status? I know some on-prem vendors
maintain private forks of cf-release and release patches of older versions
for their customers; is this allowed or not?

*Short Answer:* Yes

*Longer Answer:* "Offerings" should always be based on a specific
cf-release + recommended sub-components that aren't directly included in
the cf-release itself (really this will transition to cf-deployment once
that starts getting versioned "releases"). Bug fixes / vulnerability fixes
are allowed to be back-ported, based on the "Exceptions" listed. This
assumes that the fixes are in the upstream projects. Also notice the
section about "current versions". That's an important concept. In 2017, the
trademark license agreement that is used as the contractual vehicle for
certification will be a perpetual license to use the 2017 "certification
mark". The point here is that the upstream projects don't do LTS (long term
support), but vendors are allowed to. They just have to reference the
appropriate certification year for LTS versions.

*Question #2:* Why is "using BOSH" a requirement? As awesome as it is for
many things, it isn't perfect. If companies innovate/experiment with
alternate deployment systems why do they lose certification status?

*Short Answer:* Consistent operational experience and deployment platform
for services

*Long Answer: *I agree that BOSH can be better, as can all software ;-).
However, the certification process for offerings isn't about
experimentation in the ecosystem. It's about consistency across the
distributions. Requiring BOSH as the deployment method gives us two key
things: (1) much more consistency for operators of the platform and (2) a
consistent target (really a least common denominator) for ISV's packaging
software for backing services. The value of consistency year over year
doesn't diminish the value of experimentation outside of the certified
distributions.

*Question #3:* "For managed offerings, BOSH does not need to be exposed
to customers" - what is the origin & reason this is explicitly stated? Does
it infer that there is any scenario at all where BOSH must be exposed to
end users/customers?

*Short Answer:* It doesn't infer that for users.

*Long Answer:* That language was put in there to be specific that
offerings that are online PaaS services shouldn't be required to (and none
do) expose the BOSH layer to users of the Elastic Runtime layer (or
customers generally).

Hope that helps!

-chip


On Thu, Oct 27, 2016 at 5:29 AM Dr Nic Williams <drnicwilliams(a)gmail.com>
wrote:

Also, why is "using BOSH" a requirement? As awesome as it is for many
things, it isn't perfect. If companies innovate/experiment with alternate
deployment systems why do they lose certification status?






On Thu, Oct 27, 2016 at 6:11 PM +1000, "Dieu Cao" <dcao(a)pivotal.io> wrote:

Hello all,

The 2017 PaaS Certification Requirements is available here [1] and we
would appreciate questions/comments on the doc or in this thread.

I've also attached a PDF version for those of you that have difficulty
accessing google docs.

2 major changes from the 2016 certification requirements include requiring
Diego/Garden and also requiring the use of BOSH.

-Dieu Cao
Runtime PMC Lead

[1]
https://docs.google.com/document/d/1S9o4u65uG_YrVQAdg7nxw7BrXAiL64hFSWBNVKZCMNI/edit

--
Chip Childers
VP Technology, Cloud Foundry Foundation
1.267.250.0815 <(267)%20250-0815>

RE: Question #2 below -

One of the things that we've been thinking about regarding operator
experiences with Cloud Foundry, and why standardizing on BOSH may be very
attractive, is figuring out how people that get skills in CF operations are
able to move between different environments (service providers / product
companies / enterprise users) and have relatively transferable skills
across installations.

This is something I'd like to test with feedback from the community. Does
it seem valuable to have consistency for operators? Would there actually be
consistency?

On Thu, Oct 27, 2016 at 10:06 AM Chip Childers <cchilders(a)cloudfoundry.org>
wrote:

Bundling up Dr. Nic's questions for a single reply... Great questions! I
did a bunch of the pre-work on behalf of the PMC Council on this topic, so
I have a bunch of the context loaded.

*Question #1:* To confirm - if a CF platform patches any CF components
outside of the biweekly or so release cycle that the components might have,
then they lose their certification status? I know some on-prem vendors
maintain private forks of cf-release and release patches of older versions
for their customers; is this allowed or not?

*Short Answer:* Yes

*Longer Answer:* "Offerings" should always be based on a specific
cf-release + recommended sub-components that aren't directly included in
the cf-release itself (really this will transition to cf-deployment once
that starts getting versioned "releases"). Bug fixes / vulnerability fixes
are allowed to be back-ported, based on the "Exceptions" listed. This
assumes that the fixes are in the upstream projects. Also notice the
section about "current versions". That's an important concept. In 2017, the
trademark license agreement that is used as the contractual vehicle for
certification will be a perpetual license to use the 2017 "certification
mark". The point here is that the upstream projects don't do LTS (long term
support), but vendors are allowed to. They just have to reference the
appropriate certification year for LTS versions.

*Question #2:* Why is "using BOSH" a requirement? As awesome as it is for
many things, it isn't perfect. If companies innovate/experiment with
alternate deployment systems why do they lose certification status?

*Short Answer:* Consistent operational experience and deployment platform
for services

*Long Answer: *I agree that BOSH can be better, as can all software ;-).
However, the certification process for offerings isn't about
experimentation in the ecosystem. It's about consistency across the
distributions. Requiring BOSH as the deployment method gives us two key
things: (1) much more consistency for operators of the platform and (2) a
consistent target (really a least common denominator) for ISV's packaging
software for backing services. The value of consistency year over year
doesn't diminish the value of experimentation outside of the certified
distributions.

*Question #3:* "For managed offerings, BOSH does not need to be exposed
to customers" - what is the origin & reason this is explicitly stated? Does
it infer that there is any scenario at all where BOSH must be exposed to
end users/customers?

*Short Answer:* It doesn't infer that for users.

*Long Answer:* That language was put in there to be specific that
offerings that are online PaaS services shouldn't be required to (and none
do) expose the BOSH layer to users of the Elastic Runtime layer (or
customers generally).

Hope that helps!

-chip


On Thu, Oct 27, 2016 at 5:29 AM Dr Nic Williams <drnicwilliams(a)gmail.com>
wrote:

Also, why is "using BOSH" a requirement? As awesome as it is for many
things, it isn't perfect. If companies innovate/experiment with alternate
deployment systems why do they lose certification status?






On Thu, Oct 27, 2016 at 6:11 PM +1000, "Dieu Cao" <dcao(a)pivotal.io> wrote:

Hello all,

The 2017 PaaS Certification Requirements is available here [1] and we
would appreciate questions/comments on the doc or in this thread.

I've also attached a PDF version for those of you that have difficulty
accessing google docs.

2 major changes from the 2016 certification requirements include requiring
Diego/Garden and also requiring the use of BOSH.

-Dieu Cao
Runtime PMC Lead

[1] https://docs.google.com/document/d/1S9o4u65uG_
YrVQAdg7nxw7BrXAiL64hFSWBNVKZCMNI/edit

--
Chip Childers
VP Technology, Cloud Foundry Foundation
1.267.250.0815 <(267)%20250-0815>

--
Chip Childers
VP Technology, Cloud Foundry Foundation
1.267.250.0815

2 major changes from the 2016 certification requirements include requiring
Diego/Garden and also requiring the use of BOSH.

On Donnerstag, 27. Oktober 2016 01:10:37 CEST Dieu Cao wrote:

2 major changes from the 2016 certification requirements include

requiring

Diego/Garden and also requiring the use of BOSH.

What does that mean for the stemcells? Is it required to use the stemcells
being officially released by the BOSH team, or is this one of the
"explicitly
defined plugin points" where it's ok to use an alternative?

On Fri, Oct 28, 2016 at 3:10 AM Cornelius Schumacher <cschum(a)suse.de> wrote:

On Donnerstag, 27. Oktober 2016 01:10:37 CEST Dieu Cao wrote:

2 major changes from the 2016 certification requirements include

requiring

Diego/Garden and also requiring the use of BOSH.

What does that mean for the stemcells? Is it required to use the stemcells
being officially released by the BOSH team, or is this one of the
"explicitly
defined plugin points" where it's ok to use an alternative?

What do you (or others) think would be the right approach?

On Fri, 28. Oktober 2016 14:15:22 CEST Chip Childers wrote:

On Fri, Oct 28, 2016 at 3:10 AM Cornelius Schumacher <cschum(a)suse.de>

wrote:

On Donnerstag, 27. Oktober 2016 01:10:37 CEST Dieu Cao wrote:

2 major changes from the 2016 certification requirements include

requiring

Diego/Garden and also requiring the use of BOSH.

What does that mean for the stemcells? Is it required to use the

stemcells

being officially released by the BOSH team, or is this one of the
"explicitly
defined plugin points" where it's ok to use an alternative?

What do you (or others) think would be the right approach?

I think it's good to keep some flexibility and openness, especially at such
integration points as the stemcell where there are defined interfaces and
tests.

This can help to accommodate customers who have specific needs, e.g.
because
of standardization on certain infrastructure components. An all-in-one
solution, while having its advantages, is just not always a viable option
from
an operational point of view, so having certain flexibility could increase
adoption.

I think it's also good from a community perspective as it results in a less
monolithic project and allows for wider cooperation around components with
well-defined integration points. It's easier to get involved and
contribute if
you can start with components and can keep some choices from where you are
coming from.

Requiring the use of BOSH already would be quite a strict requirement
because
there is overlap with other infrastructure and tools, which might already
be
in use. BOSH is a great way to deploy Cloud Foundry, but allowing for
alternatives as well might have some benefits, e.g. around innovation as
Dr.
Nic already mentioned.

So from my point of view it would be worth looking into ways how to keep
some
openness in the certification in these lower level areas which are not
directly related to the user experience and maybe require interfaces or
certain tests to be passed instead of specifying the exact implementation.

--
Cornelius Schumacher <cschum(a)suse.de>

It's about consistency across the distributions. Requiring BOSH as the
deployment method gives us two key things: (1) much more consistency for
operators of the platform and (2) a consistent target (really a least common
denominator) for ISV's packaging software for backing services. The value of
consistency year over year doesn't diminish the value of experimentation
outside of the certified distributions.

I have met folks who used non-BOSH Cloud Foundry solutions, and were
surprised when they hired people with "Cloud Foundry" on their resumes who
then had to start from scratch when debugging operational issues.

"I thought you operated Cloud Foundry in your last place?"
"I did, but none of the tools work on *this* one."

That's a marketing and reputation issue, right there.

*Long Answer: *I agree that BOSH can be better, as can all software ;-).
However, the certification process for offerings isn't about
experimentation in the ecosystem. It's about consistency across the
distributions. Requiring BOSH as the deployment method gives us two key
things: (1) much more consistency for operators of the platform and (2) a
consistent target (really a least common denominator) for ISV's packaging
software for backing services. The value of consistency year over year
doesn't diminish the value of experimentation outside of the certified
distributions.