Diff for "PolicyAndProcess/ZeroOOPSPolicy"

Not logged in - Log In / Register

Differences between revisions 3 and 8 (spanning 5 versions)
Revision 3 as of 2010-07-20 15:00:28
Size: 2611
Editor: lifeless
Comment: new burndown link
Revision 8 as of 2011-03-24 19:23:42
Size: 3204
Editor: lifeless
Comment: javascript oops
Deletions are marked like this. Additions are marked like this.
Line 12: Line 12:
stop-the-line event and should be fixed ASAP. stop-the-line event and should be fixed ASAP. This includes javascript errors
even though we do not currently record OOPS for them: Bug:741991.
Line 37: Line 38:
  it with priority of High. It should be tagged with either 'oops' or   it with priority of Critical. It should be tagged with either 'oops' or
Line 39: Line 40:
  * Fixing bugs tagged 'oops' and 'timeout' takes priority over any
  feature development.
  * We should deploy all possible OOPS fix to production.
  * Fixing critical bugs takes priority over all other bug fixing work (done
  by the interrupt squads).
     * Unless it's an operational incident, we should respect the
     work-in-process limit set through [[Kanban]]. But criticual bugs should be the first bugs to be pulled for development once capacity is available.
  * We should deploy all possible OOPS fix to production as rapidly as possible.
Line 49: Line 52:
== But All OOPSes are not equals == == But All OOPSes are not the same ==
Line 53: Line 56:
whatever reason, then it shouldn't record an OOPS. Change the exception
type so that it doesn't appear in these sections.
whatever reason, then the system should be changed to not record an OOPS.
Line 56: Line 58:
The end-goal is that the users don't get the BSOD pages and that the OOPS
report sections are empty. So that when something appears there, we know it's
a problem to fix. No sifting through many false positives.
One way to prevent an OOPS being visible is to change the exception
type so that it doesn't trigger the OOPS code.

The end goals are:
 * users are able to use the system
 * OOPSes are only recorded when something is wrong that developers need to know about.

The expected result of achieving these goals is that the system will generally be in good shape and if an OOPS is recorded its something important we should work on immediately - no sifting through many false positives.

  • Policy Name: Zero OOPS Policy

  • Policy Owner: Francis Lacoste

  • Parent Process/Activity: None

  • Supported Policy: None

Policy Overview

In a nutshell, this policy is about moving the tolerance-level for OOPSes to zero. This mean that any user-visible error happening in production is a stop-the-line event and should be fixed ASAP. This includes javascript errors even though we do not currently record OOPS for them: 741991.

The burndown charts are now private, sadly: https://lpstats.canonical.com/graphs/LPQA/ https://lpstats.canonical.com/graphs/LPQAByTeam/

Why this policy?

We should be proud of the service we build and deliver, and we cannot take pride in a low-quality product. Everytime an OOPS page reaches a user, whether because of a time out or an unhandled exception, we failed on the measure of quality. An OOPS page means that a user was prevented from completing their work, that's really bad.

Having zero tolerance for OOPSes in production means that we are putting actions behind our mantra of quality. An OOPS is basically an escaped defect, and we cannot tolerate that.

Daily we have between tens and hundreds of OOPS. This policy is basically about making sure that the Exceptions and Timeouts section of the report are empty.

What should be done about OOPSes

  • Everytime an OOPS is encountered in production, a bug should be filed for it with priority of Critical. It should be tagged with either 'oops' or 'timeout' on it.
  • Fixing critical bugs takes priority over all other bug fixing work (done by the interrupt squads).
    • Unless it's an operational incident, we should respect the

      work-in-process limit set through Kanban. But criticual bugs should be the first bugs to be pulled for development once capacity is available.

  • We should deploy all possible OOPS fix to production as rapidly as possible.

Once we achieve Zero-OOPS status:

  • Do root-cause analysis for every OOPS that occurs in production, to ensure that our process is really robust against escaped defects.

But All OOPSes are not the same

All OOPSes in the "Exceptions" and "Time outs" sections should be eliminated. If an OOPS isn't important - because it's only triggered by robots, or for whatever reason, then the system should be changed to not record an OOPS.

One way to prevent an OOPS being visible is to change the exception type so that it doesn't trigger the OOPS code.

The end goals are:

  • users are able to use the system
  • OOPSes are only recorded when something is wrong that developers need to know about.

The expected result of achieving these goals is that the system will generally be in good shape and if an OOPS is recorded its something important we should work on immediately - no sifting through many false positives.

When

We are starting this policy now.

Coming Soon

Burn down chart of the bugs with the "oops" and "timeout" tags.

PolicyAndProcess/ZeroOOPSPolicy (last edited 2011-09-14 20:39:02 by lifeless)