James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1 | :title: Project Configuration |
| 2 | |
| 3 | .. _project-config: |
| 4 | |
| 5 | Project Configuration |
| 6 | ===================== |
| 7 | |
| 8 | The following sections describe the main part of Zuul's configuration. |
| 9 | All of what follows is found within files inside of the repositories |
| 10 | that Zuul manages. |
| 11 | |
| 12 | Security Contexts |
| 13 | ----------------- |
| 14 | |
| 15 | When a system administrator configures Zuul to operate on a project, |
| 16 | they specify one of two security contexts for that project. A |
| 17 | *config-project* is one which is primarily tasked with holding |
| 18 | configuration information and job content for Zuul. Jobs which are |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 19 | defined in a config-project are run with elevated privileges, and all |
James E. Blair | 2bab6e7 | 2017-08-07 09:52:45 -0700 | [diff] [blame] | 20 | Zuul configuration items are available for use. Base jobs (that is, |
| 21 | jobs without a parent) may only be defined in config-projects. It is |
| 22 | expected that changes to config-projects will undergo careful scrutiny |
| 23 | before being merged. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 24 | |
| 25 | An *untrusted-project* is a project whose primary focus is not to |
| 26 | operate Zuul, but rather it is one of the projects being tested or |
| 27 | deployed. The Zuul configuration language available to these projects |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 28 | is somewhat restricted (as detailed in individual sections below), and |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 29 | jobs defined in these projects run in a restricted execution |
| 30 | environment since they may be operating on changes which have not yet |
| 31 | undergone review. |
| 32 | |
| 33 | Configuration Loading |
| 34 | --------------------- |
| 35 | |
| 36 | When Zuul starts, it examines all of the git repositories which are |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 37 | specified by the system administrator in :ref:`tenant-config` and |
| 38 | searches for files in the root of each repository. Zuul looks first |
| 39 | for a file named ``zuul.yaml`` or a directory named ``zuul.d``, and if |
| 40 | they are not found, ``.zuul.yaml`` or ``.zuul.d`` (with a leading |
| 41 | dot). In the case of an :term:`untrusted-project`, the configuration |
| 42 | from every branch is included, however, in the case of a |
| 43 | :term:`config-project`, only the ``master`` branch is examined. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 44 | |
| 45 | When a change is proposed to one of these files in an |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 46 | untrusted-project, the configuration proposed in the change is merged |
| 47 | into the running configuration so that any changes to Zuul's |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 48 | configuration are self-testing as part of that change. If there is a |
| 49 | configuration error, no jobs will be run and the error will be |
| 50 | reported by any applicable pipelines. In the case of a change to a |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 51 | config-project, the new configuration is parsed and examined for |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 52 | errors, but the new configuration is not used in testing the change. |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 53 | This is because configuration in config-projects is able to access |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 54 | elevated privileges and should always be reviewed before being merged. |
| 55 | |
| 56 | As soon as a change containing a Zuul configuration change merges to |
| 57 | any Zuul-managed repository, the new configuration takes effect |
| 58 | immediately. |
| 59 | |
Monty Taylor | db39bbb | 2017-08-23 17:24:00 -0400 | [diff] [blame] | 60 | .. _configuration-items: |
| 61 | |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 62 | Configuration Items |
| 63 | ------------------- |
| 64 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 65 | The ``zuul.yaml`` and ``.zuul.yaml`` configuration files are |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 66 | YAML-formatted and are structured as a series of items, each of which |
| 67 | is described below. |
| 68 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 69 | In the case of a ``zuul.d`` directory, Zuul recurses the directory and |
| 70 | extends the configuration using all the .yaml files in the sorted path |
| 71 | order. For example, to keep job's variants in a separate file, it |
| 72 | needs to be loaded after the main entries, for example using number |
| 73 | prefixes in file's names:: |
Tristan Cacqueray | 4a01583 | 2017-07-11 05:18:14 +0000 | [diff] [blame] | 74 | |
| 75 | * zuul.d/pipelines.yaml |
| 76 | * zuul.d/projects.yaml |
| 77 | * zuul.d/01_jobs.yaml |
| 78 | * zuul.d/02_jobs-variants.yaml |
| 79 | |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 80 | .. _pipeline: |
| 81 | |
| 82 | Pipeline |
| 83 | ~~~~~~~~ |
| 84 | |
| 85 | A pipeline describes a workflow operation in Zuul. It associates jobs |
| 86 | for a given project with triggering and reporting events. |
| 87 | |
| 88 | Its flexible configuration allows for characterizing any number of |
| 89 | workflows, and by specifying each as a named configuration, makes it |
| 90 | easy to apply similar workflow operations to projects or groups of |
| 91 | projects. |
| 92 | |
| 93 | By way of example, one of the primary uses of Zuul is to perform |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 94 | project gating. To do so, one can create a :term:`gate` pipeline |
| 95 | which tells Zuul that when a certain event (such as approval by a code |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 96 | reviewer) occurs, the corresponding change or pull request should be |
| 97 | enqueued into the pipeline. When that happens, the jobs which have |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 98 | been configured to run for that project in the gate pipeline are run, |
| 99 | and when they complete, the pipeline reports the results to the user. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 100 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 101 | Pipeline configuration items may only appear in :term:`config-projects |
| 102 | <config-project>`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 103 | |
| 104 | Generally, a Zuul administrator would define a small number of |
| 105 | pipelines which represent the workflow processes used in their |
| 106 | environment. Each project can then be added to the available |
| 107 | pipelines as appropriate. |
| 108 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 109 | Here is an example :term:`check` pipeline, which runs whenever a new |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 110 | patchset is created in Gerrit. If the associated jobs all report |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 111 | success, the pipeline reports back to Gerrit with ``Verified`` vote of |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 112 | +1, or if at least one of them fails, a -1: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 113 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 114 | .. code-block:: yaml |
| 115 | |
| 116 | - pipeline: |
| 117 | name: check |
| 118 | manager: independent |
| 119 | trigger: |
| 120 | my_gerrit: |
| 121 | - event: patchset-created |
| 122 | success: |
| 123 | my_gerrit: |
| 124 | Verified: 1 |
| 125 | failure: |
| 126 | my_gerrit |
| 127 | Verified: -1 |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 128 | |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 129 | .. TODO: See TODO for more annotated examples of common pipeline configurations. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 130 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 131 | .. attr:: pipeline |
James E. Blair | 7145c58 | 2017-07-26 13:30:39 -0700 | [diff] [blame] | 132 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 133 | The attributes available on a pipeline are as follows (all are |
| 134 | optional unless otherwise specified): |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 135 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 136 | .. attr:: name |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 137 | :required: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 138 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 139 | This is used later in the project definition to indicate what jobs |
| 140 | should be run for events in the pipeline. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 141 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 142 | .. attr:: manager |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 143 | :required: |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 144 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 145 | There are currently two schemes for managing pipelines: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 146 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 147 | .. value:: independent |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 148 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 149 | Every event in this pipeline should be treated as independent |
| 150 | of other events in the pipeline. This is appropriate when |
| 151 | the order of events in the pipeline doesn't matter because |
| 152 | the results of the actions this pipeline performs can not |
| 153 | affect other events in the pipeline. For example, when a |
| 154 | change is first uploaded for review, you may want to run |
| 155 | tests on that change to provide early feedback to reviewers. |
| 156 | At the end of the tests, the change is not going to be |
| 157 | merged, so it is safe to run these tests in parallel without |
| 158 | regard to any other changes in the pipeline. They are |
| 159 | independent. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 160 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 161 | Another type of pipeline that is independent is a post-merge |
| 162 | pipeline. In that case, the changes have already merged, so |
| 163 | the results can not affect any other events in the pipeline. |
James E. Blair | 1761e86 | 2017-07-25 16:15:47 -0700 | [diff] [blame] | 164 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 165 | .. value:: dependent |
James E. Blair | 1761e86 | 2017-07-25 16:15:47 -0700 | [diff] [blame] | 166 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 167 | The dependent pipeline manager is designed for gating. It |
| 168 | ensures that every change is tested exactly as it is going to |
| 169 | be merged into the repository. An ideal gating system would |
| 170 | test one change at a time, applied to the tip of the |
| 171 | repository, and only if that change passed tests would it be |
| 172 | merged. Then the next change in line would be tested the |
| 173 | same way. In order to achieve parallel testing of changes, |
| 174 | the dependent pipeline manager performs speculative execution |
| 175 | on changes. It orders changes based on their entry into the |
| 176 | pipeline. It begins testing all changes in parallel, |
| 177 | assuming that each change ahead in the pipeline will pass its |
| 178 | tests. If they all succeed, all the changes can be tested |
| 179 | and merged in parallel. If a change near the front of the |
| 180 | pipeline fails its tests, each change behind it ignores |
| 181 | whatever tests have been completed and are tested again |
| 182 | without the change in front. This way gate tests may run in |
| 183 | parallel but still be tested correctly, exactly as they will |
| 184 | appear in the repository when merged. |
James E. Blair | 1761e86 | 2017-07-25 16:15:47 -0700 | [diff] [blame] | 185 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 186 | For more detail on the theory and operation of Zuul's |
| 187 | dependent pipeline manager, see: :doc:`gating`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 188 | |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 189 | .. attr:: post-review |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 190 | :default: false |
James E. Blair | f17aa9c | 2017-07-05 13:21:23 -0700 | [diff] [blame] | 191 | |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 192 | This is a boolean which indicates that this pipeline executes |
| 193 | code that has been reviewed. Some jobs perform actions which |
| 194 | should not be permitted with unreviewed code. When this value |
| 195 | is ``false`` those jobs will not be permitted to run in the |
| 196 | pipeline. If a pipeline is designed only to be used after |
| 197 | changes are reviewed or merged, set this value to ``true`` to |
| 198 | permit such jobs. |
James E. Blair | f17aa9c | 2017-07-05 13:21:23 -0700 | [diff] [blame] | 199 | |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 200 | For more information, see :ref:`secret` and |
| 201 | :attr:`job.post-review`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 202 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 203 | .. attr:: description |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 204 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 205 | This field may be used to provide a textual description of the |
| 206 | pipeline. It may appear in the status page or in documentation. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 207 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 208 | .. attr:: success-message |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 209 | :default: Build successful. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 210 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 211 | The introductory text in reports when all the voting jobs are |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 212 | successful. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 213 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 214 | .. attr:: failure-message |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 215 | :default: Build failed. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 216 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 217 | The introductory text in reports when at least one voting job |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 218 | fails. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 219 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 220 | .. attr:: merge-failure-message |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 221 | :default: Merge failed. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 222 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 223 | The introductory text in the message reported when a change |
| 224 | fails to merge with the current state of the repository. |
| 225 | Defaults to "Merge failed." |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 226 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 227 | .. attr:: footer-message |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 228 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 229 | Supplies additional information after test results. Useful for |
| 230 | adding information about the CI system such as debugging and |
| 231 | contact details. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 232 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 233 | .. attr:: trigger |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 234 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 235 | At least one trigger source must be supplied for each pipeline. |
| 236 | Triggers are not exclusive -- matching events may be placed in |
| 237 | multiple pipelines, and they will behave independently in each |
| 238 | of the pipelines they match. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 239 | |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 240 | Triggers are loaded from their connection name. The driver type |
| 241 | of the connection will dictate which options are available. See |
| 242 | :ref:`drivers`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 243 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 244 | .. attr:: require |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 245 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 246 | If this section is present, it establishes prerequisites for |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 247 | any kind of item entering the Pipeline. Regardless of how the |
| 248 | item is to be enqueued (via any trigger or automatic dependency |
| 249 | resolution), the conditions specified here must be met or the |
James E. Blair | d134c6d | 2017-07-26 16:09:34 -0700 | [diff] [blame] | 250 | item will not be enqueued. These requirements may vary |
| 251 | depending on the source of the item being enqueued. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 252 | |
James E. Blair | d134c6d | 2017-07-26 16:09:34 -0700 | [diff] [blame] | 253 | Requirements are loaded from their connection name. The driver |
| 254 | type of the connection will dictate which options are available. |
| 255 | See :ref:`drivers`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 256 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 257 | .. attr:: reject |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 258 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 259 | If this section is present, it establishes prerequisites that |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 260 | can block an item from being enqueued. It can be considered a |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 261 | negative version of :attr:`pipeline.require`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 262 | |
James E. Blair | d134c6d | 2017-07-26 16:09:34 -0700 | [diff] [blame] | 263 | Requirements are loaded from their connection name. The driver |
| 264 | type of the connection will dictate which options are available. |
| 265 | See :ref:`drivers`. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 266 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 267 | .. attr:: dequeue-on-new-patchset |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 268 | :default: true |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 269 | |
| 270 | Normally, if a new patchset is uploaded to a change that is in a |
| 271 | pipeline, the existing entry in the pipeline will be removed |
| 272 | (with jobs canceled and any dependent changes that can no longer |
| 273 | merge as well. To suppress this behavior (and allow jobs to |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 274 | continue running), set this to ``false``. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 275 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 276 | .. attr:: ignore-dependencies |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 277 | :default: false |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 278 | |
| 279 | In any kind of pipeline (dependent or independent), Zuul will |
| 280 | attempt to enqueue all dependencies ahead of the current change |
| 281 | so that they are tested together (independent pipelines report |
| 282 | the results of each change regardless of the results of changes |
| 283 | ahead). To ignore dependencies completely in an independent |
| 284 | pipeline, set this to ``true``. This option is ignored by |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 285 | dependent pipelines. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 286 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 287 | .. attr:: precedence |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 288 | :default: normal |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 289 | |
| 290 | Indicates how the build scheduler should prioritize jobs for |
| 291 | different pipelines. Each pipeline may have one precedence, |
| 292 | jobs for pipelines with a higher precedence will be run before |
| 293 | ones with lower. The value should be one of ``high``, |
| 294 | ``normal``, or ``low``. Default: ``normal``. |
| 295 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 296 | .. _reporters: |
| 297 | |
| 298 | The following options configure :term:`reporters <reporter>`. |
| 299 | Reporters are complementary to triggers; where a trigger is an |
| 300 | event on a connection which causes Zuul to enqueue an item, a |
| 301 | reporter is the action performed on a connection when an item is |
| 302 | dequeued after its jobs complete. The actual syntax for a reporter |
| 303 | is defined by the driver which implements it. See :ref:`drivers` |
| 304 | for more information. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 305 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 306 | .. attr:: success |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 307 | |
| 308 | Describes where Zuul should report to if all the jobs complete |
| 309 | successfully. This section is optional; if it is omitted, Zuul |
| 310 | will run jobs and do nothing on success -- it will not report at |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 311 | all. If the section is present, the listed :term:`reporters |
| 312 | <reporter>` will be asked to report on the jobs. The reporters |
| 313 | are listed by their connection name. The options available |
| 314 | depend on the driver for the supplied connection. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 315 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 316 | .. attr:: failure |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 317 | |
| 318 | These reporters describe what Zuul should do if at least one job |
| 319 | fails. |
| 320 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 321 | .. attr:: merge-failure |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 322 | |
| 323 | These reporters describe what Zuul should do if it is unable to |
| 324 | merge in the patchset. If no merge-failure reporters are listed |
| 325 | then the ``failure`` reporters will be used to notify of |
| 326 | unsuccessful merges. |
| 327 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 328 | .. attr:: start |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 329 | |
| 330 | These reporters describe what Zuul should do when a change is |
| 331 | added to the pipeline. This can be used, for example, to reset |
| 332 | a previously reported result. |
| 333 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 334 | .. attr:: disabled |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 335 | |
| 336 | These reporters describe what Zuul should do when a pipeline is |
| 337 | disabled. See ``disable-after-consecutive-failures``. |
| 338 | |
| 339 | The following options can be used to alter Zuul's behavior to |
| 340 | mitigate situations in which jobs are failing frequently (perhaps |
| 341 | due to a problem with an external dependency, or unusually high |
| 342 | non-deterministic test failures). |
| 343 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 344 | .. attr:: disable-after-consecutive-failures |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 345 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 346 | If set, a pipeline can enter a *disabled* state if too many |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 347 | changes in a row fail. When this value is exceeded the pipeline |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 348 | will stop reporting to any of the **success**, **failure** or |
| 349 | **merge-failure** reporters and instead only report to the |
| 350 | **disabled** reporters. (No **start** reports are made when a |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 351 | pipeline is disabled). |
| 352 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 353 | .. attr:: window |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 354 | :default: 20 |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 355 | |
| 356 | Dependent pipeline managers only. Zuul can rate limit dependent |
| 357 | pipelines in a manner similar to TCP flow control. Jobs are |
| 358 | only started for items in the queue if they are within the |
| 359 | actionable window for the pipeline. The initial length of this |
| 360 | window is configurable with this value. The value given should |
| 361 | be a positive integer value. A value of ``0`` disables rate |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 362 | limiting on the :value:`dependent pipeline manager |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 363 | <pipeline.manager.dependent>`. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 364 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 365 | .. attr:: window-floor |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 366 | :default: 3 |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 367 | |
| 368 | Dependent pipeline managers only. This is the minimum value for |
| 369 | the window described above. Should be a positive non zero |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 370 | integer value. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 371 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 372 | .. attr:: window-increase-type |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 373 | :default: linear |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 374 | |
| 375 | Dependent pipeline managers only. This value describes how the |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 376 | window should grow when changes are successfully merged by zuul. |
| 377 | |
| 378 | .. value:: linear |
| 379 | |
| 380 | Indicates that **window-increase-factor** should be added to |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 381 | the previous window value. |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 382 | |
| 383 | .. value:: exponential |
| 384 | |
| 385 | Indicates that **window-increase-factor** should be |
| 386 | multiplied against the previous window value and the result |
| 387 | will become the window size. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 388 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 389 | .. attr:: window-increase-factor |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 390 | :default: 1 |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 391 | |
| 392 | Dependent pipeline managers only. The value to be added or |
| 393 | multiplied against the previous window value to determine the |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 394 | new window after successful change merges. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 395 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 396 | .. attr:: window-decrease-type |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 397 | :default: exponential |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 398 | |
| 399 | Dependent pipeline managers only. This value describes how the |
| 400 | window should shrink when changes are not able to be merged by |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 401 | Zuul. |
| 402 | |
| 403 | .. value:: linear |
| 404 | |
| 405 | Indicates that **window-decrease-factor** should be |
| 406 | subtracted from the previous window value. |
| 407 | |
| 408 | .. value:: exponential |
| 409 | |
| 410 | Indicates that **window-decrease-factor** should be divided |
| 411 | against the previous window value and the result will become |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 412 | the window size. |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 413 | |
James E. Blair | 9437591 | 2017-07-28 17:20:27 -0700 | [diff] [blame] | 414 | .. attr:: window-decrease-factor |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 415 | :default: 2 |
James E. Blair | 9fd98ab | 2017-07-26 14:15:26 -0700 | [diff] [blame] | 416 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 417 | :value:`Dependent pipeline managers |
| 418 | <pipeline.manager.dependent>` only. The value to be subtracted |
| 419 | or divided against the previous window value to determine the |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 420 | new window after unsuccessful change merges. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 421 | |
| 422 | |
| 423 | .. _job: |
| 424 | |
| 425 | Job |
| 426 | ~~~ |
| 427 | |
| 428 | A job is a unit of work performed by Zuul on an item enqueued into a |
| 429 | pipeline. Items may run any number of jobs (which may depend on each |
| 430 | other). Each job is an invocation of an Ansible playbook with a |
| 431 | specific inventory of hosts. The actual tasks that are run by the job |
| 432 | appear in the playbook for that job while the attributes that appear in the |
| 433 | Zuul configuration specify information about when, where, and how the |
| 434 | job should be run. |
| 435 | |
| 436 | Jobs in Zuul support inheritance. Any job may specify a single parent |
| 437 | job, and any attributes not set on the child job are collected from |
| 438 | the parent job. In this way, a configuration structure may be built |
| 439 | starting with very basic jobs which describe characteristics that all |
| 440 | jobs on the system should have, progressing through stages of |
| 441 | specialization before arriving at a particular job. A job may inherit |
| 442 | from any other job in any project (however, if the other job is marked |
Tobias Henkel | 8316762 | 2017-06-30 19:45:03 +0200 | [diff] [blame] | 443 | as :attr:`job.final`, jobs may not inherit from it). |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 444 | |
James E. Blair | 2bab6e7 | 2017-08-07 09:52:45 -0700 | [diff] [blame] | 445 | A job with no parent is called a *base job* and may only be defined in |
| 446 | a :term:`config-project`. Every other job must have a parent, and so |
| 447 | ultimately, all jobs must have an inheritance path which terminates at |
| 448 | a base job. Each tenant has a default parent job which will be used |
| 449 | if no explicit parent is specified. |
| 450 | |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 451 | Jobs also support a concept called variance. The first time a job |
| 452 | definition appears is called the reference definition of the job. |
| 453 | Subsequent job definitions with the same name are called variants. |
| 454 | These may have different selection criteria which indicate to Zuul |
| 455 | that, for instance, the job should behave differently on a different |
| 456 | git branch. Unlike inheritance, all job variants must be defined in |
Tobias Henkel | 8316762 | 2017-06-30 19:45:03 +0200 | [diff] [blame] | 457 | the same project. Some attributes of jobs marked :attr:`job.final` |
| 458 | may not be overidden |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 459 | |
| 460 | When Zuul decides to run a job, it performs a process known as |
| 461 | freezing the job. Because any number of job variants may be |
| 462 | applicable, Zuul collects all of the matching variants and applies |
| 463 | them in the order they appeared in the configuration. The resulting |
| 464 | frozen job is built from attributes gathered from all of the |
| 465 | matching variants. In this way, exactly what is run is dependent on |
| 466 | the pipeline, project, branch, and content of the item. |
| 467 | |
| 468 | In addition to the job's main playbook, each job may specify one or |
| 469 | more pre- and post-playbooks. These are run, in order, before and |
| 470 | after (respectively) the main playbook. They may be used to set up |
| 471 | and tear down resources needed by the main playbook. When combined |
| 472 | with inheritance, they provide powerful tools for job construction. A |
| 473 | job only has a single main playbook, and when inheriting from a |
| 474 | parent, the child's main playbook overrides (or replaces) the |
| 475 | parent's. However, the pre- and post-playbooks are appended and |
| 476 | prepended in a nesting fashion. So if a parent job and child job both |
| 477 | specified pre and post playbooks, the sequence of playbooks run would |
| 478 | be: |
| 479 | |
| 480 | * parent pre-run playbook |
| 481 | * child pre-run playbook |
| 482 | * child playbook |
| 483 | * child post-run playbook |
| 484 | * parent post-run playbook |
| 485 | |
| 486 | Further inheritance would nest even deeper. |
| 487 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 488 | Here is an example of two job definitions: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 489 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 490 | .. code-block:: yaml |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 491 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 492 | - job: |
| 493 | name: base |
| 494 | pre-run: copy-git-repos |
| 495 | post-run: copy-logs |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 496 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 497 | - job: |
| 498 | name: run-tests |
| 499 | parent: base |
James E. Blair | 7e3e688 | 2017-09-20 15:47:13 -0700 | [diff] [blame] | 500 | nodeset: |
| 501 | nodes: |
| 502 | - name: test-node |
| 503 | label: fedora |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 504 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 505 | .. attr:: job |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 506 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 507 | The following attributes are available on a job; all are optional |
| 508 | unless otherwise specified: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 509 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 510 | .. attr:: name |
| 511 | :required: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 512 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 513 | The name of the job. By default, Zuul looks for a playbook with |
| 514 | this name to use as the main playbook for the job. This name is |
| 515 | also referenced later in a project pipeline configuration. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 516 | |
James E. Blair | 2bab6e7 | 2017-08-07 09:52:45 -0700 | [diff] [blame] | 517 | .. TODO: figure out how to link the parent default to tenant.default.parent |
| 518 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 519 | .. attr:: parent |
James E. Blair | 2bab6e7 | 2017-08-07 09:52:45 -0700 | [diff] [blame] | 520 | :default: Tenant default-parent |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 521 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 522 | Specifies a job to inherit from. The parent job can be defined |
James E. Blair | 2bab6e7 | 2017-08-07 09:52:45 -0700 | [diff] [blame] | 523 | in this or any other project. Any attributes not specified on a |
| 524 | job will be collected from its parent. If no value is supplied |
| 525 | here, the job specified by :attr:`tenant.default-parent` will be |
| 526 | used. If **parent** is set to ``null`` (which is only valid in |
| 527 | a :term:`config-project`), this is a :term:`base job`. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 528 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 529 | .. attr:: description |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 530 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 531 | A textual description of the job. Not currently used directly |
| 532 | by Zuul, but it is used by the zuul-sphinx extension to Sphinx |
| 533 | to auto-document Zuul jobs (in which case it is interpreted as |
| 534 | ReStructuredText. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 535 | |
Tobias Henkel | 8316762 | 2017-06-30 19:45:03 +0200 | [diff] [blame] | 536 | .. attr:: final |
| 537 | :default: false |
| 538 | |
| 539 | To prevent other jobs from inheriting from this job, and also to |
| 540 | prevent changing execution-related attributes when this job is |
| 541 | specified in a project's pipeline, set this attribute to |
| 542 | ``true``. |
| 543 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 544 | .. attr:: success-message |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 545 | :default: SUCCESS |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 546 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 547 | Normally when a job succeeds, the string ``SUCCESS`` is reported |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 548 | as the result for the job. If set, this option may be used to |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 549 | supply a different string. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 550 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 551 | .. attr:: failure-message |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 552 | :default: FAILURE |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 553 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 554 | Normally when a job fails, the string ``FAILURE`` is reported as |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 555 | the result for the job. If set, this option may be used to |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 556 | supply a different string. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 557 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 558 | .. attr:: success-url |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 559 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 560 | When a job succeeds, this URL is reported along with the result. |
| 561 | If this value is not supplied, Zuul uses the content of the job |
| 562 | :ref:`return value <return_values>` **zuul.log_url**. This is |
| 563 | recommended as it allows the code which stores the URL to the |
| 564 | job artifacts to report exactly where they were stored. To |
| 565 | override this value, or if it is not set, supply an absolute URL |
| 566 | in this field. If a relative URL is supplied in this field, and |
| 567 | **zuul.log_url** is set, then the two will be combined to |
| 568 | produce the URL used for the report. This can be used to |
| 569 | specify that certain jobs should "deep link" into the stored job |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 570 | artifacts. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 571 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 572 | .. attr:: failure-url |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 573 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 574 | When a job fails, this URL is reported along with the result. |
| 575 | Otherwise behaves the same as **success-url**. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 576 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 577 | .. attr:: hold-following-changes |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 578 | :default: false |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 579 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 580 | In a dependent pipeline, this option may be used to indicate |
| 581 | that no jobs should start on any items which depend on the |
| 582 | current item until this job has completed successfully. This |
| 583 | may be used to conserve build resources, at the expense of |
| 584 | inhibiting the parallelization which speeds the processing of |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 585 | items in a dependent pipeline. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 586 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 587 | .. attr:: voting |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 588 | :default: true |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 589 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 590 | Indicates whether the result of this job should be used in |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 591 | determining the overall result of the item. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 592 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 593 | .. attr:: semaphore |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 594 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 595 | The name of a :ref:`semaphore` which should be acquired and |
| 596 | released when the job begins and ends. If the semaphore is at |
| 597 | maximum capacity, then Zuul will wait until it can be acquired |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 598 | before starting the job. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 599 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 600 | .. attr:: tags |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 601 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 602 | Metadata about this job. Tags are units of information attached |
| 603 | to the job; they do not affect Zuul's behavior, but they can be |
| 604 | used within the job to characterize the job. For example, a job |
| 605 | which tests a certain subsystem could be tagged with the name of |
| 606 | that subsystem, and if the job's results are reported into a |
| 607 | database, then the results of all jobs affecting that subsystem |
| 608 | could be queried. This attribute is specified as a list of |
| 609 | strings, and when inheriting jobs or applying variants, tags |
| 610 | accumulate in a set, so the result is always a set of all the |
| 611 | tags from all the jobs and variants used in constructing the |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 612 | frozen job, with no duplication. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 613 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 614 | .. attr:: branches |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 615 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 616 | A regular expression (or list of regular expressions) which |
| 617 | describe on what branches a job should run (or in the case of |
| 618 | variants: to alter the behavior of a job for a certain branch). |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 619 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 620 | If there is no job definition for a given job which matches the |
| 621 | branch of an item, then that job is not run for the item. |
| 622 | Otherwise, all of the job variants which match that branch (and |
| 623 | any other selection criteria) are used when freezing the job. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 624 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 625 | This example illustrates a job called *run-tests* which uses a |
| 626 | nodeset based on the current release of an operating system to |
| 627 | perform its tests, except when testing changes to the stable/2.0 |
| 628 | branch, in which case it uses an older release: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 629 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 630 | .. code-block:: yaml |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 631 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 632 | - job: |
| 633 | name: run-tests |
James E. Blair | 7e3e688 | 2017-09-20 15:47:13 -0700 | [diff] [blame] | 634 | nodeset: current-release |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 635 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 636 | - job: |
| 637 | name: run-tests |
| 638 | branch: stable/2.0 |
James E. Blair | 7e3e688 | 2017-09-20 15:47:13 -0700 | [diff] [blame] | 639 | nodeset: old-release |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 640 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 641 | In some cases, Zuul uses an implied value for the branch |
| 642 | specifier if none is supplied: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 643 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 644 | * For a job definition in a :term:`config-project`, no implied |
| 645 | branch specifier is used. If no branch specifier appears, the |
| 646 | job applies to all branches. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 647 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 648 | * In the case of an :term:`untrusted-project`, no implied branch |
| 649 | specifier is applied to the reference definition of a job. |
| 650 | That is to say, that if the first appearance of the job |
| 651 | definition appears without a branch specifier, then it will |
| 652 | apply to all branches. Note that when collecting its |
| 653 | configuration, Zuul reads the ``master`` branch of a given |
| 654 | project first, then other branches in alphabetical order. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 655 | |
James E. Blair | e74f571 | 2017-09-29 15:14:31 -0700 | [diff] [blame] | 656 | * In the case of a job variant defined within a :ref:`project`, |
| 657 | if the project definition is in a :term:`config-project`, no |
| 658 | implied branch specifier is used. If it appears in an |
| 659 | :term:`untrusted-project`, with no branch specifier, the |
| 660 | branch containing the project definition is used as an implied |
| 661 | branch specifier. |
| 662 | |
| 663 | * In the case of a job variant defined within a |
| 664 | :ref:`project-template`, if no branch specifier appears, the |
| 665 | implied branch specifier for the :ref:`project` definition which |
| 666 | uses the project-template will be used. |
| 667 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 668 | * Any further job variants other than the reference definition |
| 669 | in an untrusted-project will, if they do not have a branch |
James E. Blair | e74f571 | 2017-09-29 15:14:31 -0700 | [diff] [blame] | 670 | specifier, have an implied branch specifier for the current |
| 671 | branch applied. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 672 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 673 | This allows for the very simple and expected workflow where if a |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 674 | project defines a job on the ``master`` branch with no branch |
| 675 | specifier, and then creates a new branch based on ``master``, |
| 676 | any changes to that job definition within the new branch only |
| 677 | affect that branch. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 678 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 679 | .. attr:: files |
Tobias Henkel | 2aade26 | 2017-07-12 16:09:06 +0200 | [diff] [blame] | 680 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 681 | This attribute indicates that the job should only run on changes |
| 682 | where the specified files are modified. This is a regular |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 683 | expression or list of regular expressions. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 684 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 685 | .. attr:: irrelevant-files |
James E. Blair | 74a82cf | 2017-07-12 17:23:08 -0700 | [diff] [blame] | 686 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 687 | This is a negative complement of **files**. It indicates that |
| 688 | the job should run unless *all* of the files changed match this |
| 689 | list. In other words, if the regular expression ``docs/.*`` is |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 690 | supplied, then this job will not run if the only files changed |
| 691 | are in the docs directory. A regular expression or list of |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 692 | regular expressions. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 693 | |
James E. Blair | e19e88a | 2017-08-09 15:14:29 -0700 | [diff] [blame] | 694 | .. attr:: secrets |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 695 | |
James E. Blair | e19e88a | 2017-08-09 15:14:29 -0700 | [diff] [blame] | 696 | A list of secrets which may be used by the job. A |
| 697 | :ref:`secret` is a named collection of private information |
| 698 | defined separately in the configuration. The secrets that |
| 699 | appear here must be defined in the same project as this job |
| 700 | definition. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 701 | |
Monty Taylor | aff8b40 | 2017-08-16 18:40:41 -0500 | [diff] [blame] | 702 | Each item in the list may may be supplied either as a string, |
| 703 | in which case it references the name of a :ref:`secret` definition, |
| 704 | or as a dict. If an element in this list is given as a dict, it |
| 705 | must have the following fields. |
| 706 | |
| 707 | .. attr:: name |
| 708 | |
| 709 | The name to use for the Ansible variable into which the secret |
| 710 | content will be placed. |
| 711 | |
| 712 | .. attr:: secret |
| 713 | |
| 714 | The name to use to find the secret's definition in the configuration. |
| 715 | |
| 716 | For example: |
| 717 | |
| 718 | .. code-block:: yaml |
| 719 | |
| 720 | - secret: |
| 721 | important-secret: |
| 722 | key: encrypted-secret-key-data |
| 723 | |
| 724 | - job: |
| 725 | name: amazing-job: |
| 726 | secrets: |
| 727 | - name: ssh_key |
| 728 | secret: important-secret |
| 729 | |
| 730 | will result in the following being passed as a variable to the playbooks |
| 731 | in ``amazing-job``: |
| 732 | |
| 733 | .. code-block:: yaml |
| 734 | |
| 735 | ssh_key: |
| 736 | key: descrypted-secret-key-data |
| 737 | |
James E. Blair | 7e3e688 | 2017-09-20 15:47:13 -0700 | [diff] [blame] | 738 | .. attr:: nodeset |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 739 | |
James E. Blair | 7e3e688 | 2017-09-20 15:47:13 -0700 | [diff] [blame] | 740 | The nodes which should be supplied to the job. This parameter |
| 741 | may be supplied either as a string, in which case it references |
| 742 | a :ref:`nodeset` definition which appears elsewhere in the |
| 743 | configuration, or a dictionary, in which case it is interpreted |
| 744 | in the same way as a Nodeset definition, though the ``name`` |
| 745 | attribute should be omitted (in essence, it is an anonymous |
| 746 | Nodeset definition unique to this job). See the :ref:`nodeset` |
| 747 | reference for the syntax to use in that case. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 748 | |
James E. Blair | 7e3e688 | 2017-09-20 15:47:13 -0700 | [diff] [blame] | 749 | If a job has an empty or no nodeset definition, it will still |
| 750 | run and may be able to perform actions on the Zuul executor. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 751 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 752 | .. attr:: override-branch |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 753 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 754 | When Zuul runs jobs for a proposed change, it normally checks |
| 755 | out the branch associated with that change on every project |
| 756 | present in the job. If jobs are running on a ref (such as a |
| 757 | branch tip or tag), then that ref is normally checked out. This |
| 758 | attribute is used to override that behavior and indicate that |
| 759 | this job should, regardless of the branch for the queue item, |
| 760 | use the indicated branch instead. This can be used, for |
| 761 | example, to run a previous version of the software (from a |
| 762 | stable maintenance branch) under test even if the change being |
| 763 | tested applies to a different branch (this is only likely to be |
| 764 | useful if there is some cross-branch interaction with some |
| 765 | component of the system being tested). See also the |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 766 | project-specific :attr:`job.required-projects.override-branch` |
| 767 | attribute to apply this behavior to a subset of a job's |
| 768 | projects. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 769 | |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 770 | .. attr:: timeout |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 771 | |
James E. Blair | b0c8e7e | 2017-08-28 09:19:49 -0700 | [diff] [blame] | 772 | The time in seconds that the job should be allowed to run before |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 773 | it is automatically aborted and failure is reported. If no |
| 774 | timeout is supplied, the job may run indefinitely. Supplying a |
| 775 | timeout is highly recommended. |
| 776 | |
| 777 | .. attr:: attempts |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 778 | :default: 3 |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 779 | |
| 780 | When Zuul encounters an error running a job's pre-run playbook, |
| 781 | Zuul will stop and restart the job. Errors during the main or |
| 782 | post-run -playbook phase of a job are not affected by this |
| 783 | parameter (they are reported immediately). This parameter |
| 784 | controls the number of attempts to make before an error is |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 785 | reported. |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 786 | |
| 787 | .. attr:: pre-run |
| 788 | |
| 789 | The name of a playbook or list of playbooks without file |
| 790 | extension to run before the main body of a job. The full path |
| 791 | to the playbook in the repo where the job is defined is |
| 792 | expected. |
| 793 | |
| 794 | When a job inherits from a parent, the child's pre-run playbooks |
| 795 | are run after the parent's. See :ref:`job` for more |
| 796 | information. |
| 797 | |
| 798 | .. attr:: post-run |
| 799 | |
| 800 | The name of a playbook or list of playbooks without file |
| 801 | extension to run after the main body of a job. The full path to |
| 802 | the playbook in the repo where the job is defined is expected. |
| 803 | |
| 804 | When a job inherits from a parent, the child's post-run |
| 805 | playbooks are run before the parent's. See :ref:`job` for more |
| 806 | information. |
| 807 | |
| 808 | .. attr:: run |
| 809 | |
| 810 | The name of the main playbook for this job. This parameter is |
| 811 | not normally necessary, as it defaults to a playbook with the |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 812 | same name as the job inside of the ``playbooks/`` directory |
| 813 | (e.g., the ``foo`` job would default to ``playbooks/foo``. |
| 814 | However, if a playbook with a different name is needed, it can |
| 815 | be specified here. The file extension is not required, but the |
| 816 | full path within the repo is. When a child inherits from a |
| 817 | parent, a playbook with the name of the child job is implicitly |
| 818 | searched first, before falling back on the playbook used by the |
| 819 | parent job (unless the child job specifies a ``run`` attribute, |
| 820 | in which case that value is used). Example: |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 821 | |
| 822 | .. code-block:: yaml |
| 823 | |
| 824 | run: playbooks/<name of the job> |
| 825 | |
| 826 | .. attr:: roles |
| 827 | |
| 828 | A list of Ansible roles to prepare for the job. Because a job |
| 829 | runs an Ansible playbook, any roles which are used by the job |
| 830 | must be prepared and installed by Zuul before the job begins. |
| 831 | This value is a list of dictionaries, each of which indicates |
| 832 | one of two types of roles: a Galaxy role, which is simply a role |
| 833 | that is installed from Ansible Galaxy, or a Zuul role, which is |
| 834 | a role provided by a project managed by Zuul. Zuul roles are |
| 835 | able to benefit from speculative merging and cross-project |
| 836 | dependencies when used by playbooks in untrusted projects. |
| 837 | Roles are added to the Ansible role path in the order they |
| 838 | appear on the job -- roles earlier in the list will take |
| 839 | precedence over those which follow. |
| 840 | |
| 841 | In the case of job inheritance or variance, the roles used for |
| 842 | each of the playbooks run by the job will be only those which |
| 843 | were defined along with that playbook. If a child job inherits |
| 844 | from a parent which defines a pre and post playbook, then the |
| 845 | pre and post playbooks it inherits from the parent job will run |
| 846 | only with the roles that were defined on the parent. If the |
| 847 | child adds its own pre and post playbooks, then any roles added |
| 848 | by the child will be available to the child's playbooks. This |
| 849 | is so that a job which inherits from a parent does not |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 850 | inadvertently alter the behavior of the parent's playbooks by |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 851 | the addition of conflicting roles. Roles added by a child will |
| 852 | appear before those it inherits from its parent. |
| 853 | |
| 854 | A project which supplies a role may be structured in one of two |
| 855 | configurations: a bare role (in which the role exists at the |
| 856 | root of the project), or a contained role (in which the role |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 857 | exists within the ``roles/`` directory of the project, perhaps |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 858 | along with other roles). In the case of a contained role, the |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 859 | ``roles/`` directory of the project is added to the role search |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 860 | path. In the case of a bare role, the project itself is added |
| 861 | to the role search path. In case the name of the project is not |
| 862 | the name under which the role should be installed (and therefore |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 863 | referenced from Ansible), the ``name`` attribute may be used to |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 864 | specify an alternate. |
| 865 | |
| 866 | A job automatically has the project in which it is defined added |
| 867 | to the roles path if that project appears to contain a role or |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 868 | ``roles/`` directory. By default, the project is added to the |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 869 | path under its own name, however, that may be changed by |
| 870 | explicitly listing the project in the roles list in the usual |
| 871 | way. |
| 872 | |
| 873 | .. note:: Galaxy roles are not yet implemented. |
| 874 | |
| 875 | .. attr:: galaxy |
| 876 | |
| 877 | The name of the role in Ansible Galaxy. If this attribute is |
| 878 | supplied, Zuul will search Ansible Galaxy for a role by this |
| 879 | name and install it. Mutually exclusive with ``zuul``; |
| 880 | either ``galaxy`` or ``zuul`` must be supplied. |
| 881 | |
| 882 | .. attr:: zuul |
| 883 | |
| 884 | The name of a Zuul project which supplies the role. Mutually |
| 885 | exclusive with ``galaxy``; either ``galaxy`` or ``zuul`` must |
| 886 | be supplied. |
| 887 | |
| 888 | .. attr:: name |
| 889 | |
| 890 | The installation name of the role. In the case of a bare |
| 891 | role, the role will be made available under this name. |
| 892 | Ignored in the case of a contained role. |
| 893 | |
| 894 | .. attr:: required-projects |
| 895 | |
| 896 | A list of other projects which are used by this job. Any Zuul |
| 897 | projects specified here will also be checked out by Zuul into |
| 898 | the working directory for the job. Speculative merging and |
| 899 | cross-repo dependencies will be honored. |
| 900 | |
| 901 | The format for this attribute is either a list of strings or |
| 902 | dictionaries. Strings are interpreted as project names, |
| 903 | dictionaries, if used, may have the following attributes: |
| 904 | |
| 905 | .. attr:: name |
| 906 | :required: |
| 907 | |
| 908 | The name of the required project. |
| 909 | |
| 910 | .. attr:: override-branch |
| 911 | |
| 912 | When Zuul runs jobs for a proposed change, it normally checks |
| 913 | out the branch associated with that change on every project |
| 914 | present in the job. If jobs are running on a ref (such as a |
| 915 | branch tip or tag), then that ref is normally checked out. |
| 916 | This attribute is used to override that behavior and indicate |
| 917 | that this job should, regardless of the branch for the queue |
| 918 | item, use the indicated branch instead, for only this |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 919 | project. See also the :attr:`job.override-branch` attribute |
James E. Blair | 32c5248 | 2017-07-29 07:49:03 -0700 | [diff] [blame] | 920 | to apply the same behavior to all projects in a job. |
| 921 | |
| 922 | .. attr:: vars |
| 923 | |
| 924 | A dictionary of variables to supply to Ansible. When inheriting |
| 925 | from a job (or creating a variant of a job) vars are merged with |
| 926 | previous definitions. This means a variable definition with the |
| 927 | same name will override a previously defined variable, but new |
| 928 | variable names will be added to the set of defined variables. |
| 929 | |
| 930 | .. attr:: dependencies |
| 931 | |
| 932 | A list of other jobs upon which this job depends. Zuul will not |
| 933 | start executing this job until all of its dependencies have |
| 934 | completed successfully, and if one or more of them fail, this |
| 935 | job will not be run. |
| 936 | |
| 937 | .. attr:: allowed-projects |
| 938 | |
| 939 | A list of Zuul projects which may use this job. By default, a |
| 940 | job may be used by any other project known to Zuul, however, |
| 941 | some jobs use resources or perform actions which are not |
| 942 | appropriate for other projects. In these cases, a list of |
| 943 | projects which are allowed to use this job may be supplied. If |
| 944 | this list is not empty, then it must be an exhaustive list of |
| 945 | all projects permitted to use the job. The current project |
| 946 | (where the job is defined) is not automatically included, so if |
| 947 | it should be able to run this job, then it must be explicitly |
James E. Blair | 88d8424 | 2017-07-31 12:05:16 -0700 | [diff] [blame] | 948 | listed. By default, all projects may use the job. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 949 | |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 950 | .. attr:: post-review |
| 951 | :default: false |
James E. Blair | 892cca6 | 2017-08-09 11:36:58 -0700 | [diff] [blame] | 952 | |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 953 | A boolean value which indicates whether this job may only be |
| 954 | used in pipelines where :attr:`pipeline.post-review` is |
Monty Taylor | a49b0ea | 2017-10-05 16:16:19 -0500 | [diff] [blame] | 955 | ``true``. This is automatically set to ``true`` if this job |
| 956 | uses a :ref:`secret` and is defined in a :term:`untrusted-project`. |
| 957 | It may be explicitly set to obtain the same behavior for jobs |
| 958 | defined in :term:`config projects <config-project>`. Once this |
| 959 | is set to ``true`` anywhere in the inheritance hierarchy for a job, |
| 960 | it will remain set for all child jobs and variants (it can not be |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 961 | set to ``false``). |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 962 | |
| 963 | .. _project: |
| 964 | |
| 965 | Project |
| 966 | ~~~~~~~ |
| 967 | |
| 968 | A project corresponds to a source code repository with which Zuul is |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 969 | configured to interact. The main responsibility of the project |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 970 | configuration item is to specify which jobs should run in which |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 971 | pipelines for a given project. Within each project definition, a |
| 972 | section for each :ref:`pipeline <pipeline>` may appear. This |
| 973 | project-pipeline definition is what determines how a project |
| 974 | participates in a pipeline. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 975 | |
James E. Blair | 0b7dc85 | 2017-10-10 13:41:03 -0700 | [diff] [blame^] | 976 | Multiple project definitions may appear for the same project (for |
| 977 | example, in a central :term:`config projects <config-project>` as wall |
| 978 | as in a repo's own ``.zuul.yaml``). In this case, all of the project |
| 979 | definitions are combined (the jobs listed in all of the definitions |
| 980 | will be run). |
| 981 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 982 | Consider the following project definition:: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 983 | |
| 984 | - project: |
| 985 | name: yoyodyne |
| 986 | check: |
| 987 | jobs: |
| 988 | - check-syntax |
| 989 | - unit-tests |
| 990 | gate: |
| 991 | queue: integrated |
| 992 | jobs: |
| 993 | - unit-tests |
| 994 | - integration-tests |
| 995 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 996 | The project has two project-pipeline stanzas, one for the ``check`` |
| 997 | pipeline, and one for ``gate``. Each specifies which jobs should run |
| 998 | when a change for that project enters the respective pipeline -- when |
| 999 | a change enters ``check``, the ``check-syntax`` and ``unit-test`` jobs |
| 1000 | are run. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1001 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 1002 | Pipelines which use the dependent pipeline manager (e.g., the ``gate`` |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1003 | example shown earlier) maintain separate queues for groups of |
| 1004 | projects. When Zuul serializes a set of changes which represent |
| 1005 | future potential project states, it must know about all of the |
| 1006 | projects within Zuul which may have an effect on the outcome of the |
| 1007 | jobs it runs. If project *A* uses project *B* as a library, then Zuul |
| 1008 | must be told about that relationship so that it knows to serialize |
| 1009 | changes to A and B together, so that it does not merge a change to B |
| 1010 | while it is testing a change to A. |
| 1011 | |
| 1012 | Zuul could simply assume that all projects are related, or even infer |
| 1013 | relationships by which projects a job indicates it uses, however, in a |
| 1014 | large system that would become unwieldy very quickly, and |
| 1015 | unnecessarily delay changes to unrelated projects. To allow for |
| 1016 | flexibility in the construction of groups of related projects, the |
| 1017 | change queues used by dependent pipeline managers are specified |
| 1018 | manually. To group two or more related projects into a shared queue |
| 1019 | for a dependent pipeline, set the ``queue`` parameter to the same |
| 1020 | value for those projects. |
| 1021 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 1022 | The ``gate`` project-pipeline definition above specifies that this |
| 1023 | project participates in the ``integrated`` shared queue for that |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1024 | pipeline. |
| 1025 | |
James E. Blair | 9d4384d | 2017-08-01 15:54:50 -0700 | [diff] [blame] | 1026 | .. attr:: project |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1027 | |
James E. Blair | 0b7dc85 | 2017-10-10 13:41:03 -0700 | [diff] [blame^] | 1028 | The following attributes may appear in a project: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1029 | |
James E. Blair | 9d4384d | 2017-08-01 15:54:50 -0700 | [diff] [blame] | 1030 | .. attr:: name |
| 1031 | :required: |
| 1032 | |
| 1033 | The name of the project. If Zuul is configured with two or more |
| 1034 | unique projects with the same name, the canonical hostname for |
| 1035 | the project should be included (e.g., `git.example.com/foo`). |
| 1036 | |
| 1037 | .. attr:: templates |
| 1038 | |
| 1039 | A list of :ref:`project-template` references; the |
| 1040 | project-pipeline definitions of each Project Template will be |
| 1041 | applied to this project. If more than one template includes |
| 1042 | jobs for a given pipeline, they will be combined, as will any |
| 1043 | jobs specified in project-pipeline definitions on the project |
| 1044 | itself. |
| 1045 | |
| 1046 | .. attr:: merge-mode |
| 1047 | :default: merge-resolve |
| 1048 | |
| 1049 | The merge mode which is used by Git for this project. Be sure |
| 1050 | this matches what the remote system which performs merges (i.e., |
| 1051 | Gerrit or GitHub). Must be one of the following values: |
| 1052 | |
| 1053 | .. value:: merge |
| 1054 | |
| 1055 | Uses the default git merge strategy (recursive). |
| 1056 | |
| 1057 | .. value:: merge-resolve |
| 1058 | |
| 1059 | Uses the resolve git merge strategy. This is a very |
| 1060 | conservative merge strategy which most closely matches the |
| 1061 | behavior of Gerrit. |
| 1062 | |
| 1063 | .. value:: cherry-pick |
| 1064 | |
| 1065 | Cherry-picks each change onto the branch rather than |
| 1066 | performing any merges. |
| 1067 | |
| 1068 | .. attr:: <pipeline> |
| 1069 | |
| 1070 | Each pipeline that the project participates in should have an |
| 1071 | entry in the project. The value for this key should be a |
| 1072 | dictionary with the following format: |
| 1073 | |
| 1074 | .. attr:: jobs |
| 1075 | :required: |
| 1076 | |
| 1077 | A list of jobs that should be run when items for this project |
| 1078 | are enqueued into the pipeline. Each item of this list may |
| 1079 | be a string, in which case it is treated as a job name, or it |
| 1080 | may be a dictionary, in which case it is treated as a job |
| 1081 | variant local to this project and pipeline. In that case, |
| 1082 | the format of the dictionary is the same as the top level |
| 1083 | :attr:`job` definition. Any attributes set on the job here |
| 1084 | will override previous versions of the job. |
| 1085 | |
| 1086 | .. attr:: queue |
| 1087 | |
| 1088 | If this pipeline is a :value:`dependent |
| 1089 | <pipeline.manager.dependent>` pipeline, this specifies the |
| 1090 | name of the shared queue this project is in. Any projects |
| 1091 | which interact with each other in tests should be part of the |
| 1092 | same shared queue in order to ensure that they don't merge |
| 1093 | changes which break the others. This is a free-form string; |
| 1094 | just set the same value for each group of projects. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1095 | |
| 1096 | .. _project-template: |
| 1097 | |
| 1098 | Project Template |
| 1099 | ~~~~~~~~~~~~~~~~ |
| 1100 | |
| 1101 | A Project Template defines one or more project-pipeline definitions |
| 1102 | which can be re-used by multiple projects. |
| 1103 | |
| 1104 | A Project Template uses the same syntax as a :ref:`project` |
James E. Blair | aafabe9 | 2017-08-02 15:23:19 -0700 | [diff] [blame] | 1105 | definition, however, in the case of a template, the |
| 1106 | :attr:`project.name` attribute does not refer to the name of a |
| 1107 | project, but rather names the template so that it can be referenced in |
| 1108 | a `Project` definition. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1109 | |
| 1110 | .. _secret: |
| 1111 | |
| 1112 | Secret |
| 1113 | ~~~~~~ |
| 1114 | |
| 1115 | A Secret is a collection of private data for use by one or more jobs. |
| 1116 | In order to maintain the security of the data, the values are usually |
| 1117 | encrypted, however, data which are not sensitive may be provided |
| 1118 | unencrypted as well for convenience. |
| 1119 | |
| 1120 | A Secret may only be used by jobs defined within the same project. To |
James E. Blair | e19e88a | 2017-08-09 15:14:29 -0700 | [diff] [blame] | 1121 | use a secret, a :ref:`job` must specify the secret in |
| 1122 | :attr:`job.secrets`. Secrets are bound to the playbooks associated |
| 1123 | with the specific job definition where they were declared. Additional |
| 1124 | pre or post playbooks which appear in child jobs will not have access |
| 1125 | to the secrets, nor will playbooks which override the main playbook |
| 1126 | (if any) of the job which declared the secret. This protects against |
| 1127 | jobs in other repositories declaring a job with a secret as a parent |
| 1128 | and then exposing that secret. |
James E. Blair | 892cca6 | 2017-08-09 11:36:58 -0700 | [diff] [blame] | 1129 | |
| 1130 | It is possible to use secrets for jobs defined in :term:`config |
| 1131 | projects <config-project>` as well as :term:`untrusted projects |
| 1132 | <untrusted-project>`, however their use differs slightly. Because |
| 1133 | playbooks in a config project which use secrets run in the |
| 1134 | :term:`trusted execution context` where proposed changes are not used |
| 1135 | in executing jobs, it is safe for those secrets to be used in all |
| 1136 | types of pipelines. However, because playbooks defined in an |
| 1137 | untrusted project are run in the :term:`untrusted execution context` |
| 1138 | where proposed changes are used in job execution, it is dangerous to |
| 1139 | allow those secrets to be used in pipelines which are used to execute |
James E. Blair | 8eb564a | 2017-08-10 09:21:41 -0700 | [diff] [blame] | 1140 | proposed but unreviewed changes. By default, pipelines are considered |
| 1141 | `pre-review` and will refuse to run jobs which have playbooks that use |
| 1142 | secrets in the untrusted execution context to protect against someone |
| 1143 | proposing a change which exposes a secret. To permit this (for |
| 1144 | instance, in a pipeline which only runs after code review), the |
| 1145 | :attr:`pipeline.post-review` attribute may be explicitly set to |
| 1146 | ``true``. |
| 1147 | |
| 1148 | In some cases, it may be desirable to prevent a job which is defined |
| 1149 | in a config project from running in a pre-review pipeline (e.g., a job |
| 1150 | used to publish an artifact). In these cases, the |
| 1151 | :attr:`job.post-review` attribute may be explicitly set to ``true`` to |
| 1152 | indicate the job should only run in post-review pipelines. |
James E. Blair | 892cca6 | 2017-08-09 11:36:58 -0700 | [diff] [blame] | 1153 | |
| 1154 | If a job with secrets is unsafe to be used by other projects, the |
| 1155 | `allowed-projects` job attribute can be used to restrict the projects |
| 1156 | which can invoke that job. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1157 | |
James E. Blair | aafabe9 | 2017-08-02 15:23:19 -0700 | [diff] [blame] | 1158 | .. attr:: secret |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1159 | |
James E. Blair | aafabe9 | 2017-08-02 15:23:19 -0700 | [diff] [blame] | 1160 | The following attributes must appear on a secret: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1161 | |
James E. Blair | aafabe9 | 2017-08-02 15:23:19 -0700 | [diff] [blame] | 1162 | .. attr:: name |
| 1163 | :required: |
| 1164 | |
| 1165 | The name of the secret, used in a :ref:`Job` definition to |
| 1166 | request the secret. |
| 1167 | |
| 1168 | .. attr:: data |
| 1169 | :required: |
| 1170 | |
| 1171 | A dictionary which will be added to the Ansible variables |
| 1172 | available to the job. The values can either be plain text |
| 1173 | strings, or encrypted values. See :ref:`encryption` for more |
| 1174 | information. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1175 | |
| 1176 | .. _nodeset: |
| 1177 | |
| 1178 | Nodeset |
| 1179 | ~~~~~~~ |
| 1180 | |
| 1181 | A Nodeset is a named collection of nodes for use by a job. Jobs may |
| 1182 | specify what nodes they require individually, however, by defining |
| 1183 | groups of node types once and referring to them by name, job |
| 1184 | configuration may be simplified. |
| 1185 | |
Tobias Henkel | db686e2 | 2017-08-01 09:15:31 +0200 | [diff] [blame] | 1186 | .. code-block:: yaml |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1187 | |
Tobias Henkel | db686e2 | 2017-08-01 09:15:31 +0200 | [diff] [blame] | 1188 | - nodeset: |
| 1189 | name: nodeset1 |
| 1190 | nodes: |
| 1191 | - name: controller |
| 1192 | label: controller-label |
| 1193 | - name: compute1 |
| 1194 | label: compute-label |
| 1195 | - name: compute2 |
| 1196 | label: compute-label |
| 1197 | groups: |
| 1198 | - name: ceph-osd |
| 1199 | nodes: |
| 1200 | - controller |
| 1201 | - name: ceph-monitor |
| 1202 | nodes: |
| 1203 | - controller |
| 1204 | - compute1 |
| 1205 | - compute2 |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1206 | |
Tobias Henkel | db686e2 | 2017-08-01 09:15:31 +0200 | [diff] [blame] | 1207 | .. attr:: nodeset |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1208 | |
Tobias Henkel | db686e2 | 2017-08-01 09:15:31 +0200 | [diff] [blame] | 1209 | A Nodeset requires two attributes: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1210 | |
Tobias Henkel | db686e2 | 2017-08-01 09:15:31 +0200 | [diff] [blame] | 1211 | .. attr:: name |
| 1212 | :required: |
| 1213 | |
| 1214 | The name of the Nodeset, to be referenced by a :ref:`job`. |
| 1215 | |
| 1216 | .. attr:: nodes |
| 1217 | :required: |
| 1218 | |
| 1219 | A list of node definitions, each of which has the following format: |
| 1220 | |
| 1221 | .. attr:: name |
| 1222 | :required: |
| 1223 | |
| 1224 | The name of the node. This will appear in the Ansible inventory |
| 1225 | for the job. |
| 1226 | |
| 1227 | .. attr:: label |
| 1228 | :required: |
| 1229 | |
| 1230 | The Nodepool label for the node. Zuul will request a node with |
| 1231 | this label. |
| 1232 | |
| 1233 | .. attr:: groups |
| 1234 | |
| 1235 | Additional groups can be defined which are accessible from the ansible |
| 1236 | playbooks. |
| 1237 | |
| 1238 | .. attr:: name |
| 1239 | :required: |
| 1240 | |
| 1241 | The name of the group to be referenced by an ansible playbook. |
| 1242 | |
| 1243 | .. attr:: nodes |
| 1244 | :required: |
| 1245 | |
| 1246 | The nodes that shall be part of the group. This is specified as a list |
| 1247 | of strings. |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1248 | |
| 1249 | .. _semaphore: |
| 1250 | |
| 1251 | Semaphore |
| 1252 | ~~~~~~~~~ |
| 1253 | |
| 1254 | Semaphores can be used to restrict the number of certain jobs which |
| 1255 | are running at the same time. This may be useful for jobs which |
| 1256 | access shared or limited resources. A semaphore has a value which |
| 1257 | represents the maximum number of jobs which use that semaphore at the |
| 1258 | same time. |
| 1259 | |
| 1260 | Semaphores are never subject to dynamic reconfiguration. If the value |
| 1261 | of a semaphore is changed, it will take effect only when the change |
Tobias Henkel | 7683298 | 2017-08-01 08:37:40 +0200 | [diff] [blame] | 1262 | where it is updated is merged. An example follows: |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1263 | |
Tobias Henkel | 7683298 | 2017-08-01 08:37:40 +0200 | [diff] [blame] | 1264 | .. code-block:: yaml |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1265 | |
Tobias Henkel | 7683298 | 2017-08-01 08:37:40 +0200 | [diff] [blame] | 1266 | - semaphore: |
| 1267 | name: semaphore-foo |
| 1268 | max: 5 |
| 1269 | - semaphore: |
| 1270 | name: semaphore-bar |
| 1271 | max: 3 |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1272 | |
Tobias Henkel | 7683298 | 2017-08-01 08:37:40 +0200 | [diff] [blame] | 1273 | .. attr:: semaphore |
James E. Blair | 1de8d40 | 2017-05-07 17:08:04 -0700 | [diff] [blame] | 1274 | |
Tobias Henkel | 7683298 | 2017-08-01 08:37:40 +0200 | [diff] [blame] | 1275 | The following attributes are available: |
| 1276 | |
| 1277 | .. attr:: name |
| 1278 | :required: |
| 1279 | |
| 1280 | The name of the semaphore, referenced by jobs. |
| 1281 | |
| 1282 | .. attr:: max |
| 1283 | :default: 1 |
| 1284 | |
| 1285 | The maximum number of running jobs which can use this semaphore. |