James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 1 | :title: Components |
| 2 | |
| 3 | .. _components: |
| 4 | |
| 5 | Components |
| 6 | ========== |
| 7 | |
| 8 | Zuul is a distributed system consisting of several components, each of |
| 9 | which is described below. All Zuul processes read the |
| 10 | **/etc/zuul/zuul.conf** file (an alternate location may be supplied on |
| 11 | the command line) which uses an INI file syntax. Each component may |
| 12 | have its own configuration file, though you may find it simpler to use |
| 13 | the same file for all components. |
| 14 | |
| 15 | A minimal Zuul system may consist of a *scheduler* and *executor* both |
| 16 | running on the same host. Larger installations should consider |
| 17 | running multiple executors, each on a dedicated host, and running |
| 18 | mergers on dedicated hosts as well. |
| 19 | |
| 20 | Common |
| 21 | ------ |
| 22 | |
| 23 | The following applies to all Zuul components. |
| 24 | |
| 25 | Configuration |
| 26 | ~~~~~~~~~~~~~ |
| 27 | |
| 28 | The following sections of **zuul.conf** are used by all Zuul components: |
| 29 | |
| 30 | gearman |
| 31 | """"""" |
| 32 | |
| 33 | Client connection information for gearman. |
| 34 | |
| 35 | **server** |
| 36 | Hostname or IP address of the Gearman server. |
| 37 | ``server=gearman.example.com`` (required) |
| 38 | |
| 39 | **port** |
| 40 | Port on which the Gearman server is listening. |
| 41 | ``port=4730`` (optional) |
| 42 | |
| 43 | **ssl_ca** |
| 44 | Optional: An openssl file containing a set of concatenated |
| 45 | “certification authority” certificates in PEM formet. |
| 46 | |
| 47 | **ssl_cert** |
| 48 | Optional: An openssl file containing the client public certificate in |
| 49 | PEM format. |
| 50 | |
| 51 | **ssl_key** |
| 52 | Optional: An openssl file containing the client private key in PEM format. |
| 53 | |
James E. Blair | fdb111d | 2017-06-23 20:56:05 +0100 | [diff] [blame] | 54 | zookeeper |
| 55 | """"""""" |
| 56 | |
James E. Blair | 4f3e622 | 2017-07-05 14:52:08 -0700 | [diff] [blame] | 57 | .. NOTE: this is a white lie at this point, since only the scheduler |
| 58 | uses this, however, we expect other components to use it later, so |
| 59 | it's reasonable for admins to plan for this now. |
| 60 | |
James E. Blair | fdb111d | 2017-06-23 20:56:05 +0100 | [diff] [blame] | 61 | **hosts** |
| 62 | A list of zookeeper hosts for Zuul to use when communicating with |
| 63 | Nodepool. ``hosts=zk1.example.com,zk2.example.com,zk3.example.com`` |
| 64 | |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 65 | |
| 66 | Scheduler |
| 67 | --------- |
| 68 | |
| 69 | The scheduler is the primary component of Zuul. The scheduler is not |
| 70 | a scalable component; one, and only one, scheduler must be running at |
| 71 | all times for Zuul to be operational. It receives events from any |
| 72 | connections to remote systems which have been configured, enqueues |
| 73 | items into pipelines, distributes jobs to executors, and reports |
| 74 | results. |
| 75 | |
| 76 | Configuration |
| 77 | ~~~~~~~~~~~~~ |
| 78 | |
| 79 | The following sections of **zuul.conf** are used by the scheduler: |
| 80 | |
| 81 | gearman_server |
| 82 | """""""""""""" |
| 83 | |
| 84 | The builtin gearman server. Zuul can fork a gearman process from itself rather |
| 85 | than connecting to an external one. |
| 86 | |
| 87 | **start** |
| 88 | Whether to start the internal Gearman server (default: False). |
| 89 | ``start=true`` |
| 90 | |
| 91 | **listen_address** |
| 92 | IP address or domain name on which to listen (default: all addresses). |
| 93 | ``listen_address=127.0.0.1`` |
| 94 | |
| 95 | **log_config** |
| 96 | Path to log config file for internal Gearman server. |
| 97 | ``log_config=/etc/zuul/gearman-logging.yaml`` |
| 98 | |
| 99 | **ssl_ca** |
| 100 | Optional: An openssl file containing a set of concatenated “certification authority” certificates |
| 101 | in PEM formet. |
| 102 | |
| 103 | **ssl_cert** |
| 104 | Optional: An openssl file containing the server public certificate in PEM format. |
| 105 | |
| 106 | **ssl_key** |
| 107 | Optional: An openssl file containing the server private key in PEM format. |
| 108 | |
| 109 | webapp |
| 110 | """""" |
| 111 | |
| 112 | **listen_address** |
| 113 | IP address or domain name on which to listen (default: 0.0.0.0). |
| 114 | ``listen_address=127.0.0.1`` |
| 115 | |
| 116 | **port** |
| 117 | Port on which the webapp is listening (default: 8001). |
| 118 | ``port=8008`` |
| 119 | |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 120 | **status_expiry** |
| 121 | Zuul will cache the status.json file for this many seconds. This is an |
| 122 | optional value and ``1`` is used by default. |
| 123 | ``status_expiry=1`` |
| 124 | |
James E. Blair | 4f3e622 | 2017-07-05 14:52:08 -0700 | [diff] [blame] | 125 | **status_url** |
| 126 | URL that will be posted in Zuul comments made to changes when |
| 127 | starting jobs for a change. Used by zuul-scheduler only. |
| 128 | ``status_url=https://zuul.example.com/status`` |
| 129 | |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 130 | scheduler |
| 131 | """"""""" |
James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 132 | |
| 133 | **tenant_config** |
| 134 | Path to tenant config file. |
| 135 | ``layout_config=/etc/zuul/tenant.yaml`` |
| 136 | |
| 137 | **log_config** |
| 138 | Path to log config file. |
| 139 | ``log_config=/etc/zuul/scheduler-logging.yaml`` |
| 140 | |
| 141 | **pidfile** |
| 142 | Path to PID lock file. |
| 143 | ``pidfile=/var/run/zuul/scheduler.pid`` |
| 144 | |
| 145 | **state_dir** |
| 146 | Path to directory that Zuul should save state to. |
| 147 | ``state_dir=/var/lib/zuul`` |
| 148 | |
| 149 | Operation |
| 150 | ~~~~~~~~~ |
| 151 | |
| 152 | To start the scheduler, run ``zuul-scheduler``. To stop it, kill the |
| 153 | PID which was saved in the pidfile specified in the configuration. |
| 154 | |
| 155 | Most of Zuul's configuration is automatically updated as changes to |
| 156 | the repositories which contain it are merged. However, Zuul must be |
| 157 | explicitly notified of changes to the tenant config file, since it is |
| 158 | not read from a git repository. To do so, send the scheduler PID |
| 159 | (saved in the pidfile specified in the configuration) a SIGHUP signal. |
| 160 | |
| 161 | Merger |
| 162 | ------ |
| 163 | |
| 164 | Mergers are an optional Zuul service; they are not required for Zuul |
| 165 | to operate, but some high volume sites may benefit from running them. |
| 166 | Zuul performs quite a lot of git operations in the course of its work. |
| 167 | Each change that is to be tested must be speculatively merged with the |
| 168 | current state of its target branch to ensure that it can merge, and to |
| 169 | ensure that the tests that Zuul perform accurately represent the |
| 170 | outcome of merging the change. Because Zuul's configuration is stored |
| 171 | in the git repos it interacts with, and is dynamically evaluated, Zuul |
| 172 | often needs to perform a speculative merge in order to determine |
| 173 | whether it needs to perform any further actions. |
| 174 | |
| 175 | All of these git operations add up, and while Zuul executors can also |
| 176 | perform them, large numbers may impact their ability to run jobs. |
| 177 | Therefore, administrators may wish to run standalone mergers in order |
| 178 | to reduce the load on executors. |
| 179 | |
| 180 | Configuration |
| 181 | ~~~~~~~~~~~~~ |
| 182 | |
| 183 | The following section of **zuul.conf** is used by the merger: |
| 184 | |
| 185 | merger |
| 186 | """""" |
| 187 | |
| 188 | **git_dir** |
| 189 | Directory that Zuul should clone local git repositories to. |
| 190 | ``git_dir=/var/lib/zuul/git`` |
| 191 | |
| 192 | **git_user_email** |
| 193 | Optional: Value to pass to `git config user.email`. |
| 194 | ``git_user_email=zuul@example.com`` |
| 195 | |
| 196 | **git_user_name** |
| 197 | Optional: Value to pass to `git config user.name`. |
| 198 | ``git_user_name=zuul`` |
| 199 | |
| 200 | **log_config** |
| 201 | Path to log config file for the merger process. |
| 202 | ``log_config=/etc/zuul/logging.yaml`` |
| 203 | |
| 204 | **pidfile** |
| 205 | Path to PID lock file for the merger process. |
| 206 | ``pidfile=/var/run/zuul-merger/merger.pid`` |
| 207 | |
| 208 | Operation |
| 209 | ~~~~~~~~~ |
| 210 | |
| 211 | To start the merger, run ``zuul-merger``. To stop it, kill the |
| 212 | PID which was saved in the pidfile specified in the configuration. |
| 213 | |
| 214 | Executor |
| 215 | -------- |
| 216 | |
| 217 | Executors are responsible for running jobs. At the start of each job, |
| 218 | an executor prepares an environment in which to run Ansible which |
| 219 | contains all of the git repositories specified by the job with all |
| 220 | dependent changes merged into their appropriate branches. The branch |
| 221 | corresponding to the proposed change will be checked out (in all |
| 222 | projects, if it exists). Any roles specified by the job will also be |
| 223 | present (also with dependent changes merged, if appropriate) and added |
| 224 | to the Ansible role path. The executor also prepares an Ansible |
| 225 | inventory file with all of the nodes requested by the job. |
| 226 | |
| 227 | The executor also contains a merger. This is used by the executor to |
| 228 | prepare the git repositories used by jobs, but is also available to |
| 229 | perform any tasks normally performed by standalone mergers. Because |
| 230 | the executor performs both roles, small Zuul installations may not |
| 231 | need to run standalone mergers. |
| 232 | |
| 233 | Trusted and Untrusted Playbooks |
| 234 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 235 | |
| 236 | The executor runs playbooks in one of two execution contexts depending |
| 237 | on whether the project containing the playbook is a *config project* |
| 238 | or an *untrusted project*. If the playbook is in a *config project*, |
| 239 | the executor runs the playbook in the *trusted* execution context, |
| 240 | otherwise, it is run in the *untrusted* execution context. |
| 241 | |
| 242 | Both execution contexts use `bubblewrap`_ to create a namespace to |
| 243 | ensure that playbook executions are isolated and are unable to access |
| 244 | files outside of a restricted environment. The administrator may |
| 245 | configure additional local directories on the executor to be made |
| 246 | available to the restricted environment. |
| 247 | |
| 248 | The *trusted* execution context has access to all Ansible features, |
| 249 | including the ability to load custom Ansible modules. Needless to |
| 250 | say, extra scrutiny should be given to code that runs in a trusted |
| 251 | context as it could be used to compromise other jobs running on the |
| 252 | executor, or the executor itself, especially if the administrator has |
| 253 | granted additional access through bubblewrap, or a method of escaping |
| 254 | the restricted environment created by bubblewrap is found. |
| 255 | |
| 256 | Playbooks run in the *untrusted* execution context are not permitted |
| 257 | to load additional Ansible modules or access files outside of the |
| 258 | restricted environment prepared for them by the executor. In addition |
| 259 | to the bubblewrap environment applied to both execution contexts, in |
| 260 | the *untrusted* context some standard Ansible modules are replaced |
| 261 | with versions which prohibit some actions, including attempts to |
| 262 | access files outside of the restricted execution context. These |
| 263 | redundant protections are made as part of a defense-in-depth strategy. |
| 264 | |
| 265 | .. _bubblewrap: https://github.com/projectatomic/bubblewrap |
| 266 | |
| 267 | Configuration |
| 268 | ~~~~~~~~~~~~~ |
| 269 | |
| 270 | The following sections of **zuul.conf** are used by the executor: |
| 271 | |
| 272 | executor |
| 273 | """""""" |
| 274 | |
| 275 | **finger_port** |
| 276 | Port to use for finger log streamer. |
| 277 | ``finger_port=79`` |
| 278 | |
| 279 | **git_dir** |
| 280 | Directory that Zuul should clone local git repositories to. |
| 281 | ``git_dir=/var/lib/zuul/git`` |
| 282 | |
| 283 | **log_config** |
| 284 | Path to log config file for the executor process. |
| 285 | ``log_config=/etc/zuul/logging.yaml`` |
| 286 | |
| 287 | **private_key_file** |
| 288 | SSH private key file to be used when logging into worker nodes. |
| 289 | ``private_key_file=~/.ssh/id_rsa`` |
| 290 | |
| 291 | **user** |
| 292 | User ID for the zuul-executor process. In normal operation as a daemon, |
| 293 | the executor should be started as the ``root`` user, but it will drop |
| 294 | privileges to this user during startup. |
| 295 | ``user=zuul`` |
| 296 | |
| 297 | merger |
| 298 | """""" |
| 299 | |
| 300 | **git_user_email** |
| 301 | Optional: Value to pass to `git config user.email`. |
| 302 | ``git_user_email=zuul@example.com`` |
| 303 | |
| 304 | **git_user_name** |
| 305 | Optional: Value to pass to `git config user.name`. |
| 306 | ``git_user_name=zuul`` |
| 307 | |
| 308 | Operation |
| 309 | ~~~~~~~~~ |
| 310 | |
| 311 | To start the executor, run ``zuul-executor``. |
| 312 | |
| 313 | There are several commands which can be run to control the executor's |
| 314 | behavior once it is running. |
| 315 | |
| 316 | To stop the executor immediately, aborting all jobs (they may be |
| 317 | relaunched according to their retry policy), run ``zuul-executor |
| 318 | stop``. |
| 319 | |
| 320 | To request that the executor stop executing new jobs and exit when all |
| 321 | currently running jobs have completed, run ``zuul-executor graceful``. |
| 322 | |
| 323 | To enable or disable running Ansible in verbose mode (with the '-vvv' |
| 324 | argument to ansible-playbook) run ``zuul-executor verbose`` and |
| 325 | ``zuul-executor unverbose``. |
David Shrewsbury | ae734d1 | 2017-07-11 12:41:59 -0400 | [diff] [blame] | 326 | |
| 327 | Web Server |
| 328 | ---------- |
| 329 | |
| 330 | The Zuul web server currently acts as a websocket interface to live log |
| 331 | streaming. Eventually, it will serve as the single process handling all |
| 332 | HTTP interactions with Zuul. |
| 333 | |
| 334 | Configuration |
| 335 | ~~~~~~~~~~~~~ |
| 336 | |
| 337 | In addition to the ``gearman`` common configuration section, the following |
| 338 | sections of **zuul.conf** are used by the web server: |
| 339 | |
| 340 | web |
| 341 | """ |
| 342 | |
| 343 | **listen_address** |
| 344 | IP address or domain name on which to listen (default: 127.0.0.1). |
| 345 | ``listen_address=127.0.0.1`` |
| 346 | |
| 347 | **log_config** |
| 348 | Path to log config file for the web server process. |
| 349 | ``log_config=/etc/zuul/logging.yaml`` |
| 350 | |
| 351 | **pidfile** |
| 352 | Path to PID lock file for the web server process. |
| 353 | ``pidfile=/var/run/zuul-web/zuul-web.pid`` |
| 354 | |
| 355 | **port** |
| 356 | Port to use for web server process. |
| 357 | ``port=9000`` |
| 358 | |
| 359 | Operation |
| 360 | ~~~~~~~~~ |
| 361 | |
| 362 | To start the web server, run ``zuul-web``. To stop it, kill the |
| 363 | PID which was saved in the pidfile specified in the configuration. |