blob: e7226e930c5c8430e193f912a431da9a0e7e6957 [file] [log] [blame]
James E. Blair1de8d402017-05-07 17:08:04 -07001:title: Project Configuration
2
3.. _project-config:
4
5Project Configuration
6=====================
7
8The following sections describe the main part of Zuul's configuration.
9All of what follows is found within files inside of the repositories
10that Zuul manages.
11
12Security Contexts
13-----------------
14
15When a system administrator configures Zuul to operate on a project,
16they specify one of two security contexts for that project. A
17*config-project* is one which is primarily tasked with holding
18configuration information and job content for Zuul. Jobs which are
19defined in a *config-project* are run with elevated privileges, and
20all Zuul configuration items are available for use. It is expected
21that changes to *config-projects* will undergo careful scrutiny before
22being merged.
23
24An *untrusted-project* is a project whose primary focus is not to
25operate Zuul, but rather it is one of the projects being tested or
26deployed. The Zuul configuration language available to these projects
27is somewhat restricted (as detailed in individual section below), and
28jobs defined in these projects run in a restricted execution
29environment since they may be operating on changes which have not yet
30undergone review.
31
32Configuration Loading
33---------------------
34
35When Zuul starts, it examines all of the git repositories which are
James E. Blaireff5a9d2017-06-20 00:00:37 -070036specified by the system administrator in :ref:`tenant-config` and searches
James E. Blair1de8d402017-05-07 17:08:04 -070037for files in the root of each repository. In the case of a
38*config-project*, Zuul looks for a file named `zuul.yaml`. In the
39case of an *untrusted-project*, Zuul looks first for `zuul.yaml` and
40if that is not found, `.zuul.yaml` (with a leading dot). In the case
41of an *untrusted-project*, the configuration from every branch is
42included, however, in the case of a *config-project*, only the
43`master` branch is examined.
44
45When a change is proposed to one of these files in an
46*untrusted-project*, the configuration proposed in the change is
47merged into the running configuration so that any changes to Zuul's
48configuration are self-testing as part of that change. If there is a
49configuration error, no jobs will be run and the error will be
50reported by any applicable pipelines. In the case of a change to a
51*config-project*, the new configuration is parsed and examined for
52errors, but the new configuration is not used in testing the change.
53This is because configuration in *config-projects* is able to access
54elevated privileges and should always be reviewed before being merged.
55
56As soon as a change containing a Zuul configuration change merges to
57any Zuul-managed repository, the new configuration takes effect
58immediately.
59
60Configuration Items
61-------------------
62
63The `zuul.yaml` and `.zuul.yaml` configuration files are
64YAML-formatted and are structured as a series of items, each of which
65is described below.
66
67.. _pipeline:
68
69Pipeline
70~~~~~~~~
71
72A pipeline describes a workflow operation in Zuul. It associates jobs
73for a given project with triggering and reporting events.
74
75Its flexible configuration allows for characterizing any number of
76workflows, and by specifying each as a named configuration, makes it
77easy to apply similar workflow operations to projects or groups of
78projects.
79
80By way of example, one of the primary uses of Zuul is to perform
81project gating. To do so, one can create a *gate* pipeline which
82tells Zuul that when a certain event (such as approval by a code
83reviewer) occurs, the corresponding change or pull request should be
84enqueued into the pipeline. When that happens, the jobs which have
85been configured to run for that project in the *gate* pipeline are
86run, and when they complete, the pipeline reports the results to the
87user.
88
89Pipeline configuration items may only appear in *config-projects*.
90
91Generally, a Zuul administrator would define a small number of
92pipelines which represent the workflow processes used in their
93environment. Each project can then be added to the available
94pipelines as appropriate.
95
96Here is an example *check* pipeline, which runs whenever a new
97patchset is created in Gerrit. If the associated jobs all report
98success, the pipeline reports back to Gerrit with a *Verified* vote of
99+1, or if at least one of them fails, a -1::
100
101 - pipeline:
102 name: check
103 manager: independent
104 trigger:
105 my_gerrit:
106 - event: patchset-created
107 success:
108 my_gerrit:
109 verified: 1
110 failure:
111 my_gerrit
112 verified: -1
113
James E. Blaireff5a9d2017-06-20 00:00:37 -0700114.. TODO: See TODO for more annotated examples of common pipeline configurations.
James E. Blair1de8d402017-05-07 17:08:04 -0700115
116The attributes available on a pipeline are as follows (all are
117optional unless otherwise specified):
118
119**name** (required)
120 This is used later in the project definition to indicate what jobs
121 should be run for events in the pipeline.
122
123**manager** (required)
124 There are currently two schemes for managing pipelines:
125
James E. Blaireff5a9d2017-06-20 00:00:37 -0700126 .. _independent_pipeline_manager:
127
James E. Blair1de8d402017-05-07 17:08:04 -0700128 *independent*
129 Every event in this pipeline should be treated as independent of
130 other events in the pipeline. This is appropriate when the order of
131 events in the pipeline doesn't matter because the results of the
132 actions this pipeline performs can not affect other events in the
133 pipeline. For example, when a change is first uploaded for review,
134 you may want to run tests on that change to provide early feedback
135 to reviewers. At the end of the tests, the change is not going to
136 be merged, so it is safe to run these tests in parallel without
137 regard to any other changes in the pipeline. They are independent.
138
139 Another type of pipeline that is independent is a post-merge
140 pipeline. In that case, the changes have already merged, so the
141 results can not affect any other events in the pipeline.
142
James E. Blaireff5a9d2017-06-20 00:00:37 -0700143 .. _dependent_pipeline_manager:
144
James E. Blair1de8d402017-05-07 17:08:04 -0700145 *dependent*
146 The dependent pipeline manager is designed for gating. It ensures
147 that every change is tested exactly as it is going to be merged
148 into the repository. An ideal gating system would test one change
149 at a time, applied to the tip of the repository, and only if that
150 change passed tests would it be merged. Then the next change in
151 line would be tested the same way. In order to achieve parallel
152 testing of changes, the dependent pipeline manager performs
153 speculative execution on changes. It orders changes based on
154 their entry into the pipeline. It begins testing all changes in
155 parallel, assuming that each change ahead in the pipeline will pass
156 its tests. If they all succeed, all the changes can be tested and
157 merged in parallel. If a change near the front of the pipeline
158 fails its tests, each change behind it ignores whatever tests have
159 been completed and are tested again without the change in front.
160 This way gate tests may run in parallel but still be tested
161 correctly, exactly as they will appear in the repository when
162 merged.
163
164 For more detail on the theory and operation of Zuul's dependent
165 pipeline manager, see: :doc:`gating`.
166
167**description**
168 This field may be used to provide a textual description of the
169 pipeline. It may appear in the status page or in documentation.
170
171**success-message**
172 The introductory text in reports when all the voting jobs are
173 successful. Defaults to "Build successful."
174
175**failure-message**
176 The introductory text in reports when at least one voting job fails.
177 Defaults to "Build failed."
178
179**merge-failure-message**
180 The introductory text in the message reported when a change fails to
181 merge with the current state of the repository. Defaults to "Merge
182 failed."
183
184**footer-message**
185 Supplies additional information after test results. Useful for
186 adding information about the CI system such as debugging and contact
187 details.
188
189**trigger**
190 At least one trigger source must be supplied for each pipeline.
191 Triggers are not exclusive -- matching events may be placed in
192 multiple pipelines, and they will behave independently in each of
193 the pipelines they match.
194
195 Triggers are loaded from their connection name. The driver type of
196 the connection will dictate which options are available.
James E. Blaireff5a9d2017-06-20 00:00:37 -0700197 See :ref:`drivers`.
James E. Blair1de8d402017-05-07 17:08:04 -0700198
199**require**
200 If this section is present, it established pre-requisites for any
201 kind of item entering the Pipeline. Regardless of how the item is
202 to be enqueued (via any trigger or automatic dependency resolution),
203 the conditions specified here must be met or the item will not be
204 enqueued.
205
James E. Blaireff5a9d2017-06-20 00:00:37 -0700206.. _pipeline-require-approval:
James E. Blair1de8d402017-05-07 17:08:04 -0700207
208 **approval**
209 This requires that a certain kind of approval be present for the
210 current patchset of the change (the approval could be added by the
211 event in question). It takes several sub-parameters, all of which
212 are optional and are combined together so that there must be an
213 approval matching all specified requirements.
214
215 *username*
216 If present, an approval from this username is required. It is
217 treated as a regular expression.
218
219 *email*
220 If present, an approval with this email address is required. It
221 is treated as a regular expression.
222
223 *email-filter* (deprecated)
224 A deprecated alternate spelling of *email*. Only one of *email* or
225 *email_filter* should be used.
226
227 *older-than*
228 If present, the approval must be older than this amount of time
229 to match. Provide a time interval as a number with a suffix of
230 "w" (weeks), "d" (days), "h" (hours), "m" (minutes), "s"
231 (seconds). Example ``48h`` or ``2d``.
232
233 *newer-than*
234 If present, the approval must be newer than this amount of time
235 to match. Same format as "older-than".
236
237 Any other field is interpreted as a review category and value
238 pair. For example ``verified: 1`` would require that the approval
239 be for a +1 vote in the "Verified" column. The value may either
240 be a single value or a list: ``verified: [1, 2]`` would match
241 either a +1 or +2 vote.
242
243 **open**
244 A boolean value (``true`` or ``false``) that indicates whether the change
245 must be open or closed in order to be enqueued.
246
247 **current-patchset**
248 A boolean value (``true`` or ``false``) that indicates whether the change
249 must be the current patchset in order to be enqueued.
250
251 **status**
252 A string value that corresponds with the status of the change
253 reported by the trigger.
254
255**reject**
256 If this section is present, it establishes pre-requisites that can
257 block an item from being enqueued. It can be considered a negative
258 version of **require**.
259
260 **approval**
261 This takes a list of approvals. If an approval matches the provided
262 criteria the change can not be entered into the pipeline. It follows
263 the same syntax as the :ref:`"require approval" pipeline above
264 <pipeline-require-approval>`.
265
266 Example to reject a change with any negative vote::
267
268 reject:
269 approval:
270 - code-review: [-1, -2]
271
272**dequeue-on-new-patchset**
273 Normally, if a new patchset is uploaded to a change that is in a
274 pipeline, the existing entry in the pipeline will be removed (with
275 jobs canceled and any dependent changes that can no longer merge as
276 well. To suppress this behavior (and allow jobs to continue
277 running), set this to ``false``. Default: ``true``.
278
279**ignore-dependencies**
280 In any kind of pipeline (dependent or independent), Zuul will
281 attempt to enqueue all dependencies ahead of the current change so
282 that they are tested together (independent pipelines report the
283 results of each change regardless of the results of changes ahead).
284 To ignore dependencies completely in an independent pipeline, set
285 this to ``true``. This option is ignored by dependent pipelines.
286 The default is: ``false``.
287
James E. Blaireff5a9d2017-06-20 00:00:37 -0700288**precedence**
289 Indicates how the build scheduler should prioritize jobs for
290 different pipelines. Each pipeline may have one precedence, jobs
291 for pipelines with a higher precedence will be run before ones with
292 lower. The value should be one of ``high``, ``normal``, or ``low``.
293 Default: ``normal``.
294
James E. Blair1de8d402017-05-07 17:08:04 -0700295The following options configure *reporters*. Reporters are
296complementary to triggers; where a trigger is an event on a connection
297which causes Zuul to enqueue an item, a reporter is the action
298performed on a connection when an item is dequeued after its jobs
299complete. The actual syntax for a reporter is defined by the driver
300which implements it. See :ref:`drivers` for more information.
301
302**success**
303 Describes where Zuul should report to if all the jobs complete
304 successfully. This section is optional; if it is omitted, Zuul will
305 run jobs and do nothing on success -- it will not report at all. If
306 the section is present, the listed reporters will be asked to report
307 on the jobs. The reporters are listed by their connection name. The
308 options available depend on the driver for the supplied connection.
309
310**failure**
311 These reporters describe what Zuul should do if at least one job
312 fails.
313
314**merge-failure**
315 These reporters describe what Zuul should do if it is unable to
316 merge in the patchset. If no merge-failure reporters are listed then
317 the ``failure`` reporters will be used to notify of unsuccessful
318 merges.
319
320**start**
321 These reporters describe what Zuul should do when a change is added
322 to the pipeline. This can be used, for example, to reset a
323 previously reported result.
324
325**disabled**
326 These reporters describe what Zuul should do when a pipeline is
327 disabled. See ``disable-after-consecutive-failures``.
328
James E. Blaireff5a9d2017-06-20 00:00:37 -0700329The following options can be used to alter Zuul's behavior to mitigate
330situations in which jobs are failing frequently (perhaps due to a
331problem with an external dependency, or unusually high
332non-deterministic test failures).
333
James E. Blair1de8d402017-05-07 17:08:04 -0700334**disable-after-consecutive-failures**
335 If set, a pipeline can enter a ''disabled'' state if too many changes
336 in a row fail. When this value is exceeded the pipeline will stop
337 reporting to any of the ``success``, ``failure`` or ``merge-failure``
338 reporters and instead only report to the ``disabled`` reporters.
339 (No ``start`` reports are made when a pipeline is disabled).
340
James E. Blair1de8d402017-05-07 17:08:04 -0700341**window**
342 Dependent pipeline managers only. Zuul can rate limit dependent
343 pipelines in a manner similar to TCP flow control. Jobs are only
344 started for items in the queue if they are within the actionable
345 window for the pipeline. The initial length of this window is
346 configurable with this value. The value given should be a positive
347 integer value. A value of ``0`` disables rate limiting on the
348 DependentPipelineManager. Default: ``20``.
349
350**window-floor**
351 Dependent pipeline managers only. This is the minimum value for the
352 window described above. Should be a positive non zero integer value.
353 Default: ``3``.
354
355**window-increase-type**
356 Dependent pipeline managers only. This value describes how the window
357 should grow when changes are successfully merged by zuul. A value of
358 ``linear`` indicates that ``window-increase-factor`` should be added
359 to the previous window value. A value of ``exponential`` indicates
360 that ``window-increase-factor`` should be multiplied against the
361 previous window value and the result will become the window size.
362 Default: ``linear``.
363
364**window-increase-factor**
365 Dependent pipeline managers only. The value to be added or multiplied
366 against the previous window value to determine the new window after
367 successful change merges.
368 Default: ``1``.
369
370**window-decrease-type**
371 Dependent pipeline managers only. This value describes how the window
372 should shrink when changes are not able to be merged by Zuul. A value
373 of ``linear`` indicates that ``window-decrease-factor`` should be
374 subtracted from the previous window value. A value of ``exponential``
375 indicates that ``window-decrease-factor`` should be divided against
376 the previous window value and the result will become the window size.
377 Default: ``exponential``.
378
379**window-decrease-factor**
380 Dependent pipline managers only. The value to be subtracted or divided
381 against the previous window value to determine the new window after
382 unsuccessful change merges.
383 Default: ``2``.
384
385
386.. _job:
387
388Job
389~~~
390
391A job is a unit of work performed by Zuul on an item enqueued into a
392pipeline. Items may run any number of jobs (which may depend on each
393other). Each job is an invocation of an Ansible playbook with a
394specific inventory of hosts. The actual tasks that are run by the job
395appear in the playbook for that job while the attributes that appear in the
396Zuul configuration specify information about when, where, and how the
397job should be run.
398
399Jobs in Zuul support inheritance. Any job may specify a single parent
400job, and any attributes not set on the child job are collected from
401the parent job. In this way, a configuration structure may be built
402starting with very basic jobs which describe characteristics that all
403jobs on the system should have, progressing through stages of
404specialization before arriving at a particular job. A job may inherit
405from any other job in any project (however, if the other job is marked
406as `final`, some attributes may not be overidden).
407
408Jobs also support a concept called variance. The first time a job
409definition appears is called the reference definition of the job.
410Subsequent job definitions with the same name are called variants.
411These may have different selection criteria which indicate to Zuul
412that, for instance, the job should behave differently on a different
413git branch. Unlike inheritance, all job variants must be defined in
414the same project.
415
416When Zuul decides to run a job, it performs a process known as
417freezing the job. Because any number of job variants may be
418applicable, Zuul collects all of the matching variants and applies
419them in the order they appeared in the configuration. The resulting
420frozen job is built from attributes gathered from all of the
421matching variants. In this way, exactly what is run is dependent on
422the pipeline, project, branch, and content of the item.
423
424In addition to the job's main playbook, each job may specify one or
425more pre- and post-playbooks. These are run, in order, before and
426after (respectively) the main playbook. They may be used to set up
427and tear down resources needed by the main playbook. When combined
428with inheritance, they provide powerful tools for job construction. A
429job only has a single main playbook, and when inheriting from a
430parent, the child's main playbook overrides (or replaces) the
431parent's. However, the pre- and post-playbooks are appended and
432prepended in a nesting fashion. So if a parent job and child job both
433specified pre and post playbooks, the sequence of playbooks run would
434be:
435
436* parent pre-run playbook
437* child pre-run playbook
438* child playbook
439* child post-run playbook
440* parent post-run playbook
441
442Further inheritance would nest even deeper.
443
444Here is an example of two job definitions::
445
446 - job:
447 name: base
448 pre-run: copy-git-repos
449 post-run: copy-logs
450
451 - job:
452 name: run-tests
453 parent: base
454 nodes:
455 - name: test-node
456 image: fedora
457
458The following attributes are available on a job; all are optional
459unless otherwise specified:
460
461**name** (required)
462 The name of the job. By default, Zuul looks for a playbook with
463 this name to use as the main playbook for the job. This name is
464 also referenced later in a project pipeline configuration.
465
466**parent**
467 Specifies a job to inherit from. The parent job can be defined in
468 this or any other project. Any attributes not specified on a job
469 will be collected from its parent.
470
471**description**
472 A textual description of the job. Not currently used directly by
473 Zuul, but it is used by the zuul-sphinx extension to Sphinx to
474 auto-document Zuul jobs (in which case it is interpreted as
475 ReStructuredText.
476
477**success-message**
478 Normally when a job succeeds, the string "SUCCESS" is reported as
479 the result for the job. If set, this option may be used to supply a
480 different string. Default: "SUCCESS".
481
482**failure-message**
483 Normally when a job fails, the string "FAILURE" is reported as
484 the result for the job. If set, this option may be used to supply a
485 different string. Default: "FAILURE".
486
487**success-url**
488 When a job succeeds, this URL is reported along with the result.
489 Default: none.
490
491**failure-url**
492 When a job fails, this URL is reported along with the result.
493 Default: none.
494
495**hold-following-changes**
496 In a dependent pipeline, this option may be used to indicate that no
497 jobs should start on any items which depend on the current item
498 until this job has completed successfully. This may be used to
499 conserve build resources, at the expense of inhibiting the
500 parallelization which speeds the processing of items in a dependent
501 pipeline. A boolean value, default: false.
502
503**voting**
504 Indicates whether the result of this job should be used in
505 determining the overall result of the item. A boolean value,
506 default: true.
507
508**semaphore**
509 The name of a :ref:`semaphore` which should be acquired and released
510 when the job begins and ends. If the semaphore is at maximum
511 capacity, then Zuul will wait until it can be acquired before
512 starting the job. Default: none.
513
514**tags**
515 Metadata about this job. Tags are units of information attached to
516 the job; they do not affect Zuul's behavior, but they can be used
517 within the job to characterize the job. For example, a job which
518 tests a certain subsystem could be tagged with the name of that
519 subsystem, and if the job's results are reported into a database,
520 then the results of all jobs affecting that subsystem could be
521 queried. This attribute is specified as a list of strings, and when
522 inheriting jobs or applying variants, tags accumulate in a set, so
523 the result is always a set of all the tags from all the jobs and
524 variants used in constructing the frozen job, with no duplication.
525 Default: none.
526
James E. Blaireff5a9d2017-06-20 00:00:37 -0700527**branches**
James E. Blair1de8d402017-05-07 17:08:04 -0700528 A regular expression (or list of regular expressions) which describe
529 on what branches a job should run (or in the case of variants: to
530 alter the behavior of a job for a certain branch).
531
532 If there is no job definition for a given job which matches the
533 branch of an item, then that job is not run for the item.
534 Otherwise, all of the job variants which match that branch (and any
535 other selection criteria) are used when freezing the job.
536
537 This example illustrates a job called *run-tests* which uses a
538 nodeset based on the current release of an operating system to
539 perform its tests, except when testing changes to the stable/2.0
540 branch, in which case it uses an older release::
541
542 - job:
543 name: run-tests
544 nodes: current-release
545
546 - job:
547 name: run-tests
548 branch: stable/2.0
549 nodes: old-release
550
551 In some cases, Zuul uses an implied value for the branch specifier
552 if none is supplied:
553
554 * For a job definition in a *config-project*, no implied branch
555 specifier is used. If no branch specifier appears, the job
556 applies to all branches.
557
558 * In the case of an *untrusted-project*, no implied branch specifier
559 is applied to the reference definition of a job. That is to say,
560 that if the first appearance of the job definition appears without
561 a branch specifier, then it will apply to all branches. Note that
562 when collecting its configuration, Zuul reads the `master` branch
563 of a given project first, then other branches in alphabetical
564 order.
565
566 * Any further job variants other than the reference definition in an
567 *untrusted-project* will, if they do not have a branch specifier,
568 will have an implied branch specifier for the current branch
569 applied.
570
571 This allows for the very simple and expected workflow where if a
572 project defines a job on the master branch with no branch specifier,
573 and then creates a new branch based on master, any changes to that
574 job definition within the new branch only affect that branch.
575
576**files**
577 This attribute indicates that the job should only run on changes
578 where the specified files are modified. This is a regular
579 expression or list of regular expressions. Default: none.
580
581**irrelevant-files**
582 This is a negative complement of `files`. It indicates that the job
583 should run unless *all* of the files changed match this list. In
584 other words, if the regular expression `docs/.*` is supplied, then
585 this job will not run if the only files changed are in the docs
586 directory. A regular expression or list of regular expressions.
587 Default: none.
588
589**auth**
590 Authentication information to be made available to the job. This is
591 a dictionary with two potential keys:
592
593 **inherit**
594 A boolean indicating that the authentication information referenced
595 by this job should be able to be inherited by child jobs. Normally
596 when a job inherits from another job, the auth section is not
597 included. This permits jobs to inherit the same basic structure and
598 playbook, but ensures that secret information is unable to be
599 exposed by a child job which may alter the job's behavior. If it is
600 safe for the contents of the authentication section to be used by
601 child jobs, set this to ``true``. Default: ``false``.
602
603 **secrets**
604 A list of secrets which may be used by the job. A :ref:`secret` is
605 a named collection of private information defined separately in the
606 configuration. The secrets that appear here must be defined in the
607 same project as this job definition.
608
609 In the future, other types of authentication information may be
610 added.
611
612**nodes**
613 A list of nodes which should be supplied to the job. This parameter
614 may be supplied either as a string, in which case it references a
615 :ref:`nodeset` definition which appears elsewhere in the
616 configuration, or a list, in which case it is interpreted in the
617 same way as a Nodeset definition (in essence, it is an anonymous
618 Node definition unique to this job). See the :ref:`nodeset`
619 reference for the syntax to use in that case.
620
621 If a job has an empty or no node definition, it will still run and
622 may be able to perform actions on the Zuul executor.
623
624**override-branch**
625 When Zuul runs jobs for a proposed change, it normally checks out
626 the branch associated with that change on every project present in
627 the job. If jobs are running on a ref (such as a branch tip or
628 tag), then that ref is normally checked out. This attribute is used
629 to override that behavior and indicate that this job should,
630 regardless of the branch for the queue item, use the indicated
631 branch instead. This can be used, for example, to run a previous
632 version of the software (from a stable maintenance branch) under
633 test even if the change being tested applies to a different branch
634 (this is only likely to be useful if there is some cross-branch
635 interaction with some component of the system being tested). See
636 also the project-specific **override-branch** attribute under
637 **required-projects** to apply this behavior to a subset of a job's
638 projects.
639
640**timeout**
641 The time in minutes that the job should be allowed to run before it
642 is automatically aborted and failure is reported. If no timeout is
643 supplied, the job may run indefinitely. Supplying a timeout is
644 highly recommended.
645
646**attempts**
647 When Zuul encounters an error running a job's pre-run playbook, Zuul
648 will stop and restart the job. Errors during the main or
649 post-run -playbook phase of a job are not affected by this parameter
650 (they are reported immediately). This parameter controls the number
651 of attempts to make before an error is reported. Default: 3.
652
653**pre-run**
654 The name of a playbook or list of playbooks to run before the main
655 body of a job. The playbook is expected to reside in the
656 `playbooks/` directory of the project where the job is defined.
657
658 When a job inherits from a parent, the child's pre-run playbooks are
659 run after the parent's. See :ref:`job` for more information.
660
661**post-run**
662 The name of a playbook or list of playbooks to run after the main
663 body of a job. The playbook is expected to reside in the
664 `playbooks/` directory of the project where the job is defined.
665
666 When a job inherits from a parent, the child's post-run playbooks
667 are run before the parent's. See :ref:`job` for more information.
668
669**run**
670 The name of the main playbook for this job. This parameter is not
671 normally necessary, as it defaults to the name of the job. However,
672 if a playbook with a different name is needed, it can be specified
673 here. The playbook is expected to reside in the `playbooks/`
674 directory of the project where the job is defined. When a child
675 inherits from a parent, a playbook with the name of the child job is
676 implicitly searched first, before falling back on the playbook used
677 by the parent job (unless the child job specifies a ``run``
678 attribute, in which case that value is used). Default: the name of
679 the job.
680
681**roles**
682 A list of Ansible roles to prepare for the job. Because a job runs
683 an Ansible playbook, any roles which are used by the job must be
684 prepared and installed by Zuul before the job begins. This value is
685 a list of dictionaries, each of which indicates one of two types of
686 roles: a Galaxy role, which is simply a role that is installed from
687 Ansible Galaxy, or a Zuul role, which is a role provided by a
688 project managed by Zuul. Zuul roles are able to benefit from
689 speculative merging and cross-project dependencies when used by jobs
690 in untrusted projects.
691
692 A project which supplies a role may be structured in one of two
693 configurations: a bare role (in which the role exists at the root of
694 the project), or a contained role (in which the role exists within
695 the `roles/` directory of the project, perhaps along with other
696 roles). In the case of a contained role, the `roles/` directory of
697 the project is added to the role search path. In the case of a bare
698 role, the project itself is added to the role search path. In case
699 the name of the project is not the name under which the role should
700 be installed (and therefore referenced from Ansible), the `name`
701 attribute may be used to specify an alternate.
702
James E. Blaireff5a9d2017-06-20 00:00:37 -0700703 .. note:: galaxy roles are not yet implemented
704
James E. Blair1de8d402017-05-07 17:08:04 -0700705 **galaxy**
706 The name of the role in Ansible Galaxy. If this attribute is
707 supplied, Zuul will search Ansible Galaxy for a role by this name
708 and install it. Mutually exclusive with ``zuul``; either
709 ``galaxy`` or ``zuul`` must be supplied.
710
711 **zuul**
712 The name of a Zuul project which supplies the role. Mutually
713 exclusive with ``galaxy``; either ``galaxy`` or ``zuul`` must be
714 supplied.
715
716 **name**
717 The installation name of the role. In the case of a bare role,
718 the role will be made available under this name. Ignored in the
719 case of a contained role.
720
721**required-projects**
722 A list of other projects which are used by this job. Any Zuul
723 projects specified here will also be checked out by Zuul into the
724 working directory for the job. Speculative merging and cross-repo
725 dependencies will be honored.
726
727 The format for this attribute is either a list of strings or
728 dictionaries. Strings are interpreted as project names,
729 dictionaries may have the following attributes:
730
731 **name**
732 The name of the required project.
733
734 **override-branch**
735 When Zuul runs jobs for a proposed change, it normally checks out
736 the branch associated with that change on every project present in
737 the job. If jobs are running on a ref (such as a branch tip or
738 tag), then that ref is normally checked out. This attribute is
739 used to override that behavior and indicate that this job should,
740 regardless of the branch for the queue item, use the indicated
741 branch instead, for only this project. See also the
742 **override-branch** attribute of jobs to apply the same behavior
743 to all projects in a job.
744
745**vars**
746
747A dictionary of variables to supply to Ansible. When inheriting from
748a job (or creating a variant of a job) vars are merged with previous
749definitions. This means a variable definition with the same name will
750override a previously defined variable, but new variable names will be
751added to the set of defined variables.
752
753**dependencies**
754 A list of other jobs upon which this job depends. Zuul will not
755 start executing this job until all of its dependencies have
756 completed successfully, and if one or more of them fail, this job
757 will not be run.
758
759**allowed-projects**
760 A list of Zuul projects which may use this job. By default, a job
761 may be used by any other project known to Zuul, however, some jobs
762 use resources or perform actions which are not appropriate for other
763 projects. In these cases, a list of projects which are allowed to
764 use this job may be supplied. If this list is not empty, then it
765 must be an exhaustive list of all projects permitted to use the job.
766 The current project (where the job is defined) is not automatically
767 included, so if it should be able to run this job, then it must be
768 explicitly listed. Default: the empty list (all projects may use
769 the job).
770
771
772.. _project:
773
774Project
775~~~~~~~
776
777A project corresponds to a source code repository with which Zuul is
778configured to interact. The main responsibility of the `Project`
779configuration item is to specify which jobs should run in which
780pipelines for a given project. Within each `Project` definition, a
781section for each `Pipeline` may appear. This project-pipeline
782definition is what determines how a project participates in a
783pipeline.
784
785Consider the following `Project` definition::
786
787 - project:
788 name: yoyodyne
789 check:
790 jobs:
791 - check-syntax
792 - unit-tests
793 gate:
794 queue: integrated
795 jobs:
796 - unit-tests
797 - integration-tests
798
799The project has two project-pipeline stanzas, one for the `check`
800pipeline, and one for `gate`. Each specifies which jobs shuld run
801when a change for that project enteres the respective pipeline -- when
802a change enters `check`, the `check-syntax` and `unit-test` jobs are
803run.
804
805Pipelines which use the dependent pipeline manager (e.g., the `gate`
806example shown earlier) maintain separate queues for groups of
807projects. When Zuul serializes a set of changes which represent
808future potential project states, it must know about all of the
809projects within Zuul which may have an effect on the outcome of the
810jobs it runs. If project *A* uses project *B* as a library, then Zuul
811must be told about that relationship so that it knows to serialize
812changes to A and B together, so that it does not merge a change to B
813while it is testing a change to A.
814
815Zuul could simply assume that all projects are related, or even infer
816relationships by which projects a job indicates it uses, however, in a
817large system that would become unwieldy very quickly, and
818unnecessarily delay changes to unrelated projects. To allow for
819flexibility in the construction of groups of related projects, the
820change queues used by dependent pipeline managers are specified
821manually. To group two or more related projects into a shared queue
822for a dependent pipeline, set the ``queue`` parameter to the same
823value for those projects.
824
825The `gate` project-pipeline definition above specifies that this
826project participates in the `integrated` shared queue for that
827pipeline.
828
829In addition to a project-pipeline definition for one or more
830`Pipelines`, the following attributes may appear in a Project:
831
832**name** (required)
833 The name of the project. If Zuul is configured with two or more
834 unique projects with the same name, the canonical hostname for the
835 project should be included (e.g., `git.example.com/foo`).
836
837**templates**
838 A list of :ref:`project-template` references; the project-pipeline
839 definitions of each Project Template will be applied to this
840 project. If more than one template includes jobs for a given
841 pipeline, they will be combined, as will any jobs specified in
842 project-pipeline definitions on the project itself.
843
844.. _project-template:
845
846Project Template
847~~~~~~~~~~~~~~~~
848
849A Project Template defines one or more project-pipeline definitions
850which can be re-used by multiple projects.
851
852A Project Template uses the same syntax as a :ref:`project`
853definition, however, in the case of a template, the ``name`` attribute
854does not refer to the name of a project, but rather names the template
855so that it can be referenced in a `Project` definition.
856
857.. _secret:
858
859Secret
860~~~~~~
861
862A Secret is a collection of private data for use by one or more jobs.
863In order to maintain the security of the data, the values are usually
864encrypted, however, data which are not sensitive may be provided
865unencrypted as well for convenience.
866
867A Secret may only be used by jobs defined within the same project. To
868use a secret, a :ref:`job` must specify the secret within its `auth`
869section. To protect against jobs in other repositories declaring a
870job with a secret as a parent and then exposing that secret, jobs
871which inherit from a job with secrets will not inherit the secrets
872themselves. To alter that behavior, see the `inherit` job attribute.
873Further, jobs which do not permit children to inherit secrets (the
874default) are also automatically marked `final`, meaning that their
875execution related attributes may not be changed in a project-pipeline
876stanza. This is to protect against a job with secrets defined in one
877project being used by another project in a way which might expose the
878secrets. If a job with secrets is unsafe to be used by other
879projects, the `allowed-projects` job attribute can be used to restrict
880the projects which can invoke that job. Finally, pipelines which are
881used to execute proposed but unreviewed changes can set the
882`allow-secrets` attribute to indicate that they should not supply
883secrets at all in order to protect against someone proposing a change
884which exposes a secret.
885
886The following attributes are required:
887
888**name** (required)
889 The name of the secret, used in a :ref:`Job` definition to request
890 the secret.
891
892**data** (required)
893 A dictionary which will be added to the Ansible variables available
894 to the job. The values can either be plain text strings, or
895 encrypted values. See :ref:`encryption` for more information.
896
897.. _nodeset:
898
899Nodeset
900~~~~~~~
901
902A Nodeset is a named collection of nodes for use by a job. Jobs may
903specify what nodes they require individually, however, by defining
904groups of node types once and referring to them by name, job
905configuration may be simplified.
906
907A Nodeset requires two attributes:
908
909**name** (required)
910 The name of the Nodeset, to be referenced by a :ref:`job`.
911
912**nodes** (required)
913 A list of node definitions, each of which has the following format:
914
915 **name** (required)
916 The name of the node. This will appear in the Ansible inventory
917 for the job.
918
919 **label** (required)
920 The Nodepool label for the node. Zuul will request a node with
921 this label.
922
923.. _semaphore:
924
925Semaphore
926~~~~~~~~~
927
928Semaphores can be used to restrict the number of certain jobs which
929are running at the same time. This may be useful for jobs which
930access shared or limited resources. A semaphore has a value which
931represents the maximum number of jobs which use that semaphore at the
932same time.
933
934Semaphores are never subject to dynamic reconfiguration. If the value
935of a semaphore is changed, it will take effect only when the change
936where it is updated is merged. An example follows::
937
938 - semaphore:
939 name: semaphore-foo
940 max: 5
941 - semaphore:
942 name: semaphore-bar
943 max: 3
944
945The following attributes are available:
946
947**name** (required)
948 The name of the semaphore, referenced by jobs.
949
950**max**
951 The maximum number of running jobs which can use this semaphore.
952 Defaults to 1.