author Monty Taylor <mordred@inaugust.com> 2018-10-09 01:52:18 +0200
committer Monty Taylor <mordred@inaugust.com> 2018-10-09 12:31:59 +0200
commit 63d06e732b6e5accee51587648882109a5b44079
tree a6eaccd0493177e11db04ee314884fa503318474 /src
parent b383d4a80edceaf446d719454b89b5d4584216a4
Add initial work on tutorial
Diffstat (limited to 'src')
-rw-r--r-- src/zuulv3/tutorial.rst 1611
1 files changed, 1611 insertions, 0 deletions
diff --git a/src/zuulv3/tutorial.rst b/src/zuulv3/tutorial.rst
new file mode 100644
index 0000000..7272594
--- /dev/null
+++ b/src/zuulv3/tutorial.rst
@@ -0,0 +1,1611 @@
1. display in 68x24
2.. display in 88x24
3
4.. pygments yaml? (only file breaks (---) tinted)
5.. slide on high level v3 changes
6.. slide on nodepool
7
8.. transition:: dissolve
9 :duration: 0.4
10
11Test Slide
12==========
13.. hidetitle::
14
15.. ansi:: images/testslide.ans
16
17Preshow
18=======
19.. hidetitle::
20
21.. ansi:: images/cursor.ans images/cursor2.ans
22
23Zuul
24====
25.. hidetitle::
26.. ansi:: images/title.ans
27
28Overview
29========
30
31* Discussion of concepts
32* Installation of software
33* Configurting Zuul
34* Writing jobs
35
36Please Ask Questions
37====================
38
39Pre-show
40========
41
42While we talk about other things ...
43
44* Install docker, docker-compose, git-review
45
46Debian/Ubuntu:
47
48::
49
50 apt-get install docker-compose git git-review
51
52Red Hat / SuSE
53
54::
55
56 yum install docker-compose git git-review
57
58* git clone https://git.zuul-ci.org/zuul
59* cd zuul
60* git review -d 608344
61* cd doc/source/admin/examples
62* docker-compose up
63
64Output in docker-compose window
65===============================
66
67* All services running with debug logging to stdout
68* Tons of information will have been output - including some errors
69* Zuul connects to Gerrit before it's fully configured
70* As it becomes configured, Zuul notices and becomes happy
71* Once happy, it should stablize and become idle
72
73We'll come back to this
74=======================
75
76It's going to do a bunch of network - and this is a conference.
77
78Red Hat
79=======
80.. hidetitle::
81.. container:: handout
82 i work for
83
84.. ansi:: images/redhat.ans
85
86OpenStack
87=========
88.. hidetitle::
89.. ansi:: images/openstack.ans
90
91OpenStack Infra
92===============
93
94::
95
96 "most insane CI infrastructure I've ever been a part of"
97
98 -- Alex Gaynor
99
100 "OpenStack Infra are like the SpaceX of CI"
101
102 -- Emily Dunham
103
104Zuul
105====
106.. hidetitle::
107.. ansi:: images/zuul.ans
108
109
110Spoilers
111========
112
113* What Zuul does
114
115 * multiple repositories
116 * integrated deliverable
117 * gated commits
118 * open tooling
119 * nobody is special
120 * testing like deployment
121
122OpenStack Is
123============
124
125 * Federated
126 * Distributed
127 * Large
128 * Open
129 * Not Alone
130
131Federated
132=========
133
134 * Hundreds of involved companies
135 * No 'main' company
136 * "Decisions are made by those who show up"
137 * Union of priorities/use cases
138
139Impact of being Federated
140=========================
141
142 * No company can appoint people to positions in the project
143 * The project cannot fire anyone
144 * Variable background of contributors
145 * Heavy reliance on consensus
146
147Distributed
148===========
149
150 * There is no office
151 * Contributor base is global
152 * Multitude of contributor backgrounds
153
154Impact of being Distributed
155===========================
156
157 * Tooling must empower all contributors, regardless of background,
158 skill level or cultural context
159 * Heavy preference for text-based communication
160 * Cannot assume US-centric needs or solutions
161
162Large numbers of
163================
164
165 * Contributors (\~2k in any given 6 month period)
166 * Changes
167 * Code Repositories (1955 as of this morning)
168
169Not Bragging About Scale
170========================
171
172OpenStack Scale Comparison
173==========================
174
175 * 2KJPH (2,000 jobs per hour)
176 * Build Nodes from 13 Regions of 5 Public and 2 Private OpenStack Clouds
177 * Rackspace, Internap, OVH, Vexxhost, CityCloud and Linaro, Limestone
178 * 10,000 changes merged per month
179
180OpenStack Scale Comparison
181==========================
182
183 * 2KJPH (2,000 jobs per hour)
184 * Build Nodes from 13 Regions of 5 Public and 2 Private OpenStack Clouds
185 * Rackspace, Internap, OVH, Vexxhost, CityCloud and Linaro, Limestone
186 * 10,000 changes merged per month
187
188 * By comparison, our friends at the amazing project Ansible received
189 13,000 changes and had merged 8,000 of them in its first 4 years.
190
191Four Opens
192==========
193
194 * Open Source
195 (we don't hold back Enterprise features, we don't cripple things)
196 * Open Design
197 (design process open to all, decisions are not made inside company doors)
198 * Open Development
199 (public source code, public code review, all code is reviewed and gated)
200 * Open Community
201 (lazy consensus, democratic leadership from participants,
202 public logged meetings in IRC, public archived mailing lists)
203
204We're Not Alone
205===============
206
207 * Dependencies (libvirt/kvm/xen, mysql/pg, rabbit,
208 python/javascript, ceph/gluster, ansible/salt/puppet/chef, ovs/odl)
209 * Adjacencies (kubernetes, ansible, terraform, opnfv, spinnaker)
210 * Vendors (plugins, products, services, distros)
211
212Developer Process In a Nutshell
213===============================
214
215 * Code Review - nobody has direct commit/push access
216 * 3rd-Party CI for vendors
217 * Gated Commits
218
219OpenStack Developer Workflow
220============================
221.. container:: handout
222
223 * Who has submitted a patch?
224 * Who wants to?
225 * (Who is here because the name of this talk is weird?)
226
227::
228
229 Hack Review Test
230 ========= ========== ==========
231
232 push approve
233 +-------------+ +-------------+
234 | | | |
235 +------+--+ +--v----+--+ +--v-------+
236 | | | | | |
237 | $EDITOR | | Gerrit | | Zuul |
238 | | | | | |
239 +------^--+ +--+----^--+ +--+-------+
240 | | | |
241 +-------------+ +-------------+
242 clone merge
243
244Gerrit
245======
246.. hidetitle::
247.. container:: handout
248
249 explain patch upload, zuul runs, test results displayed in gerrit
250 this is all the interface to zuul users need to see
251
252 switch to actual gertty screenshot
253
254 also show zuul status page
255
256 but zuul is doing a lot of work behind the scenes, and if you look
257 closer, this is what you see
258
259.. ansi:: images/color-gertty.ans
260
261Zuul Architecture
262=================
263
264.. ansi:: images/architecture.ans
265
266Nodepool
267========
268
269* A separate program that works very closely with *Zuul*
270* Builds images daily and uploads to clouds
271* Creates and destroys (at least) a vm for every job
272
273 (Remember that 2,000 jobs per hour number?)
274
275Zuul is not New
276===============
277
278 * Has been in Production for OpenStack for Six Years
279 * Zuul v3 first release where not-OpenStack is first-class use case
280 * Zuul is now a top-level effort of OpenStack Foundation
281
282Not just for OpenStack
283======================
284
285 * Zuul is in production for OpenStack (in OpenStack VMs)
286
287 Also running at:
288
289 * BMW (control plane in OpenShift)
290 * Easystack
291 * GoDaddy (control plane in Kubernetes)
292 * OpenContrail
293 * OpenLab
294 * Red Hat
295 * others ...
296
297Zuul in a nutshell
298==================
299
300 * Listens for code events
301 * Prepares appropriate job config and git repo states
302 * Allocates nodes for test jobs
303 * Pushes git repo states to nodes
304 * Runs user-defined Ansible playbooks
305 * Collects/reports results
306 * Potentially merges change
307
308All in Service of Gating
309========================
310
311Gating
312======
313
314 Every change proposed for a repository is tested before it merges.
315
316Co-gating
317=========
318
319 Changes to a set of repositories merge monotonically such
320 that each change is tested with the current state of all
321 the other related repositories before it merges.
322
323Parallel Co-gating
324==================
325
326 Changes are serialized such that each change is tested
327 with all of the changes ahead of it to satisfy the
328 co-gating requirement while being able to run tests for
329 multiple changes simultaneously.
330
331Zuul Simulation
332===============
333.. transition:: pan
334.. container:: handout
335
336 * todo
337
338.. ansi:: images/zsim-00.ans
339
340Zuul Simulation
341===============
342.. transition:: cut
343.. container:: handout
344
345 * todo
346
347.. ansi:: images/zsim-01.ans
348
349Zuul Simulation
350===============
351.. transition:: cut
352.. container:: handout
353
354 * todo
355
356.. ansi:: images/zsim-02.ans
357
358Zuul Simulation
359===============
360.. transition:: cut
361.. container:: handout
362
363 * todo
364
365.. ansi:: images/zsim-03.ans
366
367Zuul Simulation
368===============
369.. transition:: cut
370.. container:: handout
371
372 * todo
373
374.. ansi:: images/zsim-04.ans
375
376Zuul Simulation
377===============
378.. transition:: cut
379.. container:: handout
380
381 * todo
382
383.. ansi:: images/zsim-05.ans
384
385Zuul Simulation
386===============
387.. transition:: cut
388.. container:: handout
389
390 * todo
391
392.. ansi:: images/zsim-06.ans
393
394Zuul Simulation
395===============
396.. transition:: cut
397.. container:: handout
398
399 * todo
400
401.. ansi:: images/zsim-07.ans
402
403Zuul Simulation
404===============
405.. transition:: cut
406.. container:: handout
407
408 * todo
409
410.. ansi:: images/zsim-08.ans
411
412Zuul Simulation
413===============
414.. transition:: cut
415.. container:: handout
416
417 * todo
418
419.. ansi:: images/zsim-09.ans
420
421Zuul Simulation
422===============
423.. transition:: cut
424.. container:: handout
425
426 * todo
427
428.. ansi:: images/zsim-10.ans
429
430Zuul Simulation
431===============
432.. transition:: cut
433.. container:: handout
434
435 * todo
436
437.. ansi:: images/zsim-11.ans
438
439Zuul Simulation
440===============
441.. transition:: cut
442.. container:: handout
443
444 * todo
445
446.. ansi:: images/zsim-12.ans
447
448Zuul Simulation
449===============
450.. transition:: cut
451.. container:: handout
452
453 * todo
454
455.. ansi:: images/zsim-13.ans
456
457Zuul Simulation
458===============
459.. transition:: cut
460.. container:: handout
461
462 * todo
463
464.. ansi:: images/zsim-14.ans
465
466Zuul Simulation
467===============
468.. transition:: cut
469.. container:: handout
470
471 * todo
472
473.. ansi:: images/zsim-15.ans
474
475Zuul Simulation
476===============
477.. transition:: cut
478.. container:: handout
479
480 * todo
481
482.. ansi:: images/zsim-16.ans
483
484Zuul Simulation
485===============
486.. transition:: cut
487.. container:: handout
488
489 * todo
490
491.. ansi:: images/zsim-17.ans
492
493Zuul Simulation
494===============
495.. transition:: cut
496.. container:: handout
497
498 * todo
499
500.. ansi:: images/zsim-18.ans
501
502Zuul Simulation
503===============
504.. transition:: cut
505.. container:: handout
506
507 * todo
508
509.. ansi:: images/zsim-19.ans
510
511Zuul Simulation
512===============
513.. transition:: cut
514.. container:: handout
515
516 * todo
517
518.. ansi:: images/zsim-20.ans
519
520Zuul Simulation
521===============
522.. transition:: cut
523.. container:: handout
524
525 * todo
526
527.. ansi:: images/zsim-21.ans
528
529Zuul Simulation
530===============
531.. transition:: cut
532.. container:: handout
533
534 * todo
535
536.. ansi:: images/zsim-22.ans
537
538Cross-Project Dependencies
539==========================
540
541Testing or gating dependencies manually specified by developers
542
543.. container:: progressive
544
545 * shade https://review.openstack.org/513913
546
547 Add unittest tips jobs
548 * os-client-config https://review.openstack.org/513915
549
550 Add shade-tox-tips jobs
551
552 Depends-On: https://review.openstack.org/513913
553 * os-client-config https://review.openstack.org/513751
554
555 Added nat_source flag for networks
556
557 Depends-On: https://review.openstack.org/513915
558 * shade https://review.openstack.org/51391
559
560 Add support for configured NAT source variable
561
562 Depends-On: https://review.openstack.org/513751
563
564
565Live Configuration Changes
566==========================
567
568.. container:: handout
569
570 Zuul is a distributed system, with a distributed configuration.
571
572.. code:: yaml
573
574 - tenant:
575 name: openstack
576 source:
577 gerrit:
578 config-repos:
579 - openstack-infra/project-config
580 project-repos:
581 - openstack/nova
582 - openstack/keystone
583 - openstack-infra/devstack-gate
584
585Zuul Startup
586============
587
588* Read config file
589
590Zuul Startup
591============
592
593* Read config file
594* Ask mergers for branches of each repo
595
596.. ansi:: images/startup1.ans
597
598Zuul Startup
599============
600
601* Read config file
602* Ask mergers for branches of each repo
603* Ask mergers for .zuul.yaml for each branch
604
605 of each repo
606
607.. ansi:: images/startup2.ans
608
609When .zuul.yaml Changes
610=======================
611
612.. container:: progressive
613
614 * Zuul looks for changes to .zuul.yaml
615 * Asks mergers for updated content
616 * Splices into configuration used for that change
617 * Works with cross-repo dependencies
618
619 ("This change depends on a change to the job definition")
620
621How do you use this thing?
622==========================
623.. transition:: tilt
624.. hidetitle::
625.. figlet:: Configuration
626
627Human Roles
628===========
629
630* Deployer
631* Project Admin
632* End User
633
634Deployer Config
635===============
636
637Zuul: Connection, Triggers, Reporters
638Nodepool: Launcher and Builder Config
639
640Connection Plugins
641==================
642
643Describes how Zuul connects to external systems
644
645* Gerrit
646* Github
647* git
648* mqtt
649* smtp
650* sql
651
652Trigger Plugins
653===============
654
655Input to Zuul for use in causing jobs to run
656
657* Gerrit
658* Github
659* git
660* zuul
661
662Reporter Plugins
663================
664
665Where Zuul should send information about jobs
666
667* Gerrit
668* Github
669* mqtt
670* smtp
671* sql
672
673Nodepool Launcher
674=================
675
676Where build nodes should come from
677
678* OpenStack
679* Static
680
681In works:
682
683* Kubernetes
684* OpenShift
685* ec2
686* Azure
687
688Nodepool Builder
689================
690
691Optionally periodically build and upload new base images
692
693* OpenStack
694
695main.yaml
696=========
697
698* Most of Zuul's config comes from git repos
699* main.yaml is static config
700* what git repos to manage
701* what config objects to load
702* which repos to get config from
703
704Config Project vs. Untrusted Project
705====================================
706
707config project
708
709* special project containing project admin content
710* has access to features that are normally restricted
711* job changes are not applied speculatively
712
713untrusted project
714
715* most projects
716* some actions (like executing code on localhost) are blocked
717* job changes are applied speculatively
718
719Job Config
720==========
721
722Pipelines
723=========
724
725* A process definition that connects git repositories, jobs, and
726 reporting mechanisms.
727* A context to fix a set of jobs to each project.
728* Pipeline Managers are Plugins: dependent, independent, supercedent
729
730Check Pipeline
731==============
732
733.. code:: yaml
734
735 - pipeline:
736 name: check
737 manager: independent
738 source: gerrit
739 trigger:
740 gerrit:
741 - event: patchset-created
742 - event: change-restored
743 success:
744 gerrit:
745 verified: 1
746
747Gate Pipeline
748=============
749
750.. code:: yaml
751
752 - pipeline:
753 name: gate
754 manager: dependent
755 source: gerrit
756 trigger:
757 gerrit:
758 - event: comment-added
759 approval:
760 - workflow: 1
761 success:
762 gerrit:
763 verified: 2
764 submit: true
765
766Jobs
767====
768
769* Jobs run on nodes from nodepool (static or dynamic)
770* Metadata defined in Zuul's configuration
771* Execution content in Ansible
772* Jobs may be defined centrally or in the repo being tested
773* Jobs have contextual variants that simplify configuration
774
775zuul-jobs
776=========
777
778* Zuul jobs are all defined in git repositories
779* Designed to be directly shared across zuul installations
780* Standard library: https://git.zuul-ci.org/zuul-jobs
781* Zuul installs should add ``zuul-jobs`` to their config
782* As changes land in ``zuul-jobs`` - Zuul installs will get them automatically
783
784Job
785===
786
787.. code:: yaml
788
789 - job:
790 name: base
791 parent: null
792 description: |
793 The base job for Zuul.
794 timeout: 1800
795 nodeset:
796 nodes:
797 - name: primary
798 label: centos-7
799 pre-run: playbooks/base/pre.yaml
800 post-run:
801 - playbooks/base/post-ssh.yaml
802 - playbooks/base/post-logs.yaml
803 secrets:
804 - site_logs
805
806Simple Job
807==========
808
809.. code:: yaml
810
811 - job:
812 name: tox
813 pre-run: playbooks/setup-tox.yaml
814 run: playbooks/tox.yaml
815 post-run: playbooks/fetch-tox-output.yaml
816
817Simple Job Inheritance
818======================
819
820.. code:: yaml
821
822 - job:
823 name: tox-py36
824 parent: tox
825 vars:
826 tox_envlist: py36
827
828Inheritance Works Like An Onion
829===============================
830
831 * pre-run playbooks run in order of inheritance
832 * run playbook of job runs
833 * post-run playbooks run in reverse order of inheritance
834 * If pre-run playbooks fail, job is re-tried
835 * All post-run playbooks run - as far as pre-run playbooks got
836
837Inheritance Example
838===================
839
840For tox-py36 job
841
842 * base pre-run playbooks/base/pre.yaml
843 * tox pre-run playbooks/setup-tox.yaml
844 * tox run playbooks/tox.yaml
845 * tox post-run playbooks/fetch-tox-output.yaml
846 * base post-run playbooks/base/post-ssh.yaml
847 * base post-run playbooks/base/post-logs.yaml
848
849Simple Job Variant
850==================
851
852.. code:: yaml
853
854 - job:
855 name: tox-py27
856 branches: stable/mitaka
857 nodeset:
858 - name: ubuntu-trusty
859 label: ubuntu-trusty
860
861Nodesets for Multi-node Jobs
862============================
863
864.. code:: yaml
865
866 - nodeset:
867 name: ceph-cluster
868 nodes:
869 - name: controller
870 label: centos-7
871 - name: compute1
872 label: fedora-28
873 - name: compute2
874 label: fedora-28
875 groups:
876 - name: ceph-osd
877 nodes:
878 - controller
879 - name: ceph-monitor
880 nodes:
881 - controller
882 - compute1
883 - compute2
884
885Multi-node Job
886==============
887
888* nodesets are provided to Ansible for jobs in inventory
889
890.. code:: yaml
891
892 - job:
893 name: ceph-multinode
894 nodeset: ceph-cluster
895 run: playbooks/install-ceph.yaml
896
897Multi-node Ceph Job Content
898===========================
899
900.. code:: yaml
901
902 - hosts: all
903 roles:
904 - install-ceph
905
906 - hosts: ceph-osd
907 roles:
908 - start-ceph-osd
909
910 - hosts: ceph-monitor
911 roles:
912 - start-ceph-monitor
913
914 - hosts: all
915 roles:
916 - do-something-interesting
917
918Projects
919========
920
921* Projects are git repositories
922* Specify a set of jobs for each pipeline
923* golang git repo naming as been adopted:
924
925::
926
927 zuul@ubuntu-xenial:~$ find /home/zuul/src -mindepth 3 -maxdepth 3 -type d
928 /home/zuul/src/git.openstack.org/openstack-infra/shade
929 /home/zuul/src/git.openstack.org/openstack/keystoneauth
930 /home/zuul/src/git.openstack.org/openstack/os-client-config
931 /home/zuul/src/github.com/ansible/ansible
932
933Project Config
934==============
935
936 * Specify a set of jobs for each pipeline
937
938.. code:: yaml
939
940 - project:
941 check:
942 jobs:
943 - openstack-tox-py27
944 - openstack-tox-py35
945 - openstack-tox-docs
946 gate:
947 jobs:
948 - openstack-tox-py27
949 - openstack-tox-py35
950 - openstack-tox-docs
951
952Project with Local Variant
953==========================
954
955.. code:: yaml
956
957 - project:
958 check:
959 jobs:
960 - openstack-tox-py27
961 - openstack-tox-py35
962 - openstack-tox-py36:
963 voting: false
964 - openstack-tox-docs
965 gate:
966 jobs:
967 - openstack-tox-py27
968 - openstack-tox-py35
969 - openstack-tox-docs
970
971Project with More Local Variants
972================================
973
974.. code:: yaml
975
976 - project:
977 check:
978 jobs:
979 - openstack-tox-py27
980 - openstack-tox-py35
981 - openstack-tox-py36:
982 voting: false
983 - openstack-tox-docs:
984 files: '^docs/.*$'
985
986Project with Many Local Variants
987================================
988
989.. code:: yaml
990
991 - project:
992 check:
993 jobs:
994 - openstack-tox-py27:
995 nodeset:
996 - name: centos-7
997 label: centos-7
998 - openstack-tox-py27:
999 branches: stable/newton
1000 nodeset:
1001 - name: ubuntu-trusty
1002 label: ubuntu-trusty
1003 - openstack-tox-py35
1004 - openstack-tox-py36:
1005 voting: false
1006 - openstack-tox-docs:
1007 files: '^docs/.*$'
1008
1009Project With Central and Local Config
1010=====================================
1011
1012.. code:: yaml
1013
1014 # In git.openstack.org/openstack-infra/project-config:
1015 - project:
1016 name: openstack/nova
1017 templates:
1018 - openstack-tox-jobs
1019
1020.. code:: yaml
1021
1022 # In git.openstack.org/openstack/nova/.zuul.yaml:
1023 - project:
1024 check:
1025 - nova-placement-functional-devstack
1026
1027Project with Job Dependencies
1028=============================
1029
1030.. code:: yaml
1031
1032 - project:
1033 release:
1034 jobs:
1035 - build-artifacts
1036 - upload-tarball:
1037 dependencies: build-artifacts
1038 - upload-pypi:
1039 dependencies: build-artifacts
1040 - notify-mirror:
1041 dependencies:
1042 - upload-tarball
1043 - upload-pypi
1044
1045Playbooks
1046=========
1047
1048* Jobs run playbooks
1049* Playbooks may be defined centrally or in the repo being tested
1050* Playbooks can use roles from current or other Zuul repos or Galaxy
1051* Playbooks are not allowed to execute content on 'localhost'
1052
1053devstack-tempest Run Playbook
1054=============================
1055
1056.. code:: yaml
1057
1058 # Changes that run through devstack-tempest are likely to have an impact on
1059 # the devstack part of the job, so we keep devstack in the main play to
1060 # avoid zuul retrying on legitimate failures.
1061 - hosts: all
1062 roles:
1063 - run-devstack
1064
1065 # We run tests only on one node, regardless how many nodes are in the system
1066 - hosts: tempest
1067 roles:
1068 - setup-tempest-run-dir
1069 - setup-tempest-data-dir
1070 - acl-devstack-files
1071 - run-tempest
1072
1073Simple Shell Playbook
1074=====================
1075
1076.. code:: yaml
1077
1078 hosts: controller
1079 roles:
1080 - shell: |
1081 cd {{ zuul.project.src_dir }}
1082 ./run_tests.sh
1083
1084
1085Test Like Production
1086====================
1087
1088If you use Ansible for deployment, your test and deployment processes
1089and playbooks are the same
1090
1091What if you don't use Ansible?
1092==============================
1093
1094OpenStack Infra Control Plane uses Puppet (for now)
1095===================================================
1096
1097.. code:: yaml
1098
1099 # In git.openstack.org/openstack-infra/project-config/roles/legacy-install-afs-with-puppet/tasks/main.yaml
1100 - name: Install puppet
1101 shell: ./install_puppet.sh
1102 args:
1103 chdir: "{{ ansible_user_dir }}/src/git.openstack.org/openstack-infra/system-config"
1104 environment:
1105 # Skip setting up pip, our images have already done this.
1106 SETUP_PIP: "false"
1107 become: yes
1108
1109 - name: Copy manifest
1110 copy:
1111 src: manifest.pp
1112 dest: "{{ ansible_user_dir }}/manifest.pp"
1113
1114 - name: Run puppet
1115 puppet:
1116 manifest: "{{ ansible_user_dir }}/manifest.pp"
1117 become: yes
1118
1119Secrets
1120=======
1121
1122* Inspired by Kubernetes Secrets API
1123* Projects can add named encrypted secrets to their .zuul.yaml file
1124* Jobs can request to use secrets by name
1125* Jobs using secrets are not reconfigured speculatively
1126* Secrets can only be used by the same project they are defined in
1127* Public key per project:
1128 ``{{ zuul_url }}/{{ tenant }}/{{ project }}.pub``
1129
1130::
1131 GET https://zuul.openstack.org/openstack-infra/shade.pub
1132
1133Secret Example (note, no admins had to enable this)
1134===================================================
1135
1136.. code:: yaml
1137
1138 # In git.openstack.org/openstack/loci/.zuul.yaml:
1139 - secret:
1140 name: loci_docker_login
1141 data:
1142 user: loci-username
1143 password: !encrypted/pkcs1-oaep
1144 - gUEX4eY3JAk/Xt7Evmf/hF7xr6HpNRXTibZjrKTbmI4QYHlzEBrBbHey27Pt/eYvKKeKw
1145 hk8MDQ4rNX7ZK1v+CKTilUfOf4AkKYbe6JFDd4z+zIZ2PAA7ZedO5FY/OnqrG7nhLvQHE
1146 5nQrYwmxRp4O8eU5qG1dSrM9X+bzri8UnsI7URjqmEsIvlUqtybQKB9qQXT4d6mOeaKGE
1147 5h6Ydkb9Zdi4Qh+GpCGDYwHZKu1mBgVK5M1G6NFMy1DYz+4NJNkTRe9J+0TmWhQ/KZSqo
1148 4ck0x7Tb0Nr7hQzV8SxlwkaCTLDzvbiqmsJPLmzXY2jry6QsaRCpthS01vnj47itoZ/7p
1149 taH9CoJ0Gl7AkaxsrDSVjWSjatTQpsy1ub2fuzWHH4ASJFCiu83Lb2xwYts++r8ZSn+mA
1150 hbEs0GzPI6dIWg0u7aUsRWMOB4A+6t2IOJibVYwmwkG8TjHRXxVCLH5sY+i3MR+NicR9T
1151 IZFdY/AyH6vt5uHLQDU35+5n91pUG3F2lyiY5aeMOvBL05p27GTMuixR5ZoHcvSoHHtCq
1152 7Wnk21iHqmv/UnEzqUfXZOque9YP386RBWkshrHd0x3OHUfBK/WrpivxvIGBzGwMr2qAj
1153 /AhJsfDXKBBbhGOGk1u5oBLjeC4SRnAcIVh1+RWzR4/cAhOuy2EcbzxaGb6VTM=
1154
1155Secret Example
1156==============
1157
1158.. code:: yaml
1159
1160 # In git.openstack.org/openstack/loci/.zuul.yaml:
1161 - job:
1162 name: publish-loci-cinder
1163 parent: loci-cinder
1164 post-run: playbooks/push
1165 secrets:
1166 - loci_docker_login
1167
1168 # In git.openstack.org/openstack/loci/playbooks/push.yaml:
1169 - hosts: all
1170 tasks:
1171 - include_vars: vars.yaml
1172
1173 - name: Push project to DockerHub
1174 block:
1175 - command: docker login -u {{ loci_docker_login.user }} -p {{ loci_docker_login.password }}
1176 no_log: True
1177 - command: docker push openstackloci/{{ project }}:{{ branch }}-{{ item.name }}
1178 with_items: "{{ distros }}"
1179
1180Important Links
1181===============
1182
1183* https://zuul-ci.org/
1184* https://git.zuul-ci.org/cgit/zuul
1185* https://zuul-ci.org/docs/zuul
1186* https://zuul-ci.org/docs/zuul-jobs/
1187* https://docs.openstack.org/infra/openstack-zuul-jobs/
1188* freenode:#zuul
1189
1190Coffee
1191======
1192
1193I've been awake for many hours. Let's get a coffee?
1194
1195Installation of Software
1196========================
1197
1198Ways to Install Zuul
1199====================
1200
1201* Windmill: http://git.openstack.org/cgit/openstack/windmill
1202* Software Factory: https://softwarefactory-project.io/
1203* Puppet: http://git.openstack.org/cgit/openstack-infra/puppet-zuul
1204* Containers: https://hub.docker.com/_/zuul/
1205
1206Zuul Containers
1207===============
1208
1209* Published on every commit
1210* Application/Process containers
1211* Built using tool 'pbrx'
1212* Config / Data should be bind-mounted in
1213
1214Container Philosophy
1215====================
1216
1217* As minimal as possible
1218* OS inside of container does not matter
1219
1220zuul/zuul-executor
1221==================
1222
1223* In k8s, zuul-executor must be run privileged
1224* Uses bubblewrap for unprivileged sanboxing
1225* Restriction may be lifted in the future
1226
1227Release Management
1228==================
1229
1230* Zuul is a CI system
1231* C stands for "Continuous"
1232* It is run Continuously Delivered and Deployed upstream
1233* Releases are tagged from code run upstream
1234* There is no intent to have a 'stable' release
1235* 'stable' is a synonym for "old and buggy"
1236
1237zuul/zuul-scheduler
1238===================
1239
1240* SPOF
1241* We're working on it
1242* Recommend running scheduler from tags
1243
1244Demo Installation using docker-compose
1245======================================
1246
1247Remember this?
1248
1249* Install docker, docker-compose, git-review
1250
1251Debian/Ubuntu:
1252
1253::
1254
1255 apt-get install docker-compose git git-review
1256
1257Red Hat / SuSE
1258
1259::
1260
1261 yum install docker-compose git git-review
1262
1263* git clone https://git.zuul-ci.org/zuul
1264* cd zuul
1265* git review -d 608344
1266* cd doc/source/admin/examples
1267* docker-compose up
1268
1269What's Running
1270==============
1271
1272* Zookeeper
1273* Gerrit
1274* Nodepool Launcher
1275* Zuul Scheduler
1276* Zuul Web Server
1277* Zuul Executor
1278* Apache HTTPD
1279* A container to use as a 'static' build node
1280
1281How they're connected
1282=====================
1283
1284* End Users talk to Gerrit and Apache HTTPD
1285* Zuul Scheduler talks to Gerrit
1286* Nodepool Launcher, Zuul Scheduler, Zuul Web talk to Zookeeper
1287* Zuul Executor talks to Zuul Scheduler (using Gearman)
1288
1289Initial provided config
1290=======================
1291
1292* docker-compose has plumbed in basic config ``etc_zuul/zuul.conf``
1293 and ``etc_zuul/main.yaml``
1294* Gerrit Connection named "gerrit"
1295* Zuul user for that connection
1296* Git connection named "zuul-ci.org" for ``zuul-jobs`` standard library
1297
1298Initial tenant
1299==============
1300
1301* Zuul is (always) multi-tenant
1302* Example config contains a tenant called ``example-tenant``
1303* Three projects in the ``example-tenant`` tenant:
1304 ``zuul-config``, ``test1``, ``test2``
1305* Three projects are also in gerrit ready to use
1306
1307zuul.conf
1308=========
1309
1310::
1311
1312 [gearman]
1313 server=scheduler
1314
1315 [gearman_server]
1316 start=true
1317
1318 [zookeeper]
1319 hosts=zk
1320
1321 [scheduler]
1322 tenant_config=/etc/zuul/main.yaml
1323
1324 [web]
1325 listen_address=0.0.0.0
1326
1327 [executor]
1328 private_key_file=/var/ssh/nodepool
1329 default_username=root
1330
1331zuul.conf part 2
1332================
1333
1334::
1335
1336 [connection "gerrit"]
1337 name=gerrit
1338 driver=gerrit
1339 server=gerrit
1340 sshkey=/var/ssh/zuul
1341 user=zuul
1342 password=secret
1343 baseurl=http://gerrit:8080
1344 auth_type=basic
1345
1346 [connection "zuul-ci.org"]
1347 name=zuul-ci
1348 driver=git
1349 baseurl=https://git.zuul-ci.org/
1350
1351main.yaml
1352=========
1353
1354::
1355
1356 - tenant:
1357 name: example-tenant
1358 source:
1359 gerrit:
1360 config-projects:
1361 - zuul-config
1362 untrusted-projects:
1363 - test1
1364 - test2
1365 zuul-ci.org:
1366 untrusted-projects:
1367 - zuul-jobs:
1368 include:
1369 - job
1370
1371Gerrit Account
1372==============
1373
1374* Need a user account to interact with Gerrit
1375* Gerrit is configured in dev mode - no passwords required
1376* Visit http://localhost:8080
1377* Click "Become"
1378* Click "New Account"
1379* Click "Register"
1380* Enter Full Name
1381* Click "Save Changes"
1382* Enter username in Username field (match your local laptop user)
1383* Copy ``~/.ssh/id_rsa.pub`` contents into SSH Key field
1384* Click Continue
1385
1386Config Repo
1387===========
1388
1389* ``zuul-config`` is a trusted ``config-repo``
1390* Security and functionality of system depend on this repo
1391* Limit its contents to minimum required
1392
1393Config Files vs. Directories
1394============================
1395
1396* Zuul reads config from:
1397 ``.zuul.yaml``, ``zuul.yaml``, ``zuul.d`` or ``.zuul.d``
1398* For projects with substantial zuul config, like ``zuul-config``
1399 ``zuul.d`` directory is likely best.
1400* The directories are read run-parts style.
1401* Recommended practice is splitting by type of object
1402
1403Setting up Gating
1404=================
1405
1406* We want to have changes to ``zuul-config`` be gated
1407* We need to define pipelines: ``check`` and ``gate``
1408* Need to attach ``zuul-config`` to them
1409* Start with builtin ``noop`` job (always return success)
1410* Use regex to attach all projects to ``check`` and ``gate``
1411
1412Pipeline Definitions
1413====================
1414
1415* Zuul has no built-in workflow definitions, let's add ``check`` and ``gate``
1416
1417check pipeline
1418==============
1419
1420::
1421
1422 - pipeline:
1423 name: check
1424 description: |
1425 Newly uploaded patchsets enter this pipeline to receive an
1426 initial +/-1 Verified vote.
1427 manager: independent
1428 require:
1429 gerrit:
1430 open: True
1431 current-patchset: True
1432 trigger:
1433 gerrit:
1434 - event: patchset-created
1435 - event: change-restored
1436 success:
1437 gerrit:
1438 Verified: 1
1439 failure:
1440 gerrit:
1441 Verified: -1
1442
1443gate pipeline
1444=============
1445
1446::
1447 - pipeline:
1448 name: gate
1449 description: |
1450 Changes that have been approved are enqueued in order in this
1451 pipeline, and if they pass tests, will be merged.
1452 manager: dependent
1453 post-review: True
1454 require:
1455 gerrit:
1456 open: True
1457 current-patchset: True
1458 approval:
1459 - Workflow: 1
1460 trigger:
1461 gerrit:
1462 - event: comment-added
1463 approval:
1464 - Workflow: 1
1465 start:
1466 gerrit:
1467 Verified: 0
1468 success:
1469 gerrit:
1470 Verified: 2
1471 submit: true
1472 failure:
1473 gerrit:
1474 Verified: -2
1475
1476Add the pipeline definitions
1477============================
1478
1479.. code-block:: bash
1480
1481 git clone http://localhost:8080/zuul-config
1482 cd zuul-config
1483 mkdir zuul.d
1484 cp ../examples/zuul-config/zuul.d/pipelines.yaml .
1485
1486Shared Project Pipeline Definition
1487==================================
1488
1489In ``examples/zuul-config/zuul.d/projects.yaml``
1490
1491.. code-block:: yaml
1492
1493 - project:
1494 name: ^.*$
1495 check:
1496 jobs: []
1497 gate:
1498 jobs: []
1499
1500 - project:
1501 name: zuul-config
1502 check:
1503 jobs:
1504 - noop
1505 gate:
1506 jobs:
1507 - noop
1508
1509Attach the projects to the pipelines
1510====================================
1511
1512.. code-block:: bash
1513
1514 cp ../examples/zuul-config/zuul.d/projects.yaml .
1515
1516Commit the changes and push up for review
1517=========================================
1518
1519.. code-block:: bash
1520
1521 git add zuul.d
1522 git commit
1523 git review
1524
1525Force merging bootstrap config
1526==============================
1527
1528* Zuul is running with no config, so it won't do anything
1529* For this change (and this change only) we will bypass gating
1530
1531Reviewing normally
1532==================
1533
1534* visit http://localhost:8080/#/c/zuul-config/+/1001/
1535* click reply
1536* vote +2 Code Review +1 Approved
1537
1538Verified +2 is Missing
1539======================
1540
1541Verified +2 is what we have zuul configured to do.
1542
1543::
1544 success:
1545 gerrit:
1546 Verified: 2
1547 submit: true
1548
1549
1550Bypassing Gating
1551================
1552
1553* visit http://localhost:8080/
1554* click 'switch account'
1555* click 'admin'
1556* visit http://localhost:8080/#/c/zuul-config/+/1001/
1557* click reply
1558* vote +2 Verified (normal users do not see this)
1559* click submit (normal users do not see this)
1560* click 'switch account'
1561* click your username
1562
1563Base Job
1564========
1565
1566* Every Zuul installation must define a ``base`` job
1567* Push git repos to build node
1568* Publish logs/artifacts
1569* Any local specific setup
1570* Goes in config repo - because it impacts EVERY job
1571
1572Add Base Job to zuul-config
1573===========================
1574
1575::
1576
1577 cp ../examples/zuul-config/zuul.d/jobs.yaml .
1578 git add jobs.yaml
1579 git commit
1580 git review
1581
1582Then go to http://localhost:8080/#/c/zuul-config/+/1002/ and approve it
1583
1584Zuul should merge the patch
1585===========================
1586
1587zuul-config is configured to use the ``noop`` job
1588
1589Zuul tests syntax automatically
1590===============================
1591
1592* Edit jobs.yaml
1593* Change ``parent: null`` to ``parent: broken``
1594* git commit ; git review
1595* Check out the review in gerrit ... there should be errors!
1596
1597Questions
1598=========
1599
1600.. ansi:: images/questions.ans
1601
1602Presentty
1603=========
1604.. hidetitle::
1605.. transition:: pan
1606.. figlet:: Presentty
1607
1608* Console presentations written in reStructuredText
1609* Cross-fade, pan, tilt, cut transitions
1610* Figlet, cowsay!
1611* https://pypi.python.org/pypi/presentty
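Review bot: On the "Add the pipeline definitions" slide (file lines 1481-1484) the commands run ``mkdir zuul.d`` and then ``cp ../examples/zuul-config/zuul.d/pipelines.yaml .``, which copies into the repository root instead of the new directory. The ``projects.yaml`` copy at line 1514 and the ``jobs.yaml`` copy at line 1577 do the same. As written, ``git add zuul.d`` at line 1521 has nothing to stage, and the files land outside the locations that the "Config Files vs. Directories" slide says Zuul reads (``.zuul.yaml``, ``zuul.yaml``, ``zuul.d`` or ``.zuul.d``). Suggest making ``zuul.d/`` the destination of the three ``cp`` commands and changing line 1578 to ``git add zuul.d/jobs.yaml``. Separately, the ``::`` markers on the "gate pipeline" slide (line 1446) and the "Verified +2 is Missing" slide (line 1543) are followed directly by the indented block with no blank line, unlike the "check pipeline" slide at line 1420. Add the blank line so both are parsed as literal blocks.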