17 Commits

Author SHA1 Message Date
James E. Blair effb242258 Add a bubblewrap ro mount test
This verifies that we are unable to write files to read-only mounted
volumes in bubblewrap.

Change-Id: I754748ddffe788e5fde06a5cd8410b71e8cb6855
2022-04-19 15:07:09 -07:00
Paul Belanger 74a974bf4e Allow run to be list of playbooks
Like pre-run and post-run, allow a user to run a list of playbooks for
a job. One example would be your job workflow would be to run multiple
playbooks over using a site.yaml file with include_playbook commands.

A second use case, more related to job design. With multiple playbooks
support for job.run, the first playbook would be used to deploy your server
and the second playbook to validate the server was provisioned properly.
Today, this can be done using a single run and post-run playbooks,
however if post-run fails, zuul will return POST_FAILURE, not FAILURE.
Not a large issue, but could be confusing to users when POST_FAILURE is
returned.

While it is possible a user could create a single site.yaml playbook,
and use multiple include_playbook statements to get this functionality,
there are downsides to this approach (mostly with the leaking of
variables).  Today, operators simply run ansible-playbook multiple times
with the specific playbooks they only want.

Story: 2002543
Task: 22101

Change-Id: I6268d9944e745cc07407ea7dd040fbfeb79dad4d
Related-To: https://review.openstack.org/519596
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-02-05 14:52:29 -05:00
Paul Belanger c11dcc987d Fix missing safe_args for add_host
There are a few missing commas in our safe_args, this fixes them.
Otherwise we get the following error from zuul:

  Adding hosts ssh with ansible_password ansible_user to the inventory is prohibited

Change-Id: I6162bc6a223da54af26bedd2e950ed21a64908b0
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-01-17 08:58:48 -05:00
Paul Belanger 144df5e2d5 Add zuul.child_jobs in ansible inventory file
A job may want to know information about the first level of child jobs
that will run after it. To provide this information, we now include
zuul.child_jobs (as list) in the inventory file.

Change-Id: I17386d4aa1409b7ac996518981501c2d22899434
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-06-28 16:09:12 -04:00
Zuul 9a21ad84dc Merge "Add host/group vars" 2018-02-16 21:27:19 +00:00
Clark Boylan b2c22b31fe Add post-timeout setting
This adds a post-timeout setting which applies as a timeout to each
post-run playbook. This is separate and independent of the normal job
timeout which now only applies to the pre-run and run playbooks in a
cumulative fashion.

The reason for this change is when a pre-run or run playbook hits the
timeout and the job fails you still want to do your best to copy all of
the log data that you can find so that you can debug the timeout.
Similarly to timeout, if post-timeout is not set then post-run playbooks
will have no timeout and can run indefinitely.

Change-Id: I830a6a14d2623f50fbc3f05396cc909d79de04bb
2018-02-16 12:43:30 -08:00
James E. Blair 67cd859d63 Add host/group vars
This adds job-level definitions of Ansible host variables and group
variables.

Change-Id: I259144a8560f8fa5ff5990620854fed2002c8951
2018-02-15 08:57:32 -08:00
James E. Blair 2f589fec6b Update test fixtures to use explicit run
Change-Id: I3060a2bf57cef10a5a7ec5299e3491f1f6751221
2017-10-26 15:59:41 -07:00
Monty Taylor aff8b40d9d Allow requesting secrets by a different name
There are some cases, such as the artifact upload job, where the job can
take a dict parameter and where it could be advantageous to allow other
people to re-use the job but passing in their own local secret data by
supplying variables to a variant. However, currently secrets carry with
them a name, which is used as the variable name in ansible.

Make a secret in a job config be able to be given as a string or a
dict. In the dict case, the name of the secret and the name it should be
added to ansible as are required. This allows someone to have a named
secret but to pass it to a job under a different name.

Change-Id: I27a82c6ee1cf7399353509f98a0a52536ebbc19a
2017-08-17 13:39:17 -05:00
Tobias Henkel 077f2f3e98 Fix and test report urls for unknown failures
The failure-url is not used when formatting jobs with a result of e.g.
POST_FAILURE or TIME_OUT. Fix this by defaulting to the failure-url
for any non-success result.

This also enhances the test_playbook test with a broken post playbook
and tests for the correct urls.

Change-Id: I8485dee83e36275a1dd439f12cf8c0fdf90999ca
2017-06-28 20:45:57 +02:00
Paul Belanger 9d9023f254 Add untrusted-projects ansible test
We want to properly flex our bubblewrap implementation; this job does
so.

Change-Id: I6647d71434a8d8f6621d3fd34883683ef149775a
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 18:47:18 -07:00
Paul Belanger e2b8d49ef1 Create zuul.executor.hostname ansible variable
It will be helpful to know which executor ansible-playbook is run
from so pass this info into vars.yaml.

Additionally, update our test_v3 playbook test to also validate our
other executor ansible variables.

Change-Id: I22091c8e764ad519878e5d530e5bc72ffd2a4870
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-03-22 19:00:58 -04:00
Fredrik Medley f8aec83b3b Improve job dependencies using graph instead of tree
This replaces the job dependency tree with a graph so that we can
indicate that a job should wait until one or more jobs are complete
before starting.

Project pipeline job definitions are now a flat list, with each job
specifying its dependencies as the job attribute 'dependencies'.

Fixes bug #1166937.

Signed-off-by: Fredrik Medley <fredrik.medley@autoliv.com>
Signed-off-by: Fredrik Medley <fredrik.medley@gmail.com>
Signed-off-by: James E. Blair <jeblair@redhat.com>
Co-Authored-By: James E. Blair <jeblair@redhat.com>
Change-Id: I921940cafeea0738c39deb99357cfd7c91592359
2017-03-17 14:05:42 -07:00
Paul Belanger 30ba93a9f6 Create nodepool inventory variables
Because we want jobs to know something about the provider they are
running on, expose nodepool variables in the inventory file.

Change-Id: I18c8b414b1bbb114d55d21c5ae77d6348b3e9080
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-03-16 16:57:00 -04:00
Paul Belanger 96618ed751 Add timeout variable to jobs
Plumb through support for timeout for jobs. By default, we don't
support any timeout, which means jobs live forever.

Change-Id: Ice4fedffc6086676f54da0f06630a0ff7ad7d916
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-03-01 15:31:01 -05:00
Monty Taylor c231d939ea Add action plugins to restrict untrusted execution
There are actions undertaken by action plugins in normal ansible that
allow for executing code on the host that ansible is executing on. We do
not want to allow that for untrusted code, so add a set of action
plugins that override the upstream ones and simply return errors.

Additionally, we can trap for attempts to execute local commands in the
normal action plugin by looking at remote_addr, connection and
delegate_to.

Change-Id: I57dbe5648a9dc6ec9147c8698ad46c4fa1326e5a
2017-02-15 16:12:40 -08:00
James E. Blair c73c73a983 Use playbooks defined in repos
This replaces the stubbed-out 'hello world' Ansible playbook with
an implementation which actually runs the corresponding playbook
defined in the repo where the job is defined.

Change-Id: I73a6b3b067c7d61bb2a2b2140ab98c4944a6adfe
Story: 2000772
2017-02-03 14:23:58 -08:00