This change is preparation for https://review.opendev.org/c/zuul/zuul-jobs/+/887917
In the beginning, there was only prepare-workspace[0] which rsynced repos.
Then we added mirror-workspace-git[1] to make it more efficient by using git operation, but it required some openstack-specific code in project-config to work.
Then we added prepare-workspace-git[2] which completed the git-based sync solution by locating everything requried in zuul-jobs. It used mirror-workspace-git by reference and added this TODO:
# TODO(tobiash): we might want to deprecate the role mirror-workspace-git-repos
# and move it here.
This change completes that TODO by moving the mirror-workspace-git-repos code into prepare-workspace-git and places the repo in a sensible and maintainable state with two simple and good options:
* prepare-workspace (rsync)
* prepare-workspace-git (git)
In the unlikely event anyone is still using mirror-workspace-git-repos standalone (OpenStack/OpenDev is not, and that solution was haphazard as described above) they would be well served by a notification that there is a better alternative which is what most of the community actually uses now.
[0] cfffd4431b
[1] 348598e96a
[2] 7cee7156bc
Change-Id: Ib80e0447d49363182fd0d4c4d4e269841bc3aa95
We added nox somewhat recently and set it up to mimic existing tox jobs.
This meant adding py27 jobs. Since then (in OpenDev at least) only a
single project has used the py27 job: Bindep. Bindep is dropping support
for python2.7 as the need for it has come to an end. Additionally, nox
doesn't work with python2.7 out of the box due to a virtualenv
dependency that ends up being too new for python2.7 venv creation.
Rather than hack around that let's drop python2.7 job support.
Change-Id: I52c07b01ad173304c19b13a10927fdadf9d84170
This adds a new role that can be used to ensure a quay repo exists
before publishing to it. This is particularly useful for creating public
repos in quay as simply pushing to a repo with quay will create a
private repo by default.
Change-Id: I979f1b9b64f901bb8d54b8991bb9142b18b6330f
This is a role to abstract removal of tags from registries, which is
an operation that practically has to be done via the registry API.
This implements removing tags from the quay and docker API's.
For the common case of working with a repository like
"quay.io/org/project" there is minimal configuration. However, if you
run a private repository, this is flexible with a few extra variables
to tell the role to use the quay API but your own URL.
By default it clears out old tags from the Zuul promote pipeline.
However if you set registry_tag_remove_tag it will only remove that
one tag.
This is inspired by the current work done in promote-docker-image
role.
Change-Id: I7f2d9d00024e34451e2d20b2c2f8171ecd151943
This role uses skopeo to perform image operations.
Also update the container roles docs to add missing documentation
for the already existing upload-container-image role. Clarify
some ambiguity about the registry and repository attributes of
the container images data structure.
Change-Id: Ib66c85daf0edacf0dd797ab34b0d629f99c7111b
Co-Authored-By: James E. Blair <jim@acmegating.com>
The enable-fips role has been refactored to support both centos/rhel and
Ubuntu.
In addition, for the Ubuntu tasks, a small role is added to enable a
Ubuntu Advantage subscription. This is required because Ubuntu requires
a subscription to enable FIPS. This role takes a subscription key as a
parameter (ubuntu_ua_token.token).
In Openstack, this is provided by the openstack-fips job in
openstack/project-config, which will be the base job for OpenStack jobs.
This job will provide the ubuntu_ua_token.token.
Change-Id: I47a31f680172b47584510adb672b68498a85bd32
The default base job nodeset is moving from focal to jammy. Jammy
doesn't have python3.8 to run these jobs. Address that by explicitly
forcing these jobs to run on focal.
Change-Id: I57433092ea2afbec4546659ea20f31161cc41a6e
The new 5.3.0 release of Sphinx has started giving circular reference
errors on some of the included files. Pin this while we figure it
out.
Change-Id: I7674eb0e08207e1ec3b3941361d1fae75f124ddd
This role will do basic checks to confirm that the node is
sufficiently up to continue afer a reboot.
Change-Id: Iebf474c9351e4246d7ab2072b48a50e93dbf0b94
This is a copy of prepare-workspace-git except that it imports
test-mirror-workspace-git-repos. This is for base job testing.
Change-Id: I4ef3e4376c9e958761c165836c4fb546157e237a
This adds roles that, similar to add-build-sshkey, create a per-build
WinRM certificate, install it on remote windows nodes, and then switch
to using the certificate in Ansible for authentication. A second role
is included which can clean up the cert which is useful for static
nodes.
Since winrm certificates must be acessible within the bubblewrap
container, these roles can be used to restrict the system-wide winrm
cert to trusted playbooks while untrusted playbooks will only have access
to the per-build cert (with appropriate configuration of the executor).
Change-Id: I4efe25594c2f543886a000aa02fb0a38683a43cb
To match change I2870450ffd02f55509fcc1297d050b09deafbfb9 in Zuul.
This does not use the versioning feature due to the nature of this repo.
This also corrects a reference which is now an error.
Change-Id: Ia1d31df932b447f11bc588925de9974d4f6dfc7d
FIPS needs to be enabled before test-setup is run, as enabling
FIPS requires the node to be rebooted, test-setup needs to run and
setup the environment after the reboot.
Change-Id: I6fecb9c6e917d1a36b2b82c1b02098eed4323ac7
This patch adds a new multinode job definition that enables
FIPS mode prior to multinode configuration.
In order to enable FIPS mode, the OS boot procedure need to be
changed to enable the appropriate kernel flag. This modification
has effect only after system reboot.
The default behavior of this job is to always enable FIPS mode.
Change-Id: I6f1365837d9ed2ba82c391a20f9094c9ef0e6c4e
Signed-off-by: Douglas Viroel <dviroel@redhat.com>
Update the deprecation policy to indicate that zuul-jobs is no
longer tested with EOL platforms. Also explicitly switch the minimum
Python 3 documented to 3.6, and add a note to the tox-py34 and
tox-py35 jobs mentioning that they're no longer directly tested.
Move those jobs to the deprecated jobs list as well, to help
reinforce the point that their continued use is not recommended.
Change-Id: I2edbf8ea010caf7a7641e0d88f360965fc0b96ab
SetupTools 58 dropped support for its old use_2to3 option, which has
started surfacing a number of ancient Python packages in need of
updates. In this case, the last full release of funcparserlib (which
is a transitive dependency by way of blockdiag by way of
sphinxcontrib-blockdiag) was in 2013, but luckily they have an alpha
release which we can pin explicitly and pull in as a temporary
workaround to get docs builds going again.
Change-Id: I6903eeac2c479e2da795c1dbd215cdee33d09fd7
Role copied and modified from ensure-podman
As focal doesn't exist for project atomic ppa [1]
Install is performed from opensuse repository only
[1] http://ppa.launchpad.net/projectatomic/ppa/ubuntu/dists/
Change-Id: I72fc2e68768664b80c39bd47295330131337d8b5
This new role will be used to replace our upload-docker-image role in
the future.
Change-Id: I0e2b0cca6575255520aa6d4d48a12128ab5f46cc
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This reverts commit 51a8ed8e95.
This has a typo ("exector"). The fix is obvious, but the bigger
issue is that it was not caught in testing, even though the main
purpose of the change was to re-enable tests. We should understand
why it wasn't caught in testing and resolve that before fixing and
unreverting.
Change-Id: I3ed407546fecc52d4a039f7959c0521511e6a00b
Ansible doens't really have a great built-in way to modify a json file
(unlike ini files). The extant docker role does what seems to be the
usual standard, which is slurp in the file, parse it and then write it
back out.
In a follow-on change (I338616c41a65b007d56648fdab6da2a6a6b909f4) we
need to set some more values in the docker configuration .json file,
which made me think it's generic enough that we can have a role to
basically run read the file, |combine and write it back out.
This adds such a role with various options, and converts the existing
json configuration update in ensure-docker to use it.
Change-Id: I155a409945e0175249cf2dc630b839c7a97fb452
This reverts commit 69a238df46.
The role is re-written with executor-safe methods.
Depends-On: https://review.opendev.org/753222
Change-Id: I0b52eff66bfdca776e0e5c426bf1fc57deb3fc49
Add a role to install Rust via the rustup tool. It defaults to
installing globally, which avoids having to worry too much about
setting paths for follow-on jobs.
Packaged Rust and the upstream rustup install tool can live together,
and there's various documentation about it. Thus I've made this such
that we can expand it with packaged Rust support if there is a need,
but I have not implemented that yet.
Change-Id: I32f9b285904a7036f9a80ada8a49fa9cf31b5163