zuul-jobs/doc/source/policy.rst
Albin Vass 3d4f3a3a28 Add linting rule to enforce no-same-owner policy
Change-Id: I92c66a21be95935d11fc8e9887d9d91c645d28d4
2020-06-18 11:06:45 +02:00

11 KiB

Policy

Below are some guidelines for developers contributing to zuul-jobs.

Deprecation Policy

Because zuul-jobs is intended for wide use by any Zuul, we try to take care when making backwards incompatible changes.

If we need to do so, we will send a notice to the zuul-announce mailing list describing the change and indicating when it will be merged. We will usually wait at least two weeks between sending the announcement and merging the change.

If the change affects your jobs, and you are unable to adjust to it within the timeframe, please let us know with a message to the zuul-discuss mailing list -- we may be able to adjust the timeframe. Otherwise, you may wish to temporarily switch to a local fork of zuul-jobs (or stop updating it if you already have).

New Zuul Features

When a new feature is available in Zuul, the jobs in zuul-jobs may not be able to immediately take advantage of it. We need to allow time for folks to upgrade their Zuul installations so they will be compatible with the change. In these cases, we will wait four weeks after the first Zuul release with the required feature before merging a change to zuul-jobs which uses it.

Deprecated Zuul Features

Before deprecating a feature in Zuul which is used by zuul-jobs, the usage of the feature must be removed from zuul-jobs according to the deprecation policy described above.

Python Version Policy

zuul-jobs targets Python 2.7 onwards and Python 3.5 onwards (note this differs slightly from Ansible upstream, where the policy is 2.6 onwards unless libraries depend on newer features. zuul-jobs does not support Python 2.6).

Library code should be written to be compatible with both. There are some tips on this in Ansible and Python 3.

Coding guidelines

Role Variable Naming Policy

Variables referenced by roles from global scope (often intended to be set via host_vars and group_vars, but also set during role inclusion) must be namespaced by prepending their role-name to the variable. Thus example-role would have variables with names such as example_role_variable; e.g.

tasks:
  - name: Call "example" role
    include_role:
      name: example-role
    vars:
      example_role_variable: 'something'

Support for Multiple Operating Systems

Ideally, roles should be able to run regardless of the OS or the distribution flavor of the host. A role can target a specific OS or distribution; in that case it should be mentioned in the role's documentation and start with a fail task if the host does not match the intended environment:

tasks:
  - name: Make sure the role is run on XXX version Y
    fail:
      msg: "This role supports XXX version Y only"
      when:
        - ansible_distribution != "XXX"
        - ansible_distribution_major_version != "Y"

Here are a few guidelines to help make roles OS-independent when possible:

  • Use the package module instead of yum, apt or other distribution-specific commands.
  • If more than one specific task is needed for a specific OS, these tasks should be stored in a separate YAML file named after the specific flavor they target. The following boilerplate code can be used to target specific flavors:
tasks:
  - name: Execute distro-specific tasks
    include_tasks: "{{ item }}"
    with_first_found:
      - "{{ ansible_distribution }}.{{ ansible_distribution_major_version }}.{{ ansible_architecture }}.yaml"
      - "{{ ansible_distribution }}.{{ ansible_distribution_major_version }}.yaml"
      - "{{ ansible_distribution }}.yaml"
      - "{{ ansible_os_family }}.yaml"
      - "default.yaml"

If run on Fedora 32 x86_64, this playbook will attempt to include the first tasklist found among:

  • Fedora.32.x86_64.yaml
  • Fedora.32.yaml
  • Fedora.yaml
  • RedHat.yaml
  • default.yaml

The default tasklist should return a failure explaining the host's environment is not supported, or a skip if the tasks were optional.

Handling privileges on hosts

Zuul offers great freedom in the types and configurations of hosts on which roles are run. Therefore roles should not assume the amount of privileges they will be granted on hosts. Some settings may not allow any form of privilege escalation, meaning that some tasks such as installing packages will fail.

In order to make a role available to as many hosts as possible, it is good practice to avoid privilege escalations:

  • Do not use become: yes in tasks, unless necessary
  • If installing software is required, favor software deployments in user land, like virtualenvs, if possible.
  • Check before executing a task requiring privilege escalation is actually needed (e.g. is the package to install already present, or is the firewall rule already set), and make the task skippable if its effects were already applied to the host.

If privilege escalation is unavoidable, this should be mentioned in the role's documentation so that operators can choose or set up their hosts accordingly. If relevant, the specific steps where the privilege escalation occurs should be documented so that they can be reproduced when configuring hosts. If possible, they should be grouped in a separate playbook that can be applied to hosts manually.

Output Variables

Some roles may find it useful to set a variable that can be consumed by later roles. For example, the ensure-pip role sets a variable which specifies a working virtualenv command for the host.

Roles should document their output under the Output section of their README documentation. The variable should use the cacheable: true flag to set_fact to ensure that the variable is available across playbooks.

Installing Dependencies in Roles

Roles should be self-sufficient. This makes it sometimes necessary to pull dependencies within a role, in order to execute a task. Since this is usually an action requiring elevated privileges on the host, the guidelines in the previous paragraph apply. Again, ideally all the installation tasks should be grouped in a separate playbook.

Here are the ways to install dependencies in order of preference:

  • Use the package module to install packages
  • Manage dependencies with bindep and the bindep role.
  • Use OS-specific tasks like apt, yum etc. to support as many OSes as possible.

In any case, the role's documentation should mention which dependencies are needed, allowing users to prepare their hosts accordingly.

Ansible Linting Rules

Because the Ansible roles contained in this repo are expected to be pretty universally applicable in Zuul systems, we must write them defensively to work around some Ansible behaviors. Custom rules for ansible-lint have been set up to enforce this.

Loops in Roles

Nesting Ansible loops using the default loop_var of item is not safe.

Roles in this repo should override the default loop_var in loops and use a variable name prefixed with zj_ to make them more unique. The idea is this will avoid conflicts with the calling level which may use include_role in a loop creating a loop_var conflict.

For example:

command: echo {{ zj_number }}
loop:
  - one
  - two
  - three
loop_control:
  loop_var: zj_number

Preservation Of Owner Between Executor And Remote

Since it's not possible to make sure the user and group on the remote node also exists on the executor and vice versa, owner and group should not be preserved when transfering files between them.

For example when using the synchronize module set owner and group to false:

- name: valid
  synchronize:
    dest: /tmp/log.txt
    src: /tmp/log.txt
    owner: false
    group: false

When using the unarchive module add --no-same-owner to extra_opts when handling tarballs and do not use -X when handling zipfiles:

- name: valid
  unarchive:
    dest: ~/example
    src: /tmp/example.tar.gz
    extra_opts:
      - '--no-same-owner'

- name: faulty
  unarchive:
    dest: ~/example
    src: /tmp/example.zip
    extra_opts:
      - '-X'

Testing

If you add a new role, please add a new job to test it.

Because zuul-jobs is meant to be included in every Zuul tenant with no special include/exclude settings, everything in the zuul.d/ directory must be suitable for any environment. It can not reference any secrets, nodesets, project templates, or jobs that are not in zuul-jobs. It is the public user interface for the project.

Jobs which test the roles in zuul-jobs itself can be placed in the zuul-tests.d/ directory of the project. This directory is read by OpenDev's Zuul, but is not intended to be used by any other Zuul. It may contain references to specific nodesets and other aspects of the OpenDev environment so that we can perform first-party testing of changes to zuul-jobs.

The zuul-tests.d/ directory is organized in the same way as the documentation, so when you add a role and add it to a documentation file, add a test job for it to a similarly named file in zuul-tests.d/. Name the job the same as the role, but prefix it with zuul-jobs-test-.

There is a playbook which may provide sufficient test coverage for many simple roles by simply executing them. To use it, create a job like this:

- job:
    name: zuul-jobs-test-your-new-role
    run: test-playbooks/simple-role-test.yaml
    vars:
      role_name: your-new-role

If you need to do anything other than simply including a role (for example, testing how multiple roles interact, or performing validation after the role runs), you should probably make a dedicated playbook for the job.

Some roles have special handling for different platforms and therefore need to be tested on each. Some notable examples include many of the roles which typically appear in base jobs. There is a script in tools/update-test-platforms.py which will look for jobs with the tags all-platforms or all-platforms-multinode and it will automatically create (or delete) identical jobs for each of the platforms that are available in OpenDev. If you don't need the whole set (perhaps you only need to test on one or two specific platforms), you can still do the same thing manually.