[openstack-dev] [all] 3rd Party CI vs. Gerrit

James E. Blair corvus at inaugust.com
Mon Jun 30 15:14:00 UTC 2014


Joshua Hesketh <joshua.hesketh at rackspace.com> writes:

> On 6/28/14 10:40 AM, James E. Blair wrote:
>> An alternate approach would be to have third-party CI systems register
>> jobs with OpenStack's Zuul rather than using their own account.  This
>> would mean only a single report of all jobs (upstream and 3rd-party)
>> per-patchset.  It significantly reduces clutter and makes results more
>> accessible -- but even with one system we've never actually wanted to
>> have Jenkins results in comments, so I think one of the other options
>> would be preferred.  Nonetheless, this is possible with a little bit of
>> work.
>
> I agree this isn't the preferred solution, but I disagree with the
> little bit of work. This would require CI systems registering with
> gearman which would mean security issues. The biggest problem with
> this though is that zuul would be stuck waiting from results from 3rd
> parties which often have very slow return times.

"Security issues" is a bit vague.  They already register with Gerrit;
I'm only suggesting that the point of aggregation would change.  I'm
anticipating that they would use authenticated SSL, with ACLs scoped to
the names of jobs each system is permitted to run.  From the perspective
of overall security as well as network topology (ie, firewalls), very
little changes.  The main differences are third party CI systems don't
have to run Zuul anymore, and we go back to having a smaller number of
votes/comments.

Part of the "little bit of work" I was referring to was adding a
timeout.  That should truly be not much work, and work we're planning on
doing anyway to help with the tripleo cloud.

But anyway, it's not important to design this out if we prefer another
solution (and I prefer the table of results separated from comments).

-Jim



More information about the OpenStack-dev mailing list