General Purpose Roles


Install SSH public key(s) on all hosts

This role is intended to be run at the end of a failed job for which the build node set will be held with zuul’s autohold command.

It copies the public key(s) into the authorized_keys file of every host in the inventory, allowing privileged users to access the node set for debugging or post-mortem analysis.

Add this stanza at the end of your project’s base post playbook to activate this functionality:

- hosts: all
    - role: add-authorized-keys
        - public_key: ssh-rsa AAAAB...
        - public_key: ssh-rsa AAAAB...
      when: not zuul_success | bool


Including this role earlier in any playbook may allow the keys’ owners to tamper with the execution of the jobs. It is strongly advised against doing so.

Role Variables


A list of keys to inject.


A public key to inject into authorized_keys, or a URL to a public key.


Generate and install a build-local SSH key on all hosts

This role is intended to be run on the Zuul Executor at the start of every job. It generates an SSH keypair and installs the public key in the authorized_keys file of every host in the inventory. It then removes the Zuul master key from this job’s SSH agent so that the original key used to log into all of the hosts is no longer accessible (any per-project keys, if present, remain available), then adds the newly generated private key.

Role Variables

Default: ``{{ zuul.executor.work_root }}/{{ }}_id_rsa``

Where to put the newly-generated SSH private key.

Default: ``id_{{ zuul_ssh_key_algorithm }}``

File name for the the newly-generated SSH private key.

Default: false

Remove previous build sshkey. Set it to true for single use static node. Do not set it to true for multi-slot static nodes as it removes the build key configured by other jobs.

Default: rsa

The digital signature algorithm to be used to generate the key.

Default: 3072

Specifies the number of bits in the key to create.


Generate and install a build-local WinRM certificate on all Windows hosts

This role is intended to be run on the Zuul Executor at the start of every job. It generates a self-signed certificate and installs the certificate on every Windows host in the inventory.

It then updates the host vars for each such host to use the new certificate. The original certificate used to initially connect to the host still remains on disk, but once the build-local certificate is in place, later untrusted playbooks no longer need it to be provided.

Role Variables


A complex argument expected to be supplied from a Zuul secret. These are the Windows login credentials for the account to associate with the certificate.


The username of the account.


The password of the account.

Default: ``False``

If this is true, then change the password for the user to the value supplied before adding the certificate. This is useful if the initial account password is automatically generated and otherwise unknown.

Default: ``{{ }}_winrm``

The base name of the certificate file.

Default: ``{{ zuul.executor.work_root }}/{{ zuul_temp_winrm_name }}.crt``

File name for the the newly-generated certificate.

Default: ``{{ zuul.executor.work_root }}/{{ zuul_temp_winrm_name }}.key``

File name for the the newly-generated private key.

Default: ``{{ zuul.executor.work_root }}/{{ zuul_temp_winrm_name }}.pfx``

Executor-local file name for the the exported certificate.

Default: ``~/appdata/local/temp/{{ zuul_temp_winrm_name }}.pfx``

Remote temporary location for the certificate during import.


Install a GPG private key onto a host.

Role Variables


Complex argument which contains the GPG private key. It is expected that this argument comes from a Secret.


The ascii-armored contents of the GPG private key.


Add an ssh key to the host so that non-ansible ssh connections can be made.

Role Variables


Complex argument which contains the ssh key information. It is expected that this argument comes from a Secret.


String containing known host signature for the remote host.


Contents of the ssh private key to use.


The FQDN of the remote host.


Installs distro packages using bindep tool

Looks for a bindep.txt in a project’s source directory, or failing that a other-requirements.txt. If one exists, run bindep on the file to produce a list of required distro packages that do not exist and then install the missing packages.

Role Variables

Default: {{ zuul.project.src_dir }}

The directory to look for bindep files in.

Default: test

A specific bindep profile to request.


Path or list of paths to a specific bindep file(s) to read from.


Path to the bindep command. Defaults to unset which will look for a system installed bindep. If bindep_command is not found, bindep will be installed into a temporary virtualenv.


Path to a bindep fallback file to be used if no bindep file can be found in bindep.bindep_dir.


Return the location of buildset logs

When a ‘buildset’ directory exists in the job logs, then use zuul_return to set buildset_artifacts_url for children jobs.

rpm-build job:

  • Create a repository

  • Fetch the repository to “{{ zuul.executor.log_root }}/buildset”

  • Use the buildset-artifacts-location role

rpm-test jobs:

  • Install “{{ buildset_artficats_url }}” yum repository

  • Run integration tests

    - rpm-build
    - rpm-test1:
          - rpm-build
    - rpm-test2:
          - rpm-build

Role Variables


Base URL where logs are to be found.


Path of the logs. This optional when the role is used after ‘upload-logs’.


Clear firewall rules from test nodes

Some test workloads manage all of their own firewall rules, and pre-existing firewall rules can pollute the system. This role clears out firewall rules for both ipv4 and ipv6.

You may want to consult your Zuul system’s system administrator prior to using this role as the preexisting firewall configuration may provide necessary functionality.


An ansible role to configure services to use mirrors.

Role Variables

Default: {{ zuul_site_mirror_fqdn }}

The base host for mirror servers.

Default: False

Use ssl to communicate to mirror endpoints. Note if the platform cannot use ssl (for example Ubuntu Xenial apt needs additional packages) this will still use http instead of https when set for that platform.

Default: {{ mirror_fqdn }}

The base host for PyPi mirror server.


URL to override the generated pypi mirror url based on configure-mirrors.pypi_fqdn.

Default: False

Set to True in order to tag APT mirrors as trusted, needed when accessing unsigned mirrors with newer releases like Ubuntu Bionic.

Default: False

Set this to True in order to enable deb-src entries in sources.list configs for apt. Note this option currently only works on Debian (not Ubuntu) installations.

Default: True

Set to False to opt-out of installing extra repositories such as PowerTools and HighAvailability on centos-8-stream and backports for Debian/Ubuntu. The intent is to match the upstream distro state when this variable is set to False. Note that this role is not necessarily consistent with the repos that are enabled by default between distribution versions (centos stream 8 vs. 9 for example).

Default: See `vars/CentOS-9.yaml`

A list of the components that should be redirected to the mirror_fqdn when setting up a CentOS 9-stream host. For example, your mirror may only mirror some components, or not the debug/source components, etc.


Copy a build-local SSH key to a defined user on all hosts

This role is intended to be run on the Zuul Executor. It copies a generated build specific ssh key to a user and adds it to the authorized_keys file of every host in the inventory.

Role Variables

Default: "{{ zuul.executor.work_root }}/{{ }}_id_rsa"

Where to source the build private key

Default: root

The user to copy the sshkey to.


Download artifacts from a completed build of a Zuul job

Given a change, downloads artifacts from a previous build (by default of the current change) into the work directory. This will download as many artifacts as match the selection criteria.

Role Variables


The Zuul API endpoint to use. Example:{{ zuul.tenant }}


The pipeline in which the previous build ran.


The job of the previous build.


The artifact type. This is the value of the type field in the artifact metadata. This can be a string or a list of strings.

Default: change={{ zuul.change }}&patchset={{ zuul.patchset }}&pipeline={{ download_artifact_pipeline }}&job_name={{ download_artifact_job }}

The query to use to find the build. Normally the default is used.

Default: {{ zuul.executor.work_root }}

The directory in which to place the downloaded artifacts.


Run dstat_graph

This requires that the run-dstat role be previously used.

Add this to a post-run playbook to run dstat_graph to graph data from dstat.

Use the ensure-dstat-graph in a pre-run playbook to make sure that dstat_graph is available (since it is not currently packaged in any operating system).

The output will appear in dstat.html in the zuul-output/logs directory.

Role Variables

Default: /opt/cache/dstat_graph

The role will check this location to see if a cached copy of dstat_graph is available.

Default: /tmp/dstat_graph

If a cached copy is not available, the role will check if dstat_graph was previously downloaded to this location.

Default: "{{ ansible_user_dir }}/zuul-output/logs/dstat.csv"

The path to the dstat data file.


Log a few lines about the job.

Role Variables


Base URL where logs are to be found.

Default: False

This var is consumed by set-zuul-log-path-fact which emit-job-header calls into. If you set this you will get log paths prefixed with the first three characters of the build uuid. This will improve log file sharding.

More details can be found at set-zuul-log-path-fact.zuul_log_path_shard_build


Enable FIPS on a node.

Set a node into FIPS mode, to test functionality when crypto policies are set to FIPS in RHEL/Centos >=8 or Ubuntu.

For Ubuntu nodes, the node is assumed to already have an Ubuntu Advantage subscription activated, as this is required to enable FIPS mode. The enable-ua-subscription role in this repo can be used to activate the subscription.

The role will set the node into FIPS mode, reboot the node, and then call the post-reboot-tasks role. This role requires a role parameter - nslookup_target.


Enable netconsole for host

This enables the netconsole on a host to send kernel/dmesg logs to a remote host. This can be very useful if a node is experiencing a kernel oops or another form of unexpected disconnect where you can not retrieve information via standard logging methods.

The netconsole_remote_ip and netconsole_remote_port variables must be set. This host can capture the logs with a command like:

$ nc -v -u -l -p 6666 | tee console-output.log


$ socat udp-recv:6666 - | tee console-output.log

One further trick is to send interesting data to /dev/kmsg, this should make it across the netconsole even if the main interface has been disabled, etc. e.g.:

$ ip addr | sudo tee /dev/kmsg

Role Variables


The IP address of the remote host to send to.


The port listening on the remote host.


Enable UA Subscription on a node.

For Ubuntu nodes, this role activates an Ubuntu advantage subscription using a passed in token (ubuntu_ua_token.token).

Role Variables

Default: None
Type: dict

Dict used to specify Ubuntu advantage subscription information. ubuntu_ua_token.token is a subscription key.



Import GPG keys and encrypt a file

Role Variables

Default: *undefined*

A string with the full path to a log file to encrypt, or a list of string values of full paths to encrypt. Must be defined. Resulting file(s) will have .gpg added.

Default: []

List of recipients who will be able to decrypt the file(s). This should be a list of name keys that exist in encrypt_file_keys.

Default: []

Keys available to encrypt the file with. Each entry is a dictionary with keys

  • name : a freeform string identifier

  • key_id: the GPG key ID

  • gpg_asc: the GPG ASCII-armored public key. If the public-key is not already available, it will be imported to GPG.

It is intended that this is a global-variable, and specific files to be encrypted then choose a subset of keys in this variable for encryption.


Ensure that bazelisk is present.

If bazelisk is already installed, this role does nothing. Otherwise, it downloads bazelisk from GitHub and installs it in the user’s home directory by default.

Role Variables

Default: v1.3.0

Version of bazelisk to install.

Default: linux-amd64

Architecture to install.

Default:{{ bazelisk_version }}/bazelisk-{{ bazelisk_arch }}

The URL from which to download bazelisk.

Default: "{{ ansible_user_dir }}/.local/bin/bazelisk"

Where to install bazelisk. If the role downloads bazelisk, it will set ensure-bazelisk.bazelisk_executable to this value as well.

Output Variables

Default: bazelisk

The bazelisk executable. If this already exists, the role will not perform any further actions. It will be made available for other roles running after role.


Ensure dhall is installed

Installs the specified version of the haskell implementation.

Role Variables

Default: 1.31.1

The dhall version.


Install dstat_graph

This downloads dstat_graph if it is not already present on the remote host.

Add this to a pre-run playbook to ensure it is available for roles such as dstat-graph.

Role Variables

Default: /opt/cache/dstat_graph

The role will check this location to see if a cached copy of dstat_graph is available.

Default: /tmp/dstat_graph

If a cached copy is not available, the role will download dstat_graph to this location.


Ensure markdownlint-cli from NPM is installed.


Ensure shake is installed

Installs the shake tool using the distro package.


Collect output from a markdownlint run. Assumes you will only run one repo, and one node.

Role Variables

Default: {{ zuul.project.src_dir }}

The location of the main working directory of the job.


Prepare an archive containing all repositories that are part of the job. This can be used to prepare the repos archive suitable for caching in the node image to be used by prepare-workspace-git.

The path to the resulting archive file will be stored in the git_cache_file variable. That variable can be used to push the archive to a place where it will be picked up to be baked into the node image.

Role variables

Default: {{ansible_user_dir }}/git-cache"

Directory where the git cache should be prepared. Usually this should not be changed.


If a special SSH key is placed in the right place, stops and waits for user to SSH in to the node.

This role is intended to be used in pre/post playbooks to allow a smoother self-service experience than autoholds can offer, at the expense that one can only access the node for the length of the job timeout.

Role Variables

Default: ``{{ zuul.project.src_dir }}/``

If a public key is found here, the intercept-job role will install it, print details for SSH’ing into this machine, and wait until the intercept_job_stop_path exists.

Default: ``{{ zuul.project.src_dir }}/intercept_job.stop``

If this file exists, the intercept-job role will stop waiting and allow the playbook to continue.


Log the inventory used to run the job to the job’s log dir.

This will result in the log collection roles logging the job inventory.

Role Variables

Default: {{ zuul.executor.log_root }}/zuul-info

The directory path to store the inventory file.


Run markdownlint against all markdown files in the given project.

Role Variables

Default: {{ zuul.project.src_dir }}

Directory to search for markdown files in.


Configures a VXLAN virtual network overlay through an openvswitch network bridge between a ‘switch’ node and ‘peer’ nodes.

This allows members of the bridge to communicate with each other through the virtual network.

By default, this role will:

  • Install and start openvswitch

  • Set up a br-infra bridge on all nodes

  • Set up the connectivity between the switch and the peer with a virtual port

  • Set up an ip address on the bridge interface: # switch node # first peer # second peer

Role requirements

This role requires and expects two groups to be set up in the Ansible host inventory in order to work:

  • switch (the node acting as the switch)

  • peers (nodes connected to the virtual switch ports)

Role variables

Default: 1000000

VXLAN Network Identifier offset (openvswitch key).

Default: Smallest mtu less 50 bytes for vxlan overhead

Bridge interface MTU. By default we determine this value by checking all interfaces on host, taking the smallest MTU and subtracting by 50 for vxlan overhead. Can be overridden explicitly if this does not work.

Default: br-infra

Name of the bridge interface.

Default: true

Whether or not to configure an IP address on the bridge interface.

Default: false

When bridge_configure_address is true, whether or not to set up firewall rules to allow traffic freely within the bridge subnet (bridge_address_prefix.0/bridge_address_subnet).

Default: 172.24.4

The IP address range prefix.

Default: 1

The IP address offset, used with bridge_address_prefix to provide the full IP address. The initial offset defines the IP address of the switch node in the virtual network.

Default: 23

The IP address range CIDR/subnet.

Default: true

Whether or not to install openvswitch. It can be set to false when ovs installation is taken care outside of the role.


Multinode firewall is configured.

This role is intended to install iptables and configure firewall.

Role Variables

Default: iptables

Install the distribution package for Iptables.


Configures the inventory hostnames in a multi-node job resolve to their respective private ipv4 addresses through the /etc/hosts file on each node.


Configures the file /etc/ssh/ssh_known_hosts on each node in a multi-node job to contain all known host names.


Saves current iptables rules for both ipv4 and ipv6 and makes them persistent so that they are available if iptables or the instance is restarted.

This role can be re-used more than once in order to persist new rules.


Prepare remote workspaces

This role is intended to run before any other role in a Zuul job.

It starts the Zuul console streamer on every host in the inventory, and then copies the prepared source repos to the working directory on every host.

Role Variables

Default: .

The directory into which the source repositories are copied.


Mirror the local git repos to remote nodes

This role uses git operations (unlike prepare-workspace which uses rsync) to mirror the locally prepared git repos to the remote nodes while taking advantage of cached repos on the node if they exist. This role works generically regardless of the existence of a cached repo on the node.

The cached repos need to be placed using the canonical name under the cached_repos_root directory.

Role Variables

Default: /opt/git

The root of the cached repos.

Default: False
Type: bool

A flag which if set to true, filters the to be synchronized project list to only use projects which are required by the job.

Default: false

If true git operations will be silenced and won’t print every changed reference.

Default: "{{ ansible_user_dir }}"

The root of the workspace in which the repos are mirrored.


Prepare remote workspaces in OpenShift

This role can be used instead of the prepare-workspace role when the synchronize module doesn’t work with kubectl connection. It copies the prepared source repos to the pods’ cwd using the oc rsync command.

This role is intended to run once before any other role in a Zuul job. This role requires the origin-clients to be installed.

Role Variables

Default: {{ zuul.resources }}

The dictionary of pod name, pod information to copy the sources to.


Ensure that processes are running after a node reboot.

Some roles (like the enable-fips role) need to reboot the node in order to complete their operations.

This role can be invoked to ensure that the node is sufficiently up again before continuing by doing some basic checks for connectivity (ssh), restarting the zuul-console and making sure DNS is up.

A role parameter nslookup_target is required to specify the DNS name to ensure DNS is working.

Role Variables

Default: None
Type: str

DNS name to query to confirm that DNS is working. If working in a mirrored environment, it is a good idea to use $zuul_site_mirror_fqdn, because this is what will be needed for package installs in any case.


Remove the per-build SSH key from all hosts

The complement to add-build-sshkey. It removes the build’s SSH key from the authorized_keys files of all remote hosts.

Role Variables


Where the per-build SSH private key was stored.

Default: rsa

The digital signature algorithm which was used to generate the key.


Remove the per-build WinRM certificate from all hosts

The complement to add-build-winrm-cert. It removes the build’s WinRM certificate from WSMan registry of all Windows hosts.


Remove an added GPG key from the host.


Remove an added ssh key from the host.

Role Variables


Complex argument which contains the ssh key information. It is expected that this argument comes from a Secret.


String containing known host signature for the remote host.


The FQDN of the remote host.


Run render command and ensure there are no resulting differences.

Ensure that generated configuration files are idempotent.

Role Variables

Default: make

The command that render the configuration files.

Default: {{ zuul.project.src_dir }}

Directory to run the render command in.


Remove the zuul ssh key

This role is intended to be run on the Zuul Executor at the start of every job to prevent access to public Zuul ssh connection.


Remove sudo access for the Zuul user.

If the file /etc/sudoers.d/zuul exists, then it will be removed. This is to facilitate systems which may use the same image for tests which require sudo and those which do not.

This role also asserts that sudo access has been removed and will fail if it has not.


Run dstat

Add this to a pre-run playbook to run dstat.

The role dstat-graph may optionally be used to graph the resulting data.

Role Variables

Default: "{{ ansible_user_dir }}/zuul-output/logs/dstat.csv"

The path to the dstat data file.


Run the shake build system command.

Role Variables

Default: shake.html

The name of the report.


The name of the target to build.

Default: {{ zuul.project.src_dir }}

Directory to run the shake command in.


Sign artifacts

Role Variables


Complex argument which contains the GPG private key for signing the artifacts. It is expected that this argument comes from a Secret.


The ascii-armored contents of the GPG private key.

Default: "{{ zuul.executor.work_root }}/artifacts/"

Path to a directory containing artifacts to sign.


Stage job output on the remote node

Takes as input a dictionary of files/folders named ‘zuul_copy_output’. Copies contents into {{ stage_dir }} on the remote node and is intended to be used before output fetching in a base job’s post-playbook. If you plan to pair this role with the ‘fetch-output’ role you should ensure {{ stage-dir }] is set to match {{ zuul_output_dir }}.

Role Variables

Default: None

Dictionary of files and folders to be staged.

The input is a dictionary so that it can accumulated via zuul variable merging. Keys of the dictionary will be things to copy. Valid values describe the type of output to copy:

  • logs

  • artifacts

  • docs

  • null # ansible null, not the string null

null overrides the will of a parent job to copy something instructing not to copy.

If the type is suffixed with _txt, then the item will have .txt appended to its name. For example:

  /var/log/syslog: logs_txt

Will copy /var/log/syslog to logs/syslog.txt.

Default: {{ ansible_user_dir }}

The stage directory on the remote node.

Default: null

A dict of file extensions to be replaced with .txt when staging. This can be useful to ensure that text files with an extension not registered in the web server may be viewed via browser when uploaded to a file server.

Note that this is only used for files listed directly in zuul_copy_output and it won’t be applied to files contained in folders listed in zuul_copy_output.


  conf: True
  log: True
  txt: False

zuul.conf --(staged as)--> zuul_conf.txt
Default: False

When True, files staged as logs will be compressed individually. Note this option is deprecated as final log storage should control whether or not contents are compressed. The reason for this is certain services like swift may serve compressed files like .tar.gz tarballs uncompressed when you want them to be compressed when served in this way.


Start Zuul console logger

It starts the Zuul console streamer on every host in the inventory.


Perform project test setup tasks.

This role assumes that Zuul has checked out a change for a project at {{ zuul_work_dir }} and looks for a file named tools/ If that file exists and is executable, it will be run.

This allows projects to specify test-setup steps (such as creating or initializing a database) in a form that can be easily run by both an automated testing system and developers.

Role Variables


Environment variables to pass in to the test-setup script.


String of optional command line options passed to the test-setup script.

Default: false

Set this to true to skip running the test-setup script even if it exists.

Default: {{ zuul.project.src_dir }}

The directory in which to look for the setup script.


Trigger readthedocs build for a project

Role Variables

Default: ``{{ zuul.project.short_name }}``

The readthedocs project name


The readthedocs webhook API ID. This needs to be taken from the project’s “Integrations” dashboard page in RTD. The URL will look like<project-name>/<id>/.

This may come from a secret, however it can not be triggered without authentication.


Complex argument which contains the RTD authentication credentials. This is expected to come from a secret.


The webhook integration token. You’ll find this value on the project’s “Integrations” dashboard page in RTD. This can be used instead of username/password combo.


The readthedocs username. If set, this will be used to authenticate in preference to any token set via rtd_integration_token.


Password for username. Must be set if username is set.


Update JSON file

This role reads a JSON file, merges it with supplied values using Ansible’s combine filter and writes it back out. It is useful for updating configuration files. Note this role is not currently idempotent and will write the file each time.

Role Variables

Type: path

The path to the file to edit.

Type: object

The data to be combined with the existing file data. This uses the Jinja combine filter.

Default: false
Type: bool

If enabled, output the combined result in a debug task.

Default: {}

The default value if the given file does not exist.

Default: false
Type: bool

The become: status when writing out the new file.


The mode for the combined file.


The user for the combined file.


The group for the combined file.


The mode for the directory if that does not already exists.


Upload artifacts specified from the executor to artifactory.


This role uses the src function of the uri module introduced in Ansible 2.7 therefore any ansible version lower than that is not supported.

Role Variables


Complex argument that contains the information about credentials, fqdn and name. This argument is expected to come from a secret.


User for authenticating.


Password for authenticating. Has a lower precedense than api_key.


API key for authenticating. Has a higher precedense than password.


Fully qualified domain name to the instance.

Default: https

Set to http if the instance does not support https.

Default: false

Set to true if the instance requires basic auth to be used.


Dictionary of types of items to upload. Currently only supports artifacts.


Variable that contains a manifest of the artifacts that should be uploaded to a specific instance of artifactory. This is expected to be set during the build as a cached fact.

  - name: tarball
    src: artifact.tar.gz
    dest: /destination/to/put/artifact/artifact.tar.gz
    instance: artifact-server1
      Content-Type: application/gzip

The attributes available on an artifact are the following.

Name of the artifact. This will be displayed in the build page.


Path relative to {{ zuul.executor.work_root }}/artifacts/.


Destination where the artifact should be put in.


Artifactory instance to place the artiface in, this is to choose which entry in upload-artifactory.upload_artifactory_instances to upload the artifact to.


Any headers that should be passed to ansibles uri module when uploading.

Properties to set in artifactory.

Properties can be either strings or lists of strings.

  property1: value1
    - value2
    - value3

Any metadata that should be returned to Zuul together with the artifact link.


Mirrors a git repository to a remote git server

Meant to be used after a change was successfully merged, this role mirrors a tested git repository to a remote git server over SSH.

The role assumes that git has been previously installed and does not require superuser privileges to run.

Role Variables


Dictionary that provides the remote git repository credentials


SSH user for the remote git repository

SSH host for the remote git repository


Literal private key contents. Should start with something like -----BEGIN RSA PRIVATE KEY-----.


SSH host key of the remote git server. Can be obtained with ssh-keyscan -H <host>.


Path of the remote git repository


Validate all commits have Signed-off-by header

Role Variables


Message to display when Signed-off-by header is missing.

Default: {{ zuul.project.src_dir }}

Directory to DCO license check in.


Log information about the build node

Role Variables

Default: false

If true, fail when no IPv4 route to zuul_site_traceroute_host is available. When false (default) a missing IPv4 route is acceptable so long as there is still a viable IPv6 route.

Default: false

If true, fail when no IPv6 route to zuul_site_traceroute_host is available. When false (default) a missing IPv6 route is acceptable so long as there is still a viable IPv4 route.


If defined, a host to run a traceroute against to verify build node network connectivity.

Default: ['/etc/dib-builddate.txt', '/etc/image-hostname.txt']

A list of files to read from the filesystem of the build node and whose contents will be logged. The default files are files written to nodes by diskimage-builder.


Validate bind zone.db files

This role uses named-checkzone to validate Bind zone.db files.

Role Variables

Default: zuul.project.src_dir

Look for zone.db files recursively in this directory. The layout should be where a parent directory is named for the zone the child zone.db file describes. This populates the zone_db_files variable. Will not be used if zone_db_files is explicitly set per below.

Default: []

A list of zone.db files to check. Each entry is a list with the first element the domain, and the second element the path to the zone.db file. If this variable is set, automatic searching described by zone_files will not be performed.


Sets three facts based on information in a git repo.


The short sha found in the repository.


A string describing the project’s version. It will either be the value of {{ zuul.tag }} or {{ scm_tag }}.{{ commits_since_tag }}.{{ scm_sha }} otherwise where scm_tag is either the most recent tag or the value of scm_sha if there are no commits in the repo.


Number of commits since the most recent tag.

Role Variables

Default: {{ zuul.project.src_dir }}

Directory to run git in.


Write an abbreviated version of the Zuul inventory to a file

This writes the minimal information about hosts from the current Zuul inventory to a file. It may be used to subsequently invoke Ansible with the inventory for the job.

Role Variables


The path of the inventory file to write.

Type: list

A list of facts about the host to include. By default this parameter is omitted and all variables about a host will be included. To only include certain variables, list them here. The empty list will cause no variables to be included.

Type: list

A list of facts about the host to exclude. By default, all variables about a host will be included. To exclude certain variables, list them here.

Type: dict

Additional hostvars to include. This can be used to map information from nodepool into the inventory if used as follows:

  public_v4: nodepool.public_ipv4
  public_v6: nodepool.public_ipv6

This will map hostvars[hostname][‘nodepool’][‘public_ipv4’] to hostvars[hostname][‘public_v4’].

Type: dict

An additional dictionary added on a per-host basis. The keys of this dictionary should be hostnames, if the host name matches, the value (also a dictionary) is merged into the hostvars for that host. For example below, will have foo with value bar, while will have foo with value baz.

     foo: bar
     foo: baz

Run the zuul-admin tenant-conf-check command.

This requires a partial zuul.conf (it only needs the connection entries, and those without any credential information) and a tenant config file. It will validate the syntax of the tenant config file (but not the job configuration of any projects in the tenants).

Role Variables


The path to the partial zuul.conf to use. This must contain the connection entries, but no credentials are required. Any other sections are ignored.


The path to the tenant config file to check.


The Zuul scheduler container image which contains the zuul-admin command to run.


An optional value, expected in the form of a secret, that supplies credential information if zuul_tenant_conf_check_image is in a registry that requires authentication. The format is a dictionary keyed by the registry name. Example:

    username: 'username'
    password: 'password'

The dictionary key should be the name of the registry


The registry username.


The registry password.