Third Party Testing


Gerrit has an event stream which can be subscribed to. Using this event stream, it is possible to test commits against testing systems beyond those supplied by OpenDev Zuul setup. It is also possible for these systems to feed information back into Gerrit and they can also leave non-gating votes on Gerrit review requests.

There are several examples of systems that read the Gerrit event stream and run their own tests on the commits on this page. For each patch set the third party system tests, the system adds a comment in Gerrit with a summary of the test result and links to the test artifacts.


  • Before posting a comment to any patch, a third party testing system must contact the project they wish to test and get approval to post comments on their patches. This can be done by attending the project’s meeting.

  • Until a third party testing system operates in a stable fashion, third party tests can comment on patches but not vote on them.

    • A system can also be set up to only do ‘+1’ reviews and leave all the ‘-1’s to be manually confirmed.

  • A third-party system may only leave one comment per patch set (unless it is retriggered).

  • The maintainers are responsible for re-triggering tests when their third party testing system breaks.

  • Support recheck to request re-running a test.

    • Support the following syntaxes: recheck.

    • Recheck means recheck everything. A single recheck comment should re-trigger all testing systems.

  • Publish contact information for the maintainers.

    • All accounts must have a wikipage entry. Follow the instructions on the ThirdPartySystems wiki page to add your system. When complete, there should be a page dedicated to your system with a URL like:

    • All comments from your CI system must contain a link to the wiki page for your CI system.

    • Maintainers are encouraged to be in IRC regularly to make it faster to contact them.

  • Include a public link to all test artifacts to make debugging failed tests easier (using a dns name over a hardcoded ip is recommended). This should include:

    • Environment details

      • This must include a utc timestamp of the test run

    • Test configuration

      • Skipped tests

      • logs should include a trace of the commands used

    • OpenStack logs

    • Tempest logs (including testr_results.html.gz)

  • Logs must be browsable and accessible.

    • Logs requiring download, installation or login to access are not acceptable

    • Big log files, like over 10MB can be pre-compressed as they are unlikely to be loadable by browsers.

    • Single log archives can be used in exceptional cases where both, the number of files and their size makes web browsing impractical. Even if this approach is taken, attention must be made to assure that important files that are often needed are not hidden inside the archive, forcing users to download the entire archive in order to check just one file.

    • .html files should not be compressed.


    All test artifacts must be retained for one month.

Reading the Event Stream

It is possible to use ssh to connect to on port 29418 with your ssh key if you have a normal reviewer account in Gerrit.

This will give you a real-time JSON stream of events happening inside Gerrit. For example:

$ ssh -p 29418 gerrit stream-events

Will give a stream with an output like this (line breaks and indentation added in this document for readability, the real JSON will be all one line per event):

  {"project":"openstack/keystone","branch":"stable/essex","topic":"bug/969088","id":"I18ae38af62b4c2b2423e20e436611fc30f844ae1","number":"7385","subject":"Make import_nova_auth only create roles which don\u0027t already exist","owner":
    {"name":"Chuck Short","email":"","username":"zulcss"},"url":""},
      {"name":"Chuck Short","email":"","username":"zulcss"},
    {"name":"Mark McLoughlin","email":"","username":"markmc"},
    [{"type":"CRVW","description":"Code Review","value":"2"},{"type":"APRV","description":"Approved","value":"0"}],
"comment":"Hmm, I actually thought this was in Essex already.\n\nIt\u0027s a pretty annoying little issue for folks migrating for nova auth. Fix is small and pretty safe. Good choice for backporting"}

For most purposes you will want to trigger on patchset-created for when a new patchset has been uploaded.

Further documentation on how to use the events stream can be found in Gerrit’s stream event documentation page.

Posting Result To Gerrit

External testing systems can give non-gating votes to Gerrit by means of a -1/+1 verify vote. OpenDev Zuul has extra permissions to give a +2/-2 verify vote which is gating. Comments should also be provided to explain what kind of test failed. We do also ask that the comments contain public links to the failure so that the developer can see what caused the failure.

An example of how to post this is as follows:

$ ssh -p 29418 gerrit review -m '"Test failed on MegaTestSystem <>"' --verified=-1 c0ff33

In this example c0ff33 is the commit ID for the review. You can set the verified to either -1 or +1 depending on whether or not it passed the tests.

Further documentation on the review command in Gerrit can be found in the Gerrit review documentation page.

We do suggest cautious testing of these systems and have a development Gerrit setup to test on if required. In SmokeStack’s case all failures are manually reviewed before getting pushed to OpenStack, while this may not scale it is advisable during the initial testing of the setup.

Creating a Service Account

In order to post comments as a Third Party CI System and eventually verify your build status on Gerrit patches, you will need a dedicated Gerrit CI account. You will need to create this account in our OpenID provider Launchpad. You may already have an existing personal account in Launchpad, but you should create a new and entirely separate account for this purpose. This new CI service account needs to use a different email address than any existing accounts you have, because Gerrit assumes email addresses are unique across all accounts.

Once you have created this account with the OpenID provider you can log into Gerrit with that new account as you would with your normal user account. Once logged in you will need to do several things:

  1. Set an SSH username at if it isn’t already set. This is the username your CI system will use to SSH to Gerrit in order to read the event stream.

  2. Set the account’s fullname at This name should follow a few rules in order to make it clear in Gerrit comments what this CI system exists to test. The name should have three pieces Organization Product/technology CI designator. The organization value should be your company name or other organization affiliation. Product/technology should describe the product or technology you are testing in conjunction with OpenStack. This should be the name of a component which cannot be tested in the official OpenStack infrastructure (requires particular physical hardware, proprietary software, some hypervisor feature not available in public clouds, et cetera). Note this should not be the name of an OpenStack project but rather the thing you are testing with OpenStack projects. And finally the CI designator is used to denote this is a CI system so that automatic Gerrit comment parsers can filter these comments out. This value should be CI for most CI systems but can be Bot if you are not performing continuous integration. An example of a proper name would be something like IBM DB2 CI.

  3. Add the SSH public key you will be using to the Gerrit account at . You can generate an ssh key using ssh-keygen. You want to give Gerrit the contents of the generated file.

  4. Make sure the address at is current and can be reached in case we need to inform you of a problem with your account’s activities.

It would also be a good idea to contact the Third Party Coordinators asking to add your account to the Third Party CI mail filter list. This is necessary to keep Gerrit from sending email messages every time an account comments on a patch.

Once you have done this you will have everything you need to comment on Gerrit changes from our CI system but you will not be able to vote +/-1 Verified on changes. To get voting rights you will need to get the release group of the project you are testing to add you to their project specific <project>-ci group. Please contact the project in question when you are ready to start voting and they can add you to this group.

The Jenkins Gerrit Trigger Plugin Way

There is a Gerrit Trigger plugin for Jenkins which automates all of the processes described in this document. So if your testing system is Jenkins based you can use it to simplify things. You will still need an account to do this as described in the Creating a Service Account section above.

The Gerrit Trigger plugin for Jenkins can be found on the Jenkins repository. You can install it using the Advanced tab in the Jenkins Plugin Manager.

Once installed Jenkins will have a new Gerrit Trigger option in the Manage Jenkins menu. This should be given the following options:

Frontend URL:
SSH Port: 29418
Username: (the Gerrit user)
SSH Key File: (path to the user SSH key)

Started: 0
Successful: 1
Failed: -1
Unstable: 0

Code Review
Started: 0
Successful: 0
Failed: 0
Unstable: 0

(under Advanced Button):

Stated: (blank)
Successful: gerrit approve <CHANGE>,<PATCHSET> --message 'Build Successful <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>
Failed: gerrit approve <CHANGE>,<PATCHSET> --message 'Build Failed <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>
Unstable: gerrit approve <CHANGE>,<PATCHSET> --message 'Build Unstable <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>

Note that it is useful to include something in the messages about what testing system is supplying these messages.

When creating jobs in Jenkins you will have the option to add triggers. You should configure as follows:

Trigger on Patchset Uploaded: ticked
(the rest unticked)

Type: Plain
Pattern: openstack/project-name (where project-name is the name of the project)
  Type: Path
  Pattern: **

To format the result’s message in a way that works with the current OpenStack Gerrit GUI parser, configure the URL to post parameter (under the Gerrit Reporting Values section) for each job. The correct value for this parameter is:


The two $ENV_VAR will be replaced dynamically when the <BUILDS_STATS> parameter will be evaluated.

This job will now automatically trigger when a new patchset is uploaded and will report the results to Gerrit automatically.

The Zuul Gerrit Trigger Way

Zuul is a tool that determines what jobs are run when. Zuul listens to the Gerrit event stream, and first tries to match each event to one or more pipelines. Zuul’s pipelines are configured in a single file called layout.yaml. Here’s a snippet from that file that constructs the check pipeline taken from this Zuul sample layout.yaml file

  - name: check
    manager: IndependentPipelineManager
        - event: patchset-created
        verified: 1
        verified: -1
        subject: Upstream change {change} has a merge conflict

This pipeline is configured to trigger on any Gerrit event that represents a new patch set created. The matching event will invoke the configured job(s) (discussed next). If all the jobs are successful, Zuul will add a comment to Gerrit with a verified +1 vote, and if any one fails, with a verified -1. In case of merge failure Third Party CI should not comment, but check merger-debug.log and recheck the patch manually if needed. Email will be sent to notify the owner about the issue.

Testing your CI setup

You can use the opendev/ci-sandbox project to test your external CI infrastructure with OpenStack’s Gerrit. By using the sandbox project you can test your CI system without affecting regular OpenStack reviews.

Once you confirm your CI system works as you expect, change your configuration of the gerrit trigger plugin or zuul to subscribe to gerrit events from your target project.

Permissions on your Third Party System

When you create your CI account it will have no special permissions. This means it can comment on changes but generally not vote +/-1 Verified on any changes. The exception to this is on the opendev/ci-sandbox project. Any account is able to vote +/-1 Verified on that account and it provides a way to test your CI’s voting abilities before you vote on other projects.

The OpenStack Infrastructure team disables mis-behaving third-party ci accounts at its discretion. This documentation endeavours to outline specific circumstances that may lead to an account being disabled. There have been times when third-party ci systems behave in ways we didn’t envision and therefore were unable to document prior to the event. If your third-party ci system has been disabled, you are welcome to join us in the #opendev irc channel on OFTC to discuss your situation.

In order to get your Third Party CI account to have voting permissions on repos in gerrit in addition to opendev/ci-sandbox you have a greater chance of success if you follow these steps:

  • Set up your system and test it according to “Testing your CI setup” outlined above (this will create a history of activity associated with your account which will be evaluated when you apply for voting permissions).

  • Post comments, that adhere to the “Requirements” listed above, that demonstrate the format for your system communication to the repos you want your system to test.

  • Once your Third Party Account has a history on gerrit so that others can evaluate your format for comments, and the stability of your voting pattern (in the sandbox repo):

    • send an email to the openstack-discuss mailing list nominating your system for voting permissions


      • use tags [Infra][Nova] for the Nova program, please replace [Nova] with [Program], where [Program] is the name of the program your CI account will test

    • present your account history

    • address any questions and concerns with your system

  • If the members of the program you want voting permissions from agree your system should be able to vote, the release group for that program or project can add you to the <project>-ci group specific to that program/project.

FAQ (Frequently Asked Questions)

  • Q: How do you serve the content of compressed logs so they are rendered within

    the browser, rather than presenting a download prompt to the user?

    A: Add the following lines to your web server conf file:

    RewriteEngine On
    RewriteCond   %{HTTP:Accept-Encoding} gzip
    RewriteCond   %{LA-U:REQUEST_FILENAME}.gz -f
    RewriteRule   ^(.+)$ $1.gz [L]
    <FilesMatch ".*\.gz$">
      ForceType text/html
      AddDefaultCharset UTF-8
      AddEncoding x-gzip gz