James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 1 | .. _glossary: |
| 2 | |
| 3 | Glossary |
| 4 | ======== |
| 5 | |
| 6 | .. glossary:: |
| 7 | :sorted: |
| 8 | |
James E. Blair | 2bab6e7 | 2017-08-07 09:52:45 -0700 | [diff] [blame^] | 9 | base job |
| 10 | |
| 11 | A job with no parent. A base job may only be defined in a |
| 12 | :term:`config-project`. Multiple base jobs may be defined, but |
| 13 | each tenant has a single default job which will be used as the |
| 14 | parent of any job which does not specify one explicitly. |
| 15 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 16 | check |
| 17 | |
| 18 | By convention, the name of a pipeline which performs pre-merge |
| 19 | tests. Such a pipeline might be triggered by creating a new |
| 20 | change or pull request. It may run with changes which have not |
| 21 | yet seen any human review, so care must be taken in selecting |
| 22 | the kinds of jobs to run, and what resources will be available |
| 23 | to them in order to avoid misuse of the system or credential |
| 24 | compromise. |
| 25 | |
| 26 | config-project |
| 27 | |
| 28 | One of two types of projects which may be specified by the |
| 29 | administrator in the tenant config file. A config-project is |
| 30 | primarily tasked with holding configuration information and job |
| 31 | content for Zuul. Jobs which are defined in a config-project |
| 32 | are run with elevated privileges, and all Zuul configuration |
| 33 | items are available for use. It is expected that changes to |
| 34 | config-projects will undergo careful scrutiny before being |
| 35 | merged. |
| 36 | |
| 37 | gate |
| 38 | |
| 39 | By convention, the name of a pipeline which performs project |
| 40 | gating. Such a pipeline might be triggered by a core team |
| 41 | member approving a change or pull request. It should have a |
| 42 | :value:`dependent <pipeline.manager.dependent>` pipeline manager |
| 43 | so that it can combine and sequence changes as they are |
| 44 | approved. |
| 45 | |
| 46 | reporter |
| 47 | |
| 48 | A reporter is a :ref:`pipeline attribute <reporters>` which |
| 49 | describes the action performed when an item is dequeued after |
| 50 | its jobs complete. Reporters are implemented by :ref:`drivers` |
| 51 | so their actions may be quite varied. For example, a reporter |
| 52 | might leave feedback in a remote system on a proposed change, |
| 53 | send email, or store information in a database. |
| 54 | |
James E. Blair | 9d0b4cc | 2017-08-03 15:08:47 -0700 | [diff] [blame] | 55 | trusted execution context |
| 56 | |
| 57 | Playbooks defined in a :term:`config-project` run in the |
| 58 | *trusted* execution context. The trusted execution context has |
| 59 | access to all Ansible features, including the ability to load |
| 60 | custom Ansible modules. |
| 61 | |
| 62 | untrusted execution context |
| 63 | |
| 64 | Playbooks defined in an :term:`untrusted-project` run in the |
| 65 | *untrusted* execution context. Playbooks run in the untrusted |
| 66 | execution context are not permitted to load additional Ansible |
| 67 | modules or access files outside of the restricted environment |
| 68 | prepared for them by the executor. In addition to the |
| 69 | bubblewrap environment applied to both execution contexts, in |
| 70 | the untrusted context some standard Ansible modules are replaced |
| 71 | with versions which prohibit some actions, including attempts to |
| 72 | access files outside of the restricted execution context. These |
| 73 | redundant protections are made as part of a defense-in-depth |
| 74 | strategy. |
| 75 | |
James E. Blair | ac3c7ae | 2017-07-31 09:01:08 -0700 | [diff] [blame] | 76 | untrusted-project |
| 77 | |
| 78 | One of two types of projects which may be specified by the |
| 79 | administrator in the tenant config file. An untrusted-project |
| 80 | is one whose primary focus is not to operate Zuul, but rather it |
| 81 | is one of the projects being tested or deployed. The Zuul |
| 82 | configuration language available to these projects is somewhat |
| 83 | restricted, and jobs defined in these projects run in a |
| 84 | restricted execution environment since they may be operating on |
| 85 | changes which have not yet undergone review. |