blob: d4dbf01c67bec75d52d68bc4947886b251fa0654 [file] [log] [blame]
James E. Blairac3c7ae2017-07-31 09:01:08 -07001.. _glossary:
2
3Glossary
4========
5
6.. glossary::
7 :sorted:
8
James E. Blair2bab6e72017-08-07 09:52:45 -07009 base job
10
11 A job with no parent. A base job may only be defined in a
12 :term:`config-project`. Multiple base jobs may be defined, but
13 each tenant has a single default job which will be used as the
14 parent of any job which does not specify one explicitly.
15
James E. Blairac3c7ae2017-07-31 09:01:08 -070016 check
17
18 By convention, the name of a pipeline which performs pre-merge
19 tests. Such a pipeline might be triggered by creating a new
20 change or pull request. It may run with changes which have not
21 yet seen any human review, so care must be taken in selecting
22 the kinds of jobs to run, and what resources will be available
23 to them in order to avoid misuse of the system or credential
24 compromise.
25
26 config-project
27
28 One of two types of projects which may be specified by the
29 administrator in the tenant config file. A config-project is
30 primarily tasked with holding configuration information and job
31 content for Zuul. Jobs which are defined in a config-project
32 are run with elevated privileges, and all Zuul configuration
33 items are available for use. It is expected that changes to
34 config-projects will undergo careful scrutiny before being
35 merged.
36
37 gate
38
39 By convention, the name of a pipeline which performs project
40 gating. Such a pipeline might be triggered by a core team
41 member approving a change or pull request. It should have a
42 :value:`dependent <pipeline.manager.dependent>` pipeline manager
43 so that it can combine and sequence changes as they are
44 approved.
45
46 reporter
47
48 A reporter is a :ref:`pipeline attribute <reporters>` which
49 describes the action performed when an item is dequeued after
50 its jobs complete. Reporters are implemented by :ref:`drivers`
51 so their actions may be quite varied. For example, a reporter
52 might leave feedback in a remote system on a proposed change,
53 send email, or store information in a database.
54
James E. Blair9d0b4cc2017-08-03 15:08:47 -070055 trusted execution context
56
57 Playbooks defined in a :term:`config-project` run in the
58 *trusted* execution context. The trusted execution context has
59 access to all Ansible features, including the ability to load
60 custom Ansible modules.
61
62 untrusted execution context
63
64 Playbooks defined in an :term:`untrusted-project` run in the
65 *untrusted* execution context. Playbooks run in the untrusted
66 execution context are not permitted to load additional Ansible
67 modules or access files outside of the restricted environment
68 prepared for them by the executor. In addition to the
69 bubblewrap environment applied to both execution contexts, in
70 the untrusted context some standard Ansible modules are replaced
71 with versions which prohibit some actions, including attempts to
72 access files outside of the restricted execution context. These
73 redundant protections are made as part of a defense-in-depth
74 strategy.
75
James E. Blairac3c7ae2017-07-31 09:01:08 -070076 untrusted-project
77
78 One of two types of projects which may be specified by the
79 administrator in the tenant config file. An untrusted-project
80 is one whose primary focus is not to operate Zuul, but rather it
81 is one of the projects being tested or deployed. The Zuul
82 configuration language available to these projects is somewhat
83 restricted, and jobs defined in these projects run in a
84 restricted execution environment since they may be operating on
85 changes which have not yet undergone review.