A simple, no-jargon dictionary for DevOps and Cloud engineering. Find clear definitions for technical terms, tools, and concepts to help you understand modern infrastructure.
A file in the build context directory that lists files and directories Docker should exclude when sending the build context to the daemon. Excluding node_modules, .git, and test fixtures reduces build context from gigabytes to megabytes.
A Kubernetes scheduling rule that expresses attraction constraints — directing the scheduler to prefer or require that pods land on specific nodes or near specific other pods. Comes in two forms: Node Affinity (pod-to-node preferences) and Pod Affinity/Anti-Affinity (pod-to-pod co-location or separation rules).
A Prometheus stack component that receives firing alerts, deduplicates and groups related ones, applies routing rules, and delivers notifications to Slack, PagerDuty, or email. Alertmanager turns raw metric threshold violations into actionable team notifications.
Argo Rollouts is a Kubernetes controller that extends Deployments with advanced rollout strategies — blue-green, canary with traffic weighting, and automated analysis. It integrates with Prometheus and Istio to automatically promote or roll back based on real-time metrics.
ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes that watches a Git repository and automatically synchronises the cluster to match the declared state — providing self-healing, auditable deployments where every change is a Git commit.
A CI/CD artifact is a file or set of files produced by one pipeline job and passed to subsequent jobs or stored for later use. Common artifacts include Docker image references, compiled binaries, test reports, and coverage files that travel through the pipeline.
Artifact promotion is the practice of building a Docker image or binary exactly once and passing the same immutable artifact through dev, staging, and production — rather than rebuilding for each environment. What was tested is exactly what gets deployed.
Atlantis is an open-source tool that automates Terraform pull request workflows — running terraform plan automatically when a PR is opened and posting the output as a comment, then running terraform apply when an approved reviewer comments 'atlantis apply'.
The starting point of a Dockerfile specified in the FROM instruction. The base image determines the operating system, package manager, and initial filesystem of the final image — and is the single biggest factor in image size and security.
Bash (Bourne Again Shell) is the default command-line shell on Linux servers. It is both an interactive shell for daily commands and a scripting language for automation. Bash scripts power CI/CD pipelines, deployment scripts, health checks, and server automation across the industry.
A Kubernetes QoS Class assigned to pods that have no resource requests or limits configured at all. BestEffort pods receive whatever CPU and memory is left over on the node, have zero resource guarantees, and are the first pods evicted when a node experiences memory pressure.
A release strategy that runs two identical environments simultaneously — blue (live) and green (new version). Traffic switches from blue to green all at once after green is fully tested. Rollback is instant by switching traffic back to blue.
The default Docker network driver that creates an isolated virtual network on the host, connecting containers via a Linux bridge device. User-defined bridge networks add automatic DNS resolution by container name.
Docker's mechanism for reusing unchanged image layers from previous builds to speed up rebuild time. Each instruction is a cache key — if the instruction and its inputs are unchanged, Docker reuses the cached layer instead of re-executing the instruction.
A Kubernetes QoS Class where at least one container has resource requests set but they differ from the limits. Burstable pods can use more resources than requested when the node has spare capacity, and are evicted second after BestEffort during node memory pressure.
Container Network Interface: a specification and set of plugins that configure network interfaces inside Linux containers, enabling pod-to-pod communication across all nodes in a Kubernetes cluster. Popular implementations include Calico, Cilium, and Flannel. Without a CNI plugin installed, no pods can communicate and all will remain stuck in Pending.
A release strategy that sends a small percentage of real user traffic (typically 5-10%) to the new application version while the majority continues on the stable version. If the canary performs well, traffic percentage is gradually increased until full rollout.
One of the four DORA metrics — measures the percentage of deployments that cause a production incident requiring a hotfix or rollback. Elite performers keep this below 5%. High failure rates indicate insufficient test coverage or inadequate staging environment fidelity.
A Kubernetes component that automatically adds worker nodes when pods cannot be scheduled due to insufficient resources, and removes idle nodes when utilisation drops — reducing cloud costs without manual intervention.
The default Kubernetes Service type that assigns a stable virtual IP address accessible only within the cluster, enabling internal pod-to-pod communication through a consistent endpoint that remains fixed regardless of underlying pod IP changes.
A configuration in a Docker Compose service that defines a command Docker runs periodically to determine if a container is healthy. Other services use depends_on with condition: service_healthy to wait until a dependency passes its health check before starting.
A secondary Docker Compose file that extends or modifies the base compose file for specific environments. Docker automatically merges docker-compose.override.yml with docker-compose.yml, allowing environment-specific configuration without duplicating the base file.
A Docker Compose feature that tags services with profile names, allowing them to be selectively started. Services without a profile always start — services with a profile only start when that profile is explicitly activated with --profile.
A named container definition in a Docker Compose file that specifies the image, ports, environment, volumes, dependencies, and runtime configuration for one component of a multi-container application.
A Kubernetes object that stores non-sensitive configuration data as key-value pairs, allowing application configuration to be completely decoupled from container images and injected into pods as environment variables or mounted files at runtime.
A lightweight, isolated process running on a shared Linux kernel using namespaces and cgroups — providing filesystem, network, and process isolation without the overhead of a full virtual machine.
A read-only, layered filesystem snapshot containing an application and everything it needs to run — code, runtime, libraries, and configuration. Container images are the templates from which containers are created.
The security boundaries that Linux namespaces and cgroups create around a container process, limiting its view of the filesystem, network, processes, and system resources. Container isolation is weaker than VM isolation — all containers share the host kernel.
The sequence of states a Docker container moves through from creation to removal — created, running, paused, stopped, and dead — each triggered by specific Docker CLI commands or container exit events.
A service that stores and distributes Docker images. The registry serves as the central repository from which developers push built images and deployment systems pull them to create containers.
A Kubernetes plugin interface that defines how Kubernetes communicates with container runtimes. CRI allows Kubernetes to work with containerd, CRI-O, and other runtimes — and explains why Kubernetes deprecated Docker as a runtime in version 1.24.
The default DNS server in Kubernetes that runs as a Deployment inside the cluster, resolving service names to ClusterIP addresses and enabling pods to discover and communicate with each other using human-readable DNS names instead of raw IP addresses.
Terraform count and for_each are meta-arguments that create multiple instances of a resource or module from a single block. Count creates N identical copies using a numeric index. For_each creates one instance per item in a map or set, giving each instance a meaningful key instead of a number.
A Kubernetes pod status indicating the container repeatedly crashes immediately after starting and the kubelet applies exponential backoff delays before each restart attempt, beginning at 10 seconds and capping at 5 minutes. It signals that something inside the container is fundamentally broken, not a transient network issue.
A daemon is a background process that runs continuously without a controlling terminal, typically started at boot and providing a service to other processes or the system. Common daemons include sshd (SSH server), nginx (web server), and cron (job scheduler).
A Kubernetes controller that ensures exactly one copy of a pod runs on every node in the cluster (or a filtered subset). When new nodes join, the DaemonSet automatically schedules a pod on them. When nodes leave, those pods are garbage collected. Used for infrastructure agents that must run everywhere — log collectors, monitoring exporters, network plugins, and security scanners.
The depends_on meta-argument in Terraform explicitly declares that one resource must be created before another, even when there is no direct reference between them. Terraform normally infers dependencies automatically from references — depends_on handles the rare cases where the dependency is implicit and invisible to Terraform.
A Kubernetes controller that manages a set of identical pods — ensuring the desired number of replicas always runs, handling rolling updates to new versions with zero downtime, and automatically replacing crashed or deleted pods.
One of the four DORA metrics — measures how often an organisation successfully deploys to production. Elite performers deploy multiple times per day. High frequency is only safe with automated testing, fast rollback, and small batch sizes.
The modern Docker build engine that replaces the legacy builder with parallel layer building, better caching, secret mounts, SSH agent forwarding, and multi-platform builds. Enabled by default in Docker 23+.
A Docker CLI plugin that extends docker build with BuildKit features including multi-platform image building, advanced cache management, and parallel builds. Buildx enables building images for linux/amd64, linux/arm64, and other architectures from a single machine.
A tool for defining and running multi-container Docker applications using a YAML file. A single docker compose up command creates and starts all services, networks, and volumes defined in the compose file.
A comparison of two container orchestration approaches. Compose runs multi-container apps on a single host and suits small teams and local development. Kubernetes orchestrates containers across multiple hosts with self-healing, auto-scaling, and rolling deployments.
A Docker security feature that enables cryptographic signing and verification of images using Notary. When enabled, Docker refuses to pull or run images that have not been signed by a trusted key — protecting against image tampering in transit.
The set of files and directories sent to the Docker daemon when building an image. Docker reads everything in the build context directory and sends it to the daemon — making a small, well-scoped context essential for fast builds.
Docker's embedded DNS server (127.0.0.11) that runs inside every container on a user-defined network, resolving container names and network aliases to IP addresses without any manual configuration.
The background service (dockerd) that manages Docker objects — images, containers, networks, and volumes. The Docker CLI communicates with the daemon via a REST API over a Unix socket at /var/run/docker.sock.
A Dockerfile instruction or docker run flag that defines a command Docker runs periodically inside a container to determine if it is healthy. Containers can be starting, healthy, or unhealthy — used by orchestrators for traffic routing decisions.
A read-only, layered filesystem snapshot that serves as the template for creating containers. Each layer represents a Dockerfile instruction and is cached and reused across builds to speed up image creation.
The mechanism Docker uses to capture and route container stdout and stderr output. The default json-file driver writes to the host filesystem — production systems typically use awslogs, fluentd, or splunk drivers to ship logs to centralised aggregation systems.
A virtual network that Docker creates to enable communication between containers and between containers and the host. Docker provides several network drivers (bridge, host, overlay, none) for different connectivity requirements.
The practice of configuring Docker containers to run as a non-root user (UID > 0) to limit the damage a compromised container process can do to the host system and other containers.
A family of Docker commands that remove unused objects — stopped containers, dangling images, unused volumes, unused networks — to recover disk space on the host. Essential maintenance on build machines where layers accumulate over time.
A configuration that tells Docker what to do when a container exits. The four policies — no, always, on-failure, and unless-stopped — determine whether Docker automatically restarts a container and under what conditions.
Sensitive data (passwords, tokens, certificates) that must be available to containers at runtime without being stored in image layers, environment variables, or compose files in plaintext. Docker provides BuildKit secret mounts for build-time and file-based secrets for runtime.
Docker's built-in runtime resource monitoring command that shows real-time CPU, memory, network I/O, and block I/O usage for running containers. Used for capacity planning and detecting runaway containers before formal monitoring is in place.
Docker's built-in container orchestration mode that turns a group of Docker hosts into a cluster. Swarm provides service scaling, rolling updates, secrets management, and overlay networking — a simpler alternative to Kubernetes for teams not ready for its complexity.
A Docker-managed persistent storage location on the host filesystem that exists outside the container's union filesystem. Volumes persist beyond container lifetime, can be shared between containers, and are the recommended way to store data that must survive container restarts.
A text file containing ordered instructions that Docker executes to build an image layer by layer. Each instruction creates a new filesystem layer — FROM sets the base, RUN executes commands, COPY adds files, and CMD defines the startup command.
Infrastructure drift in Terraform occurs when real cloud resources are changed outside of Terraform — by clicking in the AWS console, running AWS CLI commands, or making emergency fixes — causing the actual infrastructure to no longer match what Terraform expects from its state file.
A CI/CD environment is a named deployment target — such as dev, staging, or production — that tracks deployment history, enforces approval requirements, and holds environment-specific secrets. Environments make promotion workflows explicit and auditable.
An environment variable is a named value stored in a process's environment that child processes inherit. Environment variables configure application behaviour without hardcoding values. They are the standard method for passing configuration, secrets, and runtime settings to processes.
A file descriptor is a non-negative integer that the Linux kernel assigns to an open file, socket, pipe, or device. Every process has a table of file descriptors. 0 is stdin, 1 is stdout, 2 is stderr. All I/O in Linux happens through file descriptors.
Linux file permissions control which users can read, write, or execute a file using a three-level model: owner, group, and other. Each level has three bits that can be independently set, represented as rwxr-xr-- or in octal as 754.
A filesystem is the method an operating system uses to organise, store, and retrieve files on a storage device. Linux uses ext4 and XFS most commonly in production, plus virtual filesystems like /proc and /sys that exist only in memory.
GitHub Actions is GitHub's built-in CI/CD platform that runs automated workflows in YAML files under .github/workflows/. Workflows trigger on repository events — push, pull request, schedule — and run jobs on GitHub-hosted or self-hosted runners.
GitLab CI is GitLab's integrated CI/CD system defined in a .gitlab-ci.yml file at the repository root. It runs jobs on registered runners, tracks deployments to named environments, and integrates tightly with GitLab's merge request workflow for inline pipeline status.
A set of practices where the entire desired state of infrastructure and applications is stored in Git as the single source of truth. Changes are made via Git commits and pull requests — a reconciliation agent (ArgoCD, Flux) automatically applies them to the target environment.
An open-source visualisation platform that connects to Prometheus to create real-time dashboards and alert panels. In Kubernetes environments Grafana turns raw PromQL queries into readable charts that make cluster health and pod performance visible across the entire engineering team.
A Kubernetes QoS Class assigned to pods where every container has CPU and memory requests set exactly equal to their limits. Guaranteed pods receive the highest resource protection and are the last to be evicted when a node runs out of memory.
HCL (HashiCorp Configuration Language) is the configuration language Terraform uses to define infrastructure. It is designed to be human-readable and machine-parseable — more readable than JSON and simpler than a full programming language.
Horizontal Pod Autoscaler: a Kubernetes controller that automatically scales the number of pod replicas in a Deployment or StatefulSet up or down based on observed CPU utilisation, memory usage, or custom application metrics. It eliminates the need to manually adjust replica counts during traffic spikes and quiet periods.
Helm is the package manager for Kubernetes that bundles manifests into reusable parameterised charts. In CI/CD pipelines, Helm deploys applications with environment-specific values — enabling the same chart to deploy to dev, staging, and production with different configurations.
A package manager for Kubernetes that bundles all required Kubernetes manifests into a reusable unit called a chart. Helm templates variables at deploy time, enabling the same chart to deploy consistently across dev, staging, and production environments with different configurations.
A Docker network mode where the container shares the host's network namespace directly, using the host's IP address and ports without any NAT. Provides the best network performance but eliminates all network isolation between the container and host.
A content-addressable SHA256 hash that uniquely and immutably identifies a specific version of a Docker image. Unlike tags which can be overwritten, a digest always refers to exactly the same image bytes.
A Kubernetes pod status indicating the kubelet cannot pull the container image from the registry and is applying exponential backoff delays between retry attempts. It is always caused by one of four things: the image name or tag is wrong, the image does not exist, the registry requires authentication that the cluster does not have, or the registry is unreachable from the node.
Infracost is an open-source tool that estimates the monthly cloud cost of a Terraform plan before you apply it — showing a cost breakdown per resource and the cost difference between your current and proposed infrastructure.
An API object that manages external HTTP and HTTPS access to services inside a cluster. Ingress sits in front of multiple services and acts as a smart router — directing traffic based on hostnames, URL paths, or headers without exposing each service directly to the internet.
An inode is a data structure in a Linux filesystem that stores metadata about a file — its permissions, owner, size, and data block locations — but not its filename. The filename lives in a directory entry that points to the inode number.
A Terraform input variable is a parameter that makes a module or configuration reusable by letting callers pass in different values at runtime. Variables are declared with a variable block and can have a type, default value, description, and validation rules.
Jenkins is an open-source automation server widely used in enterprise environments for CI/CD pipelines. It uses a Groovy-based Jenkinsfile to define declarative pipelines with stages, agents, and post-build actions — running on self-hosted infrastructure with full customisation.
A CI/CD job is a discrete unit of work within a pipeline stage that runs on a runner or agent. Each job runs in isolation, has its own set of steps, and produces a pass or fail result that determines whether dependent jobs can proceed.
The primary node agent in Kubernetes that runs on every worker node, responsible for ensuring containers described in PodSpecs are running, healthy, and reporting status back to the control plane.
One of the four DORA metrics — measures the time from a code commit to that code running in production. Elite performers achieve lead times under one hour. Long lead times indicate slow pipelines, large batch sizes, or excessive manual gates.
A namespace-scoped policy that sets default, minimum, and maximum resource constraints for individual containers and pods within a namespace. While ResourceQuota caps the total consumption of a namespace, LimitRange enforces boundaries at the per-container level — automatically injecting default requests/limits into pods that don't specify them.
Granular Linux kernel privileges that can be individually granted or revoked from container processes. Docker drops 14 dangerous capabilities by default — using --cap-drop ALL with selective --cap-add provides the most restrictive security posture.
A Linux firewall controls which network packets are allowed into, out of, or through a server using rules evaluated by the kernel's netfilter framework. Tools like iptables, nftables, and ufw write rules into netfilter. The default-deny model blocks all traffic not explicitly permitted.
The Linux kernel is the core of the operating system — the software that manages hardware, memory, processes, and system calls. It runs in privileged kernel space while applications run in user space. The kernel is the layer that makes all higher-level Linux functionality possible.
A Terraform local value is a named expression that you compute once and reuse throughout a configuration without repeating the calculation. Locals are like constants or intermediate variables — they are not input parameters and cannot be set by callers.
One of the four DORA metrics — measures the average time to restore service after a production incident. Elite performers restore in under one hour. MTTR is driven by detection speed, rollback speed, and on-call runbook quality.
The source argument in a Terraform module block tells Terraform where to find the module code — a local relative path, a Terraform Registry address, a GitHub URL, or a private registry. The source determines how Terraform downloads and versions the module.
Mounting in Linux attaches a filesystem (on a disk partition, network share, or virtual source) to a directory in the filesystem tree. After mounting, files on the device appear at that directory path and are accessible through normal file operations.
A Dockerfile pattern that uses multiple FROM instructions to separate build-time dependencies from runtime artifacts. The final image contains only what is needed to run the application — not the compilers, test frameworks, or build tools used during the build.
A Kubernetes mechanism for partitioning cluster resources into isolated virtual segments. Namespaces allow multiple teams, projects, or environments to share the same physical cluster while maintaining logical separation of workloads, access controls, and resource quotas. They do not provide network isolation by themselves — that requires Network Policies.
A network port is a 16-bit number (0-65535) that identifies a specific service or process on a host within a TCP/IP connection. Ports allow a single IP address to host multiple services simultaneously. Ports below 1024 are privileged and require root to bind.
Open Container Initiative — an open industry standard for container image format and runtime specification maintained by the Linux Foundation. OCI ensures that images built with Docker can run on containerd, podman, CRI-O, and any other OCI-compliant runtime.
OIDC (OpenID Connect) for CI/CD allows pipelines to assume cloud provider roles using short-lived tokens instead of long-lived static credentials. GitHub Actions, GitLab CI, and other platforms issue OIDC tokens that AWS, GCP, and Azure accept in exchange for temporary access credentials.
A pod termination status in Kubernetes that occurs when a container exceeds its configured memory limit, causing the Linux kernel to forcefully terminate the process. Exit code is always 137.
A Terraform output value exposes specific attributes from your infrastructure after an apply — like an EC2 instance's IP address or an S3 bucket's name. Outputs are printed to the terminal after apply and can be read by other Terraform configurations through remote state data sources.
A multi-host Docker network driver that spans multiple Docker hosts, enabling containers on different machines to communicate as if on the same network. Used in Docker Swarm and as the conceptual foundation for understanding Kubernetes CNI networking.
PATH is an environment variable containing a colon-separated list of directories the shell searches when you type a command. The shell checks each directory in order and runs the first matching binary found. Commands not in any PATH directory require an absolute path.
PID (Process ID) is a unique integer assigned by the Linux kernel to every running process. PID 1 is always systemd (or init), the first process after the kernel boots. Every other process gets the next available PID number up to the system maximum.
A Linux package manager installs, updates, and removes software packages along with their dependencies. apt manages .deb packages on Debian/Ubuntu. yum and dnf manage .rpm packages on RHEL/CentOS/Amazon Linux. Both verify package integrity with GPG signatures before installation.
A user's formal request for storage in Kubernetes that binds to an available PersistentVolume, abstracting the underlying storage provider and allowing pods to consume durable storage independently of their own lifecycle.
A pipe (|) connects the standard output of one command to the standard input of the next, creating a data processing chain. Pipes let you compose simple commands into powerful one-liners without temporary files. The kernel implements pipes as in-memory buffers between processes.
A CI/CD pipeline is an automated sequence of stages that takes source code from a Git commit through building, testing, scanning, and deploying to production — eliminating manual steps and ensuring every change follows the same verified path to release.
The smallest deployable unit in Kubernetes — a group of one or more containers that share the same network namespace, storage volumes, and lifecycle. Every container in Kubernetes runs inside a pod, and every pod gets its own unique IP address inside the cluster.
A Kubernetes policy object that limits the number of pods of a replicated application that can be simultaneously down during voluntary disruptions like node drains, cluster upgrades, or autoscaling events, ensuring minimum availability is always maintained.
The mechanism by which Docker exposes a container's internal port to the host network, making the container service accessible from outside using -p host_port:container_port. Docker creates iptables DNAT rules to route traffic from the host port to the container.
A process is a running instance of a program. Linux gives each process a unique PID, its own memory space, and a set of open file descriptors. Every process has a parent — except PID 1 (systemd) — forming a tree of all running processes.
Prometheus Query Language — the functional query language used to select, filter, aggregate, and calculate metrics stored in Prometheus. PromQL is used to build Grafana dashboard panels, define alert thresholds in PrometheusRule objects, and explore live metric data in the Prometheus web UI.
An open-source monitoring system that collects time-series metrics by scraping HTTP endpoints every 15 seconds. In Kubernetes it is the standard tool for collecting pod CPU, memory, request rates, and error rates — storing them locally and providing PromQL for querying.
A Quality of Service classification that Kubernetes automatically assigns to every pod based on its resource requests and limits configuration. QoS Class determines the eviction priority when a node runs low on memory — pods with lower QoS Class are evicted first to protect higher-priority pods.
Role-Based Access Control — the built-in Kubernetes authorization system that controls who (users, groups, or ServiceAccounts) can perform what actions (get, list, create, delete) on which resources (pods, secrets, deployments) within the cluster. RBAC is enforced through four objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding.
Shell redirection operators control where a command's input comes from and where its output goes. The > operator writes stdout to a file, >> appends, < reads stdin from a file, and 2> captures stderr. Combining them allows precise control over all three standard streams.
Terraform remote state stores the terraform.tfstate file on a shared backend — like AWS S3 or Terraform Cloud — instead of on a local disk. Remote state allows a whole team to share infrastructure state safely and enables one Terraform configuration to read outputs from another.
A namespace-scoped Kubernetes object that enforces hard upper limits on the total amount of compute resources (CPU, memory) and API objects (pods, secrets, services) that can exist within a namespace. ResourceQuotas protect shared clusters from a single team or runaway workload consuming all available resources.
A Kubernetes deployment strategy that replaces old pods with new ones gradually — one at a time or in small batches — ensuring pods are always running and serving traffic throughout the entire update. The default zero-downtime release strategy for Kubernetes Deployments.
A CI/CD runner is the machine or container that executes jobs in a pipeline. GitHub-hosted runners are managed ephemeral VMs. Self-hosted runners run on your own infrastructure — giving control over hardware, networking, installed tools, and access to private resources.
SAST (Static Application Security Testing) scans source code or compiled binaries for security vulnerabilities without executing the program. Integrated into CI pipelines, tools like Semgrep, SonarQube, and CodeQL catch injection flaws, secrets, and insecure patterns before code reaches production.
SSH (Secure Shell) is a cryptographic network protocol that provides encrypted remote access to Linux servers. It authenticates using key pairs or passwords and creates an encrypted tunnel for all data, replacing insecure protocols like Telnet and rsh.
An SSH private key is the secret half of an asymmetric key pair stored locally at ~/.ssh/id_ed25519. It proves identity during SSH authentication by signing a server challenge. It must never be shared, transmitted, or committed to version control under any circumstances.
An SSH public key is the shareable half of an asymmetric key pair used for SSH authentication. It is placed in ~/.ssh/authorized_keys on the server. The server uses it to verify that the connecting client holds the matching private key, without the private key ever being transmitted.
A Kubernetes identity assigned to pods that controls what API operations the pod is permitted to perform within the cluster. Every pod runs under a ServiceAccount; if you don't specify one, Kubernetes automatically assigns the `default` ServiceAccount. ServiceAccounts are the foundation of pod-level RBAC: they are bound to Roles and ClusterRoles to grant or restrict cluster API access. The `default` ServiceAccount carries no RBAC grants of its own, but its token is still mounted into every pod that uses it unless automountServiceAccountToken is set to false, so workloads that never call the API should opt out of the mount.
A shell is a command-line interpreter that reads user input, executes commands, and returns output. Bash is the standard shell on Linux servers. The shell is both an interactive interface and a scripting language for automation.
A signal is an asynchronous notification sent to a Linux process by the kernel, another process, or the user. Each signal has a number and a name (SIGTERM is 15, SIGKILL is 9). A process can handle signals with custom code, ignore them, or let the default action (often termination) occur. The exceptions are SIGKILL and SIGSTOP, which cannot be caught, blocked, or ignored, which is why a graceful shutdown sends SIGTERM first and falls back to SIGKILL only after a grace period.
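The difference between a handled SIGTERM and an uncatchable SIGKILL is easiest to see by running both. The following is an added example, not part of the glossary: a background worker installs a trap that removes a marker file (standing in for a lock file or open transaction) when it receives TERM, and run_worker reports the worker's exit status and whether the cleanup ran for whichever signal it is given.

```shell
#!/bin/sh
# Added example (not from the glossary): a worker that traps SIGTERM to clean up
# before exiting, contrasted with SIGKILL, which no process can catch.
# run_worker SIGNAL prints the worker's exit status and whether cleanup ran.
run_worker() {
  marker=$(mktemp)   # stands in for a lock file, temp dir, or open transaction

  # Background worker: on TERM, remove the marker and exit 143 (128 + 15).
  # The trap runs once the current sleep returns, so cleanup takes up to 1s.
  (
    trap 'rm -f "$marker"; exit 143' TERM
    while :; do sleep 1; done
  ) &
  pid=$!

  sleep 1                      # give the worker time to install its trap
  kill -s "$1" "$pid"

  status=0
  wait "$pid" || status=$?     # 143 after a handled TERM, 137 (128 + 9) after KILL

  if [ -e "$marker" ]; then
    rm -f "$marker"            # KILL skipped the handler, so we tidy up here
    echo "signal=$1 status=$status cleanup=no"
  else
    echo "signal=$1 status=$status cleanup=yes"
  fi
}
```

`run_worker TERM` reports status 143 with cleanup done; `run_worker KILL` reports status 137 with the marker left behind, because the kernel terminated the process without ever running its handler. This is the behaviour behind Kubernetes' terminationGracePeriodSeconds and systemd's TimeoutStopSec: TERM first, then KILL.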
A CI/CD stage is a logical grouping of related jobs within a pipeline representing one phase of delivery — such as Build, Test, Scan, or Deploy. Stages run sequentially and a failed stage blocks all subsequent stages from running.
A Terraform state lock prevents multiple terraform apply operations from running against the same state file simultaneously. When one engineer runs terraform apply, the state is locked — any other apply attempt waits or fails until the lock is released.
A Kubernetes workload controller designed for applications that require stable, persistent identity across pod restarts, such as databases, message queues, and distributed stores. Unlike Deployments, each StatefulSet pod gets a predictable name, dedicated storage, and, by default (podManagementPolicy: OrderedReady), starts and stops in a guaranteed sequential order.
A symbolic link (symlink) is a special file that contains a path pointing to another file or directory. Accessing the symlink transparently accesses the target. Unlike hard links, symlinks can cross filesystems and point to directories.
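The properties in this entry can be checked directly on a filesystem. The following is an added example, not part of the glossary: it builds a throwaway directory, creates a symlink and a hard link to the same file, and reports each behaviour as a key=value pair, including the one that matters for security, namely that writing through a symlink writes to whatever it points at.

```shell
#!/bin/sh
# Added example (not from the glossary): symlink versus hard-link behaviour,
# exercised in a throwaway directory and summarised as key=value pairs.
symlink_demo() {
  d=$(mktemp -d)
  mkdir "$d/data"
  printf 'original\n' >"$d/data/target.txt"

  ln -s "$d/data/target.txt" "$d/soft"   # symlink: a file whose content is a path
  ln "$d/data/target.txt" "$d/hard"      # hard link: a second name for the same inode
  ln -s "$d/data" "$d/dirlink"           # symlinks may point at directories...

  # ...but the kernel refuses hard links to directories.
  if ln "$d/data" "$d/dirhard" 2>/dev/null; then dir_hard=allowed; else dir_hard=refused; fi

  # -L tests for a symlink; readlink shows the stored path without following it.
  [ -L "$d/soft" ] && is_symlink=yes || is_symlink=no
  [ "$(readlink "$d/soft")" = "$d/data/target.txt" ] && stores_path=yes || stores_path=no

  # The hard link and the target share an inode; the symlink has its own.
  target_inode=$(ls -i "$d/data/target.txt" | awk '{print $1}')
  hard_inode=$(ls -i "$d/hard" | awk '{print $1}')
  [ "$target_inode" = "$hard_inode" ] && same_inode=yes || same_inode=no

  # Writing through the symlink modifies the target. This is why a symlink
  # planted in a world-writable directory can redirect a privileged writer.
  printf 'rewritten\n' >"$d/soft"
  [ "$(cat "$d/data/target.txt")" = rewritten ] && writes_through=yes || writes_through=no

  # Removing the symlink removes only the link; the target is untouched.
  rm "$d/soft"
  [ -e "$d/data/target.txt" ] && target_survives=yes || target_survives=no

  # The directory symlink resolves transparently.
  [ -f "$d/dirlink/target.txt" ] && dir_symlink=yes || dir_symlink=no

  rm -rf "$d"
  echo "is_symlink=$is_symlink stores_path=$stores_path same_inode=$same_inode dir_symlink=$dir_symlink dir_hardlink=$dir_hard writes_through=$writes_through target_survives_rm=$target_survives"
}
```

Programs that create files in shared directories should open them with O_NOFOLLOW or O_EXCL (the `set -o noclobber` option in shells has a similar effect for `>`) so a pre-planted symlink cannot redirect the write.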
A key-value property applied to a Kubernetes node that repels pods from being scheduled onto it unless the pod explicitly declares a matching Toleration, enabling controlled and dedicated workload placement. The taint's effect sets how strict the rule is: NoSchedule blocks new pods, PreferNoSchedule only discourages them, and NoExecute additionally evicts pods already running on the node.
The terraform apply command executes the changes shown in a plan, creating, updating, or destroying real infrastructure to match your Terraform configuration. It updates the state file after each successful change. Applying a saved plan file (terraform plan -out=tfplan, then terraform apply tfplan) guarantees that what is applied is exactly what was reviewed, rather than a fresh plan computed at apply time.
A Terraform backend defines where Terraform stores its state file and how operations like plan and apply are executed. The default backend stores state locally on disk — production teams use remote backends like S3 or Terraform Cloud to share state safely across a team.
The terraform import command brings an existing cloud resource that was created outside of Terraform under Terraform management by adding it to the state file. You still write the matching resource block yourself; after importing, Terraform can plan and apply changes to that resource without recreating it. Since Terraform 1.5 the same can be declared with an import block in configuration instead of a one-off CLI command.
The terraform init command initialises a Terraform working directory — downloading required provider plugins, configuring the backend, and installing module dependencies. You must run terraform init before any other Terraform command when working in a new directory or after adding a new provider or module.
A Terraform module is a container for multiple Terraform resources that are used together. Every Terraform configuration is technically a module — but the term usually refers to reusable child modules that are called from a root module to create a specific piece of infrastructure.
The terraform plan command shows you exactly what Terraform will create, change, or destroy before it does anything. It reads your configuration files, compares them to the current state file, and prints a diff — giving you a safe preview before you apply.
A Terraform provider is a plugin that gives Terraform the ability to create, read, update, and delete resources in a specific platform — such as AWS, GCP, Azure, or GitHub. Each provider translates your HCL configuration into real API calls for that platform.
Terraform refresh updates the state file to match the current real state of your infrastructure, detecting changes made outside of Terraform. The standalone terraform refresh command has been deprecated since Terraform 0.15: every plan and apply refreshes state by default, and terraform apply -refresh-only updates the state file without changing any infrastructure.
A Terraform resource is a block of HCL configuration that declares one piece of infrastructure — like an EC2 instance, an S3 bucket, or a DNS record. Terraform creates, updates, and deletes the real-world object to match the resource declaration.
The terraform.tfstate file is a JSON file that Terraform uses to track the real-world infrastructure it has created. It maps each resource in your configuration to its actual ID in the cloud provider, like an EC2 instance ID or an S3 bucket name. It also records resource attributes in plaintext, including sensitive ones such as database passwords and generated keys, so state must be access-controlled and encrypted at rest wherever it is stored and never committed to version control.
terraform validate checks that a Terraform configuration is syntactically correct and internally consistent, catching errors before plan or apply. TFLint is a Terraform linter that catches additional issues like deprecated syntax, missing required provider version constraints, and provider-specific rule violations.
A Terraform workspace is a named instance of state within a single backend configuration. Workspaces allow running the same Terraform configuration against separate state files, and are often used to manage dev, staging, and production environments from one codebase. Because all workspaces share one backend and one set of credentials, they do not isolate environments from each other; teams that need production state and credentials kept apart from development typically use separate root modules or backends instead.
Terragrunt is a thin wrapper around Terraform that adds features for DRY (Don't Repeat Yourself) configurations — automatically configuring remote state backends, enabling module dependency management, and reducing copy-paste across environments.
A test coverage gate is a CI pipeline rule that fails the build if code test coverage drops below a defined threshold. Coverage gates enforce a minimum quality standard and prevent developers from shipping new code without corresponding tests.
A pod-level configuration in Kubernetes that allows the scheduler to place a pod onto a node that carries a matching Taint, enabling specific workloads to run on dedicated or restricted nodes.
A CI/CD trigger is the event that starts a pipeline run. Common triggers include a Git push to a branch, a pull request opening, a scheduled cron expression, a manual dispatch, or a webhook from an external system like a monitoring alert.
The copy-on-write storage mechanism (a union filesystem, overlay2 on current Docker) that stacks image layers on top of one another. Each layer is immutable and shared across containers using the same image; only the top read-write layer is unique per container, and changes to a shared file are copied into that layer before being written.
A systemd unit file is a configuration file that describes a service, socket, timer, or other system resource managed by systemd. A service unit file has three sections: [Unit] for metadata and dependencies, [Service] for execution details, and [Install] for boot-time configuration. Other unit types replace [Service] with their own section, such as [Timer] or [Socket].
A configuration that connects a directory or file from outside a container into the container's filesystem, making data accessible to the container process. Docker supports three mount types: named volumes, bind mounts, and tmpfs.
awk is a text processing tool that splits each input line into fields and applies pattern-action rules. It excels at extracting specific columns from structured text like logs, CSV files, and command output. awk is indispensable for log analysis and data transformation in shell scripts.
cron is a time-based job scheduler daemon that executes commands at specified intervals. Jobs are defined in crontab files using a five-field time syntax (minute, hour, day, month, weekday). It is the standard mechanism for backups, log rotation, and scheduled maintenance.
A distributed key-value store that serves as Kubernetes' primary backing store for all cluster state and configuration data, making it the single source of truth for the entire control plane including nodes, pods, secrets, and configs. Kubernetes Secrets are stored in etcd base64-encoded but not encrypted unless encryption at rest is configured, so read access to etcd or to its backups is equivalent to access to every secret in the cluster.
grep (Global Regular Expression Print) searches files or stdin for lines matching a pattern and prints matching lines. It is the standard tool for filtering log files, searching code, and extracting information from command output in Linux environments.
iptables is the user-space command-line tool for configuring the Linux kernel's netfilter packet filtering framework. It organises rules into tables (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD) that evaluate every network packet passing through the system. Modern distributions increasingly ship nftables as the successor, often keeping iptables as a compatibility frontend.
A network proxy that runs on every Kubernetes node, maintaining iptables or IPVS rules to enable Service-based load balancing and routing of network traffic to the correct pod endpoints across the cluster.
A Linux kernel security feature that filters which system calls a container process is allowed to make. Docker applies a default seccomp profile that blocks around 44 of the 300+ available syscalls; custom profiles can restrict further for high-security workloads. The default profile is not applied to containers run with --privileged or with --security-opt seccomp=unconfined.
sed (Stream Editor) processes text line by line, applying editing commands like substitution, deletion, and insertion. It is the standard tool for find-and-replace operations on files and streams, used in scripts to modify config files, transform log output, and perform batch text transformations.
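The grep, awk, and sed entries above describe the three tools separately; in practice they are chained. The following is an added example, not part of the glossary, that runs all three over a few constructed sshd log lines (sample data, not a real log): grep selects failed password attempts, awk counts them per source IP and flags sources over a threshold, and sed rewrites the matched lines into a compact form.

```shell
#!/bin/sh
# Added example (not from the glossary): a grep -> awk -> sed pipeline over
# constructed sshd log lines. The addresses and hostnames are made up.
sample_log() {
  cat <<'EOF'
Mar 10 09:12:01 web1 sshd[4021]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:abc
Mar 10 09:12:07 web1 sshd[4030]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar 10 09:12:09 web1 sshd[4031]: Failed password for invalid user admin from 203.0.113.9 port 40124 ssh2
Mar 10 09:12:11 web1 sshd[4032]: Failed password for root from 198.51.100.23 port 33001 ssh2
Mar 10 09:12:15 web1 sshd[4033]: Failed password for invalid user test from 203.0.113.9 port 40130 ssh2
Mar 10 09:13:02 web1 cron[4100]: (root) CMD (/usr/local/bin/backup.sh)
EOF
}

# grep: keep only sshd lines that record a failed password attempt.
failed_lines() {
  sample_log | grep 'sshd\[[0-9]*\]: Failed password'
}

# awk: the source IP is the field after "from"; count attempts per IP and
# print "ip count", most attempts first.
failed_by_ip() {
  failed_lines | awk '{
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      count[ip]++
    }
    END { for (ip in count) print ip, count[ip] }' | sort -k2,2nr -k1,1
}

# awk pattern-action with a shell variable: sources at or above a threshold.
ips_over_threshold() {
  failed_by_ip | awk -v n="$1" '$2 >= n { print $1 }'
}

# sed: rewrite each failed attempt to "time user ip", marking unknown
# usernames as user(invalid) and dropping the syslog prefix and port.
normalize() {
  failed_lines | sed -E \
    -e 's/^[A-Za-z]+ +[0-9]+ ([0-9:]+) [^ ]+ sshd\[[0-9]+\]: Failed password for /\1 /' \
    -e 's/invalid user ([^ ]+)/\1(invalid)/' \
    -e 's/ from ([0-9.]+) port [0-9]+ ssh2$/ \1/'
}
```

On real systems replace sample_log with `journalctl -u ssh` or `cat /var/log/auth.log`; the rest of the pipeline is unchanged. Keep the grep pattern anchored on the process name so that a username containing "Failed password" cannot inject a fake match.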
systemd is the init system and service manager used by virtually all modern Linux distributions. As PID 1, it is the first process after the kernel boots and the parent of all other processes. It manages service lifecycle, logging, timers, and system state.
A .tfvars file (terraform.tfvars or *.auto.tfvars) contains values for Terraform input variables, keeping configuration values separate from variable declarations. Different .tfvars files for dev, staging, and production let you reuse the same infrastructure code with environment-specific settings. Files that hold credentials or other secrets should stay out of version control; pass those values through environment variables (TF_VAR_name) or a secret store at run time instead.