Skip to content

Glossary

This glossary provides definitions for Garden Linux-specific terminology. If you would like to contribute additional terms or improve existing definitions, please visit our contributing guide.

Jump to: A · B · C · D · E · F · G · I · K · L · M · N · O · P · R · S · T · U · V


A

ADR (Architecture Decision Record)

A document that captures an important architectural decision made about the Garden Linux system. ADRs provide context, rationale, and consequences of decisions. Garden Linux stores ADRs in the reference/adr section. See ADR-0001 for more background on why Garden Linux uses ADRs, and Documenting Architecture Decisions by Michael Nygard for the original concept.

AppArmor

A Linux Security Module (LSM) that provides mandatory access control (MAC) by confining programs to a limited set of resources using per-program profiles. Garden Linux uses AppArmor as its default LSM for platforms requiring Kubernetes compatibility (for example, nodes running the gardener or khost features). Some compliance features such as cis replace AppArmor with SELinux instead. See SELinux for the alternative LSM.

Architecture

The processor architecture for which a Garden Linux image is built. Supported architectures include amd64 (x86-64) and arm64 (ARM 64-bit). The architecture is the second component of a flavor, e.g., kvm-python-amd64 is a flavor (see Flavor). See Architecture documentation for details on Garden Linux system design.

Artifact Base Name

The artifact base name is the versioned flavor qualified with a short commit hash:

{cname}-{arch}-{version}-{short_commit}

Example: aws-gardener_prod-amd64-1877.3-a1b2c3d4. The artifact base name is the prefix of every output file produced by the builder under .build/ and the key used for S3 artifact storage. It uniquely identifies a specific build run. See ADR 0035 for the authoritative definition.

AWS

Amazon Web Services. One of the major cloud platforms supported by Garden Linux. Garden Linux provides AWS-specific images through the aws platform feature with cloud-init integration and AWS-specific kernel modules. See AWS platform guide and AWS first boot tutorial for usage details.

Azure

Microsoft Azure. A major cloud platform supported by Garden Linux through the azure platform feature with platform-specific image configurations and optimizations. See Azure platform guide and Azure first boot tutorial for usage details.


B

Bare Metal

A platform target for Garden Linux images designed to run directly on physical hardware without a hypervisor. The baremetal feature is of type platform. The metal feature (which is of type element) provides standard kernel modules and physical hardware components and is distinct from baremetal. See On-Premises Installation and Bare Metal first boot tutorial for usage details. For the platform/element distinction, see Platform and Element.

Builder

The gardenlinux/builder component that creates customized Linux distributions. The builder is a separate project maintained by the Garden Linux team and is used to build Garden Linux images with specific Flavors. See Building Images documentation for practical guidance, ADR-0020 for details on platform enforcement in the builder, and ADR-0031 for the builder-GLCI interface design.

Versioned Flavor

A versioned flavor is the flavor qualified with a version — the string passed to the ./build script to invoke a build:

{cname}-{arch}-{version}

Example: aws-gardener_prod-amd64-1877.3. See ADR 0035 for the authoritative definition.


C

CIS (Center for Internet Security)

A framework providing security configuration benchmarks. Garden Linux offers optional CIS compliance through the cis feature and related sub-features (cisAudit, cisModprobe, cisOS, cisPackages, cisPartition, cisSshd, cisSysctl). See ADR-0017 for details on the CIS feature implementation and ADR-0029 regarding SELinux in permissive mode for CIS compliance.

chost (Container Host)

The chost element feature adjusts Garden Linux to support running container and Kubernetes workloads. It installs and configures containerd and related packages. The khost (Kubernetes Host) feature extends chost with additional Kubernetes-specific configuration. See khost (Kubernetes Host) and containerd.

Cloud Image

A Garden Linux image optimized for cloud platforms (AWS, Azure, GCP, etc.) with cloud-init support and platform-specific configurations.

CNAME (Canonical Name)

The cname is the minimal, canonically-sorted encoding of the feature set — and only the feature set. Architecture, version, and commit are not part of the cname:

cname = {feature-encoding}

Example: aws-gardener_prod. The GARDENLINUX_CNAME entry in /etc/os-release contains the cname. See ADR 0035 for the authoritative definition and GARDENLINUX_CNAME for the environment variable.

Container Image

A Garden Linux image packaged for use with container runtimes. Available through GitHub Packages at ghcr.io/gardenlinux/gardenlinux.

containerd

An industry-standard container runtime that manages the lifecycle of containers on a host. Garden Linux includes containerd in the chost, khost, and gardener element features. Individual Garden Linux releases of containerd are maintained in the gardenlinux/package-containerd repository. See chost (Container Host) and khost (Kubernetes Host).


D

Debian

The upstream Linux distribution on which Garden Linux is based. Garden Linux is a Debian GNU/Linux derivative that provides customized, auditable images with a focus on cloud and security features.

debootstrap

A tool that installs a Debian base system into a subdirectory of another, already installed system. The Garden Linux builder uses debootstrap to create the initial root filesystem for every image, bootstrapping the minbase variant as the foundation for the base feature layer.

Dependabot

GitHub's automated dependency update tool. See ADR-0003 (later reverted by ADR-0018) for the history of Dependabot usage in the builder project.

Distribution

Refers to a Garden Linux release or version. See ADR-0002 which establishes that distributions can never change retroactively, ensuring stability and reproducibility.

dracut

The initramfs infrastructure used by Garden Linux to generate the initial RAM filesystem. Garden Linux uses dracut-generated initramfs instead of initramfs-tools used by standard Debian.


E

Element

A feature of type element represents a functional component or capability added on top of a platform feature. Elements are composable — multiple elements may be present in a single build. Examples: cis, fedramp, firewall, gardener, metal, server. See ADR 0034 for the authoritative definition.

Ephemeral

Refers to the _ephemeral feature that configures Garden Linux for stateless operation where no persistent state is maintained between reboots.


F

Feature

A modular component that adds specific functionality to a Garden Linux image. Features are defined in the features/ directory. Every feature has exactly one type — platform, element, or flag — declared in its info.yaml. Features prefixed with an underscore (_) are of type flag (e.g., _prod, _fips); the _ prefix marks the feature as a flag, not as "internal" or "private". Features without a prefix are either platform or element types (e.g., aws, gardener). See ADR 0034 for the authoritative type definitions, Flavors documentation for an overview, and ADR-0032 for details on feature test coverage analysis.

Feature Set

The feature set of a build is the complete set of features present after dependency graph resolution — the transitive closure of all included features minus all excluded ones. The minimal feature set is the subset of the feature set whose members are not pulled in transitively by any other selected feature; the cname is derived from this minimal set. See ADR 0034 and ADR 0035 for details.

FedRAMP

Federal Risk and Authorization Management Program. Garden Linux provides an optional fedramp feature for US federal compliance requirements.

FIPS

Federal Information Processing Standards. The _fips feature enables FIPS 140-2/140-3 cryptographic module compliance in Garden Linux.

Firecracker

A lightweight virtual machine monitor (VMM) for running microVMs. Garden Linux historically supported Firecracker as a platform. See ADR-0012 for details on why Firecracker support was discontinued.

Flag

A feature of type flag represents a lightweight modifier. Flags are identified by a leading underscore (_) in their name (e.g., _prod, _fips, _trustedboot). They are intended for minor behavioral changes that do not warrant a full element and should not include other features. See ADR 0034 for the authoritative definition.

Flavor

A flavor is the cname qualified with a target architecture:

{cname}-{arch}

Example: aws-gardener_prod-amd64. The flavor identifies what is being built for which architecture, independent of any particular release version. It is the natural unit for entries in flavors.yaml and CI job naming. See ADR 0035 for the authoritative definition, Flavors documentation, Choosing Flavors guide, and Flavor Matrix reference for more details.

Frankenstein

A frankenstein image is a build that contains more than one platform feature. This is not a supported configuration. The builder enforces the single-platform rule by default; use --allow-frankenstein to override. When multiple platform features are present, GARDENLINUX_PLATFORM is set to the literal string frankenstein. See ADR 0034 and ADR-0020.


G

Garden Linux

A Debian GNU/Linux derivative designed to provide small, auditable Linux images for cloud providers and bare-metal machines. Garden Linux is optimized for Gardener nodes and provides extensive customization through features. See Architectural Decisions, Use Cases, and Security Posture for more information.

Gardener

Gardener is a Kubernetes-based platform for managing clusters across multiple cloud providers. Garden Linux is the recommended operating system for Gardener worker nodes through the gardener feature.

GARDENLINUX_CNAME

The GARDENLINUX_CNAME key in /etc/os-release. It contains the cname — the feature encoding only, without architecture, version, or commit hash. Example: aws-gardener_prod. See ADR 0035 for the authoritative definition.

GARDENLINUX_PLATFORM

The GARDENLINUX_PLATFORM key in /etc/os-release. It contains the single authoritative platform identifier for the image (e.g., aws, kvm, baremetal). It is derived from the resolved feature set: if exactly one platform feature is present, GARDENLINUX_PLATFORM is set to that feature's name; if more than one platform feature is present (frankenstein build), it is set to the literal string frankenstein. It is the value to use for all platform-routing decisions. See ADR 0034 for the authoritative definition.

GCP

Google Cloud Platform. A major cloud platform supported by Garden Linux through the gcp platform feature with platform-specific configurations. See GCP platform guide and GCP first boot tutorial for usage details.

GitHub Actions

GitHub's continuous integration and deployment platform. Garden Linux uses GitHub Actions for automated testing and building. See ADR-0028 for the decision to pin GitHub Actions to specific SHA hashes for security and reproducibility.

GLCI

Garden Linux Continuous Integration. The CI pipeline that runs Garden Linux build, test, and publish workflows on GitHub Actions. GLCI consumes build artifacts and metadata uploaded to Amazon S3 by the builder, then runs automated tests against those artifacts. After successful testing, GLCI registers a release entry in the Garden Linux Release Database (GLRD) and publishes images to the GitHub Container Registry and cloud provider image galleries. See ADR-0031 for the builder-GLCI interface design and the GitHub Workflows explanation for a detailed pipeline overview.

GLRD (Garden Linux Release Database)

The Garden Linux Release Database. A system that tracks Garden Linux releases and their associated metadata — including version, commit, S3 artifact locations, and image identifiers for cloud platforms. GLRD entries are created automatically by the GLCI publish pipeline: nightly entries are created from main-branch builds, and minor entries are created from release-branch builds. The build requirements workflow resolves the correct artifact version and commit ID by querying GLRD. The database is hosted in the gardenlinux/glrd repository. See GLCI and the GitHub Workflows explanation.

GLVD

Garden Linux Vulnerability Database. A system for tracking and managing security vulnerabilities in Garden Linux packages and images.

Go Dependencies

Garden Linux uses Go for various tools and components. See ADR-0004 for the decision to vendor Go dependencies.


I

Immutable

Refers to the optional immutable image feature where the root filesystem is read-only to prevent modifications and ensure system integrity.

initramfs

Initial RAM filesystem. Garden Linux uses dracut to generate the initramfs, which is loaded by the kernel during the boot process before mounting the root filesystem.


K

Kernel

Garden Linux runs the latest Long Term Support (LTS) kernel from the Linux kernel project, providing up-to-date hardware support and security patches.

khost (Kubernetes Host)

The khost element feature adjusts Garden Linux to support running vanilla (non-Gardener) Kubernetes workloads. It extends the chost feature with kubelet configuration, sysctl tuning, and swap removal. See chost (Container Host).

KVM

Kernel-based Virtual Machine. A Linux kernel module that provides hardware virtualization capabilities. The kvm platform feature is a common target for Garden Linux images used in virtualized environments.


L

Lima (Linux Machines)

A tool for running Linux virtual machines on macOS and Linux hosts. Garden Linux provides official Lima images that can be launched with limactl. See ADR-0023 for details on Lima image download mechanisms and ADR-0024 for the decision to promote Lima images to official status. Also see Lima documentation for more details.

LTS Kernel

Long Term Support kernel. Garden Linux uses LTS kernel versions that receive extended security updates and bug fixes from the Linux kernel maintainers.


M

Major Version

The first number in Garden Linux's semantic versioning scheme (e.g., the "2017" in "2017.0.0"). Major versions may include breaking changes or significant architectural shifts. See ADR-0011 for the complete versioning strategy.

Metal

The metal feature is of type element. It provides standard kernel modules and physical hardware components for use on top of a platform feature. It is distinct from baremetal, which is the platform feature for running Garden Linux directly on physical hardware. See Bare Metal and Element.

Minimal Feature Set

The minimal feature set is the subset of the resolved feature set whose members are not pulled in transitively by any other selected feature. The cname is derived from the minimal feature set. See ADR 0035 for details.

Minor Version

The second number in Garden Linux's semantic versioning scheme (e.g., the "0" in "2017.0.0"). Minor versions typically add features or improvements in a backwards-compatible manner. See ADR-0011 for details.


N

Nightly Release

Automated builds of Garden Linux that occur on a regular schedule from the latest development code. Nightly releases are tagged as nightly and do not include maintenance commitments or updates. They are intended for testing and feedback, not production use.


O

OCI (OCI Image Format)

OCI Image Format. A container image specification defined by the Open Container Initiative. Garden Linux provides OCI-formatted container images. See First Boot as OCI image and the OCI platform guide for usage details.

OpenSSL

The cryptographic library used by Garden Linux. Garden Linux uses OpenSSL 3.5 by default.

OpenStack

An open-source cloud computing platform. Garden Linux provides OpenStack-specific images through the openstack platform feature.

OpenTofu

An open-source infrastructure-as-code tool (a community fork of Terraform) used by the Garden Linux test suite to provision cloud infrastructure for platform tests. When running cloud-based tests, the tests-ng framework calls OpenTofu to deploy the image under test to the target cloud provider and tears down the resources after the test run completes. See tests-ng and OpenTofu documentation.


P

package-build

The gardenlinux/package-build repository providing the tooling and scripts used to build Garden Linux custom packages. Individual packages are maintained in separate package-* repositories (for example, package-containerd, package-openssh), each of which uses the common tooling from package-build to produce APT-installable .deb artifacts. See Garden Linux Packaging explanation and repo-debian-snapshot for the snapshot repository used as a build input.

Patch Version

The third number in Garden Linux's semantic versioning scheme (e.g., the "0" in "2017.0.0"). Patch versions contain backwards-compatible bug fixes and security updates. See ADR-0011 for details.

Platform

A feature of type platform represents the deployment target — the combination of hardware, firmware, and cloud or hypervisor environment the image is intended to run on. A well-formed build must contain exactly one platform feature. Examples: aws, azure, baremetal, container, gcp, kvm. The single authoritative platform identifier for a running image is available in GARDENLINUX_PLATFORM in /etc/os-release. See ADR 0034 for the authoritative definition, ADR-0020 for the single-platform enforcement rule, and GARDENLINUX_PLATFORM.

Podman

A daemonless container engine for developing, managing, and running OCI containers. Garden Linux uses rootless Podman by default for building images, though other container engines can be used with the --container-engine flag.

PR References

Pull Request references in commit messages. See ADR-0014 for the requirement to enforce PR references in commits.

python-gardenlinux-lib

The python-gardenlinux-lib repository containing Python libraries and utilities for working with Garden Linux. See ADR-0030 for the architectural decision to create this library.


R

Release

A stable, versioned distribution of Garden Linux following semantic versioning. Releases are published on GitHub Releases and GitHub Packages. See ADR-0011 for the versioning strategy and ADR-0015 for the policy on backports from stable branches.

repo-debian-snapshot

The gardenlinux/repo-debian-snapshot repository that creates and maintains timestamped snapshots of the Debian testing repository. These snapshots are used as the APT source for Garden Linux builds, ensuring reproducibility: every build references a fixed, immutable snapshot rather than a live Debian mirror. Snapshots are hosted on Amazon S3 and mirrored to the GitHub Container Registry. See Repository Infrastructure explanation.

Rootless Podman

Running Podman without requiring root privileges. Garden Linux builds use rootless Podman by default, enhancing security by avoiding privileged operations during the build process.


S

sapmachine

An OpenJDK release maintained and supported by SAP. Garden Linux provides sapmachine as the sapmachine element feature, which installs the SapMachine Java runtime. The feature depends on _curl for package retrieval. See SapMachine project.

Secure Boot

A security feature that ensures only trusted software can boot on a system by verifying digital signatures. Garden Linux supports Secure Boot through the _secureboot feature. See ADR-0005 for details on Secure Boot keys in GLCI, and the Secure Boot documentation for usage details.

SELinux

Security-Enhanced Linux. An optional security feature available through the _selinux feature that provides mandatory access control (MAC) security mechanisms. See ADR-0029 for the decision regarding SELinux in permissive mode for CIS compliance.

Semver

Semantic Versioning. Garden Linux follows the semver specification (MAJOR.MINOR.PATCH) starting with version 2017.0.0. See ADR-0011 for the complete versioning strategy and semver.org for the specification.

STIG

Security Technical Implementation Guide. Garden Linux provides optional STIG compliance through the stig and stigDev features, based on DISA (Defense Information Systems Agency) security standards.

systemd

The system and service manager used by Garden Linux. Garden Linux is purely systemd-based, using systemd-networkd for networking, systemd for service management, and other systemd components. See ADR-0019 for the decision to standardize on systemd timers, and ADR-0027 regarding the removal of systemd-rc.


T

tests

The Garden Linux test framework. The framework lives in the tests/ directory of the gardenlinux/gardenlinux repository and is sometimes referred to as test-ng in ADR filenames. tests-ng is a pytest-based system that supports chroot, QEMU, and cloud-based test execution. Key design decisions: tests are non-invasive and read-only by default; test logic is unified and declarative; host dependencies are kept minimal. See ADR-0006 (new test framework), ADR-0007 (non-invasive testing), ADR-0008 (unified test logic), ADR-0010 (incremental migration), ADR-0016 (minimal host dependencies), ADR-0021 (tiger tool usage), ADR-0022 (system state diffing), and ADR-0026 (when-to parsers).

TPM2

Trusted Platform Module 2.0. A hardware-based security feature that can be enabled with the _tpm2 feature for secure key storage and system integrity verification.

Trusted Boot

An extension to Secure Boot that provides additional system integrity verification throughout the boot process. Garden Linux supports Trusted Boot through the _trustedboot feature.


U

Unit Tests

Automated tests that validate the correct functionality of a Garden Linux image after it's created. Unit tests verify that the image contains expected packages, configurations, and behaviors. See ADR-0013 for the decision to discontinue certain package must-have tests, and ADR-0025 for the decision to disable debsums tests.

USI (Unified System Image)

A boot approach where the Linux kernel, initramfs, and root filesystem are combined into a single Unified Kernel Image (UKI) with an embedded EROFS root disk. The _usi flag feature enables this mode in Garden Linux. USI images boot without a separate root partition and include the _nocrypt and _unsigned features by default; they are incompatible with the _legacy feature.


V

Virtual Machine Image

A Garden Linux image formatted for use with hypervisors like KVM, VMware, or cloud platform virtualization systems.

VMware

A virtualization platform supported by Garden Linux. Garden Linux provides VMware-specific images through the vmware platform feature, including support for OVA (Open Virtual Appliance) format.