summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-08 06:09:38 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-08 06:09:38 +0000
commita0834ebcaa12d126a20e07b6502121e1dc58c9b9 (patch)
treedd4b127209355e93fcb728027776caba5cda2175 /doc
parent1741eab29cacbe9bc0ada51f60496774eb177cc9 (diff)
downloadgitlab-ce-a0834ebcaa12d126a20e07b6502121e1dc58c9b9.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r--doc/ci/caching/index.md162
-rw-r--r--doc/ci/pipelines/pipeline_efficiency.md2
-rw-r--r--doc/user/application_security/terminology/index.md20
3 files changed, 80 insertions, 104 deletions
diff --git a/doc/ci/caching/index.md b/doc/ci/caching/index.md
index 04e8d3a97b6..2eb8ad47951 100644
--- a/doc/ci/caching/index.md
+++ b/doc/ci/caching/index.md
@@ -11,48 +11,49 @@ GitLab CI/CD provides a caching mechanism that can be used to save time
when your jobs are running.
Caching is about speeding the time a job is executed by reusing the same
-content of a previous job. It can be particularly useful when you are
+content of a previous job. Use caching when you are
developing software that depends on other libraries which are fetched via the
internet during build time.
If caching is enabled, it's shared between pipelines and jobs at the project
-level by default, starting from GitLab 9.0. Caches are not shared across
-projects.
+level by default. Caches are not shared across projects.
Make sure you read the [`cache` reference](../yaml/README.md#cache) to learn
how it is defined in `.gitlab-ci.yml`.
## Cache vs artifacts
-Be careful if you use cache and artifacts to store the same path in your jobs
-as **caches are restored before artifacts** and the content could be overwritten.
+If you use cache and artifacts to store the same path in your jobs, the cache might
+be overwritten because caches are restored before artifacts.
Don't use caching for passing artifacts between stages, as it is designed to store
runtime dependencies needed to compile the project:
- `cache`: **For storing project dependencies**
- Caches are used to speed up runs of a given job in **subsequent pipelines**, by
- storing downloaded dependencies so that they don't have to be fetched from the
- internet again (like npm packages, Go vendor packages, etc.) While the cache could
- be configured to pass intermediate build results between stages, this should be
- done with artifacts instead.
+ Caches can increase the speed of a given job in subsequent pipelines. You can
+ store downloaded dependencies so that they don't have to be fetched from the
+ internet again. Dependencies include things like npm packages, Go vendor packages, and so on.
+ You can configure a cache to pass intermediate build results between stages,
+ but you should use artifacts instead.
- `artifacts`: **Use for stage results that are passed between stages.**
- Artifacts are files generated by a job which are stored and uploaded, and can then
- be fetched and used by jobs in later stages of the **same pipeline**. In other words,
- [you can't create an artifact in job-A in stage-1, and then use this artifact in job-B in stage-1](https://gitlab.com/gitlab-org/gitlab/-/issues/25837).
- This data is be available in different pipelines, but is available to be downloaded
+ Artifacts are files that are generated by a job so they can be stored and uploaded. You can
+ fetch and use artifacts in jobs in later stages of the same pipeline. You can't
+ create an artifact in a job in one stage, and use this artifact in a different job in
+ the same stage. This data is not available in different pipelines, but can be downloaded
from the UI.
-The name `artifacts` sounds like it's only useful outside of the job, like for downloading
-a final image, but artifacts are also available in later stages within a pipeline.
-So if you build your application by downloading all the required modules, you might
-want to declare them as artifacts so that subsequent stages can use them. There are
-some optimizations like declaring an [expiry time](../yaml/README.md#artifactsexpire_in)
-so you don't keep artifacts around too long, or using [dependencies](../yaml/README.md#dependencies)
-to control which jobs fetch the artifacts.
+ If you download modules while building your application, you can declare them as
+ artifacts and subsequent stage jobs can use them.
+
+ You can define an [expiry time](../yaml/README.md#artifactsexpire_in) so artifacts
+ are deleted after a defined time. Use [dependencies](../yaml/README.md#dependencies)
+ to control which jobs fetch the artifacts.
+
+ Artifacts can also be used to make files available for download after a pipeline
+ completes, like a build image.
Caches:
@@ -68,7 +69,7 @@ Artifacts:
- Are disabled if not defined per job (using `artifacts:`).
- Can only be enabled per job, not globally.
-- Are created during a pipeline and can be used by the subsequent jobs of that currently active pipeline.
+- Are created during a pipeline and can be used by subsequent jobs in the same pipeline.
- Are always uploaded to GitLab (known as coordinator).
- Can have an expiration value for controlling disk usage (30 days by default).
@@ -77,12 +78,8 @@ can't link to files outside it.
## Good caching practices
-We have the cache from the perspective of the developers (who consume a cache
-within the job) and the cache from the perspective of the runner. Depending on
-which type of runner you are using, cache can act differently.
-
-From the perspective of the developer, to ensure maximum availability of the
-cache, when declaring `cache` in your jobs, use one or a mix of the following:
+To ensure maximum availability of the cache, when you declare `cache` in your jobs,
+use one or more of the following:
- [Tag your runners](../runners/README.md#use-tags-to-limit-the-number-of-jobs-using-the-runner) and use the tag on jobs
that share their cache.
@@ -92,13 +89,7 @@ cache, when declaring `cache` in your jobs, use one or a mix of the following:
different caches on each branch). For that, you can take advantage of the
[CI/CD predefined variables](../variables/README.md#predefined-environment-variables).
-NOTE:
-Using the same runner for your pipeline, is the most simple and efficient way to
-cache files in one stage or pipeline, and pass this cache to subsequent stages
-or pipelines in a guaranteed manner.
-
-From the perspective of the runner, in order for cache to work effectively, one
-of the following must be true:
+For runners to work with caches efficiently, you must do one of the following:
- Use a single runner for all your jobs.
- Use multiple runners (in autoscale mode or not) that use
@@ -108,11 +99,10 @@ of the following must be true:
share a common network-mounted directory (using NFS or something similar)
where the cache is stored.
-NOTE:
Read about the [availability of the cache](#availability-of-the-cache)
to learn more about the internals and get a better idea how cache works.
-### Sharing caches across the same branch
+### Share caches across the same branch
Define a cache with the `key: ${CI_COMMIT_REF_SLUG}` so that jobs of each
branch always use the same cache:
@@ -122,10 +112,9 @@ cache:
key: ${CI_COMMIT_REF_SLUG}
```
-While this feels like it might be safe from accidentally overwriting the cache,
-it means merge requests get slow first pipelines, which might be a bad
-developer experience. The next time a new commit is pushed to the branch, the
-cache is re-used.
+This configuration is safe from accidentally overwriting the cache, but merge requests
+get slow first pipelines. The next time a new commit is pushed to the branch, the
+cache is re-used and jobs run faster.
To enable per-job and per-branch caching:
@@ -134,31 +123,30 @@ cache:
key: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
```
-To enable per-branch and per-stage caching:
+To enable per-stage and per-branch caching:
```yaml
cache:
key: "$CI_JOB_STAGE-$CI_COMMIT_REF_SLUG"
```
-### Sharing caches across different branches
+### Share caches across different branches
-If the files you are caching need to be shared across all branches and all jobs,
-you can use the same key for all of them:
+To share a cache across all branches and all jobs, use the same key for everything:
```yaml
cache:
key: one-key-to-rule-them-all
```
-To share the same cache between branches, but separate them by job:
+To share caches between branches, but have a unique cache for each job:
```yaml
cache:
key: ${CI_JOB_NAME}
```
-### Disabling cache on specific jobs
+### Disable cache on specific jobs
If you have defined the cache globally, it means that each job uses the
same definition. You can override this behavior per-job, and if you want to
@@ -169,7 +157,7 @@ job:
cache: {}
```
-### Inherit global config, but override specific settings per job
+### Inherit global configuration, but override specific settings per job
You can override cache settings without overwriting the global cache by using
[anchors](../yaml/README.md#anchors). For example, if you want to override the
@@ -197,20 +185,19 @@ For more fine tuning, read also about the
## Common use cases
-The most common use case of cache is to preserve contents between subsequent
-runs of jobs for things like dependencies and commonly used libraries
-(Node.js packages, PHP packages, rubygems, Python libraries, etc.),
-so they don't have to be re-fetched from the public internet.
+The most common use case of caching is to avoid downloading content like dependencies
+or libraries repeatedly between subsequent runs of jobs. Node.js packages,
+PHP packages, Ruby gems, Python libraries, and others can all be cached.
For more examples, check out our [GitLab CI/CD templates](https://gitlab.com/gitlab-org/gitlab/tree/master/lib/gitlab/ci/templates).
-### Caching Node.js dependencies
+### Cache Node.js dependencies
-Assuming your project is using [npm](https://www.npmjs.com/) to install the Node.js
+If your project is using [npm](https://www.npmjs.com/) to install the Node.js
dependencies, the following example defines `cache` globally so that all jobs inherit it.
-By default, npm stores cache data in the home folder `~/.npm` but since
-[you can't cache things outside of the project directory](../yaml/README.md#cachepaths),
-we tell npm to use `./.npm` instead, and it is cached per-branch:
+By default, npm stores cache data in the home folder `~/.npm` but you
+[can't cache things outside of the project directory](../yaml/README.md#cachepaths).
+Instead, we tell npm to use `./.npm`, and cache it per-branch:
```yaml
#
@@ -253,7 +240,7 @@ cache:
before_script:
# Install and run Composer
- - curl --show-error --silent https://getcomposer.org/installer | php
+ - curl --show-error --silent "https://getcomposer.org/installer" | php
- php composer.phar install
test:
@@ -355,17 +342,18 @@ test:
## Availability of the cache
-Caching is an optimization, but isn't guaranteed to always work, so you need to
+Caching is an optimization, but it isn't guaranteed to always work. You need to
be prepared to regenerate any cached files in each job that needs them.
-Assuming you have properly [defined `cache` in `.gitlab-ci.yml`](../yaml/README.md#cache)
-according to your workflow, the availability of the cache ultimately depends on
-how the runner has been configured (the executor type and whether different
-runners are used for passing the cache between jobs).
+After you have defined a [cache in `.gitlab-ci.yml`](../yaml/README.md#cache),
+the availability of the cache depends on:
+
+- The runner's executor type
+- Whether different runners are used to pass the cache between jobs.
### Where the caches are stored
-Since the runner is the one responsible for storing the cache, it's essential
+The runner is responsible for storing the cache, so it's essential
to know **where** it's stored. All the cache paths defined under a job in
`.gitlab-ci.yml` are archived in a single `cache.zip` file and stored in the
runner's configured cache location. By default, they are stored locally in the
@@ -379,11 +367,7 @@ machine where the runner is installed and depends on the type of the executor.
### How archiving and extracting works
-In the most simple scenario, consider that you use only one machine where the
-runner is installed, and all jobs of your project run on the same host.
-
-Let's see the following example of two jobs that belong to two consecutive
-stages:
+This example has two jobs that belong to two consecutive stages:
```yaml
stages:
@@ -415,7 +399,8 @@ job B:
- vendor/
```
-Here's what happens behind the scenes:
+If you have one machine with one runner installed, and all jobs for your project
+run on the same host:
1. Pipeline starts.
1. `job A` runs.
@@ -432,10 +417,9 @@ Here's what happens behind the scenes:
1. Pipeline finishes.
By using a single runner on a single machine, you don't have the issue where
-`job B` might execute on a runner different from `job A`, thus guaranteeing the
-cache between stages. That only works if the build goes from stage `build`
-to `test` in the same runner/machine, otherwise, you [might not have the cache
-available](#cache-mismatch).
+`job B` might execute on a runner different from `job A`. This setup guarantees the
+cache can be reused between stages. It only works if the execution goes from the `build` stage
+to the `test` stage in the same runner/machine. Otherwise, the cache [might not be available](#cache-mismatch).
During the caching process, there's also a couple of things to consider:
@@ -449,10 +433,10 @@ During the caching process, there's also a couple of things to consider:
pulled down), and the runner doesn't mind if the archive of `job A` overwrites
things in the archive of `job B`.
-The reason why it works this way is because the cache created for one runner
-often isn't valid when used by a different one which can run on a
-**different architecture** (e.g., when the cache includes binary files). And
-since the different steps might be executed by runners running on different
+It works this way because the cache created for one runner
+often isn't valid when used by a different one. A different runner may run on a
+different architecture (for example, when the cache includes binary files). Also,
+because the different steps might be executed by runners running on different
machines, it is a safe default.
### Cache mismatch
@@ -464,7 +448,7 @@ mismatch and a few ideas how to fix it.
| -------------------------- | ------------- |
| You use multiple standalone runners (not in autoscale mode) attached to one project without a shared cache | Use only one runner for your project or use multiple runners with distributed cache enabled |
| You use runners in autoscale mode without a distributed cache enabled | Configure the autoscale runner to use a distributed cache |
-| The machine the runner is installed on is low on disk space or, if you've set up distributed cache, the S3 bucket where the cache is stored doesn't have enough space | Make sure you clear some space to allow new caches to be stored. Currently, there's no automatic way to do this. |
+| The machine the runner is installed on is low on disk space or, if you've set up distributed cache, the S3 bucket where the cache is stored doesn't have enough space | Make sure you clear some space to allow new caches to be stored. There's no automatic way to do this. |
| You use the same `key` for jobs where they cache different paths. | Use different cache keys to that the cache archive is stored to a different location and doesn't overwrite wrong caches. |
Let's explore some examples.
@@ -472,12 +456,10 @@ Let's explore some examples.
#### Examples
Let's assume you have only one runner assigned to your project, so the cache
-is stored in the runner's machine by default. If two jobs, A and B,
-have the same cache key, but they cache different paths, cache B would overwrite
-cache A, even if their `paths` don't match:
+is stored in the runner's machine by default.
-We want `job A` and `job B` to re-use their
-cache when the pipeline is run for a second time.
+Two jobs could cause caches to be overwritten if they have the same cache key, but
+they cache a different path:
```yaml
stages:
@@ -538,9 +520,8 @@ job B:
- vendor/
```
-In that case, even if the `key` is different (no fear of overwriting), you
-might experience that the cached files "get cleaned" before each stage if the
-jobs run on different runners in the subsequent pipelines.
+Even if the `key` is different, the cached files might get "cleaned" before each
+stage if the jobs run on different runners in the subsequent pipelines.
## Clearing the cache
@@ -559,7 +540,7 @@ next run of the pipeline, the cache is stored in a different location.
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41249) in GitLab 10.4.
-If you want to avoid editing `.gitlab-ci.yml`, you can easily clear the cache
+If you want to avoid editing `.gitlab-ci.yml`, you can clear the cache
via GitLab's UI:
1. Navigate to your project's **CI/CD > Pipelines** page.
@@ -569,11 +550,6 @@ via GitLab's UI:
1. On the next push, your CI/CD job uses a new cache.
-Behind the scenes, this works by increasing a counter in the database, and the
-value of that counter is used to create the key for the cache by appending an
-integer to it: `-1`, `-2`, etc. After a push, a new key is generated and the
-old cache is not valid anymore.
-
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/ci/pipelines/pipeline_efficiency.md b/doc/ci/pipelines/pipeline_efficiency.md
index 2693816d8c9..a78c9e1b26b 100644
--- a/doc/ci/pipelines/pipeline_efficiency.md
+++ b/doc/ci/pipelines/pipeline_efficiency.md
@@ -190,7 +190,7 @@ be more efficient, but can also make pipelines harder to understand and analyze.
### Caching
Another optimization method is to [cache](../caching/index.md) dependencies. If your
-dependencies change rarely, like [NodeJS `/node_modules`](../caching/index.md#caching-nodejs-dependencies),
+dependencies change rarely, like [NodeJS `/node_modules`](../caching/index.md#cache-nodejs-dependencies),
caching can make pipeline execution much faster.
You can use [`cache:when`](../yaml/README.md#cachewhen) to cache downloaded dependencies
diff --git a/doc/user/application_security/terminology/index.md b/doc/user/application_security/terminology/index.md
index 26f89491048..e046b18b2a4 100644
--- a/doc/user/application_security/terminology/index.md
+++ b/doc/user/application_security/terminology/index.md
@@ -5,16 +5,16 @@ info: To determine the technical writer assigned to the Stage/Group associated w
type: reference
---
-# Secure and Defend terminology
+# Secure and Protect terminology
-This terminology list for GitLab Secure and Defend aims to:
+This terminology list for GitLab Secure and Protect aims to:
- Promote a ubiquitous language for discussing application security.
-- Improve the effectiveness of communication regarding GitLab's application security features.
+- Improve the effectiveness of communication regarding GitLab application security features.
- Get new contributors up to speed faster.
-This document defines application security terms in the specific context of GitLab's Secure and
-Defend products. Terms may therefore have different meanings outside of GitLab Secure and Defend.
+This document defines application security terms in the specific context of GitLab Secure and
+Protect features. Terms may therefore have different meanings outside that context.
## Terms
@@ -24,7 +24,7 @@ Software that performs a scan. The scan analyzes an attack surface for vulnerabi
a report containing findings. Reports adhere to the [Secure report format](#secure-report-format).
Analyzers integrate into GitLab using a CI job. The report produced by the analyzer is published as
-an artifact once the job is complete. GitLab ingests this report, allowing users to visualize and
+an artifact after the job is complete. GitLab ingests this report, allowing users to visualize and
manage found vulnerabilities. For more information, see [Security Scanner Integration](../../../development/integrations/secure.md).
Many GitLab analyzers follow a standard approach using Docker to run a wrapped scanner. For example,
@@ -74,7 +74,7 @@ or creating a merge request.
### Finding
-An asset that has the potential to be vulnerable, identified within a project by an analyzer. Assets
+An asset that has the potential to be vulnerable, identified in a project by an analyzer. Assets
include but are not restricted to source code, binary packages, containers, dependencies, networks,
applications, and infrastructure.
@@ -98,9 +98,9 @@ A finding's primary identifier is a value unique to that finding. The external t
of the finding's [first identifier](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v2.4.0-rc1/dist/sast-report-format.json#L228)
combine to create the value.
-Examples of primary identifiers include ZAP's `PluginID`, or `CVE` for Klar. Note that the
-identifier must be stable. Subsequent scans must return the same value for the same finding, even if
-the location has slightly changed.
+Examples of primary identifiers include `PluginID` for OWASP Zed Attack Proxy (ZAP), or `CVE` for
+Klar. Note that the identifier must be stable. Subsequent scans must return the same value for the
+same finding, even if the location has slightly changed.
### Report finding