Reference

Glossary

Over 350 definitions for every major term used across the kldload documentation. Covers OpenZFS, WireGuard, eBPF, XDP, networking, storage, virtualization, KVM, monitoring, security, operations, and kldload-specific tooling.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

ABD (Adaptive Buffer Data): An internal ZFS data structure that abstracts how data buffers are allocated and managed, allowing the kernel to use either linear or scatter-gather buffers depending on memory pressure and I/O size.
AF_XDP: A Linux address family that provides a high-performance, zero-copy path between XDP programs and user-space applications. Used to build kernel-bypass networking stacks while keeping the kernel in control of the NIC. See: XDP & TC Datapath
Alertmanager: The Prometheus component that handles alerts sent by Prometheus server. It deduplicates, groups, routes, and silences alerts, then dispatches notifications to receivers like email, Slack, or PagerDuty. See: Monitoring Stack
AllowedIPs: In WireGuard, the list of IP ranges that a peer is allowed to send traffic from or receive traffic to. Functions as both a routing table and an access control list. See: WireGuard Basics
Ansible: An agentless configuration management and automation tool that uses SSH to push changes to remote hosts. kldload postinstallers can be written as Ansible playbooks. See: Automation
answers file: A file containing environment variables that drive an unattended kldload installation. The web UI writes this file; kldload-install-target reads it to determine distro, profile, disk layout, and networking. See: Unattended Install
AppArmor: A Linux security module that confines programs to a limited set of resources using per-program profiles. Used by Debian and Ubuntu as an alternative to SELinux. See: Security
ARC (Adaptive Replacement Cache): ZFS's in-memory read cache that adaptively balances between recently-used and frequently-used data. Typically consumes up to half of system RAM and is the primary reason ZFS performs well on repeated reads. See: Memory & ARC
ARP (Address Resolution Protocol): A Layer 2 protocol that maps IP addresses to MAC addresses on a local network segment. ARP requests are broadcast; ARP replies are unicast.
ashift: A ZFS pool property that sets the minimum block allocation size as a power of two. Use ashift=12 for 4K-sector disks (all modern drives) and ashift=13 for some NVMe devices. Cannot be changed after pool creation. See: Pool Design
ASN (Autonomous System Number): A unique number assigned to a network or group of networks under a single administrative domain for BGP routing. Private ASNs (64512-65534) are used in internal BGP deployments.
atime: A ZFS dataset property that controls whether file access times are updated on every read. Disabling atime (zfs set atime=off) reduces unnecessary write I/O. See also: relatime. See: Tuning for Workloads
audit: The Linux audit subsystem (auditd) that logs security-relevant events such as file access, system calls, and authentication attempts. kldload configures audit rules aligned with DISA STIG baselines. See: Audit & Trust
backplane: A dedicated WireGuard network (typically wg0) used for management traffic between nodes. Carries SSH, Ansible, and control-plane communication, isolated from data and storage traffic. See: Backplane Networks
beaconing: A pattern where compromised hosts periodically contact an external command-and-control server at regular intervals. eBPF network monitors can detect beaconing by analyzing outbound connection timing and frequency. See: eBPF Security
BCC (BPF Compiler Collection): A toolkit for creating eBPF-based kernel tracing and manipulation programs. Includes ready-made tools like opensnoop, execsnoop, and tcplife. See: eBPF Reference
BFD (Bidirectional Forwarding Detection): A lightweight protocol that detects link failures in milliseconds, used alongside BGP or OSPF to trigger fast failover when a path goes down.
BGP (Border Gateway Protocol): The routing protocol that glues the internet together. In kldload deployments, iBGP over WireGuard tunnels distributes routes between sites using BIRD or FRRouting. See: BIRD & BGP
BIRD: An open-source routing daemon that implements BGP, OSPF, and other protocols. kldload uses BIRD for dynamic routing across WireGuard mesh networks. See: BIRD & BGP
block cloning (ZFS): A ZFS feature (OpenZFS 2.2+) that enables instant file copies by referencing the same on-disk blocks instead of duplicating data. Similar to reflinks on btrfs, but integrated with ZFS copy-on-write semantics.
block device: A storage device that provides random access to fixed-size blocks of data (typically 512 bytes or 4K). Disks, partitions, LVM volumes, and zvols are all block devices.
bloom filter (BPF): An eBPF map type that provides space-efficient probabilistic set membership testing. Used in high-throughput packet filtering and DDoS mitigation to quickly check if an element might be in a set. See: eBPF Reference
blue/green deployment: A release strategy that maintains two identical environments (blue and green). Traffic is switched from one to the other after validation, enabling instant rollback. ZFS boot environments provide this at the OS level. See: Blue/Green & SRE
bookmark (ZFS): A lightweight reference to a snapshot's transaction group, used for incremental send without retaining the full snapshot. Bookmarks consume almost no space and allow the source snapshot to be destroyed while still enabling incremental replication. See: Snapshots & Replication
boot environment: A ZFS clone of the root filesystem that can be booted independently. Allows upgrading or patching in a clone, then switching to it atomically. If the upgrade fails, reboot into the previous environment. See: Boot Environments
BPF helper: A kernel function callable from eBPF programs that provides access to kernel facilities like map operations, time, random numbers, packet manipulation, and cgroup control. The set of available helpers depends on the program type. See: eBPF Reference
BPF map: A key-value data structure shared between eBPF programs running in the kernel and user-space applications. Used to pass configuration in and telemetry out. See: eBPF Reference
BPF verifier: The in-kernel static analysis engine that checks every eBPF program before loading. Ensures programs terminate, do not access out-of-bounds memory, and follow safety rules. Programs that fail verification are rejected. See: eBPF Security
bpftrace: A high-level tracing language for eBPF, similar to awk or DTrace. Lets you write one-liner probes for kernel and user-space events without compiling C. See: Custom eBPF Programs
bridge: A virtual Layer 2 switch in the Linux kernel that connects network interfaces, VMs, and containers on the same broadcast domain. Created with ip link add type bridge or via NetworkManager/systemd-networkd.
BTF (BPF Type Format): A compact metadata format that describes kernel data structures, enabling eBPF programs compiled on one kernel to run on another without recompilation (CO-RE). See: eBPF Reference
btrfs: A copy-on-write Linux filesystem with built-in snapshots and RAID. Sometimes compared to ZFS, but lacks ZFS's mature RAID-Z, native encryption, and send/receive replication. See: ZFS vs Everything Else
burn rate: The speed at which an error budget is being consumed relative to the SLO window. A burn rate of 1.0 means the budget will be exactly exhausted by the end of the window; higher values trigger alerts. See: Blue/Green & SRE
C2 (Command and Control): The infrastructure an attacker uses to communicate with and control compromised hosts. eBPF-based network monitors can detect C2 traffic by identifying beaconing patterns, unusual DNS queries, or connections to known-bad destinations. See: eBPF Security
cachefile (ZFS): A ZFS pool property (cachefile) that specifies where pool configuration is stored for automatic import at boot. Set to /etc/zfs/zpool.cache by default, or none to prevent auto-import. See: Boot Chain
canary deployment: A release strategy that routes a small percentage of traffic to a new version before rolling it out fully. If error rates spike, the canary is killed and traffic stays on the old version. See: Blue/Green & SRE
CAP_BPF: A Linux capability that grants permission to load eBPF programs into the kernel without requiring full root. Introduced in Linux 5.8 to allow least-privilege eBPF usage. See: eBPF Security
capacity planning: The process of forecasting future resource needs (CPU, RAM, disk, network) based on current usage trends and growth projections. ZFS compression ratios and ARC hit rates are key inputs for storage capacity planning. See: Operations Guide
cgroup (control group): A Linux kernel mechanism that limits, accounts for, and isolates resource usage (CPU, memory, I/O, network) of process groups. Containers and systemd services use cgroups for resource management. eBPF programs can attach to cgroup hooks for per-container networking and access control.
CDN (Content Delivery Network): A geographically distributed network of servers that cache and serve content close to end users, reducing latency and offloading origin servers.
certificate: An X.509 document that binds a public key to an identity (hostname, IP, or organization). Used in TLS to authenticate servers and, with mTLS, clients. See: TLS & PKI
checksum: ZFS computes a checksum (SHA-256 or fletcher4) for every block of data and stores it in the parent block pointer. This detects silent data corruption (bit rot) on every read. See: ZFS Overview
CI/CD (Continuous Integration / Continuous Delivery): A practice where code changes are automatically built, tested, and deployed. kldload's image factory uses CI/CD to produce golden images from postinstallers. See: Packer & IaC
CIDR (Classless Inter-Domain Routing): A notation for IP addresses and their associated subnet masks, written as address/prefix-length (e.g., 10.0.0.0/24). Replaced the old Class A/B/C system.
Cilium: A CNI plugin that uses eBPF to provide networking, observability, and security for Kubernetes and other container platforms. Replaces iptables/nftables with in-kernel eBPF programs for packet processing. See: Cilium
clone (ZFS): A writable copy of a ZFS snapshot. Clones share all blocks with their parent snapshot until divergence, making them nearly instant and space-free to create. Boot environments are implemented as clones. See: Snapshots & Replication
cloud-init: An industry-standard tool for initializing cloud instances on first boot. Configures hostname, SSH keys, networking, and runs user-data scripts. kldload golden images are sealed with cloud-init for cloning. See: Cloud & Packer
cloud-init datasource: A cloud-init module that knows how to retrieve instance metadata and user-data from a specific source (NoCloud, GCE, EC2, Azure, etc.). kldload golden images use a multi-datasource configuration to work across hypervisors and clouds. See: Cloud & Packer
cls_bpf: A TC (Traffic Control) classifier that executes eBPF programs to classify, filter, or modify network packets at the qdisc layer. Provides a programmable alternative to traditional TC filters like u32. See: XDP & TC Datapath
CMVP (Cryptographic Module Validation Program): A joint US/Canadian program that validates cryptographic modules against the FIPS 140 standard. Required for federal and regulated environments. See: FIPS 140-3 Compliance
compression (ZFS): ZFS can transparently compress data on disk using LZ4 (fast, default), ZSTD (better ratio), or GZIP (best ratio, slowest). LZ4 is recommended for almost all workloads because it compresses faster than disks can write. See: Compression & Dedup
compressratio (ZFS): A read-only ZFS property that reports the ratio of uncompressed data to compressed data for a dataset. A compressratio of 2.0x means data occupies half the expected disk space. See: Compression & Dedup
container: An isolated user-space environment that shares the host kernel but has its own filesystem, process tree, and network stack. Created via namespaces and cgroups. Docker and Podman are common container runtimes. See: Docker & Podman on ZFS
container escape: A security breach where a process inside a container breaks out of its isolation to access the host system or other containers. eBPF-based security tools detect escapes by monitoring syscall patterns and namespace transitions. See: eBPF Security
copy-on-write (CoW): A data management strategy where modified blocks are written to new locations rather than overwriting in place. ZFS and btrfs both use CoW, which enables atomic writes, snapshots, and self-healing without a journal. See: ZFS Overview
CO-RE (Compile Once, Run Everywhere): An eBPF development approach that uses BTF type information so programs compiled on one kernel version run on others without recompilation. Eliminates the need to ship kernel headers. See: eBPF Reference
cryptokey routing: WireGuard's model where each peer's public key is associated with a set of allowed IP ranges. The routing table and access control are unified into a single cryptographic identity. See: WireGuard
cryptojacking: An attack where an adversary hijacks compute resources to mine cryptocurrency without the owner's knowledge. eBPF CPU profiling can detect cryptojacking by identifying anomalous CPU consumption patterns. See: eBPF Security
darksite: A local package mirror baked into the kldload ISO, enabling fully offline installation. RPM darksites use file:// paths; Debian/Ubuntu darksites are served over HTTP on ports 3142/3143. See: Editions & Profiles
dataset (ZFS): A ZFS filesystem, volume, snapshot, or bookmark. Datasets are the fundamental organizational unit in ZFS and are arranged in a hierarchy under a pool (e.g., rpool/ROOT/default). See: ZFS Overview
DDoS mitigation: Techniques for defending against distributed denial-of-service attacks. XDP programs can drop malicious packets at line rate before they enter the kernel networking stack, making eBPF/XDP one of the most efficient DDoS mitigation approaches. See: XDP & TC Datapath
DDT (Dedup Table): The in-memory table ZFS maintains to track duplicate blocks when deduplication is enabled. Each entry requires roughly 320 bytes of RAM. The DDT is the primary reason dedup is memory-intensive. See: Compression & Dedup
deduplication (ZFS): A ZFS feature that eliminates duplicate blocks at the pool level by maintaining an in-memory dedup table (DDT). Requires significant RAM (roughly 5 GB per TB of data) and is rarely worth enabling outside specific workloads. See: Compression & Dedup
debootstrap: A tool that installs a Debian or Ubuntu base system into a subdirectory. kldload uses debootstrap for Debian and Ubuntu target installations, bootstrapping the root filesystem from darksite APT mirrors. See: Editions & Profiles
DHCP (Dynamic Host Configuration Protocol): A protocol that automatically assigns IP addresses, gateways, and DNS servers to devices on a network. Most kldload systems use static IPs for servers and DHCP for desktop profiles.
DISA STIG: Security Technical Implementation Guides published by the US Defense Information Systems Agency. kldload's security profile applies STIG-aligned hardening rules for CentOS, RHEL, and Rocky. See: Security Hardening
dnf: The package manager for Fedora, CentOS Stream, RHEL, and Rocky Linux. kldload uses dnf --installroot to bootstrap RPM-based target systems and dnf download to build RPM darksites. See: Package Management
DKMS (Dynamic Kernel Module Support): A framework that automatically rebuilds kernel modules (like ZFS) when a new kernel is installed. Ensures ZFS stays functional across kernel upgrades without manual intervention. See: Build ZFS from Scratch
dnodesize (ZFS): A ZFS dataset property that controls the size of dnodes (metadata structures). Larger dnodes (e.g., dnodesize=auto) store extended attributes and system attributes inline, improving metadata performance at the cost of slightly more space. See: Tuning for Workloads
DNS (Domain Name System): The hierarchical naming system that translates domain names (e.g., kldload.com) to IP addresses. kldload supports configuring local DNS resolvers and DNSSEC validation. See: DNS
DNSSEC: A set of extensions to DNS that provide cryptographic authentication of DNS responses, preventing cache poisoning and man-in-the-middle attacks on name resolution. See: DNS
dracut: An initramfs generator used on RHEL-family and Fedora systems. Assembles the initial RAM filesystem with required kernel modules, firmware, and boot scripts. kldload uses dracut to build the live ISO initramfs with ZFS support. See: Secure Boot & the Boot Chain
Docker: A container runtime and image format that popularized application containerization. kldload supports running Docker with ZFS as the storage backend for efficient layer management. See: Docker & Podman on ZFS
dRAID (Distributed RAID): A ZFS RAID topology that distributes parity and spare capacity across all drives in a vdev. Provides much faster resilver times than traditional RAIDZ because rebuilds use all drives in parallel. See: dRAID Storage
DSCP (Differentiated Services Code Point): A 6-bit field in the IP header used to classify and prioritize network traffic. nftables and eBPF programs can set or match DSCP values to implement Quality of Service (QoS) policies. See: nftables
DTrace: A comprehensive dynamic tracing framework originally from Solaris. Linux's bpftrace provides similar one-liner tracing capabilities using eBPF as the backend. Many DTrace one-liners translate directly to bpftrace syntax. See: Custom eBPF Programs
eBPF (extended Berkeley Packet Filter): A technology that allows sandboxed programs to run inside the Linux kernel without modifying kernel source or loading kernel modules. Used for networking, observability, and security. See: eBPF Reference
ECMP (Equal-Cost Multi-Path): A routing technique that distributes traffic across multiple equal-cost paths to a destination. Increases bandwidth and provides redundancy. Supported by BIRD, FRRouting, and the Linux kernel's routing table.
EDR (Endpoint Detection and Response): A category of security tools that monitor endpoints for suspicious activity, collect telemetry, and enable investigation and response. eBPF-based EDR agents provide deep kernel visibility with minimal performance overhead. See: eBPF Security
EFI (Extensible Firmware Interface): The modern firmware interface (UEFI) that replaces legacy BIOS. kldload creates an EFI System Partition with a signed bootloader chain for ZFS boot. See: Secure Boot & the Boot Chain
EFI System Partition (ESP): A FAT32 partition (typically 512 MB) on a GPT disk that contains bootloader files, kernel images, and UEFI applications. Required for UEFI booting. kldload places the unified kernel image and ZFSBootMenu on the ESP. See: Secure Boot & the Boot Chain
encryption (ZFS): Native ZFS encryption (added in OpenZFS 0.8) encrypts data at the dataset level using AES-256-GCM. Keys can be passphrases or raw key files. Encryption is inherited by child datasets. See: Encryption
endpoint (WireGuard): The IP address and UDP port of a WireGuard peer. Only one side of a tunnel needs a known endpoint; the other can be behind NAT and will be discovered after the first handshake. See: WireGuard Basics
error budget: The maximum amount of downtime or errors permitted within a given period, derived from the SLO. If the error budget is exhausted, new deployments are frozen until reliability improves. See: Blue/Green & SRE
EVPN (Ethernet VPN): A BGP-based control plane for VXLAN that provides MAC address learning, multi-tenancy, and efficient BUM (broadcast/unknown/multicast) traffic handling across Layer 2 overlay networks. See: VXLAN & EVPN
error budget (operations): In SRE practice, the maximum amount of unreliability permitted within a measurement window. When the error budget is exhausted, engineering effort shifts from feature work to reliability improvements. Derived from the SLO. See: Blue/Green & SRE
ext4: The default Linux filesystem for most distributions. Mature and fast but lacks ZFS's snapshots, checksums, compression, and self-healing capabilities. See: ZFS vs Everything Else
fast dedup (ZFS): An improved deduplication implementation in OpenZFS 2.2+ that uses a per-block-size DDT with on-disk log entries, significantly reducing memory requirements compared to the original dedup implementation. See: Compression & Dedup
feature flags (ZFS): The mechanism ZFS uses to manage on-disk format changes. Each feature can be enabled independently and has three states: disabled, enabled, and active. Feature flags replaced the old pool version numbering system. See: ZFS Overview
fentry/fexit: A newer eBPF attachment point that hooks kernel function entry and exit with lower overhead than kprobes. fentry/fexit programs can access function arguments and return values with type safety via BTF. See: eBPF Reference
file integrity monitoring: A security technique that detects unauthorized changes to critical system files by comparing current checksums against a known-good baseline. eBPF-based FIM monitors file operations in real time without scanning. See: eBPF Security
filesystem: A method for organizing and storing data on a block device. Linux supports many filesystems (ext4, XFS, ZFS, btrfs). ZFS is unique in that it combines the filesystem and volume manager into one.
FIPS 140-3: A US federal standard for cryptographic modules. kldload can be configured with FIPS-validated kernel crypto and OpenSSL modules for regulated environments. See: FIPS 140-3 Compliance
Firecracker: A lightweight VMM (virtual machine monitor) created by AWS that launches microVMs in under 125ms. Ideal for serverless workloads on ZFS-backed storage. See: Serverless / Firecracker
firewalld: A dynamic firewall manager for Linux that provides zones and services as abstractions over nftables/iptables. Default on CentOS, RHEL, Rocky, and Fedora.
flame graph: A visualization of profiled stack traces where the x-axis represents the population of stack traces and the y-axis shows call depth. Flame graphs make it easy to identify hot code paths. Generated from folded stacks produced by perf, bpftrace, or BCC tools. See: eBPF Performance
fleet management: The practice of managing a large number of servers as a single unit rather than individually. Combines golden images, automation, monitoring, and configuration management to maintain consistency across all nodes. See: Operations Guide
folded stacks: A text format where each line represents a unique stack trace with semicolon-separated frames and a count. Used as the intermediate representation between profilers (perf, bpftrace) and flame graph generators. See: Core Dumps & Stacks
fragmentation (ZFS): A measure of how scattered free space is across a ZFS pool. High fragmentation (above 50%) can degrade write performance. CoW filesystems are more prone to fragmentation than traditional ones. See: Tuning for Workloads
FRRouting: A free, open-source routing suite forked from Quagga. Supports BGP, OSPF, IS-IS, and more. An alternative to BIRD for kldload deployments that need a broader protocol set. See: BIRD & BGP
ftrace: The Linux kernel's built-in function tracer that provides low-level tracing of kernel functions, interrupts, and scheduling events. eBPF and bpftrace can use ftrace infrastructure under the hood for attaching to kernel functions. See: Tracepoints & Probes
GENEVE (Generic Network Virtualization Encapsulation): A modern tunnel encapsulation protocol designed to replace VXLAN, GRE, and others with a single extensible format. Used by Cilium and OVN for overlay networking.
GPT (GUID Partition Table): The modern disk partitioning standard that replaces MBR. Supports disks larger than 2 TB, up to 128 partitions, and stores a backup partition table at the end of the disk. Required for UEFI boot and used by all kldload installations.
ghost list (ARC): A metadata-only list in the ZFS ARC that tracks recently evicted entries. Ghost lists (one for MRU evictions, one for MFU evictions) guide the ARC's adaptive replacement algorithm by recording what would have been a hit if the cache were larger. See: Memory & ARC
golden image: A pre-built, validated OS image used as the base for all new deployments. kldload's image factory produces golden images sealed with cloud-init for consistent, repeatable provisioning. See: Cloud & Packer
Grafana: An open-source visualization and dashboarding platform that renders time-series data from sources like Prometheus, Loki, and InfluxDB. kldload monitoring stacks use Grafana for ZFS, eBPF, and system dashboards. See: Grafana / Monitoring
GRE (Generic Routing Encapsulation): A tunneling protocol that encapsulates packets inside IP packets. Simpler than IPsec but provides no encryption. Largely replaced by WireGuard and VXLAN in modern deployments.
GRUB: The GNU GRand Unified Bootloader, traditionally used to boot Linux from ZFS. kldload uses ZFSBootMenu instead, which eliminates GRUB's ZFS compatibility issues. See: ZFS Without GRUB
hairpin NAT: A NAT configuration where internal hosts can access an internal server via its external (public) IP address. The router rewrites both source and destination addresses so the return traffic routes correctly. Also called NAT loopback or NAT reflection.
handshake (WireGuard): The initial key exchange between two WireGuard peers using the Noise protocol framework. A new handshake occurs every two minutes or when a roaming peer changes IP. See: WireGuard Basics
HAProxy: A high-performance TCP/HTTP load balancer and proxy. kldload uses HAProxy for Layer 4 and Layer 7 load balancing across services in multi-node deployments. See: Load Balancing & HA
HBA (Host Bus Adapter): A hardware interface card that connects a server to storage devices (SAS, SATA, or Fibre Channel). For ZFS, use HBAs in IT mode (passthrough) rather than RAID mode so ZFS sees raw disks. See: Hardware Selection
HIDS (Host Intrusion Detection System): A security system that monitors a single host for suspicious activity by analyzing system calls, file changes, and network connections. eBPF-based HIDS provides real-time kernel-level visibility without the overhead of traditional agents. See: eBPF Security
Hubble: The observability layer built into Cilium that provides network flow visibility, DNS monitoring, and HTTP-level metrics using eBPF. See: Cilium
hypervisor: Software that creates and manages virtual machines. Type 1 (bare-metal) hypervisors like KVM run directly on hardware; Type 2 (hosted) hypervisors like VirtualBox run on top of an OS. See: KVM Virtual Machines
hugepages: Memory pages larger than the default 4K (typically 2 MB or 1 GB) that reduce TLB misses and improve performance for memory-intensive workloads like KVM virtual machines and databases. Configured via /sys/kernel/mm/hugepages/ or kernel boot parameters. See: KVM Virtual Machines
IaC (Infrastructure as Code): The practice of managing infrastructure through machine-readable configuration files rather than manual processes. Packer, Terraform, and Ansible are common IaC tools used with kldload. See: Packer & IaC
ICMP (Internet Control Message Protocol): A network protocol used for diagnostic and error messages (ping, traceroute, destination unreachable). Essential for network troubleshooting and MTU path discovery.
image-based deployment: A deployment model where servers are provisioned from pre-built golden images rather than configured in place. Provides consistency, speed, and reproducibility. kldload's image factory and kexport tool enable this workflow. See: Cloud & Packer
image factory: A CI/CD pipeline that produces golden images by running kldload installations, sealing the result with cloud-init, and exporting in various formats (qcow2, vmdk, vhd, ova, raw). See: Cloud & Packer
immutable infrastructure: An operational model where servers are never modified after deployment. Instead, changes produce a new golden image that replaces existing instances entirely. Reduces configuration drift. See: Packer & IaC
inode: A data structure in Unix-like filesystems that stores metadata about a file (permissions, timestamps, block pointers) but not the file's name or data. ZFS uses dnodes, which serve the same purpose.
initramfs: An initial RAM filesystem loaded by the bootloader before the real root filesystem is available. Contains kernel modules and scripts needed to mount root. ZFSBootMenu uses a dracut-built initramfs that includes ZFS modules. See: Secure Boot & the Boot Chain
import (pool): The ZFS operation (zpool import) that makes a pool available for use on a system. Pools must be imported after physical disk attachment or system migration. Export before moving disks between systems. See: ZFS Overview
instruction limit (BPF): The maximum number of instructions an eBPF program can execute (1 million in Linux 5.2+, previously 4096). Enforced by the verifier to guarantee programs terminate. Complex programs use tail calls or subprograms to work within this limit. See: eBPF Reference
interface (WireGuard): A virtual network device (e.g., wg0, wg1) that represents a WireGuard tunnel. Each interface has its own private key and set of peers. kldload uses multiple interfaces for plane separation. See: WireGuard
IPsec: A protocol suite for encrypting and authenticating IP packets at the network layer. More complex than WireGuard and typically used for legacy site-to-site VPNs or when standards compliance requires it.
IOMMU (Input/Output Memory Management Unit): Hardware that provides memory address translation and isolation for I/O devices. Required for PCI passthrough (VFIO) in KVM, allowing virtual machines direct access to physical hardware like GPUs and NICs. Enable via intel_iommu=on or amd_iommu=on. See: KVM Virtual Machines
iSCSI: A protocol that carries SCSI commands over TCP/IP networks, allowing remote block-device access. ZFS zvols can be exported as iSCSI targets for use by other hosts. See: NFS & iSCSI
ISO (disk image): An archive file format representing the contents of an optical disc (ISO 9660). kldload produces a bootable hybrid ISO image that can be written to USB or mounted as a virtual CDROM for installation. See: Download
IT mode (HBA): A firmware mode for SAS/SATA host bus adapters that presents each drive individually (Initiator Target mode) without hardware RAID. Required for ZFS, which needs direct access to raw disks. Also called JBOD mode or passthrough mode. See: Hardware Selection
JBOD (Just a Bunch of Disks): A disk enclosure that presents each drive individually to the operating system without hardware RAID. The preferred configuration for ZFS, which manages its own redundancy. See: Hardware Selection
JIT compilation (BPF): The process where the kernel translates eBPF bytecode into native machine instructions at load time. JIT compilation eliminates the overhead of an interpreter, bringing eBPF program performance close to native C code. Enabled by default on most architectures. See: eBPF Reference
journald: The systemd logging daemon that collects and stores log data in a structured, indexed binary format. Provides rich querying via journalctl and can forward logs to syslog or external collectors like promtail. See: systemd
kai: The kldload AI assistant tool. Runs a local LLM (via Ollama) trained on your infrastructure to answer questions about ZFS, WireGuard, eBPF, and your specific deployment. See: AI Admin Assistant
kbe: The kldload boot environment manager. Lists, creates, activates, and destroys ZFS boot environments for safe OS upgrades and rollbacks. See: Boot Environments
kclone: A kldload tool that clones a KVM virtual machine by snapshotting its ZFS zvol and creating a linked clone. Near-instant and space-efficient. See: Tools & Commands
kdf: The kldload disk-free command. Shows ZFS pool and dataset usage with compression ratios, snapshot space, and reservation details in a single view. See: Tools & Commands
kdir: A kldload tool for managing ZFS datasets as directories. Creates, lists, and destroys datasets with sensible defaults for mountpoints and properties. See: Tools & Commands
kfunc: A kernel function explicitly exposed to eBPF programs as a stable API. Unlike BPF helpers, kfuncs are defined in kernel modules and can be added without modifying the core BPF infrastructure. Used for advanced features like iterators and XDP metadata. See: eBPF Reference
keepalive (WireGuard): A PersistentKeepalive setting that sends an empty packet at a fixed interval (typically 25 seconds) to keep NAT mappings alive when a peer is behind a firewall. See: WireGuard Basics
keepalived: A Linux daemon that implements VRRP for floating virtual IP addresses and health checking. Used for high-availability failover between load balancers or gateways. See: Load Balancing & HA
kernel module: A piece of code that can be loaded into the Linux kernel at runtime to extend its functionality without rebooting. ZFS, WireGuard, and device drivers are common kernel modules. DKMS automatically rebuilds modules when the kernel is updated. See: Kernels & Architecture
kexport: The kldload image export tool. Converts a completed installation into a golden image in qcow2, vmdk, vhd, ova, or raw format, sealed with cloud-init for cloning. See: Export Formats
kldload: A Linux re-packer that builds a single bootable ISO capable of installing multiple distributions with ZFS on root, WireGuard mesh networking, eBPF observability, and offline package mirrors. See: Executive Summary
kpkg: The kldload package management wrapper. Provides a unified interface across dnf, apt, and pacman, automatically using darksite mirrors when available. See: Package Management
kprobe: A dynamic tracing mechanism that attaches eBPF programs to arbitrary kernel function entry or return points. Useful for debugging and performance analysis without recompiling the kernel. See: eBPF Reference
kretprobe: A dynamic tracing mechanism that attaches an eBPF program to a kernel function's return point. Used to capture return values and measure function latency by pairing with a kprobe at function entry. See: Tracepoints & Probes
kstack: A bpftrace built-in that captures the current kernel stack trace. Used in profiling and tracing scripts to understand the call chain that led to a particular event. See: Core Dumps & Stacks
krecovery: The kldload disaster recovery tool. Manages ZFS send/receive replication to remote targets and orchestrates failover and failback procedures. See: Disaster Recovery
ksnap: The kldload snapshot manager. Creates, lists, compares, and destroys ZFS snapshots with policy-based retention (hourly, daily, weekly, monthly). See: Snapshots Guide
kst: The kldload status command. Displays a one-screen health dashboard showing ZFS pool health, disk usage, compression ratio, snapshot count, boot environments, memory, CPU, and service status. See: Tools & Commands
kupgrade: The kldload upgrade tool. Creates a boot environment, upgrades packages inside it, and switches the active boot entry. If the upgrade fails, the previous boot environment remains untouched. See: Tools & Commands
KVM (Kernel-based Virtual Machine): A Linux kernel module that turns the kernel into a Type 1 hypervisor. Combined with QEMU for device emulation, it provides near-native VM performance. kldload stores VM disks as ZFS zvols. See: KVM Virtual Machines
kvm-clone: A kldload tool that creates a linked clone of an existing KVM virtual machine using ZFS snapshots. The clone is copy-on-write and initially consumes zero additional disk space. See: Tools & Commands
kvm-create: A kldload tool that provisions a new KVM virtual machine with a ZFS zvol disk, virtio devices, and sensible defaults. Accepts parameters for CPU, RAM, disk size, and network. See: Tools & Commands
kvm-delete: A kldload tool that destroys a KVM virtual machine and its associated ZFS zvol, snapshots, and clones. Requires confirmation. See: Tools & Commands
kvm-list: A kldload tool that lists all KVM virtual machines with their state, CPU, RAM, disk size, and ZFS dataset path. See: Tools & Commands
kvm-replicate: A kldload tool that replicates a KVM virtual machine to a remote host using incremental ZFS send/receive. Used for disaster recovery and migration. See: Tools & Commands
kvm-snap: A kldload tool that takes a consistent snapshot of a running KVM virtual machine's ZFS zvol. Supports automatic retention policies. See: Tools & Commands
L2 (Layer 2): The data link layer in the OSI model, dealing with MAC addresses, Ethernet frames, and switches. VLANs and bridges operate at Layer 2.
L2ARC: A second-level read cache in ZFS that uses a fast device (typically an SSD or NVMe) to extend the in-memory ARC. Useful when the working set exceeds available RAM. See: Memory & ARC
L2ARC headers: Metadata entries in the ARC that track which blocks are cached on the L2ARC device. Each L2ARC header consumes about 170 bytes of RAM. With persistent L2ARC (OpenZFS 2.0+), headers survive reboots so the L2ARC cache is immediately warm. See: Memory & ARC
L3 (Layer 3): The network layer in the OSI model, dealing with IP addresses and routing. Routers and firewalls operate at Layer 3.
L4 (Layer 4): The transport layer in the OSI model, dealing with TCP and UDP ports. Layer 4 load balancers route based on IP and port without inspecting the payload.
L4 load balancing: Load balancing at the transport layer (TCP/UDP) based on IP addresses and port numbers without inspecting application-layer content. XDP and eBPF enable high-performance L4 load balancing in the kernel, as used by Cilium and Katran. See: Load Balancing & HA
L7 (Layer 7): The application layer in the OSI model, dealing with protocols like HTTP, DNS, and TLS. Layer 7 load balancers can make routing decisions based on URL paths, headers, and cookies.
LACP (Link Aggregation Control Protocol): A protocol that combines multiple physical NICs into a single logical link for increased throughput and redundancy. Requires switch support.
libbpf: The canonical C library for loading and interacting with eBPF programs and maps. Provides CO-RE support, skeleton auto-generation, and a stable API for building eBPF applications without BCC's runtime dependency on LLVM/Clang. See: eBPF Reference
libvirt: A virtualization API and management toolkit that provides a common interface for KVM, QEMU, Xen, and other hypervisors. kldload uses libvirt for VM lifecycle management via virsh. See: KVM Virtual Machines
load balancer: A device or software that distributes incoming network traffic across multiple backend servers. HAProxy and keepalived are the primary load balancers in kldload deployments. See: Load Balancing & HA
logbias (ZFS): A ZFS dataset property that controls whether synchronous writes go through the ZIL (logbias=latency, default) or are written directly to the main pool (logbias=throughput). Set to throughput for workloads like databases that manage their own write-ahead log. See: Tuning for Workloads
LogQL: The query language used by Grafana Loki for filtering, parsing, and aggregating log data. Syntax is inspired by PromQL, with pipeline stages for line filtering, label extraction, and metric generation. See: Monitoring Stack
Loki: A horizontally scalable, multi-tenant log aggregation system designed by Grafana Labs. Unlike traditional log systems, Loki indexes only labels (not full text), making it lightweight and cost-effective. See: Monitoring Stack
LSM (Linux Security Module): A kernel framework that provides hooks for implementing access control policies (SELinux, AppArmor). BPF LSM programs can attach to these hooks to implement custom, dynamic security policies without kernel recompilation. See: eBPF Security
LUKS (Linux Unified Key Setup): The standard disk encryption format for Linux. Can be used to encrypt the partition underneath a ZFS pool, or ZFS's native encryption can be used instead. See: Secure Boot & Encryption
LVM (Logical Volume Manager): A Linux storage abstraction layer that provides resizable logical volumes on top of physical disks. ZFS replaces LVM's functionality with its own integrated volume management.
LXC (Linux Containers): A lightweight container runtime that uses Linux namespaces and cgroups to provide OS-level virtualization. LXC containers run full init systems, unlike application containers.
machine-id: A unique 128-bit identifier (/etc/machine-id) generated at first boot that distinguishes hosts for systemd, journald, and other services. kldload clears machine-id when sealing golden images so each clone generates a unique identity. See: Cloud & Packer
macvtap: A Linux network device that combines a macvlan interface with a tap device, allowing KVM virtual machines to be attached directly to a physical network interface without a bridge. Provides better performance than bridging but does not allow VM-to-host communication. See: KVM Virtual Machines
mdadm: The Linux software RAID utility for creating and managing md (multiple device) arrays. ZFS replaces mdadm with its own RAIDZ implementation. See: ZFS vs Everything Else
mesh (WireGuard): A network topology where every node has a direct WireGuard tunnel to every other node. kldload builds full-mesh or hub-and-spoke topologies depending on the deployment model. See: WireGuard Mesh & Multi-Site
metaslab: A subdivision of a ZFS vdev that manages free space allocation. Each vdev is divided into roughly 200 metaslabs. ZFS selects the best metaslab for each write based on free space and fragmentation, optimizing write performance. See: Tuning for Workloads
MFU (Most Frequently Used): One of the two lists in the ZFS ARC that caches blocks accessed more than once. The MFU list holds frequently accessed data; the ARC dynamically balances space between MFU and MRU based on workload patterns. See: Memory & ARC
microVM: A minimal virtual machine designed for fast boot times (sub-second) and small memory footprint. Firecracker is the most common microVM monitor, used for serverless workloads. See: Serverless / Firecracker
mirror (ZFS): A ZFS vdev type that replicates data across two or more disks. Provides the best random read performance and the fastest resilver times, at the cost of 50% (or more) capacity overhead. See: Pool Design
MOK (Machine Owner Key): A key enrolled in the UEFI firmware's MOK database to sign and verify third-party kernel modules (like ZFS). Required for ZFS on Secure Boot systems. See: Secure Boot & the Boot Chain
mTLS (mutual TLS): A TLS connection where both the client and server present certificates and verify each other's identity. Used for zero-trust service-to-service communication. See: TLS & PKI
MTU (Maximum Transmission Unit): The largest packet size (in bytes) that a network interface will transmit without fragmentation. Standard Ethernet MTU is 1500; jumbo frames use 9000. WireGuard tunnels reduce effective MTU by 60-80 bytes.
MRU (Most Recently Used): One of the two lists in the ZFS ARC that caches blocks accessed only once recently. The MRU list holds data that may or may not be accessed again; the ARC dynamically adjusts the MRU/MFU balance. See: Memory & ARC
multicast: A networking technique where packets are sent to a group of receivers simultaneously using a single transmission. Used by protocols like VXLAN for BUM traffic and by OSPF for route advertisements.
N-way mirror (ZFS): A ZFS mirror vdev with more than two disks (three-way, four-way, etc.). Additional mirrors improve read performance and survive more simultaneous disk failures, at the cost of proportionally more storage capacity. See: Pool Design
NAPI (New API): The Linux kernel's interrupt mitigation framework for network device drivers. NAPI combines interrupt-driven and polling-based packet processing to achieve high throughput without excessive CPU usage from interrupts. XDP hooks run within the NAPI context. See: XDP & TC Datapath
NAT (Network Address Translation): A method of remapping IP addresses as packets pass through a router. Source NAT (SNAT/masquerade) allows private-IP hosts to reach the internet; DNAT forwards inbound connections to internal hosts.
netfilter: The Linux kernel framework for packet filtering, NAT, and mangling. nftables and iptables are user-space frontends that configure netfilter rules.
namespace (Linux): A kernel feature that isolates system resources (PID, network, mount, user, IPC, UTS, cgroup) so that processes in different namespaces see different views of the system. The fundamental building block of containers.
NFS (Network File System): A protocol for sharing filesystems over a network. ZFS datasets can be exported via NFS directly using the sharenfs property. See: NFS & iSCSI
nftables: The modern Linux packet classification framework that replaces iptables, ip6tables, arptables, and ebtables with a single unified tool (nft). kldload uses nftables for firewall rules. See: nftables
NIC (Network Interface Card): A hardware component that connects a computer to a network. Modern NICs support features like checksum offload, RSS, and SR-IOV for high-performance networking.
node_exporter: A Prometheus exporter that exposes hardware and OS-level metrics (CPU, memory, disk, network) from Linux hosts. The foundation of host-level monitoring in Prometheus-based stacks. See: Monitoring Stack
NUMA (Non-Uniform Memory Access): A memory architecture where access time depends on which CPU socket owns the memory region. KVM and ZFS performance benefits from NUMA-aware configuration that keeps memory allocations local to the CPU accessing them. See: KVM Virtual Machines
NVMe (Non-Volatile Memory Express): A storage protocol designed for flash/SSD drives connected via PCIe. Provides much lower latency and higher throughput than SATA or SAS. Ideal for ZFS L2ARC and SLOG devices. See: Hardware Selection
OCI (Open Container Initiative): A set of industry standards for container image formats and runtimes. Docker and Podman both produce OCI-compliant images.
off-CPU analysis: A performance analysis technique that measures time a thread spends blocked (waiting for I/O, locks, scheduling) rather than running on a CPU. eBPF programs attached to scheduler events capture off-CPU stacks for generating off-CPU flame graphs. See: eBPF Performance
on-CPU profiling: A performance analysis technique that samples stack traces of running threads at regular intervals (e.g., 99 Hz) to identify hot code paths. perf and eBPF-based profilers produce on-CPU flame graphs for CPU-bound workloads. See: eBPF Performance
Open vSwitch (OVS): A production-quality, multilayer virtual switch that supports standard management interfaces (OpenFlow, OVSDB) and is designed for multi-server virtualization environments. Used in OpenStack and some KVM deployments as an alternative to Linux bridges. See: KVM Virtual Machines
OSPF (Open Shortest Path First): A link-state routing protocol used for intra-domain routing. Converges faster than distance-vector protocols and is commonly used within a single site before aggregating routes into BGP.
overlay network: A virtual network built on top of an existing (underlay) network using encapsulation (VXLAN, GENEVE, WireGuard). Allows hosts on different physical networks to communicate as if they were on the same Layer 2 segment.
pacstrap: An Arch Linux tool that installs packages into a new root filesystem directory. kldload uses pacstrap for Arch Linux target installations, bootstrapping the root filesystem from online repositories. See: Editions & Profiles
Packer: A HashiCorp tool that automates the creation of machine images across multiple platforms from a single configuration. kldload uses Packer to build golden images from postinstallers. See: Packer & IaC
partition: A division of a physical disk into one or more logical sections. GPT (GUID Partition Table) is the modern standard. ZFS pools are typically built on whole disks or GPT partitions.
PCI passthrough: A technique that gives a virtual machine direct, exclusive access to a physical PCI device (GPU, NIC, NVMe) via VFIO. Requires IOMMU support and provides near-native device performance. See: KVM Virtual Machines
peer (WireGuard): A remote host in a WireGuard tunnel identified by its public key. Each peer has an AllowedIPs list, an optional endpoint, and an optional pre-shared key. See: WireGuard Basics
perf buffer: A per-CPU ring buffer used by eBPF programs to stream event data to user space. Older than BPF ring buffers but still widely used. Each CPU has its own buffer, so events may arrive out of order. See: eBPF Reference
perf_event: A Linux kernel subsystem that provides access to hardware performance counters (CPU cycles, cache misses, branch mispredictions) and software events (context switches, page faults). eBPF programs can attach to perf events for sampling-based profiling. See: eBPF Performance
persistent L2ARC: A ZFS feature (OpenZFS 2.0+) that preserves L2ARC contents across reboots by writing metadata to the cache device. Eliminates the cold-cache penalty after restarts, providing immediate read cache benefits. See: Memory & ARC
PKI (Public Key Infrastructure): A framework for managing digital certificates and public keys. kldload supports automated PKI via step-ca for issuing short-lived certificates to services and hosts. See: TLS & PKI
plane (network): A logically separated network for a specific traffic type. kldload uses four WireGuard planes: management (wg0), data (wg1), monitoring (wg2), and storage (wg3). See: Backplane Networks
Podman: A daemonless, rootless container runtime that is command-compatible with Docker. Preferred on RHEL-family systems. Supports ZFS as a storage driver. See: Docker & Podman on ZFS
pool (ZFS): The top-level storage container in ZFS, composed of one or more vdevs. A pool provides a shared storage namespace and manages all data placement, redundancy, and caching. See: Pool Design
pool feature (ZFS): An on-disk format capability tracked by the ZFS feature flags system. Pool features are enabled per-pool and may be required by certain functionality (e.g., feature@encryption, feature@block_cloning). See: ZFS Overview
postinstaller: A script or set of scripts that run after the base OS installation to configure services, deploy applications, and harden the system. kldload postinstallers are shell scripts or Ansible playbooks. See: Postinstallers
pre-shared key (PSK): An optional symmetric key added to a WireGuard tunnel for post-quantum resistance. Provides an additional layer of encryption on top of the Curve25519 key exchange. See: WireGuard Basics
primarycache (ZFS): A ZFS dataset property that controls what is cached in the ARC: all (data and metadata), metadata (metadata only), or none. Setting to metadata avoids polluting the ARC with large sequential reads. See: Memory & ARC
process injection: An attack technique where malicious code is injected into a running process's address space (e.g., via ptrace, LD_PRELOAD, or /proc/pid/mem). eBPF-based security tools detect injection by monitoring ptrace syscalls and suspicious memory writes. See: eBPF Security
profile (kldload): A build configuration that determines which packages, tools, and services are included in the installation. Standard profiles: desktop (GNOME + ZFS), server (headless + ZFS), kvm (hypervisor), ai (Ollama + LLM), core (ZFS only, no kldload tools). See: Editions & Profiles
program array (BPF): An eBPF map type that holds references to other eBPF programs, enabling tail calls. A running program can jump to another program in the array, allowing complex logic to be split across multiple programs that share the same execution context. See: eBPF Reference
Prometheus: An open-source time-series database and monitoring system that scrapes metrics from instrumented targets at regular intervals. The foundation of kldload's monitoring stack, paired with Grafana for visualization and Alertmanager for notifications. See: Monitoring Stack
PromQL: The query language for Prometheus. Supports instant queries, range queries, aggregations, and functions for analyzing time-series data. Used in Grafana dashboards and Alertmanager rules. See: Monitoring Stack
promtail: A log shipping agent that discovers log files, attaches labels, and pushes log entries to Grafana Loki. Typically deployed as a systemd service or DaemonSet alongside the application. See: Monitoring Stack
qcow2: The native disk image format for QEMU/KVM. Supports thin provisioning, snapshots, compression, and encryption. One of the export formats supported by kexport. See: Export Formats
QEMU: A generic machine emulator and virtualizer. When paired with KVM, QEMU provides hardware-accelerated virtualization with device emulation for disks, NICs, and displays. See: KVM Virtual Machines
quota (ZFS): A ZFS property that limits the amount of space a dataset and its descendants can consume. Quotas prevent a single dataset from filling the entire pool. See: ZFS Overview
qemu-img: A QEMU disk image utility that creates, converts, and modifies disk images. kldload uses qemu-img convert to export installed systems as qcow2, vmdk, vhd, ova, or raw golden images. See: Export Formats
RAG (Retrieval-Augmented Generation): An AI technique where an LLM retrieves relevant documents from a knowledge base before generating a response. kai uses RAG to ground its answers in your actual infrastructure documentation. See: Train on Your Infra
RAIDZ / RAIDZ2 / RAIDZ3: ZFS's software RAID implementations providing single, double, or triple parity respectively. RAIDZ tolerates 1 disk failure, RAIDZ2 tolerates 2, and RAIDZ3 tolerates 3. Unlike hardware RAID5/6, RAIDZ has no write hole. See: Multi-Disk & RAID
RBAC (Role-Based Access Control): A security model that assigns permissions to roles rather than individual users. Users are then assigned roles. Used in Kubernetes, Vault, and OS-level access control.
raw send (ZFS): A ZFS send mode (zfs send --raw) that transmits encrypted data in its encrypted form, allowing replication to untrusted remote systems without exposing the encryption key. The receiving side stores the data encrypted. See: Encryption
recording rule (Prometheus): A Prometheus rule that pre-computes frequently used or expensive PromQL expressions and saves the result as a new time series. Improves dashboard load times and enables efficient alerting on aggregated metrics. See: Monitoring Stack
recordsize (ZFS): The maximum block size for a ZFS dataset, ranging from 512 bytes to 16 MB. Default is 128K. Databases benefit from smaller recordsizes (8K-16K); sequential workloads benefit from larger ones (1M). See: Tuning for Workloads
redundant_metadata (ZFS): A ZFS dataset property that controls how many extra copies of metadata are stored. The default all stores extra copies of all metadata; most skips redundant copies for indirect blocks that already have a checksum chain. See: Tuning for Workloads
refreservation (ZFS): A ZFS property that reserves space for a dataset excluding its snapshots and descendants. Guarantees the dataset can always write this much data, even if the pool is otherwise full. Often used on zvols to prevent ENOSPC. See: ZFS Overview
relatime (ZFS): A ZFS dataset property that updates atime only if the previous access time is older than the modify or change time. Provides a compromise between full atime updates and disabling atime entirely. See: Tuning for Workloads
replication (ZFS): The process of copying ZFS datasets to another pool or host using zfs send | zfs receive. Incremental sends transfer only changed blocks, making remote backups efficient. See: Snapshots & Replication
reservation (ZFS): A ZFS property that guarantees a minimum amount of space for a dataset. Unlike quotas (which set an upper limit), reservations set a lower bound on available space.
resilver: The process of reconstructing data on a replacement drive after a disk failure in a ZFS pool. Similar to a RAID rebuild, but ZFS only resilvers allocated blocks, making it faster than traditional RAID rebuilds. See: Pool Design
route: A network path entry that tells the kernel where to send packets for a given destination prefix. Static routes are configured manually; dynamic routes are learned via BGP or OSPF.
RPO (Recovery Point Objective): The maximum acceptable amount of data loss measured in time. An RPO of 1 hour means you can lose at most 1 hour of data. ZFS snapshot frequency determines the achievable RPO. See: Disaster Recovery
RTO (Recovery Time Objective): The maximum acceptable time to restore service after a failure. ZFS boot environments and instant rollbacks help achieve low RTOs. See: Disaster Recovery
ring buffer (BPF): A shared ring buffer (BPF_MAP_TYPE_RINGBUF) introduced in Linux 5.8 for streaming data from eBPF programs to user space. Unlike perf buffers, a single ring buffer is shared across all CPUs, preserving event ordering and improving memory efficiency. See: eBPF Reference
runbook: A documented procedure for responding to a specific operational event or alert. Runbooks ensure consistent incident response across a team and are often linked directly from Alertmanager notifications. See: Operations Guide
Salt (SaltStack): A configuration management and remote execution tool. An alternative to Ansible with an agent-based architecture and event-driven automation.
Sanoid: A policy-based ZFS snapshot management tool that creates, prunes, and monitors snapshots on a schedule. Its companion tool, Syncoid, handles ZFS send/receive replication. kldload includes Sanoid for automated snapshot management. See: Snapshots Guide
scan (ZFS): A ZFS pool operation that reads data for verification or reconstruction. The two scan types are scrub (reads all blocks and verifies checksums) and resilver (reconstructs data on a replacement device). Only one scan can run at a time per pool. See: ZFS Overview
SAS (Serial Attached SCSI): A point-to-point serial protocol for connecting storage devices. SAS drives are more reliable than SATA (designed for 24/7 operation) and support dual-port for multipath. See: Hardware Selection
SATA (Serial ATA): The most common interface for consumer hard drives and SSDs. Cheaper than SAS but limited to a single data path and lower reliability ratings.
squashfs: A compressed, read-only Linux filesystem used for live CD/USB images. The kldload live ISO stores the root filesystem as a squashfs image, which is mounted via an overlay at boot for a writable live environment.
sealed image: A golden image that has been prepared for cloning by clearing machine-specific state: machine-id is reset, SSH host keys are removed, and cloud-init is configured to regenerate unique identifiers on first boot. kldload's k_seal_image_for_clone() performs this sealing. See: Cloud & Packer
scrub: A ZFS maintenance operation that reads every block in a pool and verifies its checksum. Detects and repairs silent data corruption (bit rot). Should be run weekly or monthly. See: ZFS Overview
seccomp: A Linux kernel feature that restricts the system calls a process can make. Used by container runtimes and systemd to reduce the attack surface of services. See: Security
secondarycache (ZFS): A ZFS dataset property that controls what is cached in the L2ARC: all (data and metadata), metadata (metadata only), or none. Useful for preventing large sequential reads from thrashing the L2ARC. See: Memory & ARC
Secure Boot: A UEFI feature that verifies the digital signature of bootloaders and kernel modules before executing them. Prevents unauthorized code from running during the boot process. Requires MOK enrollment for ZFS. See: Secure Boot & the Boot Chain
SELinux (Security-Enhanced Linux): A mandatory access control (MAC) system in the Linux kernel that confines processes to the minimum privileges they need. Default on CentOS, RHEL, Rocky, and Fedora. See: Security
send/receive (ZFS): The ZFS mechanism for serializing a snapshot into a byte stream (zfs send) and deserializing it on another pool (zfs receive). The foundation for backup, replication, and migration. See: Snapshots & Replication
sk_buff: The kernel data structure that represents a network packet in the Linux networking stack. eBPF programs attached to TC or XDP hooks operate on sk_buff or xdp_buff structures. See: eBPF Reference
skeleton (BPF): An auto-generated C header file produced by bpftool gen skeleton that provides a type-safe API for loading, attaching, and interacting with an eBPF program's maps and sections from user space. Part of the libbpf CO-RE workflow. See: eBPF Reference
SLI (Service Level Indicator): A quantitative measurement of a service's behavior, such as request latency, error rate, or throughput. SLIs are the raw metrics that SLOs are built on. See: Blue/Green & SRE
SLO (Service Level Objective): A target value or range for an SLI, such as "99.9% of requests complete in under 200ms." Defines the reliability goal that the error budget is derived from. See: Blue/Green & SRE
SLOG (Separate Log): A dedicated, fast device (typically NVMe) used as a ZFS Intent Log (ZIL) to accelerate synchronous writes. Only benefits workloads that use sync writes (NFS, databases). See: Hardware Selection
softirq: A Linux kernel mechanism for deferring interrupt processing to a lower-priority context. Network packet processing (NET_RX, NET_TX) runs in softirq context. High softirq CPU usage indicates heavy network or block I/O load. See: eBPF Performance
SMART (Self-Monitoring, Analysis, and Reporting Technology): A monitoring system built into hard drives and SSDs that tracks health indicators like reallocated sectors, temperature, and read error rates. Use smartctl to query SMART data. See: Hardware Selection
SMB/CIFS: The Server Message Block protocol (also known as CIFS) used for sharing files on Windows networks. ZFS datasets can be shared via Samba using the sharesmb property.
snapshot (ZFS): A read-only, point-in-time copy of a ZFS dataset. Snapshots are instantaneous and initially consume no additional space. They grow only as the live dataset diverges. See: Snapshots Guide
special vdev: A ZFS vdev class that stores metadata, dedup tables, and optionally small file blocks on a fast device (NVMe). Dramatically improves metadata-heavy operations like ls and find. See: Pool Design
special_small_blocks (ZFS): A pool property that directs blocks smaller than the specified threshold to the special vdev. Setting special_small_blocks=32K stores small files and metadata on fast NVMe while keeping large data on spinning disks. See: Pool Design
SRE (Site Reliability Engineering): A discipline that applies software engineering practices to infrastructure and operations. Focuses on reliability, automation, error budgets, and eliminating toil. See: Blue/Green & SRE
SRT (Secure Reliable Transport): An open-source video transport protocol optimized for low-latency, reliable streaming over unpredictable networks. Used in live broadcasting and media workflows. See: Live TV Streaming
SSD (Solid State Drive): A storage device that uses flash memory instead of spinning platters. Provides much lower latency and higher IOPS than HDDs. Used for ZFS L2ARC, SLOG, and special vdevs.
step-ca: An open-source online Certificate Authority from Smallstep that issues short-lived TLS certificates with automatic renewal. Used by kldload for internal PKI. See: TLS & PKI
struct_ops (BPF): An eBPF program type that implements kernel struct operations (function pointer tables) in BPF. Used to replace or augment kernel subsystem behaviors, such as TCP congestion control algorithms, with custom eBPF implementations. See: eBPF Reference
SR-IOV (Single Root I/O Virtualization): A PCI specification that allows a single physical NIC to present multiple virtual functions (VFs), each assignable to a different VM via VFIO. Provides near-native network performance without software bridging overhead. See: KVM Virtual Machines
subnet: A logical subdivision of an IP network, defined by a network address and a prefix length (e.g., 10.0.0.0/24 represents 256 addresses). Subnetting segments traffic and defines broadcast domains.
SUID (Set User ID): A Unix file permission bit that causes an executable to run with the privileges of the file owner (typically root) rather than the calling user. SUID binaries are a common attack vector; security hardening removes unnecessary SUID bits. See: Security Hardening
swap: Disk space used as overflow when physical RAM is full. On ZFS systems, swap is typically placed on a zvol or a dedicated partition rather than a swap file. See: Memory & ARC
Syncoid: A companion tool to Sanoid that automates ZFS send/receive replication between hosts. Handles incremental sends, encryption, compression, and SSH transport for efficient off-site backup. See: Snapshots Guide
SYN flood: A denial-of-service attack that exhausts server resources by sending a flood of TCP SYN packets without completing the three-way handshake. XDP programs can mitigate SYN floods at line rate by implementing SYN cookies or rate limiting before the kernel TCP stack. See: XDP & TC Datapath
sync property (ZFS): A ZFS dataset property that controls synchronous write behavior: standard (honor sync requests), always (treat all writes as sync), or disabled (ignore sync requests for performance at the risk of data loss on power failure). See: Tuning for Workloads
systemd: The init system and service manager for most modern Linux distributions. Manages service lifecycle, logging (journald), networking (networkd), timers, and more. kldload uses systemd units for all platform services. See: systemd
tail call (BPF): A mechanism that allows one eBPF program to jump to another without returning, effectively chaining programs together. Tail calls use program arrays and enable complex logic that exceeds the single-program instruction limit. See: eBPF Reference
TC (Traffic Control): The Linux kernel subsystem for queuing, shaping, scheduling, and classifying network traffic. eBPF programs can be attached to TC hooks for programmable packet processing. See: eBPF Reference
TCP (Transmission Control Protocol): A reliable, connection-oriented transport protocol that guarantees in-order delivery. Used for HTTP, SSH, and most application traffic.
Terraform: A HashiCorp IaC tool that provisions and manages infrastructure across cloud providers and on-premise platforms using declarative configuration files. See: Packer & IaC
thin provisioning: A storage allocation strategy where space is allocated on demand rather than upfront. ZFS datasets and zvols are thin-provisioned by default — a 100 GB zvol only uses space as data is written. See: ZFS Overview
textfile collector: A node_exporter feature that reads custom metrics from .prom files in a designated directory. Allows cron jobs, scripts, and custom exporters to expose metrics to Prometheus without running a persistent HTTP server. See: Monitoring Stack
Thanos: A set of components that extend Prometheus with long-term storage, global query view across multiple Prometheus instances, and downsampling. Enables durable, multi-cluster monitoring without modifying Prometheus itself. See: Monitoring Stack
TOML: A configuration file format designed to be easy to read and parse. Used by WireGuard configuration files and some Rust-based tools in the kldload ecosystem.
TPM (Trusted Platform Module): A hardware security chip that provides cryptographic functions, secure key storage, and platform integrity measurement. Used with Secure Boot and disk encryption (LUKS) to bind keys to the hardware platform. See: Secure Boot & the Boot Chain
TLS (Transport Layer Security): A cryptographic protocol that provides encrypted and authenticated communication over a network. The successor to SSL. Used for HTTPS, encrypted email, and service-to-service mTLS. See: TLS & PKI
toil: Manual, repetitive, automatable, tactical work that scales linearly with service growth and produces no enduring value. A core SRE concept — the goal is to automate toil away. See: Blue/Green & SRE
tracepoint: A static instrumentation point compiled into the Linux kernel at predetermined locations. More stable than kprobes because they are part of the kernel ABI. eBPF programs can attach to tracepoints. See: eBPF Reference
tunnel (WireGuard): An encrypted, authenticated point-to-point connection between two WireGuard interfaces. All traffic is encapsulated in UDP packets. See: WireGuard Basics
txg (Transaction Group): ZFS batches writes into transaction groups that are flushed to disk atomically every 5 seconds (by default). This ensures filesystem consistency without a traditional journal. See: Tuning for Workloads
uberblock (ZFS): The root of the ZFS on-disk tree, stored redundantly across all top-level vdevs in the pool. The uberblock with the highest transaction group number identifies the most recent consistent state. ZFS writes uberblocks atomically to ensure crash consistency. See: Boot Chain
UDP (User Datagram Protocol): A connectionless transport protocol that sends datagrams without reliability guarantees. Faster than TCP for latency-sensitive traffic. WireGuard runs over UDP.
underlay: The physical network infrastructure that carries encapsulated overlay traffic. In kldload deployments, the underlay is the bare-metal Ethernet network; overlays run inside WireGuard tunnels or VXLAN.
UKI (Unified Kernel Image): A single EFI binary that bundles the Linux kernel, initramfs, kernel command line, and optional splash screen into one signed file. Simplifies Secure Boot by requiring only one signature for the entire boot payload. See: Secure Boot & the Boot Chain
uprobe: A dynamic tracing mechanism that attaches eBPF programs to user-space function entry points. Enables tracing application-level functions (e.g., in libc, OpenSSL, or custom binaries) without modifying the application. See: Tracepoints & Probes
uretprobe: A dynamic tracing mechanism that attaches an eBPF program to a user-space function's return point. Used to capture return values and measure function latency in applications. See: Tracepoints & Probes
USE method (Utilization Saturation Errors): A performance analysis methodology created by Brendan Gregg that checks three metrics for every resource: utilization (how busy), saturation (how queued), and errors (how broken). Provides a systematic approach to diagnosing bottlenecks. See: eBPF Performance
USDT (User Statically Defined Tracing): Static tracepoints embedded in user-space applications at compile time. eBPF programs can attach to USDT probes for stable, low-overhead application tracing. Common in runtimes like MySQL, PostgreSQL, and Python. See: Tracepoints & Probes
ustack: A bpftrace built-in that captures the current user-space stack trace of a process. Combined with kstack, it provides full kernel-to-user call chains for end-to-end performance analysis. See: Core Dumps & Stacks
Vault: A HashiCorp tool for securely storing and managing secrets, encryption keys, and certificates. kldload can integrate with Vault for dynamic secret injection and automated certificate issuance. See: Vault & Secrets
vdev (virtual device): A building block of a ZFS pool. A vdev can be a single disk, a mirror, a RAIDZ group, or a special-purpose device (cache, log, spare). Pools are composed of one or more data vdevs. See: Pool Design
verifier (eBPF): The kernel component that statically analyzes every eBPF program before loading to ensure it cannot crash, loop infinitely, or access unauthorized memory. The verifier is the safety guarantee that makes eBPF safe. See: eBPF Security
vfio-pci: A Linux kernel driver that provides safe, IOMMU-protected access to PCI devices from user space. Used for PCI passthrough in KVM, allowing virtual machines to directly access GPUs, NICs, and NVMe controllers. See: KVM Virtual Machines
virt-install: A command-line tool for creating KVM virtual machines via libvirt. kldload's kvm-create wraps virt-install with ZFS-aware defaults. See: KVM Virtual Machines
virsh: The command-line interface for libvirt. Manages VM lifecycle (start, stop, migrate, snapshot) and configuration. See: KVM Virtual Machines
virtio: A standard for paravirtualized I/O devices in KVM/QEMU virtual machines. virtio-blk, virtio-net, and virtio-scsi provide near-native disk, network, and SCSI performance by avoiding full hardware emulation. See: KVM Virtual Machines
virtio-fs: A shared filesystem for KVM virtual machines that provides near-native performance for host-to-guest directory sharing. Uses the FUSE protocol over virtio transport, replacing the slower 9p/virtio-9p approach.
VLAN (Virtual LAN): A Layer 2 broadcast domain created by tagging Ethernet frames with an 802.1Q header. VLANs segment traffic on a shared physical switch without requiring separate hardware.
VM (Virtual Machine): An emulated computer that runs its own operating system on virtualized hardware. KVM/QEMU provides hardware-accelerated VMs on kldload hosts, with zvols as disk backends. See: KVM Virtual Machines
VM template: A sealed, read-only virtual machine image used as the base for creating new VMs. kldload creates VM templates by installing to a zvol, sealing with cloud-init, and snapshotting. New VMs are linked clones of the template snapshot. See: Cloud & Packer
vmlinux.h: A generated header file containing all kernel data structure definitions derived from BTF. Used by eBPF CO-RE programs to access kernel structures without requiring kernel headers to be installed on the target system. See: eBPF Reference
VNI (VXLAN Network Identifier): A 24-bit identifier in a VXLAN header that distinguishes up to 16 million overlay networks on the same underlay infrastructure. Analogous to a VLAN ID but with a much larger address space. See: VXLAN & EVPN
volblocksize: The block size for a ZFS zvol (volume). Set at creation time and cannot be changed. Use 4K-16K for database zvols and 64K for general-purpose VM disks. See: Tuning for Workloads
VRRP (Virtual Router Redundancy Protocol): A protocol that provides automatic failover of a virtual IP address between a master and one or more backup routers. Implemented by keepalived. See: Load Balancing & HA
VXLAN (Virtual Extensible LAN): A network encapsulation protocol that tunnels Layer 2 Ethernet frames inside Layer 3 UDP packets. Extends broadcast domains across Layer 3 boundaries. kldload uses VXLAN with EVPN for multi-site networking. See: VXLAN & EVPN
zvol (ZFS Volume): A ZFS dataset that presents as a raw block device rather than a filesystem. Used as disk backends for KVM virtual machines, iSCSI targets, and swap. Inherits ZFS features like snapshots, compression, and replication. See: KVM Virtual Machines
wakeup analysis: A performance analysis technique that traces the chain of events that wake a blocked thread. eBPF programs on scheduler wakeup tracepoints reveal which process or interrupt caused a thread to become runnable, helping diagnose latency issues. See: eBPF Performance
WebSocket: A protocol that provides full-duplex communication over a single TCP connection. The kldload web UI uses WebSockets to stream real-time installation progress from the backend to the browser. See: Web UI
wg0: The conventional name for the first WireGuard interface. In kldload deployments, wg0 is typically the management backplane (10.78.x.x/16). See: Backplane Networks
WireGuard: A modern, minimal VPN protocol built into the Linux kernel. Uses Curve25519 for key exchange, ChaCha20 for encryption, and Poly1305 for authentication. kldload uses WireGuard for all inter-node communication across four traffic planes. See: WireGuard Basics
XDP (eXpress Data Path): An eBPF hook that runs at the earliest point in the Linux network receive path, before the kernel allocates an sk_buff. Enables wire-speed packet processing for DDoS mitigation, load balancing, and firewalling. See: eBPF Performance
XDP_DROP: An XDP program return code that drops the packet immediately at the driver level without any further processing. The fastest possible packet discard path in Linux, used for DDoS mitigation. See: XDP & TC Datapath
xdp_md: The metadata structure passed to XDP programs, containing pointers to the packet data start and end, the receiving interface index, and RX queue information. The XDP equivalent of sk_buff but much simpler and faster. See: XDP & TC Datapath
XDP_PASS: An XDP program return code that passes the packet up to the normal kernel networking stack for standard processing. Used when a packet does not match any XDP filtering or redirection rules. See: XDP & TC Datapath
XDP_REDIRECT: An XDP program return code that redirects the packet to another network interface, CPU, or AF_XDP socket without passing through the kernel stack. Enables high-performance forwarding and load balancing. See: XDP & TC Datapath
XDP_TX: An XDP program return code that transmits the (potentially modified) packet back out the same interface it arrived on. Used for implementing packet reflection, hairpin forwarding, and request/response protocols at XDP speed. See: XDP & TC Datapath
xattr (sa/dir) (ZFS): A ZFS dataset property (xattr=sa or xattr=dir) that controls how extended attributes are stored. The sa mode stores xattrs in the dnode's system attribute area for better performance; dir stores them in hidden directories for compatibility. See: Tuning for Workloads
XFS: A high-performance journaling filesystem, default on CentOS/RHEL. Excellent for large sequential workloads but lacks ZFS's snapshots, checksums, and integrated volume management. See: ZFS vs Everything Else
xorriso: A tool for creating, loading, and manipulating ISO 9660 filesystem images with Rock Ridge and El Torito boot extensions. kldload uses xorriso to assemble the final bootable ISO with both UEFI and legacy BIOS boot support.
YAML: A human-readable data serialization format used for configuration files. kldload profiles, Ansible playbooks, and Kubernetes manifests are written in YAML.
yum: The legacy package manager for RHEL/CentOS, now replaced by dnf. On modern RHEL-family systems, the yum command is a symlink to dnf.
zdb: The ZFS debugger tool that displays low-level on-disk data structures including uberblocks, metaslabs, block pointers, and DDT entries. Used for forensic analysis and debugging pool issues. Not for routine administration. See: Tuning for Workloads
ZED (ZFS Event Daemon): A daemon that listens for ZFS kernel events (scrub completion, device failures, resilver progress) and executes configurable scripts in response. Used for email alerts, auto-replacing failed drives, and triggering custom recovery actions. See: ZFS Overview
zfs_arc_max: A kernel module parameter that caps the maximum size of the ARC in bytes. Set in /etc/modprobe.d/zfs.conf. Useful when ZFS competes with other memory-hungry workloads like databases or VMs. See: Memory & ARC
ZFSBootMenu: An EFI bootloader that replaces GRUB for ZFS-on-root systems. Discovers all bootable ZFS datasets, supports boot environments, and provides a recovery shell. kldload uses ZFSBootMenu by default. See: ZFS Without GRUB
zfs diff: A ZFS command that shows the difference between two snapshots or between a snapshot and the current filesystem. Lists files that were added, modified, deleted, or renamed. Useful for auditing changes between snapshots. See: Snapshots & Replication
zfs hold: A ZFS command that places a user-defined hold (tag) on a snapshot, preventing it from being destroyed until the hold is released with zfs release. Used by replication tools to protect snapshots needed for incremental sends. See: Snapshots & Replication
ZIL (ZFS Intent Log): A write-ahead log that ZFS uses to make synchronous writes durable before they are committed to the main pool in a transaction group. By default the ZIL is on the pool's data disks; a SLOG device moves it to faster storage. See: Hardware Selection
zpool: The command-line tool for managing ZFS storage pools. Handles pool creation, destruction, import/export, scrub, status, and device management. See: ZFS Overview
zpool iostat: A ZFS command that displays I/O statistics for pools and vdevs, including read/write bandwidth, IOPS, and latency histograms. The primary tool for diagnosing ZFS storage performance. See: Tuning for Workloads
zpool scrub: A ZFS command that initiates a scrub operation, reading every block in the pool and verifying checksums. Detects and auto-repairs silent data corruption on redundant pools. Should be run on a regular schedule (weekly or monthly). See: ZFS Overview
zpool status: A ZFS command that displays the health, configuration, and scan status of all pools or a specific pool. Shows degraded vdevs, faulted disks, scrub progress, and error counts. The first command to run when diagnosing ZFS issues. See: ZFS Overview
zpool.cache: The default cache file (/etc/zfs/zpool.cache) that stores pool configuration for automatic import at boot. Managed by the cachefile pool property. If missing, pools must be imported manually. See: Boot Chain

← Monitoring Stack Help & Links →