Glossary
Definitions of Qbee-specific terms and concepts used throughout this documentation. Entries are grouped by domain below; use the alphabetical index to jump to a specific term.
A–Z index
A — A/B update, agent attestation, All devices, audit log
B — bootstrap key, bootstrapping, bundle
C — command to run, commit-then-converge, connectivity watchdog, converge, CVE
D — delta update, desired state, device, drift
E — entity
F — File Distribution, fleet
G — golden image, group
I — inheritance, inventory
M — metrics monitor
N — node
O — OTA
P — package management, parameters, polling cycle, port forwarding, pre-seeded keys, process watch, pull-based
Q — Qbee, Qbee agent, Qbee Terraform Provider, qbee-cli, qbee-connect, qbee.io
R — RAUC, rebootstrap, remote access, remote access actions
S — secrets, secure tunnel, software management, system parameters
T — tags, template parameters, TPM
Platform & architecture
- Qbee
- The Qbee device management platform for Linux and IoT fleets — the cloud backend, agent, and tooling together. See Manage Your Linux Devices From Anywhere.
- qbee.io
- Qbee's cloud backend (SaaS) that stores desired state, processes agent requests, and serves the web console and API gateway. See The Agent and the Cloud.
- Qbee agent
- The lightweight daemon installed on each managed device. It initiates outbound HTTPS to qbee.io, pulls its desired state, converges the device to match, and reports status. The binary is qbee-agent. See Device Agent.
- qbee-cli
- Open-source command-line tool for interacting with qbee.io, with remote access (port forwarding) functionality built in. An alternative to the qbee-connect desktop app. See Remote access with qbee-cli.
- qbee-connect
- Desktop application for managing secure remote access connections to Qbee-managed devices — browse inventory, open port-forwarding tunnels, and run multiple sessions side by side. An alternative to qbee-cli. See qbee-connect.
- Qbee Terraform Provider
- The Qbee Terraform Provider, which lets you manage device configurations declaratively as infrastructure-as-code. See Qbee Terraform Provider.
- device
- Any endpoint running the Qbee agent and managed through Qbee — an edge device, gateway, or single-board computer. See The Agent and the Cloud.
- fleet
- The collection of devices managed together under one Qbee account. See Fleet organization.
- pull-based
- The agent's communication model — the device initiates every connection to qbee.io over outbound HTTPS. No inbound firewall rules, VPN, or public IP address are required. See What is configuration management?.
- polling cycle
- The interval at which the agent checks in with qbee.io, retrieves its desired state, converges, and reports status. The default, which is also the minimum, is 5 minutes. See Settings and The Polling Cycle.
- desired state
- The target configuration committed in qbee.io that the agent drives the device toward. The agent does not run a script — it reconciles the device to match the desired state on each poll. See Configuration Convergence.
- converge
- The process by which the agent drives a device to match its desired state. Repeated on every polling cycle so that drift is corrected automatically. See Configuration Convergence.
- drift
- Any change to a device's state made outside Qbee (a manual edit, a hand-installed package). The agent detects drift on its next poll and reconverges to the desired state. See When Things Go Wrong.
- commit-then-converge
- Qbee's workflow model — you define and commit a desired state in the console, and the agent converges each device to match on its next poll. See Apply Configuration.
- agent attestation
- Cryptographic proof (signed checksums and SLSA provenance) that the qbee-agent binaries you install are exactly what Qbee built and tested. See Agent attestation.
Fleet organization
- group
- A node in the fleet's tree structure, used to organize devices and apply configuration that inherits to its children. The root group is "All devices". See Groups.
- tags
- Cross-cutting labels that overlay the group tree, letting you target devices in different branches with shared configuration. See Tags.
- All devices
- The root group at the top of the fleet tree. Every device is enrolled here unless moved into a sub-group. See Groups.
- inheritance
- The mechanism by which configuration applied to a group or tag flows down to its devices, so each device does not need to be configured individually. See Inheritance.
Onboarding
- bootstrapping
- The process of securely enrolling a device into Qbee. The device identifies itself with a valid bootstrap key and is then accepted by the platform. See What is Bootstrapping?.
- bootstrap key
- The secret key used to enroll devices. Each account has a unique default bootstrap key, and additional keys can be created for production use. See The Bootstrap Key.
- pre-seeded keys
- Bootstrap keys (and device keys) baked into a system image so that devices can onboard automatically, without manual key injection. See Bootstrap Keys in Production.
- rebootstrap
- Re-enrolling a device by deleting its local keys and re-running the bootstrap command — typically to move it between accounts or reset its identity. See Rebootstrapping devices.
Configuration
- bundle
- A configuration representing one aspect of system setup (files, users, firewall, packages, etc.). Only one bundle of each type can be defined per entity. See Concepts.
- node
- In the configuration model, a group or device — the thing configuration is attached to. See Concepts.
- entity
- In the configuration model, a node or tag — the broader target a configuration can apply to. See Concepts.
- File Distribution
- The bundle that deploys files to devices and optionally runs a command when they change. Qbee's general-purpose configuration management tool. See File Distribution.
- key-value templating
- The {{key}} mustache-notation mechanism that exposes parts of a distributed file as editable variables, so one template can serve many device-specific configurations. See Key-Value Templating.
- template parameters
- Per-item key-value pairs that feed {{key}} placeholders in a specific File Distribution, Software Management, or Docker Compose file. Distinct from parameters, which are organization-wide. See Key-Value Templating.
- parameters
- Shared key-value pairs (including secrets) defined on the Parameters tab. Referenced anywhere in the Qbee configuration via $(parameter) placeholders, including as input to template parameters. Inherit down the group tree. See Parameters and secrets.
- secrets
- Key-value pairs that behave like parameters but cannot be retrieved once saved and are redacted from device logs. A device receives the value only when requesting its configuration. See Secrets.
- system parameters
- Locally-resolved $(sys.*) values (hostname, architecture, OS flavor, etc.) that the agent substitutes at converge time, so one configuration can span heterogeneous fleets. See Device resolved parameters.
- command to run
- An optional hook on a File Distribution entry that runs whenever the distributed file is (re)written — used to restart a service or apply changes after a templated file changes. See Command to Run.
Remote access
- remote access
- The capability to reach any device in the fleet through encrypted tunnels, regardless of network topology — no VPN or open inbound ports required. See Remote Access.
- secure tunnel
- The encrypted, ephemeral channel between an operator and a device through which remote access sessions (console, port forwarding, file copy) run. See Remote Access.
- port forwarding
- Mapping a port on a remote device to a port on your local machine through a secure tunnel, so you can reach device-local services (web UIs, VNC, SSH) from your workstation. See Remote access with qbee-cli.
- remote access actions
- The four operation types the permission model controls: tunnel (network tunneling, TCP and UDP), console (terminal/PTY access), reload (force the agent to run), and copy (file upload and download). See Permission Syntax.
OTA updates
- OTA
- Over-the-air delivery of software, configuration, or full system image updates to devices without physical access. See OTA Updates.
- RAUC
- Robust Auto-Update Controller — the open-source framework Qbee uses for atomic A/B image updates with rollback support. See A/B Update with RAUC.
- A/B update
- A full-image update scheme in which the device has two system partitions (slots A and B). The new image is written to the inactive slot, the bootloader swaps slots on the next boot, and the device automatically reverts if the new slot fails to start. See A/B Update with RAUC.
- delta update
- An update that transfers only the binary diff between the old and new image rather than the full image, reducing bandwidth. See A/B Update with RAUC.
- golden image
- A prebuilt, tested system image used as the canonical baseline for provisioning devices — often with the agent and keys pre-baked so onboarding is automatic. See Automatic bootstrap using golden image.
Software & packages
- package management
- The bundle that updates existing OS packages from the device's configured repositories. For installing new packages, use Software management. See Package management.
- software management
- The bundle that installs new packages on a device — either from a repository or from package files uploaded to the file manager. See Software management.
Monitoring & security
- inventory
- The per-device record of system metadata the platform collects — hardware, OS, installed packages (with CVE matches), users, ports, and running processes. See Inventory.
- audit log
- The immutable record of who changed what on the platform and when, used for compliance and troubleshooting. See Audit Log.
- CVE
- The view that lists known vulnerabilities detected against a device's installed packages, drawn from inventory data. See CVE.
- heartbeat monitoring
- The mechanism that tracks device online/offline transitions and raises notifications when a device stops checking in. See Settings.
- connectivity watchdog
- The bundle that reboots a device after a configured number of failed attempts to reach qbee.io — useful for devices on flaky mobile networks. See Connectivity watchdog.
- process watch
- The bundle that keeps a named process running (or stopped) by detecting its presence and restarting (or killing) it as needed. See Process watch.
- metrics monitor
- The on-device bundle that watches system metrics against thresholds and raises notifications when they are crossed. See Metrics monitor.
- TPM
- Trusted Platform Module — a hardware security module used for secure key storage, attestation, and secure-boot workflows. Qbee supports TPM-backed device identity. See TPM.