LibUp/Architecture
LibUp is split into a few different components that all come from a shared codebase.
Web interface
The web interface is a Flask application that reads data from MariaDB using SQLAlchemy. It is managed by the libup-web systemd unit. This application runs inside a podman container on a separate VM, so it has no access to the private SSH key material or the ssh-agent.
The web image is automatically built via the deployment pipeline on every merged commit to the Git repository. It can be deployed manually by running sudo podman auto-update; a systemd timer also runs the auto-update every 24 hours.
Runner
A daily systemd timer triggers the libup-run script, which fetches the latest configuration, obtains the latest upstream versions, and queues jobs into celery.
Upgrader (libup-celery)
The actual upgrading process runs one job per repo/branch combination. We cache each Git repo we clone in /srv/git (as a bare repo), so in most cases the job only needs a git fetch to get the latest version. After that, everything runs inside the docker container.
/srv/git is mounted read-only so the container can clone from that folder without being able to modify it.
...write some more.
At the end of the job, the log, patch file and advisories are written to a JSON file, which is read by the celery job on the host (outside the container), turned into database rows, and inserted.
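The host-side step just described, as an added example that is not LibUp's own code: the celery job treats the JSON the container wrote as untrusted input (the job ran third-party package tooling), validates its shape and size, and only then flattens it into rows. The JSON layout (repo, branch, log, patch, advisories), the advisory keys, the size caps and the row shape are all assumptions, as is the constructed sample result.

```python
import json

# Size caps are assumptions: the container is a trust boundary, so the host side
# must not accept unbounded log or patch text from it.
MAX_LOG_BYTES = 1_000_000
MAX_PATCH_BYTES = 5_000_000
ADVISORY_KEYS = {"package", "id", "severity"}  # assumed advisory shape
# Constructed sample of what a container run might write (not a real LibUp run).
SAMPLE_RESULT = json.dumps({
    "repo": "mediawiki/extensions/Example", "branch": "master",
    "log": "npm audit: 1 vulnerability\n",
    "patch": "--- a/package.json\n+++ b/package.json\n",
    "advisories": [{"package": "example-pkg", "id": "ADVISORY-PLACEHOLDER",
                    "severity": "high"}],
}).encode()

class BadJobResult(ValueError):
    """Raised when the container's result file is malformed or oversized."""

def _require_str(data, key, limit=0):
    value = data.get(key)
    if not isinstance(value, str):
        raise BadJobResult(f"'{key}' missing or not a string")
    if limit and len(value.encode()) > limit:
        raise BadJobResult(f"'{key}' exceeds {limit} bytes")
    return value

def parse_job_result(raw: bytes) -> dict:
    """Validate the JSON the container wrote before it is turned into DB rows."""
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise BadJobResult(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise BadJobResult("top-level value must be an object")
    advisories = data.get("advisories", [])
    if not isinstance(advisories, list) or not all(
            isinstance(a, dict) and ADVISORY_KEYS.issubset(a) for a in advisories):
        raise BadJobResult("'advisories' must be a list of well-formed objects")
    return {"repo": _require_str(data, "repo"), "branch": _require_str(data, "branch"),
            "log": _require_str(data, "log", MAX_LOG_BYTES),
            "patch": _require_str(data, "patch", MAX_PATCH_BYTES),
            "advisories": advisories}

def to_rows(result: dict) -> list:
    """Flatten a validated result into one run row plus one row per advisory."""
    run = {"table": "runs", **{k: result[k] for k in ("repo", "branch", "log", "patch")}}
    # Fixed keys come last so an advisory object cannot override table/repo/branch.
    return [run] + [{**a, "table": "advisories", "repo": result["repo"],
                     "branch": result["branch"]} for a in result["advisories"]]
```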