LibUp/Architecture

LibUp is split into a few different components that all come from a shared codebase.

Web interface
The web interface is a Flask application that reads data from MariaDB using SQLAlchemy. It is managed by the  systemd unit. This application runs inside a podman container on a separate VM, so it has no access to the private SSH key material or the ssh-agent.

The web image is built automatically by the deployment pipeline on every merged commit to the Git repository. It can be deployed by running  manually; a systemd timer also runs the auto-update every 24 hours.

Runner
A daily systemd timer triggers the  script, which fetches the latest configuration, obtains the latest upstream versions, and queues jobs into Celery.

Upgrader (libup-celery)
The actual upgrade runs as one job per repo/branch combination. Each Git repo we clone is cached in /srv/git as a bare repo, so in most cases a git fetch is enough to get the latest version. After that, everything runs inside the Docker container.

/srv/git is mounted read-only so the container can clone from that folder but cannot write to it.

...write some more.

At the end of the job, the log, patch file and advisories are written to a JSON file, which the Celery job on the host (outside the container) reads, turns into database rows and inserts.
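The host side of one upgrader job, as an added illustration (not LibUp's own code): mapping a repo name onto the /srv/git cache without letting a bad name escape it, choosing between a fetch and a fresh bare clone, running the container with the cache mounted read-only, and treating the JSON the container writes as untrusted input before it becomes database rows. The result-file name, its field names ("log", "patch", "advisories" with "package"/"id"/"severity"), the image name and the size cap are assumptions; the page documents none of them.

```python
"""Host-side sketch of one upgrader job (illustration only, not LibUp's code)."""
import json
import tempfile
from pathlib import Path

GIT_CACHE = Path("/srv/git")          # bare-repo cache on the host (from the page)
MAX_RESULT_BYTES = 16 * 1024 * 1024   # assumed cap on the container's JSON output


def cache_path(cache: Path, repo: str) -> Path:
    """Map a repo name such as "mediawiki/core" to its bare clone under the cache.

    The name comes from the fetched configuration, so refuse anything that
    resolves outside the cache directory ("../", absolute paths, empty names).
    """
    cache = cache.resolve()
    dest = (cache / repo).resolve()
    if cache not in dest.parents:
        raise ValueError(f"repo name escapes the cache: {repo!r}")
    return dest


def refresh_cmd(cache: Path, repo: str, upstream_url: str) -> list:
    """git argv that brings the cached bare repo up to date.

    A mirror clone sets remote.origin.fetch to +refs/*:refs/*, so a later plain
    fetch updates every branch; a plain bare clone would only update FETCH_HEAD.
    """
    dest = cache_path(cache, repo)
    if (dest / "HEAD").is_file():  # a bare repo keeps HEAD at its top level
        return ["git", "-C", str(dest), "fetch", "--prune", "origin"]
    return ["git", "clone", "--mirror", upstream_url, str(dest)]


def container_cmd(cache: Path, workdir: Path, image: str, repo: str, branch: str) -> list:
    """docker run argv for the upgrade itself (image and entrypoint are assumed).

    The cache is mounted read-only so the container can clone from it but never
    write back into it; only the scratch directory for result.json is writable.
    """
    return [
        "docker", "run", "--rm",
        "-v", f"{cache.resolve()}:/srv/git:ro",
        "-v", f"{workdir.resolve()}:/output",
        image, repo, branch,
    ]


def rows_from_result(repo: str, branch: str, raw: bytes) -> dict:
    """Turn the container's JSON into rows for the database.

    The JSON was produced while running upstream-controlled build steps, so it is
    untrusted: cap its size, insist on the expected shape and copy only known fields.
    """
    if len(raw) > MAX_RESULT_BYTES:
        raise ValueError("result.json too large")
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("result.json is not an object")
    for key in ("log", "patch"):
        if not isinstance(data.get(key), str):
            raise ValueError(f"missing or non-string field {key!r}")
    if not isinstance(data.get("advisories"), list):
        raise ValueError("missing or non-list field 'advisories'")

    advisories = []
    for adv in data["advisories"]:
        if not isinstance(adv, dict) or not all(
            isinstance(adv.get(k), str) for k in ("package", "id", "severity")
        ):
            raise ValueError("malformed advisory entry")
        advisories.append({"repo": repo, "branch": branch, "package": adv["package"],
                           "id": adv["id"], "severity": adv["severity"]})
    return {
        "log": {"repo": repo, "branch": branch, "text": data["log"]},
        "patch": {"repo": repo, "branch": branch, "text": data["patch"]},
        "advisories": advisories,
    }


if __name__ == "__main__":
    # Constructed sample of what a container run might write; not real output.
    sample = json.dumps({
        "log": "npm audit: 1 vulnerability found",
        "patch": "--- a/package.json\n+++ b/package.json\n",
        "advisories": [{"package": "lodash", "id": "example-advisory-1", "severity": "high"}],
    }).encode()
    with tempfile.TemporaryDirectory() as work:
        print(refresh_cmd(GIT_CACHE, "mediawiki/core", "https://example.invalid/core.git"))
        print(container_cmd(GIT_CACHE, Path(work), "libup-image", "mediawiki/core", "master"))
        Path(work, "result.json").write_bytes(sample)
        print(rows_from_result("mediawiki/core", "master", Path(work, "result.json").read_bytes()))
```

The containment check in cache_path matters because the repo list arrives from the configuration the runner fetches, and the read-only mount is what keeps a compromised build step inside the container from poisoning the cache that every later job clones from.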