LibUp/Architecture

LibUp is split into a few different components that all come from a shared codebase.

Web interface
The web interface is a Flask application that reads data from MariaDB using SQLAlchemy. It is managed by the  systemd unit. This application runs directly on the host and is not isolated; however, it does not have access to the ssh-agent.

Runner
A daily systemd timer triggers the  script, which fetches the latest configuration, obtains the latest upstream versions, and queues jobs into celery.

Upgrader (libup-celery)
The actual upgrading process runs one job per repo/branch combination. We cache each Git repo we clone in /srv/git (as a bare repo), so in most cases the job only needs to do a git fetch to get the latest version. After that, everything runs inside the docker container.

/srv/git is mounted read-only so the container can clone from that folder.

...write some more.

At the end of the job, the log, patch file, and advisories are written to a JSON file, which is read by the celery job on the host (outside the container), turned into database rows, and inserted.
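The host-side half of one upgrader job as an illustrative example (added here, not LibUp's own code): it mounts the /srv/git cache read-only into the container and validates the result JSON before it becomes database rows. The container image name, the result directory layout and the JSON keys "log", "patch" and "advisories" are assumptions.

```python
"""Illustrative host-side wrapper for one LibUp repo/branch job.
Added example, not LibUp's code; image name, /result layout and the
JSON keys are assumptions."""
import json
import os
from dataclasses import dataclass

GIT_CACHE = "/srv/git"                 # bare-repo cache described on the page
RESULT_MAX_BYTES = 16 * 1024 * 1024    # assumption: cap on what the host will parse


def docker_args(image: str, repo: str, branch: str, result_dir: str) -> list[str]:
    """Build the docker run argv for one job.
    The git cache is mounted read-only (:ro) so the container can only clone
    from it; the result directory is the single writable mount."""
    return [
        "docker", "run", "--rm",
        "-v", f"{GIT_CACHE}:{GIT_CACHE}:ro",
        "-v", f"{result_dir}:/result",
        image, repo, branch,
    ]


@dataclass
class JobResult:
    repo: str
    branch: str
    log: str
    patch: str
    advisories: list


def load_result(path: str, repo: str, branch: str) -> JobResult:
    """Read the JSON the container wrote and check its shape before it is
    turned into database rows. The container ran the repo's own build tooling,
    so its output is treated as untrusted input on the host."""
    if os.path.getsize(path) > RESULT_MAX_BYTES:
        raise ValueError("result file too large")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError("result is not a JSON object")
    log = data.get("log", "")
    patch = data.get("patch", "")
    advisories = data.get("advisories", [])
    if not (isinstance(log, str) and isinstance(patch, str)):
        raise ValueError("log and patch must be strings")
    if not isinstance(advisories, list) or not all(isinstance(a, dict) for a in advisories):
        raise ValueError("advisories must be a list of objects")
    return JobResult(repo, branch, log, patch, advisories)
```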