Verification of the integrity of the source code of Weblate and its dependencies has been a concern since the beginning of this project, as a compromise of that piece would mean a compromise of the Tails documentation/website. That concern initially led to the decision not to rely on PyPI as a source of packages, which made upgrading and maintaining the installation more difficult, as we then needed a new, separate way of resolving dependencies and fetching source code.

With time it became clear that Weblate releases came out much faster than the Tails sysadmins' capacity to upgrade the platform and keep it up to date. This led to the decision to redesign the platform around the containerized Weblate application provided by upstream.

Our current Puppet code for the translation platform is the result of that process and, when applied, will set up Weblate from a container using Podman and configure the environment around it to provide the other parts of the Translation Platform.

Trusted sources

By using Weblate's upstream container, we are effectively trusting all parties involved in building and distributing that container to provide the source code as intended by the developers of Weblate and each of its dependencies.

What follows is a list of actors involved in the build and distribution chain of the Weblate container and may need to be revisited when/if upstream changes its process:

Administrative commands

Please note that the weblate user in the host system (UID 2000000 in translate.lizard) corresponds to the root user inside the Weblate container (UID 0).

Also, some of the commands below have to be executed in a directory readable by the user weblate on the host system (e.g. /tmp or /var/lib/weblate).
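The UID note above is the usual rootless-Podman mapping: the host user's own UID becomes UID 0 inside the container, and its subordinate range from /etc/subuid becomes container UIDs 1..N. The following added example (not part of this documentation or of the Weblate scripts) translates UIDs in both directions and flags files whose host owner is not visible from inside the container; the /etc/subuid content and the range start are constructed assumptions, only the host UID 2000000 comes from this page.

```python
"""Translate file-owner UIDs between the host and the rootless Weblate container."""

# Constructed /etc/subuid content (assumption: the real range for weblate may differ).
SUBUID = """weblate:100000:65536
alice:165536:65536
"""
HOST_USER = "weblate"
HOST_USER_UID = 2000000  # weblate on translate.lizard, as stated above


def parse_subuid(text, user):
    """Return (start, count) of the subordinate UID range assigned to `user`."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, start, count = line.strip().split(":")
        if name == user:
            return int(start), int(count)
    raise KeyError(f"no subuid range for {user}")


def container_to_host(cuid, user_uid, subuid_range):
    """Host UID that a file owned by container UID `cuid` shows up as."""
    start, count = subuid_range
    if cuid == 0:
        return user_uid  # container root is the host user itself
    if 1 <= cuid <= count:
        return start + cuid - 1  # container UID 1 is the first subordinate UID
    raise ValueError(f"container UID {cuid} is outside the mapped range")


def host_to_container(huid, user_uid, subuid_range):
    """Container UID for a host-owned file, or None if the owner is not mapped."""
    start, count = subuid_range
    if huid == user_uid:
        return 0
    if start <= huid < start + count:
        return huid - start + 1
    return None  # unmapped: inside the container the file appears as nobody/overflow


def unmapped_files(entries, user_uid, subuid_range):
    """From (path, host_uid) pairs, return paths the container cannot own or chown."""
    return [p for p, uid in entries
            if host_to_container(uid, user_uid, subuid_range) is None]
```

On the real host the (path, uid) pairs would come from os.stat() over /var/lib/weblate; a non-empty result is the kind of drift the cron-run permissions enforcement is meant to correct.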

To start, stop or restart the container, use Systemd with the --user flag (the example below stops it; use start or restart in the same way):

   sudo -u weblate XDG_RUNTIME_DIR=/run/user/2000000 systemctl --user stop podman-weblate

To see the container logs:

   sudo -u weblate podman logs -f --tail=1 weblate

To get a shell as the weblate user in the running Weblate container:

   sudo -u weblate podman exec -t -i weblate /bin/bash

To get a shell as the root user in the running Weblate container:

   sudo -u weblate podman exec -t -i --user=root weblate /bin/bash

To see the logs of the integration script:

   sudo -u weblate tail -f /var/log/weblate/update.log

To run the integration script (note that this is run periodically by cron):

   sudo -u weblate /var/lib/weblate/scripts/run_in_container.sh /scripts/cron.sh

To run permissions enforcement (note that this is run periodically by cron):

   sudo -u weblate /var/lib/weblate/scripts/run_in_container.sh /scripts/weblate_permissions.py --enforce

To update the translation memory database (note that this is run periodically by cron):

   sudo -u weblate /var/lib/weblate/scripts/update_tm.sh

To see Apache logs (replace access with error on the line below to see the corresponding error logs):

   sudo /usr/bin/tail -f /var/log/apache2/access.log