From d3329245bbdaf39a8228b992ee123475c83c8f92 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 8 Feb 2020 11:46:35 +0200
Subject: Change: arch diagram, and component list

---
 worker.md | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/worker.md b/worker.md
index 7a7e1a4..a63c110 100644
--- a/worker.md
+++ b/worker.md
@@ -61,12 +61,18 @@ The contractor architecture is as follows.
 ~~~dot
 digraph "arch" {
- buildyaml [shape=box, label="Build specification"];
- artifacts [shape=box];
+ buildyaml [shape=tab, label="Build specification", style=filled];
+ artifacts [shape=tab, style=filled];
+ contractor [shape=ellipse, label="Ick contractor", style=filled];
+ bwrap [shape=ellipse, label="Security container"];
 workspace [shape=box, label="Temp workspace"];
- systree [shape=box, label="System tree"];
+ systree [shape=box, label="Temp system tree"];
+ network [shape=octagon, label="Network"];
 buildyaml -> contractor;
+ contractor -> systree;
+ contractor -> workspace;
+ contractor -> network;
 contractor -> bwrap;
 bwrap -> workspace;
 bwrap -> systree;
@@ -75,6 +81,28 @@ digraph "arch" {
 }
 ~~~
+There are several components:
+
+* A **build specification** provided by the user. Lists all the
+ projects to build, and how to build them.
+
+* An **artifact store**, a local directory, maintained by the
+ contractor. Persistent across invocations of the contractor.
+
+* A **workspace**, a local temporary directory, created by the
+ controller for the duration a project build. Populated by the build
+ steps of a project.
+
+* A **system tree**, a local temporary directory, created by the
+ controller for the duration of a project build. Populated by
+ contractor build actions to install an operating system and build
+ dependencies.
+
+* A **security container** implemented using Bubblewrap, combining the
+ workspace and the system tree into a process using Linux kernel
+ namespaces. All untrusted build steps are executed in the security
+ container, without network access.
+
 The contractor reads a build specfication from a file, instead of
 retrieving it from the Ick controller (see
 [indepenence](#req-independent)), and executes all the build steps
@@ -114,8 +142,9 @@ The contractor executes also the trusted, external programs using
 bwrap, but with network access, and read-only access to the host's
 operating system.
-The contractor implmements a local artifact store, probably as a plain
-directory, and provides build steps for controlled access to it.
+The contractor implmements a persisten local artifact store, probably
+as a plain directory, and provides build steps for controlled access
+to it.
 Simple threat modelling
-- 
cgit v1.2.1