Auto-merge for PR #630 via VersionBot

Use resinos-in-container for the development dind supervisor
2025-04-18 08:10:04 +00:00 · 2018-04-23 17:16:11 +00:00 · 2018-04-23 17:16:11 +00:00 · 78107b1199
commit 78107b1199
parent 5be3736266 12998203f5
26 changed files with 184 additions and 480 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,13 +1,11 @@
 /node_modules/
 /automation/node_modules/
 /automation/meta-resin/
+/meta-resin/
 *.swp
-data
+/data/
 bin/gosuper
 gosuper/bin/
-tools/dind/config.json
-tools/dind/apps.json
-tools/dind/config/localenv

 base-image/build/bitbake.lock
 base-image/build/cache
@ -15,11 +13,8 @@ base-image/build/downloads
 base-image/build/sstate-cache
 base-image/build/tmp-glibc

-Dockerfile.build.*
-Dockerfile.runtime.*
-!Dockerfile.build.template
-!Dockerfile.runtime.template
 /build/
 /dist/
-tools/dind/config/services/docker.service.d/proxy.conf
-tools/dind/supervisor-image.tar
+tools/dind/config/
+tools/dind/config.json*
+tools/dind/apps.json
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
+[submodule "tools/dind/resinos-in-container"]
+	path = tools/dind/resinos-in-container
+	url = git@github.com:resin-os/resinos-in-container.git
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).

+## v7.4.4 - 2018-04-23
+
+* Use resinos-in-container for the development dind supervisor #630 [Pablo Carranza Velez]
+
 ## v7.4.3 - 2018-04-19

 * On startup, only attach to logs for running containers, and remove any containers marked as dead #625 [Pablo Carranza Velez]
--- a/120
+++ b/120
@ -23,12 +23,25 @@
 # * IMAGE: image to build and run (either for run-supervisor or test-gosuper/integration)
 # * SUPERVISOR_IMAGE: In run-supervisor and supervisor-dind, the supervisor image to run inside the docker-in-docker image
 # * PRELOADED_IMAGE: If true, will preload user app image from tools/dev/apps.json and bind mount apps.json into the docker-in-docker supervisor
-# * SUPERVISOR_EXTRA_MOUNTS: Additional bind mount flags for the docker-in-docker supervisor
-# * PASSWORDLESS_DROPBEAR: For run-supervisor - start a passwordless ssh daemon in the docker-in-docker supervisor
-# * CONTAINER_NAME: For run-supervisor, specify the container name for the docker-in-docker container (default: resin_supervisor_1)
+# * MOUNT_DIST: If true, mount the dist folder into the docker-in-docker supervisor
+# * MOUNT_NODE_MODULES: If true, mount the node_modules folder into the docker-in-docker supervisor
+# * CONTAINER_NAME: For run-supervisor, specify the container name for the docker-in-docker container (default: supervisor which produces container resinos-in-container-supervisor)
 # * CONFIG_FILENAME: For run-supervisor, specify the filename to mount as config.json, relative to tools/dind/ (default: config.json)
+# * DIND_IMAGE: For run-supervisor, specify the resinOS image to use (default: resin/resinos:2.12.5_rev1-intel-nuc)
 #

+# Based on https://stackoverflow.com/a/8540718/2549019
+# Retrieves a repo part of the given docker image string
+# Param:
+#   1. String to parse in form 'repo[:tag]'.
+repo = $(firstword $(subst :, ,$1))
+
+# Returns a tag (if any) on a docker image string.
+# If there is no tag part in the string, returns latest
+# Param:
+#   1. String to parse in form 'repo[:tag]'.
+tag = $(or $(word 2,$(subst :, ,$1)),latest)
+
 THIS_FILE := $(lastword $(MAKEFILE_LIST))

 help:
@ -49,12 +62,6 @@ ifdef no_proxy
 	DOCKER_NO_PROXY=--build-arg no_proxy=$(no_proxy)
 endif

-ifdef use_proxy_at_runtime
-	rt_http_proxy=$(http_proxy)
-	rt_https_proxy=$(https_proxy)
-	rt_no_proxy=$(no_proxy)
-endif
-
 DISABLE_CACHE ?= 'false'

 DOCKER_VERSION:=$(shell docker version --format '{{.Server.Version}}')
@ -73,21 +80,26 @@ IMAGE ?= resin/$(ARCH)-supervisor:master

 # Default values for run-supervisor
 SUPERVISOR_IMAGE ?= resin/$(ARCH)-supervisor:master
-PASSWORDLESS_DROPBEAR ?= false
-CONTAINER_NAME ?= resin_supervisor_1
+CONTAINER_NAME ?= supervisor
 CONFIG_FILENAME ?= config.json
+DIND_IMAGE ?= resin/resinos:2.12.5_rev1-intel-nuc

 # Bind mounts and variables for the run-supervisor target
-SUPERVISOR_DIND_MOUNTS := -v $$(pwd)/../../:/resin-supervisor -v $$(pwd)/$(CONFIG_FILENAME):/mnt/conf/config.json -v $$(pwd)/config/env:/usr/src/app/config/env -v $$(pwd)/config/localenv:/usr/src/app/config/localenv
-ifeq ($(OS), Linux)
-	SUPERVISOR_DIND_MOUNTS := ${SUPERVISOR_DIND_MOUNTS} -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /bin/kmod:/bin/kmod
-endif
+SUPERVISOR_DIND_MOUNTS := -v $$(pwd)/config/supervisor-image.tar:/usr/src/supervisor-image.tar:ro -v $$(pwd)/start-resin-supervisor:/usr/bin/start-resin-supervisor:ro -v $$(pwd)/config/supervisor.conf:/etc/resin-supervisor/supervisor.conf
+
 ifeq ($(PRELOADED_IMAGE),true)
-	SUPERVISOR_DIND_MOUNTS := ${SUPERVISOR_DIND_MOUNTS} -v $$(pwd)/apps.json:/usr/src/app/config/apps.json
+	SUPERVISOR_DIND_MOUNTS := ${SUPERVISOR_DIND_MOUNTS} -v $$(pwd)/apps.json:/mnt/data/apps.json
 else
 	PRELOADED_IMAGE=
 endif
-SUPERVISOR_EXTRA_MOUNTS ?=
+
+ifeq ($(MOUNT_DIST), true)
+	SUPERVISOR_DIND_MOUNTS := ${SUPERVISOR_DIND_MOUNTS} -v $$(pwd)/../../dist:/resin-supervisor/dist
+endif
+
+ifeq ($(MOUNT_NODE_MODULES), true)
+	SUPERVISOR_DIND_MOUNTS := ${SUPERVISOR_DIND_MOUNTS} -v $$(pwd)/../../node_modules:/resin-supervisor/node_modules
+endif

 ifdef TARGET_COMPONENT
 	DOCKER_TARGET_COMPONENT := "--target=${TARGET_COMPONENT}"
@ -98,66 +110,32 @@ endif
 # Default target is to build the supervisor image
 all: supervisor

-# Settings to make the run-supervisor target work behind a proxy
-DOCKERD_PROXY=tools/dind/config/services/docker.service.d/proxy.conf
-${DOCKERD_PROXY}:
-	rm -f ${DOCKERD_PROXY}
-	if [ -n "${rt_http_proxy}" ]; then \
-		proxies="\"HTTP_PROXY=${rt_http_proxy}\""; \
-		proxies="$${proxies[*]} \"http_proxy=${rt_http_proxy}\""; \
-	fi; \
-	if [ -n "${rt_https_proxy}" ]; then \
-		proxies="$${proxies[*]} \"HTTPS_PROXY=${rt_https_proxy}\""; \
-		proxies="$${proxies[*]} \"https_proxy=${rt_https_proxy}\""; \
-	fi; \
-	if [ -n "${rt_no_proxy}" ]; then \
-		proxies="$${proxies[*]} \"no_proxy=${rt_no_proxy}\""; \
-	fi; \
-	if [ -n "${proxies}" ]; then \
-		echo "[Service]" > ${DOCKERD_PROXY}; \
-		echo "Environment=$${proxies[*]}" >> ${DOCKERD_PROXY}; \
-	else \
-		touch ${DOCKERD_PROXY}; \
-	fi
-
 supervisor-tar:
-	docker save --output tools/dind/supervisor-image.tar $(SUPERVISOR_IMAGE)
-
-supervisor-dind: ${DOCKERD_PROXY} supervisor-tar
 	cd tools/dind \
-	&& docker build \
-		$(DOCKER_HTTP_PROXY) \
-		$(DOCKER_HTTPS_PROXY) \
-		$(DOCKER_NO_PROXY) \
-		${DOCKER_BUILD_OPTIONS} \
-		--no-cache=$(DISABLE_CACHE) \
-		--build-arg PASSWORDLESS_DROPBEAR=$(PASSWORDLESS_DROPBEAR) \
-		-t $(IMAGE) .
+	&& mkdir -p config \
+	&& docker save --output config/supervisor-image.tar $(SUPERVISOR_IMAGE)

-run-supervisor: stop-supervisor supervisor-dind
+supervisor-conf:
 	cd tools/dind \
-	&& echo "SUPERVISOR_IMAGE=$(SUPERVISOR_IMAGE)" > config/localenv \
-	&& echo "PRELOADED_IMAGE=$(PRELOADED_IMAGE)" >> config/localenv \
-	&& echo "SUPERVISOR_EXTRA_MOUNTS=$(SUPERVISOR_EXTRA_MOUNTS)" >> config/localenv; \
-	if [ -n "$(rt_http_proxy)" ]; then \
-		echo "HTTP_PROXY=$(rt_http_proxy)" >> config/localenv \
-		&& echo "http_proxy=$(rt_http_proxy)" >> config/localenv; \
-	fi; \
-	if [ -n "$(rt_https_proxy)" ]; then \
-		echo "HTTPS_PROXY=$(rt_https_proxy)" >> config/localenv \
-		&& echo "https_proxy=$(rt_https_proxy)" >> config/localenv; \
-	fi; \
-	if [ -n "$(rt_no_proxy)" ]; then \
-		echo "no_proxy=$(rt_no_proxy)" >> config/localenv; \
-	fi \
-	&& docker run -d --name $(CONTAINER_NAME) --privileged ${SUPERVISOR_DIND_MOUNTS} $(IMAGE)
+	&& mkdir -p config \
+	&& echo "SUPERVISOR_IMAGE=$(call repo,$(SUPERVISOR_IMAGE))" > config/supervisor.conf \
+	&& echo "SUPERVISOR_TAG=$(call tag,$(SUPERVISOR_IMAGE))" >> config/supervisor.conf \
+	&& echo "LED_FILE=/dev/null" >> config/supervisor.conf
+
+supervisor-dind: supervisor-tar supervisor-conf
+
+run-supervisor: supervisor-dind
+	cd tools/dind \
+	&& ./resinos-in-container/resinos-in-container.sh \
+		--detach \
+		--config "$$(pwd)/$(CONFIG_FILENAME)" \
+		--image $(DIND_IMAGE) \
+		--id $(CONTAINER_NAME) \
+		--extra-args "${SUPERVISOR_DIND_MOUNTS}"

 stop-supervisor:
-	# Stop docker and remove volumes to prevent us from running out of loopback devices,
-	# as per https://github.com/jpetazzo/dind/issues/19
-	-docker exec $(CONTAINER_NAME) bash -c "systemctl stop docker" || true
-	-docker stop $(CONTAINER_NAME) > /dev/null || true
-	-docker rm -f --volumes $(CONTAINER_NAME) > /dev/null || true
+	-docker stop resinos-in-container-$(CONTAINER_NAME) > /dev/null || true
+	-docker rm -f --volumes resinos-in-container-$(CONTAINER_NAME) > /dev/null || true

 supervisor-image:
 ifneq ($(DOCKER_GE_17_05),true)
--- a/README.md
+++ b/README.md
@ -4,29 +4,24 @@ Join our online chat at [![Gitter chat](https://badges.gitter.im/resin-io/chat.p

 This is [resin.io](https://resin.io)'s supervisor, a program that runs on IoT devices and has the task of running user Apps (which are Docker containers), and updating them as resin.io's API informs it to.

-The supervisor is for now a Node.js program, with a subset of its functionality implemented in Go.
-
-We are using [waffle.io](https://waffle.io) to manage our tickets / issues, so if you want to track our progress or contribute take a look at [our board there](https://waffle.io/resin-io/resin-supervisor).
+The supervisor is a Node.js program.

 ## Running a supervisor locally

 This process will allow you to run a development instance of the supervisor on your local computer. It is not recommended for production scenarios, but allows someone developing on the supervisor to test changes quickly.
-The supervisor is run inside a Docker-in-Docker container that roughly emulates its environment when running on a resinOS device.
+The supervisor is run inside a resinOS instance running in a container, so effectively it's a Docker-in-Docker instance (or more precisely, [balena](https://github.com/resin-os/balena)-in-Docker).

 ### Set up `config.json`

-Add a `tools/dind/config.json` file from a staging or production device image. It should be configured for an x86 or amd64 device type (e.g. an Intel Nuc) so that you can push apps to it and they run properly on your computer.
+To configure the supervisor, you'll need a `tools/dind/config.json` file. There's two options on how to get this file:

-Note: Don't use staging for production devices. This is for development purposes only. A production (resin.io) `config.json` should work just as well for this local supervisor, but we also don't recommend using this in production scenarios - resinOS is better suited for that.
-
-A `config.json` file can be obtained in several ways, for instance:
-
-* Log in to the dashboard on resinstaging (https://dashboard.resinstaging.io), create or select an application, click "Download OS" and on the Advanced section select "Download configuration only".
-* Install the resin CLI with `npm install -g resin-cli`, then login with `resin login` and finally run `resin config generate --app <appName> -o config.json` (choose the default settings whenever prompted). Check [this section](https://github.com/resin-io/resin-cli#how-do-i-point-the-resin-cli-to-staging) on how to point resin CLI to a device on staging.
+* Log in to the [resin dashboard](https://dashboard.resin.io), create or select an application, click "Add device" and on the Advanced section select "Download configuration file only". Make sure you use an x86 or amd64 device type for your application, for example Intel NUC.
+* Install the resin CLI with `npm install -g resin-cli`, then login with `resin login` and finally run `resin config generate --app <appName> -o config.json` (choose the default settings whenever prompted).

 The `config.json` file should look something like this:

 (Please note we've added comments to the JSON for better explanation - the actual file should be valid json *without* such comments)
+
 ```
 {
 	"applicationId": "2167", /* Id of the app this supervisor will run */
@ -73,46 +68,23 @@ This will mount the ./dist folder into the supervisor container and build the co
 ```

 ### Testing with preloaded apps
-To test preloaded apps, add a `tools/dind/apps.json` file according to the preloaded apps spec.

-It should look something like this:
+To test preloaded apps, run `resin preload` (see the [resin CLI docs](https://docs.resin.io/tools/cli/#preload-60-image-62-) on an OS image for the app you are testing with. Then copy the `apps.json` file from the `resin-data` partition into `tools/dind/apps.json`. 

-(As before, please note we've added comments to the JSON for better explanation - the actual file should be valid json *without* such comments)
-
-```
-[{
-	"appId": "2167", /* Id of the app we are running */
-	"name": "myapplication", /* Name of the app we are running */
-	"commit": "commithash", /* Current git commit for the app */
-	"imageId": "registry.resinstaging.io/path/to/image", /* Id of the Docker image for this app */
-	"env": { /* Environment variables for the app */
-		"KEY": "value"
-	},
-	"config": { /* Device configuration variables */
-		"RESIN_SUPERVISOR_DELTA": "1"
-	}
-}]
-```
+This file has a format equivalent to the `local` part of the target state endpoint on the resin API.

 Make sure the `config.json` file doesn't have uuid, registered_at or deviceId populated from a previous run.

 Then run the supervisor like this:
+
 ```bash
 ./dindctl run --image resin/amd64-supervisor:master --preload
 ```
-This will make the Docker-in-Docker instance pull the image specified in `apps.json` before running the supervisor, simulating a preloaded resinOS image (where `resin preload` has been used on the image, see [the resin CLI docs](https://docs.resin.io/tools/cli/#preload-60-image-62-)).

-### Enabling passwordless dropbear access
-
-If you want to enable passwordless dropbear login (e.g. while testing `resin sync`) you can set the `--ssh` option, like:
-
-```bash
-./dindctl run --image resin/amd64-supervisor:master --ssh
-```
-
-This will run an ssh daemon **with no password** inside the Docker-in-Docker instance, so use with caution.
+This will make the Docker-in-Docker instance pull the image specified in `apps.json` before running the supervisor, simulating a preloaded resinOS image.

 ### View the supervisor's logs
+
 ```bash
 ./dindctl logs
 ```
@ -125,15 +97,18 @@ additional options, for instance, to see the logs from the supervisor service:
 ```

 ### Stop the supervisor
+
 ```bash
 ./dindctl stop
 ```
+
 This will stop the container and remove it, also removing its volumes.

 ## Developing with a resinOS device

 If you want to test local changes (only changes to the Node.js code are supported) on a real resinOS device, provision
 a [development OS image](https://docs.resin.io/understanding/understanding-devices/2.0.0/#dev-vs-prod-images) and power up the device. On the resin.io dashboard, take note of the device's IP address. Then run:
+
 ```
 ./sync.js <device IP>
 ```
@ -142,73 +117,32 @@ This will build the supervisor code and sync it onto the running supervisor cont

 ## Build a local supervisor image

-This should rarely be needed as `--mount-dist` allows you to test any changes to the Node.js code without a full rebuild. However, if you've changed code in gosuper, base-image or the Dockerfile you will need to build the proper
+This should rarely be needed as `--mount-dist` allows you to test any changes to the Node.js code without a full rebuild. However, if you've changed code in the base image or the Dockerfile you will need to build the proper
 supervisor Docker image.

 Build the supervisor with a specific tag, and for a specific architecture, like this:
+
 ```bash
 ./dindctl build --tag master --arch amd64
 ```

 This will build the supervisor Docker image locally. If you then run `docker images` you should see the repo/tag you
-set there. Keep in mind several images will be pulled for caching purposes - if the base image is not cached the build
-can take a few hours.
+set there. Keep in mind several images will be pulled for caching purposes.

-The Docker caching system can be tricky, so it might try to build the base image anyways; if you see that the build hangs at something like:
+## Base image

-```
-### Shell environment set up for builds. ###
-
-You can now run 'bitbake <target>'
-
-Common targets are:
-    core-image-minimal
-    core-image-sato
-    meta-toolchain
-    meta-ide-support
-
-You can also run generated qemu images with a command like 'runqemu qemux86'
-```
-
-...don't be alarmed, it means it is building the base image and will take a few hours without any output. Go grab some coffee or play a game of Risk.
-
-## Working with the Go supervisor
-
-The code for the Go supervisor lives in the `gosuper` directory.
-
-To build it, run (with the ARCH and IMAGE you want):
-```bash
-make ARCH=amd64 IMAGE=username/gosuper:master gosuper
-```
-This will build a Docker image that builds the Go supervisor and has the executable at /go/bin/gosuper inside the image.
-
-### Adding Go dependencies
-This project uses [glide](https://github.com/Masterminds/glide) to manage its Go dependencies. Refer to its repository for instructions on adding packages.
-
-In order for go utilities to work, this repo needs to be within the `src` directory in a valid Go workspace. This can easily be achieved by having the repo as a child of a directory named `src` and setting the `GOPATH` environment variable to such directory's parent.
+The supervisor uses the [resin-supervisor-base](https://github.com/resin-io/resin-supervisor-base) as a base image.
+This is a minimal Linux image containing busybox, rsync and Node.js, and it's built with the [Yocto project](https://www.yoctoproject.org/).

 ## Testing

-We're working on adding more tests to this repo, but here's what you can run in the meantime:
+You can run some unit tests with:

-### Gosuper
-
-The Go supervisor can be tested by running:
-```bash
-make ARCH=amd64 test-gosuper
 ```
-The test suite is at [gosuper/main_test.go](./gosuper/main_test.go).
-
-### Integration test
-The integration test tests the supervisor API by hitting its endpoints. To run it, first run the supervisor as explained in the first section of this document.
-
-Once it's running, you can run the test with:
-```bash
-make ARCH=amd64 test-integration
+npm test
 ```

-The tests will fail if the supervisor API is down - bear in mind that the supervisor image takes a while to start the actual supervisor program, so you might have to wait a few minutes between running the supervisor and testing it.
-The test expects the supervisor to be already running the application (so that the app is already on the SQLite database), so check the dashboard to see if the app has already downloaded.
+You'll need Node.js 6 installed, and having run `npm install` first. The supervisor runs on Node 6.13.1, so using that specific version will ensure tests run in the same environment as production.

 ## Contributing

--- a/55
+++ b/55
@ -20,14 +20,14 @@
 # Options:
 # 	--arch | -a  [arch]		architecture of the supervisor to build (default: amd64 )
 # 	--image | -i [image]	image name for supervisor image to build/use ( default: resin/$ARCH-supervisor:master )
-# 	--dind-image [image]	image name for the dind host container
-# 	--dind-container [name]	container name for the dind host container ( default: resin_supervisor_1 )
+# 	--dind-image [image]	image to use for the resinos-in-container host (default: resin/resinos:2.12.5_rev1-intel-nuc)
+# 	--dind-container [name]	container name suffix for the dind host container ( default: "supervisor", which will produce a container named resinos-in-container-supervisor)
 # 	--mount-dist			bind-mount './dist/' (where webpack stores the built js) from local development environment into supervisor container.
 # 	--mount-nm				bind-mount './node_modules/' from local development environment into supervisor container.
-# 	--preload | -p			use tools/dev/apps.json to preload an application image into the dind host.
-# 	--ssh					enable a passwordless dropbear ssh server on the dind host
+# 	--preload | -p			use tools/dind/apps.json to preload an application image into the dind host.
 # 	--config | -c [file]	path to config.json, relative to tools/dind ( default: config.json )
 # 	--tag | -t [tag]		for the "build" action, specify the tag to build (default: master)
+# 	--no-clean				for the "stop" action, skip removing the data, boot and state volumes
 #
 # See README.md for examples.
 #
@ -44,15 +44,15 @@ SUPERVISOR_BASE_DIR="${DIR}"

 ARCH="amd64"
 SUPERVISOR_IMAGE="resin/${ARCH}-supervisor:master"
-PASSWORDLESS_DROPBEAR="false"
-SUPERVISOR_EXTRA_MOUNTS=""
-DIST_MOUNTED="false"
-DIND_IMAGE="resin-supervisor-dind"
-CONTAINER_NAME="resin_supervisor_1"
+DIND_IMAGE="resin/resinos:2.12.5_rev1-intel-nuc"
+MOUNT_DIST="false"
+MOUNT_NODE_MODULES="false"
+CONTAINER_NAME="supervisor"
 PRELOADED_IMAGE=""
 OPTIMIZE="true"
 CONFIG_FILENAME="config.json"
 TAG="master"
+CLEAN_VOLUMES="true"

 function showHelp {
 	cat $THIS_FILE | awk '{if(/^#/)print;else exit}' | tail -n +2 | sed 's/\#//' | sed 's|dindctl|'$THIS_FILE'|'
@ -63,18 +63,14 @@ function parseOptions {
 	do
 		case $1 in
 			--mount-dist)
-				DIST_MOUNTED="true"
-				SUPERVISOR_EXTRA_MOUNTS="$SUPERVISOR_EXTRA_MOUNTS -v /resin-supervisor/dist:/usr/src/app/dist"
+				MOUNT_DIST="true"
 				;;
 			--mount-nm)
-				SUPERVISOR_EXTRA_MOUNTS="$SUPERVISOR_EXTRA_MOUNTS -v /resin-supervisor/node_modules:/usr/src/app/node_modules"
+				MOUNT_NODE_MODULES="true"
 				;;
 			-p|--preload)
 				PRELOADED_IMAGE="true"
 				;;
-			--ssh)
-				PASSWORDLESS_DROPBEAR="true"
-				;;
 			-i|--image)
 				SUPERVISOR_IMAGE="$2"
 				shift || { echo "--image provided not specified" && exit 1; }
@ -102,6 +98,9 @@ function parseOptions {
 			-n|--no-optimize)
 				OPTIMIZE="false"
 				;;
+			--no-clean)
+				CLEAN_VOLUMES="false"
+				;;
 			*)
 				echo "Warning: unknown argument: $arg"
 				;;
@ -111,7 +110,7 @@ function parseOptions {
 }

 function buildSupervisor {
-	echo "Building and deploying for architecture $ARCH and tagging as $TAG"
+	echo "Building supervisor image for architecture $ARCH and tagging as $TAG"
 	ARCH="$ARCH" TAG="$TAG" bash automation/build.sh
 }

@ -128,11 +127,14 @@ function buildSupervisorSrc {
 function refreshSupervisorSrc {
 	buildSupervisorSrc
 	echo "Restarting the supervisor container"
-	docker exec -ti $CONTAINER_NAME balena restart resin_supervisor
+	docker exec -ti resinos-in-container-$CONTAINER_NAME systemctl restart resin-supervisor
 }

 function runDind {
-	if [ "$DIST_MOUNTED" = "true" ]; then
+	if [ ! -f "tools/dind/resinos-in-container/resinos-in-container.sh" ]; then
+		git submodule update --init
+	fi
+	if [ "$MOUNT_DIST" = "true" ]; then
 		buildSupervisorSrc
 		echo "Running with mounted dist folder"
 	fi
@ -147,22 +149,30 @@ function runDind {
 	make -C "$SUPERVISOR_BASE_DIR" \
 		ARCH="$ARCH" \
 		SUPERVISOR_IMAGE="$SUPERVISOR_IMAGE" \
-		PASSWORDLESS_DROPBEAR="$PASSWORDLESS_DROPBEAR" \
-		SUPERVISOR_EXTRA_MOUNTS="$SUPERVISOR_EXTRA_MOUNTS" \
+		MOUNT_DIST="$MOUNT_DIST" \
+		MOUNT_NODE_MODULES="$MOUNT_NODE_MODULES" \
 		PRELOADED_IMAGE="$PRELOADED_IMAGE" \
-		IMAGE="$DIND_IMAGE" \
 		CONTAINER_NAME="$CONTAINER_NAME" \
 		CONFIG_FILENAME="$CONFIG_FILENAME" \
+		DIND_IMAGE="$DIND_IMAGE" \
 		run-supervisor
 }

 function stopDind {
 	echo "Stopping dind supervisor"
 	make -C "$SUPERVISOR_BASE_DIR" CONTAINER_NAME="$CONTAINER_NAME" stop-supervisor
+	if [ "$CLEAN_VOLUMES" = "true" ]; then
+		cleanDind
+	fi
+}
+
+function cleanDind {
+	echo "Cleaning dind supervisor volumes"
+	docker volume rm "resin-boot-$CONTAINER_NAME" "resin-state-$CONTAINER_NAME" "resin-data-$CONTAINER_NAME" &> /dev/null || true
 }

 function logs {
-	docker exec -ti $CONTAINER_NAME journalctl $@
+	docker exec -ti resinos-in-container-$CONTAINER_NAME journalctl $@
 }

 action="$1"
@ -177,6 +187,7 @@ else
 			buildSupervisor
 			;;
 		run)
+			stopDind
 			runDind
 			;;
 		buildrun)
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
  "name": "resin-supervisor",
  "description": "This is resin.io's Supervisor, a program that runs on IoT devices and has the task of running user Apps (which are Docker containers), and updating them as Resin's API informs it to.",
-  "version": "7.4.3",
+  "version": "7.4.4",
  "license": "Apache-2.0",
  "repository": {
    "type": "git",
--- a/tools/dind/Dockerfile
+++ b/tools/dind/Dockerfile
@ -1,46 +0,0 @@
-FROM resin/resin-base:v2.9.2
-
-VOLUME /var/lib/docker
-VOLUME /resin-data
-
-RUN apt-get update \
-	&& apt-get install -y \
-	ifupdown \
-	rsync \
-	dropbear \
-	aufs-tools \
-	&& rm -rf /var/lib/apt/lists/*
-
-ENV BALENA_VERSION 17.06-rev1
-ENV RELEASE_NAME jessie
-
-# Change to 'true' to allow blank password dropbear logins on dind HostOS
-ARG PASSWORDLESS_DROPBEAR=false
-
-COPY config/certs/ /usr/local/share/ca-certificates/
-RUN rm -f /usr/local/share/ca-certificates/.keepme ; update-ca-certificates
-
-RUN curl -sL "https://github.com/resin-os/balena/releases/download/${BALENA_VERSION}/balena-${BALENA_VERSION}-x86_64.tar.gz" \
-	| tar xzv -C /usr/bin --strip-components=1
-
-RUN curl -sL https://raw.githubusercontent.com/resin-os/balena/${BALENA_VERSION}/hack/dind > /usr/bin/dind \
-	&& chmod +x /usr/bin/dind
-
-RUN passwd -d root
-
-# Change os release to a resin-sync compatible one
-RUN sed -i 's/\(PRETTY_NAME=\).*/\1"Resin OS 2.12.5+dind"/' /etc/os-release
-RUN echo 'VARIANT_ID="dev"' >> /etc/os-release
-
-COPY config/openvpn/ /etc/openvpn/
-COPY config/dropbear/config /etc/default/dropbear
-COPY config/services/ /etc/systemd/system/
-COPY resin-vars vpn-init /usr/src/app/
-
-RUN if [ "$PASSWORDLESS_DROPBEAR" = "true" ]; then sed -i 's/\(DROPBEAR_EXTRA_ARGS=\).*/\1"-B"/' /etc/default/dropbear; fi
-
-ENV DOCKER_HOST unix:///var/run/docker.sock
-RUN groupadd docker
-RUN systemctl enable resin-supervisor-dind
-
-COPY supervisor-image.tar /usr/src/
--- a/tools/dind/config/certs/.keepme
+++ b/tools/dind/config/certs/.keepme
--- a/tools/dind/config/dropbear/config
+++ b/tools/dind/config/dropbear/config
@ -1,2 +0,0 @@
-DROPBEAR_EXTRA_ARGS="-s -w -g"
-DROPBEAR_PORT="22222"
--- a/tools/dind/config/env
+++ b/tools/dind/config/env
@ -1,4 +0,0 @@
-CONFIG_PATH=/mnt/conf/config.json
-LED_FILE=/dev/null
-RESIN_SUPERVISOR_SECRET=bananas
-APPS_PATH=/usr/src/app/config/apps.json
--- a/tools/dind/config/openvpn/ca.crt
+++ b/tools/dind/config/openvpn/ca.crt
@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIICWDCCAcGgAwIBAgIJAPSxvaHnsjuiMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMTMxMjEyMTQ0NzU2WhcNMjMxMjEwMTQ0NzU2WjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDlMvQ2juZrzXRqWpX7t4FXXLl4G8ncNT1v2MmT3pp6uF4nkVGuR4YtW3bipCKa
-TXFvyhZuxE/7fJYGhafMWZs26kPt7vsmiTREEGC+BHqNQb0wImrLZOK2W97GduSe
-e8nZcWSC3Z8UCXRBH7Zks4zaFwhtcggvdJ/Pw9w12tNIzQIDAQABo1AwTjAdBgNV
-HQ4EFgQUU4WqX2fLx7gU2QpQvVH0nZNQsRYwHwYDVR0jBBgwFoAUU4WqX2fLx7gU
-2QpQvVH0nZNQsRYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAYhTMd
-PsCCxHlqBjOuswP6PYOg5Mz5Aqg70ZZfhLjEWyoSEsrVJM4es+xrtHAItT28Axky
-RPN7rzLsd3GiH9a6WzaeNdpWdYMSi3+NrNbkOSvnNhGxu/QHb0LtmetxpD6SDFfP
-J11EnN34vWG1JBYHv5Sov+E993rRJvE4UEulZQ==
-----END CERTIFICATE-----
--- a/tools/dind/config/openvpn/client.conf.tmpl
+++ b/tools/dind/config/openvpn/client.conf.tmpl
@ -1,21 +0,0 @@
-client
-remote #{VPN_ENDPOINT} 443
-resolv-retry infinite
-
-remote-cert-tls server
-ca /etc/openvpn/ca.crt
-auth-user-pass /var/volatile/vpnfile
-auth-retry nointeract
-script-security 2
-up /etc/openvpn/upscript.sh
-up-restart
-down /etc/openvpn/downscript.sh
-
-comp-lzo
-dev tun
-proto tcp
-nobind
-
-persist-key
-persist-tun
-verb 3
--- a/tools/dind/config/openvpn/downscript.sh
+++ b/tools/dind/config/openvpn/downscript.sh
@ -1,4 +0,0 @@
-#!/bin/bash
-
-mkdir -p /run/openvpn/vpn_status
-rm -f /run/openvpn/vpn_status/active
--- a/tools/dind/config/openvpn/upscript.sh
+++ b/tools/dind/config/openvpn/upscript.sh
@ -1,4 +0,0 @@
-#!/bin/bash
-
-mkdir -p /run/openvpn/vpn_status
-touch /run/openvpn/vpn_status/active
--- a/tools/dind/config/services/confd.service
+++ b/tools/dind/config/services/confd.service
@ -1,12 +0,0 @@
-[Unit]
-Description=Confd
-Before=rsyslog.service
-
-[Service]
-Type=oneshot
-EnvironmentFile=/etc/docker.env
-ExecStart=-/usr/local/bin/confd -onetime -confdir=/etc/confd -backend=env
-ExecStart=-/usr/local/bin/confd -onetime -confdir=/etc/confd -node=http://172.17.42.1:4001
-
-[Install]
-WantedBy=basic.target
--- a/tools/dind/config/services/docker.service
+++ b/tools/dind/config/services/docker.service
@ -1,19 +0,0 @@
-[Unit]
-Description=Balena Application Container Engine
-Documentation=http://docs.docker.com
-After=network.target docker.socket
-Requires=docker.socket
-
-[Service]
-Type=notify
-Restart=always
-ExecStart=/usr/bin/dind /usr/bin/balenad --storage-driver aufs --host=fd:// -g /var/lib/docker
-#Adjust OOMscore to -900 to make killing balena unlikely
-OOMScoreAdjust=-900
-MountFlags=slave
-LimitNOFILE=1048576
-LimitNPROC=1048576
-LimitCORE=infinity
-
-[Install]
-WantedBy=multi-user.target
--- a/tools/dind/config/services/docker.service.d/.gitkeep
+++ b/tools/dind/config/services/docker.service.d/.gitkeep
--- a/tools/dind/config/services/docker.socket
+++ b/tools/dind/config/services/docker.socket
@ -1,12 +0,0 @@
-[Unit]
-Description=Docker Socket for the API
-PartOf=docker.service
-
-[Socket]
-ListenStream=/var/run/docker.sock
-SocketMode=0660
-SocketUser=root
-SocketGroup=docker
-
-[Install]
-WantedBy=sockets.target
--- a/tools/dind/config/services/openvpn-resin.service
+++ b/tools/dind/config/services/openvpn-resin.service
@ -1,14 +0,0 @@
-[Unit]
-Description=OpenVPN Application On Resin
-Wants=prepare-openvpn.service
-After=syslog.target network.target prepare-openvpn.service
-
-[Service]
-PrivateTmp=true
-Type=forking
-PIDFile=/var/run/openvpn/resin.pid
-ExecStartPre=-/bin/mkdir -p /var/run/openvpn
-ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/resin.pid --cd /etc/openvpn/ --config client.conf
-
-[Install]
-WantedBy=multi-user.target
--- a/tools/dind/config/services/prepare-openvpn.service
+++ b/tools/dind/config/services/prepare-openvpn.service
@ -1,13 +0,0 @@
-[Unit]
-Description=Prepare OpenVPN Application On Resin
-Before=openvpn@client.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-WorkingDirectory=/usr/src/app
-EnvironmentFile=/usr/src/app/config/env
-ExecStart=/usr/src/app/vpn-init
-
-[Install]
-WantedBy=multi-user.target
--- a/tools/dind/config/services/resin-supervisor-dind.service
+++ b/tools/dind/config/services/resin-supervisor-dind.service
@ -1,46 +0,0 @@
-[Unit]
-Description=resin-supervisor-dind
-Wants=confd.service docker.service openvpn-resin.service
-After=confd.service
-Before=openvpn-resin.service
-
-[Service]
-WorkingDirectory=/usr/src/app
-Environment=DOCKER_HOST=unix:///var/run/docker.sock
-EnvironmentFile=/usr/src/app/config/env
-EnvironmentFile=/usr/src/app/config/localenv
-ExecStartPre=/bin/bash -c 'if [ "${PRELOADED_IMAGE}" == "true" ]; then /usr/bin/balena pull $(jq --raw-output ".[0].imageId" ${APPS_PATH}); fi'
-ExecStartPre=/usr/bin/balena load --input /usr/src/supervisor-image.tar
-ExecStartPre=-/usr/bin/balena kill resin_supervisor
-ExecStartPre=-/usr/bin/balena rm resin_supervisor
-ExecStartPre=-/bin/touch /etc/resolv.conf
-ExecStart=/bin/bash -c 'source /usr/src/app/resin-vars && \
-	/usr/bin/balena run --rm --privileged --name resin_supervisor \
-	--net=host \
-	-v /var/run/docker.sock:/var/run/docker.sock \
-	-v "${CONFIG_PATH}:/boot/config.json" \
-	-v "${APPS_PATH}:/boot/apps.json" \
-	-v /resin-data/resin-supervisor:/data \
-	-v /proc/net/fib_trie:/mnt/fib_trie \
-	-v /var/log/supervisor-log:/var/log \
-	-v /:/mnt/root \
-	-v /etc/resolv.conf:/etc/resolv.conf:rw \
-	${SUPERVISOR_EXTRA_MOUNTS} \
-	-e "API_ENDPOINT=$API_ENDPOINT" \
-	-e "DELTA_ENDPOINT=$DELTA_ENDPOINT" \
-	-e "REGISTRY_ENDPOINT=$REGISTRY_ENDPOINT" \
-	-e "PUBNUB_SUBSCRIBE_KEY=$PUBNUB_SUBSCRIBE_KEY" \
-	-e "PUBNUB_PUBLISH_KEY=$PUBNUB_PUBLISH_KEY" \
-	-e "MIXPANEL_TOKEN=$MIXPANEL_TOKEN" \
-	-e "LED_FILE=${LED_FILE}" \
-	-e "LISTEN_PORT=$LISTEN_PORT" \
-	-e "SUPERVISOR_IMAGE=${SUPERVISOR_IMAGE}" \
-	-e "RESIN_SUPERVISOR_SECRET=${RESIN_SUPERVISOR_SECRET}" \
-	-e "DOCKER_ROOT=/mnt/root/var/lib/docker" \
-	-e "DOCKER_SOCKET=/var/run/docker.sock" \
-	${SUPERVISOR_IMAGE}'
-TimeoutStartSec=0
-Restart=always
-
-[Install]
-WantedBy=basic.target
--- a/tools/dind/resin-vars
+++ b/tools/dind/resin-vars
@ -1,59 +0,0 @@
-#!/bin/bash
-
-help () {
-    cat << EOF
-Script for setting resin shell environment
-resin-vars [options]
-
-Options:
-    -h, --help
-        Display this help and exit.
-
-    -c, --config-path CONFIG_PATH
-        Use a non default config.json file.
-        Default: /mnt/conf/config.json
-EOF
-}
-
-# Parse arguments
-while [[ $# > 0 ]]; do
-    key=$1
-    case $key in
-        -h|--help)
-            help
-            exit 0
-            ;;
-        -c|--config-path)
-            CONFIG_PATH=$2
-            shift
-            ;;
-        *)
-            echo "[WARNING] $0 : Argument '$1' unknown. Ignoring."
-            ;;
-    esac
-    shift
-done
-
-# Default values
-if [ -z "$CONFIG_PATH" ]; then
-    CONFIG_PATH=/mnt/conf/config.json
-fi
-
-# If config.json provides redefinitions for our vars let us rewrite their
-# runtime value
-if [ -f $CONFIG_PATH ]
-then
-    API_ENDPOINT=$(jq --raw-output ".apiEndpoint" $CONFIG_PATH)
-    DELTA_ENDPOINT=$(jq --raw-output ".deltaEndpoint" $CONFIG_PATH)
-    LISTEN_PORT=$(jq --raw-output ".listenPort" $CONFIG_PATH)
-    MIXPANEL_TOKEN=$(jq --raw-output ".mixpanelToken" $CONFIG_PATH)
-    PUBNUB_PUBLISH_KEY=$(jq --raw-output ".pubnubPublishKey" $CONFIG_PATH)
-    PUBNUB_SUBSCRIBE_KEY=$(jq --raw-output ".pubnubSubscribeKey" $CONFIG_PATH)
-    REGISTRY_ENDPOINT=$(jq --raw-output ".registryEndpoint" $CONFIG_PATH)
-    VPN_ENDPOINT=$(jq --raw-output ".vpnEndpoint" $CONFIG_PATH)
-    if [ -z "$API_ENDPOINT" -o -z "$LISTEN_PORT" -o -z "$MIXPANEL_TOKEN" -o -z "$PUBNUB_PUBLISH_KEY" -o -z "$PUBNUB_SUBSCRIBE_KEY" -o -z "$REGISTRY_ENDPOINT" -o -z "$VPN_ENDPOINT" ]; then
-        echo "[WARNING] $0 : Couldn't read some variables from $CONFIG_PATH"
-    fi
-else
-    echo "[WARNING] $0 : '$CONFIG_PATH' not found."
-fi
--- a/tools/dind/resinos-in-container
+++ b/tools/dind/resinos-in-container
@ -0,0 +1 @@
+Subproject commit 6549263ae304d12b3efe739897b98b10f67c7cc0
--- a/tools/dind/start-resin-supervisor
+++ b/tools/dind/start-resin-supervisor
@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Adapted from: https://github.com/resin-os/meta-resin/blob/v2.12.5/meta-resin-common/recipes-containers/docker-disk/docker-resin-supervisor-disk/start-resin-supervisor
+
+source /usr/sbin/resin-vars
+
+if ! balena inspect $SUPERVISOR_IMAGE:$SUPERVISOR_TAG > /dev/null; then
+    balena load --input /usr/src/supervisor-image.tar
+fi
+
+if [ -f /mnt/data/apps.json ]; then
+    preloaded_img=$(jq --raw-output ".[0].imageId" /mnt/data/apps.json || echo "")
+    if [ "$preloaded_img" != "" ] && ! balena inspect $preloaded_img; then
+        balena pull $preloaded_img
+    fi
+fi
+
+EXTRA_MOUNTS=""
+if [ -d /resin-supervisor/dist ]; then
+    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v /resin-supervisor/dist:/usr/src/app/dist"
+fi
+if [ -d /resin-supervisor/node_modules ]; then
+    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v /resin-supervisor/node_modules:/usr/src/app/node_modules"
+fi
+
+SUPERVISOR_IMAGE_ID=$(balena inspect --format='{{.Id}}' $SUPERVISOR_IMAGE:$SUPERVISOR_TAG)
+SUPERVISOR_CONTAINER_IMAGE_ID=$(balena inspect --format='{{.Image}}' resin_supervisor || echo "")
+
+runSupervisor() {
+    balena rm --force resin_supervisor || true
+    balena run --privileged --name resin_supervisor \
+        --net=host \
+        -v /var/run/balena.sock:/var/run/balena.sock \
+        -v $CONFIG_PATH:/boot/config.json  \
+        -v /mnt/data/apps.json:/boot/apps.json \
+        -v /resin-data/resin-supervisor:/data \
+        -v /proc/net/fib_trie:/mnt/fib_trie \
+        -v /var/log/supervisor-log:/var/log \
+        -v /:/mnt/root \
+        -e DOCKER_ROOT=/mnt/root/var/lib/docker \
+        -e DOCKER_SOCKET=/var/run/balena.sock \
+        -e BOOT_MOUNTPOINT=$BOOT_MOUNTPOINT \
+        -e API_ENDPOINT=$API_ENDPOINT \
+        -e REGISTRY_ENDPOINT=$REGISTRY_ENDPOINT \
+        -e PUBNUB_SUBSCRIBE_KEY=$PUBNUB_SUBSCRIBE_KEY \
+        -e PUBNUB_PUBLISH_KEY=$PUBNUB_PUBLISH_KEY \
+        -e MIXPANEL_TOKEN=$MIXPANEL_TOKEN \
+        -e DELTA_ENDPOINT=$DELTA_ENDPOINT \
+        -e LED_FILE=${LED_FILE} \
+        -e LISTEN_PORT=$LISTEN_PORT \
+        -e SUPERVISOR_IMAGE=${SUPERVISOR_IMAGE}:${SUPERVISOR_TAG} \
+        ${EXTRA_MOUNTS} \
+        ${SUPERVISOR_IMAGE}:${SUPERVISOR_TAG}
+}
+
+if [ -z "$SUPERVISOR_IMAGE_ID" ]; then
+    # No supervisor image exists on the device, try to pull it
+    systemctl start update-resin-supervisor
+elif [ "$SUPERVISOR_IMAGE_ID" = "$SUPERVISOR_CONTAINER_IMAGE_ID" ]; then
+    # Supervisor image exists, and the current supervisor container is created from
+    balena start --attach resin_supervisor
+else
+    # No supervisor container exists or there's a different supervisor image to run
+    runSupervisor
+fi
--- a/tools/dind/vpn-init
+++ b/tools/dind/vpn-init
@ -1,16 +0,0 @@
-#!/bin/bash
-source /usr/src/app/resin-vars
-sed --expression="s/#{VPN_ENDPOINT}/${VPN_ENDPOINT}/" /etc/openvpn/client.conf.tmpl > /etc/openvpn/client.conf
-
-while true; do
-	if [ `jq ".uuid | length" $CONFIG_PATH` -eq 0 ]; then
-		echo "UUID missing from config file, VPN cannot connect"
-		sleep 2
-	else
-		read uuid api_key <<<$(jq -r '.uuid,.apiKey // .deviceApiKey' $CONFIG_PATH)
-		mkdir -p /var/volatile/
-		echo $uuid > /var/volatile/vpnfile
-		echo $api_key >> /var/volatile/vpnfile
-		break
-	fi
-done
				`@ -0,0 +1 @@`
				`Subproject commit 6549263ae304d12b3efe739897b98b10f67c7cc0`