podman-auto-update(1)                                  podman-auto-update(1)

NAME

       podman-auto-update - Auto update containers according to their
       auto-update policy

SYNOPSIS

       podman auto-update [options]

DESCRIPTION

       podman auto-update looks up containers with a specified
       io.containers.autoupdate label (i.e., the auto-update policy).

       If the label is present and set to registry, Podman reaches out to the
       corresponding registry to check if the image has been updated. The
       label image is an alternative to registry maintained for backwards
       compatibility. An image is considered updated if the digest in the
       local storage differs from that of the remote image. If an image must
       be updated, Podman pulls it down and restarts the systemd unit
       executing the container.

       The registry policy requires a fully-qualified image reference (e.g.,
       quay.io/podman/stable:latest) to be used to create the container. This
       enforcement is necessary to know which image to actually check and
       pull. If an image ID was used, Podman would not know which image to
       check/pull anymore.

       Alternatively, if the autoupdate label is set to local, Podman will
       compare the image a container is using to the image with its raw name
       in local storage. If an image is updated locally, Podman simply
       restarts the systemd unit executing the container.

       If the io.containers.autoupdate.authfile label is present, Podman
       uses the corresponding authfile when pulling images.

       At container-creation time, Podman looks up the PODMAN_SYSTEMD_UNIT
       environment variable and stores it verbatim in the container's label.
       This variable is now set by all systemd units generated by
       podman-generate-systemd and is set to %n (i.e., the name of the
       systemd unit starting the container). This data is then used in the
       auto-update sequence to instruct systemd (via DBUS) to restart the
       unit and hence to restart the container.

       Note that podman auto-update relies on systemd. The systemd units are
       expected to be generated with podman-generate-systemd --new, or similar
       units that create new containers in order to run the updated images.
       Systemd units that start and stop a container cannot run a new image.

   Systemd Unit and Timer
       Podman ships with a podman-auto-update.service systemd unit. This unit
       is triggered daily at midnight by the podman-auto-update.timer systemd
       timer. The timer can be altered for custom time-based updates if
       desired. The unit can further be invoked by other systemd units (e.g.,
       via the dependency tree) or manually via systemctl start
       podman-auto-update.service.

OPTIONS

   --authfile=path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: There is also the option to override the default path of the
       authentication file by setting the REGISTRY_AUTH_FILE environment
       variable. This can be done with export REGISTRY_AUTH_FILE=path.

   --dry-run
       Check for the availability of new images but do not perform any pull
       operation or restart any service or container. The UPDATED field
       indicates the availability of a new image with "pending".

   --format=format
       Change the default output format. This can be of a supported type like
       'json' or a Go template. Valid placeholders for the Go template are
       listed below:

       ┌───────────────┬─────────────────────────────────────┐
       │Placeholder    │ Description                         │
       ├───────────────┼─────────────────────────────────────┤
       │.Unit          │ Name of the systemd unit            │
       ├───────────────┼─────────────────────────────────────┤
       │.ContainerName │ Name of the container               │
       ├───────────────┼─────────────────────────────────────┤
       │.ContainerID   │ ID of the container                 │
       ├───────────────┼─────────────────────────────────────┤
       │.Container     │ ID and name of the container        │
       ├───────────────┼─────────────────────────────────────┤
       │.Image         │ Name of the image                   │
       ├───────────────┼─────────────────────────────────────┤
       │.Policy        │ Auto-update policy of the container │
       ├───────────────┼─────────────────────────────────────┤
       │.Updated       │ Update status: true,false,failed    │
       └───────────────┴─────────────────────────────────────┘

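       A dry-run gate built on the --dry-run option and the placeholders
       above, as an added example that is not part of the original man page.
       It goes one step beyond the text by also checking the registry host of
       each image against an allow-list; the |-separated format string, the
       function names, the exit codes and the sample rows are assumptions
       constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the man page): review a --dry-run report before
# letting podman auto-update pull anything.
# FORMAT is an assumed template built from the placeholders listed above.
FORMAT='{{.Unit}}|{{.Image}}|{{.Policy}}|{{.Updated}}'

# review_updates "host1 host2 ..."   (rows on stdin: unit|image|policy|updated)
# Prints one line per finding. Exit status: 0 = nothing to do,
# 10 = updates pending, 20 = failed update, malformed row, or an image
# whose registry host is not on the allow-list.
review_updates() {
    awk -F'|' -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        NF != 4 { print "MALFORMED " $0; bad++; next }
        $3 == "registry" || $3 == "image" {
            # A fully-qualified reference starts with the registry host.
            host = $2; sub(/\/.*/, "", host)
            if (!(host in ok)) { print "UNTRUSTED " $1 " " $2; bad++ }
        }
        $4 == "pending" { print "PENDING " $1 " " $2; pending++ }
        $4 == "failed"  { print "FAILED " $1 " " $2; bad++ }
        END { if (bad) exit 20; if (pending) exit 10 }
    '
}

# Constructed sample rows standing in for the output of:
#   podman auto-update --dry-run --format "$FORMAT"
sample_rows() {
    printf '%s\n' \
        'container-test.service|registry.fedoraproject.org/fedora:latest|registry|pending' \
        'container-web.service|quay.io/podman/stable:latest|registry|false' \
        'container-dev.service|docker.io/library/busybox:latest|local|false'
}

status=0
sample_rows | review_updates "registry.fedoraproject.org quay.io" || status=$?
echo "review status: $status"
```

       Containers with the local policy are not checked against the
       allow-list because nothing is pulled for them.
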
   --rollback
       If restarting a systemd unit after updating the image has failed, roll
       back to using the previous image and restart the unit another time.
       Default is true.

       Please note that detecting if a systemd unit has failed is best done by
       the container sending the READY message via SDNOTIFY. This way,
       restarting the unit waits until the message has been received or a
       timeout has kicked in. Without that, restarting the systemd unit may
       succeed even if the container has failed shortly after.

       For a container to send the READY message via SDNOTIFY it must be
       created with the --sdnotify=container option (see podman-run(1)). The
       application running inside the container can then execute
       systemd-notify --ready when ready or use the sdnotify bindings of the
       specific programming language (e.g., sd_notify(3)).

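       One way to act on the READY requirement above, as an added example
       that is not part of the original man page: a container entrypoint that
       calls systemd-notify --ready only after a probe succeeds, so an image
       that does not come up never reports ready. The script name, the probe
       argument and READY_TIMEOUT are assumptions; the image must contain
       systemd-notify.

```shell
#!/bin/sh
# Added example (not from the man page): container entrypoint that reports
# READY only after the application passes a probe. Usage (hypothetical):
#   entrypoint.sh PROBE_CMD APP [ARGS...]

# wait_ready PROBE_CMD TIMEOUT_SECONDS
# Runs PROBE_CMD once per second; returns 0 on first success, 1 on timeout.
wait_ready() {
    probe=$1 remaining=$2
    while [ "$remaining" -gt 0 ]; do
        if sh -c "$probe" >/dev/null 2>&1; then return 0; fi
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

# Send READY through the socket podman passes in with --sdnotify=container.
notify_ready() {
    if [ -z "${NOTIFY_SOCKET:-}" ]; then
        echo "NOTIFY_SOCKET unset; was --sdnotify=container used?" >&2
        return 1
    fi
    systemd-notify --ready
}

main() {
    probe=$1; shift
    "$@" &                      # start the application
    app_pid=$!
    if wait_ready "$probe" "${READY_TIMEOUT:-30}" && notify_ready; then
        wait "$app_pid"         # stay in the foreground with the application
    else
        # No READY is sent: the unit restart fails and --rollback can act.
        kill "$app_pid" 2>/dev/null
        exit 1
    fi
}

# Only act as an entrypoint when given a probe and a command to supervise.
if [ "$#" -gt 0 ]; then main "$@"; fi
```
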

EXAMPLES

       Autoupdate with registry policy

              ### Start a container
              $ podman run --label "io.containers.autoupdate=registry" \
                  --label "io.containers.autoupdate.authfile=/some/authfile.json" \
                  -d --name=test registry.fedoraproject.org/fedora:latest sleep infinity
              bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d

              ### Generate a systemd unit for this container
              $ podman generate systemd --new --files bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d
              /home/user/container-bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d.service

              ### Load the new systemd unit and start it
              $ mv ./container-bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d.service ~/.config/systemd/user/container-test.service
              $ systemctl --user daemon-reload

              ### If the previously created containers or pods are using shared resources, such as ports, make sure to remove them before starting the generated systemd units.
              $ podman stop bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d
              $ podman rm bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d

              $ systemctl --user start container-test.service

              ### Check if a newer image is available
              $ podman auto-update --dry-run --format "{{.Image}} {{.Updated}}"
              registry.fedoraproject.org/fedora:latest   pending

              ### Autoupdate the services
              $ podman auto-update
              UNIT                    CONTAINER            IMAGE                                     POLICY      UPDATED
              container-test.service  08fd34e533fd (test)  registry.fedoraproject.org/fedora:latest  registry    false

       Autoupdate with local policy

              ### Start a container
              $ podman run --label "io.containers.autoupdate=local" \
                  -d busybox:latest top
              be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338

              ### Generate a systemd unit for this container
              $ podman generate systemd --new --files be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338
              /home/user/container-be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338.service

              ### Load the new systemd unit and start it
              $ mv ./container-be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338.service ~/.config/systemd/user
              $ systemctl --user daemon-reload

              ### If the previously created containers or pods are using shared resources, such as ports, make sure to remove them before starting the generated systemd units.
              $ podman stop be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338
              $ podman rm be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338

              $ systemctl --user start container-be0889fd06f252a2e5141b37072c6bada68563026cb2b2649f53394d87ccc338.service

              ### Get the name of the container
              $ podman ps
              CONTAINER ID  IMAGE                             COMMAND  CREATED        STATUS            PORTS   NAMES
              01f5c8113e84  docker.io/library/busybox:latest  top      2 seconds ago  Up 3 seconds ago          inspiring_galileo

              ### Modify the image
              $ podman commit --change CMD=/bin/bash inspiring_galileo busybox:latest

              ### Auto-update the container
              $ podman auto-update
              [...]

SEE ALSO

       podman(1), podman-generate-systemd(1), podman-run(1), sd_notify(3),
       systemd.unit(5)