podman-auto-update(1)       General Commands Manual      podman-auto-update(1)

NAME

       podman-auto-update - Auto update containers according to their
       auto-update policy

SYNOPSIS

       podman auto-update [options]

DESCRIPTION

       podman auto-update pulls down new container images and restarts
       containers configured for auto updates.  To make use of auto updates,
       the container or Kubernetes workloads must run inside a systemd unit.
       After a successful update of an image, the containers using the image
       get updated by restarting the systemd units they run in.  Please refer
       to quadlet(5) on how to run Podman under systemd.

       To configure a container for auto updates, it must be created with the
       io.containers.autoupdate label or the AutoUpdate field in quadlet(5)
       with one of the following two values:

       •      registry: If the label is present and set to registry, Podman
              reaches out to the corresponding registry to check if the image
              has been updated.  The label image is an alternative to
              registry maintained for backwards compatibility.  An image is
              considered updated if the digest in the local storage is
              different than the one of the remote image.  If an image must
              be updated, Podman pulls it down and restarts the systemd unit
              executing the container.  The registry policy requires a
              fully-qualified image reference (e.g.,
              quay.io/podman/stable:latest) to be used to create the
              container.  This enforcement is necessary to know which image
              to actually check and pull.  If an image ID was used, Podman
              would not know which image to check/pull anymore.

       •      local: If the autoupdate label is set to local, Podman compares
              the image digest of the container to the one in the local
              container storage.  If they differ, the local image is
              considered to be newer and the systemd unit gets restarted.

   Auto Updates and Kubernetes YAML
       Podman supports auto updates for Kubernetes workloads.  The auto-update
       policy can be configured directly via quadlet(5) or inside the
       Kubernetes YAML with the Podman-specific annotations mentioned below:

       •      io.containers.autoupdate: "registry|local" to apply the
              auto-update policy to all containers

       •      io.containers.autoupdate/$container: "registry|local" to apply
              the auto-update policy to $container only

       •      io.containers.sdnotify: "conmon|container" to apply the
              sdnotify policy to all containers

       •      io.containers.sdnotify/$container: "conmon|container" to apply
              the sdnotify policy to $container only

       By default, the autoupdate policy is set to "disabled" and the
       sdnotify policy is set to "conmon".

   Systemd Unit and Timer
       Podman ships with a podman-auto-update.service systemd unit.  This unit
       is triggered daily at midnight by the podman-auto-update.timer systemd
       timer.  The timer can be altered for custom time-based updates if
       desired.  The unit can further be invoked by other systemd units (e.g.,
       via the dependency tree) or manually via systemctl start
       podman-auto-update.service.

OPTIONS

   --authfile=path
       Path of the authentication file.  Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and
       $HOME/.config/containers/auth.json on Windows/macOS.  The file is
       created by podman login.  If the authorization state is not found
       there, $HOME/.docker/config.json is checked, which is set using
       docker login.

       Note: There is also the option to override the default path of the
       authentication file by setting the REGISTRY_AUTH_FILE environment
       variable.  This can be done with export REGISTRY_AUTH_FILE=path.

       Alternatively, the io.containers.autoupdate.authfile container label
       can be configured.  In that case, Podman will use the specified
       label's value instead.

   --dry-run
       Check for the availability of new images but do not perform any pull
       operation or restart any service or container.  The UPDATED field
       indicates the availability of a new image with "pending".

   --format=format
       Change the default output format.  This can be of a supported type like
       'json' or a Go template.  Valid placeholders for the Go template are
       listed below:

       ┌───────────────┬──────────────────────────────┐
       │Placeholder    │ Description                  │
       ├───────────────┼──────────────────────────────┤
       │.Container     │ ID and name of the container │
       ├───────────────┼──────────────────────────────┤
       │.ContainerID   │ ID of the container          │
       ├───────────────┼──────────────────────────────┤
       │.ContainerName │ Name of the container        │
       ├───────────────┼──────────────────────────────┤
       │.Image         │ Name of the image            │
       ├───────────────┼──────────────────────────────┤
       │.Policy        │ Auto-update policy of the    │
       │               │ container                    │
       ├───────────────┼──────────────────────────────┤
       │.Unit          │ Name of the systemd unit     │
       ├───────────────┼──────────────────────────────┤
       │.Updated       │ Update status:               │
       │               │ true,false,failed            │
       └───────────────┴──────────────────────────────┘

   --rollback
       If restarting a systemd unit after updating the image has failed,
       rollback to using the previous image and restart the unit another
       time.  Default is true.

       Note that detecting if a systemd unit has failed is best done by the
       container sending the READY message via SDNOTIFY.  This way, restarting
       the unit waits until the message has been received or a timeout has
       kicked in.  Without that, restarting the systemd unit may succeed even
       if the container has failed shortly after.

       For a container to send the READY message via SDNOTIFY it must be
       created with the --sdnotify=container option (see podman-run(1)).  The
       application running inside the container can then execute
       systemd-notify --ready when ready or use the sdnotify bindings of the
       specific programming language (e.g., sd_notify(3)).

   --tls-verify
       Require HTTPS and verify certificates when contacting registries
       (default: true).  If explicitly set to true, TLS verification is used.
       If set to false, TLS verification is not used.  If not specified, TLS
       verification is used unless the target registry is listed as an
       insecure registry in containers-registries.conf(5).

EXAMPLES

       Create a Quadlet file configured for auto updates:

       $ cat ~/.config/containers/systemd/sleep.container
       [Container]
       Image=registry.fedoraproject.org/fedora:latest
       Exec=sleep infinity
       AutoUpdate=registry

       Generate a systemd service from the Quadlet file by reloading the
       systemd user daemon:

       $ systemctl --user daemon-reload

       Start the systemd service and make sure the container is running:

       $ systemctl --user start sleep.service
       $ podman ps
       CONTAINER ID  IMAGE                                     COMMAND         CREATED        STATUS        PORTS       NAMES
       f8e4759798d4  registry.fedoraproject.org/fedora:latest  sleep infinity  2 seconds ago  Up 2 seconds              systemd-sleep

       Check if a new image is available via --dry-run:

       $ podman auto-update --dry-run --format "{{.Image}} {{.Updated}}"
       registry.fedoraproject.org/fedora:latest   pending

       Update the service:

       $ podman auto-update
       UNIT           CONTAINER                     IMAGE                                     POLICY      UPDATED
       sleep.service  f8e4759798d4 (systemd-sleep)  registry.fedoraproject.org/fedora:latest  registry    true
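
       Review an update report before or after the timer runs.  This script
       is an added example, not part of the original manual page or of
       Podman; the function names, the exit-status convention and the sample
       report are assumptions made for illustration:

```shell
#!/bin/sh
# Added example. Input on stdin: one line per unit, "UNIT IMAGE POLICY UPDATED",
# as printed by:
#   podman auto-update --dry-run \
#       --format "{{.Unit}} {{.Image}} {{.Policy}} {{.Updated}}"

# Print the units whose UPDATED field (last column) equals $1.
units_with_status() {
    awk -v want="$1" 'NF >= 4 && $1 != "UNIT" && $NF == want { print $1 }'
}

# Summarise a report read from stdin.
# Return codes (assumed convention): 0 nothing to do, 10 pending, 20 failed.
review_report() {
    report=$(cat)
    failed=$(printf '%s\n' "$report" | units_with_status failed)
    pending=$(printf '%s\n' "$report" | units_with_status pending)
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed" | sed 's/^/failed: /'
        return 20
    fi
    if [ -n "$pending" ]; then
        printf '%s\n' "$pending" | sed 's/^/pending: /'
        return 10
    fi
    echo "nothing to update"
    return 0
}

# Constructed sample report (not captured from a real host).
SAMPLE_REPORT='sleep.service  registry.fedoraproject.org/fedora:latest  registry  pending
web.service    quay.io/podman/stable:latest              registry  false
db.service     localhost/db:latest                       local     pending'

# Stand-alone run: list the units the sample marks as pending.
printf '%s\n' "$SAMPLE_REPORT" | units_with_status pending
```

       On a host, pipe the podman command from the header comment into
       review_report and act on its exit status.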

SEE ALSO

       podman(1), podman-generate-systemd(1), podman-run(1),
       podman-systemd.unit(5), sd_notify(3), systemd.unit(5)