auto-update no PODMAN_SYSTEMD_UNIT label found #6793

Closed
q-b opened this issue Jun 26, 2020 · 17 comments · Fixed by #6858

q-b commented Jun 26, 2020

Hi,

While playing with the latest version of podman on CentOS 8, I was unable to use the auto-update feature.

# podman auto-update
Trying to pull ...
<redacted>
... signatures
Error: 1 error occurred:
	* error auto-updating container "<redacted>": no PODMAN_SYSTEMD_UNIT label found

https://github.com/containers/libpod/blob/0968f25988624699f2db559f0a984cf84c8a284f/pkg/autoupdate/autoupdate.go#L184

The service file looks good (I checked it on disk and daemon-reloaded to be sure):

...
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
...
# podman inspect ...
...
            "Labels": {
                "io.containers.autoupdate": "image",
...
            "CreateCommand": [
...
                "--label",
                "io.containers.autoupdate=image",
...
# podman version
Version:      2.0.1
API Version:  1
Go Version:   go1.13.4
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Let me know if you need more input to troubleshoot this issue!

@mheon
Member

mheon commented Jun 26, 2020

@vrothberg PTAL

@vrothberg vrothberg self-assigned this Jun 29, 2020
@vrothberg vrothberg added the bug label Jun 29, 2020
@vrothberg
Member

Thanks for opening the issue!

Indeed, we regressed on it. Absolute time to extend the systemd tests...

@vrothberg
Member

And as it looks like we regressed with 2.0.1. 2.0.0 is working...

@vrothberg
Member

Master is fine though.

@vrothberg
Member

I now fail to reproduce again. Very curious.

I used the following script to reproduce:

./bin/podman rm -af
CID=`./bin/podman create --label "io.containers.autoupdate=image" -d busybox:latest top`
./bin/podman generate systemd --new $CID > ~/.config/systemd/user/container-test.service
systemctl --user daemon-reload
systemctl --user stop container-test && systemctl --user start container-test && ./bin/podman inspect --format "{{.Config.Labels}}" -l
./bin/podman auto-update
systemctl --user stop container-test

@vrothberg
Member

@edsantiago could you have a quick look and try to reproduce with 2.0.1?

@vrothberg
Member

Opened #6810 to add a test that would catch that case.

@edsantiago
Member

I can't find any way to reproduce; am trying root on f32.

vrothberg added a commit to vrothberg/libpod that referenced this issue Jun 29, 2020
Run `podman auto-update` in the systemd system tests.  Note that this is
a first step to at least exercise parts of `auto-update` in the CI.  The
service won't get updated just yet as we need to set up a local
registry, and push a new image.  I do not have enough time at the moment
to do that but consider this change already as an improvement.

We are experiencing some issues in containers#6793 w.r.t. auto-updates but
couldn't track down the root cause yet.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
Member

I now fail to reproduce again. Very curious.

I used the following script to reproduce:

./bin/podman rm -af
CID=`./bin/podman create --label "io.containers.autoupdate=image" -d busybox:latest top`
./bin/podman generate systemd --new $CID > ~/.config/systemd/user/container-test.service
systemctl --user daemon-reload
systemctl --user stop container-test && systemctl --user start container-test && ./bin/podman inspect --format "{{.Config.Labels}}" -l
./bin/podman auto-update
systemctl --user stop container-test

@q-b can you try this reproducer?

@edsantiago
Member

Giving up. For posterity, here is what I tried:

  • podman run instead of podman create
  • setting up a local registry, adding it as insecure in registries.conf, using localhost:5000/foobar:latest as source image.
  • The above, plus pushing/tagging various images as foobar:latest to confirm that podman auto-update would re-pull.
  • In all of those, many iterations of test loops intended to catch flakes

@vrothberg
Member

Thanks a lot for checking, @edsantiago!

@q-b
Author

q-b commented Jul 3, 2020

@vrothberg

As myself:

[qb@p1-dc1-node-1 ~]$ podman rm -af
[qb@p1-dc1-node-1 ~]$ CID=`podman create --label "io.containers.autoupdate=image" -d busybox:latest top`
Trying to pull registry.fedoraproject.org/busybox:latest...
  manifest unknown: manifest unknown
Trying to pull registry.access.redhat.com/busybox:latest...
  name unknown: Repo not found
Trying to pull registry.centos.org/busybox:latest...
  manifest unknown: manifest unknown
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 91f30d776fb2 done
Copying config c7c37e472d done
Writing manifest to image destination
Storing signatures
[qb@p1-dc1-node-1 ~]$ mkdir -p ~/.config/systemd/user/
[qb@p1-dc1-node-1 ~]$ podman generate systemd --new $CID > ~/.config/systemd/user/container-test.service
[qb@p1-dc1-node-1 ~]$ systemctl --user daemon-reload
[qb@p1-dc1-node-1 ~]$ systemctl --user stop container-test && systemctl --user start container-test && podman inspect --format "{{.Config.Labels}}" -l
map[PODMAN_SYSTEMD_UNIT:container-test.service io.containers.autoupdate:image]
[qb@p1-dc1-node-1 ~]$ podman auto-update
[qb@p1-dc1-node-1 ~]$ systemctl --user stop container-test

I need to try as root next.

@q-b
Author

q-b commented Jul 3, 2020

[root@p1-dc1-node-1 ~]# podman rm -af
[root@p1-dc1-node-1 ~]# CID=`podman create --label "io.containers.autoupdate=image" -d busybox:latest top`
[root@p1-dc1-node-1 ~]# podman generate systemd --new $CID > /usr/lib/systemd/system/container-test.service
[root@p1-dc1-node-1 ~]# restorecon -RFv /usr/lib/systemd/system/container-test.service
Relabeled /usr/lib/systemd/system/container-test.service from unconfined_u:object_r:systemd_unit_file_t:s0 to system_u:object_r:systemd_unit_file_t:s0
[root@p1-dc1-node-1 ~]# systemctl daemon-reload
[root@p1-dc1-node-1 ~]# systemctl stop container-test && systemctl start container-test && podman inspect --format "{{.Config.Labels}}" -l
map[PODMAN_SYSTEMD_UNIT:container-test.service io.containers.autoupdate:image]
[root@p1-dc1-node-1 ~]# podman auto-update
[root@p1-dc1-node-1 ~]# systemctl stop container-test.service

@q-b
Author

q-b commented Jul 3, 2020

Reproducible:

[root@p1-dc1-node-1 ~]# podman container create \
>   --name ctn-caddy \
>   --label io.containers.autoupdate=image \
>   --volume /etc/caddy:/etc/caddy:Z \
>   --volume /var/lib/caddy:/data:Z \
>   --volume /var/www:/usr/share/caddy:Z \
>   --network host \
>   --publish 80 \
>   --publish 443 \
>   docker.io/library/caddy:2
ab698f14f3a6291b4e71985eba7477aa85a55fed8337a7b2240f35cb6ee3282b
[root@p1-dc1-node-1 ~]# podman generate systemd \
>   --files \
>   --name \
>   --container-prefix srv \
>   --pod-prefix srv \
>   ctn-caddy
/root/srv-ctn-caddy.service
[root@p1-dc1-node-1 ~]# mv -i srv-*.service /usr/lib/systemd/system/
[root@p1-dc1-node-1 ~]# restorecon -FRv /usr/lib/systemd/system
Relabeled /usr/lib/systemd/system/srv-ctn-caddy.service from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:systemd_unit_file_t:s0
[root@p1-dc1-node-1 ~]# systemctl daemon-reload
[root@p1-dc1-node-1 ~]# systemctl enable --now srv-ctn-caddy.service
Created symlink /etc/systemd/system/multi-user.target.wants/srv-ctn-caddy.service → /usr/lib/systemd/system/srv-ctn-caddy.service.
Created symlink /etc/systemd/system/default.target.wants/srv-ctn-caddy.service → /usr/lib/systemd/system/srv-ctn-caddy.service.
[root@p1-dc1-node-1 ~]# podman inspect --format "{{.Config.Labels}}" -l
map[io.containers.autoupdate:image org.opencontainers.image.description:a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go org.opencontainers.image.documentation:https://caddyserver.com/docs org.opencontainers.image.licenses:Apache-2.0 org.opencontainers.image.source:https://github.com/caddyserver/caddy-docker org.opencontainers.image.title:Caddy org.opencontainers.image.url:https://caddyserver.com org.opencontainers.image.vendor:Light Code Labs org.opencontainers.image.version:v2.0.0]
[root@p1-dc1-node-1 ~]# podman auto-update
Trying to pull docker://docker.io/library/caddy:2...
Getting image source signatures
Copying blob 639b35073727 done
Copying blob df20fa9351a1 done
Copying blob b1e49a2f7ba4 done
Copying blob 2ed237faf7b9 done
Copying blob 57d6f0d7c084 done
Copying config 90a12b5c95 done
Writing manifest to image destination
Storing signatures
Error: 1 error occurred:
	* error auto-updating container "ab698f14f3a6291b4e71985eba7477aa85a55fed8337a7b2240f35cb6ee3282b": no PODMAN_SYSTEMD_UNIT label found

@q-b
Author

q-b commented Jul 4, 2020

Ok, so it seems related to the --new flag. The description does not mention auto-update, and the podman-auto-update man page does not explicitly state its requirement either.

I diffed both unit files:

[root@p1-dc1-node-1 ~]# diff without-new with-new
3c3
< # Sat Jul  4 10:52:24 CEST 2020
---
> # Sat Jul  4 10:48:30 CEST 2020
14,17c14,18
< ExecStart=/usr/bin/podman start ctn-caddy
< ExecStop=/usr/bin/podman stop -t 10 ctn-caddy
< ExecStopPost=/usr/bin/podman stop -t 10 ctn-caddy
< PIDFile=/run/srv-ctn-caddy.pid
---
> ExecStartPre=/bin/rm -f %t/srv-ctn-caddy.pid %t/srv-ctn-caddy.ctr-id
> ExecStart=/usr/bin/podman run --conmon-pidfile %t/srv-ctn-caddy.pid --cidfile %t/srv-ctn-caddy.ctr-id --cgroups=no-conmon -d --replace --name ctn-caddy --label io.containers.autoupdate=image --volume /etc/caddy:/etc/caddy:Z --volume /var/lib/caddy:/data:Z --volume /var/www:/usr/share/caddy:Z --network host --publish 80 --publish 443 docker.io/library/caddy:2
> ExecStop=/usr/bin/podman stop --ignore --cidfile %t/srv-ctn-caddy.ctr-id -t 10
> ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/srv-ctn-caddy.ctr-id
> PIDFile=%t/srv-ctn-caddy.pid

I checked the labels with --new as well and it looks OK:

[root@p1-dc1-node-1 ~]# podman inspect --format "{{.Config.Labels}}" -l
map[PODMAN_SYSTEMD_UNIT:srv-ctn-caddy.service io.containers.autoupdate:image ...]

@vrothberg
Member

Thanks a lot for checking! Using unit files that create new containers (as done with --new) is a requirement as we need to create and start new containers in order to use the updated image.

I'll open a PR to improve the docs and make this requirement explicit.
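
The requirement stated above can be checked before relying on `podman auto-update`. This is an added example, not code from the thread or from the podman project: the function name, status words and sample unit files are constructed for illustration (the units are modelled on the diff earlier in the thread), and it goes slightly beyond the thread by also handling an `ExecStart=` wrapped over several lines.

```shell
# Added example: decide from a unit file whether auto-update can work.
# Prints a status word; returns 0 only for a unit that recreates the container.
unit_autoupdate_status() {
    unit_file=$1
    [ -r "$unit_file" ] || { echo "unreadable"; return 2; }
    # Join backslash-continued lines so a wrapped ExecStart= is seen whole.
    joined=$(awk '{
        while (sub(/\\$/, "")) { if ((getline nxt) <= 0) break; $0 = $0 nxt }
        print
    }' "$unit_file")
    # Only ExecStart= matters here, not ExecStartPre= or ExecStop=.
    exec_start=$(printf '%s\n' "$joined" | sed -n 's/^ExecStart=//p')
    case "$exec_start" in
        *"podman start "*) echo "start-only"; return 1 ;;  # keeps the old image
        *"podman run "*) ;;                                # creates a new container
        *) echo "unknown-execstart"; return 2 ;;
    esac
    case "$exec_start" in
        *io.containers.autoupdate=*) ;;
        *) echo "no-autoupdate-label"; return 1 ;;
    esac
    if printf '%s\n' "$joined" | grep -q '^Environment=.*PODMAN_SYSTEMD_UNIT='; then
        echo "ok"; return 0
    fi
    echo "missing-unit-env"; return 1
}

# Constructed sample units, modelled on the without-new/with-new diff.
write_sample_units() {
    cat > "$1/without-new.service" <<'EOF'
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/usr/bin/podman start ctn-caddy
ExecStop=/usr/bin/podman stop -t 10 ctn-caddy
EOF
    cat > "$1/with-new.service" <<'EOF'
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStartPre=/bin/rm -f %t/srv-ctn-caddy.pid %t/srv-ctn-caddy.ctr-id
ExecStart=/usr/bin/podman run --conmon-pidfile %t/srv-ctn-caddy.pid \
    --cidfile %t/srv-ctn-caddy.ctr-id --cgroups=no-conmon -d --replace \
    --name ctn-caddy --label io.containers.autoupdate=image \
    docker.io/library/caddy:2
EOF
}

demo_dir=$(mktemp -d) && write_sample_units "$demo_dir"
for f in "$demo_dir"/*.service; do echo "${f##*/}: $(unit_autoupdate_status "$f")"; done
rm -rf "$demo_dir"
```

On a live host, the `podman inspect --format "{{.Config.Labels}}"` check used in the thread confirms whether the running container actually carries the `PODMAN_SYSTEMD_UNIT` label.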

vrothberg added a commit to vrothberg/libpod that referenced this issue Jul 6, 2020
Clarify in the help message and the man page that auto updates only work
with systemd units that are similar to the ones from `generate systemd
--new`.  Units that merely start/stop a container do not work as they
will use the same image.

Fixes: containers#6793
Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
Member

Opened #6858

mheon pushed a commit to mheon/libpod that referenced this issue Jul 6, 2020
skorhone pushed a commit to skorhone/libpod that referenced this issue Jul 7, 2020
@github-actions github-actions bot added the "locked - please file new issue/PR" label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023