Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dry-run, download-only, notifiy-only modes for podman auto-update #9949

Closed
jpf91 opened this issue Apr 6, 2021 · 6 comments · Fixed by #10937
Closed

Dry-run, download-only, notifiy-only modes for podman auto-update #9949

jpf91 opened this issue Apr 6, 2021 · 6 comments · Fixed by #10937
Assignees
@vrothberg
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@jpf91
Copy link

jpf91 commented Apr 6, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

It'd be great to have much more configuration options for podman auto-update: I have quite some services which I don't want updated automatically. These are things such as IPA client containers which perform a join to the IPA directory which should not happen unattended (can easily break depending on DNS and network state). Because of this, I have systemd services which should not be restarted if an update is available. I also have services which could be restarted but wouldn't apply the new configuration anyway, as they start persistent containers. To summarize, it'd be great to have these operation modes:

  • Only check if updates are available. Print a list of affected container names. Provide some way to react to this, so that users can send this information via email.
  • Check for updates and pull, but do not restart containers
  • Check for updates, pull and restart containers

in general, it'd be great to have some more verbose output from auto-update. (Even if it's just for testing whether the labels have been set properly).

I've programmed a small hack to do / demonstrate all this:

#!/bin/bash

IGNORE_LABEL=1
VERBOSE=1
DOWNLOAD=0
SEND_UPDATE_MAIL=0

if [ -f /etc/podman-download-updates.conf ]; then
    source /etc/podman-download-updates.conf
fi 

CONTAINERS=$(podman ps --format {{.ID}})
DOWNLOAD_IMAGES=()
CONTAINER_UPDATES=()

echo "Scanning running containers:"
for CID in $CONTAINERS; do
    IMAGE=$(podman inspect $CID --format {{.ImageName}})
    IMAGE_ID=$(podman inspect $CID --format {{.ImageID}})
    NAME=$(podman inspect $CID --format {{.Name}})
    LABELS=$(podman inspect $CID --format {{.Config.Labels}})

    echo $LABELS | grep -q "io.containers.autoupdate:image"
    IS_ENABLED=$?

    if [[ $IS_ENABLED -eq 0 || IGNORE_LABEL -eq 1 ]]; then
        test $VERBOSE -eq 1 && echo "* $NAME($CID) checking for updates"
        
        TIME_REG=$(skopeo inspect docker://$IMAGE 2> /dev/null | jq '.Created')
        TIME_LOCAL=$(skopeo inspect containers-storage:$IMAGE 2> /dev/null | jq '.Created')
        TIME_CONTAINER=$(skopeo inspect containers-storage:$IMAGE_ID 2> /dev/null | jq '.Created')

        if [ "$TIME_LOCAL" != "$TIME_REG" ]; then
            DOWNLOAD_IMAGES=(${DOWNLOAD_IMAGES[@]} $IMAGE)
        fi
        if [ "$TIME_CONTAINER" != "$TIME_REG" ]; then
            CONTAINER_UPDATES=(${CONTAINER_UPDATES[@]} $NAME)
        fi
    elif [ $VERBOSE -eq 1 ]; then
        echo "# $NAME($CID) auto-updates not enabled"
    fi
done

if [[ $DOWNLOAD -eq 1 && ${#DOWNLOAD_IMAGES[@]} -ne 0 ]]; then
    echo ""
    echo ""
    echo "Downloading new images:"
    for IMAGE in "${DOWNLOAD_IMAGES[@]}"
    do
        echo "* $IMAGE"
        podman pull $IMAGE
    done
fi

if [[ ${#CONTAINER_UPDATES[@]} -ne 0 ]]; then
    echo ""
    echo ""
    echo "The following containers can be updated:"
    for CONTAINER in "${CONTAINER_UPDATES[@]}"
    do
        echo "* $CONTAINER"
    done
fi

if [[ $SEND_UPDATE_MAIL -eq 1 ]]; then
    /etc/systemd-email.sh "Container Updater" podman-update.service
fi

This provides (verbose) output similar to this and allows sending it via email:

Scanning running containers:
* test-fedora(557a24bd6552) checking for updates
* fs-maintenance(a6d7a2dc89fd) checking for updates
* samba-server(c28e852d7f14) checking for updates
* ssh-fileserver(1c824402f0a4) checking for updates
* freeipa(991f0963cd34) checking for updates
* registry(72759de3dc2b) checking for updates
* acme(e0371cf959f7) checking for updates
* minidlna(6c3fef68d33b) checking for updates
* droneci-runner(5ac00170e988) checking for updates
* droneci(4020901edb6b) checking for updates
* nginx(ac05f1df94a1) checking for updates
* gitea(fa5e9d0c2788) checking for updates
* tvheadend(6d915652eb7c) checking for updates
* mariadb(02af78367ca7) checking for updates
* cockpit-ws(da51dbc9a63e) checking for updates
* ipa-client-nas(094163fd59b5) checking for updates


The following containers can be updated:
* fs-maintenance
* samba-server
* freeipa
* mariadb
* ipa-client-nas

BTW: My planned strategy for updates is systemctl stop container && podman rename container container.bak && systemctl start container where the systemd unit looks like those described here: #9948 It would be great if auto-update could integrate well into this workflow.
@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 6, 2021
@github-actions
Copy link

github-actions bot commented May 7, 2021

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented May 7, 2021

It would probably be better for you to open PR's then issues...

@github-actions
Copy link

github-actions bot commented Jun 7, 2021

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Jun 7, 2021

@vrothberg WDYT?

@vrothberg
Copy link
Member

Yes, I am in favor of doing that. There is a number of things I want to work on for auto updates. Once we leave bug scrubbing, I'd love to spend some time on it.

Another thing I want to do is get a REST endpoint, such that auto updates can be triggered remotely.

@vrothberg vrothberg self-assigned this Jun 23, 2021
@vrothberg
Copy link
Member

Note: I started spending time on it.

@vrothberg vrothberg mentioned this issue Jul 8, 2021
Merged
vrothberg added a commit to vrothberg/libpod that referenced this issue Jul 14, 2021
@vrothberg
auto-update: make output more user friendly
01cfb51 
The rather raw and scarce output of `podman auto-update` has been a
thorn in my eyes for a longer while.  So far, Podman would only print
updated systemd units, one per line, without further formatting.

Motivated by issue containers#9949 which is asking for some more useful
information in combination with a dry-run feature, I sat down and
reflected which information may come in handy.

Running `podman auto-update` will now look as follows:

```
$ podman auto-update
Trying to pull [...]

UNIT                    CONTAINER            IMAGE                   POLICY      UPDATED
container-test.service  08fd34e533fd (test)  localhost:5000/busybox  registry    false
```

Also refactor the spaghetti code in the backend a bit to make it easier
to digest and maintain.

For easier testing and for the sake of consistency with other commands
listing output, add a `--format` flag.

The man page will get an overhaul in a follow up commit.

Signed-off-by: Valentin Rothberg <[email protected]>
vrothberg added a commit to vrothberg/libpod that referenced this issue Jul 15, 2021
@vrothberg
auto-update: add --dry-run
59f31d8 
Add a --dry-run flag to `podman auto-update` which will look for new
images but won't perform any pull or restart any service or container.

The "UPDATED" column will now indicate the availability of a newer image
via "pending".

```
$ podman auto-update --dry-run
UNIT                    CONTAINER            IMAGE                   POLICY      UPDATED
container-test.service  08fd34e533fd (test)  localhost:5000/busybox  registry    false
```

Fixes: containers#9949
Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg vrothberg mentioned this issue Jul 15, 2021
Merged
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@vrothberg vrothberg

Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

auto-update: add --dry-run vrothberg/libpod
4 participants
@jpf91 @rhatdan @vrothberg @openshift-ci-robot