containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Dry-run, download-only, notify-only modes for podman auto-update #9949

Closed jpf91 closed 3 years ago

jpf91 commented 3 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

It'd be great to have many more configuration options for podman auto-update: I have quite a few services which I don't want updated automatically. These are things such as IPA client containers which perform a join to the IPA directory, which should not happen unattended (it can easily break depending on DNS and network state). Because of this, I have systemd services which should not be restarted if an update is available. I also have services which could be restarted but wouldn't apply the new configuration anyway, as they start persistent containers. To summarize, it'd be great to have these operation modes:

In general, it'd be great to have some more verbose output from auto-update (even if it's just for testing whether the labels have been set properly).

I've programmed a small hack to do / demonstrate all this:

#!/bin/bash
# Compares the "Created" timestamp of the image in the registry with the copy
# in local storage and with the image the running container was started from.
# Containers are only listed, never restarted.

IGNORE_LABEL=1        # 1: check every container, 0: only those labelled io.containers.autoupdate=image
VERBOSE=1
DOWNLOAD=0            # 1: pull newer images (containers are still not restarted)
SEND_UPDATE_MAIL=0

if [ -f /etc/podman-download-updates.conf ]; then
    source /etc/podman-download-updates.conf
fi

CONTAINERS=$(podman ps --format '{{.ID}}')
DOWNLOAD_IMAGES=()
CONTAINER_UPDATES=()

echo "Scanning running containers:"
for CID in $CONTAINERS; do
    IMAGE=$(podman inspect "$CID" --format '{{.ImageName}}')
    IMAGE_ID=$(podman inspect "$CID" --format '{{.ImageID}}')
    NAME=$(podman inspect "$CID" --format '{{.Name}}')
    LABELS=$(podman inspect "$CID" --format '{{.Config.Labels}}')

    # The label map is printed as "map[key:value ...]", hence the key:value match
    echo "$LABELS" | grep -qF "io.containers.autoupdate:image"
    IS_ENABLED=$?

    if [[ $IS_ENABLED -eq 0 || $IGNORE_LABEL -eq 1 ]]; then
        test "$VERBOSE" -eq 1 && echo "* $NAME($CID) checking for updates"

        TIME_REG=$(skopeo inspect "docker://$IMAGE" 2> /dev/null | jq '.Created')
        TIME_LOCAL=$(skopeo inspect "containers-storage:$IMAGE" 2> /dev/null | jq '.Created')
        TIME_CONTAINER=$(skopeo inspect "containers-storage:$IMAGE_ID" 2> /dev/null | jq '.Created')

        # A failed registry lookup leaves TIME_REG empty; without this check the
        # mismatch would be reported as an available update.
        if [ -z "$TIME_REG" ]; then
            echo "! $NAME($CID) could not query the registry for $IMAGE"
            continue
        fi

        if [ "$TIME_LOCAL" != "$TIME_REG" ]; then
            DOWNLOAD_IMAGES+=("$IMAGE")
        fi
        if [ "$TIME_CONTAINER" != "$TIME_REG" ]; then
            CONTAINER_UPDATES+=("$NAME")
        fi
    elif [ "$VERBOSE" -eq 1 ]; then
        echo "# $NAME($CID) auto-updates not enabled"
    fi
done

if [[ $DOWNLOAD -eq 1 && ${#DOWNLOAD_IMAGES[@]} -ne 0 ]]; then
    echo ""
    echo ""
    echo "Downloading new images:"
    for IMAGE in "${DOWNLOAD_IMAGES[@]}"; do
        echo "* $IMAGE"
        podman pull "$IMAGE"
    done
fi

if [[ ${#CONTAINER_UPDATES[@]} -ne 0 ]]; then
    echo ""
    echo ""
    echo "The following containers can be updated:"
    for CONTAINER in "${CONTAINER_UPDATES[@]}"; do
        echo "* $CONTAINER"
    done
fi

if [[ $SEND_UPDATE_MAIL -eq 1 ]]; then
    /etc/systemd-email.sh "Container Updater" podman-update.service
fi

This provides (verbose) output like the following and allows sending it via email:

Scanning running containers:
* test-fedora(557a24bd6552) checking for updates
* fs-maintenance(a6d7a2dc89fd) checking for updates
* samba-server(c28e852d7f14) checking for updates
* ssh-fileserver(1c824402f0a4) checking for updates
* freeipa(991f0963cd34) checking for updates
* registry(72759de3dc2b) checking for updates
* acme(e0371cf959f7) checking for updates
* minidlna(6c3fef68d33b) checking for updates
* droneci-runner(5ac00170e988) checking for updates
* droneci(4020901edb6b) checking for updates
* nginx(ac05f1df94a1) checking for updates
* gitea(fa5e9d0c2788) checking for updates
* tvheadend(6d915652eb7c) checking for updates
* mariadb(02af78367ca7) checking for updates
* cockpit-ws(da51dbc9a63e) checking for updates
* ipa-client-nas(094163fd59b5) checking for updates

The following containers can be updated:
* fs-maintenance
* samba-server
* freeipa
* mariadb
* ipa-client-nas

BTW: My planned strategy for updates is systemctl stop container && podman rename container container.bak && systemctl start container where the systemd unit looks like those described here: https://github.com/containers/podman/issues/9948 It would be great if auto-update could integrate well into this workflow.
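
Added example, not code from the issue author or from the podman project: the same dry-run / download-only / notify-only split as a POSIX shell script, but keyed on image digests instead of the image Created timestamp, and honouring the io.containers.autoupdate label (the documented value registry as well as the older spelling image used above). Assumptions: podman, skopeo and jq are installed; mail(1) stands in for whatever delivers the notification; the container's image ID is read from the Image field of podman inspect; and RepoDigests of a local image lists every digest it is known by, including the manifest-list digest it was pulled through, so the digest skopeo reports for the registry copy matches whether or not the image is multi-arch. The decision is a pure function so it can be exercised without podman, and a failed registry lookup yields "unknown" rather than being counted as an update.

```shell
#!/bin/sh
# Added example (not podman's own code): dry-run / download-only / notify-only
# update planner keyed on image digests. Usage:
#   ./check-updates.sh dry-run|download|notify [IGNORE_LABEL]
# Assumes podman, skopeo and jq on the host; mail(1) is a placeholder sender.

AUTOUPDATE_LABEL="io.containers.autoupdate"
NL='
'

# has_digest DIGEST "repo@sha256:... repo@sha256:... " -> 0 if DIGEST is in the list.
# The list is the RepoDigests of a local image (assumption: it carries both the
# manifest-list digest the image was pulled through and its per-platform digest).
has_digest() {
    case "$2 " in *"@$1 "*) return 0 ;; *) return 1 ;; esac
}

# classify_container LABEL REGISTRY_DIGEST CONTAINER_IMAGE_DIGESTS LOCAL_IMAGE_DIGESTS [IGNORE_LABEL]
# Pure function; prints exactly one word:
#   skip     label is not registry/image (unless IGNORE_LABEL=1)
#   unknown  registry digest is empty (lookup failed): never treated as an update
#   current  the image the container runs on already carries the registry digest
#   restart  the new image is already in local storage; only the container is stale
#   pull     the registry serves a digest that is not in local storage yet
classify_container() {
    label="$1" rdigest="$2" cdigests="$3" ldigests="$4" ignore="${5:-0}"
    if [ "$ignore" != 1 ]; then
        case "$label" in
            registry|image) ;;   # "registry" is the documented value, "image" the older spelling
            *) echo skip; return 0 ;;
        esac
    fi
    if [ -z "$rdigest" ]; then echo unknown
    elif has_digest "$rdigest" "$cdigests"; then echo current
    elif has_digest "$rdigest" "$ldigests"; then echo restart
    else echo pull
    fi
}

# Host-side lookups (not exercised offline).
registry_digest() {   # registry_digest IMAGE -> digest the registry serves, or empty on failure
    skopeo inspect "docker://$1" 2>/dev/null | jq -r '.Digest // empty'
}
repo_digests() {      # repo_digests IMAGE_OR_ID -> space-separated RepoDigests of the local image
    podman image inspect "$1" --format '{{range .RepoDigests}}{{.}} {{end}}' 2>/dev/null
}

# plan MODE [IGNORE_LABEL]: walks the running containers, prints a report and,
# in download mode, pulls new images. No mode restarts a container.
plan() {
    mode="$1" ignore="${2:-0}" report=""
    for cid in $(podman ps --format '{{.ID}}'); do
        name=$(podman inspect "$cid" --format '{{.Name}}')
        image=$(podman inspect "$cid" --format '{{.ImageName}}')
        image_id=$(podman inspect "$cid" --format '{{.Image}}')   # assumption: Image holds the image ID
        label=$(podman inspect "$cid" --format "{{index .Config.Labels \"$AUTOUPDATE_LABEL\"}}")
        verdict=$(classify_container "$label" "$(registry_digest "$image")" \
                      "$(repo_digests "$image_id")" "$(repo_digests "$image")" "$ignore")
        case "$verdict" in
            pull)
                if [ "$mode" = download ]; then podman pull -q "$image" >/dev/null; fi
                report="$report* $name: new image for $image (pull needed, restart needed)$NL" ;;
            restart) report="$report* $name: new image already local (restart needed)$NL" ;;
            unknown) report="$report* $name: could not query the registry for $image$NL" ;;
            *) ;;   # current or skip: nothing to report
        esac
    done
    [ -n "$report" ] || return 0
    printf 'Container update report (%s mode):\n%s' "$mode" "$report"
    if [ "$mode" = notify ]; then
        printf '%s' "$report" | mail -s "container updates on $(hostname)" root   # placeholder sender
    fi
}

case "${1:-}" in
    dry-run|download|notify) plan "$1" "${2:-0}" ;;
    *) echo "usage: $0 dry-run|download|notify [IGNORE_LABEL]" >&2 ;;
esac
```

Run it as ./check-updates.sh dry-run, download or notify; a second argument of 1 checks every container regardless of label. A "restart" verdict is only reported, never acted on, so the stop / rename / start sequence described above stays a deliberate step for containers such as the IPA clients.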

github-actions[bot] commented 3 years ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 3 years ago

It would probably be better for you to open PRs than issues...

github-actions[bot] commented 3 years ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 3 years ago

@vrothberg WDYT?

vrothberg commented 3 years ago

Yes, I am in favor of doing that. There are a number of things I want to work on for auto updates. Once we leave bug scrubbing, I'd love to spend some time on it.

Another thing I want to do is get a REST endpoint, such that auto updates can be triggered remotely.

vrothberg commented 3 years ago

Note: I started spending time on it.