FreeBSD Manual Pages
podman-auto-update(1) General Commands Manual podman-auto-update(1) NAME podman-auto-update - Auto update containers according to their auto-up- date policy SYNOPSIS podman auto-update [options] DESCRIPTION podman auto-update pulls down new container images and restarts con- tainers configured for auto updates. To make use of auto updates, the container or Kubernetes workloads must run inside a systemd unit. Af- ter a successful update of an image, the containers using the image get updated by restarting the systemd units they run in. Please refer to quadlet(5) on how to run Podman under systemd. To configure a container for auto updates, it must be created with the io.containers.autoupdate label or the AutoUpdate field in quadlet(5) with one of the following two values: • registry: If the label is present and set to registry, Podman reaches out to the corresponding registry to check if the image has been up- dated. The label image is an alternative to registry maintained for backwards compatibility. An image is considered updated if the di- gest in the local storage is different than the one of the remote im- age. If an image must be updated, Podman pulls it down and restarts the systemd unit executing the container. The registry policy re- quires a fully-qualified image reference (e.g., quay.io/podman/sta- ble:latest) to be used to create the container. This enforcement is necessary to know which image to actually check and pull. If an im- age ID was used, Podman would not know which image to check/pull any- more. • local: If the autoupdate label is set to local, Podman compares the image digest of the container to the one in the local container stor- age. If they differ, the local image is considered to be newer and the systemd unit gets restarted. Auto Updates and Kubernetes YAML Podman supports auto updates for Kubernetes workloads. The auto-update policy can be configured directly via quadlet(5) or inside the Kuber- netes YAML with the Podman-specific annotations mentioned below: • io.containers.autoupdate: "registry|local" to apply the auto-update policy to all containers • io.containers.autoupdate/$container: "registry|local" to apply the auto-update policy to $container only • io.containers.sdnotify: "conmon|container" to apply the sdnotify pol- icy to all containers • io.containers.sdnotify/$container: "conmon|container" to apply the sdnotify policy to $container only By default, the autoupdate policy is set to "disabled", the sdnotify policy is set to "conmon". Systemd Unit and Timer Podman ships with a podman-auto-update.service systemd unit. This unit is triggered daily at midnight by the podman-auto-update.timer systemd timer. The timer can be altered for custom time-based updates if de- sired. The unit can further be invoked by other systemd units (e.g., via the dependency tree) or manually via systemctl start podman-auto- update.service. OPTIONS --authfile=path Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain- ers/auth.json on Linux, and $HOME/.config/containers/auth.json on Win- dows/macOS. The file is created by podman login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login. Note: There is also the option to override the default path of the au- thentication file by setting the REGISTRY_AUTH_FILE environment vari- able. This can be done with export REGISTRY_AUTH_FILE=path. Alternatively, the io.containers.autoupdate.authfile container label can be configured. In that case, Podman will use the specified label's value instead. --dry-run Check for the availability of new images but do not perform any pull operation or restart any service or container. The UPDATED field indi- cates the availability of a new image with "pending". --format=format Change the default output format. This can be of a supported type like 'json' or a Go template. Valid placeholders for the Go template are listed below: +----------------+------------------------------+ | Placeholder | Description | +----------------+------------------------------+ | .Container | ID and name of the container | +----------------+------------------------------+ | .ContainerID | ID of the container | +----------------+------------------------------+ | .ContainerName | Name of the container | +----------------+------------------------------+ | .Image | Name of the image | +----------------+------------------------------+ | .Policy | Auto-update policy of the | | | container | +----------------+------------------------------+ | .Unit | Name of the systemd unit | +----------------+------------------------------+ | .Updated | Update status: | | | true,false,failed | +----------------+------------------------------+ --rollback If restarting a systemd unit after updating the image has failed, roll- back to using the previous image and restart the unit another time. Default is true. Note that detecting if a systemd unit has failed is best done by the container sending the READY message via SDNOTIFY. This way, restarting the unit waits until having received the message or a timeout kicked in. Without that, restarting the systemd unit may succeed even if the container has failed shortly after. For a container to send the READY message via SDNOTIFY it must be cre- ated with the --sdnotify=container option (see podman-run(1)). The ap- plication running inside the container can then execute systemd-notify --ready when ready or use the sdnotify bindings of the specific pro- gramming language (e.g., sd_notify(3)). --tls-verify Require HTTPS and verify certificates when contacting registries (de- fault: true). If explicitly set to true, TLS verification is used. If set to false, TLS verification is not used. If not specified, TLS ver- ification is used unless the target registry is listed as an insecure registry in containers-registries.conf(5) EXAMPLES Create a Quadlet file configured for auto updates: $ cat ~/.config/containers/systemd/sleep.container [Container] Image=registry.fedoraproject.org/fedora:latest Exec=sleep infinity AutoUpdate=registry Generate a systemd service from the Quadlet file by reloading the sys- temd user daemon: $ systemctl --user daemon-reload Start the systemd service and make sure the container is running $ systemctl --user start sleep.service $ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f8e4759798d4 registry.fedoraproject.org/fedora:latest sleep infinity 2 seconds ago Up 2 seconds systemd-sleep Check if a new image is available via --dry-run: $ podman auto-update --dry-run --format "{{.Image}} {{.Updated}}" registry.fedoraproject.org/fedora:latest pending Update the service: $ podman auto-update UNIT CONTAINER IMAGE POLICY UPDATED sleep.service f8e4759798d4 (systemd-sleep) registry.fedoraproject.org/fedora:latest registry true SEE ALSO podman(1), podman-generate-systemd(1), podman-run(1), podman-sys- temd.unit(5), sd_notify(3), systemd.unit(5) podman-auto-update(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=podman-auto-update&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>