auto update containers in systemd units

cmd/podman/autoupdate.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/containers/libpod/cmd/podman/cliconfig"
+	"github.com/containers/libpod/pkg/adapter"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+var (
+	autoUpdateCommand     cliconfig.AutoUpdateValues
+	autoUpdateDescription = `Auto update containers according to their auto-update policy.
+
+Auto-update policies are specified with the "io.containers.autoupdate" label.`
+	_autoUpdateCommand = &cobra.Command{
+		Use:   "auto-update [flags]",
+		Short: "Auto update containers according to their auto-update policy",
+		Args:  noSubArgs,
+		Long:  autoUpdateDescription,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			restartCommand.InputArgs = args
+			restartCommand.GlobalFlags = MainGlobalOpts
+			return autoUpdateCmd(&restartCommand)
+		},
+		Example: `podman auto-update`,
+	}
+)
+
+func init() {
+	autoUpdateCommand.Command = _autoUpdateCommand
+	autoUpdateCommand.SetHelpTemplate(HelpTemplate())
+	autoUpdateCommand.SetUsageTemplate(UsageTemplate())
+}
+
+func autoUpdateCmd(c *cliconfig.RestartValues) error {
+	runtime, err := adapter.GetRuntime(getContext(), &c.PodmanCommand)
+	if err != nil {
+		return errors.Wrapf(err, "error creating libpod runtime")
+	}
+	defer runtime.DeferredShutdown(false)
+
+	units, failures := runtime.AutoUpdate()
+	for _, unit := range units {
+		fmt.Println(unit)
+	}
+	var finalErr error
+	if len(failures) > 0 {
+		finalErr = failures[0]
+		for _, e := range failures[1:] {
+			finalErr = errors.Errorf("%v\n%v", finalErr, e)
+		}
+	}
+	return finalErr
+}

cmd/podman/cliconfig/config.go

@@ -54,6 +54,10 @@ type AttachValues struct {
 	SigProxy   bool
 }
 
+type AutoUpdateValues struct {
+	PodmanCommand
+}
+
 type ImagesValues struct {
 	PodmanCommand
 	All       bool
@@ -470,10 +474,11 @@ type RefreshValues struct {
 
 type RestartValues struct {
 	PodmanCommand
-	All     bool
-	Latest  bool
-	Running bool
-	Timeout uint
+	All        bool
+	AutoUpdate bool
+	Latest     bool
+	Running    bool
+	Timeout    uint
 }
 
 type RestoreValues struct {

cmd/podman/commands.go

@@ -11,6 +11,7 @@ const remoteclient = false
 // Commands that the local client implements
 func getMainCommands() []*cobra.Command {
 	rootCommands := []*cobra.Command{
+		_autoUpdateCommand,
 		_cpCommand,
 		_playCommand,
 		_loginCommand,

cmd/podman/shared/create.go

@@ -18,13 +18,15 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
 	ann "github.com/containers/libpod/pkg/annotations"
+	"github.com/containers/libpod/pkg/autoupdate"
 	envLib "github.com/containers/libpod/pkg/env"
 	"github.com/containers/libpod/pkg/errorhandling"
 	"github.com/containers/libpod/pkg/inspect"
 	ns "github.com/containers/libpod/pkg/namespaces"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/seccomp"
 	cc "github.com/containers/libpod/pkg/spec"
+	systemdGen "github.com/containers/libpod/pkg/systemd/generate"
 	"github.com/containers/libpod/pkg/util"
 	"github.com/docker/go-connections/nat"
 	"github.com/docker/go-units"
@@ -69,6 +71,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 	}
 
 	imageName := ""
+	rawImageName := ""
 	var imageData *inspect.ImageData = nil
 
 	// Set the storage if there is no rootfs specified
@@ -78,9 +81,8 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 			writer = os.Stderr
 		}
 
-		name := ""
 		if len(c.InputArgs) != 0 {
-			name = c.InputArgs[0]
+			rawImageName = c.InputArgs[0]
 		} else {
 			return nil, nil, errors.Errorf("error, image name not provided")
 		}
@@ -97,7 +99,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 			ArchitectureChoice: overrideArch,
 		}
 
-		newImage, err := runtime.ImageRuntime().New(ctx, name, rtc.SignaturePolicyPath, c.String("authfile"), writer, &dockerRegistryOptions, image.SigningOptions{}, nil, pullType)
+		newImage, err := runtime.ImageRuntime().New(ctx, rawImageName, rtc.SignaturePolicyPath, c.String("authfile"), writer, &dockerRegistryOptions, image.SigningOptions{}, nil, pullType)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -174,11 +176,32 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		}
 	}
 
-	createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, imageData)
+	createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, rawImageName, imageData)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	// (VR): Ideally we perform the checks _before_ pulling the image but that
+	// would require some bigger code refactoring of `ParseCreateOpts` and the
+	// logic here.  But as the creation code will be consolidated in the future
+	// and given auto updates are experimental, we can live with that for now.
+	// In the end, the user may only need to correct the policy or the raw image
+	// name.
+	autoUpdatePolicy, autoUpdatePolicySpecified := createConfig.Labels[autoupdate.Label]
+	if autoUpdatePolicySpecified {
+		if _, err := autoupdate.LookupPolicy(autoUpdatePolicy); err != nil {
+			return nil, nil, err
+		}
+		// Now we need to make sure we're having a fully-qualified image reference.
+		if rootfs != "" {
+			return nil, nil, errors.Errorf("auto updates do not work with --rootfs")
+		}
+		// Make sure the input image is a docker.
+		if err := autoupdate.ValidateImageReference(rawImageName); err != nil {
+			return nil, nil, err
+		}
+	}
+
 	// Because parseCreateOpts does derive anything from the image, we add health check
 	// at this point. The rest is done by WithOptions.
 	createConfig.HealthCheck = healthCheck
@@ -270,7 +293,7 @@ func configurePod(c *GenericCLIResults, runtime *libpod.Runtime, namespaces map[
 
 // Parses CLI options related to container creation into a config which can be
 // parsed into an OCI runtime spec
-func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
+func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime, imageName string, rawImageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
 	var (
 		inputCommand, command                                    []string
 		memoryLimit, memoryReservation, memorySwap, memoryKernel int64
@@ -481,12 +504,15 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		"container": "podman",
 	}
 
+	// First transform the os env into a map. We need it for the labels later in
+	// any case.
+	osEnv, err := envLib.ParseSlice(os.Environ())
+	if err != nil {
+		return nil, errors.Wrap(err, "error parsing host environment variables")
+	}
+
 	// Start with env-host
 	if c.Bool("env-host") {
-		osEnv, err := envLib.ParseSlice(os.Environ())
-		if err != nil {
-			return nil, errors.Wrap(err, "error parsing host environment variables")
-		}
 		env = envLib.Join(env, osEnv)
 	}
 
@@ -534,6 +560,10 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		}
 	}
 
+	if systemdUnit, exists := osEnv[systemdGen.EnvVariable]; exists {
+		labels[systemdGen.EnvVariable] = systemdUnit
+	}
+
 	// ANNOTATIONS
 	annotations := make(map[string]string)
 
@@ -764,11 +794,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		Entrypoint:        entrypoint,
 		Env:               env,
 		// ExposedPorts:   ports,
-		Init:        c.Bool("init"),
-		InitPath:    c.String("init-path"),
-		Image:       imageName,
-		ImageID:     imageID,
-		Interactive: c.Bool("interactive"),
+		Init:         c.Bool("init"),
+		InitPath:     c.String("init-path"),
+		Image:        imageName,
+		RawImageName: rawImageName,
+		ImageID:      imageID,
+		Interactive:  c.Bool("interactive"),
 		// IP6Address:     c.String("ipv6"), // Not implemented yet - needs CNI support for static v6
 		Labels: labels,
 		// LinkLocalIP:    c.StringSlice("link-local-ip"), // Not implemented yet

completions/bash/podman

@@ -3334,6 +3334,7 @@ _podman_podman() {
      "
      commands="
     attach
+    auto-update
     build
     commit
     container

contrib/systemd/auto-update/podman-auto-update.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Podman auto-update service
+Documentation=man:podman-auto-update(1)
+Wants=network.target
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/podman auto-update
+
+[Install]
+WantedBy=multi-user.target default.target

contrib/systemd/auto-update/podman-auto-update.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Podman auto-update timer
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

docs/source/markdown/podman-auto-update.1.md

@@ -0,0 +1,46 @@
+% podman-auto-update(1)
+
+## NAME
+podman-auto-update - Auto update containers according to their auto-update policy
+
+## SYNOPSIS
+**podman auto-update**
+
+## DESCRIPTION
+`podman auto-update` looks up containers with a specified "io.containers.autoupdate" label (i.e., the auto-update policy).
+
+If the label is present and set to "image", Podman reaches out to the corresponding registry to check if the image has been updated.
+An image is considered updated if the digest in the local storage is different than the one of the remote image.
+If an image must be updated, Podman pulls it down and restarts the systemd unit executing the container.
+
+At container-creation time, Podman looks up the "PODMAN_SYSTEMD_UNIT" environment variables and stores it verbatim in the container's label.
+This variable is now set by all systemd units generated by `podman-generate-systemd` and is set to `%n` (i.e., the name of systemd unit starting the container).
+This data is then being used in the auto-update sequence to instruct systemd (via DBUS) to restart the unit and hence to restart the container.
+
+Note that `podman auto-update` relies on systemd and requires a fully-qualified image reference (e.g., quay.io/podman/stable:latest) to be used to create the container.
+This enforcement is necessary to know which image to actually check and pull.
+If an image ID was used, Podman would not know which image to check/pull anymore.
+
+## EXAMPLES
+
+```
+# Start a container
+$ podman run -d busybox:latest top
+bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d
+
+# Generate a systemd unit for this container
+$ podman generate systemd --new --files bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d
+/home/user/containers/libpod/container-bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d.service
+
+# Load the new systemd unit and start it
+$ mv ./container-bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d.service ~/.config/systemd/user
+$ systemctl --user daemon-reload
+$ systemctl --user start container-bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d.service
+
+# Auto-update the container
+$ podman auto-update
+container-bc219740a210455fa27deacc96d50a9e20516492f1417507c13ce1533dbdcd9d.service
+```
+
+## SEE ALSO
+podman(1), podman-generate-systemd(1), podman-run(1), systemd.unit(5)

docs/source/markdown/podman.1.md

@@ -154,6 +154,7 @@ the exit codes follow the `chroot` standard, see below:
 | Command                                          | Description                                                                 |
 | ------------------------------------------------ | --------------------------------------------------------------------------- |
 | [podman-attach(1)](podman-attach.1.md)           | Attach to a running container.                                              |
+| [podman-auto-update(1)](podman-auto-update.1.md) | Auto update containers according to their auto-update policy                |
 | [podman-build(1)](podman-build.1.md)             | Build a container image using a Containerfile.                              |
 | [podman-commit(1)](podman-commit.1.md)           | Create new image based on the changed container.                            |
 | [podman-container(1)](podman-container.1.md)     | Manage containers.                                                          |

hack/man-page-checker

@@ -49,6 +49,12 @@ for md in $(ls -1 *-*.1.md | grep -v remote);do
 
     # podman.1.md has a two-column table; podman-*.1.md all have three.
     parent=$(echo $md | sed -e 's/^\(.*\)-.*$/\1.1.md/')
+    if [[ $parent =~ "podman-auto" ]]; then
+        # podman-auto-update.1.md is special cased as it's structure differs
+        # from that of other man pages where main and sub-commands split by
+        # dashes.
+        parent="podman.1.md"
+    fi
     x=3
     if expr -- "$parent" : ".*-" >/dev/null; then
         x=4
@@ -90,6 +96,12 @@ for md in *.1.md;do
     # Get the command name, and confirm that it matches the md file name.
     cmd=$(echo "$synopsis" | sed -e 's/\(.*\)\*\*.*/\1/' | tr -d \*)
     md_nodash=$(basename "$md" .1.md | tr '-' ' ')
+    if [[ $md_nodash = 'podman auto update' ]]; then
+        # podman-auto-update.1.md is special cased as it's structure differs
+        # from that of other man pages where main and sub-commands split by
+        # dashes.
+        md_nodash='podman auto-update'
+    fi
     if [ "$cmd" != "$md_nodash" -a "$cmd" != "podman-remote" ]; then
         echo
         printf "Inconsistent program name in SYNOPSIS in %s:\n" $md

hack/podman-commands.sh

@@ -38,6 +38,9 @@ function podman_man() {
 
         # Special case: there is no podman-help man page, nor need for such.
         echo "help"
+        # Auto-update differs from other commands as it's a single command, not
+        # a main and sub-command split by a dash.
+        echo "auto-update"
     elif [ "$@" = "podman-image-trust" ]; then
         # Special case: set and show aren't actually in a table in the man page
         echo set

libpod/container.go

@@ -239,6 +239,12 @@ type ContainerConfig struct {
 	// container has been created with.
 	CreateCommand []string `json:"CreateCommand,omitempty"`
 
+	// RawImageName is the raw and unprocessed name of the image when creating
+	// the container (as specified by the user).  May or may not be set.  One
+	// use case to store this data are auto-updates where we need the _exact_
+	// name and not some normalized instance of it.
+	RawImageName string `json:"RawImageName,omitempty"`
+
 	// TODO consider breaking these subsections up into smaller structs
 
 	// UID/GID mappings used by the storage
@@ -503,11 +509,17 @@ func (c *Container) Namespace() string {
 	return c.config.Namespace
 }
 
-// Image returns the ID and name of the image used as the container's rootfs
+// Image returns the ID and name of the image used as the container's rootfs.
 func (c *Container) Image() (string, string) {
 	return c.config.RootfsImageID, c.config.RootfsImageName
 }
 
+// RawImageName returns the unprocessed and not-normalized user-specified image
+// name.
+func (c *Container) RawImageName() string {
+	return c.config.RawImageName
+}
+
 // ShmDir returns the sources path to be mounted on /dev/shm in container
 func (c *Container) ShmDir() string {
 	return c.config.ShmDir

libpod/events/config.go

@@ -98,6 +98,8 @@ const (
 
 	// Attach ...
 	Attach Status = "attach"
+	// AutoUpdate ...
+	AutoUpdate Status = "auto-update"
 	// Checkpoint ...
 	Checkpoint Status = "checkpoint"
 	// Cleanup ...