Add systemd service and timer for running 'podman image prune -a' #25864
Conversation
johanneskastl
changed the title
Signed-off-by: Johannes Kastl <git@johannes-kastl.de>
Signed-off-by: Johannes Kastl <git@johannes-kastl.de>
johanneskastl
force-pushed
the
20250412_add_image_prune_service
branch
from
4a9b458 to
fd380fe
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, johanneskastl The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
There was a problem hiding this comment.
I don't think this is a good idea to install by default.
At the very least this will totally race against the auto-update service. There is no image pin/locking so if auto-update pulls a new one restarts the container unit the image will have no users and will be pruned which is totally incorrect.
And even without auto-update this will be racy for any podman run $IMAGE where $IMAGE is not here locally and is just being pulled. There are ton of windows where prune can delete stuff that is in fact just about to be used. As I don't think running this on a timer by default is good. I have seen distros such as debian enabling all our units so this can have bad consequences.
IMO all users must be fully aware of when pruning would happen so I rather have them do this explicitly themselves.
| [Install] | ||
| WantedBy=default.target |
There was a problem hiding this comment.
This should not have a install section, only the timer should be enabled
There was a problem hiding this comment.
Thanks for the review. I just copied the existing podman-auto-update.service.in service which also has an Install section.
Removed in ed68145
I can imagine some users find it useful (I've ended up with something similar for my own use). My LGTM was about adding it, but not installing it by default which as you say can have some unexpected consequences. |
…section, only the timer should be installed Signed-off-by: Johannes Kastl <git@johannes-kastl.de>
johanneskastl
force-pushed
the
20250412_add_image_prune_service
branch
from
ed68145 to
99187d5
Compare
Good point. I can added a comment in the service file stating this problematic points. AFAIK there is no systemd mechanism to prevent one unit running while another one is running. Is there any special reason why
Supplying a service does not mean that all services should be enabled. If a distribution chooses to do so, it is up to their packagers to explain why. But not providing a service because one distribution does funny things makes it harder for all users on other distributions that do not enable services/timers by default (e.g. openSUSE, Fedora, etc.)
True, but this service would only make it easier for users to do that. I is not enabled by default and needs user action to be enabled. I just think it is a waste of time to have each user have to write their own service. Kind Regards, |
I mean there is After=/Before= but I am not sure how this plays together with the timers. IMO a comment in the service files solves nothing, like what normal user would look into a service files for such comment. Instead some online "guides" will tell users to turn on the service and then we get to deal with all the hard to debug bug reports where random images are deleted.
Because it will delete all unused user images! For an auto update that seem a rather unexpected side effect. It is really the same issue I have with this unit. Some parallel podman command could fail because of it and it the worse case we delete critical user data without their consent.
Sure I don't disagree on that part. I have also pushed debian to no enable all our services by default due other bugs so maybe that is no longer a concern. |
I get your point about user errors.
I need to read up on the fine details of In my case the auto-update service updated the images, but did not remove anything and my disk started filling up... I am not sure what the difference between a
Yes, but that is something the user needs to be aware of. And as this timer/service needs to be explicitly enabled by a user it is their responsibility? Of course the name and description can be adjusted to make it clear that ALL UNUSED IMAGES WILL BE DELETED or similar. But in the end it is the user's decision, isn't it? |
|
A friendly reminder that this PR had no activity for 30 days. |
dangling is a image without a name, i.e. where podman images shows
I am not sure where such description would be visible to regular users. I mean I am not strictly against such service per se but if the out of the box experience will cause conflicts/race conditions against the auto update service then I think this is a problem and not worth including. ps: this change currently doesn't do anything either since oyu must add the new file in the Makefile for it to be installed, see install.systemd target |
… files to install.systemd target
I think that is the main point, if the user does not read what is in the service description...
IMHO and take this with a grain of salt:
Having a
Thanks for the hint, I added what I hope might be enough (and I hope vim did not break the whitespace...) |
AFAIK that is not the case for type=oneshot units, https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html
I have not tested that but we rely on that for quadlet as well I think. |
Reason
I am running rootless podman and have the
podman-auto-updateservice and timer active. I found that while thepodman-auto-updateservice is containing apodman image prunecommand, it was not able to properly clean up the outdated images filling up the disk.Running image prune with
-asolved this without causing harm.I think having a system (or user) service for running this command would come in handy.
Side note:
Not sure if there should be a service for running
podman image prunewithout-afor people not using theauto-updateservice.Does this PR introduce a user-facing change?
This PR adds a systemd (system and user) service and timer for running
podman image prune -a.