NAME¶ 名称
podman-auto-update - Auto update containers according to their auto-update policy
podman-auto-update - 根据其自动更新策略自动更新容器
SYNOPSIS¶ 概要
podman auto-update [options]
podman auto-update [选项]
DESCRIPTION¶ 描述
podman auto-update pulls down new container images and restarts containers configured for auto updates.
To make use of auto updates, the container or Kubernetes workloads must run inside a systemd unit.
After a successful update of an image, the containers using the image get updated by restarting the systemd units they run in.
Please refer to quadlet(5) on how to run Podman under systemd.
podman auto-update 下载新的容器镜像并重新启动配置为自动更新的容器。要使用自动更新,容器或 Kubernetes 工作负载必须在 systemd 单元内运行。成功更新镜像后,使用该镜像的容器通过重新启动它们运行的 systemd 单元来进行更新。请参考 quadlet(5) 了解如何在 systemd 下运行 Podman。
To configure a container for auto updates, it must be created with the io.containers.autoupdate label or the AutoUpdate field in quadlet(5) with one of the following two values:
要为自动更新配置容器,必须使用 io.containers.autoupdate 标签或 AutoUpdate 字段在 quadlet(5) 中创建容器,并设置以下两个值之一:
registry: If the label is present and set toregistry, Podman reaches out to the corresponding registry to check if the image has been updated. The labelimageis an alternative toregistrymaintained for backwards compatibility. An image is considered updated if the digest in the local storage is different than the one of the remote image. If an image must be updated, Podman pulls it down and restarts the systemd unit executing the container. The registry policy requires a fully-qualified image reference (e.g., quay.io/podman/stable:latest) to be used to create the container. This enforcement is necessary to know which image to actually check and pull. If an image ID was used, Podman would not know which image to check/pull anymore.
registry:如果标签存在且设置为registry,Podman 将访问相应的注册表以检查图像是否已更新。标签image是为了向后兼容而维护的registry的替代方案。如果本地存储中的摘要与远程图像的摘要不同,则认为图像已更新。如果必须更新图像,Podman 将其拉取下来并重新启动执行容器的 systemd 单元。注册表策略要求使用完全合格的图像引用(例如,quay.io/podman/stable:latest)来创建容器。这种强制执行是必要的,以便知道实际要检查和拉取哪个图像。如果使用图像 ID,Podman 将不再知道要检查/拉取哪个图像。local: If the autoupdate label is set tolocal, Podman compares the image digest of the container to the one in the local container storage. If they differ, the local image is considered to be newer and the systemd unit gets restarted.
local:如果自动更新标签设置为local,Podman 将比较容器的图像摘要与本地容器存储中的摘要。如果它们不同,则认为本地图像更新,系统单元将被重新启动。
Auto Updates and Kubernetes YAML¶
自动更新和 Kubernetes YAML ¶
Podman supports auto updates for Kubernetes workloads. The auto-update policy can be configured directly via quadlet(5) or inside the Kubernetes YAML with the Podman-specific annotations mentioned below:
Podman 支持 Kubernetes 工作负载的自动更新。可以通过 quadlet(5) 直接配置自动更新策略,或者在 Kubernetes YAML 中使用下面提到的 Podman 特定注释进行配置:
io.containers.autoupdate: “registry|local” to apply the auto-update policy to all containers
io.containers.autoupdate: “registry|local” 以将自动更新策略应用于所有容器io.containers.autoupdate/$container: “registry|local” to apply the auto-update policy to$containeronly
io.containers.autoupdate/$container: 将“registry|local”应用于仅适用于$container的自动更新策略io.containers.sdnotify: “conmon|container” to apply the sdnotify policy to all containers
io.containers.sdnotify: 将“conmon|container”应用于所有容器的 sdnotify 策略io.containers.sdnotify/$container: “conmon|container” to apply the sdnotify policy to$containeronly
io.containers.sdnotify/$container: 将“conmon|container”应用于仅适用于$container的 sdnotify 策略
By default, the autoupdate policy is set to “disabled”, the sdnotify policy is set to “conmon”.
默认情况下,自动更新策略设置为“禁用”,sdnotify 策略设置为“conmon”。
Systemd Unit and Timer¶
Systemd 单元和定时器
Podman ships with a podman-auto-update.service systemd unit. This unit is triggered daily at midnight by the podman-auto-update.timer systemd timer.
The timer can be altered for custom time-based updates if desired.
The unit can further be invoked by other systemd units (e.g., via the dependency tree) or manually via systemctl start podman-auto-update.service.
Podman 随附一个 podman-auto-update.service systemd 单元。该单元每天午夜由 podman-auto-update.timer systemd 定时器触发。如果需要,可以修改定时器以进行基于自定义时间的更新。该单元还可以被其他 systemd 单元调用(例如,通过依赖树)或通过 systemctl start podman-auto-update.service 手动调用。
OPTIONS¶ 选项
--authfile=path¶
Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and $HOME/.config/containers/auth.json on Windows/macOS.
The file is created by podman login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.
认证文件的路径。在 Linux 上默认为 ${XDG_RUNTIME_DIR}/containers/auth.json ,在 Windows/macOS 上默认为 $HOME/.config/containers/auth.json 。该文件由 podman login 创建。如果授权状态未在那里找到,则会检查 $HOME/.docker/config.json ,该值是使用 docker login 设置的。
Note: There is also the option to override the default path of the authentication file by setting the REGISTRY_AUTH_FILE environment variable. This can be done with export REGISTRY_AUTH_FILE=path.
注意:还有一种选择,可以通过设置 REGISTRY_AUTH_FILE 环境变量来覆盖认证文件的默认路径。可以通过 export REGISTRY_AUTH_FILE=path 来实现。
Alternatively, the io.containers.autoupdate.authfile container label can be configured. In that case, Podman will use the specified label’s value instead.
或者,可以配置 io.containers.autoupdate.authfile 容器标签。在这种情况下,Podman 将使用指定标签的值。
--dry-run¶
Check for the availability of new images but do not perform any pull operation or restart any service or container.
The UPDATED field indicates the availability of a new image with “pending”.
检查新镜像的可用性,但不执行任何拉取操作或重新启动任何服务或容器。 UPDATED 字段指示具有“挂起”状态的新镜像的可用性。
--format=format¶
Change the default output format. This can be of a supported type like ‘json’ or a Go template.
Valid placeholders for the Go template are listed below:
更改默认输出格式。这可以是支持的类型,如'json'或 Go 模板。Go 模板的有效占位符如下所示:
Placeholder |
Description |
|---|---|
.Container |
ID and name of the container |
.ContainerID |
ID of the container 容器的 ID |
.ContainerName |
Name of the container 容器的名称 |
.Image |
Name of the image 镜像的名称 |
.Policy |
Auto-update policy of the container |
.Unit |
Name of the systemd unit |
.Updated |
Update status: true,false,failed |
--rollback¶ --回滚 ¶
If restarting a systemd unit after updating the image has failed, rollback to using the previous image and restart the unit another time. Default is true.
如果在更新镜像后重新启动 systemd 单元失败,则回滚到使用先前的镜像,并在另一个时间重新启动该单元。默认值为 true。
Note that detecting if a systemd unit has failed is best done by the container sending the READY message via SDNOTIFY.
This way, restarting the unit waits until having received the message or a timeout kicked in.
Without that, restarting the systemd unit may succeed even if the container has failed shortly after.
请注意,最好由容器通过 SDNOTIFY 发送 READY 消息来检测 systemd 单元是否失败。这样,重新启动该单元会等到收到消息或超时启动。如果没有这样做,即使容器在短时间内失败,重新启动 systemd 单元也可能成功。
For a container to send the READY message via SDNOTIFY it must be created with the --sdnotify=container option (see podman-run(1)).
The application running inside the container can then execute systemd-notify --ready when ready or use the sdnotify bindings of the specific programming language (e.g., sd_notify(3)).
要使容器通过 SDNOTIFY 发送 READY 消息,必须使用 --sdnotify=container 选项创建容器(参见 podman-run(1))。然后容器内运行的应用程序可以在准备就绪时执行 systemd-notify --ready 或使用特定编程语言的 sdnotify 绑定(例如,sd_notify(3))。
--tls-verify¶
Require HTTPS and verify certificates when contacting registries (default: true).
If explicitly set to true, TLS verification is used.
If set to false, TLS verification is not used.
If not specified, TLS verification is used unless the target registry
is listed as an insecure registry in containers-registries.conf(5)
在联系注册表时需要 HTTPS 并验证证书(默认值为 true)。如果显式设置为 true,则使用 TLS 验证。如果设置为 false,则不使用 TLS 验证。如果未指定,则除非目标注册表在 containers-registries.conf(5) 中被列为不安全注册表,否则将使用 TLS 验证。
EXAMPLES¶ 示例
Create a Quadlet file configured for auto updates:
创建一个配置为自动更新的 Quadlet 文件:
$ cat ~/.config/containers/systemd/sleep.container
[Container]
Image=registry.fedoraproject.org/fedora:latest
Exec=sleep infinity
AutoUpdate=registry
Generate a systemd service from the Quadlet file by reloading the systemd user daemon:
从 Quadlet 文件生成一个 systemd 服务,通过重新加载 systemd 用户守护程序:
$ systemctl --user daemon-reload
Start the systemd service and make sure the container is running
启动 systemd 服务,并确保容器正在运行
$ systemctl --user start sleep.service
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f8e4759798d4 registry.fedoraproject.org/fedora:latest sleep infinity 2 seconds ago Up 2 seconds systemd-sleep
Check if a new image is available via --dry-run:
检查是否有新的图像可通过 --dry-run 获取:
$ podman auto-update --dry-run --format "{{.Image}} {{.Updated}}"
registry.fedoraproject.org/fedora:latest pending
Update the service: 更新服务:
$ podman auto-update
UNIT CONTAINER IMAGE POLICY UPDATED
sleep.service f8e4759798d4 (systemd-sleep) registry.fedoraproject.org/fedora:latest registry true
SEE ALSO¶ 参见 ¶
podman(1), podman-generate-systemd(1), podman-run(1), podman-systemd.unit(5), sd_notify(3), systemd.unit(5)