{"id":482321,"date":"2022-08-08T11:04:16","date_gmt":"2022-08-08T08:04:16","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-enable-podmans-automatic-container-updates\/"},"modified":"2022-08-08T11:04:16","modified_gmt":"2022-08-08T08:04:16","slug":"how-to-enable-podmans-automatic-container-updates","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-enable-podmans-automatic-container-updates\/","title":{"rendered":"#How to Enable Podman\u2019s Automatic Container Updates"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CHow_to_Enable_Podmans_Automatic_Container_Updates%E2%80%9D\"><\/span>&#8220;How to Enable Podman\u2019s Automatic Container Updates&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-807708\" data-pagespeed-no-defer=\"\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/05\/Podman.jpeg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Graphic showing the Podman logo\" width=\"1602\" height=\"902\"\/><\/p>\n<p>Podman is an OCI-compliant containerization platform that\u2019s often used instead of Docker. Its daemonless model and extensive featureset make it a good contender for use in development and production alike.<\/p>\n<p>In this article we\u2019ll show how to use Podman\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.podman.io\/en\/latest\/markdown\/podman-auto-update.1.html\">auto-update system<\/a> to restart your containers when new images are released. Podman can be configured to periodically check for updates, pull the latest image, and recreate affected containers using their current settings.<\/p>\n<h2 id=\"why-auto-update-containers\"><span class=\"ez-toc-section\" id=\"Why_Auto-Update_Containers\"><\/span>Why Auto-Update Containers?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Containers are often short-lived but they still need to be regularly maintained. 
A critical vulnerability inside an image could give attackers a foothold into your application that\u2019s exploited within hours of its discovery.<\/p>\n<p>Most popular container technologies require you to manually update your containers. This places a burden on operations teams to subscribe to release announcements and create tooling that rolls out new changes.<\/p>\n<p>Podman\u2019s built-in container update system addresses this challenge and keeps workloads fresh. Containers can be promptly updated after you push new image versions, providing peace of mind that your deployments are running the latest patches and bug fixes.<\/p>\n<h2 id=\"enabling-auto-updates\"><span class=\"ez-toc-section\" id=\"Enabling_Auto-Updates\"><\/span>Enabling Auto-Updates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Auto-updates are activated for a container by setting the <code>io.containers.autoupdate<\/code> label when you create it.<\/p>\n<pre>$ podman run -d -p 8080:80 \\\n    --name nginx-container \\\n    --label io.containers.autoupdate=registry \\\n    docker.io\/library\/nginx:latest<\/pre>\n<p>The label can have two possible values:<\/p>\n<ul>\n<li><strong><code>registry<\/code><\/strong> \u2013 During update checks, Podman will contact the image registry to check whether the tag used by your container has a new version available. The image will be pulled and your container restarted when this is the case. 
Registry updates only work when you\u2019re using a fully qualified image reference \u2013 the <code>docker.io\/library\/nginx:latest<\/code> reference shown above is intentional, as <code>nginx:latest<\/code> is too vague.<\/li>\n<li><strong><code>local<\/code><\/strong> \u2013 This update method restricts Podman to looking at container images that already exist on your host\u2019s filesystem. The container will be restarted if the local version of the image tag differs from the version that the container\u2019s running. This can be useful when rebuilding images during development.<\/li>\n<\/ul>\n<p>The presence of the label makes this sample NGINX container eligible for auto-updates. However, more work is required before updates can actually be applied.<\/p>\n<h2 id=\"creating-a-systemd-service\"><span class=\"ez-toc-section\" id=\"Creating_a_Systemd_Service\"><\/span>Creating a Systemd Service<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Podman\u2019s update mechanism requires your containers to run inside <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.freedesktop.org\/wiki\/Software\/systemd\">systemd<\/a> services. Because Podman is daemonless, it lacks a central controller that can start and stop your containers. 
Wrapping them in a systemd service provides lifecycle management capabilities and the option of restarts in response to specific events.<\/p>\n<p>Podman\u2019s CLI includes a command that creates a systemd unit definition from a container:<\/p>\n<pre>$ podman generate systemd --new --name nginx-container &gt; \/etc\/systemd\/system\/nginx-container.service<\/pre>\n<p>The commands above create a new NGINX container with a systemd service in the correct location. The <code>--new<\/code> flag makes the unit create a fresh container each time it starts, which is what lets an auto-update run the newly pulled image.<\/p>\n<p>Next reload systemd to register the service definition, then enable and start the service:<\/p>\n<pre>$ systemctl daemon-reload\n$ systemctl enable nginx-container.service\n$ systemctl start nginx-container.service<\/pre>\n<p>Your NGINX container is now a systemd service which will start automatically when your host boots. You can use <code>systemctl<\/code> commands to start and stop the container, instead of Podman\u2019s CLI:<\/p>\n<pre>$ systemctl start nginx-container.service\n$ systemctl stop nginx-container.service<\/pre>\n<p>To remove the container in the future, you should stop and disable the service, then delete its unit file. Reload systemd afterwards to fully apply the change.<\/p>\n<pre>$ systemctl stop nginx-container.service\n$ systemctl disable nginx-container.service\n$ rm \/etc\/systemd\/system\/nginx-container.service\n$ systemctl daemon-reload<\/pre>\n<h2 id=\"performing-an-update\"><span class=\"ez-toc-section\" id=\"Performing_an_Update\"><\/span>Performing an Update<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now everything\u2019s set up to successfully auto-update your NGINX container. 
You can run an update check on-demand using Podman\u2019s <code>auto-update<\/code> command:<\/p>\n<pre>$ podman auto-update\nTrying to pull docker.io\/library\/nginx:latest...\nGetting image source signatures\n...\nUNIT                     CONTAINER      IMAGE                               POLICY      UPDATED\nnginx-container.service  2de4ba96b09    docker.io\/library\/nginx:latest      registry    true<\/pre>\n<p>This updates the containers within systemd services that are accessible to the user running the command. You may have needed to use <code>sudo<\/code> to follow the example above; if so, run the <code>auto-update<\/code> command as root too:<\/p>\n<pre>$ sudo podman auto-update<\/pre>\n<p>The <code>registry<\/code> update strategy was used in this example so Podman connects to the image registry, checks for changes, and then pulls the new image if applicable. The command\u2019s output indicates whether each service\u2019s container has been updated.<\/p>\n<p>Because containers are managed by systemd, Podman\u2019s able to detect whether the new container\u2019s started successfully. Podman will automatically roll back to the previous version of an image if an update failure is detected. For this to work reliably the application inside the container <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.podman.io\/en\/latest\/markdown\/podman-auto-update.1.html#rollback\">should notify systemd<\/a> when it\u2019s started successfully. 
It can do this by running <code>systemd-notify --ready<\/code>.<\/p>\n<h3 id=\"checking-for-updates\"><span class=\"ez-toc-section\" id=\"Checking_for_Updates\"><\/span>Checking for Updates<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Sometimes you might need to check whether your container fleet has updates available without immediately applying them. Use the <code>auto-update<\/code> command with the <code>--dry-run<\/code> flag to get a list of services where an updated image has been published:<\/p>\n<pre>$ podman auto-update --dry-run\n...\nUNIT                     CONTAINER      IMAGE                               POLICY      UPDATED\nnginx-container.service  2de4ba96b09    docker.io\/library\/nginx:latest      registry    pending<\/pre>\n<p>Services shown as <code>pending<\/code> have an update available.<\/p>\n<h2 id=\"applying-updates-on-a-schedule\"><span class=\"ez-toc-section\" id=\"Applying_Updates_on_a_Schedule\"><\/span>Applying Updates on a Schedule<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now we\u2019ve successfully set up on-demand container updates. You don\u2019t need to manually pull new images or restart your containers. The final step is setting up a schedule so Podman applies updates periodically, without you running the <code>auto-update<\/code> command.<\/p>\n<p>Most Podman distributions include a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/containers\/podman\/tree\/main\/contrib\/systemd\/auto-update\">systemd timer<\/a> for this purpose. You can activate the timer using <code>systemctl<\/code>:<\/p>\n<pre>$ systemctl enable podman-auto-update.timer<\/pre>\n<p>The timer\u2019s configured to check for updates every day. 
You can customize the schedule by opening the timer file using <code>systemctl edit<\/code> and changing the value of the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.freedesktop.org\/software\/systemd\/man\/systemd.timer.html\"><code>OnCalendar<\/code> field<\/a>:<\/p>\n<pre>$ systemctl edit podman-auto-update.timer\n\n[Timer]\nOnCalendar=\nOnCalendar=Fri *-*-* 18:00<\/pre>\n<p>The time expression shown above will run the update check every Friday at 6pm; the empty <code>OnCalendar=<\/code> line clears the packaged daily schedule first, because a drop-in otherwise adds to it. The syntax is documented <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.freedesktop.org\/software\/systemd\/man\/systemd.time.html\">within systemd\u2019s manual<\/a>.<\/p>\n<p>Now the timer\u2019s enabled, you can start deploying your containers with the <code>io.containers.autoupdate<\/code> label. They\u2019ll be updated and restarted periodically, automating your maintenance procedures.<\/p>\n<p>You don\u2019t have to use Podman\u2019s systemd timer to create an update schedule. You could run <code>podman auto-update<\/code> inside your existing tooling or another job scheduler such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/linux.die.net\/man\/8\/crond\"><code>cron<\/code><\/a>.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Podman\u2019s auto-updates let you move containers to new image versions without manually restarting them or using external tools. This can help you maintain your container fleet as images release bug fixes and security patches.<\/p>\n<p>While automatic updates are a useful tool, they shouldn\u2019t be used without due consideration. Allowing automatic updates can introduce its own issues if a broken image is accidentally released. 
Containers that restart by themselves could also cause downtime or disrupt dependent services.<\/p>\n<p>Consequently you should assess your own application\u2019s suitability before implementing this solution. One intermediate approach is to run <code>auto-update --dry-run<\/code> periodically and send the results to a monitoring service. This keeps you informed of available updates without incurring the risks of applying them without approval.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/devops\/how-to-enable-podmans-automatic-container-updates\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;How to Enable Podman\u2019s Automatic Container Updates&#8221; Podman is an OCI-compliant containerization platform that\u2019s often used instead of Docker. Its daemonless model and extensive featureset makes it a good contender for use in development and production alike. 
In this article we\u2019ll show how to use Podman\u2019s auto-update system to restart your containers when new images&#8230;<\/p>\n","protected":false},"author":1,"featured_media":482322,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/05\/Podman.jpeg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-482321","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/482321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=482321"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/482321\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/482322"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=482321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=482321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=482321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}