357 lines
12 KiB
Go
357 lines
12 KiB
Go
package autoupdate
|
|
|
|
import (
|
|
"context"
|
|
"os"
|
|
"sort"
|
|
|
|
"github.com/containers/common/libimage"
|
|
"github.com/containers/common/pkg/config"
|
|
"github.com/containers/image/v5/docker"
|
|
"github.com/containers/image/v5/docker/reference"
|
|
"github.com/containers/image/v5/manifest"
|
|
"github.com/containers/image/v5/transports/alltransports"
|
|
"github.com/containers/podman/v3/libpod"
|
|
"github.com/containers/podman/v3/libpod/define"
|
|
"github.com/containers/podman/v3/pkg/systemd"
|
|
systemdDefine "github.com/containers/podman/v3/pkg/systemd/define"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// Label denotes the container/pod label key to specify auto-update policies in
|
|
// container labels.
|
|
const Label = "io.containers.autoupdate"
|
|
|
|
// Label denotes the container label key to specify authfile in
|
|
// container labels.
|
|
const AuthfileLabel = "io.containers.autoupdate.authfile"
|
|
|
|
// Policy represents an auto-update policy.
|
|
type Policy string
|
|
|
|
const (
|
|
// PolicyDefault is the default policy denoting no auto updates.
|
|
PolicyDefault Policy = "disabled"
|
|
// PolicyRegistryImage is the policy to update as soon as there's a new image found.
|
|
PolicyRegistryImage = "registry"
|
|
// PolicyLocalImage is the policy to run auto-update based on a local image
|
|
PolicyLocalImage = "local"
|
|
)
|
|
|
|
// Map for easy lookups of supported policies.
|
|
var supportedPolicies = map[string]Policy{
|
|
"": PolicyDefault,
|
|
"disabled": PolicyDefault,
|
|
"image": PolicyRegistryImage,
|
|
"registry": PolicyRegistryImage,
|
|
"local": PolicyLocalImage,
|
|
}
|
|
|
|
// policyMapper is used for tying a container to it's autoupdate policy
|
|
type policyMapper map[Policy][]*libpod.Container
|
|
|
|
// LookupPolicy looks up the corresponding Policy for the specified
|
|
// string. If none is found, an errors is returned including the list of
|
|
// supported policies.
|
|
//
|
|
// Note that an empty string resolved to PolicyDefault.
|
|
func LookupPolicy(s string) (Policy, error) {
|
|
policy, exists := supportedPolicies[s]
|
|
if exists {
|
|
return policy, nil
|
|
}
|
|
|
|
// Sort the keys first as maps are non-deterministic.
|
|
keys := []string{}
|
|
for k := range supportedPolicies {
|
|
if k != "" {
|
|
keys = append(keys, k)
|
|
}
|
|
}
|
|
sort.Strings(keys)
|
|
|
|
return "", errors.Errorf("invalid auto-update policy %q: valid policies are %+q", s, keys)
|
|
}
|
|
|
|
// Options include parameters for auto updates.
|
|
type Options struct {
|
|
// Authfile to use when contacting registries.
|
|
Authfile string
|
|
}
|
|
|
|
// ValidateImageReference checks if the specified imageName is a fully-qualified
|
|
// image reference to the docker transport (without digest). Such a reference
|
|
// includes a domain, name and tag (e.g., quay.io/podman/stable:latest). The
|
|
// reference may also be prefixed with "docker://" explicitly indicating that
|
|
// it's a reference to the docker transport.
|
|
func ValidateImageReference(imageName string) error {
|
|
// Make sure the input image is a docker.
|
|
imageRef, err := alltransports.ParseImageName(imageName)
|
|
if err == nil && imageRef.Transport().Name() != docker.Transport.Name() {
|
|
return errors.Errorf("auto updates require the docker image transport but image is of transport %q", imageRef.Transport().Name())
|
|
} else if err != nil {
|
|
repo, err := reference.Parse(imageName)
|
|
if err != nil {
|
|
return errors.Wrap(err, "error enforcing fully-qualified docker transport reference for auto updates")
|
|
}
|
|
if _, ok := repo.(reference.NamedTagged); !ok {
|
|
return errors.Errorf("auto updates require fully-qualified image references (no tag): %q", imageName)
|
|
}
|
|
if _, ok := repo.(reference.Digested); ok {
|
|
return errors.Errorf("auto updates require fully-qualified image references without digest: %q", imageName)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// AutoUpdate looks up containers with a specified auto-update policy and acts
|
|
// accordingly.
|
|
//
|
|
// If the policy is set to PolicyRegistryImage, it checks if the image
|
|
// on the remote registry is different than the local one. If the image digests
|
|
// differ, it pulls the remote image and restarts the systemd unit running the
|
|
// container.
|
|
//
|
|
// If the policy is set to PolicyLocalImage, it checks if the image
|
|
// of a running container is different than the local one. If the image digests
|
|
// differ, it restarts the systemd unit with the new image.
|
|
//
|
|
// It returns a slice of successfully restarted systemd units and a slice of
|
|
// errors encountered during auto update.
|
|
func AutoUpdate(runtime *libpod.Runtime, options Options) ([]string, []error) {
|
|
// Create a map from `image ID -> []*Container`.
|
|
containerMap, errs := imageContainersMap(runtime)
|
|
if len(containerMap) == 0 {
|
|
return nil, errs
|
|
}
|
|
|
|
// Create a map from `image ID -> *libimage.Image` for image lookups.
|
|
listOptions := &libimage.ListImagesOptions{
|
|
Filters: []string{"readonly=false"},
|
|
}
|
|
imagesSlice, err := runtime.LibimageRuntime().ListImages(context.Background(), nil, listOptions)
|
|
if err != nil {
|
|
return nil, []error{err}
|
|
}
|
|
imageMap := make(map[string]*libimage.Image)
|
|
for i := range imagesSlice {
|
|
imageMap[imagesSlice[i].ID()] = imagesSlice[i]
|
|
}
|
|
|
|
// Connect to DBUS.
|
|
conn, err := systemd.ConnectToDBUS()
|
|
if err != nil {
|
|
logrus.Errorf(err.Error())
|
|
return nil, []error{err}
|
|
}
|
|
defer conn.Close()
|
|
|
|
// Update images.
|
|
containersToRestart := []*libpod.Container{}
|
|
updatedRawImages := make(map[string]bool)
|
|
for imageID, policyMapper := range containerMap {
|
|
image, exists := imageMap[imageID]
|
|
if !exists {
|
|
errs = append(errs, errors.Errorf("container image ID %q not found in local storage", imageID))
|
|
return nil, errs
|
|
}
|
|
// Now we have to check if the image of any containers must be updated.
|
|
// Note that the image ID is NOT enough for this check as a given image
|
|
// may have multiple tags.
|
|
for _, registryCtr := range policyMapper[PolicyRegistryImage] {
|
|
cid := registryCtr.ID()
|
|
rawImageName := registryCtr.RawImageName()
|
|
if rawImageName == "" {
|
|
errs = append(errs, errors.Errorf("error registry auto-updating container %q: raw-image name is empty", cid))
|
|
}
|
|
readAuthenticationPath(registryCtr, options)
|
|
needsUpdate, err := newerRemoteImageAvailable(runtime, image, rawImageName, options)
|
|
if err != nil {
|
|
errs = append(errs, errors.Wrapf(err, "error registry auto-updating container %q: image check for %q failed", cid, rawImageName))
|
|
continue
|
|
}
|
|
|
|
if needsUpdate {
|
|
logrus.Infof("Auto-updating container %q using registry image %q", cid, rawImageName)
|
|
if _, updated := updatedRawImages[rawImageName]; !updated {
|
|
_, err = updateImage(runtime, rawImageName, options)
|
|
if err != nil {
|
|
errs = append(errs, errors.Wrapf(err, "error registry auto-updating container %q: image update for %q failed", cid, rawImageName))
|
|
continue
|
|
}
|
|
updatedRawImages[rawImageName] = true
|
|
}
|
|
containersToRestart = append(containersToRestart, registryCtr)
|
|
}
|
|
}
|
|
|
|
for _, localCtr := range policyMapper[PolicyLocalImage] {
|
|
cid := localCtr.ID()
|
|
rawImageName := localCtr.RawImageName()
|
|
if rawImageName == "" {
|
|
errs = append(errs, errors.Errorf("error locally auto-updating container %q: raw-image name is empty", cid))
|
|
}
|
|
// This avoids restarting containers unnecessarily.
|
|
needsUpdate, err := newerLocalImageAvailable(runtime, image, rawImageName)
|
|
if err != nil {
|
|
errs = append(errs, errors.Wrapf(err, "error locally auto-updating container %q: image check for %q failed", cid, rawImageName))
|
|
continue
|
|
}
|
|
|
|
if needsUpdate {
|
|
logrus.Infof("Auto-updating container %q using local image %q", cid, rawImageName)
|
|
containersToRestart = append(containersToRestart, localCtr)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Restart containers.
|
|
updatedUnits := []string{}
|
|
for _, ctr := range containersToRestart {
|
|
labels := ctr.Labels()
|
|
unit, exists := labels[systemdDefine.EnvVariable]
|
|
if !exists {
|
|
// Shouldn't happen but let's be sure of it.
|
|
errs = append(errs, errors.Errorf("error auto-updating container %q: no %s label found", ctr.ID(), systemdDefine.EnvVariable))
|
|
continue
|
|
}
|
|
_, err := conn.RestartUnit(unit, "replace", nil)
|
|
if err != nil {
|
|
errs = append(errs, errors.Wrapf(err, "error auto-updating container %q: restarting systemd unit %q failed", ctr.ID(), unit))
|
|
continue
|
|
}
|
|
logrus.Infof("Successfully restarted systemd unit %q", unit)
|
|
updatedUnits = append(updatedUnits, unit)
|
|
}
|
|
|
|
return updatedUnits, errs
|
|
}
|
|
|
|
// imageContainersMap generates a map[image ID] -> [containers using the image]
|
|
// of all containers with a valid auto-update policy.
|
|
func imageContainersMap(runtime *libpod.Runtime) (map[string]policyMapper, []error) {
|
|
allContainers, err := runtime.GetAllContainers()
|
|
if err != nil {
|
|
return nil, []error{err}
|
|
}
|
|
|
|
errors := []error{}
|
|
containerMap := make(map[string]policyMapper)
|
|
for _, ctr := range allContainers {
|
|
state, err := ctr.State()
|
|
if err != nil {
|
|
errors = append(errors, err)
|
|
continue
|
|
}
|
|
// Only update running containers.
|
|
if state != define.ContainerStateRunning {
|
|
continue
|
|
}
|
|
|
|
// Only update containers with the specific label/policy set.
|
|
labels := ctr.Labels()
|
|
value, exists := labels[Label]
|
|
if !exists {
|
|
continue
|
|
}
|
|
|
|
policy, err := LookupPolicy(value)
|
|
if err != nil {
|
|
errors = append(errors, err)
|
|
continue
|
|
}
|
|
|
|
// Skip labels not related to autoupdate
|
|
if policy == PolicyDefault {
|
|
continue
|
|
} else {
|
|
id, _ := ctr.Image()
|
|
policyMap, exists := containerMap[id]
|
|
if !exists {
|
|
policyMap = make(map[Policy][]*libpod.Container)
|
|
}
|
|
policyMap[policy] = append(policyMap[policy], ctr)
|
|
containerMap[id] = policyMap
|
|
// Now we know that `ctr` is configured for auto updates.
|
|
}
|
|
}
|
|
|
|
return containerMap, errors
|
|
}
|
|
|
|
// readAuthenticationPath reads a container's labels and reads authentication path into options
|
|
func readAuthenticationPath(ctr *libpod.Container, options Options) {
|
|
labels := ctr.Labels()
|
|
authFilePath, exists := labels[AuthfileLabel]
|
|
if exists {
|
|
options.Authfile = authFilePath
|
|
}
|
|
}
|
|
|
|
// newerRemoteImageAvailable returns true if there corresponding image on the remote
|
|
// registry is newer.
|
|
func newerRemoteImageAvailable(runtime *libpod.Runtime, img *libimage.Image, origName string, options Options) (bool, error) {
|
|
remoteRef, err := docker.ParseReference("//" + origName)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
data, err := img.Inspect(context.Background(), false)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
sys := runtime.SystemContext()
|
|
sys.AuthFilePath = options.Authfile
|
|
|
|
// We need to account for the arch that the image uses. It seems
|
|
// common on ARM to tweak this option to pull the correct image. See
|
|
// github.com/containers/podman/issues/6613.
|
|
sys.ArchitectureChoice = data.Architecture
|
|
|
|
remoteImg, err := remoteRef.NewImage(context.Background(), sys)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
rawManifest, _, err := remoteImg.Manifest(context.Background())
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
remoteDigest, err := manifest.Digest(rawManifest)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return img.Digest().String() != remoteDigest.String(), nil
|
|
}
|
|
|
|
// newerLocalImageAvailable returns true if the container and local image have different digests
|
|
func newerLocalImageAvailable(runtime *libpod.Runtime, img *libimage.Image, rawImageName string) (bool, error) {
|
|
localImg, _, err := runtime.LibimageRuntime().LookupImage(rawImageName, nil)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
localDigest := localImg.Digest().String()
|
|
|
|
ctrDigest := img.Digest().String()
|
|
|
|
return localDigest != ctrDigest, nil
|
|
}
|
|
|
|
// updateImage pulls the specified image.
|
|
func updateImage(runtime *libpod.Runtime, name string, options Options) (*libimage.Image, error) {
|
|
pullOptions := &libimage.PullOptions{}
|
|
pullOptions.AuthFilePath = options.Authfile
|
|
pullOptions.Writer = os.Stderr
|
|
|
|
pulledImages, err := runtime.LibimageRuntime().Pull(context.Background(), name, config.PullPolicyAlways, pullOptions)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return pulledImages[0], nil
|
|
}
|