mirror of
				https://github.com/containers/podman.git
				synced 2025-10-25 02:04:43 +08:00 
			
		
		
		
	 5098124570
			
		
	
	5098124570
	
	
	
		
			
			Finalizes the linked BZ to fix passing down custom authfiles during auto updates. Also fixes the if-newer pull policy. [NO TESTS NEEDED] for now validated manually. There's a TODO to add a new system test that I did not find time for before PTO. BZ: bugzilla.redhat.com/show_bug.cgi?id=2000943 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
		
			
				
	
	
		
			432 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			432 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| package autoupdate
 | |
| 
 | |
| import (
 | |
| 	"context"
 | |
| 	"os"
 | |
| 	"sort"
 | |
| 
 | |
| 	"github.com/containers/common/libimage"
 | |
| 	"github.com/containers/common/pkg/config"
 | |
| 	"github.com/containers/image/v5/docker"
 | |
| 	"github.com/containers/image/v5/docker/reference"
 | |
| 	"github.com/containers/image/v5/transports/alltransports"
 | |
| 	"github.com/containers/podman/v3/libpod"
 | |
| 	"github.com/containers/podman/v3/libpod/define"
 | |
| 	"github.com/containers/podman/v3/pkg/domain/entities"
 | |
| 	"github.com/containers/podman/v3/pkg/systemd"
 | |
| 	systemdDefine "github.com/containers/podman/v3/pkg/systemd/define"
 | |
| 	"github.com/coreos/go-systemd/v22/dbus"
 | |
| 	"github.com/pkg/errors"
 | |
| 	"github.com/sirupsen/logrus"
 | |
| )
 | |
| 
 | |
| // Label denotes the container/pod label key to specify auto-update policies in
 | |
| // container labels.
 | |
| const Label = "io.containers.autoupdate"
 | |
| 
 | |
| // Label denotes the container label key to specify authfile in
 | |
| // container labels.
 | |
| const AuthfileLabel = "io.containers.autoupdate.authfile"
 | |
| 
 | |
| // Policy represents an auto-update policy.
 | |
| type Policy string
 | |
| 
 | |
| const (
 | |
| 	// PolicyDefault is the default policy denoting no auto updates.
 | |
| 	PolicyDefault Policy = "disabled"
 | |
| 	// PolicyRegistryImage is the policy to update as soon as there's a new image found.
 | |
| 	PolicyRegistryImage = "registry"
 | |
| 	// PolicyLocalImage is the policy to run auto-update based on a local image
 | |
| 	PolicyLocalImage = "local"
 | |
| )
 | |
| 
 | |
| // Map for easy lookups of supported policies.
 | |
| var supportedPolicies = map[string]Policy{
 | |
| 	"":         PolicyDefault,
 | |
| 	"disabled": PolicyDefault,
 | |
| 	"image":    PolicyRegistryImage,
 | |
| 	"registry": PolicyRegistryImage,
 | |
| 	"local":    PolicyLocalImage,
 | |
| }
 | |
| 
 | |
| // policyMapper is used for tying a container to it's autoupdate policy
 | |
| type policyMapper map[Policy][]*libpod.Container
 | |
| 
 | |
| // LookupPolicy looks up the corresponding Policy for the specified
 | |
| // string. If none is found, an errors is returned including the list of
 | |
| // supported policies.
 | |
| //
 | |
| // Note that an empty string resolved to PolicyDefault.
 | |
| func LookupPolicy(s string) (Policy, error) {
 | |
| 	policy, exists := supportedPolicies[s]
 | |
| 	if exists {
 | |
| 		return policy, nil
 | |
| 	}
 | |
| 
 | |
| 	// Sort the keys first as maps are non-deterministic.
 | |
| 	keys := []string{}
 | |
| 	for k := range supportedPolicies {
 | |
| 		if k != "" {
 | |
| 			keys = append(keys, k)
 | |
| 		}
 | |
| 	}
 | |
| 	sort.Strings(keys)
 | |
| 
 | |
| 	return "", errors.Errorf("invalid auto-update policy %q: valid policies are %+q", s, keys)
 | |
| }
 | |
| 
 | |
| // ValidateImageReference checks if the specified imageName is a fully-qualified
 | |
| // image reference to the docker transport (without digest).  Such a reference
 | |
| // includes a domain, name and tag (e.g., quay.io/podman/stable:latest).  The
 | |
| // reference may also be prefixed with "docker://" explicitly indicating that
 | |
| // it's a reference to the docker transport.
 | |
| func ValidateImageReference(imageName string) error {
 | |
| 	// Make sure the input image is a docker.
 | |
| 	imageRef, err := alltransports.ParseImageName(imageName)
 | |
| 	if err == nil && imageRef.Transport().Name() != docker.Transport.Name() {
 | |
| 		return errors.Errorf("auto updates require the docker image transport but image is of transport %q", imageRef.Transport().Name())
 | |
| 	} else if err != nil {
 | |
| 		repo, err := reference.Parse(imageName)
 | |
| 		if err != nil {
 | |
| 			return errors.Wrap(err, "enforcing fully-qualified docker transport reference for auto updates")
 | |
| 		}
 | |
| 		if _, ok := repo.(reference.NamedTagged); !ok {
 | |
| 			return errors.Errorf("auto updates require fully-qualified image references (no tag): %q", imageName)
 | |
| 		}
 | |
| 		if _, ok := repo.(reference.Digested); ok {
 | |
| 			return errors.Errorf("auto updates require fully-qualified image references without digest: %q", imageName)
 | |
| 		}
 | |
| 	}
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // AutoUpdate looks up containers with a specified auto-update policy and acts
 | |
| // accordingly.
 | |
| //
 | |
| // If the policy is set to PolicyRegistryImage, it checks if the image
 | |
| // on the remote registry is different than the local one. If the image digests
 | |
| // differ, it pulls the remote image and restarts the systemd unit running the
 | |
| // container.
 | |
| //
 | |
| // If the policy is set to PolicyLocalImage, it checks if the image
 | |
| // of a running container is different than the local one. If the image digests
 | |
| // differ, it restarts the systemd unit with the new image.
 | |
| //
 | |
| // It returns a slice of successfully restarted systemd units and a slice of
 | |
| // errors encountered during auto update.
 | |
| func AutoUpdate(ctx context.Context, runtime *libpod.Runtime, options entities.AutoUpdateOptions) ([]*entities.AutoUpdateReport, []error) {
 | |
| 	// Create a map from `image ID -> []*Container`.
 | |
| 	containerMap, errs := imageContainersMap(runtime)
 | |
| 	if len(containerMap) == 0 {
 | |
| 		return nil, errs
 | |
| 	}
 | |
| 
 | |
| 	// Create a map from `image ID -> *libimage.Image` for image lookups.
 | |
| 	listOptions := &libimage.ListImagesOptions{
 | |
| 		Filters: []string{"readonly=false"},
 | |
| 	}
 | |
| 	imagesSlice, err := runtime.LibimageRuntime().ListImages(ctx, nil, listOptions)
 | |
| 	if err != nil {
 | |
| 		return nil, []error{err}
 | |
| 	}
 | |
| 	imageMap := make(map[string]*libimage.Image)
 | |
| 	for i := range imagesSlice {
 | |
| 		imageMap[imagesSlice[i].ID()] = imagesSlice[i]
 | |
| 	}
 | |
| 
 | |
| 	// Connect to DBUS.
 | |
| 	conn, err := systemd.ConnectToDBUS()
 | |
| 	if err != nil {
 | |
| 		logrus.Errorf(err.Error())
 | |
| 		return nil, []error{err}
 | |
| 	}
 | |
| 	defer conn.Close()
 | |
| 
 | |
| 	// Update all images/container according to their auto-update policy.
 | |
| 	var allReports []*entities.AutoUpdateReport
 | |
| 	updatedRawImages := make(map[string]bool)
 | |
| 	for imageID, policyMapper := range containerMap {
 | |
| 		image, exists := imageMap[imageID]
 | |
| 		if !exists {
 | |
| 			errs = append(errs, errors.Errorf("container image ID %q not found in local storage", imageID))
 | |
| 			return nil, errs
 | |
| 		}
 | |
| 
 | |
| 		for _, ctr := range policyMapper[PolicyRegistryImage] {
 | |
| 			report, err := autoUpdateRegistry(ctx, image, ctr, updatedRawImages, &options, conn, runtime)
 | |
| 			if err != nil {
 | |
| 				errs = append(errs, err)
 | |
| 			}
 | |
| 			if report != nil {
 | |
| 				allReports = append(allReports, report)
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		for _, ctr := range policyMapper[PolicyLocalImage] {
 | |
| 			report, err := autoUpdateLocally(ctx, image, ctr, &options, conn, runtime)
 | |
| 			if err != nil {
 | |
| 				errs = append(errs, err)
 | |
| 			}
 | |
| 			if report != nil {
 | |
| 				allReports = append(allReports, report)
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return allReports, errs
 | |
| }
 | |
| 
 | |
| // autoUpdateRegistry updates the image/container according to the "registry" policy.
 | |
| func autoUpdateRegistry(ctx context.Context, image *libimage.Image, ctr *libpod.Container, updatedRawImages map[string]bool, options *entities.AutoUpdateOptions, conn *dbus.Conn, runtime *libpod.Runtime) (*entities.AutoUpdateReport, error) {
 | |
| 	cid := ctr.ID()
 | |
| 	rawImageName := ctr.RawImageName()
 | |
| 	if rawImageName == "" {
 | |
| 		return nil, errors.Errorf("registry auto-updating container %q: raw-image name is empty", cid)
 | |
| 	}
 | |
| 
 | |
| 	labels := ctr.Labels()
 | |
| 	unit, exists := labels[systemdDefine.EnvVariable]
 | |
| 	if !exists {
 | |
| 		return nil, errors.Errorf("auto-updating container %q: no %s label found", ctr.ID(), systemdDefine.EnvVariable)
 | |
| 	}
 | |
| 
 | |
| 	report := &entities.AutoUpdateReport{
 | |
| 		ContainerID:   cid,
 | |
| 		ContainerName: ctr.Name(),
 | |
| 		ImageName:     rawImageName,
 | |
| 		Policy:        PolicyRegistryImage,
 | |
| 		SystemdUnit:   unit,
 | |
| 		Updated:       "failed",
 | |
| 	}
 | |
| 
 | |
| 	if _, updated := updatedRawImages[rawImageName]; updated {
 | |
| 		logrus.Infof("Auto-updating container %q using registry image %q", cid, rawImageName)
 | |
| 		if err := restartSystemdUnit(ctx, ctr, unit, conn); err != nil {
 | |
| 			return report, err
 | |
| 		}
 | |
| 		report.Updated = "true"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	authfile := getAuthfilePath(ctr, options)
 | |
| 	needsUpdate, err := newerRemoteImageAvailable(ctx, runtime, image, rawImageName, authfile)
 | |
| 	if err != nil {
 | |
| 		return report, errors.Wrapf(err, "registry auto-updating container %q: image check for %q failed", cid, rawImageName)
 | |
| 	}
 | |
| 
 | |
| 	if !needsUpdate {
 | |
| 		report.Updated = "false"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	if options.DryRun {
 | |
| 		report.Updated = "pending"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	if _, err := updateImage(ctx, runtime, rawImageName, authfile); err != nil {
 | |
| 		return report, errors.Wrapf(err, "registry auto-updating container %q: image update for %q failed", cid, rawImageName)
 | |
| 	}
 | |
| 	updatedRawImages[rawImageName] = true
 | |
| 
 | |
| 	logrus.Infof("Auto-updating container %q using registry image %q", cid, rawImageName)
 | |
| 	updateErr := restartSystemdUnit(ctx, ctr, unit, conn)
 | |
| 	if updateErr == nil {
 | |
| 		report.Updated = "true"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	if !options.Rollback {
 | |
| 		return report, updateErr
 | |
| 	}
 | |
| 
 | |
| 	// To fallback, simply retag the old image and restart the service.
 | |
| 	if err := image.Tag(rawImageName); err != nil {
 | |
| 		return report, errors.Wrap(err, "falling back to previous image")
 | |
| 	}
 | |
| 	if err := restartSystemdUnit(ctx, ctr, unit, conn); err != nil {
 | |
| 		return report, errors.Wrap(err, "restarting unit with old image during fallback")
 | |
| 	}
 | |
| 
 | |
| 	report.Updated = "rolled back"
 | |
| 	return report, nil
 | |
| }
 | |
| 
 | |
| // autoUpdateRegistry updates the image/container according to the "local" policy.
 | |
| func autoUpdateLocally(ctx context.Context, image *libimage.Image, ctr *libpod.Container, options *entities.AutoUpdateOptions, conn *dbus.Conn, runtime *libpod.Runtime) (*entities.AutoUpdateReport, error) {
 | |
| 	cid := ctr.ID()
 | |
| 	rawImageName := ctr.RawImageName()
 | |
| 	if rawImageName == "" {
 | |
| 		return nil, errors.Errorf("locally auto-updating container %q: raw-image name is empty", cid)
 | |
| 	}
 | |
| 
 | |
| 	labels := ctr.Labels()
 | |
| 	unit, exists := labels[systemdDefine.EnvVariable]
 | |
| 	if !exists {
 | |
| 		return nil, errors.Errorf("auto-updating container %q: no %s label found", ctr.ID(), systemdDefine.EnvVariable)
 | |
| 	}
 | |
| 
 | |
| 	report := &entities.AutoUpdateReport{
 | |
| 		ContainerID:   cid,
 | |
| 		ContainerName: ctr.Name(),
 | |
| 		ImageName:     rawImageName,
 | |
| 		Policy:        PolicyLocalImage,
 | |
| 		SystemdUnit:   unit,
 | |
| 		Updated:       "failed",
 | |
| 	}
 | |
| 
 | |
| 	needsUpdate, err := newerLocalImageAvailable(runtime, image, rawImageName)
 | |
| 	if err != nil {
 | |
| 		return report, errors.Wrapf(err, "locally auto-updating container %q: image check for %q failed", cid, rawImageName)
 | |
| 	}
 | |
| 
 | |
| 	if !needsUpdate {
 | |
| 		report.Updated = "false"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	if options.DryRun {
 | |
| 		report.Updated = "pending"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	logrus.Infof("Auto-updating container %q using local image %q", cid, rawImageName)
 | |
| 	updateErr := restartSystemdUnit(ctx, ctr, unit, conn)
 | |
| 	if updateErr == nil {
 | |
| 		report.Updated = "true"
 | |
| 		return report, nil
 | |
| 	}
 | |
| 
 | |
| 	if !options.Rollback {
 | |
| 		return report, updateErr
 | |
| 	}
 | |
| 
 | |
| 	// To fallback, simply retag the old image and restart the service.
 | |
| 	if err := image.Tag(rawImageName); err != nil {
 | |
| 		return report, errors.Wrap(err, "falling back to previous image")
 | |
| 	}
 | |
| 	if err := restartSystemdUnit(ctx, ctr, unit, conn); err != nil {
 | |
| 		return report, errors.Wrap(err, "restarting unit with old image during fallback")
 | |
| 	}
 | |
| 
 | |
| 	report.Updated = "rolled back"
 | |
| 	return report, nil
 | |
| }
 | |
| 
 | |
| // restartSystemdUnit restarts the systemd unit the container is running in.
 | |
| func restartSystemdUnit(ctx context.Context, ctr *libpod.Container, unit string, conn *dbus.Conn) error {
 | |
| 	restartChan := make(chan string)
 | |
| 	if _, err := conn.RestartUnitContext(ctx, unit, "replace", restartChan); err != nil {
 | |
| 		return errors.Wrapf(err, "auto-updating container %q: restarting systemd unit %q failed", ctr.ID(), unit)
 | |
| 	}
 | |
| 
 | |
| 	// Wait for the restart to finish and actually check if it was
 | |
| 	// successful or not.
 | |
| 	result := <-restartChan
 | |
| 
 | |
| 	switch result {
 | |
| 	case "done":
 | |
| 		logrus.Infof("Successfully restarted systemd unit %q of container %q", unit, ctr.ID())
 | |
| 		return nil
 | |
| 
 | |
| 	default:
 | |
| 		return errors.Errorf("auto-updating container %q: restarting systemd unit %q failed: expected %q but received %q", ctr.ID(), unit, "done", result)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // imageContainersMap generates a map[image ID] -> [containers using the image]
 | |
| // of all containers with a valid auto-update policy.
 | |
| func imageContainersMap(runtime *libpod.Runtime) (map[string]policyMapper, []error) {
 | |
| 	allContainers, err := runtime.GetAllContainers()
 | |
| 	if err != nil {
 | |
| 		return nil, []error{err}
 | |
| 	}
 | |
| 
 | |
| 	errors := []error{}
 | |
| 	containerMap := make(map[string]policyMapper)
 | |
| 	for _, ctr := range allContainers {
 | |
| 		state, err := ctr.State()
 | |
| 		if err != nil {
 | |
| 			errors = append(errors, err)
 | |
| 			continue
 | |
| 		}
 | |
| 		// Only update running containers.
 | |
| 		if state != define.ContainerStateRunning {
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		// Only update containers with the specific label/policy set.
 | |
| 		labels := ctr.Labels()
 | |
| 		value, exists := labels[Label]
 | |
| 		if !exists {
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		policy, err := LookupPolicy(value)
 | |
| 		if err != nil {
 | |
| 			errors = append(errors, err)
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		// Skip labels not related to autoupdate
 | |
| 		if policy == PolicyDefault {
 | |
| 			continue
 | |
| 		} else {
 | |
| 			id, _ := ctr.Image()
 | |
| 			policyMap, exists := containerMap[id]
 | |
| 			if !exists {
 | |
| 				policyMap = make(map[Policy][]*libpod.Container)
 | |
| 			}
 | |
| 			policyMap[policy] = append(policyMap[policy], ctr)
 | |
| 			containerMap[id] = policyMap
 | |
| 			// Now we know that `ctr` is configured for auto updates.
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return containerMap, errors
 | |
| }
 | |
| 
 | |
| // getAuthfilePath returns an authfile path, if set. The authfile label in the
 | |
| // container, if set, as precedence over the one set in the options.
 | |
| func getAuthfilePath(ctr *libpod.Container, options *entities.AutoUpdateOptions) string {
 | |
| 	labels := ctr.Labels()
 | |
| 	authFilePath, exists := labels[AuthfileLabel]
 | |
| 	if exists {
 | |
| 		return authFilePath
 | |
| 	}
 | |
| 	return options.Authfile
 | |
| }
 | |
| 
 | |
| // newerRemoteImageAvailable returns true if there corresponding image on the remote
 | |
| // registry is newer.
 | |
| func newerRemoteImageAvailable(ctx context.Context, runtime *libpod.Runtime, img *libimage.Image, origName string, authfile string) (bool, error) {
 | |
| 	remoteRef, err := docker.ParseReference("//" + origName)
 | |
| 	if err != nil {
 | |
| 		return false, err
 | |
| 	}
 | |
| 	options := &libimage.HasDifferentDigestOptions{AuthFilePath: authfile}
 | |
| 	return img.HasDifferentDigest(ctx, remoteRef, options)
 | |
| }
 | |
| 
 | |
| // newerLocalImageAvailable returns true if the container and local image have different digests
 | |
| func newerLocalImageAvailable(runtime *libpod.Runtime, img *libimage.Image, rawImageName string) (bool, error) {
 | |
| 	localImg, _, err := runtime.LibimageRuntime().LookupImage(rawImageName, nil)
 | |
| 	if err != nil {
 | |
| 		return false, err
 | |
| 	}
 | |
| 	return localImg.Digest().String() != img.Digest().String(), nil
 | |
| }
 | |
| 
 | |
| // updateImage pulls the specified image.
 | |
| func updateImage(ctx context.Context, runtime *libpod.Runtime, name, authfile string) (*libimage.Image, error) {
 | |
| 	pullOptions := &libimage.PullOptions{}
 | |
| 	pullOptions.AuthFilePath = authfile
 | |
| 	pullOptions.Writer = os.Stderr
 | |
| 
 | |
| 	pulledImages, err := runtime.LibimageRuntime().Pull(ctx, name, config.PullPolicyAlways, pullOptions)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return pulledImages[0], nil
 | |
| }
 |