auto-update: support pods

Support auto updating containers running inside pods.  Similar to
containers, the systemd units need to be generated via
`podman-generate-systemd --new $POD` to generate the pod's units.

Note that auto updating a container inside a pod will restart the entire
pod.  Updates of multiple containers inside a pod are batched, such that
a pod is restarted at most once.  That is effectively the same mechanism
for auto updating containers in a K8s YAML via the `podman-kube@`
template or via Quadlet.

Updating a single container unit without restarting the entire pod is
not possible.  The reasoning behind is that pods are created with
--exit-policy=stop which will render the pod to be stopped when auto
updating the only container inside the pod.  The (reverse) dependencies
between the pod and its containers unit have been carefully selected for
robustness.  Changes may entail undesired side effects or backward
incompatibilities that I am not comfortable with.

Fixes: containers#17181
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>

Author: vrothberg

docs/source/markdown/podman-auto-update.1.md.in

@@ -26,6 +26,8 @@ At container-creation time, Podman looks up the `PODMAN_SYSTEMD_UNIT` environmen
 This variable is now set by all systemd units generated by **[podman-generate-systemd](podman-generate-systemd.1.md)** and is set to `%n` (i.e., the name of systemd unit starting the container).
 This data is then being used in the auto-update sequence to instruct systemd (via DBUS) to restart the unit and hence to restart the container.
 
+If a container configured for auto updates is part of a pod, the pod's systemd unit will be restarted and hence the entire pod and all containers inside the pod.  Container updates are batched, such that a pod gets restarted at most once.
+
 Note that **podman auto-update** relies on systemd. The systemd units are expected to be generated with **[podman-generate-systemd --new](podman-generate-systemd.1.md#--new)**, or similar units that create new containers in order to run the updated images.
 Systemd units that start and stop a container cannot run a new image.
 

pkg/autoupdate/autoupdate.go

@@ -398,7 +398,11 @@ func (u *updater) assembleTasks(ctx context.Context) []error {
 
 		// Make sure the container runs in a systemd unit which is
 		// stored as a label at container creation.
-		unit, exists := labels[systemdDefine.EnvVariable]
+		unit, exists, err := u.systemdUnitForContainer(ctr, labels)
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
 		if !exists {
 			errors = append(errors, fmt.Errorf("auto-updating container %q: no %s label found", ctr.ID(), systemdDefine.EnvVariable))
 			continue
@@ -436,6 +440,31 @@ func (u *updater) assembleTasks(ctx context.Context) []error {
 	return errors
 }
 
+// systemdUnitForContainer returns the name of the container's systemd unit.
+// If the container is part of a pod, the pod's infra container's systemd unit
+// is returned.  This allows for auto update to restart the pod's systemd unit.
+func (u *updater) systemdUnitForContainer(c *libpod.Container, labels map[string]string) (string, bool, error) {
+	podID := c.ConfigNoCopy().Pod
+	if podID == "" {
+		unit, exists := labels[systemdDefine.EnvVariable]
+		return unit, exists, nil
+	}
+
+	pod, err := u.runtime.LookupPod(podID)
+	if err != nil {
+		return "", false, fmt.Errorf("looking up pod's systemd unit: %w", err)
+	}
+
+	infra, err := pod.InfraContainer()
+	if err != nil {
+		return "", false, fmt.Errorf("looking up pod's systemd unit: %w", err)
+	}
+
+	infraLabels := infra.Labels()
+	unit, exists := infraLabels[systemdDefine.EnvVariable]
+	return unit, exists, nil
+}
+
 // assembleImageMap creates a map from `image ID -> *libimage.Image` for image lookups.
 func (u *updater) assembleImageMap(ctx context.Context) (map[string]*libimage.Image, error) {
 	listOptions := &libimage.ListImagesOptions{

test/system/255-auto-update.bats

@@ -525,4 +525,72 @@ EOF
     rm -f $UNIT_DIR/$unit_name
 }
 
+@test "podman auto-update - pod" {
+    dockerfile=$PODMAN_TMPDIR/Dockerfile
+    cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN touch /123
+EOF
+
+    podname=$(random_string)
+    ctrname=$(random_string)
+    podunit="$UNIT_DIR/pod-$podname.service.*"
+    ctrunit="$UNIT_DIR/container-$ctrname.service.*"
+    local_image=localhost/image:$(random_string 10)
+
+    run_podman tag $IMAGE $local_image
+
+    run_podman pod create --name=$podname
+    run_podman create --label "io.containers.autoupdate=local" --pod=$podname --name=$ctrname $local_image top
+
+    # cd into the unit dir to generate the two files.
+    pushd "$UNIT_DIR"
+    run_podman generate systemd --name --new --files $podname
+    is "$output" ".*$podunit.*"
+    is "$output" ".*$ctrunit.*"
+    popd
+
+    systemctl daemon-reload
+
+    run systemctl start pod-$podname.service
+    assert $status -eq 0 "Error starting pod systemd unit: $output"
+    _wait_service_ready container-$ctrname.service
+
+    run_podman pod inspect --format "{{.State}}" $podname
+    is "$output" "Running" "pod is in running state"
+    run_podman container inspect --format "{{.State.Status}}" $ctrname
+    is "$output" "running" "container is in running state"
+
+    run_podman pod inspect --format "{{.ID}}" $podname
+    podid="$output"
+    run_podman container inspect --format "{{.ID}}" $ctrname
+    ctrid="$output"
+
+    # Note that the pod's unit is listed below, not the one of the container.
+    run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}"
+    is "$output" ".*pod-$podname.service,$local_image,false,local.*" "No update available"
+
+    run_podman build -t $local_image -f $dockerfile
+
+    run_podman auto-update --dry-run --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}"
+    is "$output" ".*pod-$podname.service,$local_image,pending,local.*" "Image updated is pending"
+
+    run_podman auto-update --format "{{.Unit}},{{.Image}},{{.Updated}},{{.Policy}}"
+    is "$output" ".*pod-$podname.service,$local_image,true,local.*" "Service has been restarted"
+    _wait_service_ready container-$ctrname.service
+
+    run_podman pod inspect --format "{{.ID}}" $podname
+    assert "$output" != "$podid" "pod has been recreated"
+    run_podman container inspect --format "{{.ID}}" $ctrname
+    assert "$output" != "$ctrid" "container has been recreated"
+
+    run systemctl stop pod-$podname.service
+    assert $status -eq 0 "Error stopping pod systemd unit: $output"
+
+    run_podman pod rm -f $podname
+    run_podman rmi $local_image $(pause_image)
+    rm -f $podunit $ctrunit
+    systemctl daemon-reload
+}
+
 # vim: filetype=sh