diff --git a/playbooks/filesystem/common/usr/local/sbin/pod-service-auto-update b/playbooks/filesystem/common/usr/local/sbin/pod-service-auto-update
index fc277b9..06f4524 100644
--- a/playbooks/filesystem/common/usr/local/sbin/pod-service-auto-update
+++ b/playbooks/filesystem/common/usr/local/sbin/pod-service-auto-update
@@ -14,28 +14,50 @@ import getpass import json import subprocess + +def podman_ps(): + out = subprocess.run(["podman", "ps", "--format", "json"], capture_output=True, check=True) + return json.loads(out.stdout) + + +def podman_image_inspect(image): + out = subprocess.run(["podman", "image", "inspect", "--format", "json", image], + capture_output=True, check=True) + inspect = json.loads(out.stdout) + assert inspect + if len(inspect) > 1: + raise ValueError("podman image inspect returned multiple entries") + return inspect[0] + +def podman_pull(image): + subprocess.run(["podman", "pull", image], capture_output=True, check=True) + if __name__ == "__main__": - out = subprocess.run(["podman", "images", "--format", "json"], capture_output=True, check=True) - images = json.loads(out.stdout) + containers = podman_ps() + + images = set() + for container in containers: + labels = container.get("Labels", None) + if labels is None: + continue + autoupdate = labels.get("io.containers.autoupdate", None) + if (autoupdate is None) or (autoupdate == "disabled"): + continue + if autoupdate != "image": + raise ValueError(f"unrecognised autopdate label: {autoupdate}") + images.add(container["Image"]) updated = [] for image in images: - if not image["Names"]: - continue - if len(image["Names"]) > 1: - raise ValueError(f"Multiple names available for image: {image['Names']}") - name = image["Names"][0] + inspect = podman_image_inspect(image) + original_digest = inspect["Digest"] - subprocess.run(["podman", "pull", name], capture_output=True, check=True) + podman_pull(image) - out = subprocess.run(["podman", "inspect", "--format", "json", name], - capture_output=True, check=True) - inspect = json.loads(out.stdout) - assert inspect - if len(inspect) > 1: - raise ValueError("Podman inspect returned multiple entries") + inspect = podman_image_inspect(image) + new_digest = inspect["Digest"] - if inspect[0]["Digest"] != image["Digest"]: + if new_digest != original_digest: updated.append(name) 
if updated:
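Review bot: `updated.append(name)` at the end of the loop still refers to `name`, but this change removes the `name = image["Names"][0]` assignment and no other binding of `name` is visible in the hunk, so the first image whose digest changes would raise NameError instead of being recorded. It should read `updated.append(image)`. As written the script fails exactly when a new image has been pulled, so whatever the `if updated:` block does with the list (its body is outside the hunk) never runs and the affected containers presumably keep running the old image. Separately, the label check raises on any value other than `image` or `disabled`, which aborts the whole run for a container labelled with podman's `registry` or `local` policy, and the error message misspells "autoupdate" as `autopdate`.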