feat: Implement auto update support for podman-remote

Signed-off-by: Stefan Nienhuis <[email protected]>

Author: StefanNienhuis

cmd/podman/auto-update.go

@@ -31,7 +31,6 @@ var (
   or similar units that create new containers in order to run the updated images.
   Please refer to the podman-auto-update(1) man page for details.`
 	autoUpdateCommand = &cobra.Command{
-		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
 		Use:               "auto-update [options]",
 		Short:             "Auto update containers according to their auto-update policy",
 		Long:              autoUpdateDescription,

hack/swagger-check

@@ -343,6 +343,11 @@ sub operation_name {
         $main   = 'image';
         $action = $1;
     }
+    # Top-level autoupdate endpoint
+    elsif ($main eq 'autoupdate') {
+        $main   = 'autoupdate';
+        $action = '';
+    }
     # Top-level system endpoints
     elsif ($main =~ /^(auth|event|info|version)$/) {
         $main   = 'system';

pkg/api/handlers/libpod/autoupdate.go

@@ -0,0 +1,79 @@
+//go:build !remote
+
+package libpod
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/containers/podman/v5/libpod"
+	"github.com/containers/podman/v5/pkg/api/handlers"
+	"github.com/containers/podman/v5/pkg/api/handlers/utils"
+	api "github.com/containers/podman/v5/pkg/api/types"
+	"github.com/containers/podman/v5/pkg/auth"
+	"github.com/containers/podman/v5/pkg/domain/entities"
+	"github.com/containers/podman/v5/pkg/domain/infra/abi"
+	"github.com/containers/podman/v5/pkg/errorhandling"
+	"github.com/gorilla/schema"
+	"go.podman.io/image/v5/types"
+)
+
+func AutoUpdate(w http.ResponseWriter, r *http.Request) {
+	decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder)
+	runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime)
+
+	query := struct {
+		DryRun    bool               `schema:"dryRun"`
+		Rollback  bool               `schema:"rollback"`
+		TLSVerify types.OptionalBool `schema:"tlsVerify"`
+	}{}
+
+	if err := decoder.Decode(&query, r.URL.Query()); err != nil {
+		utils.Error(w, http.StatusBadRequest, fmt.Errorf("failed to parse parameters for %s: %w", r.URL.String(), err))
+		return
+	}
+
+	_, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		utils.Error(w, http.StatusBadRequest, err)
+		return
+	}
+	defer auth.RemoveAuthfile(authfile)
+
+	containerEngine := abi.ContainerEngine{Libpod: runtime}
+
+	options := entities.AutoUpdateOptions{
+		Authfile:              authfile,
+		DryRun:                query.DryRun,
+		Rollback:              query.Rollback,
+		InsecureSkipTLSVerify: types.OptionalBoolUndefined,
+	}
+
+	// If TLS verification is explicitly specified (True or False) in the query,
+	// set the InsecureSkipTLSVerify option accordingly.
+	// If TLSVerify was not set in the query, OptionalBoolUndefined is used and
+	// handled later based off the target registry configuration.
+	switch query.TLSVerify {
+	case types.OptionalBoolTrue:
+		options.InsecureSkipTLSVerify = types.NewOptionalBool(false)
+	case types.OptionalBoolFalse:
+		options.InsecureSkipTLSVerify = types.NewOptionalBool(true)
+	case types.OptionalBoolUndefined:
+		// If the user doesn't define TLSVerify in the query, do nothing and pass
+		// it to the backend code to handle.
+	default: // Should never happen
+		panic("Unexpected handling occurred for TLSVerify")
+	}
+
+	autoUpdateReports, autoUpdateFailures := containerEngine.AutoUpdate(r.Context(), options)
+	if autoUpdateReports == nil {
+		if err := errorhandling.JoinErrors(autoUpdateFailures); err != nil {
+			utils.Error(w, http.StatusInternalServerError, err)
+			return
+		}
+	}
+
+	reports := handlers.LibpodAutoUpdateReports{Reports: autoUpdateReports, Errors: errorhandling.ErrorsToStrings(autoUpdateFailures)}
+
+	utils.WriteResponse(w, http.StatusOK, reports)
+}

pkg/api/handlers/swagger/responses.go

@@ -520,3 +520,10 @@ type artifactPushResponse struct {
 	// in:body
 	Body entities.ArtifactPushReport
 }
+
+// Auto Update
+// swagger:response
+type autoupdateResponse struct {
+	// in:body
+	Body handlers.LibpodAutoUpdateReports
+}

pkg/api/handlers/types.go

@@ -188,3 +188,10 @@ type ExecStartConfig struct {
 type ExecRemoveConfig struct {
 	Force bool `json:"Force"`
 }
+
+// LibpodAutoUpdateReport is the return type for auto update via the rest api.
+type LibpodAutoUpdateReports struct {
+	Reports []*entities.AutoUpdateReport
+	// Auto update returns data and possible errors.
+	Errors []string
+}

pkg/api/server/register_autoupdate.go

@@ -0,0 +1,52 @@
+//go:build !remote
+
+package server
+
+import (
+	"net/http"
+
+	"github.com/containers/podman/v5/pkg/api/handlers/libpod"
+	"github.com/gorilla/mux"
+)
+
+func (s *APIServer) registerAutoUpdateHandlers(r *mux.Router) error {
+	// swagger:operation POST /libpod/autoupdate libpod AutoupdateLibpod
+	// ---
+	// tags:
+	//   - autoupdate
+	// summary: Auto update
+	// description: |
+	//   Auto update containers according to their auto-update policy.
+	//
+	//   Auto-update policies are specified with the "io.containers.autoupdate" label.
+	//   Containers are expected to run in systemd units created with "podman-generate-systemd --new",
+	//   or similar units that create new containers in order to run the updated images.
+	//   Please refer to the podman-auto-update(1) man page for details.
+	// parameters:
+	//   - in: query
+	//     name: authfile
+	//     type: string
+	//     description: Authfile to use when contacting registries.
+	//   - in: query
+	//     name: dryRun
+	//     type: boolean
+	//     description: Only check for but do not perform any update. If an update is pending, it will be indicated in the Updated field.
+	//   - in: query
+	//     name: rollback
+	//     type: boolean
+	//     description: If restarting the service with the new image failed, restart it another time with the previous image.
+	//   - in: query
+	//     name: tlsVerify
+	//     type: boolean
+	//     default: true
+	//     description: Require HTTPS and verify signatures when contacting registries.
+	// produces:
+	//   - application/json
+	// responses:
+	//   200:
+	//     $ref: "#/responses/autoupdateResponse"
+	//   500:
+	//     $ref: '#/responses/internalError'
+	r.HandleFunc(VersionedPath("/libpod/autoupdate"), s.APIHandler(libpod.AutoUpdate)).Methods(http.MethodPost)
+	return nil
+}

pkg/api/server/server.go

@@ -133,6 +133,7 @@ func newServer(runtime *libpod.Runtime, listener net.Listener, opts entities.Ser
 		server.registerAuthHandlers,
 		server.registerArtifactHandlers,
 		server.registerArchiveHandlers,
+		server.registerAutoUpdateHandlers,
 		server.registerContainersHandlers,
 		server.registerDistributionHandlers,
 		server.registerEventsHandlers,

pkg/api/tags.yaml

@@ -1,6 +1,8 @@
 tags:
     - name: artifacts
       description: Actions related to artifacts
+    - name: autoupdate
+      description: Actions related to auto update
     - name: containers
       description: Actions related to containers
     - name: exec

pkg/bindings/auto-update/auto-update.go

@@ -0,0 +1,54 @@
+package autoupdate
+
+import (
+	"context"
+	"net/http"
+	"strconv"
+
+	"github.com/containers/podman/v5/pkg/api/handlers"
+	"github.com/containers/podman/v5/pkg/auth"
+	"github.com/containers/podman/v5/pkg/bindings"
+	"github.com/containers/podman/v5/pkg/domain/entities"
+	"github.com/containers/podman/v5/pkg/errorhandling"
+	imageTypes "go.podman.io/image/v5/types"
+)
+
+func AutoUpdate(ctx context.Context, options *AutoUpdateOptions) ([]*entities.AutoUpdateReport, []error) {
+	conn, err := bindings.GetClient(ctx)
+	if err != nil {
+		return nil, []error{err}
+	}
+	if options == nil {
+		options = new(AutoUpdateOptions)
+	}
+
+	params, err := options.ToParams()
+	if err != nil {
+		return nil, []error{err}
+	}
+	// InsecureSkipTLSVerify is special.  We need to delete the param added by
+	// ToParams() and change the key and flip the bool
+	if options.InsecureSkipTLSVerify != nil {
+		params.Del("SkipTLSVerify")
+		params.Set("tlsVerify", strconv.FormatBool(!options.GetInsecureSkipTLSVerify()))
+	}
+
+	header, err := auth.MakeXRegistryAuthHeader(&imageTypes.SystemContext{AuthFilePath: options.GetAuthfile()}, "", "")
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	response, err := conn.DoRequest(ctx, nil, http.MethodPost, "/autoupdate", params, header)
+	if err != nil {
+		return nil, []error{err}
+	}
+	defer response.Body.Close()
+
+	var reports handlers.LibpodAutoUpdateReports
+
+	if err := response.Process(&reports); err != nil {
+		return nil, []error{err}
+	}
+
+	return reports.Reports, errorhandling.StringsToErrors(reports.Errors)
+}

pkg/bindings/auto-update/types.go

@@ -0,0 +1,19 @@
+package autoupdate
+
+// AutoUpdateOptions are the options for running auto-update
+//
+//go:generate go run ../generator/generator.go AutoUpdateOptions
+type AutoUpdateOptions struct {
+	// Authfile to use when contacting registries.
+	Authfile *string
+	// Only check for but do not perform any update.  If an update is
+	// pending, it will be indicated in the Updated field of
+	// AutoUpdateReport.
+	DryRun *bool
+	// If restarting the service with the new image failed, restart it
+	// another time with the previous image.
+	Rollback *bool
+	// Allow contacting registries over HTTP, or HTTPS with failed TLS
+	// verification. Note that this does not affect other TLS connections.
+	InsecureSkipTLSVerify *bool
+}