I recently migrated a bunch of docker services onto NixOS as declarative oci-containers (podman backend). Everything works well, and podman pulled the latest images for each one on the first startup.
Now it’s been a couple weeks, and I know some of those images have updates. Is there a way to get all of them to update again? The NixOS configuration specifies the “latest” tag for each, but a nixos-rebuild doesn’t do anything here.
Do I need to deal directly with podman and update each image individually? Or is there a way to get all containers to rebuild on the latest images again?
I’m pretty new to Nix, but I migrated my ansible playbooks and a couple of scripts for managing/updating my containers for everything but the setup of the service in the NixOS configuration.
You could probably set up a simple systemd service to podman pull each image and restart periodically using Nix if you’re not too concerned about automatically updating latest containers. I prefer a bit more control to prevent inadvertent breakage due to an update…
Thanks! This is what I ended up doing, creating a systemd service/timer to periodically pull the latest image for each container.
My confusion came from the fact that I was able to specify the creation of the containers via virtualisation.oci-containers in the NixOS config, but couldn’t update them from the same source. But, in the end, pulling new images and restarting the services isn’t a big deal.
Sure. I ended up breaking it out as a script I could run manually if I want to, and then a service to run that.
Script:
update-containers = pkgs.writeShellScriptBin "update-containers" ''
  # Use sudo when run as a regular user; as root (e.g. from the systemd unit) call podman directly.
  SUDO=""
  if [[ $(id -u) -ne 0 ]]; then
    SUDO="sudo"
  fi
  # Every image referenced by an existing container, deduplicated.
  images=$($SUDO ${pkgs.podman}/bin/podman ps -a --format="{{.Image}}" | sort -u)
  # Pull the current version of each image; containers pick it up on their next restart.
  for image in $images; do
    $SUDO ${pkgs.podman}/bin/podman pull "$image"
  done
'';
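A NixOS module that wires such a pull script into a systemd timer and restarts only the containers whose image ID actually changed, as an added example (not code from the thread). It assumes the containers are declared under virtualisation.oci-containers with the podman backend, so their units are named podman-<name>.service, and that each is pulled from a registry (not loaded via imageFile).

```nix
{ config, pkgs, lib, ... }:
let
  containers = config.virtualisation.oci-containers.containers;
  # One "name image" line per declared container, fixed at build time.
  containerList = lib.concatStringsSep "\n"
    (lib.mapAttrsToList (name: c: "${name} ${c.image}") containers);
  update-containers = pkgs.writeShellScriptBin "update-containers" ''
    set -euo pipefail
    while read -r name image; do
      [[ -z "$name" ]] && continue
      # Image ID before the pull (empty if the image is not present yet).
      before=$(podman image inspect --format '{{.Id}}' "$image" 2>/dev/null || true)
      podman pull "$image"
      after=$(podman image inspect --format '{{.Id}}' "$image")
      # Restart only when the tag now resolves to a different image.
      if [[ "$before" != "$after" ]]; then
        echo "$name: image changed, restarting podman-$name.service"
        systemctl restart "podman-$name.service"
      fi
    done <<EOF
    ${containerList}
    EOF
  '';
in {
  systemd.services.update-containers = {
    description = "Pull updated images for declared oci-containers and restart changed ones";
    path = [ pkgs.podman pkgs.systemd ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${update-containers}/bin/update-containers";
    };
  };
  systemd.timers.update-containers = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "weekly";        # adjust to taste
      Persistent = true;            # catch up if the machine was off
      RandomizedDelaySec = "1h";    # spread registry load
    };
  };
}
```

The service runs as root, so no sudo handling is needed; `systemctl start update-containers.service` runs the same update on demand.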