How to update container images with Podman


Keeping images up to date is a standard procedure in operating and managing a containerized environment. Next, we’ll look at how to do this.

Podman is a daemon-less engine for developing, managing and running Open Container Initiative (OCI) containers. This is one of a series of articles on using Podman based on what I do in my actual work environment. Previously, I showed you how to display network information with Podman, including containers and pod IP addresses.

This article shows you how to update container images. It is very important to keep running containers and pods up to date with the latest image updates. Before following this article, you can first run the shell scripts that I used in one of the previous articles, in the section “Initial setup”.



Check images before updating

Before updating any images, it is important to understand what exactly has changed in one version of an image compared to another. Tracking these changes will allow you to understand their impact on your infrastructure. In certain scenarios, it may be useful to use deeper verification tools such as Skopeo, which allows you to check “a remote image, showing its properties, including layers, without having to transfer the image to the host.” You can also check the image’s Dockerfile for update information. However, the Podman command-line interface (CLI) alone can help you gather some of this information.

This example shows the images I’ve been using since the first article was posted:

$ podman image ls
REPOSITORY               	TAG     	IMAGE ID  	CREATED    	SIZE
docker.io/library/wordpress  latest  	054741915cf1  6 weeks ago	629 MB
docker.io/library/mysql  	latest  	bbf6571db497  6 weeks ago	521 MB
docker.io/library/httpd  	latest  	ea28e1b82f31  6 weeks ago	148 MB
k8s.gcr.io/pause         	3.5     	ed210e3e4a5b  10 months ago  690 kB

For this demo, I will be using the httpd image. In the CREATED column, Podman reports that the image tagged latest was created six weeks ago. To check what was done to this image when it was created, you can get the history of the image:

$ podman image history httpd
ID        	CREATED  	CREATED BY                                 	SIZE          	COMMENT
ea28e1b82f31  6 weeks ago  /bin/sh -c #(nop)  CMD ["httpd-foreground"]	0 B
<missing> 	6 weeks ago  /bin/sh -c #(nop)  EXPOSE 80               	0 B  
<missing> 	6 weeks ago  /bin/sh -c #(nop) COPY file:c432ff61c4993e...  3.58 kB
<missing> 	6 weeks ago  /bin/sh -c #(nop)  STOPSIGNAL SIGWINCH     	0 B          	 
<missing> 	6 weeks ago  /bin/sh -c set -eux;                                         	savedAptMark="$(apt...  61 MB
<missing> 	6 weeks ago  /bin/sh -c #(nop)  ENV HTTPD_PATCHES=      	0 B
<missing> 	6 weeks ago  /bin/sh -c #(nop)  ENV HTTPD_SHA256=20e01d...  0 B
<missing> 	6 weeks ago  /bin/sh -c #(nop)  ENV HTTPD_VERSION=2.4.51	0 B
<missing> 	6 weeks ago  /bin/sh -c set -eux;                       	apt-get update;   apt...  	2.69 MB
<missing> 	6 weeks ago  /bin/sh -c #(nop) WORKDIR /usr/local/apache2   0 B
<missing> 	6 weeks ago  /bin/sh -c mkdir -p "$HTTPD_PREFIX"        	&& ch...      	3.07 kB
<missing> 	6 weeks ago  /bin/sh -c #(nop)  ENV PATH=/usr/local/apa...  0 B
<missing> 	6 weeks ago  /bin/sh -c #(nop)  ENV HTTPD_PREFIX=/usr/l...  0 B
<missing> 	6 weeks ago  /bin/sh -c #(nop)  CMD ["bash"]            	0 B  
<missing> 	6 weeks ago  /bin/sh -c #(nop) ADD file:ece5ff85ca549f0...  83.9 MB

Note the HTTPD_VERSION=2.4.51 environment variable. To get more detailed information about this image, examine it using the inspect subcommand. The output is very verbose, so I’ve shortened it here:

$ podman image inspect httpd
[
	{
    	"Id": "ea28e1b82f314092abd3f90a69e57d6ccf506382821ee0b8d9b48c3e47440c1f",
    	"Digest": "sha256:fba8a9f4290180ceee5c74638bb85ff21fd15961e6fdfa4def48e18820512bb1",
    	"RepoTags": [
        	"docker.io/library/httpd:latest"
    	],
    	"RepoDigests": [  "docker.io/library/httpd@sha256:24d492e04f02881adcc1d7543b0251754a2be6a24c75aae7a008fdae767b7337", "docker.io/library/httpd@sha256:fba8a9f4290180ceee5c74638bb85ff21fd15961e6fdfa4def48e18820512bb1"],
    	"Parent": "",
    	"Comment": "",
    	"Created": "2021-12-02T10:03:55.933654778Z",
    	"Config": {
        	"ExposedPorts": {
            	"80/tcp": {}
        	},
        	"Env": [
            	"PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "HTTPD_PREFIX=/usr/local/apache2", "HTTPD_VERSION=2.4.51",
[…]
    	"Version": "20.10.7",
    	"Author": "",
    	"Architecture": "amd64",
    	"Os": "linux",
    	"Size": 147627312,
    	"VirtualSize": 147627312,
    	"GraphDriver": {
        	"Name": "overlay",
        	"Data": {
            	"LowerDir": "/home/localuser/.local/share/containers/storage/overlay/e20054c1032fd3c5f8d8b35d8c75b806d8f813c90621b8304d543c7edf26b2f6/diff:/home/localuser/.local/share/containers/storage/overlay/1121e686efcde8973c70358a33725d8e9616f13eab864334568ee5aea0578295/diff:/home/localuser/.local/share/containers/storage/overlay/
[...]

The next step is to update the image.

Manually updating container images

To update the image, run the same command that is used to pull the image, podman pull. Its syntax is the following:

podman pull [options] IMAGE [IMAGE...]

To pull a specific version of an image, set the desired image tag. For this demo, I’ll be running the latest version of the httpd image, so Podman will fetch the latest httpd version using the latest tag.

If you don’t specify any tag, Podman will by default retrieve the image using the latest tag:

$ podman pull docker.io/library/httpd:latest
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
[...]
Copying blob 67283bbdd4a0 done  
Copying config dabbfbe0c5 done  
Writing manifest to image destination
Storing signatures
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34

Now when you check your pulled images again, you will see that the httpd image has changed its ID and the CREATED column says it was created “4 weeks ago”. This means that the newly pulled image has a two-week update difference compared to the previous version:

$ podman image ls
REPOSITORY               	TAG     	IMAGE ID  	CREATED    	SIZE
docker.io/library/httpd  	latest  	dabbfbe0c57b  4 weeks ago	148 MB
docker.io/library/wordpress  latest  	054741915cf1  6 weeks ago	629 MB
docker.io/library/mysql  	latest  	bbf6571db497  6 weeks ago	521 MB
<none>                   	<none>  	ea28e1b82f31  6 weeks ago	148 MB
k8s.gcr.io/pause         	3.5     	ed210e3e4a5b  10 months ago  690 kB

But what has changed between one image and another? Let’s check the history of the image to find out:

$ podman image history httpd
ID        	CREATED  	CREATED BY                                 	SIZE          	COMMENT
dabbfbe0c57b  4 weeks ago  /bin/sh -c #(nop)  CMD ["httpd-foreground"]	0 B
<missing> 	4 weeks ago  /bin/sh -c #(nop)  EXPOSE 80               	0 B    
<missing> 	4 weeks ago  /bin/sh -c #(nop) COPY file:c432ff61c4993e...  3.58 kB
<missing> 	4 weeks ago  /bin/sh -c #(nop)  STOPSIGNAL SIGWINCH     	0 B
<missing> 	4 weeks ago  /bin/sh -c set -eux;                                         	savedAptMark="$(apt...  61.1 MB
[...]
<missing> 	4 weeks ago  /bin/sh -c #(nop)  ENV HTTPD_PREFIX=/usr/l...  0 B
<missing> 	4 weeks ago  /bin/sh -c #(nop)  CMD ["bash"]            	0 B
<missing> 	4 weeks ago  /bin/sh -c #(nop) ADD file:09675d11695f65c...  83.9 MB

Remember the HTTPD_VERSION=2.4.51 environment variable I asked you to pay attention to? You can see that it has been changed in this updated image to HTTPD_VERSION=2.4.52, which means Apache has been upgraded between versions.
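The comparison above can be done mechanically instead of by reading two history listings. The following is an added example, not part of the original article: the function names env_changes and demo_env_changes are made up for illustration, and the sample values are the image-level variables that appear in this article's output for the old and new httpd images.

```shell
#!/bin/sh
# Added example. env_changes OLD NEW compares two files holding one KEY=VALUE
# per line, which for real images can be produced with:
#   podman image inspect --format '{{range .Config.Env}}{{println .}}{{end}}' IMAGE_ID
env_changes() {
    awk '
        { eq = index($0, "="); if (eq == 0) next      # skip blank lines
          key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
        FNR == NR { old[key] = val; next }            # first file: old image
        { seen[key] = 1
          if (!(key in old))        print "added   " key "=" val
          else if (old[key] != val) print "changed " key ": " old[key] " -> " val }
        END { for (k in old) if (!(k in seen)) print "removed " k "=" old[k] }
    ' "$1" "$2" | sort
}

# Sample input: variables shown in this article for image ea28e1b82f31 (old)
# and image dabbfbe0c57b (new).
demo_env_changes() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/old.env" <<'EOF'
PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HTTPD_PREFIX=/usr/local/apache2
HTTPD_VERSION=2.4.51
HTTPD_SHA256=20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4
HTTPD_PATCHES=
EOF
    cat > "$tmp/new.env" <<'EOF'
PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HTTPD_VERSION=2.4.52
HTTPD_SHA256=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
HTTPD_PATCHES=
HTTPD_PREFIX=/usr/local/apache2
EOF
    env_changes "$tmp/old.env" "$tmp/new.env"
    rm -rf "$tmp"
}

demo_env_changes
```

Because the old image stays in local storage as an untagged image after the pull, both IDs can still be inspected and fed to env_changes.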

But this updated image is not used by any running container. What happens if I update the image of an already running container? Let’s check it out.

Manually applying image updates to a running container

I will be using the same httpd image taken from the docker.io registry as above. I will run it as a rootful container to use the old image again, since I pulled it as root before. Here is the old pulled image:

$ sudo  podman image ls
REPOSITORY                         	TAG     	IMAGE ID  	CREATED    	SIZE
docker.io/library/wordpress        	latest  	054741915cf1  6 weeks ago	629 MB
docker.io/library/mysql            	latest  	bbf6571db497  6 weeks ago	521 MB
docker.io/library/httpd            	latest  	ea28e1b82f31  6 weeks ago	148 MB
registry.access.redhat.com/ubi8/pause  latest  	20b34168e325  2 months ago   3.49 MB
k8s.gcr.io/pause                   	3.5     	ed210e3e4a5b  10 months ago  690 kB

Here is a running rootful container using the old image:

$ sudo podman ps
CONTAINER ID  IMAGE                       	COMMAND       	CREATED	STATUS        	PORTS             	NAMES
b85600da6d86  docker.io/library/httpd:latest  httpd-foreground  4 min ago  Up 3 minutes ago  0.0.0.0:8081->80/tcp  httpd

A simple curl to the container’s running web server shows the version of Apache it serves:

$ sudo curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 18 Jan 2022 18:00:14 GMT
< Server: Apache/2.4.51 (Unix)
< Last-Modified: Tue, 07 Dec 2021 21:29:58 GMT
< ETag: "74-5d295133b0ae6"
< Accept-Ranges: bytes
< Content-Length: 116
< Content-Type: text/html
<
<html>
  <header>
	<title>Enable SysAdmin</title>
  </header>
  <body>
	<p>Hello World!</p>
  </body>
</html>
* Connection #0 to host localhost left intact

Server: Apache/2.4.51 (Unix) shows the same version as in the HTTPD_VERSION=2.4.51 environment variable for this image, confirming that the container is still running the old image. I’ll pull the latest version of the image again while the container is running:

$ sudo podman pull docker.io/library/httpd:latest
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 41c22baa66ec done  
[...]
Copying blob d982c879c57e done  
Copying config dabbfbe0c5 done  
Writing manifest to image destination
Storing signatures
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34

In the STATUS column, you can see that the container didn’t stop for a single moment, which is good because the web server continued to run its services:

$ sudo podman ps
CONTAINER ID  IMAGE                       	COMMAND       	CREATED    	STATUS        	PORTS             	NAMES
b85600da6d86  docker.io/library/httpd:latest  httpd-foreground  4 minutes ago  Up 4 minutes ago  0.0.0.0:8081->80/tcp  httpd

Checking the images shows that the httpd image has been updated: its IMAGE ID has changed and the CREATED column shows that it was created “4 weeks ago”. This means that I now have the latest version of the image:

$ sudo podman image ls
REPOSITORY                         	TAG     	IMAGE ID  	CREATED    	SIZE
docker.io/library/httpd            	latest  	dabbfbe0c57b  4 weeks ago	148 MB
docker.io/library/wordpress        	latest  	054741915cf1  6 weeks ago	629 MB
docker.io/library/mysql            	latest  	bbf6571db497  6 weeks ago	521 MB
<none>                             	<none>  	ea28e1b82f31  6 weeks ago	148 MB
registry.access.redhat.com/ubi8/pause  latest  	20b34168e325  2 months ago   3.49 MB
k8s.gcr.io/pause                   	3.5     	ed210e3e4a5b  10 months ago  690 kB

But when I run a simple curl again against the running container, I see that the Apache version hasn’t changed at all:

$ sudo curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 18 Jan 2022 18:04:12 GMT
< Server: Apache/2.4.51 (Unix)
< Last-Modified: Tue, 07 Dec 2021 21:29:58 GMT
< ETag: "74-5d295133b0ae6"
< Accept-Ranges: bytes
< Content-Length: 116
< Content-Type: text/html
<
<html>
  <header>
	<title>Enable SysAdmin</title>
  </header>
  <body>
	<p>Hello World!</p>
  </body>
</html>
* Connection #0 to host localhost left intact

When looking at a running httpd container, you can see that it still displays the HTTPD_VERSION=2.4.51 environment variable, which explains why it continues to use Apache version 2.4.51:

$ sudo podman inspect httpd --format "{{.Image}} {{.ImageName}} {{.Config.Env}}"
ea28e1b82f314092abd3f90a69e57d6ccf506382821ee0b8d9b48c3e47440c1f docker.io/library/httpd:latest [PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm container=podman HTTPD_PREFIX=/usr/local/apache2 HTTPD_VERSION=2.4.51 HTTPD_SHA256=20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4 HTTPD_PATCHES= HOME=/root HOSTNAME=b85600da6d86]

This is because simply pulling and updating container images does not automatically update running containers using those images. This requires a separate operation. To manually force a running container to use the updated image, stop the container and start it again. In this example I use the create_web.sh script that I created in the first article of this series:

$ sudo podman stop httpd
httpd

$ sudo podman rm -a
b85600da6d86cdd9cce0edf782025718de4e3fa9c3203005c579418ec9c99737

$ sudo ./create_web.sh
7b932bbe6367b2af96d2d7e4dc059d56873737d1e4b1c343912e10574f6ce8cc

The container is now running again and using the updated image:

$ sudo podman ps
CONTAINER ID  IMAGE                       	COMMAND       	CREATED    	STATUS        	PORTS             	NAMES
7b932bbe6367  docker.io/library/httpd:latest  httpd-foreground  5 seconds ago  Up 4 seconds ago  0.0.0.0:8081->80/tcp  httpd

To verify this, check the HTTPD_VERSION environment variable in the newly launched container:

$ sudo podman inspect httpd --format "{{.Image}} {{.ImageName}} {{.Config.Env}}"
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 docker.io/library/httpd:latest [PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm container=podman HTTPD_VERSION=2.4.52 HTTPD_SHA256=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9 HTTPD_PATCHES= HTTPD_PREFIX=/usr/local/apache2 HOME=/root HOSTNAME=7b932bbe6367]

Jackpot! The container is now running with the HTTPD_VERSION=2.4.52 environment variable, which means that Apache should be running that version. I will test it by running curl again:

$ sudo curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 18 Jan 2022 18:23:04 GMT
< Server: Apache/2.4.52 (Unix)
< Last-Modified: Tue, 07 Dec 2021 21:29:58 GMT
< ETag: "74-5d295133b0ae6"
< Accept-Ranges: bytes
< Content-Length: 116
< Content-Type: text/html
<
<html>
  <header>
	<title>Enable SysAdmin</title>
  </header>
  <body>
	<p>Hello World!</p>
  </body>
</html>
* Connection #0 to host localhost left intact

As the Server: Apache/2.4.52 (Unix) field shows, the container is finally up to date and running with the latest version of the httpd image. That’s the whole process of quickly updating the image manually.
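The single-container check shown above (comparing the image ID a container was created from with the ID its image name resolves to after a pull) can be applied to every running container. The following is an added example, not part of the original article: the function names, the container names httpd-new and orphan, and the demo resolver are hypothetical, and the two image IDs are the httpd IDs from this article.

```shell
#!/bin/sh
# Added example, not from the article. Finds running containers that still use
# an image ID their image name no longer points to (pulled but not recreated).

# resolve_tag IMAGE_NAME: print the ID that name resolves to in local storage.
resolve_tag() { podman image inspect --format '{{.Id}}' "$1" 2>/dev/null; }

# live_inventory: one "NAME IMAGE_ID IMAGE_NAME" line per running container,
# built from the same inspect fields the article prints.
live_inventory() {
    podman ps --format '{{.Names}}' | while read -r n; do
        printf '%s ' "$n"
        podman inspect "$n" --format '{{.Image}} {{.ImageName}}'
    done
}

# stale_containers [RESOLVER]: read inventory lines on stdin and print
# "NAME OLD_ID -> NEW_ID" for every container that needs to be recreated.
stale_containers() {
    resolver=${1:-resolve_tag}
    while read -r name image_id image_name; do
        [ -n "$name" ] || continue
        if ! current=$("$resolver" "$image_name"); then
            echo "$name: $image_name not found locally" >&2
            continue
        fi
        [ "$current" = "$image_id" ] || echo "$name $image_id -> $current"
    done
}

# Constructed demo: IDs are the two httpd image IDs from the article; the
# container names httpd-new and orphan and the resolver are hypothetical.
OLD_ID=ea28e1b82f314092abd3f90a69e57d6ccf506382821ee0b8d9b48c3e47440c1f
NEW_ID=dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
demo_resolver() {
    [ "$1" = docker.io/library/httpd:latest ] && echo "$NEW_ID"
}
demo_stale() {
    stale_containers demo_resolver <<EOF
httpd $OLD_ID docker.io/library/httpd:latest
httpd-new $NEW_ID docker.io/library/httpd:latest
orphan $OLD_ID localhost/removed:latest
EOF
}

demo_stale   # on a real host: live_inventory | stale_containers
```

Run the live form with the same privileges as the containers you want to check, since rootful and rootless Podman keep separate image and container storage.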

You might say, “That’s good, but it’s prone to errors. Is there some automatic way to run all this?” Of course there is! For that, I recommend two great articles from members of the community: “Retrieving podman images from the container repository” and “How to use auto-update and restore in Podman”.

Stay relevant

Keeping container images up to date is essential to running and managing a containerized environment. This approach provides several key benefits:

  • This allows your applications to have the latest versions of certain packages and tools.
  • It also ensures that you can make the necessary changes to the application at the image level.
  • This improves the security of your infrastructure as the images will always contain the latest security patches and bug fixes.

