Automatic container upgrades

Hello,

A few months ago, we created a tool to allow unattended upgrades of container images: upkick. This tool runs on all the nodes, connects to the local Docker socket and:

  • detects all images used by local containers;
  • pulls the detected images;
  • checks if the new image hash is the same as that of the containers using it;
  • stop+rm the container if the hash is different, forcing Rancher to recreate it with the new image.

This works rather well (although it is arguably a bit violent), but does not allow updating private images, as containers cannot access registry credentials using the Rancher API.

One option would be to use the Rancher API itself to perform the tasks. It would go like this:

  • detect all images used in the environment (using /containers);
  • pull the images (using /pullTask);
  • upgrade services using the image if it was modified (using /service).

Theoretically, this should work (and allow using only one upkick container per env instead of one per host). However, I fail to see how the Rancher API would let me know if an image was modified by the pull action. Is there such information?

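The "did the pull change the image" check described in the first list above, as an added example that is not part of the original post and is not upkick's code. It goes slightly beyond the post by skipping digest-pinned references and images whose pull failed (the private-registry case); the function names are hypothetical, the input fields are those of the Docker Engine API, and the sample data is constructed.

```python
# Added illustration, not upkick's code. Input dicts follow Docker Engine API
# fields: GET /containers/json ("Id", "Image", "ImageID") and the "Id" of
# GET /images/{name}/json after a pull. Function names are hypothetical.

def is_pullable_tag(ref):
    """True if ref is a tag reference whose content can change on pull."""
    if ref.startswith("sha256:"):   # container created from a bare image ID
        return False
    if "@sha256:" in ref:           # digest-pinned: never changes
        return False
    return True

def images_to_pull(containers):
    """Unique, sorted tag references used by local containers."""
    return sorted({c["Image"] for c in containers if is_pullable_tag(c["Image"])})

def stale_containers(containers, pulled_ids):
    """IDs of containers whose image ID differs from what the tag now resolves to.

    pulled_ids maps image reference -> image ID after the pull. A reference
    missing from the map (pull failed, e.g. no registry credentials) is
    skipped rather than treated as changed, so a failed pull never triggers
    a stop+rm.
    """
    stale = []
    for c in containers:
        ref = c["Image"]
        if not is_pullable_tag(ref):
            continue
        new_id = pulled_ids.get(ref)
        if new_id is not None and new_id != c["ImageID"]:
            stale.append(c["Id"])
    return stale

# Constructed sample data (IDs shortened for readability).
CONTAINERS = [
    {"Id": "c1", "Image": "nginx:1.25", "ImageID": "sha256:aaa"},
    {"Id": "c2", "Image": "nginx:1.25", "ImageID": "sha256:aaa"},
    {"Id": "c3", "Image": "redis:7", "ImageID": "sha256:bbb"},
    {"Id": "c4", "Image": "app@sha256:ccc", "ImageID": "sha256:fff"},
    {"Id": "c5", "Image": "registry.example.com/private/api:latest", "ImageID": "sha256:ddd"},
]
PULLED = {"nginx:1.25": "sha256:eee", "redis:7": "sha256:bbb"}  # private pull failed

if __name__ == "__main__":
    print(images_to_pull(CONTAINERS))
    print(stale_containers(CONTAINERS, PULLED))
```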