percona · catalinaadam · Nov 20, 2024 · Oct 4, 2024 · Oct 4, 2024 · Oct 7, 2024
@@ -2,18 +2,20 @@
 
 This section provides instructions for running PMM Server with Podman based on our [Docker image](https://hub.docker.com/r/percona/pmm-server).
 
+## About Podman
+
 
 !!! seealso alert alert-info "See also"
     - [Docker](../docker/index.md) 
     - Other [tags](https://hub.docker.com/r/percona/pmm-server/tags) are available.
 
-Podman is an open-source project available on most Linux platforms and resides on [GitHub](https://github.com/containers/podman). Podman is a daemonless container engine for developing, managing, and running Open Container Initiative (OCI) containers and container images on your Linux System. 
+Podman is an open-source, daemonless container engine for developing, managing, and running Open Container Initiative (OCI) containers and container images on Linux systems. It is widely supported across Linux distributions and hosted on [GitHub](https://github.com/containers/podman).
 
-Non-privileged users could run containers under the control of Podman.
+One of Podman’s advantages is that it allows non-privileged users to run containers, enhancing security by avoiding elevated permissions.
 
-It could be just aliased (`alias docker=podman`) with docker and work with the same way. All instructions from [Docker](../docker/index.md) section also apply here.
+Podman is compatible with Docker; by using an alias (`alias docker=podman`), you can run Docker commands seamlessly with Podman. All instructions in the Docker section apply to Podman as well.
 
-Percona recommends running PMM as a non-privileged user and running it as part of the SystemD service provided. SystemD service ensures that the service is running and maintains logs and other management features (start, stop, etc.).
+Percona recommends running PMM with Podman as a non-privileged user and as part of the provided SystemD service. SystemD helps ensure that the service is actively running and offers logging and management functions, such as start, stop, and restart.
 
 ## Before you start
 
@@ -26,6 +28,145 @@ Percona recommends running PMM as a non-privileged user and running it as part o
       - Grant Watchtower access to the Docker socket to monitor and manage containers effectively, ensuring proper security measures are in place to protect the Docker socket.
       - Verify that both Watchtower and PMM Server are on the same network, or ensure PMM Server can connect to Watchtower for communication. This network setup is essential for PMM Server to initiate updates through Watchtower.
 
+## Update mechanism
+
+PMM Server updates work differently in Podman compared to Docker due to security policies:
+
+- Docker updates use a simpler flow where PMM Server directly instructs Watchtower to replace the Docker container in one step.
+- Podman updates require SystemD integration and follow a multi-step process with environment file changes for better security isolation.
+
+## Install
+
+You can install PMM with either automated UI-based updates or a manual update method, depending on your preferences.
+
+The UI-based method, using Watchtower, enables direct updates from the web interface without requiring command-line access and automates the process. 
+
+On the other hand, the manual method offers a simpler setup with complete control over updates and no need for additional services, but it requires command-line access and manual intervention to track and apply updates.
+
+=== "Installation with UI updates"
+
+    This method enables updates through the PMM web interface using Watchtower and SystemD services. When you initiate an update in the UI, PMM Server updates its image reference, prompting Watchtower to pull the new image. Watchtower then stops the existing container, and SystemD automatically restarts it with the updated image.
+    {.power-number}
+
+    1. Create PMM Server service file at `~/.config/systemd/user/pmm-server.service`:
+
+        ```sh
+        [Unit]
+        Description=pmm-server
+        Wants=network-online.target
+        After=network-online.target
+        After=nss-user-lookup.target nss-lookup.target
+        After=time-sync.target
+        [Service]
+        EnvironmentFile=~/.config/systemd/user/pmm-server.env
+        Restart=on-failure
+        RestartSec=20
+        ExecStart=/usr/bin/podman run \
+            --volume ~/.config/systemd/user/:/home/pmm/update/ \
+            --rm --replace=true --name %N \
+            --env-file=~/.config/systemd/user/pmm-server.env \
+            --net pmm_default \
+            --cap-add=net_admin,net_raw \
+            --userns=keep-id:uid=1000,gid=1000 \
+            -p 443:8443/tcp --ulimit=host ${PMM_IMAGE}
+        ExecStop=/usr/bin/podman stop -t 10 %N
+        [Install]
+        WantedBy=default.target
+        ```
+
+    2. Create the environment file at `~/.config/systemd/user/pmm-server.env`:
+
+        ```sh
+        PMM_WATCHTOWER_HOST=http://watchtower:8080
+        PMM_WATCHTOWER_TOKEN=123
+        PMM_IMAGE=docker.io/perconalab/pmm-server:3
+        ```
+
+    3. Create or update the Watchtower service file at `~/.config/systemd/user/watchtower.service`:
+
+        ```sh
+        [Unit]
+        Description=watchtower
+        Wants=network-online.target
+        After=network-online.target
+        After=nss-user-lookup.target nss-lookup.target
+        After=time-sync.target
+        [Service]
+        Restart=on-failure
+        RestartSec=20
+        Environment=WATCHTOWER_HTTP_API_UPDATE=1
+        Environment=WATCHTOWER_HTTP_API_TOKEN=123
+        Environment=WATCHTOWER_NO_RESTART=1
+        Environment=WATCHTOWER_DEBUG=1
+        ExecStart=/usr/bin/podman run --rm --replace=true --name %N \
+            -v ${XDG_RUNTIME_DIR}/podman/podman.sock:/var/run/docker.sock \
+            -e WATCHTOWER_HTTP_API_UPDATE=${WATCHTOWER_HTTP_API_UPDATE} \
+            -e WATCHTOWER_HTTP_API_TOKEN=${WATCHTOWER_HTTP_API_TOKEN} \
+            -e WATCHTOWER_NO_RESTART=${WATCHTOWER_NO_RESTART} \
+            -e WATCHTOWER_DEBUG=${WATCHTOWER_DEBUG} \
+            --net pmm_default \
+            --cap-add=net_admin,net_raw \
+            docker.io/perconalab/watchtower:latest
+        ExecStop=/usr/bin/podman stop -t 10 %N
+        [Install]
+        WantedBy=default.target
+        ```
+
+    4. Start services:
+
+        ```sh
+        systemctl --user enable --now pmm-server
+        systemctl --user enable --now watchtower
+        ```
+
+    5. Go to `https://localhost:8443` to access the PMM user interface in a web browser. If you are accessing the host remotely, replace `localhost` with the IP or server name of the host.
+
+=== "Installation with manual updates"
+
+    The installation with manual updates offers a straightforward setup with direct control over updates, without relying on additional services. In this approach, you manually update the `PMM_IMAGE` in the environment file and restart the PMM Server service. SystemD then automatically manages the container replacement.
+    {.power-number}
+
+    1. Create PMM Server service file at `~/.config/systemd/user/pmm-server.service`:
+
+        ```sh
+        [Unit]
+        Description=pmm-server
+        Wants=network-online.target
+        After=network-online.target
+        After=nss-user-lookup.target nss-lookup.target
+        After=time-sync.target
+        [Service]
+        EnvironmentFile=~/.config/systemd/user/pmm-server.env
+        Restart=on-failure
+        RestartSec=20
+        ExecStart=/usr/bin/podman run \
+            --rm --replace=true --name %N \
+            --env-file=~/.config/systemd/user/pmm-server.env \
+            --net pmm_default \
+            --cap-add=net_admin,net_raw \
+            --userns=keep-id:uid=1000,gid=1000 \
+            -p 443:8443/tcp --ulimit=host ${PMM_IMAGE}
+        ExecStop=/usr/bin/podman stop -t 10 %N
+        [Install]
+        WantedBy=default.target
+        ```
+
+    2. Create the environment file at `~/.config/systemd/user/pmm-server.env`:
+
+        ```sh
+        PMM_IMAGE=docker.io/perconalab/pmm-server:3
+        ```
+
+    3. Start services:
+
+        ```sh
+        systemctl --user enable --now pmm-server
+        ```
+
+    4. Go to `https://localhost:8443` to access the PMM user interface in a web browser. If you are accessing the host remotely, replace `localhost` with the IP or server name of the host.
+
+    For information on manually upgrading, see [Upgrade PMM Server using Podman](../../../../pmm-upgrade/upgrade_podman.md).
+=======
 ## Run as non-privileged user to start PMM
 
 ??? info "Summary"

@@ -7,7 +7,7 @@ Before starting the upgrade, complete these preparation steps to ensure you can
 
 1. Create a backup before upgrading, as downgrades are not possible. Therefore, reverting to a previous version requires an backup made prior to the upgrade.
 
-2. Verify your current PMM version: Check your current PMM version by navigating to **PMM Configuration > Updates** or by running the following command. 
+2. Verify your current PMM version: Check your current PMM version by navigating to **PMM Configuration > Updates** or by running the following command: 
 
     ```sh
     podman exec -it pmm-server \
@@ -21,15 +21,16 @@ Follow these steps to upgrade your PMM Server while preserving your monitoring d
 
 1. [Back up your data](../install-pmm/install-pmm-server/baremetal/podman/backup_container_podman.md).
 
-2. Update PMM tag by editing `~/.config/pmm-server/env` file and running the following command to set the latest release version:
+2. Update PMM tag by editing `~/.config/systemd/user/pmm-server.env` file and running the following command to set the latest release version:
+
     ```sh
-    sed -i "s/PMM_TAG=.*/PMM_TAG=3.0.0/g" ~/.config/pmm-server/env
+    sed -i "s/PMM_IMAGE=.*/PMM_IMAGE=docker.io/percona/pmm-server:3.0.0/g" ~/.config/systemd/user/pmm-server.env
     ```
 
 3. Pre-pull the new image to ensure a faster restart:
 
     ```sh
-    source ~/.config/pmm-server/env
+    source ~/.config/systemd/user/pmm-server.env
     podman pull ${PMM_IMAGE}:${PMM_TAG}
     ```
 
@@ -45,7 +46,7 @@ Follow these steps to upgrade your PMM Server while preserving your monitoring d
     podman ps | grep pmm-server
     ```
 
-3. Check the logs for any errors:
+6. Check the logs for any errors:
 
     ```sh
     podman logs pmm-server

@@ -23,11 +23,19 @@ This change comes with proactive notifications, alerting you immediately when ne
 When migrating from PMM v2 to PMM v3, you’ll need to update your environment variables to match the new naming convention. This is because PMM v3 introduces several important changes to improve consistency and clarity:
 
 - environment variables now use PMM_ prefix
-- some boolean flags reversed (e.g., `DISABLE_` → `ENABLE_`)
+- some boolean flags reversed (e.g., `DISABLE_` > `ENABLE_`)
 - removed deprecated variables
 
 To check the Migration reference table, see [Environment variables in PMM](../install-pmm/install-pmm-server/baremetal/docker/env_var.md##variables-for-migrating-from-pmm-v2-to-pmm-v3).
 
+### UI-based upgrades for Podman installations
+
+You can now upgrade PMM Server installations running under Podman directly through the **PMM Configuration > Updates** panel in the UI. 
+
+This functionality integrates Watchtower for automated container updates and requires configuration of new environment variables (`PMM_WATCHTOWER_HOST`, `PMM_WATCHTOWER_TOKEN`) as well as relevant systemd service settings.
+
+For detailed configuration instructions, see [Installation with UI updates](../install-pmm/install-pmm-server/baremetal/podman/index.md).
+
 ### Encryption of sensitive data
 
 To strengthen the security of your monitoring setup, all sensitive information stored in the PMM Server database, including usernames, passwords, AWS keys, Azure credentials, and TLS/SSL certificates, is now encrypted.

@@ -18,7 +18,7 @@ If you have any templates available in the  `/srv/ia/templates` folder, make sur
 
 If you get an email or page from your system that the IP is not reachable from outside my organization, do the following:
 
-To configure your PMM Server’s Public Address, select <i class="uil uil-cog"></i> **Configuration** → <i class="uil uil-setting"></i> **Settings* → *Advanced Settings**, and supply an address to use in your alert notifications.
+To configure your PMM Server’s Public Address, select  **PMM Configuration > Settings > Advanced Settings**, and supply an address to use in your alert notifications.
 
 ## Alert Rule Templates are disabled