Saltbox container and image updates
How application containers on saltierpoop (192.168.6.243) are deployed and
updated. This is separate from coordinated OS patching on the VM (weekly
apt from infra-services).
What homelab Ansible manages on saltierpoop
| Layer | Tool | What changes |
|---|---|---|
| VM OS | Homelab patching role (wave 0) | apt security upgrades, optional reboot |
| Git config / timers | ansible-pull on the VM | Tailscale, node_exporter, patch SSH trust, SOPS → Saltbox secrets files |
| Saltbox secrets only | saltbox-host role | accounts.yml, settings.yml from homelab SOPS |
Homelab does not run docker compose pull, bump image tags, or redeploy
Saltbox roles. There is no Komodo periphery on saltierpoop — all Komodo stacks
in services/komodo/resources.toml use server = "infra-services".
What Saltbox manages
Saltbox is the installer and config generator for ~50 containers on the VM. Authoritative paths:
| Path | Purpose |
|---|---|
| /srv/git/saltbox/ | Saltbox git checkout (sb CLI) |
| /srv/git/saltbox/inventories/host_vars/localhost.yml | Per-app overrides (sb edit inventory) |
| /srv/git/saltbox/accounts.yml | Credentials (homelab SOPS deploys) |
| /srv/git/saltbox/settings.yml | Global settings (homelab SOPS deploys) |
| /opt/<app>/ | Generated compose + config per role |
Deploy / recreate a role:
sb install renders compose from Saltbox inventory and (re)creates containers.
It is not a scheduled auto-updater — you run it when you change inventory or
want to redeploy.
Edit app config without full reinstall:
Inventory-only tweaks (VPN network mode, DNS flags, etc.):
How container images actually get newer versions
Saltbox roles pin images in generated compose (tags or :latest per role).
There is no homelab automation that pulls new images on a schedule.
| Approach | When to use |
|---|---|
| sb install <role> | After changing Saltbox inventory/config; recreates containers and typically pulls images per role definition |
| Portainer (https://portainer.realemail.app) | Manual pull/recreate per container; useful for one-off image bumps |
| docker pull + recreate | Direct, when you know the image name (bypasses Saltbox until next sb install) |
| Saltbox / Saltbox repo upgrade | Major Saltbox version bumps — follow Saltbox docs, then sb install affected roles |
Homelab monitoring on infra-services does not alert on stale Saltbox image
ages today — only VM OS patch staleness (patch.prom on the guest OS).
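
One way to surface image staleness alongside patch.prom, as an added example (not part of the homelab repo or Saltbox): convert docker image inspect output into node_exporter textfile metrics for image build age. The metric name saltbox_image_age_seconds, the floating_tag label, and the sample image names are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample, one JSON object per line, in the shape printed by
#   docker image inspect --format '{{json .}}' <image>...
# cut down to the two fields read below. Image names are placeholders.
SAMPLE = """\
{"RepoTags": ["example/plex:latest"], "Created": "2024-01-10T08:00:00.123456789Z"}
{"RepoTags": ["example/traefik:v3.0"], "Created": "2024-03-01T12:30:00Z"}
{"RepoTags": [], "Created": "2023-11-05T00:00:00Z"}
"""

def parse_created(value):
    """Parse Docker's UTC timestamp, dropping the nanoseconds datetime cannot hold."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)

def image_age_metrics(inspect_lines, now):
    """Return textfile-collector exposition text, one gauge sample per image tag."""
    out = [
        "# HELP saltbox_image_age_seconds Seconds since the image was built.",
        "# TYPE saltbox_image_age_seconds gauge",
    ]
    for line in inspect_lines.splitlines():
        if not line.strip():
            continue
        image = json.loads(line)
        # Images whose tag has since moved to a newer build show up untagged.
        tags = image.get("RepoTags") or ["<untagged>"]
        age = int((now - parse_created(image["Created"])).total_seconds())
        for tag in tags:
            floating = 1 if tag.endswith(":latest") else 0
            out.append(
                f'saltbox_image_age_seconds{{image="{tag}",floating_tag="{floating}"}} {age}'
            )
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(image_age_metrics(SAMPLE, datetime.now(timezone.utc)), end="")
```

Build age is a signal rather than proof that a newer image exists: a role pinned to a fixed tag can be old and still current, while an old :latest image usually means nobody has pulled since it was built.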
What coordinated patching does not update
- Plex, Sonarr, Radarr, Traefik, Authentik, etc. container images
- Saltbox-generated compose under /opt/*
- Media paths under /mnt/*
Those stay on Saltbox/operator lifecycle. VM reboot after OS patch may restart containers (Docker), but does not pull newer image layers.
Related
- saltierpoop appliance
- Coordinated OS patching — VM OS only
- Komodo README — infra-services stacks only
- Saltbox monitoring migration