If you run long-lived containers on Linux, "just pull the new image and restart it later" usually turns into "I'll do it this weekend". That is how drift sneaks in.

Podman already has a cleaner answer. Its auto-update flow can check for a new image, pull it, and restart the corresponding systemd unit. Better yet, it can roll back if the restart fails. The catch is that you need to wire it up the right way. In practice, that means:

- run the container through a systemd unit
- use a fully qualified image reference for registry-based updates
- add a readiness signal so rollback can detect bad starts reliably
- add a health check so broken containers do not look healthy by accident

Here is a practical setup for a rootless container managed with Quadlet.

What Podman auto-update actually does

According to podman-auto-update(1), Podman can update containers that run inside systemd units. It checks containers marked for auto-update, pulls a newer image when available, and restarts the unit that owns the container.…
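The four requirements listed above (systemd unit, fully qualified image, readiness signal, health check), assembled into a single rootless Quadlet unit file. This is an added example, not a file from the original post: the container name `webapp`, the image reference `registry.example.com/team/webapp:1.4`, the port and the `/healthz` endpoint are assumed placeholders, and the health command assumes `curl` exists inside the image.

```ini
# ~/.config/containers/systemd/webapp.container
# Rootless Quadlet unit (path is the standard rootless Quadlet directory; names below are assumed).
[Unit]
Description=Example web app managed by Quadlet with Podman auto-update

[Container]
# Fully qualified reference (registry host, namespace, name, tag): registry-based
# auto-update needs this so Podman knows exactly where to look for a newer image.
Image=registry.example.com/team/webapp:1.4
# Opt the container into the auto-update flow; Quadlet sets the
# io.containers.autoupdate=registry label on the container for you.
AutoUpdate=registry
PublishPort=127.0.0.1:8080:8080

# Health check: a container that starts but cannot serve its own health endpoint
# is reported unhealthy instead of silently passing as "running".
HealthCmd=curl -fsS http://127.0.0.1:8080/healthz || exit 1
HealthInterval=10s
HealthTimeout=3s
HealthRetries=3
HealthStartPeriod=20s

# Readiness signal: with Notify=healthy the systemd unit only reaches "active" once the
# health check passes. A bad start therefore fails the unit, which is the condition
# podman auto-update uses to roll back to the previously running image.
Notify=healthy

[Service]
Restart=on-failure
# Give the unit long enough to become healthy before systemd declares the start failed.
TimeoutStartSec=120

[Install]
WantedBy=default.target
```

After saving the file, run `systemctl --user daemon-reload` and `systemctl --user start webapp.service`, then enable the periodic check with `systemctl --user enable --now podman-auto-update.timer`. For a rootless user the timer only fires while a user session exists, so `loginctl enable-linger <user>` is needed on a server. `podman auto-update --dry-run` shows which units would be updated without touching them, and `podman healthcheck run webapp` (assuming the container name above) lets you exercise the health command by hand before relying on it for rollback.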