From 4c963e2930bb3ac7a4d553ebb084d9b86e5d50d1 Mon Sep 17 00:00:00 2001
From: Igor Pecovnik <igor@armbian.com>
Date: Sun, 18 Jan 2026 11:38:49 +0100
Subject: [PATCH] docker: improve auto-pull cronjob with opt-in flag and
 cleanup

- Add ARMBIAN_DOCKER_AUTO_PULL environment variable (opt-in, must be explicitly set to "yes")
- Move auto-pull cronjob setup from requirements to docker CLI
- Add automatic cleanup of cronjob files when flag is disabled/removed
- Remove verbose "unchanged" messages for cleaner output
- Simplify control flow in docker_ensure_auto_pull_cronjob()
---
 lib/functions/cli/cli-docker.sh       |  6 +++++
 lib/functions/cli/cli-requirements.sh |  6 -----
 lib/functions/host/docker.sh          | 39 +++++++++++++++++++++------
 3 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/lib/functions/cli/cli-docker.sh b/lib/functions/cli/cli-docker.sh
index 5fd9cbfad1..761bf4a7b5 100644
--- a/lib/functions/cli/cli-docker.sh
+++ b/lib/functions/cli/cli-docker.sh
@@ -48,6 +48,12 @@ function cli_docker_run() {
 
 	LOG_SECTION="docker_cli_prepare" do_with_logging docker_cli_prepare
 
+	# Ensure Docker auto-pull cronjob is installed (controlled by ARMBIAN_DOCKER_AUTO_PULL flag)
+	# Only run this when not generating Dockerfile only
+	if [[ "${DOCKERFILE_GENERATE_ONLY}" != "yes" ]]; then
+		docker_ensure_auto_pull_cronjob
+	fi
+
 	# @TODO: and can be very well said that in CI, we always want FAST_DOCKER=yes, unless we're building the Docker image itself.
 	if [[ "${FAST_DOCKER:-"no"}" != "yes" ]]; then # "no, I want *slow* docker" -- no one, ever
 		LOG_SECTION="docker_cli_prepare_dockerfile" do_with_logging docker_cli_prepare_dockerfile
diff --git a/lib/functions/cli/cli-requirements.sh b/lib/functions/cli/cli-requirements.sh
index ffd4665192..3c5ad4b9be 100644
--- a/lib/functions/cli/cli-requirements.sh
+++ b/lib/functions/cli/cli-requirements.sh
@@ -47,10 +47,4 @@ function cli_requirements_run() {
 	fi
 
 	display_alert "Done with" "@host dependencies" "cachehit"
-
-	# Ensure Docker auto-pull cronjob is installed if Docker is available
-	if [[ -n "$(command -v docker)" ]]; then
-		display_alert "Docker" "ensuring auto-pull cronjob is installed" "info"
-		docker_ensure_auto_pull_cronjob
-	fi
 }
diff --git a/lib/functions/host/docker.sh b/lib/functions/host/docker.sh
index 6096480098..85f8220c0d 100644
--- a/lib/functions/host/docker.sh
+++ b/lib/functions/host/docker.sh
@@ -711,6 +711,7 @@ function docker_pull_with_marker() {
 
 # Setup or update system cronjob to automatically pull Docker images
 # This ensures images are always fresh before builds start
+# Controlled by ARMBIAN_DOCKER_AUTO_PULL environment variable (must be explicitly set to "yes" to enable)
 function docker_setup_auto_pull_cronjob() {
 	if [[ ! -d /etc/cron.d ]]; then
 		exit_with_error "Docker auto-pull cronjob" "cron not available; /etc/cron.d does not exist on this system"
@@ -813,7 +814,6 @@ function docker_setup_auto_pull_cronjob() {
 		stored_hash="$(cat "${hash_file}")"
 		if [[ "${stored_hash}" == "${current_hash}" ]]; then
 			needs_update="no"
-			display_alert "Docker auto-pull" "configuration unchanged, no update needed" "debug"
 		else
 			display_alert "Docker auto-pull" "configuration changed, updating" "info"
 		fi
@@ -848,16 +848,39 @@ function docker_setup_auto_pull_cronjob() {
 }
 
 # Check if auto-pull cronjob is installed, and install if not or outdated
+# Controlled by ARMBIAN_DOCKER_AUTO_PULL environment variable (must be explicitly set to "yes" to enable)
 function docker_ensure_auto_pull_cronjob() {
 	declare wrapper_script="/usr/local/bin/armbian-docker-pull"
+	declare cron_file="/etc/cron.d/armbian-docker-pull"
 	declare hash_file="/var/lib/armbian/docker-pull.hash"
 
-	# Always call docker_setup_auto_pull_cronjob - it will check hashes and only update if needed
-	if [[ ! -f "${wrapper_script}" ]] || [[ ! -f "${hash_file}" ]]; then
-		display_alert "Docker auto-pull cronjob" "wrapper or hash file missing, installing now" "info"
-		docker_setup_auto_pull_cronjob
-	else
-		# Still call setup to check for updates via hash comparison
-		docker_setup_auto_pull_cronjob
+	# Only proceed if ARMBIAN_DOCKER_AUTO_PULL is explicitly set to "yes"
+	if [[ "${ARMBIAN_DOCKER_AUTO_PULL}" != "yes" ]]; then
+		# Remove cronjob, wrapper script, and hash file if they exist
+		if [[ -f "${cron_file}" ]] || [[ -f "${wrapper_script}" ]] || [[ -f "${hash_file}" ]]; then
+			display_alert "Docker auto-pull" "removing cronjob and wrapper script" "info"
+
+			if [[ -f "${cron_file}" ]]; then
+				run_host_command_logged sudo rm -f "${cron_file}"
+				display_alert "Removed" "cron file: ${cron_file}" "debug"
+			fi
+
+			if [[ -f "${wrapper_script}" ]]; then
+				run_host_command_logged sudo rm -f "${wrapper_script}"
+				display_alert "Removed" "wrapper script: ${wrapper_script}" "debug"
+			fi
+
+			if [[ -f "${hash_file}" ]]; then
+				run_host_command_logged sudo rm -f "${hash_file}"
+				display_alert "Removed" "hash file: ${hash_file}" "debug"
+			fi
+
+			display_alert "Docker auto-pull" "cronjob and wrapper script removed successfully" "info"
+		fi
+		return 0
 	fi
+
+	# ARMBIAN_DOCKER_AUTO_PULL is explicitly set to "yes", ensure cronjob is installed
+	# Always call docker_setup_auto_pull_cronjob - it will check hashes and only update if needed
+	docker_setup_auto_pull_cronjob
 }