Introduction
A regular problem with docker instances that are very "set and forget" is remembering to update all your images regularly, especially if you have a lot of them. Watchtower is a container that solves this for you by automatically checking for updates and updating the containers you specify on a schedule of your choosing.

Note: if you are using Gluetun you will want to exclude it from any watchtower config, as updating it will always break your setup and require a manual fix, which is inconvenient if you are not available to do it. To prevent this, either a) don't include Gluetun when making the list of containers to update or b) add the following property to your Gluetun compose file:

    labels:
      - com.centurylinklabs.watchtower.enable=false
This will exclude the Gluetun container when having watchtower set to "update everything".
Your Docker compose
Thankfully, setting up watchtower is incredibly simple. The docker compose is as follows:

    services:
      watchtower:
        image: containrrr/watchtower:latest
        container_name: watchtower
        environment:
          - TZ=Your/TZ
          - WATCHTOWER_CLEANUP=true
          - WATCHTOWER_INCLUDE_STOPPED=true
          - WATCHTOWER_REVIVE_STOPPED=false
          - WATCHTOWER_SCHEDULE=0 0 4 * * *
        command:
          # add or remove the below as required
          - container1
          - container2
          - container3
          - container4
          - container5
          - container6
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        restart: unless-stopped
Now, let's break down what each piece of the docker-compose does.
- image: This tells docker which image to download from the docker image repository, in this case watchtower. The :latest appended to it asks it to grab whatever image is tagged as "latest" in the selected repo.
- container_name: sets the name of the container in docker, which is also the name used when it is referenced by other services.
Next there are a number of environment variables set. I'll address them in order:
- TZ= This ensures the logs will be timestamped with a time that makes sense to you locally. Consult the tz database, find either your town or a town in the same time zone as you, and insert that instead of "Your/TZ".
- WATCHTOWER_CLEANUP= Setting this to true makes watchtower remove the old images after downloading the new ones, ensuring you don't end up with a ton of old images clogging up your hard drive.
- WATCHTOWER_INCLUDE_STOPPED= Setting this to true makes watchtower also update containers that are not running at the time it checks for updates.
- WATCHTOWER_REVIVE_STOPPED= When this is true, watchtower will also start any stopped containers that it updated during the check.
- WATCHTOWER_SCHEDULE= This sets the schedule on which watchtower checks for and updates your containers. If you have set cronjobs before on Linux, the value I have set in the example will look familiar. It uses cron syntax with an extra leading seconds field (hence six fields rather than the usual five), and if this is new to you I recommend checking out this cron expression generator. It will help you set up the schedule you want it to update on. In my example compose, this is set to "0 0 4 * * *", which tells the job to run every day at 4 AM (in the TZ you have selected).
Next up is actually an optional section. If you would like watchtower to upgrade every container you have, you can simply leave out the entire "command:" section. Not having the command section will make it update any and all containers that you have not explicitly excluded with the label I listed above for excluding Gluetun. I personally like to have it only update the containers I explicitly state, so I include it. Under the command section you simply list the "container_name:" value of any containers you would like to see updated. If you aren't sure about what name to use for a particular container, you can see all running containers along with their name identifiers by running docker ps -s in the terminal of the machine you are running docker on.
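As an added example (not from the original post or the Watchtower project), the script below previews which containers a given config would touch, applying the rules this guide describes: an explicit command list restricts updates to those names, the enable=false label excludes a container, and WATCHTOWER_INCLUDE_STOPPED decides whether stopped containers count. It also flags names in the command list that match no container, which catches typos before the 4 AM run. The container inventory is constructed inline; the assumption that the enable=false label wins even over an explicit name is labelled in the code.

```python
# Added example: dry-run of Watchtower's container selection as described in the guide.
# ASSUMPTION: a container labelled enable=false is skipped even if it is named in
# the command list. The inventory below is constructed, not real `docker ps` output.

ENABLE_LABEL = "com.centurylinklabs.watchtower.enable"

# Constructed sample inventory: what you would get from `docker ps -a` plus the
# Labels section of `docker inspect` for each container.
SAMPLE_CONTAINERS = [
    {"name": "gluetun",    "running": True,  "labels": {ENABLE_LABEL: "false"}},
    {"name": "container1", "running": True,  "labels": {}},
    {"name": "container2", "running": False, "labels": {}},
    {"name": "sonarr",     "running": True,  "labels": {}},
]


def plan_updates(containers, command_names=None, include_stopped=True):
    """Return (selected, skipped, unknown).

    selected: container names Watchtower would check and update.
    skipped:  {name: reason} for every container left alone.
    unknown:  names from the command list that match no container (typos).
    """
    names = set(c["name"] for c in containers)
    selected, skipped = [], {}
    for c in containers:
        name = c["name"]
        if c["labels"].get(ENABLE_LABEL, "").lower() == "false":
            skipped[name] = "excluded by %s=false label" % ENABLE_LABEL
        elif command_names and name not in command_names:
            skipped[name] = "not listed under command:"
        elif not c["running"] and not include_stopped:
            skipped[name] = "stopped and WATCHTOWER_INCLUDE_STOPPED=false"
        else:
            selected.append(name)
    unknown = [n for n in (command_names or []) if n not in names]
    return selected, skipped, unknown


if __name__ == "__main__":
    # "Update everything" mode (no command: section) versus an explicit list.
    for cmd in (None, ["gluetun", "container1", "contianer2"]):
        sel, skip, unk = plan_updates(SAMPLE_CONTAINERS, cmd, include_stopped=False)
        print("command:", cmd)
        print("  will update:", sel)
        for name, why in skip.items():
            print("  skip %-10s %s" % (name, why))
        if unk:
            print("  WARNING: no such container(s):", unk)
```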
Nearing the bottom, we have our volume. All this does is bind /var/run/docker.sock on your machine to /var/run/docker.sock inside the container. The left side of the colon is the path on your machine, the right side of the colon is the path inside the container. Watchtower needs this socket to talk to the Docker daemon, and whoever holds it can control every container on the host, which is why the container is given nothing else.
Lastly, restart: unless-stopped ensures that watchtower will restart itself if it crashes, unless you have manually stopped it.
After you have set all of these variables, you can spin up your docker container using the GUI of your choice or by running docker compose run watchtower. After that, all you have to do is wait for your specified schedule to trigger and then check the logs for the container. They will tell you when it made the check and how many containers were updated, so you'll be able to see that it is working.
Have questions? Ask in one of the Signal groups or contact me at cenotaph.contact@pm.me