It is important that we keep our containers updated to ensure that we have the latest security patches and features. In this tutorial, I will show you two methods to keep your containers updated.

Method 1: Using Watchtower

Watchtower is a container that automatically updates your Docker containers. It is a great tool for keeping your containers up to date without having to manually update them. The use of Watchtower is somewhat controversial in the Docker community because it can cause issues with certain containers that may have breaking changes.

In my opinion, I believe this is more on a non-issue and anyone complaining about this has poorly implemented this container in their environment. One could consider this a “skill issue” rather than a “tool issue” and I am among those who believe this.

You can use this Docker-Compose yml configuration to set up Watchtower. Remember to change the network to work with your environment.

services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    networks:
      - proxy
    restart: unless-stopped
    environment:
      WATCHTOWER_HEALTHCHECK_CMD: "ps aux | grep -qE 'java|node|ruby|python|php' && exit 1 || true"
      WATCHTOWER_SCHEDULE: "0 0/12 * * *"  # Run every 12 hours

networks:
  proxy:
    external: true

Watchtower uses cron syntax for scheduling updates. The above configuration will check for updates every 12 hours. You can adjust this as needed. If you need help with cron syntax, you can use cron.help. Also, it’s worth mentioning that cron uses UTC time, so keep that in mind when setting up your schedule.

By default, Watchtower watches all containers. For those who don’t trust developers to not break their containers, you can add a label to the containers you want excluded. The label is com.centurylinklabs.watchtower.enable=false. Here is an example of how you would add this to a container.

services:
  mycontainer:
    image: myimage:latest
    container_name: mycontainer
    networks:
      - proxy
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.enable=false

Method 2: Diun Discord Notifications and Manual Updates

If you’re not comfortable with Watchtower automatically updating your containers, you can use Diun. Diun is a container that checks for updates and sends notifications to your preferred service. This is a great way to keep track of updates without automatically applying them.

Personally, I am not the biggest fan of this method because it requires manual intervention to update the containers. I tried for several weeks to get this to work in my environment, but I found it to be more of a hassle than it was worth. I would recommend using Watchtower if you’re comfortable with it.

We will be using a config file in addition to the Docker-Compose yml file. In a directory, create a docker-compose.yml file and a diun.yml file. Here is an example of the diun.yml file. It uses Discord for notifications, but you can use other services as well. Read the Diun documentation for more information.

watch:
  workers: 20
  schedule: "* */6 * * *"

providers:
  docker:
    watchStopped: true
    watchByDefault: true

defaults:
  notifyOn:
    - new
    - update

notif:
  discord:
    webhookURL: <webhookURL>
    mentions:
      - "@everyone"
    renderFields: true
    timeout: 10s
    templateBody: |
      Docker tag {{ .Entry.Image }} which you subscribed to through {{ .Entry.Provider }} provider has been released.

Again, the schedule is in cron syntax. The above configuration will check for updates every 6 hours. You can adjust this as needed. You will need to replace <webhookURL> with your Discord webhook URL. If you need help setting up a Discord webhook, you can use this guide.

You can use this Docker-Compose yml configuration to set up Diun. Remember to change the network to work with your environment.

services:
  diun:
    image: crazymax/diun:latest
    container_name: diun
    command: serve
    networks:
      - proxy
    volumes:
      - "./data:/data"
      - "./diun.yml:/diun.yml:ro"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - "TZ=America/New_York"
      - "DIUN_WATCH_WORKERS=20"
      - "LOG_LEVEL=info"
      - "LOG_JSON=false"
    labels:
      - "diun.enable=true"
    restart: always

networks:
  proxy:
    external: true

This configuration will set up Diun to check for updates every 6 hours. You can adjust this as needed. The diun.yml file will be mounted to the container, so make sure it is in the same directory as the docker-compose.yml file.

Conclusion

Keeping your containers updated is crucial for maintaining a secure and efficient environment. Whether you choose to use Watchtower or Diun, it is important to have a system in place to ensure that your containers are up-to-date. I hope this tutorial has helped you understand the importance of container updates and how to implement them in your environment.