What are you using to update your Docker images?
While I’m a big proponent of version pinning your critical services, if you’re running stuff in Docker Swarm, Shepherd is a solid service updater for the less critical things.
After too many wild rides with Watchtower auto-nuking services, thanks to breaking changes (migrations, DB updates, deployment changes, etc), I switched to What’s Up Docker and pin the version for all of my containers.
WUD lets me know when something has an update, so I periodically go through their release notes and do the update(s) manually. Usually it’s as simple as reading the notes, changing the version in compose, down (or pull), then “up -d”. But this approach has saved my bacon multiple times.
I’ve seen there are other solutions - of varying degrees of promises vs delivery - but most of my stuff is long term and stable. My approach maintains all that.
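The “pin the tag, read the notes, bump it by hand, pull, up -d” routine described above, written out as a small POSIX shell script. This is an added example, not code from the thread or from WUD; it assumes a compose file with two-space indented service names and unquoted `image: repo:tag` lines (the constructed file in `demo` shows the shape). The one deliberate extra is that `bump_tag` refuses to touch a service that is not pinned at all (`:latest` or no tag), since silently “bumping” such a line would hide the fact that the service was floating.

```shell
#!/bin/sh
# Added example: manual, pinned-version Docker Compose updates.
# Assumes two-space indented service names and unquoted "image: repo:tag" lines.
set -eu

# Shared awk prologue: remember which service the current line belongs to.
_svc_track='
  /^[^ \t#]/ { cur = "" }                            # top-level key: outside any service
  /^  [A-Za-z0-9_.-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur) }
'

# current_tag FILE SERVICE: print the tag SERVICE is pinned to
# ("latest" when the image has no tag, which is what Docker would pull).
current_tag() {
  awk -v svc="$2" "$_svc_track"'
    cur == svc && /^[ \t]*image:/ {
      img = $2; sub(/@sha256:[0-9a-f]+$/, "", img)   # ignore a digest suffix
      if (match(img, /:[^:\/]+$/)) print substr(img, RSTART + 1); else print "latest"
      exit
    }' "$1"
}

# bump_tag FILE SERVICE NEWTAG: rewrite SERVICE's image tag in place.
# Returns 2 without touching the file when the service is not pinned
# (":latest" or no tag): those lines need a human, not a sed.
bump_tag() {
  tmp=$(mktemp)
  if awk -v svc="$2" -v tag="$3" "$_svc_track"'
    cur == svc && /^[ \t]*image:/ {
      img = $2; sub(/@sha256:[0-9a-f]+$/, "", img)   # a digest pin is dropped; re-pin after pulling
      if (!match(img, /:[^:\/]+$/) || substr(img, RSTART + 1) == "latest") {
        print "bump_tag: " svc " is not pinned (" img "), refusing" > "/dev/stderr"
        bad = 1; exit 2
      }
      sub(/:[^:\/]+$/, "", img)                      # strip the old tag; a registry port survives
      match($0, /^[ \t]*/)                           # keep the original indentation
      $0 = substr($0, 1, RLENGTH) "image: " img ":" tag
      found = 1
    }
    { print }
    END {
      if (bad) exit 2
      if (!found) { print "bump_tag: no image line for service " svc > "/dev/stderr"; exit 1 }
    }' "$1" > "$tmp"
  then
    mv "$tmp" "$1"
  else
    rc=$?; rm -f "$tmp"; return "$rc"
  fi
}

# apply_update FILE SERVICE: the "pull, then up -d" half. Only run this after
# the release notes have been read and bump_tag has succeeded.
apply_update() {
  docker compose -f "$1" pull "$2"
  docker compose -f "$1" up -d "$2"
}

# demo: a constructed compose file (not a real deployment) showing one bump
# and one refusal. No docker call is made here.
demo() {
  d=$(mktemp -d)
  cat > "$d/compose.yml" <<'EOF'
services:
  web:
    image: ghcr.io/example/web:1.4.2
  api:
    image: example/api:latest
EOF
  echo "web before: $(current_tag "$d/compose.yml" web)"
  bump_tag "$d/compose.yml" web 1.5.0
  echo "web after:  $(current_tag "$d/compose.yml" web)"
  if bump_tag "$d/compose.yml" api 2.0; then echo "unexpected"; else echo "api left alone (exit $?)"; fi
  rm -r "$d"
}
demo
```

`bump_tag` and `apply_update` are deliberately separate functions: the edit is the reviewable step, the pull/up is the one that changes what runs, and the script never does the second without a person having asked for the first.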
I theoretically have Diun set up, but realistically I just run my Ansible playbook weekly and have most containers set to latest. The exceptions are things that sometimes need special steps when upgrading, such as Immich, or critical stuff I want to give special attention to, such as Authelia/Authentik. For those I subscribe to their releases via RSS so I can update them easily, which usually is just changing a value in my Ansible configuration, but if extra changes are needed I can adapt them.
In reality for me it’s German CERT sending me emails that my n8n is again out of date with tons of CVEs.
I generally don’t update automatically; I currently use WUD. It works fine for image checking and notifications and I’ve had no need to change it for now, but I am thinking of trying Dockhand too.
Quadlets. Auto update and auto rollback if the new image fails to start. Plus easier management overall, too.
All my docker images are in code in Github.
Renovate makes a PR when there are image or helm chart updates.
ArgoCD sees the PR merge and applies to Kubernetes.
For a few special cases I use ArgoCD-image-updater.
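For the Renovate half of a pipeline like the one above, an added example of a `renovate.json` (my configuration, not the poster's; which update types get automerged is an assumption on my part). Besides watching for new tags it pins every image to a digest, so a tag that is quietly re-pushed in the registry cannot change what ArgoCD deploys, and it lets only digest and patch bumps merge on their own; minor and major bumps stay open as PRs whose release notes get read first.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", "docker:pinDigests"],
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Digest and patch bumps of images: merge unattended",
      "matchDatasources": ["docker"],
      "matchUpdateTypes": ["digest", "patch"],
      "automerge": true
    },
    {
      "description": "Minor and major bumps wait for a human to read the release notes",
      "matchDatasources": ["docker"],
      "matchUpdateTypes": ["minor", "major"],
      "automerge": false
    }
  ]
}
```

Renovate only automerges a branch whose status checks pass, so the repository needs at least one real check (a manifest lint or a dry-run apply) for the first rule to do anything safely.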
+1 for Renovate. It’s not a drop-in replacement for Watchtower, but it allowed me to create a robust CI/CD pipeline. And, it can be centrally run, instead of having Watchtower running on every Docker host I have.
I use dockwatch, but not for automatic updates. I just update after reviewing the changelog and user reports.
Dockhand can search for updates but you have to install them manually. Which I prefer anyway, plus Dockhand also replaced Portainer/Komodo for me.
In the same boat but with Arcane
Even better, Dockhand can send notifications when updates are available. I used to be a Watchtower user with nightly updates until one of my services became unavailable the next day due to a breaking change. Now I look at the update notification and apply manually through Dockhand after reviewing to make sure the update is good. Dockhand also can run Grype and/or Trivy vulnerability scans on new images so you know approximately how many CVEs you’re adding to your network with each new or updated container! 🤣 I liked Portainer a lot but have grown to like Dockhand a lot. I’m having some issues with updates and vulnerability scanning on Hawser nodes so I’ve also tried Komodo and Arcane. Not sure which I’ll end up with long-term, but Dockhand is my favorite overall. What’s your opinion on these tools? Have you run into any issues with Dockhand?
I haven’t tried Arcane. I prefer Komodo’s interface over Portainer but Portainer worked better for me. I was running Portainer and Dockpeek for updates but Dockhand has replaced both, and IMO the interface is even better than Komodo’s. I’m still learning, there are features I don’t know much about like stack management, which I still do manually.
You have an option to install them automatically in the settings or per container.
Good to know. Personally I prefer to review the changelogs before updating, though.
I’m using Komodo for deploying and auto updates.
Is there something wrong with Watchtower I missed?
It’s not maintained anymore but there is a fork. Someone else posted the link.
I just use my free Portainer Business for 3 nodes to show in the containers view which ones are outdated, and I check it regularly. Really wish there could be some kind of notification, but oh well. I also follow the releases for all the projects I self host so I know when to check. Automating this makes me too nervous for comfort.
I’m thinking of using Dockcheck. It’s not a drop-in replacement for Watchtower, but you probably can whip up a quick systemd service to run it.
Never used it, but TugTainer. I use the fork of Watchtower and run it with '--run-once' '--cleanup'. You can run it and let it update your containers as soon as an update is available, but I just like to run it manually.