
Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more.
Updating all Docker containers
I've been discovering docker in the past days and I now have several containers running on my Synology NAS via docker compose.
I was wondering how I can keep my containers up to date so that I don't miss security updates but I don't know how to best deal with it.
The first option I found would be to regularly go into each and every folder where my docker-compose files are and do the following, but it's too tedious to do it very regularly:
docker compose pull && docker compose up -d
The second option I came across is Watchtower but I read mixed things about it.
How do you handle this? Is there a more elegant solution?
Thanks!
Watchtower: https://containrrr.dev/watchtower/
But remember to pin the version number of the docker container to a specific version and avoid “latest”. At least for containers that you cannot afford to go down.
I personally keep containers like watchtower, portainer, docker-volume-backup, etc. at latest. But others like Nextcloud, Vaultwarden and importantly ALL DATABASES are pinned to specific version numbers.
Watchtower is probably all you need. You can set it to either automatically update containers when new images are published, or you can set it to notify you if you want to do it yourself. This can also be container-specific, so you don't have to set up more than one instance if you want to auto-update some and just be notified for others.
Some examples of stuff I have no issues with auto-updating:
Plex
the *arrs
Some examples of stuff I prefer a notification on because the data is critical
Vault/bitwarden
Databases like postgres, mysql etc. (though to be honest you shouldn't be using a 'latest' tag with those anyway)
My photo service stack
Your use-case may be different to others, and your fault tolerance may be higher or lower than others. If you expect to need or want to review all release notes for every single new image, don't auto update. If you reckon you'll just go with it anyway and see what happens, then you've got options to auto update or not, but at least know that a new image is out there.
Another notify-only option is Diun. If helpful, this blog explains the differences and how to set them both up https://academy.pointtosource.com/containers/updating-diun-watchtower/
Oh and to manually update stacks I created aliases so I can shorthand the processes to update more than one container at a time.
watchtower is as elegant as it gets.
What are the mixed things about Watchtower?
I've maybe had 2 total containers fail to start because of some bad code in an update from the maintainers. This was over a 2 year period out of a total of 50+ containers that are checked daily for updates. It's been far more a blessing than a curse, to put it in other words.
If you're still paranoid over certain containers, you can whitelist specific containers to be updated, so it doesn't have to be all or none.
Cron job to run that, then restart the containers or docker compose up -d if you want.
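For anyone who wants the manual "pull && up -d" routine from the question, the aliases mentioned in the reply above, and this cron idea in one place, here is an added example script (not posted by anyone in the thread). It walks every project directory under a root, runs `docker compose pull && docker compose up -d` in each, and prints what each image's tag resolved to before and after, so you can see whether a `latest` tag actually moved. It assumes the Compose v2 plugin (`docker compose`), one compose file per project directory directly under the root, and a root passed as the first argument; the paths below are placeholders, not anyone's real layout.

```shell
#!/bin/sh
# update-stacks.sh (added example, not from the thread): walk every project
# directory under a root, run "docker compose pull && docker compose up -d"
# in each, and print what each image's tag resolved to before and after,
# so a "latest" tag becomes something you can actually see change.
# Assumptions: Compose v2 plugin ("docker compose"), one compose file per
# project directory directly under the root (e.g. /volume1/docker/<project>/),
# root passed as $1. Paths are placeholders.
set -eu

# List project directories: every directory directly under $1 that holds a
# compose file under one of the four names Compose looks for by default.
find_projects() {
  find "$1" -mindepth 2 -maxdepth 2 \
    \( -name compose.yaml -o -name compose.yml \
       -o -name docker-compose.yaml -o -name docker-compose.yml \) -print \
    | sed 's|/[^/]*$||' | sort -u
}

# Classify an image reference: "digest" when pinned with @sha256:..., "pinned"
# when it carries a version tag, "floating" when untagged or tagged :latest
# (the only kind a plain "compose pull" will ever move to a new release).
tag_kind() {
  case $1 in
    *@sha256:*) echo digest; return ;;
  esac
  last=${1##*/}                 # drop registry/namespace, which may contain ':'
  case $last in
    *:*) tag=${last##*:} ;;
    *)   tag=latest ;;
  esac
  if [ "$tag" = latest ]; then echo floating; else echo pinned; fi
}

# The repo digest the local image currently points at (the real identity
# behind a tag), or a marker if the image has not been pulled yet.
resolved_digest() {
  docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null \
    || echo '(not pulled yet)'
}

# Print label, tag kind, reference and local digest for every image a project uses.
show_images() {
  dir=$1; label=$2
  for img in $(cd "$dir" && docker compose config --images); do
    printf '  %-6s %-8s %s -> %s\n' "$label" "$(tag_kind "$img")" "$img" "$(resolved_digest "$img")"
  done
}

# The manual routine from the question, applied to one project directory.
update_project() {
  echo "== $1"
  show_images "$1" before
  ( cd "$1" && docker compose pull --quiet && docker compose up -d )
  show_images "$1" after
}

main() {
  find_projects "$1" | while read -r dir; do
    update_project "$dir"
  done
}

# Run only when given a root directory, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$1"
fi
```

Run it by hand with `sh update-stacks.sh /volume1/docker`, or from cron with something like `0 4 * * * /volume1/docker/update-stacks.sh /volume1/docker >> /var/log/update-stacks.log 2>&1` (placeholder paths; on a Synology the equivalent is a scheduled task). Images that print as `pinned` or `digest` will report "already up to date" forever, which is the intended behaviour for databases and anything else you cannot afford to break; only `floating` entries move, and the before/after digest lines tell you when one did.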
This seems to assume that you'd always have "latest" specified for a container to be updated? As when a specific version is specified, it would simply state that the image is already up to date.
I dislike the Docker approach with "latest" in that it makes it way too difficult to even show what that version is. That you can call "latest" to download just that, the latest, is one thing, but then to keep calling it that once the image is downloaded is rather counterproductive for being able to easily see yourself whether it is actually still the latest...
When it was created might be a giveaway that it is not recent.
Hence also implementations like Watchtower, Diun and the likes, to keep an eye on new versions.
Portainer is an easier way to manage your stacks. Watchtower is great, but can lead to the occasional broken container. Overall it's more of a benefit to have it updating stuff for you. Just remember to set the schedule where it won't impact you or your users.
Definitely sounds like Watchtower is best for you, but to offer an alternative, if you'd prefer to just be notified that an update is available rather than one automatically happening, you could try using diun (Docker Image Update Notifier).
I've struggled with watchtower. I have it installed but all I get are 404s in the logs saying it can't find various containers that I'm using. It doesn't seem to actually do anything other than generate log noise.