Automatically update your Docker base images with watchtower

I’m an avid user of Docker containers, using base images pulled from the public registry DockerHub. As you may know, Docker containers are based on Docker base images, e.g. I run postgres containers that are based on the Postgres base image.

Base images get updated from time to time by their respective authors (in our case the Postgres team) and pushed to DockerHub. But your container does not benefit from such an update unless you:

  • pull the new image
  • stop and delete your container
  • spawn another container using the new base image (of course I’m considering a very simple setup without clusters and Kubernetes).
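
The three manual steps above, written as shell functions around the standard docker CLI. This is an added example, not part of the original post or of watchtower; the function names are illustrative, and it assumes the caller passes the container's original `docker run` options again.

```bash
# Added example: the manual pull / stop / delete / respawn cycle for one
# container on a single Docker host. Function names are illustrative.

# Image ID (sha256:...) the container is currently running.
container_image_id() { docker inspect --format '{{.Image}}' "$1"; }

# Image reference the container was created with, e.g. "postgres".
container_image_ref() { docker inspect --format '{{.Config.Image}}' "$1"; }

# Succeeds when the local tag points at a different image than the one the
# container runs, i.e. a pull has brought in a newer base image.
image_is_stale() {
    local running current
    running=$(container_image_id "$1") || return 2
    current=$(docker image inspect --format '{{.Id}}' \
        "$(container_image_ref "$1")") || return 2
    [ "$running" != "$current" ]
}

# refresh_container NAME [docker run options...]
# Assumption: the run options (volumes, ports, environment) are passed again
# by the caller; they are not recovered from the old container.
refresh_container() {
    local name ref old rc
    name=$1; shift
    ref=$(container_image_ref "$name") || return 2
    old=$(container_image_id "$name") || return 2
    docker pull "$ref" >/dev/null || return 2
    rc=0
    image_is_stale "$name" || rc=$?
    [ "$rc" -le 1 ] || return 2
    if [ "$rc" -eq 1 ]; then
        echo "unchanged $old"
        return 0
    fi
    # The old image ID is printed so that a bad update can be rolled back
    # by starting a container from that ID.
    docker stop "$name" >/dev/null || return 2
    docker rm "$name" >/dev/null || return 2
    docker run -d --name "$name" "$@" "$ref" >/dev/null || return 2
    echo "updated $old -> $(container_image_id "$name")"
}

# Usage (sample values): refresh_container pg -p 5432:5432
```

Recording the old and new image IDs on every refresh gives you an audit trail of which base image each container was running and when it changed.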

What if I tell you that there is a way to automate the process for you?

Enter watchtower: a Docker container (inception!) that automatically restarts your Docker containers so that they use the most recently published base image; watchtower regularly checks for updates of the base image and pulls the new version if necessary.

Configuration is nonexistent: you just have to follow watchtower’s instructions and launch the container, and after that you are all set!

Did anybody say drawbacks? Yes, there might be drawbacks. What if your container is restarted during a transaction? What if the new base image is unstable?

These are all factors that you should take into account when deciding whether you want watchtower to update your containers. In my case, for some applications that I run in containers, the comfort of having watchtower handle the updates far outweighs the problems it may generate (so far: none).

2 thoughts on “Automatically update your Docker base images with watchtower”

  1. It seems to me that watchtower actually performs a pull each and every time it does this check. This behavior inflates the number of pulls to the repo.

    Is there a way to configure watchtower to perform the check and pull only if the “latest” in the repository has changed?

    1. A workaround might be to use:

      --no-pull: Do not pull new images. When this flag is specified, watchtower will not attempt to pull new images from the registry. Instead it will only monitor the local image cache for changes. Use this option if you are building new images directly on the Docker host without pushing them to a registry.

      In that case, you have to manually check for and pull the newest base images.
