Docker Updates, A giant headache… In some ways.

Hey there, fellow Sysadmins and tech enthusiasts!

First off, if you're anything like me, you've found that Docker has become an integral part of your infrastructure. It's flexible, lightweight, and incredibly efficient. Yet, there's one aspect of it that's been a constant thorn in my side: managing updates.

Now, don't get me wrong. I'm all for frequent updates. They patch security vulnerabilities, improve performance, and add new features. We're living in an age where dynamic software development and deployment have become the new norm, and Docker containers embody that to a tee. But with such a rapid cycle of updates to various containers, it often feels like I'm part of an endless game of cat and mouse.


The Challenge of Constant Monitoring

In a world of constant updates, being a vigilant sysadmin requires an almost hawk-like focus. But let's be real, between managing server loads, network outages, and the occasional coffee spill, manually keeping track of each Docker container's update cycle is, in a word, maddening.

Enter my savior: Diun.

For those unfamiliar, Diun (Docker Image Update Notifier) is itself shipped as a Docker container and is built for exactly this challenge. It watches the images your running containers were started from, asks the registry whether a newer image has been published under the same tag, and notifies you when one has; it never touches the containers itself. And the best part? Instead of constantly monitoring a dashboard or logging in to check, I've set up Diun to communicate directly with my helpdesk system.

Here’s How it Works:

  1. Scanning: Diun periodically scans my environment, comparing the image each running container was started from against what the registry currently publishes for that tag. The comparison is by digest, not by name, because a tag such as latest can be re-pointed to a completely different image without the name changing.
  2. Notification: Upon detecting an update, Diun doesn't just silently log it. It takes action! It sends out an email.
  3. Ticket Creation: That email? It goes straight to my helpdesk, automatically generating a ticket. This means I have a record of every update, neatly prioritized and logged, ready for action.
  4. Update Application: With the ticket in place, it serves as a reminder (and occasionally a prod) to delve in and apply the necessary updates.

Using Diun has significantly streamlined my Docker management workflow. I no longer have to chase updates; they come to me. It's proactive sysadmin work, and while it doesn’t entirely eliminate the challenge, it makes the whole process more structured and, dare I say, a tad more enjoyable.


Embracing Full Automation with Watchtower

While Diun has been an absolute game-changer in alerting me to available updates, I've recently upped my automation game even further with another fantastic tool: Watchtower.

For those diving into the depths of Docker for the first time, or even seasoned pros looking for a more hands-off approach, Watchtower is nothing short of a miracle worker. This tool automates the process of updating Docker containers, keeping each one on the newest image the registry serves for the tag it was started with (it follows the tag you chose; it does not move you from one version tag to another).

The Watchtower Way:

  1. Continuous Monitoring: Just like Diun, Watchtower keeps a vigilant eye on your Docker containers. But instead of just alerting you about available updates, it takes the next logical step.
  2. Automated Updates: When Watchtower finds that the registry serves a different image for a container's tag, it pulls the new image, stops the old container and recreates it with the same configuration (ports, volumes, environment, labels) on top of the new image; with WATCHTOWER_CLEANUP=true it also removes the superseded image. The beauty lies in its simplicity: no manual intervention, no meticulous planning, just set it and forget it.
  3. Safety First: One might wonder about the risks of such automation, and they are real. Watchtower has no way of knowing whether a newer image is compatible with your data or the rest of your stack; it only knows that the tag now points somewhere else. What it does give you is control over scope and timing: label-based exclusion (covered below), a monitor-only mode (WATCHTOWER_MONITOR_ONLY=true) that reports without touching anything, a cron schedule (WATCHTOWER_SCHEDULE) so restarts land in your maintenance window, and lifecycle hooks that run a command inside the container before and after an update. The risk you accept with full automation is that whoever can push to that tag, whether the publisher or someone who has taken over the publisher's registry account, changes what runs on your host with no review in between. Keep stateful or critical containers out of Watchtower's scope and pin their images explicitly.
  4. Logs and Notifications: To keep you in the loop, Watchtower logs every check and every replacement it performs. You can also set it up to send notifications, so each update produces a message you can file as your audit trail. "Automatically updated" is not the same as "secure": read those messages, and treat the registry you pull from as part of your trust boundary.

Integrating Watchtower into my sysadmin toolkit has been a revelation. I still use Diun for its structured ticketing system, ensuring I'm always aware of changes in the environment. However, for many containers where continuous uptime with the latest features and patches is critical, Watchtower has become my go-to.


Setting Up Watchtower with Docker Compose

For those of you using Docker Compose, setting up Watchtower can be even more straightforward, while offering the flexibility of managing multiple containers effortlessly. Below is a template based on a real-world example:

version: "3"
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      WATCHTOWER_NOTIFICATIONS: email
      WATCHTOWER_NOTIFICATION_EMAIL_FROM: "[YOUR_FROM_ADDRESS]"
      WATCHTOWER_NOTIFICATION_EMAIL_TO: "[YOUR_TO_ADDRESS]"
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER: smtp.yourmailhost.com
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: "587"
      WATCHTOWER_NOTIFICATION_EMAIL_DELAY: "2"
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER: "[YOUR_SMTP_USER]"
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: "${SMTP_PASSWORD}"
      WATCHTOWER_NOTIFICATIONS_HOSTNAME: YOUR_HOSTNAME.yourdomain.tech

Replace the placeholders ([YOUR_FROM_ADDRESS], [YOUR_TO_ADDRESS], smtp.yourmailhost.com, [YOUR_SMTP_USER] and YOUR_HOSTNAME.yourdomain.tech) with your actual details. Keep the quotes around the bracketed values: an unquoted [YOUR_PASSWORD] is a YAML list, not a string, and Compose will refuse it. The SMTP password is deliberately not written into the file. ${SMTP_PASSWORD} is filled in by Compose from the shell environment or from a .env file next to the compose file, which keeps the credential out of anything you commit or share.

Here's a quick breakdown:

  • /var/run/docker.sock: Mounting the Docker socket gives Watchtower full control of the Docker daemon, which on a default install is equivalent to root on the host. That is unavoidable for what Watchtower does, but it means the Watchtower container is as sensitive as the host itself: don't publish ports on it, don't run it where untrusted containers share the host, and keep its image pinned and reviewed like any other privileged component.
  • WATCHTOWER_NOTIFICATIONS: Sets the type of notification. In this case, it's set to email.
  • WATCHTOWER_NOTIFICATION_EMAIL_FROM: The email address from which the notifications will be sent.
  • WATCHTOWER_NOTIFICATION_EMAIL_TO: The email address where you'll receive the notifications.
  • WATCHTOWER_NOTIFICATION_EMAIL_SERVER: The SMTP server for sending emails.
  • WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: SMTP server port. 587 is the submission port with STARTTLS; 465 is implicit TLS. Don't use 25, which is unauthenticated relay and will usually carry your notifications in the clear.
  • WATCHTOWER_NOTIFICATION_EMAIL_DELAY: Seconds Watchtower waits before sending the email, so that several updates from one run are batched into a single message instead of one email per container.
  • WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER: The username used to authenticate with the SMTP server.
  • WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: The password used to authenticate with the SMTP server. Never write it into the compose file itself; reference a variable from a .env file (kept out of version control) or use Docker secrets, so the credential does not travel with your configuration.
  • WATCHTOWER_NOTIFICATIONS_HOSTNAME: The hostname for your Docker instance. Useful for identifying which Docker instance sent the notification when several hosts report to the same mailbox.

After setting up the Docker Compose file, simply run:

docker-compose up -d

And Watchtower will be up and running, monitoring your containers and notifying you of updates as per your configuration.


Excluding Certain Containers from Automatic Updates

While the automation of Watchtower is phenomenal, there might be instances where you'd like some containers to be excluded from the automated updates. This could be due to stability reasons, specific version requirements, or any other unique scenarios that require a container to remain untouched.

Fortunately, Watchtower provides an easy way to ensure certain containers stay excluded from its watchful gaze.

Here's how to set it up:

  1. Using Labels: When you run a container that you want to exclude from Watchtower's updates, you can add a label to it. Use the --label flag followed by com.centurylinklabs.watchtower.enable=false. For instance:
docker run -d \
  --name your_container_name \
  --label com.centurylinklabs.watchtower.enable=false \
  your_image:your_tag

By adding this label, you're instructing Watchtower to skip checking this particular container for updates.

  2. Docker Compose: If the container is defined in Docker Compose, the same label goes into that service's definition (not into Watchtower's own service). Here's a snippet for clarity:
services:
  your_service_name:
    image: your_image:your_tag
    labels:
      - com.centurylinklabs.watchtower.enable=false

By following the above steps, you can easily ensure that specific containers remain unaffected by Watchtower's automatic updates. One caveat: Docker only reads labels at container creation time and cannot add them to a running container, so an existing container has to be recreated with the label before it is protected. It's always good to have granular control over your environment, especially when automation is involved. Remember, automation tools are meant to serve us, not the other way around.
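To make both halves of this post concrete, here is an added example that is not code from Diun, Watchtower or the original post. It models the two decisions an image-update tool makes per container: the scoping rule from the labels just discussed (Watchtower's documented behaviour: by default everything is watched except containers labelled enable=false, and with WATCHTOWER_LABEL_ENABLE=true only containers labelled enable=true), and the "is there an update?" check from the Diun scanning step, done by comparing the digest recorded when the image was pulled with the digest the registry currently serves for the same tag. The container records, repository names and digests are constructed for the demonstration, and the reference parsing and the decision to treat @sha256 references as pinned are this example's own choices, not either tool's code.

```python
# Added example for this post (not code from Diun or Watchtower): per-container
# scoping by Watchtower's enable label, then a digest comparison to decide
# whether the image the container was started from is stale. All container
# records, repositories and digests below are constructed.
import re
from typing import Dict, List, Optional

ENABLE_LABEL = "com.centurylinklabs.watchtower.enable"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def normalize_repo(repo: str) -> str:
    """Expand Docker Hub short names the way the Docker CLI does, so that
    'nginx' and 'docker.io/library/nginx' compare equal."""
    first = repo.split("/", 1)[0]
    if "/" not in repo:
        return "docker.io/library/" + repo
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + repo
    return repo


def split_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split 'repo[:tag][@digest]' into parts; a bare name means tag 'latest'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' after the last '/' is the tag; before it, it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    if digest is None and tag is None:
        tag = "latest"
    return {"repo": normalize_repo(ref), "tag": tag, "digest": digest}


def in_scope(labels: Dict[str, str], label_enable: bool) -> bool:
    """Default mode: everything is watched unless enable=false (opt-out).
    WATCHTOWER_LABEL_ENABLE=true: only containers with enable=true (opt-in)."""
    value = labels.get(ENABLE_LABEL, "").strip().lower()
    if label_enable:
        return value == "true"
    return value != "false"


def local_digest(repo_digests: List[str], repo: str) -> Optional[str]:
    """Digest recorded at pull time (docker image inspect -> .RepoDigests)."""
    for entry in repo_digests:
        entry_repo, _, digest = entry.partition("@")
        if normalize_repo(entry_repo) == repo and DIGEST_RE.match(digest):
            return digest
    return None


def remote_digest(headers: Dict[str, str]) -> Optional[str]:
    """Digest from the Docker-Content-Digest header a registry returns on
    HEAD /v2/<repo>/manifests/<tag>; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "docker-content-digest" and DIGEST_RE.match(value):
            return value
    return None


def decide(container: dict, label_enable: bool = False) -> str:
    """'skipped', 'pinned', 'unknown', 'current' or 'update' for one container."""
    if not in_scope(container["labels"], label_enable):
        return "skipped"
    ref = split_ref(container["image"])
    if ref["digest"]:
        return "pinned"      # an @sha256 reference is immutable: nothing to roll forward
    have = local_digest(container["repo_digests"], ref["repo"])
    want = remote_digest(container["manifest_headers"])
    if have is None or want is None:
        return "unknown"     # fail closed: never act on a half-known answer
    return "current" if have == want else "update"


# Constructed sample; the digests are placeholders, not real image digests.
OLD = "sha256:" + "a" * 64
NEW = "sha256:" + "b" * 64
SAMPLE = [
    {"name": "web", "image": "nginx:1.25", "labels": {},
     "repo_digests": ["nginx@" + OLD], "manifest_headers": {"Docker-Content-Digest": NEW}},
    {"name": "cache", "image": "redis:7", "labels": {ENABLE_LABEL: "true"},
     "repo_digests": ["redis@" + OLD], "manifest_headers": {"docker-content-digest": OLD}},
    {"name": "db", "image": "postgres:16", "labels": {ENABLE_LABEL: "false"},
     "repo_digests": ["postgres@" + OLD], "manifest_headers": {"Docker-Content-Digest": NEW}},
    {"name": "vault", "image": "localhost:5000/vault@" + OLD, "labels": {},
     "repo_digests": ["localhost:5000/vault@" + OLD], "manifest_headers": {"Docker-Content-Digest": NEW}},
    {"name": "app", "image": "ghcr.io/org/app:1.4", "labels": {},
     "repo_digests": [], "manifest_headers": {}},
]


def run(label_enable: bool = False, sample: List[dict] = SAMPLE) -> Dict[str, str]:
    """Decision per container name for one Watchtower label mode."""
    return {c["name"]: decide(c, label_enable) for c in sample}


if __name__ == "__main__":
    for mode in (False, True):
        print("WATCHTOWER_LABEL_ENABLE =", str(mode).lower(), run(mode))
```

In the default (opt-out) mode the sample yields web: update, cache: current, db: skipped, vault: pinned, app: unknown; switching to opt-in leaves only cache in scope. Two design points carry over to a real deployment: a digest-pinned reference is never "updated", which is exactly why pinning is the right way to protect a critical container from a re-pointed tag, and a missing local or remote digest is reported as unknown rather than treated as "no update", because a tool that restarts containers on an incomplete answer is worse than one that stays quiet.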


In wrapping up, Docker has truly revolutionized the way many of us manage and deploy applications. It's not without its challenges, particularly when it comes to managing updates. However, with tools like Diun and Watchtower, it's become significantly easier to stay on top of the ever-evolving container landscape.

Here's to fewer headaches and more seamless updates!

Keep an eye out for an upcoming article about setting up Diun as well.


Tom