Set up Watchtower to auto-update running Docker containers to ensure you get the latest features and more importantly any security fixes.
Before you begin
If you've been following the series, by now we've spun up several Docker containers to get our NGINX Proxy, Ghost blog, database and static website up and running. You're probably wondering how you are going to manage all of this 🤦‍♂️.
So far we've got 7 containers up and running doing various tasks all tied into our NGINX Proxy out into the web (All on a $6 Vultr I might add, with room to spare).
So how do you go about managing all of this? Luckily someone has thought about that - enter Watchtower, a tool that automatically watches the source images of our containers for updates and triggers an update process on our VPS whenever a newer version of an image we are using to run a container becomes available.
A great example of this is Ghost. Periodically the Ghost development team will release new versions of the Ghost platform with updated features or security fixes that we want to install as soon as they become available. Normally this process would rely on you to spot a new release, log in and manually update the container.
Here's a bit of an overview of what we're building:
Watchtower will periodically check other containers to ensure they are up to date.
First off, let's set up the folder structure - we need a new folder, which I'm going to call 'watchtower'.
- The watchtower folder contains the docker-compose.yml file
Create the required folder structure using the following commands:
mkdir watchtower
cd watchtower
Defining the service with Docker-Compose
Once you've created all the required folders, let's jump straight in and create the docker-compose.yml file that will allow us to define the service we want to spin up.
Let's break this down a bit to understand what we're defining:
- We're using v2tec/watchtower as the docker image
- I've updated the container_name to watchtower just so it's easier to keep track of when you list all of the running containers as part of this tutorial series
- We're attaching the docker container to the proxy network so it can talk to the reverse-proxy to make outbound requests for email alerts
- Optional: If you are interested in getting some sort of indication when containers get updated you can add an environment section to configure the email notification service such as Mailgun.
The below example includes the Watchtower email notification options:
In previous parts of the how-to series we've configured the .env file to contain the VIRTUAL_HOST & VIRTUAL_PORT variables. As this container doesn't require a domain, we don't need to pass these to the NGINX proxy to have traffic forwarded to it.
How to Add Comments to Docker-compose file
If you want to add comments to the docker-compose file, simply add a # at the start of the line; everything after it on that line is treated as a comment.
You can change the polling period by adding an environment variable called POLL_Interval. Note this value is in seconds.
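As an added example (not the post's own compose file), here is a docker-compose.yml that pulls together the settings discussed above: the v2tec/watchtower image, the container name, the proxy network, a poll interval and the optional email notification variables. The environment variable names are the ones Watchtower itself documents; the external network name proxy and the MAIL_* variable names read from .env are assumptions for this example.

```yaml
# Added example, not the original post's file.
# Assumes the 'proxy' network created by the nginx-proxy container in
# earlier parts, and SMTP settings stored in the .env file next to this one.
version: '2'

services:
  watchtower:
    image: v2tec/watchtower
    container_name: watchtower
    restart: unless-stopped
    volumes:
      # Watchtower drives the Docker daemon through its socket. This mount
      # gives the container control over every container on the host, so
      # only run a Watchtower image you trust with it.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # Check for new images once an hour (value in seconds)
      - WATCHTOWER_POLL_INTERVAL=3600
      # Remove the old image after a container has been updated
      - WATCHTOWER_CLEANUP=true
      # Optional email alerts; credentials come from .env, not this file
      - WATCHTOWER_NOTIFICATIONS=email
      - WATCHTOWER_NOTIFICATION_EMAIL_FROM=${MAIL_FROM}
      - WATCHTOWER_NOTIFICATION_EMAIL_TO=${MAIL_TO}
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=${MAIL_SERVER}
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=${MAIL_PORT}
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=${MAIL_USER}
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=${MAIL_PASSWORD}
    networks:
      - proxy

# Watchtower re-pulls whatever image reference each container was started
# from, so a container pinned to a specific tag stays on that tag while one
# started from 'latest' follows upstream releases.
networks:
  proxy:
    external: true
```

Put MAIL_FROM, MAIL_TO, MAIL_SERVER, MAIL_PORT, MAIL_USER and MAIL_PASSWORD in the .env file beside docker-compose.yml so the SMTP password never lands in the compose file itself; running docker-compose config prints the resolved file so you can confirm the values were picked up.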
Start the two services
Let's spin up Watchtower and let it get to work.
sudo docker-compose up
Appending -d starts the services in the background, detached from the docker-compose logs.
sudo docker-compose up -d
Confirm the Docker container is now running by using the following command:
That's it. The Watchtower container will connect to the Docker socket, identify all of the containers and associated images running on our VPS, and periodically check for updates. If an update is found, Watchtower will stop the container and relaunch it with the new image in a matter of seconds, all without you lifting a finger!