Set up Watchtower to automatically update your running Docker containers so you get the latest features and, more importantly, security fixes as soon as they are published.
Before you begin
This article is part of a series, to see the overview of the series click here
If you've been following the series, by now we've spun up a number of Docker containers to get our NGINX proxy, Ghost blog, database and static website up and running. You're probably wondering how you're going to manage all of this 🤦‍♂️.
So far we've got 7 containers up and running doing various tasks, all tied into our NGINX proxy out to the web (all on a $6 Vultr VPS I might add, with room to spare).
So how do you go about managing all of this? Luckily someone has thought about that. Enter Watchtower, a tool that watches the source images of our running containers and, when the registry publishes a newer version of an image we are using, pulls it and restarts the affected container on our VPS with the new image.
A great example of this is Ghost. Periodically the Ghost development team release new versions of the platform with new features or, more importantly, security fixes that we want installed as soon as they become available. Normally this process relies on you noticing the new release, logging in and manually updating the container.
Here's a bit of an overview of what we're building:
Watchtower will periodically check other containers to ensure they are up to date.
First off, let's set up the folder structure. We need a new folder, which I'm going to call 'watchtower':
- The watchtower folder contains the docker-compose.yml file
Create the required folder structure using the following commands:
mkdir watchtower
cd watchtower
Defining the service with Docker-Compose
Once you've created the folder, let's jump straight in and create our docker-compose.yml file, which defines the service we want to spin up.
version: '3.1'
services:
  watchtower:
    image: v2tec/watchtower
    container_name: watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    networks:
      - proxy
networks:
  proxy:
    external:
      name: nginx-proxy
Let's break this down a bit to understand what we're defining:
- We're using v2tec/watchtower as the Docker image. Be aware that this is the original image name; the project has since moved to containrrr/watchtower and the v2tec image no longer receives updates, so a fresh install should use the containrrr image (the configuration options are the same).
- I've set container_name to watchtower so it's easier to keep track of when you list the running containers (docker ps) as part of this tutorial series
- We're mounting the Docker socket (/var/run/docker.sock) into the container. This is what lets Watchtower list, stop and recreate containers, and it is equivalent to root on the host: anyone who gets code execution inside the Watchtower container controls every container on the VPS. Never publish a port from this container and keep it off any network it doesn't need.
- We're attaching the container to the proxy network for consistency with the rest of the series. Strictly it isn't required: Watchtower's outbound requests (registry checks and SMTP for email alerts) go out through Docker's normal egress, not through the reverse proxy, and nothing needs to reach Watchtower inbound.
- Optional: if you want some indication of when containers get updated, you can add an environment section to configure the email notification service, for example via Mailgun.
The below example includes the Watchtower email notification options:
version: '3.1'
services:
  watchtower:
    image: v2tec/watchtower
    container_name: watchtower
    environment:
      - WATCHTOWER_NOTIFICATIONS=email
      - WATCHTOWER_NOTIFICATION_EMAIL_FROM=REDACTED
      - WATCHTOWER_NOTIFICATION_EMAIL_TO=REDACTED
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.mailgun.org
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=REDACTED
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=REDACTED
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    networks:
      - proxy
networks:
  proxy:
    external:
      name: nginx-proxy
In previous parts of the series we've used a .env file to hold the VIRTUAL_HOST and VIRTUAL_PORT variables. As this container doesn't serve a domain, there is nothing to tell the NGINX proxy, so no .env file is needed for that purpose here. The same .env mechanism is, however, a better home for the SMTP user and password than the compose file itself: docker-compose substitutes ${VAR} references from a .env file next to docker-compose.yml, and the compose file is the one that tends to end up in version control.
Start the service
Let's spin up Watchtower and let it get to work.
sudo docker-compose up
Appending -d runs the service detached (in the background) instead of leaving you attached to its logs.
sudo docker-compose up -d
Confirm the Docker container is now running by using the following command:
sudo docker ps
That's it. The Watchtower container connects to the Docker socket, identifies all of the containers and associated images running on our VPS, and periodically (every 24 hours by default; WATCHTOWER_POLL_INTERVAL sets the interval in seconds) checks the registry for a newer image with the same tag. If one is found, Watchtower stops the container and relaunches it with the new image in a matter of seconds, all without you lifting a finger.
A few caveats worth knowing before you rely on it. Watchtower only follows the tag a container was started with, so a container pinned to an exact version (for example ghost:2.25.1) will never be updated, while a floating tag (ghost:2 or ghost:latest) will be. Every update is a restart, so expect a few seconds of downtime per container. And because the update is automatic, you are trusting whoever publishes that tag on the registry: a bad or compromised image is deployed just as promptly as a security fix, so limit Watchtower to the containers you actually want it to touch (WATCHTOWER_LABEL_ENABLE restricts it to containers carrying the com.centurylinklabs.watchtower.enable=true label) and set WATCHTOWER_CLEANUP=true so superseded images don't fill the disk of a small VPS.
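Pulling those caveats together, here is a tighter version of the Watchtower service for the same setup. This is an added example, not the compose file from the original article: it uses the currently maintained containrrr/watchtower image, scopes updates to labelled containers only, cleans up old images, drops the unnecessary proxy network and reads the mail credentials from a .env file. The WT_MAIL_* variable names and the one-hour poll interval are assumptions; pick your own.

```yaml
# Added example (not the article's own compose file). Assumes a .env file
# next to docker-compose.yml defining WT_MAIL_FROM, WT_MAIL_TO, WT_MAIL_USER
# and WT_MAIL_PASSWORD; docker-compose substitutes ${VAR} from it.
version: '3.1'
services:
  watchtower:
    # Maintained image; v2tec/watchtower is the unmaintained predecessor.
    image: containrrr/watchtower
    container_name: watchtower
    environment:
      # Only touch containers that opt in with the label
      # com.centurylinklabs.watchtower.enable=true, instead of every
      # container that happens to be running on the host.
      - WATCHTOWER_LABEL_ENABLE=true
      # Delete the superseded image after a successful update so old
      # layers do not accumulate on a small VPS.
      - WATCHTOWER_CLEANUP=true
      # Poll interval in seconds (assumed value; the default is 86400).
      - WATCHTOWER_POLL_INTERVAL=3600
      # Email alerts, with credentials taken from .env rather than
      # committed here.
      - WATCHTOWER_NOTIFICATIONS=email
      - WATCHTOWER_NOTIFICATION_EMAIL_FROM=${WT_MAIL_FROM}
      - WATCHTOWER_NOTIFICATION_EMAIL_TO=${WT_MAIL_TO}
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.mailgun.org
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=${WT_MAIL_USER}
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=${WT_MAIL_PASSWORD}
    volumes:
      # Root-equivalent access to the host: whatever runs in this container
      # can start privileged containers. No ports are published and no
      # extra networks are joined, so nothing can reach it from outside.
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    # No networks section: registry checks and SMTP go out via Docker's
    # default bridge, so membership in nginx-proxy is not needed.
```

With WATCHTOWER_LABEL_ENABLE set, a container is only updated if it carries the opt-in label, so add `labels: ["com.centurylinklabs.watchtower.enable=true"]` to the services you want updated (for example the Ghost service in its own docker-compose.yml from earlier in the series) and leave it off anything you would rather upgrade by hand, such as the database.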