I’ve had a couple of issues with running updates through Portainer since getting it set up. The first issue is that the “Always pull the image” option doesn’t always seem to pull the latest version of the image, so recreating the container just restarts it without actually applying the latest update. The second issue is that I can’t have these updates happen automatically with Portainer; there is no automatic update option built in. I’ve found a solution to this problem which gives me a lot of flexibility in how I run the updates. Let me take you through deploying and running Watchtower. You can find out more about Watchtower here: containrrr/watchtower - Docker Image | Docker Hub
Watchtower addresses my issues in a couple of different and exciting ways! I can set up Watchtower to run when I want it to run, updating all containers at once at a time that suits me for an outage, or I can set it up to run automatically on a set interval (once an hour if updates are available, for example). I’ve chosen a mix of the two options for my 3 Docker hosts. For my Docker hosts which are in the cloud and exposed to the internet for services that I’m delivering (blogs etc.), I have configured the updates to happen every 3600 seconds, or 1 hour, to ensure I’ve always got the latest patches to protect me from any vulnerabilities that may pop up. The Docker host I have at home I have set up to run on demand, and all I need to do is turn on the Watchtower container. Let me show you how.
Option 1: Automated every 60 minutes
Log on to your Docker host and run the following command to install your own Watchtower container to handle updates:
sudo docker run -d --name watchtower -e WATCHTOWER_POLL_INTERVAL=3600 -v /var/run/docker.sock:/var/run/docker.sock --restart always containrrr/watchtower
That’s it! You’ve now got automatic updates that will run every 60 minutes for all of your containers. If you want to check the logs, you can run the command below from the CLI:
sudo docker logs watchtower
If you have Portainer, this will show under the logs of the watchtower container.
Pros:
- Automated updates as soon as they become available.
- Security vulnerabilities automatically installed.
Cons:
- Something might break due to the updates to a container (so far, I’ve only had 1 thing break, which I was able to fix from my phone through Portainer within 2 minutes)
Option 2: Run updates on-demand
Log on to your Docker host and run the following command to install a Watchtower container that we can use to do on-demand updates:
sudo docker run -d --name watchtower -e WATCHTOWER_RUN_ONCE=true -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower
This means that this container will be created but will be left turned off. Each time this container is started, it will shut itself down again once the updates are completed.
Pros:
- Convenient & predictable update install times
Cons:
- Updates can be missed for critical security vulnerabilities
BONUS:
If you’re feeling brave, there are a couple of other environment variables you can use with Watchtower:
If you want to automatically remove any of the old images from your docker host, you can add in the following:
WATCHTOWER_CLEANUP=true
If you want to allow Watchtower to update powered off containers, you can use the following:
WATCHTOWER_INCLUDE_STOPPED=true
If you want Watchtower to start currently stopped containers after updating them, you can use the following:
WATCHTOWER_REVIVE_STOPPED=true
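To tie Option 1, Option 2 and the bonus variables together, here is a small shell helper (an added example, not part of the original post or of the Watchtower project) that assembles the matching docker run line and refuses bad input before anything is executed. It assumes the container name "watchtower" and the image containrrr/watchtower used above; the function name watchtower_cmd is this example's own.

```shell
#!/bin/sh
# Added example: build the Watchtower "docker run" command for one of the two
# modes from the post. Nothing is executed; the command is printed on stdout.
#
# Usage: watchtower_cmd MODE [INTERVAL_SECONDS] [BONUS...]
#   MODE   auto -> poll on an interval and restart with the host (Option 1)
#          once -> run a single update pass, then exit (Option 2, on-demand)
#   BONUS  any of: cleanup include-stopped revive-stopped
# Returns 1 (with a message on stderr) when the input is invalid.
watchtower_cmd() {
    mode=$1
    shift
    cmd="sudo docker run -d --name watchtower"
    case "$mode" in
        auto)
            interval=${1:-3600}            # default to the post's 1 hour
            [ $# -gt 0 ] && shift
            # Reject anything that is not a positive integer ("1h", "-5", "0").
            case "$interval" in
                ''|*[!0-9]*|0*)
                    echo "interval must be a positive integer of seconds" >&2
                    return 1 ;;
            esac
            cmd="$cmd -e WATCHTOWER_POLL_INTERVAL=$interval"
            ;;
        once)
            # RUN_ONCE exits after one pass; it must not be combined with
            # --restart always, or Docker would start it again in a loop.
            cmd="$cmd -e WATCHTOWER_RUN_ONCE=true"
            ;;
        *)
            echo "mode must be auto or once" >&2
            return 1 ;;
    esac
    for bonus in "$@"; do
        case "$bonus" in
            cleanup)         cmd="$cmd -e WATCHTOWER_CLEANUP=true" ;;
            include-stopped) cmd="$cmd -e WATCHTOWER_INCLUDE_STOPPED=true" ;;
            revive-stopped)  cmd="$cmd -e WATCHTOWER_REVIVE_STOPPED=true" ;;
            *)
                echo "unknown option: $bonus" >&2
                return 1 ;;
        esac
    done
    # The socket mount is what lets Watchtower manage the other containers.
    cmd="$cmd -v /var/run/docker.sock:/var/run/docker.sock"
    [ "$mode" = auto ] && cmd="$cmd --restart always"
    echo "$cmd containrrr/watchtower"
}
```

Run it as `watchtower_cmd auto 3600` or `watchtower_cmd once cleanup` and paste the printed line into your shell, or wrap it in `eval` once you are happy with the output.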
Enjoy!