Docker is a popular open-source container management platform. It enables users to create, run, and manage containers. Containers are isolated processes that run on top of a Linux kernel. Docker images are the files that represent an image of an operating system or application. To update a Docker container from your image registry, you first need to create a new image from the latest version of the container you want to update. You can then use the docker build command to create a new image from this new version of the container. You can then use the docker push command to send this new image to your image registry. Finally, you can use the docker pull command to retrieve this new image from your image registry and install it on your machine. ..


Docker is a tool that makes it easy to run apps in portable containers. One of the primary benefits of containerization is easily managed updates—all you need to do is restart with a new container, and there are tools that can automate this entire process.

RELATED: How to Upgrade Docker Containers to Apply Image Updates

Automatically Deploying Docker Containers

Docker is a great choice for continuous integration/continuous deployment pipelines (CI/CD) as it helps automate both steps of the process. Dockerfiles themselves provide a way to build your app’s image, and it’s pretty easy to set up automated container builds from source on services like Github. Once built, and pushed to an “image registry,” it can then be downloaded and ran by any server running Docker.

This is great, but that still involves running commands on the server every time you want to update. If you’d like it to be truly automatic, then you may be interested in a tool called Watchtower.

Watchtower is a utility that runs on your Docker host and periodically checks for updates to containers. If it detects a new version of an image from the container registry, it will automatically kill the container and restart it immediately.

This is a very attractive feature, but before you go installing it, it’s important to discuss the downsides. Doing updates entirely automatically means you will have less control over the time and prior testing of the deployment, as whenever the commit in your repository goes through and triggers a build, the running containers will update. If you don’t own the image being ran, it may update unexpectedly if you don’t exclude them from Watchtower.

If you’re not doing updates every day, you may be better off with a Docker GUI like Portainer, which lets you browse running containers across your servers and click a button to update them automatically. This gives you more control over the process and can help prevent unexpected updates.

If you’d like to get started using Portainer, you can read our guide to setting it up to learn more.

RELATED: How to Get Started With Portainer, a Web UI for Docker

Using Watchtower

Watchtower is packaged as a Docker container itself, so it’s pretty easy to install—just one command will get it up and running:

This launches a Watchtower container, and also creates a binding mounting the docker.sock from the host so that it can interact with the Docker API. By default, this scans all running containers for updates every 24 hours, which can be changed with the –interval flag.

You can also create a docker-compose.yml file to start Watchtower as a service:

“All running containers” probably includes some things you’d rather not have unexpectedly update, including images from the Docker Hub that you don’t have control over. You can exclude containers from updates, but only by setting a label on the container being scanned.

You’ll need to either set this flag on the command line during docker run, or specify it in the container’s build process using the LABEL directive.

You can also do the reverse, by passing the –label-enable flag when starting Watchtower and setting containers to “true.”

Running Watchtower as a Docker Compose Service

A better method, especially when you only need to run Watchtower for a single container, is to package it into an existing docker-compose.yml file and create a scope for Watchtower to scan for. In this example, the NGINX image is given the scope “nginx,” and Watchtower is configured to only update containers with that scope label.

If you only use Watchtower this way–packaged into a compose file with a scope—it will allow you to run multiple instances. If you run Watchtower without a scope on the same system though, it will override these instances.

Using Third Party Registries

By default, Watchtower only works with the Docker Hub and any other public registry. This excludes certain services like Github’s Container Registry, which requires a username and Personal Access Token (PAT) to pull images from.

You can add config for private registries by creating a config.json file with the following content:

The “credentials” value should be set to a base64 encoded string of your username:password combo, or personal access token in the case of Github.

Then, when you run Watchtower, pass in an additional mount for this config.json file.