What are you using to update your Docker images?
In reality for me it’s German CERT sending me emails that my n8n is again out of date with tons of CVEs.
Submitted 16 hours ago by ReedReads@lemmy.zip to selfhosted@lemmy.world
I theoretically have Diun set up, but realistically I just run my Ansible playbook weekly and have most containers set to latest. The exceptions are things that sometimes need special steps when upgrading, such as Immich, or critical stuff I want to give special attention, such as Authelia/Authentik. For those I subscribe to their releases via RSS so I can update them easily, which usually is just changing a value in my Ansible configuration, but if extra changes are needed I can adapt them.
Quadlets. Auto update and auto rollback if the new image fails to start. Plus easier management overall, too.
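As an added example (not the commenter's own setup): a rootless Quadlet unit that opts into Podman's registry auto-update, plus the commands that enable the packaged `podman-auto-update.timer`. The unit name, image tag, published port and destination directory are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a rootless Quadlet .container unit with
# Podman auto-update enabled. "docker.io/library/nginx:1.27" and port 8080 are
# constructed placeholders.
set -euo pipefail

# Write a Quadlet .container file. $1 = unit name, $2 = image reference,
# $3 = destination directory (defaults to the rootless Quadlet location).
# Prints the path of the generated unit.
write_quadlet_unit() {
  local name="$1" image="$2"
  local dir="${3:-${XDG_CONFIG_HOME:-$HOME/.config}/containers/systemd}"
  mkdir -p "$dir"
  cat > "$dir/$name.container" <<EOF
[Unit]
Description=$name (managed by Quadlet)

[Container]
Image=$image
# "registry" tells podman auto-update to compare the local image digest with
# the registry and restart this unit when the tag has moved. If the restarted
# unit fails to start, podman auto-update rolls back to the previous image.
AutoUpdate=registry
ContainerName=$name
PublishPort=127.0.0.1:8080:80

[Service]
Restart=always

[Install]
WantedBy=default.target
EOF
  printf '%s\n' "$dir/$name.container"
}

# Return 0 if a generated unit opts into registry auto-update, 1 otherwise.
unit_has_auto_update() {
  grep -qx 'AutoUpdate=registry' "$1"
}

# Pass --install to actually register the unit with the user systemd instance.
if [ "${1:-}" = "--install" ]; then
  unit=$(write_quadlet_unit web docker.io/library/nginx:1.27)
  systemctl --user daemon-reload            # Quadlet generates web.service
  systemctl --user enable --now web.service
  # Poll the registry on the packaged schedule and apply updates with rollback.
  systemctl --user enable --now podman-auto-update.timer
  podman auto-update --dry-run              # preview which units would change
  echo "installed $unit"
fi
```

Keep the `Image=` reference fully qualified and tagged; auto-update compares digests for that tag, so a moving tag such as a major-version tag is what makes it useful, and `podman auto-update --dry-run` shows what would change before the timer fires.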
All my docker images are in code in Github.
Renovate makes a PR when there are image or helm chart updates.
ArgoCD sees the PR merge and applies to Kubernetes.
For a few special cases I use ArgoCD-image-updater.
+1 for Renovate. It’s not a drop-in replacement for Watchtower, but it allowed me to create a robust CI/CD pipeline. And, it can be centrally run, instead of having Watchtower running on every Docker host I have.
Dockhand can search for updates but you have to install them manually. Which I prefer anyway, plus Dockhand also replaced Portainer/Komodo for me.
Even better, Dockhand can send notifications when updates are available. I used to be a Watchtower user with nightly updates until one of my services became unavailable the next day due to a breaking change. Now I look at the update notification and apply manually through Dockhand after reviewing to make sure the update is good. Dockhand also can run Grype and/or Trivy vulnerability scans on new images so you know approximately how many CVEs you're adding to your network with each new or updated container! 🤣 I liked Portainer a lot but have grown to like Dockhand a lot. I'm having some issues with updates and vulnerability scanning on Hawser nodes so I've also tried Komodo and Arcane. Not sure which I'll end up with long-term, but Dockhand is my favorite overall. What's your opinion on these tools? Have you run into any issues with Dockhand?
I haven’t tried Arcane. I prefer Komodo’s interface over Portainer but Portainer worked better for me. I was running Portainer and Dockpeek for updates but Dockhand has replaced both, and IMO the interface is even better than Komodo’s. I’m still learning, there are features I don’t know much about like stack management, which I still do manually.
You have an option to install them automatically in the settings or per container.
I'm using Komodo for deploying and auto updates.
I just use my free Portainer Business for 3 nodes to show in the containers view which ones are outdated, and I check it regularly. Really wish there could be some kind of notification, but oh well. I also follow the releases for all the projects I self-host so I know when to check. Automating this makes me too nervous for comfort.
Is there something wrong with Watchtower I missed?
It’s not maintained anymore but there is a fork. Someone else posted the link.
Never used it, but TugTainer. I use the fork of Watchtower and run it with `--run-once --cleanup`. You can run it and let it update your containers as soon as an update is available, but I just like to run it manually.
I don’t use it anymore as I switched to TrueNAS which has the functionality built in, but I used to use docking-station.
I'm thinking of using Dockcheck. It's not a drop-in replacement for Watchtower, but you probably can whip up a quick systemd service to run it.
Brewchin@lemmy.world 4 minutes ago
After too many wild rides with Watchtower auto-nuking services, thanks to breaking changes (migrations, DB updates, deployment changes, etc), I switched to What’s Up Docker and pin the version for all of my containers.
WUD lets me know when something has an update, so I periodically go through their release notes and do the update(s) manually. Usually it's as simple as: read the notes, change the version in compose, down (or pull), then "up -d". But this approach has saved my bacon multiple times.
I’ve seen there are other solutions - of varying degrees of promises vs delivery - but most of my stuff is long term and stable. My approach maintains all that.
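An added example of the pin-then-bump workflow described above, not Brewchin's own script: a shell function that rewrites one service's pinned tag in a compose file, refusing to touch a service that still says `latest` or has no tag, followed by a pull-then-`up -d` of just that service. The compose file contents and image names are constructed for the demo, and the parsing assumes unquoted `image:` lines directly under a two-space-indented service key.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: bump one service's pinned image tag in a
# compose file, then pull and recreate only that service. Sample compose
# content and image names below are constructed for the demo.
set -euo pipefail

# Write a small constructed compose file to $1 (demo input only).
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  web:
    image: ghcr.io/example/web:1.4.2
    ports:
      - "8080:80"
  db:
    image: docker.io/library/postgres:16.3
EOF
}

# bump_pinned_tag FILE SERVICE NEW_TAG
# Prints the new image reference; fails if the service has no image line or
# is not pinned. Assumes "image:" is unquoted and services sit at 2-space
# indent with their keys at 4-space indent (as in the sample file).
bump_pinned_tag() {
  local file="$1" service="$2" new_tag="$3"
  local current
  current=$(awk -v svc="$service" '
    $1 == (svc ":")            { in_svc = 1; next }   # entered target block
    in_svc && /^  [^[:space:]]/ { in_svc = 0 }        # next service begins
    in_svc && $1 == "image:"   { print $2; exit }    # first image: line
  ' "$file")
  [ -n "$current" ] || { echo "no image for service $service" >&2; return 1; }
  local repo="${current%:*}"
  # Refuse to "bump" something that is floating: latest or tagless
  case "$current" in
    *:latest|"$repo") echo "$service is not pinned: $current" >&2; return 1 ;;
  esac
  local next="$repo:$new_tag"
  sed "s|image: $current\$|image: $next|" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
  printf '%s\n' "$next"
}

# deploy_service FILE SERVICE
# Pull first so a failed pull never leaves the service down, then recreate
# only that service (other containers in the stack are untouched).
deploy_service() {
  local file="$1" service="$2"
  docker compose -f "$file" pull "$service"
  docker compose -f "$file" up -d "$service"
}

# Pass --demo to run the bump against a throwaway compose file (no docker).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_compose "$tmp/compose.yml"
  echo "bumped to: $(bump_pinned_tag "$tmp/compose.yml" db 16.4)"
  cat "$tmp/compose.yml"
fi
```

Review the release notes before calling `bump_pinned_tag`, commit the changed compose file, and only then run `deploy_service`; the previous tag stays in version control, so rolling back is a revert plus another `up -d`.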