Latest Watchtower fork?

cross-posted from: https://lemmy.world/post/26728988

Hi - I'm rebuilding my homelab and want to give docker compose another try. It looks like Watchtower is years out of date now. I see two forks that look more promising per https://techgaun.github.io/active-forks/index.html#https://github.com/containrrr/watchtower

These two: https://github.com/beatkind/watchtower https://github.com/nicholas-fedor/watchtower

The former seems to have more activity. What are you all using?

https://github.com/beatkind/watchtowerOpen link View original on lemmy.world

Comments23

roofuskit

lemmy.world

Those of you self hosters who use watchtower, what's your use case?

morethanevil reply

lemmy.fedifriends.social

I only let me notify about updates. I don't want autoupdates, because some projects may have breaking changes (looking at you Immich 😁)

I get a message from watchtower over Gotify and then I can read the changelog

blazeknave reply

lemmy.world

I've been thinking about this. Can you do that with watchtower? Don't need diem or anything?

morethanevil reply

lemmy.fedifriends.social

It is very easy. Here is my compose:

services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
    command: --interval 10800
    logging:
      driver: local
    environment:
          WATCHTOWER_NOTIFICATION_URL: gotify://
          WATCHTOWER_NOTIFICATIONS_HOSTNAME: Fancy name
          WATCHTOWER_MONITOR_ONLY: true
          WATCHTOWER_WARN_ON_HEAD_FAILURE: never

Every 3 hours it will check for updates, send a message via Gotify and pull the new images. It will not restart the containers with the new images.

roofuskit reply

lemmy.world

Is it possible to have it auto update say one container and notify the rest?

VeryNiiiice reply

sh.itjust.works

Yes. There is a label you would need to apply to all of your containers to specify whether or not to update: com.centurylinklabs.watchtower.monitor-only=true

morethanevil reply

lemmy.fedifriends.social

No, because MONITOR_ONLY is for all

bigDottee reply

geekroom.tech

Honestly I think this might be a better way than what I’m using now. I’ve subbed to ~~dockerrelease.io~~ (edit: docker-notify.com) and releasealert.dev … get spammed all day everyday because the devs keep pushing all sorts of updates to old branches… or because those sites aren’t configured well.

mac reply

lemm.ee

I just use RSS for this ¯_(ツ)_/¯

Appoxo reply

lemmy.dbzer0.com

You can use scopes to limit updates to pre-determinded containers.

ShortN0te reply

lemmy.ml

Automatic updates. Works like a dream. Depending on what you are running it can obviously cause issues, either server side breaking or server,client communication issues

ZeldaFreak reply

lemmy.world

Auto update. Works like a charm, except PostgreSQL. For me it's good enough and even though works with containers, where they don't recommend it. I do have backups and for my private time, I don't get paid, so it should be as maintenance as possible from my side.

I do check from time to time if something is broken and I noticed a container where they removed a version tag, I was using. The "biggest" thing that was broken, was my gitea server where they changed the config for the default Theme.

Also that's why I hate PostgreSQL. It requires manual labor for updating. Had a recipe Docker and they cut support for previous major version quickly. Not good. That stuff could break, ist an option with every update. This is why backups exist. As a single user, it's not a problem. For a big system, I wouldn't do auto updates, so I can check if everything works.

blazeknave reply

lemmy.world

ADHD and not technical by trade so it's not in my DNA to remember

BakedCatboy reply

lemmy.ml

I use it to auto update nginx and haproxy containers, since they adhere very well to semver there is very little risk of breakage if you use the correct tag and not just :latest. I haven't had a single issue in many years, and it's nice to know that I'll get critical security updates within 24h of images being pushed.

Appoxo reply

lemmy.dbzer0.com

Thw only it provides: Auto-updating.

Bakkoda reply

sh.itjust.works

I just have it send a notification of available update. No auto for me.

roofuskit reply

lemmy.world

Yeah but what are you updating that is so non-critical you can trust watchtower to update it unattended, without reading release notes?

Appoxo reply

lemmy.dbzer0.com

traefik, authelia, the *arrs etc.
I disabled auto updates for databases.

ShortN0te

lemmy.ml

Years out of date

What problems does it have? Never ran into an issue for my usecase.

blazeknave reply

lemmy.world

I don't know. Last time I used it was maintained. Seems like a security vulnerability running something this critical out of date, no?

ShortN0te reply

lemmy.ml

Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?

The attack vector seems very narrow to me. It checks the container registry downloads the containers and runs some docker commands.

It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download) the secure connection used to download the containers (https is quite stable) or something on the server side.

Also the project does not really look that abundant to me.

EDIT: So i have not checked this, but watchtower is probably using docker for most steps anyway? So basically the only thing that could be attacked is via the notifications watchtower is sending?

BlackEco

lemmy.blackeco.com

The first one also has better code coverage and way more pulls on Docker Hub.

Justin

lemmy.jlh.name

Use renovate instead, it supports dockerfiles.

https://docs.renovatebot.com/docker/