Skip to content
A process for automating Docker container base image updates.
Branch: master
Clone or download
simskij add tests for check action, resolve wt cleanup bug (#284)
add unit tests for the check action to allow for some
refactoring and bug fixing without having to worry about
breaking stuff.

resolve watchtower cleanup bug by adding an initial 1 second sleep
in the check action. without the sleep, the docker client returns an
empty array, which is why we were left with two watchtowers.
Latest commit 46ffa16 Apr 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci send coverage to codacy Apr 16, 2019
.github/ISSUE_TEMPLATE Update issue templates Apr 15, 2019
actions add tests for check action, resolve wt cleanup bug (#284) Apr 20, 2019
app fix merge conflicts and do some refactoring Apr 8, 2019
container add tests for check action, resolve wt cleanup bug (#284) Apr 20, 2019
notifications Add Slack Channel, IconEmoji, and IconURL options (#241) Apr 7, 2019
.codacy.yml exclude markdown files from coverage analysis Apr 17, 2019
.gitignore fix merge conflicts and do some refactoring Apr 8, 2019 Create Apr 7, 2019
Dockerfile pin down dockerfile alpine version Apr 17, 2019
Dockerfile.self-contained update tls example Apr 18, 2019
go.sum exclude markdown files from coverage analysis Apr 17, 2019
main.go add tests for check action, resolve wt cleanup bug (#284) Apr 20, 2019


A process for automating Docker container base image updates.

Circle CI GoDoc Microbadger Go Report Card latest version Apache-2.0 License Codacy Badge Codacy Badge


Watchtower is an application that will monitor your running Docker containers and watch for changes to the images that those containers were originally started from. If watchtower detects that an image has changed, it will automatically restart the container using the new image.

With watchtower you can update the running version of your containerized app simply by pushing a new image to the Docker Hub or your own image registry. Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially.

For example, let's say you were running watchtower along with an instance of centurylink/wetty-cli image:

$ docker ps
CONTAINER ID   IMAGE                   STATUS          PORTS                    NAMES
967848166a45   centurylink/wetty-cli   Up 10 minutes>3000/tcp   wetty
6cc4d2a9d1a5   containrrr/watchtower   Up 15 minutes                            watchtower

Every few minutes watchtower will pull the latest centurylink/wetty-cli image and compare it to the one that was used to run the "wetty" container. If it sees that the image has changed it will stop/remove the "wetty" container and then restart it using the new image and the same docker run options that were used to start the container initially (in this case, that would include the -p 8080:3000 port mapping).


Watchtower is itself packaged as a Docker container so installation is as simple as pulling the containrrr/watchtower image. If you are using ARM based architecture, pull the appropriate containrrr/watchtower:armhf-<tag> image from the containrrr Docker Hub.

Since the watchtower code needs to interact with the Docker API in order to monitor the running containers, you need to mount /var/run/docker.sock into the container with the -v flag when you run it.

Run the watchtower container with the following command:

docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \

If pulling images from private Docker registries, supply registry authentication credentials with the environment variables REPO_USER and REPO_PASS or by mounting the host's docker config file into the container (at the root of the container filesystem /).

Passing environment variables:

docker run -d \
  --name watchtower \
  -e REPO_USER=username \
  -e REPO_PASS=password \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower container_to_watch --debug

Also check out this Stack Overflow answer for more options on how to pass environment variables.

Mounting the host's docker config file:

docker run -d \
  --name watchtower \
  -v /home/<user>/.docker/config.json:/config.json \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower container_to_watch --debug

If you mount the config file as described above, be sure to also prepend the url for the registry when starting up your watched image (you can omit the https://). Here is a complete docker-compose.yml file that starts up a docker container from a private repo at dockerhub and monitors it with watchtower. Note the command argument changing the interval to 30s rather than the default 5 minutes.

version: "3"
      - "443:3443"
      - "80:3080"
    image: containrrr/watchtower
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/config.json
    command: --interval 30


By default, watchtower will monitor all containers running within the Docker daemon to which it is pointed (in most cases this will be the local Docker daemon, but you can override it with the --host option described in the next section). However, you can restrict watchtower to monitoring a subset of the running containers by specifying the container names as arguments when launching watchtower.

docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower nginx redis

In the example above, watchtower will only monitor the containers named "nginx" and "redis" for updates -- all of the other running containers will be ignored.

If you do not want watchtower to run as a daemon you can pass a run-once flag and remove the watchtower container after it's execution.

docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower --run-once nginx redis

In the example above, watchtower will execute an upgrade attempt on the containers named "nginx" and "redis". Using this mode will enable debugging output showing all actions performed as usage is intended for interactive users. Once the attempt is completed, the container will exit and remove itself due to the "--rm" flag.

When no arguments are specified, watchtower will monitor all running containers.


Any of the options described below can be passed to the watchtower process by setting them after the image name in the docker run string:

docker run --rm containrrr/watchtower --help
  • --host, -h Docker daemon socket to connect to. Defaults to "unix:///var/run/docker.sock" but can be pointed at a remote Docker host by specifying a TCP endpoint as "tcp://hostname:port". The host value can also be provided by setting the DOCKER_HOST environment variable.
  • --run-once Run an update attempt against a container name list one time immediately and exit.
  • --interval, -i Poll interval (in seconds). This value controls how frequently watchtower will poll for new images. Defaults to 300 seconds (5 minutes).
  • --schedule, -s Cron expression in 6 fields (rather than the traditional 5) which defines when and how often to check for new images. Either --interval or the schedule expression could be defined, but not both. An example: --schedule "0 0 4 * * *"
  • --no-pull Do not pull new images. When this flag is specified, watchtower will not attempt to pull new images from the registry. Instead it will only monitor the local image cache for changes. Use this option if you are building new images directly on the Docker host without pushing them to a registry.
  • --stop-timeout Timeout before the container is forcefully stopped. When set, this option will change the default (10s) wait time to the given value. An example: --stop-timeout 30s will set the timeout to 30 seconds.
  • --label-enable Watch containers where the com.centurylinklabs.watchtower.enable label is set to true.
  • --cleanup Remove old images after updating. When this flag is specified, watchtower will remove the old image after restarting a container with a new image. Use this option to prevent the accumulation of orphaned images on your system as containers are updated.
  • --tlsverify Use TLS when connecting to the Docker socket and verify the server's certificate.
  • --debug Enable debug mode. When this option is specified you'll see more verbose logging in the watchtower log file.
  • --monitor-only Will only monitor for new images, not update the containers.
  • --help Show documentation about the supported flags.

See below for options used to configure notifications.

Linked Containers

Watchtower will detect if there are links between any of the running containers and ensure that things are stopped/started in a way that won't break any of the links. If an update is detected for one of the dependencies in a group of linked containers, watchtower will stop and start all of the containers in the correct order so that the application comes back up correctly.

For example, imagine you were running a mysql container and a wordpress container which had been linked to the mysql container. If watchtower were to detect that the mysql container required an update, it would first shut down the linked wordpress container followed by the mysql container. When restarting the containers it would handle mysql first and then wordpress to ensure that the link continued to work.

Stopping Containers

When watchtower detects that a running container needs to be updated it will stop the container by sending it a SIGTERM signal. If your container should be shutdown with a different signal you can communicate this to watchtower by setting a label named com.centurylinklabs.watchtower.stop-signal with the value of the desired signal.

This label can be coded directly into your image by using the LABEL instruction in your Dockerfile:

LABEL com.centurylinklabs.watchtower.stop-signal="SIGHUP"

Or, it can be specified as part of the docker run command line:

docker run -d --label=com.centurylinklabs.watchtower.stop-signal=SIGHUP someimage

Selectively Watching Containers

By default, watchtower will watch all containers. However, sometimes only some containers should be updated.

If you need to exclude some containers, set the com.centurylinklabs.watchtower.enable label to false.

LABEL com.centurylinklabs.watchtower.enable="false"

Or, it can be specified as part of the docker run command line:

docker run -d --label=com.centurylinklabs.watchtower.enable=false someimage

If you need to only include only some containers, pass the --label-enable flag on startup and set the com.centurylinklabs.watchtower.enable label with a value of true for the containers you want to watch.

LABEL com.centurylinklabs.watchtower.enable="true"

Or, it can be specified as part of the docker run command line:

docker run -d --label=com.centurylinklabs.watchtower.enable=true someimage

Remote Hosts

By default, watchtower is set-up to monitor the local Docker daemon (the same daemon running the watchtower container itself). However, it is possible to configure watchtower to monitor a remote Docker endpoint. When starting the watchtower container you can specify a remote Docker endpoint with either the --host flag or the DOCKER_HOST environment variable:

docker run -d \
  --name watchtower \
  containrrr/watchtower --host "tcp://"


docker run -d \
  --name watchtower \
  -e DOCKER_HOST="tcp://" \

Note in both of the examples above that it is unnecessary to mount the /var/run/docker.sock into the watchtower container.

Secure Connections

Watchtower is also capable of connecting to Docker endpoints which are protected by SSL/TLS. If you've used docker-machine to provision your remote Docker host, you simply need to volume mount the certificates generated by docker-machine into the watchtower container and optionally specify --tlsverify flag.

The docker-machine certificates for a particular host can be located by executing the docker-machine env command for the desired host (note the values for the DOCKER_HOST and DOCKER_CERT_PATH environment variables that are returned from this command). The directory containing the certificates for the remote host needs to be mounted into the watchtower container at /etc/ssl/docker.

With the certificates mounted into the watchtower container you need to specify the --tlsverify flag to enable verification of the certificate:

docker run -d \
  --name watchtower \
  -e DOCKER_CERT_PATH=/etc/ssl/docker \
  -v $DOCKER_CERT_PATH:/etc/ssl/docker \
  containrrr/watchtower --tlsverify

Updating Watchtower

If watchtower is monitoring the same Docker daemon under which the watchtower container itself is running (i.e. if you volume-mounted /var/run/docker.sock into the watchtower container) then it has the ability to update itself. If a new version of the containrrr/watchtower image is pushed to the Docker Hub, your watchtower will pull down the new image and restart itself automatically.


Watchtower can send notifications when containers are updated. Notifications are sent via hooks in the logging system, logrus. The types of notifications to send are passed via the comma-separated option --notifications (or corresponding environment variable WATCHTOWER_NOTIFICATIONS), which has the following valid values:

  • email to send notifications via e-mail
  • slack to send notifications through a Slack webhook
  • msteams to send notifications via MSTeams webhook


  • --notifications-level (env. WATCHTOWER_NOTIFICATIONS_LEVEL): Controls the log level which is used for the notifications. If omitted, the default log level is info. Possible values are: panic, fatal, error, warn, info or debug.

Notifications via E-Mail

To receive notifications by email, the following command-line options, or their corresponding environment variables, can be set:

  • --notification-email-from (env. WATCHTOWER_NOTIFICATION_EMAIL_FROM): The e-mail address from which notifications will be sent.
  • --notification-email-to (env. WATCHTOWER_NOTIFICATION_EMAIL_TO): The e-mail address to which notifications will be sent.
  • --notification-email-server (env. WATCHTOWER_NOTIFICATION_EMAIL_SERVER): The SMTP server to send e-mails through.
  • --notification-email-server-tls-skip-verify (env. WATCHTOWER_NOTIFICATION_EMAIL_SERVER_TLS_SKIP_VERIFY): Do not verify the TLS certificate of the mail server. This should be used only for testing.
  • --notification-email-server-port (env. WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT): The port used to connect to the SMTP server to send e-mails through. Defaults to 25.
  • --notification-email-server-user (env. WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER): The username to authenticate with the SMTP server with.
  • --notification-email-server-password (env. WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD): The password to authenticate with the SMTP server with.


docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e \
  -e \
  -e \
  -e \

Notifications through Slack webhook

To receive notifications in Slack, add slack to the --notifications option or the WATCHTOWER_NOTIFICATIONS environment variable.

Additionally, you should set the Slack webhook url using the --notification-slack-hook-url option or the WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL environment variable.

By default, watchtower will send messages under the name watchtower, you can customize this string through the --notification-slack-identifier option or the WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER environment variable.

Other, optional, variables include:

  • --notification-slack-channel (env. WATCHTOWER_NOTIFICATION_SLACK_CHANNEL): A string which overrides the webhook's default channel. Example: #my-custom-channel.
  • --notification-slack-icon-emoji (env. WATCHTOWER_NOTIFICATION_SLACK_ICON_EMOJI): An emoji code string to use in place of the default icon.
  • --notification-slack-icon-url (env. WATCHTOWER_NOTIFICATION_SLACK_ICON_URL): An icon image URL string to use in place of the default icon.


docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \

Notifications via MSTeams incoming webhook

To receive notifications in MSTeams channel, add msteams to the --notifications option or the WATCHTOWER_NOTIFICATIONS environment variable.

Additionally, you should set the MSTeams webhook url using the --notification-msteams-hook option or the WATCHTOWER_NOTIFICATION_MSTEAMS_HOOK_URL environment variable.

MSTeams notifier could send keys/values filled by log.WithField or log.WithFields as MSTeams message facts. To enable this feature add --notification-msteams-data flag or set WATCHTOWER_NOTIFICATION_MSTEAMS_USE_LOG_DATA=true environment variable.


docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
You can’t perform that action at this time.