- cross-posted to:
- docker@lemmy.world
cross-posted from: https://lemmy.world/post/26728988
Hi - I’m rebuilding my homelab and want to give docker compose another try. It looks like Watchtower is years out of date now. I see two forks that look more promising per https://techgaun.github.io/active-forks/index.html#https://github.com/containrrr/watchtower
These two: https://github.com/beatkind/watchtower https://github.com/nicholas-fedor/watchtower
The former seems to have more activity. What are you all using?
Those of you self hosters who use watchtower, what’s your use case?
I use it to auto update nginx and haproxy containers, since they adhere very well to semver there is very little risk of breakage if you use the correct tag and not just :latest. I haven’t had a single issue in many years, and it’s nice to know that I’ll get critical security updates within 24h of images being pushed.
I only let it notify me about updates. I don’t want auto-updates, because some projects may have breaking changes (looking at you, Immich 😁)
I get a message from watchtower over Gotify and then I can read the changelog
I just use RSS for this ¯\_(ツ)_/¯
I’ve been thinking about this. Can you do that with watchtower? Don’t need diem or anything?
It is very easy. Here is my compose:
```yaml
services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
    command: --interval 10800   # check every 3 hours (seconds)
    logging:
      driver: local
    environment:
      WATCHTOWER_NOTIFICATION_URL: gotify://   # shoutrrr URL; host and token left out of the post
      WATCHTOWER_NOTIFICATIONS_HOSTNAME: Fancy name
      WATCHTOWER_MONITOR_ONLY: "true"          # quoted so Compose passes a string, not a YAML boolean
      WATCHTOWER_WARN_ON_HEAD_FAILURE: never
```
Every 3 hours it will check for updates, send a message via Gotify and pull the new images. It will not restart the containers with the new images.
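The check-and-notify step that monitor-only mode performs, written out as an added stand-alone example (not from the thread and not Watchtower's own code): ask the registry which digest it currently serves for a tag, compare it with the digest recorded locally, and post to Gotify when they differ. It assumes Docker Hub with an anonymous pull token, and a Gotify base URL and app token that you supply.

```python
import json
import urllib.request

# Accept the index/list types so the digest matches what `docker pull` records in RepoDigests.
ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
])


def parse_reference(ref: str) -> tuple[str, str]:
    """Split a Docker Hub reference such as 'nginx:1.27' into (repository, tag)."""
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:          # no tag given, or the colon belonged to a host:port
        name, tag = ref, "latest"
    if "/" not in name:                # official images live under library/
        name = "library/" + name
    return name, tag


def remote_digest(repo: str, tag: str) -> str:
    """Digest the registry serves for repo:tag; HEAD returns headers only, nothing is downloaded."""
    tok_url = f"https://auth.docker.io/token?service=registry.docker.io&scope=repository:{repo}:pull"
    with urllib.request.urlopen(tok_url) as r:
        token = json.load(r)["token"]
    req = urllib.request.Request(
        f"https://registry-1.docker.io/v2/{repo}/manifests/{tag}", method="HEAD",
        headers={"Authorization": f"Bearer {token}", "Accept": ACCEPT})
    with urllib.request.urlopen(req) as r:
        return r.headers["Docker-Content-Digest"]


def update_available(repo_digests: list[str], remote: str) -> bool:
    """Compare `docker image inspect --format '{{json .RepoDigests}}'` entries ('nginx@sha256:...')
    with the registry digest. A locally built image has no registry digest, so report no update."""
    local = {d.split("@", 1)[1] for d in repo_digests if "@" in d}
    return bool(local) and remote not in local


def notify_gotify(base_url: str, app_token: str, title: str, message: str) -> int:
    """POST a message to Gotify's /message endpoint; returns the HTTP status code."""
    body = json.dumps({"title": title, "message": message, "priority": 5}).encode()
    req = urllib.request.Request(f"{base_url}/message?token={app_token}", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as r:
        return r.status


if __name__ == "__main__":   # live check (needs network); constructed local digest for illustration
    repo, tag = parse_reference("nginx:1.27")
    if update_available(["nginx@sha256:" + "0" * 64], remote_digest(repo, tag)):
        print(f"{repo}:{tag} has a newer image; read the changelog before restarting")
```

Wire `notify_gotify()` into the `__main__` branch with your own server URL and token to get the same message Watchtower would send, without restarting anything.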
Is it possible to have it auto update say one container and notify the rest?
No, because MONITOR_ONLY is for all
Honestly I think this might be a better way than what I’m using now. I’ve subbed to dockerrelease.io and releasealert.dev … get spammed all day everyday because the devs keep pushing all sorts of updates to old branches… or because those sites aren’t configured well.
Automatic updates. Works like a dream. Depending on what you are running it can obviously cause issues, either server-side breakage or server/client communication issues.
ADHD and not technical by trade so it’s not in my DNA to remember
Use Renovate instead; it supports Dockerfiles.
Years out of date
What problems does it have? Never ran into an issue for my usecase.
I don’t know. Last time I used it was maintained. Seems like a security vulnerability running something this critical out of date, no?
Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?
The attack vector seems very narrow to me. It checks the container registry, downloads the containers and runs some docker commands.
It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download), the secure connection used to download the containers (HTTPS is quite stable), or something on the server side.
Also the project does not really look that abandoned to me.
EDIT: So I have not checked this, but Watchtower is probably using Docker for most steps anyway? So basically the only thing that could be attacked is via the notifications Watchtower is sending?
The first one also has better code coverage and way more pulls on Docker Hub.