So last time, I was vehemently against using Watchtower to update my docker images. Like, it's a recipe for disaster: you end up with a Traefik that breaks because some configuration change broke it.
Or your homeassistant/zigbee2mqtt/mqtt is broken, and none of your lights work. And let's be real, a Smart Home is only good if everything actually works. But after doing the manual
```
docker compose pull && docker compose up -d
```
over and over, I was getting fed up with it. I wanted to stay bleeding edge, I want all the security updates and the bug fixes, and I don't want to constantly log into multiple machines over SSH, do the manual magic, and then check whether everything works (everything doesn't always work *winkwink*).
Notifications for the win
So what changed was that while browsing watchtower's notification options, I stumbled upon ntfy, and after some testing, gotify (I like the UI of gotify way more than the UI of ntfy). These gave me the push I wanted. If I could have a separate app on my phone that sends me a notification on anything that happens, then I would be OK with watchtower doing stuff behind the scenes.
I could get monitoring updates on images I want to update manually (Home Assistant, Omada Controller, etc), and I could auto-update lesser images, and hope everything works. But with notifications, it would give me the reminder, that hey, go and check that everything works.
```yaml
services:
  gotify:
    image: gotify/server:latest
    container_name: gotify
    restart: unless-stopped
    environment:
      - TZ=Europe/Helsinki
      - GOTIFY_SERVER_PORT=80
      - GOTIFY_SERVER_KEEPALIVEPERIODSECONDS=0
      - GOTIFY_SERVER_SSL_ENABLED=false
      - GOTIFY_SERVER_STREAM_PINGPERIODSECONDS=45
      - GOTIFY_DATABASE_DIALECT=sqlite3
      - GOTIFY_DATABASE_CONNECTION=data/gotify.db
      - GOTIFY_DEFAULTUSER_NAME=xxx
      - GOTIFY_DEFAULTUSER_PASS=xxx
      - GOTIFY_PASSSTRENGTH=10
      - GOTIFY_UPLOADEDIMAGESDIR=data/images
      - GOTIFY_PLUGINSDIR=data/plugins
      - GOTIFY_REGISTRATION=false
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./data:/app/data
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
```
So with gotify done, next it's time to give watchtower a spin. And yes, I think it's hilarious that watchtower can be set to update itself.
```yaml
services:
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    hostname: Duckpond
    volumes:
      # Note: even mounted read-only, the Docker socket gives this container full
      # control of the Docker daemon (and thereby the host), so keep it alone here.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - "TZ=Europe/Helsinki"
      - "WATCHTOWER_POLL_INTERVAL=3600" # Poll interval in seconds
      - "WATCHTOWER_INCLUDE_STOPPED=true" # Include stopped containers
      - "WATCHTOWER_INCLUDE_RESTARTING=true" # Will also include restarting containers
      - "WATCHTOWER_REVIVE_STOPPED=true" # Restart stopped containers
      - "WATCHTOWER_CLEANUP=true" # Delete unused images
      - "WATCHTOWER_LABEL_ENABLE=true" # Only include containers with the enable label
      - "WATCHTOWER_LIFECYCLE_HOOKS=true" # Enable pre/post-update scripts
      - "WATCHTOWER_NOTIFICATIONS_LEVEL=info"
      - "WATCHTOWER_NOTIFICATIONS=gotify"
      - "WATCHTOWER_NOTIFICATION_GOTIFY_URL=http://gotify"
      - "WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN=xxxx" # gotify application token (placeholder)
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
```
Happy times
So yes, this really makes my life a lot simpler. I don't have to stress about updating every single container, especially the ones that are exposed to the world (not that there is anything critical there, but it's the principle).
And I get to do some nifty security stuff also, since I added some nice cron scripts that notify me with:
- Someone logs into my VPS
- I have package updates that need to be run on any of my servers
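The cron/PAM scripts above, as an added example written for this post rather than the author's own scripts: one helper posts to the gotify server from the compose file, with one entry point for pending package updates (Debian/Ubuntu, via a dry-run `apt-get`) and one for SSH logins via `pam_exec`. It assumes `GOTIFY_URL` and `GOTIFY_TOKEN` (an application token, not the user password) are set in the environment, and the PAM line shown in the comment is an assumed setup.

```shell
#!/bin/sh
# Added example (not from the original post): a helper for the cron/PAM alerts
# described above, posting to the gotify server from the compose file.
# Assumptions: GOTIFY_URL and GOTIFY_TOKEN are set in the environment (an
# application token, not the user password), and curl and apt-get are present.

# Send one message through gotify's REST API (POST /message, X-Gotify-Key header).
gotify_send() {
    # $1 = title, $2 = message, $3 = priority (1-10, higher is louder)
    curl -sS -o /dev/null -X POST "${GOTIFY_URL%/}/message" \
        -H "X-Gotify-Key: ${GOTIFY_TOKEN}" \
        -F "title=$1" -F "message=$2" -F "priority=${3:-5}"
}

# Read the dry-run output of `apt-get -s dist-upgrade` on stdin and print the
# package name from every "Inst <pkg> [old] (new ...)" line, one per line.
pending_updates() {
    awk '$1 == "Inst" { print $2 }'
}

# Format a login alert from the variables pam_exec(8) exports to the script.
login_message() {
    printf '%s from %s via %s' \
        "${PAM_USER:-unknown}" "${PAM_RHOST:-local}" "${PAM_SERVICE:-unknown}"
}

# Entry points. cron runs `notify.sh updates` daily; sshd's PAM stack runs
# `notify.sh login` via a line such as (assumed setup, in /etc/pam.d/sshd):
#   session optional pam_exec.so /usr/local/bin/notify.sh login
case "${1:-}" in
    updates)
        pkgs=$(apt-get -s dist-upgrade 2>/dev/null | pending_updates)
        n=$(printf '%s\n' "$pkgs" | grep -c .)
        if [ "$n" -gt 0 ]; then
            gotify_send "$(uname -n): $n package update(s) pending" "$pkgs" 4
        fi
        ;;
    login)
        # pam_exec invokes the script for open_session and close_session; alert once.
        if [ "${PAM_TYPE:-}" = "open_session" ]; then
            gotify_send "SSH login on $(uname -n)" "$(login_message)" 7
        fi
        ;;
esac
```

Keep the script readable only by root, since it holds nothing but still runs inside the sshd PAM stack, and pass the token through a root-only environment file rather than the command line.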
So it's not just about docker containers, it's about everything in my network. And again, this is a separate app that I choose to run. It keeps the messages I receive separate from the machines and apps they come from, whatever I choose to run in my network.
Separation of concerns.