this post was submitted on 21 Mar 2026
36 points (97.4% liked)


What are you using to update your Docker images?

top 23 comments
[–] Brewchin@lemmy.world 3 points 23 hours ago

After too many wild rides with Watchtower auto-nuking services, thanks to breaking changes (migrations, DB updates, deployment changes, etc), I switched to What's Up Docker and pin the version for all of my containers.

WUD lets me know when something has an update, so I periodically go through their release notes and do the update(s) manually. Usually as simple as read the notes, change version in compose, down (or pull), then "up -d". But this approach has saved my bacon multiple times.

I've seen there are other solutions - of varying degrees of promises vs delivery - but most of my stuff is long term and stable. My approach maintains all that.
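Added example, not part of the thread or any commenter's setup: a small audit that lists which `image:` entries in a compose file are pinned (by version tag or digest) and which float on `latest` or no tag, as a check before adopting the pin-and-review workflow described above. The sample compose text, image names and tags are constructed, and the set of "floating" tag names is an assumption.

```python
import re

# Constructed sample compose file (image names and tags are illustrative only).
SAMPLE_COMPOSE = """\
services:
  app:
    image: registry.example/team/app:v1.4.2
  n8n:
    image: n8nio/n8n:latest
  proxy:
    image: registry.local:5000/caddy
  db:
    image: example/db:16.4@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  cache:
    image: "redis:7"   # quoted value with a trailing comment
"""

# Assumption: tag names treated as moving targets even though they are explicit.
FLOATING_TAGS = {"latest", "stable", "main", "nightly", "edge"}

# Line-based match of `image:` keys; this is not a full YAML parser.
IMAGE_LINE = re.compile(r"""^\s*image:\s*["']?([^\s"'#]+)""")


def classify(ref):
    """Return 'digest', 'tag' or 'floating' for one image reference."""
    name, _, digest = ref.partition("@")
    if digest.startswith("sha256:"):
        return "digest"
    # A ':' before the last '/' is a registry port, not a tag.
    last = name.rsplit("/", 1)[-1]
    _, sep, tag = last.partition(":")
    if not sep or tag in FLOATING_TAGS:
        return "floating"
    return "tag"  # note: a major-only tag such as 'redis:7' still moves


def audit(compose_text):
    """Map each image reference found in compose_text to its classification."""
    results = {}
    for line in compose_text.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            results[m.group(1)] = classify(m.group(1))
    return results


def floating_images(compose_text):
    """Sorted list of references an auto-updater could change without notice."""
    return sorted(r for r, kind in audit(compose_text).items() if kind == "floating")


if __name__ == "__main__":
    for ref, kind in audit(SAMPLE_COMPOSE).items():
        print(f"{kind:9} {ref}")
```
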

[–] Nibodhika@lemmy.world 3 points 1 day ago

I theoretically have Diun set up, but realistically I just run my Ansible playbook weekly and have most containers set to latest. The exceptions being things that sometimes need special steps when upgrading such as Immich or critical stuff I want special attention such as Authelia/Authentik, for those I subscribe to their releases via RSS so I can update them easily, which usually is just changing a value in my Ansible configuration, but if extra changes are needed I can adapt them.

I generally don't update automatically, I currently use WUD. It works fine for image checking and notifications and had no need to change it for now, but I am thinking of trying dockhand too.

[–] hoppolito@mander.xyz 1 points 21 hours ago

While I’m a big proponent of version pinning your critical services, if you’re running stuff in docker swarm shepherd is a solid service updater for the less critical things.

[–] sznowicki@lemmy.world 2 points 1 day ago

In reality for me it’s German CERT sending me emails that my n8n is again out of date with tons of CVEs.

[–] K3can@lemmy.radio 7 points 1 day ago

Quadlets. Auto update and auto rollback if the new image fails to start. Plus easier management overall, too.

[–] FrederikNJS@piefed.zip 11 points 1 day ago (1 children)

https://docs.renovatebot.com/

All my docker images are in code in Github.

Renovate makes a PR when there are image or helm chart updates.

ArgoCD sees the PR merge and applies to Kubernetes.

For a few special cases I use ArgoCD-image-updater.

[–] HybridSarcasm@lemmy.world 2 points 1 day ago

+1 for Renovate. It's not a drop-in replacement for Watchtower, but it allowed me to create a robust CI/CD pipeline. And, it can be centrally run, instead of having Watchtower running on every Docker host I have.

[–] frongt@lemmy.zip 11 points 1 day ago
[–] Peruvian_Skies@sh.itjust.works 8 points 1 day ago (3 children)

Dockhand can search for updates but you have to install them manually. Which I prefer anyway, plus Dockhand also replaced Portainer/Komodo for me.

[–] niisyth@lemmy.ca 2 points 21 hours ago

In the same boat but with Arcane

[–] badlotus@discuss.online 2 points 1 day ago (1 children)

Even better, Dockhand can send notifications when updates are available. I used to be a Watchtower user with nightly updates until one of my services became unavailable the next day due to a breaking change. Now I look at the update notification and apply manually through Dockhand after reviewing to make sure the update is good. Dockhand also can run Grype and/or Trivy vulnerability scans on new images so you know approximately how many CVEs you’re adding to your network with each new or updated container! 🤣 I liked Portainer a lot but have grown to like Dockhand a lot. I’m having some issues with updates and vulnerability scanning on Hawser nodes so I’ve also tried Komodo and Arcane. Not sure which I’ll end up with long-term, but Dockhand is my favorite overall. What’s your opinion on these tools? Have you run into any issues with Dockhand?

I haven't tried Arcane. I prefer Komodo's interface over Portainer but Portainer worked better for me. I was running Portainer and Dockpeek for updates but Dockhand has replaced both, and IMO the interface is even better than Komodo's. I'm still learning, there are features I don't know much about like stack management, which I still do manually.

[–] diminou@lemmy.zip 1 points 1 day ago (1 children)

You have an option to install them automatically in the settings or per container

[–] Peruvian_Skies@sh.itjust.works 2 points 19 hours ago

Good to know. Personally I prefer to review the changelogs before updating, though.

I'm using Komodo for deploying and auto updates.

[–] yardratianSoma@lemmy.ca 2 points 1 day ago

I use dockwatch, but not for automatic updates. I just update after reviewing the changelog and user reports.

[–] GreenKnight23@lemmy.world 1 points 1 day ago (1 children)

is there something wrong with watchtower I missed?

[–] Tywele@piefed.social 2 points 1 day ago

It’s not maintained anymore but there is a fork. Someone else posted the link.

[–] BlackEco@lemmy.blackeco.com 2 points 1 day ago

I'm thinking of using Dockcheck. It's not a drop-in replacement for Watchtower, but you probably can whip up a quick systemd service to run it.

[–] northernlights@lemmy.today 1 points 1 day ago

I just use my free portainer business for 3 nodes to show in the containers view which ones are outdated, and I check it regularly. Really wish there could be some kind of notification but oh well. I also follow the releases for all the projects I self host so I know when to check. Automating this makes me too nervous for comfort.

[–] irmadlad@lemmy.world 2 points 1 day ago

Never used it, but TugTainer. I use the fork of Watchtower and run it with '--run-once' '--cleanup'. You can run it and let it update your containers as soon as an update is available, but I just like to run it manually.

[–] eco_game@discuss.tchncs.de 1 points 1 day ago

I don't use it anymore as I switched to TrueNAS which has the functionality built in, but I used to use docking-station.