watchtower

command module
v1.12.2 Latest

Warning: this package is not in the latest version of its module.
Published: Apr 20, 2026 License: Apache-2.0 Imports: 2 Imported by: 0

README

Watchtower — the maintained fork

Automatic base-image updates for Docker containers. A drop-in replacement for containrrr/watchtower, which is no longer maintained upstream.


Documentation · Why this fork? · Changelog

TL;DR

  • What it is: a small Go daemon that polls the Docker socket, checks registries for new image digests, and recreates stale containers with the same config (volumes, networks, env, command).
  • Who it's for: homelabs, self-hosted stacks, media centers, dev environments — anywhere a running Kubernetes cluster would be overkill.
  • Who it's not for: production workloads that need staged rollouts, canaries, or rollback. Use Kubernetes (or k3s / MicroK8s) for that.
  • Images: docker.io/openserbia/watchtower and ghcr.io/openserbia/watchtower (multi-arch: amd64, arm64, arm/v6, arm/v7, 386, riscv64).
  • Module path: github.com/openserbia/watchtower.

Quick start

Requirements: Docker Engine 20.10 or newer. Watchtower auto-negotiates the API version, so older daemons may work but aren't tested.

docker run --detach \
    --name watchtower \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    openserbia/watchtower

That's it — Watchtower polls every 24h by default and updates any container it can see. To scope it, opt containers in with a label:

docker run --label com.centurylinklabs.watchtower.enable=true my-app:latest
docker run -v /var/run/docker.sock:/var/run/docker.sock \
    openserbia/watchtower --label-enable
The equivalent docker-compose service:
services:
  watchtower:
    image: openserbia/watchtower:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - --interval=60
      - --cleanup
      - --label-enable

Full flag reference, notification setup, lifecycle hooks, HTTP API, and metrics all live on the docs site.

Why this fork

containrrr/watchtower stopped accepting changes in late 2024. This fork keeps it alive with a modern toolchain (Go 1.26, golangci-lint v2, Devbox-pinned CI) and extends the same feature set across four axes:

  • Fixes real-world upstream bugs left unmerged when the project was archived — #966 (--cleanup deletes the replacement image), #1217 (nil-pointer panic on GC'd source image), #1413 (No such image loop that wedges the container).
  • Safer updates — opt-in --health-check-gated waits for the replacement container to report healthy and automatically rolls back to the previous image on failure, with per-container label overrides and a post-rollback cooldown that prevents thrash.
  • Hardened network layer — bounded exponential backoff on registry flakes, an in-memory bearer-token cache, strict TLS by default (removing upstream's blanket InsecureSkipVerify), constant-time bearer-token comparison, and opt-in --insecure-registry / --registry-ca-bundle for self-signed registries.
  • Operational visibility — ship-ready Grafana dashboard + Prometheus alerts, a GET /v1/audit JSON endpoint for post-deploy verification, --http-api-metrics-no-auth for trusted-network scraping, and ~20 new metrics covering every HTTP-facing surface (request counts by status/endpoint/host/outcome, retry counters, Docker API errors, bearer-cache hit rate, poll-duration histogram, and more).
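The "bounded exponential backoff on registry flakes" item above is the kind of retry loop a registry client needs so one flaky manifest or token response neither wedges an image for a whole poll interval nor turns into an unbounded retry storm. The following is an added example written for this page, not code from the fork's pkg/registry/retry package: RetryPolicy, retryable, newFlakyRegistry and the manifest path are assumptions, and the httptest server is a constructed stand-in for a registry.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// RetryPolicy bounds the backoff: at most MaxAttempts tries, delays of
// Base*2^attempt capped at Cap, with full jitter so many instances hitting
// the same registry do not retry in lockstep. (Assumed type, not the fork's.)
type RetryPolicy struct {
	MaxAttempts int
	Base        time.Duration
	Cap         time.Duration
	Sleep       func(time.Duration) // nil means time.Sleep; injectable for tests
}

// ErrAttemptsExhausted is returned when every attempt failed transiently.
var ErrAttemptsExhausted = errors.New("retry: attempts exhausted")

// retryable reports whether a registry answer is worth another try: transport
// errors, 429 and 5xx are transient; 401/403/404 are definitive answers from
// the registry and retrying them only adds load without changing the outcome.
func retryable(resp *http.Response, err error) bool {
	if err != nil {
		return true
	}
	return resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode >= 500
}

// delay returns the jittered wait after a failed attempt, never above Cap.
func (p RetryPolicy) delay(attempt int) time.Duration {
	d := p.Base << uint(attempt)
	if d <= 0 || d > p.Cap { // d <= 0 catches shift overflow for large attempt
		d = p.Cap
	}
	return time.Duration(rand.Int63n(int64(d) + 1)) // uniform in [0, d]
}

// Do sends req, retrying transient failures under the policy. It returns the
// final response (caller closes the body), the number of attempts made, and a
// wrapped ErrAttemptsExhausted when the budget runs out. Only bodiless requests
// (GET/HEAD manifest and token calls) are safe to replay this way.
func (p RetryPolicy) Do(ctx context.Context, client *http.Client, req *http.Request) (*http.Response, int, error) {
	sleep := p.Sleep
	if sleep == nil {
		sleep = time.Sleep
	}
	lastStatus := 0
	var lastErr error
	for attempt := 0; attempt < p.MaxAttempts; attempt++ {
		resp, err := client.Do(req.Clone(ctx))
		if !retryable(resp, err) {
			return resp, attempt + 1, nil
		}
		lastErr = err
		if resp != nil {
			lastStatus = resp.StatusCode
			resp.Body.Close() // release the connection before retrying
		}
		if attempt+1 < p.MaxAttempts {
			if ctx.Err() != nil {
				return nil, attempt + 1, ctx.Err()
			}
			sleep(p.delay(attempt))
		}
	}
	if lastErr != nil {
		return nil, p.MaxAttempts, fmt.Errorf("%w: last error: %v", ErrAttemptsExhausted, lastErr)
	}
	return nil, p.MaxAttempts, fmt.Errorf("%w: last status %d", ErrAttemptsExhausted, lastStatus)
}

// newFlakyRegistry is a constructed stand-in for a registry manifest endpoint:
// it answers the first `failures` requests with failStatus, then 200.
func newFlakyRegistry(failures int, failStatus int) *httptest.Server {
	var n int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&n, 1) <= int32(failures) {
			w.WriteHeader(failStatus)
			return
		}
		w.Header().Set("Docker-Content-Digest", "sha256:constructed-digest")
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := newFlakyRegistry(2, http.StatusServiceUnavailable)
	defer srv.Close()
	policy := RetryPolicy{MaxAttempts: 4, Base: 200 * time.Millisecond, Cap: 5 * time.Second,
		Sleep: func(time.Duration) {}} // no real waiting in the demo
	req, _ := http.NewRequest(http.MethodHead, srv.URL+"/v2/library/example/manifests/latest", nil)
	resp, attempts, err := policy.Do(context.Background(), srv.Client(), req)
	if err != nil {
		fmt.Println("gave up:", err)
		return
	}
	defer resp.Body.Close()
	fmt.Printf("status %d after %d attempts, digest %s\n", resp.StatusCode, attempts,
		resp.Header.Get("Docker-Content-Digest"))
}
```

Two design points matter more than the arithmetic: the retry classification, which refuses to retry 401/403/404 so an authentication or tag problem surfaces immediately instead of being masked as a flake, and the cap plus jitter, which keeps a fleet of pollers from synchronising their retries against a registry that is already struggling.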

Drop-in compatible — same CLI flags, labels (com.centurylinklabs.watchtower.*), HTTP API, and notification backends. Swap the image name and you're done. Migration diff, full comparison table, and roadmap: Why this fork?.

Verifying a release

# Binary checksums
sha256sum -c watchtower_<version>_checksums.txt --ignore-missing

# Image provenance
docker inspect openserbia/watchtower:latest \
    --format '{{ index .Config.Labels "org.opencontainers.image.revision" }}'
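The checksum step above relies on --ignore-missing, which skips entries for artifacts you did not download but still fails the run if a present file mismatches or if nothing at all was verified. The following is an added example written for this page, not the project's release tooling: it implements the same rules over the GNU sha256sum line format in Go, and the artifact names, bytes and the X.Y.Z version placeholder are constructed for the demo.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// VerifyResult summarises one pass over a sha256sum-style checksums file.
type VerifyResult struct {
	Verified []string // listed files that were present and matched
	Missing  []string // listed files absent from dir (skipped, as --ignore-missing does)
}

var (
	ErrMismatch     = errors.New("checksum mismatch")
	ErrNoneVerified = errors.New("no file was verified")
	ErrMalformed    = errors.New("malformed checksums line")
)

// parseLine accepts the GNU coreutils format: 64 hex digits, then either two
// spaces (text mode) or " *" (binary mode), then the file name.
func parseLine(line string) ([]byte, string, error) {
	if len(line) < 67 || line[64] != ' ' || (line[65] != ' ' && line[65] != '*') {
		return nil, "", fmt.Errorf("%w: %q", ErrMalformed, line)
	}
	sum, err := hex.DecodeString(line[:64])
	if err != nil {
		return nil, "", fmt.Errorf("%w: %q", ErrMalformed, line)
	}
	name := line[66:]
	// Release checksum files list bare artifact names; a path component would
	// let a hostile checksums file steer verification outside the download dir.
	if name == "." || name == ".." || filepath.Base(name) != name {
		return nil, "", fmt.Errorf("%w: unexpected path %q", ErrMalformed, name)
	}
	return sum, name, nil
}

// fileSHA256 streams the file through SHA-256 instead of loading it into memory.
func fileSHA256(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// VerifyChecksums mirrors `sha256sum -c --ignore-missing`: absent files are
// skipped, a present file that mismatches fails the run, and a run in which
// nothing was verified fails too, so a misspelled download cannot pass by
// simply being ignored.
func VerifyChecksums(checksumsPath, dir string) (VerifyResult, error) {
	var res VerifyResult
	f, err := os.Open(checksumsPath)
	if err != nil {
		return res, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if strings.TrimSpace(line) == "" {
			continue
		}
		want, name, err := parseLine(line)
		if err != nil {
			return res, err
		}
		got, err := fileSHA256(filepath.Join(dir, name))
		if errors.Is(err, os.ErrNotExist) {
			res.Missing = append(res.Missing, name)
			continue
		}
		if err != nil {
			return res, err
		}
		if !bytes.Equal(want, got) {
			return res, fmt.Errorf("%w: %s", ErrMismatch, name)
		}
		res.Verified = append(res.Verified, name)
	}
	if err := sc.Err(); err != nil {
		return res, err
	}
	if len(res.Verified) == 0 {
		return res, ErrNoneVerified
	}
	return res, nil
}

// writeConstructedRelease builds a fake download directory: one present artifact
// with its real digest plus an entry for an artifact that was not downloaded.
func writeConstructedRelease(dir string) (string, error) {
	present := filepath.Join(dir, "watchtower_X.Y.Z_linux_amd64.tar.gz")
	if err := os.WriteFile(present, []byte("constructed release bytes\n"), 0o644); err != nil {
		return "", err
	}
	sum, err := fileSHA256(present)
	if err != nil {
		return "", err
	}
	checks := filepath.Join(dir, "watchtower_X.Y.Z_checksums.txt")
	content := hex.EncodeToString(sum) + "  watchtower_X.Y.Z_linux_amd64.tar.gz\n" +
		strings.Repeat("ab", 32) + "  watchtower_X.Y.Z_linux_arm64.tar.gz\n"
	return checks, os.WriteFile(checks, []byte(content), 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "wt-verify")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	checks, err := writeConstructedRelease(dir)
	if err != nil {
		panic(err)
	}
	res, err := VerifyChecksums(checks, dir)
	fmt.Printf("verified=%v missing=%v err=%v\n", res.Verified, res.Missing, err)
}
```

The "no file was verified" failure is the part worth keeping in mind when scripting the shell command: a checksums file that lists none of the files you actually have is a silent no-op unless the exit status is checked, so always act on it rather than on the absence of a FAILED line.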

Security

Report vulnerabilities via GitHub Security Advisories — this opens a private thread with the maintainers. Please do not file public issues for security bugs. See SECURITY.md for scope and policy.

Contributing

devbox shell                 # reproducible toolchain (Go 1.26, golangci-lint v2, go-task)
devbox run -- task lint      # 0 findings required
devbox run -- task test      # Ginkgo suites with -race
devbox run -- task build     # ./build/watchtower

See CONTRIBUTING.md for PR expectations and CLAUDE.md for an architectural tour tuned for AI coding assistants (and handy for humans too).

License

Apache 2.0. Originally © containrrr authors; fork maintained under the same license. See LICENSE.md.

Documentation

Overview

Package main is the watchtower entry point. It delegates to the Cobra command tree in cmd.

Directories

Path: Synopsis
cmd: Package cmd contains the watchtower (sub-)commands.
internal/actions: Package actions orchestrates the high-level watchtower update flow: listing containers, running sanity and duplicate-instance checks, and driving the stop/start sequence through pkg/container.
internal/events: Package events bridges Docker engine image events to targeted watchtower scans, so local `docker build` / `docker load` rebuilds trigger an update without waiting for the next scheduled poll.
internal/flags: Package flags defines watchtower's CLI flag set and the viper-backed environment-variable bindings that accompany it.
internal/meta: Package meta holds build-time metadata populated via -ldflags.
internal/util: Package util contains small utility helpers shared across watchtower.
pkg/api: Package api hosts the HTTP control-plane for watchtower (token auth, /v1/update, /v1/metrics).
pkg/api/audit: Package audit exposes the HTTP handler for the /v1/audit endpoint.
pkg/api/metrics: Package metrics exposes the Prometheus /v1/metrics HTTP handler.
pkg/api/update: Package update exposes the HTTP handler for the /v1/update API endpoint.
pkg/container: Package container contains code related to dealing with Docker containers.
pkg/filters: Package filters composes container predicates for selecting update targets.
pkg/lifecycle: Package lifecycle runs user-defined pre/post check and update commands (configured via com.centurylinklabs.watchtower.lifecycle.* labels) inside target containers.
pkg/metrics: Package metrics collects watchtower scan statistics and exports them via prometheus counters/gauges consumed by the /v1/metrics API.
pkg/notifications: Package notifications sends watchtower session outcomes through shoutrrr (and legacy email/slack/msteams/gotify shims) using configurable templates.
pkg/notifications/templates: Package templates contains the text/template function map used by notification templates.
pkg/registry: Package registry authenticates to container image registries and resolves remote image digests used by the stale-check logic.
pkg/registry/auth: Package auth handles registry authentication and bearer-token challenges.
pkg/registry/digest: Package digest compares the current image digest to the latest one published in the registry to decide whether a container is stale.
pkg/registry/helpers: Package helpers holds registry-address resolution helpers shared across the registry sub-packages.
pkg/registry/manifest: Package manifest builds registry manifest URLs for digest lookups.
pkg/registry/retry: Package retry wraps registry HTTP requests in a bounded exponential backoff so a single flaky oauth/manifest response doesn't wedge an image for a full poll interval.
pkg/registry/transport: Package transport builds the http.Client used for registry API calls.
pkg/session: Package session tracks container state and outcomes for a single watchtower update run.
pkg/sorter: Package sorter topologically orders containers by their declared depends-on and links graph so updates happen in a safe order.
pkg/types: Package types defines the data-transfer and interface types shared across watchtower packages.
