README
¶
Watchtower — the maintained fork
Automatic base-image updates for Docker containers.
A drop-in replacement for containrrr/watchtower, which is no longer maintained upstream.
TL;DR
- What it is: a small Go daemon that polls the Docker socket, checks registries for new image digests, and recreates stale containers with the same config (volumes, networks, env, command).
- Who it's for: homelabs, self-hosted stacks, media centers, dev environments — anywhere a running Kubernetes cluster would be overkill.
- Who it's not for: production workloads that need staged rollouts, canaries, or rollback. Use Kubernetes (or k3s / MicroK8s) for that.
- Images:
docker.io/openserbia/watchtowerandghcr.io/openserbia/watchtower(multi-arch: amd64, arm64v8, armhf, i386). - Go module path:
github.com/openserbia/watchtower.
Quick start
docker run --detach \
--name watchtower \
--volume /var/run/docker.sock:/var/run/docker.sock \
openserbia/watchtower
That's it — Watchtower will poll every 24h by default and update any container it can see. To scope it, label the containers you want managed:
docker run --label com.centurylinklabs.watchtower.enable=true my-app:latest
docker run -v /var/run/docker.sock:/var/run/docker.sock \
openserbia/watchtower --label-enable
Common flags you'll reach for: --interval 60, --cleanup, --label-enable, --http-api-metrics, --notification-url. Run docker run --rm openserbia/watchtower --help for the full list, or see the docs site — the flag surface is still compatible with upstream.
Why this fork
containrrr/watchtower is the de-facto Docker auto-updater, but the upstream repository stopped accepting changes in late 2024. This fork exists to keep it alive with a modern toolchain and fixes driven by real-world homelab usage.
containrrr/watchtower |
openserbia/watchtower |
|
|---|---|---|
| Maintenance status | Archived / unmaintained | Active |
| Go version | 1.20 | 1.26 |
| Linter | golangci-lint v1 | golangci-lint v2 (gofumpt + gci) |
| Dev environment | Ad-hoc | Devbox-pinned (reproducible, matches CI) |
| Module path | github.com/containrrr/watchtower |
github.com/openserbia/watchtower |
| Dependency updates | Stale | Tracked via Dependabot |
| CI | Travis-era workflows | Devbox + go-task on GitHub Actions |
| Knowledge graph for contributors | — | code-review-graph MCP support wired in |
Drop-in compatible: same CLI flags, same labels (com.centurylinklabs.watchtower.*), same HTTP API endpoints, same notification backends (shoutrrr, email, Slack, MS Teams, Gotify). Swap the image name and you're done.
Known rough edges (fork roadmap)
This fork tracks a running deployment (Timeweb private registry, ~13 watched images, 60s poll) and collects fixes for behaviors that bite in that setup. Contributions welcome on any of these:
- No retry-with-backoff on registry auth flakes. When the registry's oauth endpoint returns a transient 403/404, Watchtower logs
no available image info. Proceeding to next.and waits for the next poll with an identical request — no exponential backoff, no per-repository circuit breaker. A flaky registry can wedge a single image for minutes while manualdocker pullsucceeds instantly. - Pull failures logged at
info, noterror.WATCHTOWER_NOTIFICATIONS_LEVEL=errorsilently swallows repeated failed pulls for a single container. Neither Watchtower nor a success-only event watcher notifies on a stuck-in-failure loop. - No self-metrics wired up by default. Prometheus metrics exist (
WATCHTOWER_HTTP_API_METRICS=true+ token) but nothing ships ready-to-scrape. Alerts likescanned > 0 AND updated == 0 AND image_age > N dayswould catch the failure modes above automatically. - Label-based opt-in is fail-open. A new service without
com.centurylinklabs.watchtower.enable=trueis silently ignored — no security updates, no warning. Indistinguishable from intentional exclusions (databases, stateful stuff). A "tracked by neither Watchtower nor an allowlist" audit would help. - Races with manual compose deploys.
docker compose pullbetween two polls can leave Watchtower's cached container ID pointing at a ghost, producingNo such containeratlevel=error. Benign but noisy enough to drown real failures. :latesteverywhere means a broken upstream push reaches prod in one poll interval. Not a fork bug — a deliberate tradeoff in Watchtower's design — but worth calling out so users opt in consciously.
Documentation
Full user docs (flags, labels, notifications, lifecycle hooks, HTTP API) still live at https://containrrr.dev/watchtower and apply to this fork unchanged. The source for those docs is in docs/ — we rebuild them from this repo via mkdocs when anything diverges.
Contributing
devbox shell # reproducible toolchain (Go 1.26, golangci-lint v2, go-task)
devbox run -- task lint # 0 findings required
devbox run -- task test # Ginkgo v1 suites
devbox run -- task build # ./build/watchtower
See CONTRIBUTING.md for PR expectations and CLAUDE.md for an architectural tour tuned for AI coding assistants (and handy for humans too).
License
Apache 2.0. Originally © containrrr authors; fork maintained under the same license. See LICENSE.md.
Documentation
¶
Overview ¶
Package main is the watchtower entry point. It delegates to the Cobra command tree in cmd.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package cmd contains the watchtower (sub-)commands
|
Package cmd contains the watchtower (sub-)commands |
|
internal
|
|
|
actions
Package actions orchestrates the high-level watchtower update flow: listing containers, running sanity and duplicate-instance checks, and driving the stop/start sequence through pkg/container.
|
Package actions orchestrates the high-level watchtower update flow: listing containers, running sanity and duplicate-instance checks, and driving the stop/start sequence through pkg/container. |
|
flags
Package flags defines watchtower's CLI flag set and the viper-backed environment-variable bindings that accompany it.
|
Package flags defines watchtower's CLI flag set and the viper-backed environment-variable bindings that accompany it. |
|
meta
Package meta holds build-time metadata populated via -ldflags.
|
Package meta holds build-time metadata populated via -ldflags. |
|
util
Package util contains small utility helpers shared across watchtower.
|
Package util contains small utility helpers shared across watchtower. |
|
pkg
|
|
|
api
Package api hosts the HTTP control-plane for watchtower (token auth, /v1/update, /v1/metrics).
|
Package api hosts the HTTP control-plane for watchtower (token auth, /v1/update, /v1/metrics). |
|
api/metrics
Package metrics exposes the Prometheus /v1/metrics HTTP handler.
|
Package metrics exposes the Prometheus /v1/metrics HTTP handler. |
|
api/update
Package update exposes the HTTP handler for the /v1/update API endpoint.
|
Package update exposes the HTTP handler for the /v1/update API endpoint. |
|
container
Package container contains code related to dealing with docker containers
|
Package container contains code related to dealing with docker containers |
|
filters
Package filters composes container predicates for selecting update targets.
|
Package filters composes container predicates for selecting update targets. |
|
lifecycle
Package lifecycle runs user-defined pre/post check and update commands (configured via com.centurylinklabs.watchtower.lifecycle.* labels) inside target containers.
|
Package lifecycle runs user-defined pre/post check and update commands (configured via com.centurylinklabs.watchtower.lifecycle.* labels) inside target containers. |
|
metrics
Package metrics collects watchtower scan statistics and exports them via prometheus counters/gauges consumed by the /v1/metrics API.
|
Package metrics collects watchtower scan statistics and exports them via prometheus counters/gauges consumed by the /v1/metrics API. |
|
notifications
Package notifications sends watchtower session outcomes through shoutrrr (and legacy email/slack/msteams/gotify shims) using configurable templates.
|
Package notifications sends watchtower session outcomes through shoutrrr (and legacy email/slack/msteams/gotify shims) using configurable templates. |
|
notifications/templates
Package templates contains the text/template function map used by notification templates.
|
Package templates contains the text/template function map used by notification templates. |
|
registry
Package registry authenticates to container image registries and resolves remote image digests used by the stale-check logic.
|
Package registry authenticates to container image registries and resolves remote image digests used by the stale-check logic. |
|
registry/auth
Package auth handles registry authentication and bearer-token challenges.
|
Package auth handles registry authentication and bearer-token challenges. |
|
registry/digest
Package digest compares the current image digest to the latest one published in the registry to decide whether a container is stale.
|
Package digest compares the current image digest to the latest one published in the registry to decide whether a container is stale. |
|
registry/helpers
Package helpers holds registry-address resolution helpers shared across the registry sub-packages.
|
Package helpers holds registry-address resolution helpers shared across the registry sub-packages. |
|
registry/manifest
Package manifest builds registry manifest URLs for digest lookups.
|
Package manifest builds registry manifest URLs for digest lookups. |
|
session
Package session tracks container state and outcomes for a single watchtower update run.
|
Package session tracks container state and outcomes for a single watchtower update run. |
|
sorter
Package sorter topologically orders containers by their declared depends-on and links graph so updates happen in a safe order.
|
Package sorter topologically orders containers by their declared depends-on and links graph so updates happen in a safe order. |
|
types
Package types defines the data-transfer and interface types shared across watchtower packages.
|
Package types defines the data-transfer and interface types shared across watchtower packages. |
Click to show internal directories.
Click to hide internal directories.