Best practices on updating/maintaining Docker containers
Docker containers are built from base images, which are essentially snapshots of a filesystem that include the operating system and additional installed packages. These base images are updated regularly to include security patches, bug fixes, and feature enhancements.
However, once a Docker container is built from a base image, it doesn’t automatically receive updates from its base image. This means that over time, containers can become outdated and vulnerable to security threats if not manually updated.
Docker Container Update Automation
Upgrading Docker containers to apply image updates is an essential task for ensuring the security, performance, and compatibility of containerized applications. By setting up methods and best practices, you can effectively manage container updates and keep your applications running smoothly on the latest software versions. Here’s a list of tools available to you for facilitating Docker container updates:
Watchtower
With Watchtower you can update the running version of your containerized app simply by pushing a new image to Docker Hub or your own image registry. Watchtower pulls down the new image, gracefully shuts down your existing container and restarts it with the same options that were used when it was deployed initially. It can monitor all containers on a host or only those explicitly specified, and it also supports notifications, which can alert you to the status of container updates through various channels such as email, Slack, or HTTP endpoints.
To install Watchtower

Using docker:

```shell
docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower
```

Using docker-compose:

```yaml
version: "3"
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      # The daemon socket gives Watchtower full control of the Docker host
      - /var/run/docker.sock:/var/run/docker.sock
```
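As an added example (not code from the original post or from the Watchtower project), this Python script performs the core check that Watchtower automates: compare each running container's image ID with the ID its tag currently resolves to in the local image store, and report the containers that were created from an older image. The sample records are constructed; `stale_on_this_host()` is a hypothetical helper that gathers the same fields from a live daemon through the docker CLI.

```python
import json
import subprocess


def normalize_ref(ref: str) -> str:
    """Append :latest when a reference has neither tag nor digest, as Docker does."""
    if "@" in ref or ":" in ref.rsplit("/", 1)[-1]:
        return ref
    return ref + ":latest"


def stale_containers(containers: list[dict], images: dict[str, str]) -> list[dict]:
    """containers: `docker container inspect` records (Name, Image, Config.Image
    used); images: repo:tag -> Id now in the local store. Returns stale ones."""
    stale = []
    for c in containers:
        ref = normalize_ref(c["Config"]["Image"])
        current = images.get(ref)
        if current is None:
            continue  # tag not present locally, nothing to compare against
        if c["Image"] != current:
            stale.append({"name": c["Name"].lstrip("/"), "image": ref,
                          "running": c["Image"], "current": current})
    return stale


def stale_on_this_host() -> list[dict]:
    """Same check against a live daemon; needs the docker CLI on PATH."""
    ids = subprocess.check_output(["docker", "container", "ls", "-q"], text=True).split()
    if not ids:
        return []
    containers = json.loads(subprocess.check_output(
        ["docker", "container", "inspect", *ids], text=True))
    images: dict[str, str] = {}
    for ref in {normalize_ref(c["Config"]["Image"]) for c in containers}:
        out = subprocess.run(["docker", "image", "inspect", ref],
                             capture_output=True, text=True)
        if out.returncode == 0:  # image may have been pruned since creation
            images[ref] = json.loads(out.stdout)[0]["Id"]
    return stale_containers(containers, images)


# Constructed sample data in the shape of the docker inspect output described above
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Image": "sha256:aaa1", "Config": {"Image": "nginx"}},
    {"Name": "/db", "Image": "sha256:bbb1", "Config": {"Image": "postgres:16"}},
    {"Name": "/cache", "Image": "sha256:ccc1", "Config": {"Image": "redis:7"}},
]
SAMPLE_IMAGES = {"nginx:latest": "sha256:aaa2", "postgres:16": "sha256:bbb1"}
```

On the sample data only `web` is reported: it still runs `sha256:aaa1` while `nginx:latest` now points at `sha256:aaa2`; `cache` is skipped because no `redis:7` image is present locally.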
podman-auto-update
podman-auto-update will update containers according to the update policy you have configured.
WUD aka What’s up Docker?
WUD, aka What's up Docker?, keeps you notified when a new version of a Docker container image is available.
Automated builds
With Docker Hub’s Automated builds, the feature Repository Links will rebuild your container when an upstream container is rebuilt, and the Webhooks feature will send you a notification.
Compose Updater
Compose Updater is an application which continuously monitors your running Docker containers. When an image is updated, the updated version gets pulled (or built with --pull) from the registry and the Docker Compose composition gets restarted. It is a solution for watching your Docker® containers running via Docker Compose for image updates and automatically restarting the compositions whenever an image is refreshed.
Docker-Container-Updater
Docker-Container-Updater from Jan Hansmeyer. This tool handles updates without relying on the "latest" tag or sticking to the current image tag, which might cause you to miss important updates. Note that this project is currently in its early stages, so you may want something more solid or mature.
Portainer
We all have a preference when it comes to container management platforms. I personally prefer Portainer, but other solutions exist, like Yacht. Both Portainer and Yacht provide a web interface for managing Docker containers, with support for templating to provide fast deployments of dockerized applications.
The full version of Portainer is not free, but I have all the functionalities I need in Portainer Community Edition which is a lightweight version, a service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments.
Portainer’s Web API: using git commit hooks for local projects
For locally developed containers, you can use post-commit hooks and the web API to update the container stacks. Portainer, like Docker, exposes an HTTP API that you can use to automate everything you do via the Portainer UI. You can also use Portainer as a gateway (HTTP queries against the Portainer API) to the underlying Docker/Kubernetes API.
docker-stacks-config Portainer Stacks Management
docker-stacks-config is a project that contains the configurations for managing Portainer stacks using docker-compose.yml files.
See the project page docker-stacks-config for more details.
Remember to schedule regular updates, test updates in a staging environment, monitor container health, back up data, and document the upgrade process to maintain a secure and reliable container environment.