Whipping up containers for weird and obscure services can be a lot of fun when you’ve built a new home lab. But once you’ve put together a self-hosted suite comprising dozens of containers, you might have a hard time managing them.
Having spent a lot of time with containerized services, I must admit that updating containers is my least favorite home lab maintenance task. Luckily for me, I’ve got a self-hosted Watchtower instance that takes care of container updates, and here’s everything you need to know to run it on your home server.
What’s Watchtower, anyway?
And why should you use it?
When you’re trying to update a container, you’ll have to follow a rather long procedure. Assuming you’re using a volume mount for storing the important files, the general process involves stopping the service, removing the container (not the data), pulling the updated image, and spinning up a new container with it. Clearly, it’s not the most convenient method of maintaining your containers, especially when you’ve got a fleet of services in your home lab.
Watchtower can automate the entire process once you deploy it as a container, making it borderline essential for any home server. It's also capable of detecting the dependencies between your services and can shut down all the containers before updating the image(s) to ensure your self-hosted stack functions normally after the update.
Deploying Watchtower
Since Watchtower itself runs as a containerized service and connects to the Docker daemon through the /var/run/docker.sock socket, you’ll need Docker Engine before attempting this project. Once you’ve got the container runtime installed:
- Launch the terminal app included with your OS.
- Deploy a Watchtower container with this command:
  sudo docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower
Here's an extra tip when setting up Watchtower
Although Watchtower is a convenient tool to have in your Docker stack, it has a major shortcoming: Watchtower can’t determine if a container image is faulty. It’s not uncommon for broken container images to get uploaded to public repos, and Watchtower could end up using them to create buggy containers.
That’s where the container selection labels come into play. The full-exclude label, for instance, prevents Watchtower from automatically pulling the latest images for your mission-critical apps, while the monitor-only label makes it check for updates without applying them. First, you'll have to add --label-enable to the docker run command for the Watchtower container. After that, you’re free to insert the Watchtower labels into the docker-compose.yml files or docker run commands for your favorite containers.
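Here's how that labelling setup could look in a single docker-compose.yml. This is an added example, not a file from the original article: the media, dashboard and database services and their example/... images are hypothetical placeholders, while the --label-enable flag and the com.centurylinklabs.watchtower.* labels are Watchtower's own.

```yaml
# Added example, not from the original article. Service names and app images
# are hypothetical placeholders; the labels are Watchtower's container labels.
services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    command: --label-enable   # only containers labelled enable=true are watched
    volumes:
      # This socket gives Watchtower full control of the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped

  # Low-risk app: opted in, so Watchtower pulls new images and recreates it.
  media:
    image: example/media-server:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  # Watched but never updated automatically: Watchtower only reports new images.
  dashboard:
    image: example/dashboard:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "com.centurylinklabs.watchtower.monitor-only=true"

  # Mission-critical app: fully excluded and pinned to a tag you have tested.
  database:
    image: example/database:1.2.3
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
    volumes:
      - db-data:/var/lib/data

volumes:
  db-data:
```

With --label-enable set, any container that carries no Watchtower label at all is left alone, so a newly added service is never auto-updated until you opt it in.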
