How long ago did you deploy that container? Days? Weeks? Months? In the meantime, how many security issues have been discovered and patched in the image used to create that container? Without updating, that container could suffer from serious security issues. What do you do? Stop the container, pull down a new image, and recreate the container? You could, but that would take time and require you to remember to check on it with some regularity.
What if I told you there was an easy way to automate that? Even better, what if I told you there was a container that would automatically check for image updates and, if it finds any changes in a container's base image, gracefully shut that container down and restart it with the new image and the same options used when the container was initially started? The container that takes care of all of this is called Watchtower, and it works.
I’m going to show you how to spin up the Watchtower container so that it will monitor your containers and keep them automatically (and always) up to date.
I will assume you already have Docker installed and one or more containers running.
I will demonstrate two different ways to deploy Watchtower. The first will monitor and update all of your containers, whereas the second will monitor and update only a specific container.
Let's have Watchtower monitor all of those containers. Before we do this, let's check on the status of our containers with the command docker ps. This will show you a list of the currently running containers. What's important at this juncture is to take note of the CREATED column (Figure A).
You should see, in the CREATED column, the age of the containers displayed.
Now let’s deploy Watchtower. Open up a terminal window and issue the command:
docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock v2tec/watchtower
NOTE: To run the above command, your user must belong to the docker group. If you haven't already taken care of that, issue the command sudo usermod -a -G docker USERNAME (where USERNAME is the name of the user to be added). In order for this change to take effect, you must log out and log back in.
Give Watchtower a moment to do its thing and the CREATED times will have changed (Figure B).
The process is very quick, so outages will only last seconds. You might cringe at the idea of your containers being down, but the tradeoff of having them always updated should ease that concern.
Watching a single container
You can deploy Watchtower in such a way that it will only monitor a single, specific container. Let’s say you have Shipyard deployed (for Docker management) and you want to ensure it is always up to date. If your Shipyard container is named shipyard, the command for Watchtower would be:
docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock v2tec/watchtower shipyard
Issue the above and only the Shipyard container will be monitored and automatically updated.
The caveat and the trick
Of course there's a caveat. Fortunately, in this case, it's not only one that can be shrugged off, it should also be quite obvious. In order for Watchtower to do its thing, it must be running. However, this can also be to your advantage. Remember when I said there would be outages when Watchtower does its thing? You can confine them to a window of your choosing by doing the following:
- Deploy the Watchtower container
- Keep issuing the docker ps command until you see the containers have updated
- Stop the Watchtower container
Yes, this kind of defeats the purpose of automating container updates on a regular basis, but if container uptime is crucial to your business, this could be a way to avoid unplanned outages. You could even cobble together a bash script that would run this process nightly (when the containers weren't in use) and set up a cron job to run it automatically.
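The three-step procedure above, scripted as a nightly cron job, as an added example (this is not code from the article or from the Watchtower project). It assumes the v2tec/watchtower image used in the article and a docker CLI on PATH; the container names in the usage examples (shipyard, nginx) are hypothetical. It generalizes slightly: with no arguments it watches every container, as in the first deployment, and with names it watches only those, as in the Shipyard example. It keeps the article's own test of success, the CREATED column changing for every watched container, and stops Watchtower again whether or not anything was updated. One point worth keeping in mind when you automate this: mounting /var/run/docker.sock hands the Watchtower container full control of the Docker daemon, which is root-equivalent on the host, so treat the image you run there like any other privileged component and pin it deliberately.

```shell
#!/bin/sh
# Added example (not from the article or the Watchtower project): a nightly
# "deploy Watchtower, wait for the updates, stop Watchtower" run suitable for
# cron. Assumes the v2tec/watchtower image used in the article and a docker
# CLI on PATH; container names in the usage examples are hypothetical.

WATCHTOWER_IMAGE="v2tec/watchtower"
POLL_SECONDS=30     # how often to re-check docker ps
MAX_POLLS=20        # give up after 20 * 30s = 10 minutes

# snapshot [NAME...]: print "name<TAB>created" for running containers.
# Without arguments every container except Watchtower itself is listed
# (the "watch everything" mode); with names, only those containers
# (the "watch a single container" mode).
snapshot() {
  docker ps --format '{{.Names}}\t{{.CreatedAt}}' | awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
    $1 == "watchtower" { next }
    n == 0 || ($1 in keep)
  '
}

# all_recreated BEFORE AFTER: exit 0 only when every container named in the
# BEFORE snapshot is present in AFTER with a different CreatedAt, i.e. the
# CREATED column the article tells you to watch has changed for all of them.
# Pure text comparison, so it can be exercised without a Docker daemon.
all_recreated() {
  printf '%s\n' "$1" | awk -F'\t' -v after="$2" '
    BEGIN {
      n = split(after, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, "\t")
        if (f[1] != "") created[f[1]] = f[2]
      }
    }
    NF < 2 { next }
    { seen = 1 }
    !($1 in created)  { missing = 1; exit }   # gone, or not back up yet
    created[$1] == $2 { pending = 1; exit }   # same CreatedAt: not recreated
    END { exit (seen && !missing && !pending) ? 0 : 1 }
  '
}

# nightly_update [NAME...]: the article's manual three-step procedure, scripted.
nightly_update() {
  before=$(snapshot "$@")
  if [ -z "$before" ]; then
    echo "nothing to watch: no matching running containers" >&2
    return 1
  fi

  # A stopped Watchtower left over from a previous night would make
  # --name watchtower collide, so clear it first.
  docker rm -f watchtower >/dev/null 2>&1 || true
  docker run -d --name watchtower \
    -v /var/run/docker.sock:/var/run/docker.sock \
    "$WATCHTOWER_IMAGE" "$@" >/dev/null || return 1

  i=0
  status=2
  while [ "$i" -lt "$MAX_POLLS" ]; do
    sleep "$POLL_SECONDS"
    if all_recreated "$before" "$(snapshot "$@")"; then
      status=0
      break
    fi
    i=$((i + 1))
  done

  # Stop Watchtower whether or not anything changed, so no further restarts
  # happen outside this maintenance window.
  docker stop watchtower >/dev/null
  docker rm watchtower >/dev/null

  if [ "$status" -ne 0 ]; then
    echo "window closed before every container was recreated" >&2
    echo "(no newer image was available, or the pull was still running)" >&2
  fi
  return "$status"
}

# Only act when explicitly told to, e.g. from cron (paths are hypothetical):
#   0 3 * * * /usr/local/bin/watchtower-nightly.sh run            # all containers
#   0 3 * * * /usr/local/bin/watchtower-nightly.sh run shipyard   # one container
case "${1:-}" in
  run) shift; nightly_update "$@" ;;
esac
```

A non-zero exit from the script is worth alerting on: exit 1 means Watchtower could not be started or nothing matched, and exit 2 means the window closed without every container being recreated, which is normal on nights when no newer image exists but also what you would see if a pull stalled. Run it from a cron entry owned by a user in the docker group, and remember that membership in that group is itself root-equivalent, so keep it to the account that needs it.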
Easy container updates
If you thought container updating would be a pain, you thought wrong. With the likes of Watchtower, container updates are not only easy, they're automatic. If your business depends upon containers, it is in your best interest to keep them updated; otherwise you run the risk of having unpatched applications running on your network. Watchtower makes this incredibly easy.