
🔭 Setup Watchtower — Automatic Docker Container Updates

Deploy Watchtower on Ubuntu — automatically update Docker containers when new images are published, with email and Slack notifications.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.
⚠️ Production Warning: Auto-updating containers can cause unexpected downtime. Use label-based opt-in (run Watchtower with WATCHTOWER_LABEL_ENABLE=true and add com.centurylinklabs.watchtower.enable=true only to the containers you want touched) to control which containers are updated automatically.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along. Read it before you run it: it executes as root and installs Docker if it is missing.

Automated install script — one command sets everything up.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/management/watchtower/watchtower-ubuntu.sh
chmod +x watchtower-ubuntu.sh
sudo bash watchtower-ubuntu.sh

Tutorial Steps

1 Download the Script

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/management/watchtower/watchtower-ubuntu.sh

2 Make it Executable

chmod +x watchtower-ubuntu.sh

3 Run the Installer

The script installs Docker if needed, then deploys Watchtower configured to monitor and update your containers automatically.

sudo bash watchtower-ubuntu.sh

4 Verify Watchtower is Running

Check the Watchtower container logs to confirm it started correctly:

docker logs watchtower

5 Label Containers for Auto-Update

Add the opt-in label to containers you want Watchtower to update. The label only acts as a filter when Watchtower itself runs with WATCHTOWER_LABEL_ENABLE=true; without that setting Watchtower updates every container it can see, label or not.

# In your docker-compose.yml, add the label:
services:
  myapp:
    image: myapp:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

# Watchtower checks for new images every 24 hours by default.
# Force an immediate check instead of waiting for the schedule:
docker exec watchtower /watchtower --run-once
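Pulling the five steps together, here is an added example (not the page's install script and not Watchtower's own code) of a small shell helper that renders a Watchtower compose file in label-opt-in mode, rejects a mis-sized cron schedule before it reaches Watchtower, and classifies which running containers actually carry the opt-in label. The service name myapp, the image myapp:latest, the optional private-registry mount and the sample docker ps output are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate a label-opt-in Watchtower compose file and audit
# which containers are opted in. Not part of the page's install script.
set -eu

# WATCHTOWER_SCHEDULE takes a 6-field cron expression (seconds first), so a
# classic 5-field crontab line must be rejected before Watchtower sees it.
validate_schedule() {
  fields=$(printf '%s\n' "$1" | awk '{print NF}')
  [ "$fields" -eq 6 ]
}

# Print a docker-compose.yml that runs Watchtower in opt-in mode.
# $1 = cron schedule (6 fields), $2 = Shoutrrr notification URL (may be empty).
render_compose() {
  schedule="$1"; notify_url="${2:-}"
  validate_schedule "$schedule" || { echo "schedule must have 6 fields" >&2; return 1; }
  notify_line=""
  [ -n "$notify_url" ] && notify_line="      - WATCHTOWER_NOTIFICATION_URL=${notify_url}"
  cat <<EOF
services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: unless-stopped
    environment:
      - WATCHTOWER_LABEL_ENABLE=true      # only labelled containers are touched
      - WATCHTOWER_CLEANUP=false          # keep the previous image for rollback
      - WATCHTOWER_SCHEDULE=${schedule}
${notify_line}
    volumes:
      # Root-equivalent control of the host's Docker engine: expose nothing
      # from this container and keep it off public networks.
      - /var/run/docker.sock:/var/run/docker.sock
      # Uncomment only if pulling from private registries (assumed path):
      # - /root/.docker/config.json:/config.json
  myapp:                                  # assumed example service
    image: myapp:latest
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
EOF
}

# Classify containers from the output of
#   docker ps --format '{{.Names}}\t{{.Label "com.centurylinklabs.watchtower.enable"}}'
# read on stdin; prints "name<TAB>auto-update|ignored" per container.
audit_labels() {
  awk -F'\t' '{ status = ($2 == "true") ? "auto-update" : "ignored"; print $1 "\t" status }'
}

# Constructed sample standing in for the docker ps output when run offline.
sample_ps() {
  printf 'myapp\ttrue\npostgres\t\nvaultwarden\tfalse\n'
}

# Example run: Sunday 03:00 schedule, notification URL taken from the
# environment if set, compose text held in a variable rather than written out.
COMPOSE_YAML=$(render_compose "0 0 3 * * 0" "${WATCHTOWER_NOTIFICATION_URL:-}")
sample_ps | audit_labels
```

With Docker available, replace sample_ps with the real docker ps command in the comment and write COMPOSE_YAML to docker-compose.yml before docker compose up -d; the audit is worth re-running after every deployment, since a container recreated without the label silently drops out of the update set.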

Ports Used

Port | Purpose
None | Watchtower runs as a background agent; no web UI or open ports required

Overview

Watchtower is a lightweight Docker container that monitors other containers for image updates and automatically recreates them with the latest version. It polls the source registry (Docker Hub, GHCR, private registries) on a configurable schedule (default: 24 hours) and pulls a new image when one is available — then gracefully stops, removes, and recreates the container with the same run parameters. Notifications via email, Slack, Telegram, ntfy, or webhook keep you informed of every update. Watchtower is the simplest way to ensure all your self-hosted services stay current without manual docker pull and docker compose up commands.

Why Use It

Manually updating 20 Docker containers means 20 commands to run, 20 changelogs to check, and 20 chances to forget. Watchtower automates the entire process — new CVE patch for Nextcloud? Updated automatically overnight. New Portainer release? Applied at 3 AM without intervention. The key is configuration: label-based opt-in ensures only the containers you explicitly approve are auto-updated, protecting critical production services while still automating low-risk updates like dashboards and utilities.


Ports and Firewall Notes

Watchtower runs entirely as a background agent with no web UI and no open ports. It communicates outbound to Docker registries (Docker Hub and GHCR on port 443, custom registries as configured) to check for new images, so no inbound ports need to be opened on the firewall. The Docker socket mount (/var/run/docker.sock) is required for Watchtower to manage other containers. Note that whoever controls that socket controls the Docker engine as root, so treat the Watchtower container as a privileged component: keep it on an internal network, expose nothing from it, and point it only at registries you trust.


Alternatives

Portainer (manual updates via UI: more control, less automation), Dockge (compose-focused UI with manual update capability), Diun (notification-only: detects new images but never auto-updates, safer for production), Renovate (updates image tags in docker-compose files via git PRs, best for code-controlled infrastructure). Watchtower is the right choice for fully automated, zero-touch updates on low-risk homelab services.

When Not to Use It

Skip Watchtower for any container holding important data (databases, Nextcloud, Vaultwarden) unless you have tested the update path and have a current backup. Also avoid it if your team requires change management approval before updates; use Diun for notifications and deploy updates through your normal process instead. For Kubernetes, use native rolling update strategies rather than Watchtower.

PrismaTechWork Professional Help

PrismaTechWork provides end-to-end infrastructure services, from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.


Frequently Asked Questions

Will Watchtower break my containers when it updates them?

Watchtower recreates containers with the same parameters (volumes, networks, environment, ports) as the original. For stateless services, updates are nearly always safe. For stateful services (databases, file servers), major version updates can introduce breaking changes; always check the upstream changelog before enabling Watchtower on these containers. Use label-based opt-in and keep a current backup before enabling Watchtower on any critical service.

How do I set Watchtower to only update specific containers?

Set WATCHTOWER_LABEL_ENABLE=true in the Watchtower environment. Then add the label com.centurylinklabs.watchtower.enable=true to every container you want auto-updated in their docker-compose.yml. Containers without this label are completely ignored. This is the safest production configuration: only explicitly approved containers are touched by Watchtower.

How do I get notified when Watchtower updates a container?

Set the WATCHTOWER_NOTIFICATION_URL environment variable using the Shoutrrr URL format. Examples: telegram://TOKEN@telegram?channels=CHATID for Telegram, slack://WORKSPACE/TOKEN/CHANNEL for Slack, smtp://user:pass@host:port/?from=sender@example.com&to=recipient@example.com for email (Shoutrrr's SMTP service needs a from address as well as to), generic+https://ntfy.sh/TOPIC for ntfy via the generic webhook (recent Watchtower builds also accept the native ntfy://ntfy.sh/TOPIC form). Check the Shoutrrr service documentation for the exact URL shape of each service, since the formats have changed between versions. You can set multiple notification URLs separated by spaces. Watchtower batches its messages and sends one notification per update run listing all updated containers. Treat the URL as a secret: it embeds the bot token or SMTP password, so keep it out of committed compose files (an env file or Docker secret is the usual place).

Can Watchtower update containers from private registries?

Yes. Log in to the registry on the Docker host (docker login registry.yourdomain.com) so the credentials land in the host's ~/.docker/config.json, then mount that file into the Watchtower container at /config.json; Watchtower does not read the host's credential store on its own, it only sees what is mounted. For a single registry you can instead pass the credentials as the REPO_USER and REPO_PASS environment variables. The same mount covers authenticated Docker Hub pulls (to avoid rate limits). For AWS ECR, Watchtower's documentation describes building a Watchtower image that bundles the ECR credential helper, because the tokens expire and cannot simply be stored in config.json.

What is monitor-only mode and when should I use it?

Monitor-only mode (WATCHTOWER_MONITOR_ONLY=true) makes Watchtower check for new images and send notifications when updates are available, but it never actually updates or restarts any container. This is ideal for production environments where you want to know about updates but prefer to apply them manually during a planned maintenance window. It gives you the visibility of Watchtower without the automation risk.

How often does Watchtower check for updates?

By default, Watchtower polls registries every 24 hours (86400 seconds). Change this with WATCHTOWER_POLL_INTERVAL=3600 (hourly) or use a cron schedule: WATCHTOWER_SCHEDULE=0 0 3 * * 0 for Sunday 3 AM. Note that Watchtower's schedule has six fields (seconds, minutes, hours, day of month, month, day of week), not the five of a classic crontab line, and that the interval and schedule settings are mutually exclusive. Avoid polling public registries too frequently: Docker Hub applies rate limits (100 pulls per 6 hours for unauthenticated clients and 200 per 6 hours for free accounts as published at the time of writing; check Docker's current policy). For private registries without rate limits, more frequent checks are safe.

How do I roll back a container that broke after a Watchtower update?

Unless WATCHTOWER_CLEANUP=true, the previous image is still present locally, although the tag has moved to the new image, so docker image ls -a shows the old one as <none>. Either re-tag that image ID or pull the version you want explicitly: docker pull myapp:1.2.3. Then recreate the container from the old version with the same volumes, networks, ports and environment as before. With compose the simplest way is to change image: myapp:latest to image: myapp:1.2.3 in docker-compose.yml and run docker compose up -d; a bare docker run --name myapp myapp:1.2.3 starts the old image but without any of those settings. To stop Watchtower upgrading it again, remove the com.centurylinklabs.watchtower.enable=true label (or set it to false) and keep the pinned tag; a pinned tag alone only helps while the publisher never re-pushes it.
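The rollback described above, as an added example that is not part of the page or of Watchtower: a shell helper that pins one service's image tag in a compose file without touching other services, shows which tag is currently pinned, and recreates only that service. The compose file, service names and tags are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Watchtower's code): pin a compose-managed service to a
# known image tag so the next Watchtower run cannot re-upgrade it.
set -eu

# Rewrite "image: REPO:<anything>" to "image: REPO:TAG" for one repository.
# Matching on the repository name leaves other services alone. A temp file
# plus mv is used instead of sed -i, whose syntax differs between GNU and BSD.
# Args: compose_file repo tag
pin_image_tag() {
  file="$1"; repo="$2"; tag="$3"
  tmp="${file}.tmp"
  # '#' as delimiter because repositories may contain '/'
  sed "s#image: ${repo}:[^[:space:]]*#image: ${repo}:${tag}#" "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Print the image reference currently set for a repository (first match).
# Args: compose_file repo
current_image() {
  file="$1"; repo="$2"
  sed -n "s#.*image: \(${repo}:[^[:space:]]*\).*#\1#p" "$file" | head -n 1
}

# Pin the tag and recreate just that service from the compose file, which
# keeps its volumes, networks and environment (a bare docker run would not).
# Needs Docker; not invoked in the offline demo below.
# Args: compose_file service repo tag
rollback() {
  file="$1"; service="$2"; repo="$3"; tag="$4"
  pin_image_tag "$file" "$repo" "$tag"
  docker compose -f "$file" up -d --no-deps "$service"
}

# Constructed sample compose file standing in for a real deployment.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_COMPOSE="$SAMPLE_DIR/docker-compose.yml"
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  myapp:
    image: myapp:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
  db:
    image: postgres:16
EOF

# Demo: roll myapp back to 1.2.3; db stays on postgres:16.
pin_image_tag "$SAMPLE_COMPOSE" myapp 1.2.3
current_image "$SAMPLE_COMPOSE" myapp
current_image "$SAMPLE_COMPOSE" postgres
```

After pinning, remove the enable label from that service (or set it to false) if you want Watchtower to stop checking it altogether; with the label left in place, Watchtower keeps comparing myapp:1.2.3 against the registry and will recreate the container if the publisher re-pushes that tag.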

Can Watchtower run alongside Portainer?

Yes. They complement each other well: Watchtower handles automatic updates on a schedule, while Portainer provides a UI for manual management, log viewing, and container inspection. Portainer itself can be managed by Watchtower (add the enable label to the Portainer container). Some users prefer to exclude Portainer from Watchtower management and update it manually to maintain control over their management interface.