Installing Watchtower on Docker Swarm and Managing Updates with Labels

Docker Swarm offers a streamlined approach to managing containerized applications across multiple hosts. To ensure your applications remain up-to-date without manual intervention, integrating Watchtower into your Docker Swarm setup is a savvy move. Watchtower automates the process of checking for and deploying the latest images for your running containers. However, there may be instances where you wish to exempt specific containers or services from automatic updates. This is achievable through the strategic use of labels. Here’s a concise guide on installing Watchtower on Docker Swarm and leveraging labels to control updates.

Step 1: Deploying Watchtower in Docker Swarm

To begin, you’ll need to create a Docker Compose file for Watchtower. This file instructs Docker Swarm on how to deploy Watchtower correctly. Here’s an example watchtower.yml file designed for Swarm deployment:

version: '3.7'
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    command: --interval 30 --label-enable
    deploy:
      placement:
        constraints: [node.role == manager]

This configuration deploys Watchtower to run on a manager node, given its need to access the Docker socket. The --label-enable command ensures Watchtower updates only containers with a specific label indicating they should be watched.

Step 2: Deploying Watchtower Stack

Deploy the Watchtower stack using the following command, ensuring you’re in the directory containing your watchtower.yml:

docker stack deploy -c watchtower.yml watchtower

This command initializes the Watchtower service within your Docker Swarm, setting it to monitor and update containers every 30 seconds.

Step 3: Excluding Containers from Automatic Updates

To exclude specific containers or services from Watchtower updates, utilize the com.centurylinklabs.watchtower.enable label, setting its value to false. This can be done when you first deploy a service or by editing existing services through configuration files or management tools like Portainer.

For a new service, include the label in your Docker Compose file like so:

version: '3.8'
services:
  your_service:
    image: your_image
    deploy:
      labels:
        com.centurylinklabs.watchtower.enable: "false"

For existing containers or services, you can add or modify labels via Portainer’s UI by editing the container or service configuration, allowing for flexible management of your update policies.

Conclusion

Integrating Watchtower into your Docker Swarm infrastructure simplifies the task of keeping containers up-to-date, ensuring your applications benefit from the latest features and security patches. With the added control of exclusion labels, you maintain complete authority over which containers are automatically updated, providing a balance between automation and manual oversight. This setup guarantees a robust, efficient, and up-to-date deployment, minimizing downtime and enhancing security across your Docker Swarm environment.