Update and Cleanup

ghcr.io/nickfedor/watchtower is a service that monitors Docker images for updates on the same tag used, automatically updating and restarting running containers. This is useful for images like DMS that support semver tags.

Automatic image updates + cleanup

Run a watchtower container with access to docker.sock, enabling the service to manage Docker:

compose.yaml

services:
  watchtower:
    image: ghcr.io/nickfedor/watchtower:latest
    # Automatic cleanup:
    environment:
      - WATCHTOWER_CLEANUP=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

The watchtower container can use the WATCHTOWER_CLEANUP=true ENV (CLI option: --cleanup) to enable automatic cleanup (removal) of the previous image used for container it updates. Removal occurs after the container is restarted with the new image pulled.

containrrr/watchtower is unmaintained

The original project (containrrr/watchtower) has not received maintenance over recent years and was archived in Dec 2025.

A community fork (nicholas-fedor/watchtower) has since established itself as a maintained successor.

The image tag used for a container is monitored for updates (eg: :latest, :edge, :16)

The automatic update support is only for updates to that specific image tag.

---

The tag for an image is never modified by watchtower, instead watchtower monitors the image digest associated to that image tag (which will change to a new image digest if a new image release reassigns the tag), when the digest for the tag changes this triggers a pull of the new image.

• Your container will not update to a new major release version (unless using :latest).
• Omit the minor or patch portion of a semver tag to receive updates for the omitted portion (eg: :16 will represent the latest minor + patch release, whereas :16.0 would only receive patch updates instead of minor releases like 16.1).

Updating only specific containers

By default the watchtower service will check every 24 hours for new image updates to pull, based on currently running containers (not restricted to only those running within your compose.yaml).

Images eligible for updates can configured with a custom command that provides a list of container names, alternatively via container labels to monitor only specific containers (or instead exclude specific containers from monitoring).

Manual cleanup

watchtower supports running on-demand with docker run or compose.yaml via the WATCHTOWER_RUN_ONCE=true ENV (CLI option: --run-once). You can either use this for manual or scheduled update + cleanup, instead of running as a background service.

---

Without watchtower handling image cleanup, you can alternatively invoke cleanup of Docker storage directly with:

• docker image prune --all
• docker system prune --all (also removes unused containers, networks, build cache).

If you omit the --all option, this will instead only remove "dangling" content (eg: Orphaned images).