How Watchtower Docker Automatic Updates Work

Watchtower's automatic updates follow a four-step lifecycle that runs on every poll cycle:

  1. Poll: Watchtower queries the container registry (Docker Hub by default) for each running container's image. It compares the remote image digest against the locally running digest.
  2. Detect: If the remote digest differs (a new image has been pushed), Watchtower flags that container for update.
  3. Pull: The new Docker image is downloaded to the host.
  4. Replace: The old container is gracefully stopped (using a configurable stop signal and timeout), and a new container is started using the updated image with identical runtime parameters.

This is the complete Watchtower auto-update cycle. It requires no user interaction once configured.

Default Automatic Update Behavior

Out of the box, Watchtower's auto-update behavior is:

  • All running containers are monitored (no opt-in required)
  • Check interval: every 86400 seconds (24 hours)
  • Old images are not removed (set WATCHTOWER_CLEANUP=true to enable)
  • Watchtower updates itself as well
  • No notifications sent (add WATCHTOWER_NOTIFICATIONS to enable)

Enabling Automatic Updates

The simplest way to enable Watchtower auto-updates is:

docker run -d \
  --name watchtower \
  --restart unless-stopped \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower \
  --cleanup

Or in Docker Compose:

services:
  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_POLL_INTERVAL=3600  # Check every hour

Auto-Update Specific Docker Containers

To have Watchtower auto-update only selected containers, use label-enable mode:

services:
  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_LABEL_ENABLE=true   # Only update labeled containers
      - WATCHTOWER_CLEANUP=true

  # This container WILL be auto-updated
  myapp:
    image: myapp:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  # This container will NOT be auto-updated
  database:
    image: postgres:15
    # No watchtower label = ignored when LABEL_ENABLE=true

Watchtower Docker Auto Update Documentation Reference

The official Watchtower documentation is maintained at containrrr.dev/watchtower. Key environment variables for auto-updates:

Variable                     Default   Description
WATCHTOWER_POLL_INTERVAL     86400     Seconds between update checks
WATCHTOWER_SCHEDULE                    Cron expression (overrides poll interval)
WATCHTOWER_CLEANUP           false     Remove old images after update
WATCHTOWER_LABEL_ENABLE      false     Only update labeled containers
WATCHTOWER_ROLLING_RESTART   false     Restart containers one at a time
WATCHTOWER_TIMEOUT           10s       Stop timeout before force kill

Monitoring Auto-Update Logs

Monitor the Watchtower logs to see exactly which containers were updated and when:

# Follow live logs
docker logs watchtower --follow

# Sample successful update log output:
# time="2026-05-26" level=info msg="Checking all containers (except explicitly disabled ones)"
# time="2026-05-26" level=info msg="Found new nginx:latest image"
# time="2026-05-26" level=info msg="Stopping /nginx"
# time="2026-05-26" level=info msg="Creating /nginx"
# time="2026-05-26" level=info msg="Removing old image nginx@sha256:old..."

# Filter only update events
docker logs watchtower 2>&1 | grep -i "updated\|new.*image\|stopping"

Best Practices for Docker Auto-Updates

  • Schedule off-peak hours: Use WATCHTOWER_SCHEDULE to run updates at 3–5 AM to minimise user impact.
  • Enable cleanup: Always set WATCHTOWER_CLEANUP=true to prevent disk exhaustion.
  • Use rolling restarts: For multi-container stacks, set WATCHTOWER_ROLLING_RESTART=true to restart one container at a time.
  • Exclude critical databases: Add com.centurylinklabs.watchtower.enable=false to stateful services like PostgreSQL or MySQL that require manual upgrade procedures.
  • Monitor via notifications: Configure Slack or email alerts so you know immediately when a container is updated or fails to update.

Frequently Asked Questions

Does Watchtower auto-update work with private images?

Yes. Mount your Docker credentials file: -v $HOME/.docker/config.json:/config.json:ro and set DOCKER_CONFIG=/config.json. Watchtower will use these credentials to pull from ECR, GHCR, GitLab Registry, or any private registry.

How does Watchtower update Docker containers without losing data?

Watchtower recreates the container with the exact same volume mounts. If you declared volumes in your Docker run command or Compose file, those volumes remain intact. The data is on the host (or in a named Docker volume), not inside the container image — so updating the image has no effect on your data.

What happens if a Watchtower auto-update fails?

If the pull fails (network error, auth failure, etc.), Watchtower logs the error and leaves the existing container running unchanged. If the new container fails to start, the old container has already been stopped — in this case you should set up monitoring and notifications to catch failed updates. Consider setting WATCHTOWER_ROLLING_RESTART=true for more resilience.
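A log check for the failure case just described (old container stopped, replacement never created), as an added example that is not part of the original page or of Watchtower itself. It parses lines in the log format shown in the monitoring section; the sample lines, the error message text and the function names are constructed for illustration.

```python
import re

# Constructed sample in the log format shown on this page (not real output).
SAMPLE_LOG = """\
time="2026-05-26T03:00:01Z" level=info msg="Found new nginx:latest image"
time="2026-05-26T03:00:02Z" level=info msg="Stopping /nginx"
time="2026-05-26T03:00:04Z" level=info msg="Creating /nginx"
time="2026-05-26T03:00:05Z" level=info msg="Found new myapp:latest image"
time="2026-05-26T03:00:06Z" level=info msg="Stopping /myapp"
time="2026-05-26T03:00:09Z" level=error msg="constructed error: \\"myapp\\" failed to start"
truncated or non-logfmt line
"""

# key=value or key="quoted value with \" escapes"
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
STOP = re.compile(r"^Stopping (/\S+)")
CREATE = re.compile(r"^Creating (/\S+)")

def parse_line(line):
    """Parse one logfmt line into a dict; lines without fields give {}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def audit(log_text):
    """Return (state, errors): last stop/create event per container, plus
    every warning/error/fatal record as (time, msg)."""
    state, errors = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        msg = rec.get("msg")
        if msg is None:
            continue
        if rec.get("level") in ("warning", "error", "fatal"):
            errors.append((rec.get("time"), msg))
        if m := STOP.match(msg):
            state[m.group(1)] = ("stopped", rec.get("time"))
        elif m := CREATE.match(msg):
            state[m.group(1)] = ("created", rec.get("time"))
    return state, errors

def stranded(log_text):
    """Containers whose most recent event is a stop with no later create."""
    state, _errors = audit(log_text)
    return sorted(name for name, (event, _t) in state.items() if event == "stopped")

if __name__ == "__main__":
    for name in stranded(SAMPLE_LOG):
        print("stopped but not recreated:", name)
```

A container can appear as stranded while an update is still in progress, so run the check on logs that end after the poll cycle has finished.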

Can I disable auto-updates for one container while keeping others enabled?

Yes. Add the label com.centurylinklabs.watchtower.enable=false to any container you want excluded. Watchtower respects this label regardless of whether WATCHTOWER_LABEL_ENABLE is set — a false label always means "skip this container".
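The selection rules from the label-enable section and this answer, written out as an added audit script (not Watchtower's own code) that reports which containers fall in update scope and which drop out when label-enable mode is switched on. The input is a constructed `docker inspect`-style list; treating an unparseable label value as absent is an assumption.

```python
import json

ENABLE_LABEL = "com.centurylinklabs.watchtower.enable"

# Constructed `docker inspect`-style records (only the fields used here).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/myapp",    "Config": {"Image": "myapp:latest",
   "Labels": {"com.centurylinklabs.watchtower.enable": "true"}}},
 {"Name": "/database", "Config": {"Image": "postgres:15", "Labels": {}}},
 {"Name": "/cache",    "Config": {"Image": "redis:7",
   "Labels": {"com.centurylinklabs.watchtower.enable": "false"}}},
 {"Name": "/legacy",   "Config": {"Image": "legacy:1", "Labels": null}}
]""")

def label_value(container):
    """True/False for an explicit enable label; None if absent.
    Assumption: a value other than true/false is treated as absent."""
    labels = (container.get("Config") or {}).get("Labels") or {}
    raw = labels.get(ENABLE_LABEL)
    if raw is None:
        return None
    return {"true": True, "false": False}.get(raw.strip().lower())

def decide(container, label_enable):
    """Return (in_scope, reason) following the rules stated on this page."""
    explicit = label_value(container)
    if explicit is False:
        return False, "label=false: skipped in every mode"
    if explicit is True:
        return True, "label=true"
    if label_enable:
        return False, "no label and WATCHTOWER_LABEL_ENABLE=true"
    return True, "no label: monitored by default"

def update_scope(containers, label_enable):
    """Map container name -> (in_scope, reason)."""
    return {c["Name"]: decide(c, label_enable) for c in containers}

def dropped_by_label_mode(containers):
    """Containers updated by default that label-enable mode would stop updating."""
    before = update_scope(containers, label_enable=False)
    after = update_scope(containers, label_enable=True)
    return sorted(n for n in before if before[n][0] and not after[n][0])

if __name__ == "__main__":
    for name, (ok, why) in update_scope(SAMPLE_INSPECT, True).items():
        print(f"{name:10} {'UPDATE' if ok else 'skip':6} {why}")
```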

Alex Chen
Docker Infrastructure Engineer · containrrr contributor
Alex has designed automated container pipelines for Fortune 500 companies and open-source projects. He maintains this documentation to reflect the latest containrrr/watchtower releases and Docker Engine behavior.
