What Are Watchtower Docker Labels?

Watchtower Docker labels are standard Docker container labels that control how Watchtower treats each container. They allow you to opt specific containers in or out of automatic updates — giving you granular control without multiple Watchtower instances.

There are two primary watchtower docker label values:

  • com.centurylinklabs.watchtower.enable=true — opt this container in to updates
  • com.centurylinklabs.watchtower.enable=false — opt this container out of updates (exclude)

Enabling Label-Only Mode (WATCHTOWER_LABEL_ENABLE)

By default, Watchtower updates all containers. To switch to opt-in mode where only labeled containers are updated, set WATCHTOWER_LABEL_ENABLE=true:

services:
  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_LABEL_ENABLE=true  # Only update containers with enable=true label
      - WATCHTOWER_CLEANUP=true

With this mode active, no container is updated unless it has the explicit enable label. This is the safest approach for mixed environments containing production databases alongside auto-updatable services.

Watchtower Docker Label to Enable Updates

Add the watchtower docker label enable to containers you want auto-updated in your Docker Compose file:

services:
  # This container WILL be auto-updated
  webapp:
    image: myapp:latest
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  # This container WILL be auto-updated
  nginx:
    image: nginx:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  # This container will NOT be auto-updated (no label = ignored in label-enable mode)
  postgres:
    image: postgres:15
    restart: unless-stopped
    # No watchtower label

Watchtower Docker Exclude Container

Even without label-enable mode, you can watchtower docker exclude a specific container by setting the label to false:

services:
  # Watchtower will SKIP this container even in default (all-containers) mode
  mysql:
    image: mysql:8.0
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

This is particularly useful for watchtower docker exclude container scenarios like databases, stateful services, or containers pinned to a specific version for compliance reasons.

Label Scope — Watchtower Instance Targeting

In multi-tenant environments, you can run multiple Watchtower instances and use scopes to control which Watchtower manages which containers:

# Watchtower instance for production
services:
  watchtower-prod:
    image: containrrr/watchtower
    environment:
      - WATCHTOWER_SCOPE=production
      - WATCHTOWER_LABEL_ENABLE=true

  app-prod:
    image: myapp:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "com.centurylinklabs.watchtower.scope=production"

  # Managed by a different watchtower-staging instance
  app-staging:
    image: myapp:latest
    labels:
      - "com.centurylinklabs.watchtower.scope=staging"

Custom Image Pull Tag via Label

Use a label to specify which image tag Watchtower should pull for a container — overriding the default (current tag):

services:
  app:
    image: myapp:stable
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      # Pull from 'edge' tag instead of 'stable'
      - "com.centurylinklabs.watchtower.monitor-only=true"
ℹ️
monitor-only label: Setting com.centurylinklabs.watchtower.monitor-only=true makes Watchtower check for updates and log them but never actually restart the container. Useful for awareness-only monitoring of critical services.

Frequently Asked Questions

What is the watchtower docker label to enable updates?

The label is com.centurylinklabs.watchtower.enable=true. This label only takes effect when WATCHTOWER_LABEL_ENABLE=true is set on the Watchtower container. Without that environment variable, Watchtower updates all containers by default regardless of labels.

How do I exclude a docker container from watchtower?

Add the label com.centurylinklabs.watchtower.enable=false to any container. Watchtower will always skip containers with this label, regardless of other settings. This works in both default mode and label-enable mode.

Can I use watchtower docker labels with docker run (not Compose)?

Yes. Use the --label flag: docker run -d --label "com.centurylinklabs.watchtower.enable=true" myapp:latest. Labels work identically whether applied via docker run, Docker Compose, or Docker Swarm service definitions.

AC
Alex Chen
Docker Infrastructure Engineer
Alex has architected label-based container update policies for multi-tenant Docker deployments across 50+ production environments. All label examples are verified against containrrr/watchtower v1.7.x.

Related Articles

ConfigAutomatic Updates Guide7 min SetupDocker Compose Setup8 min ReferenceEnvironment Variables10 min