Method 1: Force Update with --run-once

The fastest way to force update Docker containers with Watchtower is the --run-once flag. This starts a temporary Watchtower instance, runs one update cycle against all containers, and exits:

# Force update all containers immediately
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower --run-once

# Force update with cleanup (remove old images after update)
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e WATCHTOWER_CLEANUP=true \
  containrrr/watchtower --run-once

# Force update a specific container only
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower --run-once mycontainername

# Force update with debug output to see what's happening
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower --run-once --debug

The --rm flag removes the temporary container after it exits, keeping your Docker environment clean. This command works regardless of whether you have a running Watchtower daemon — it's a completely independent one-shot execution.

Method 2: HTTP API Trigger (Running Daemon)

If you have a Watchtower daemon already running and want to trigger a Watchtower update now without waiting for the next scheduled check, use the HTTP API:

# Step 1: Configure Watchtower with HTTP API enabled
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_HTTP_API_UPDATE=true
      - WATCHTOWER_HTTP_API_TOKEN=mySecureToken123
      - WATCHTOWER_SCHEDULE=0 0 4 * * *     # Normal scheduled check at 4 AM
    ports:
      - "8080:8080"                          # Expose the API port

# Step 2: Trigger an immediate update via curl
curl -X POST \
  -H "Authorization: Bearer mySecureToken123" \
  http://localhost:8080/v1/update

# Response: HTTP 200 with JSON body showing update results

The HTTP API trigger is perfect for CI/CD pipelines — after pushing a new Docker image to your registry, your pipeline can call this endpoint to immediately deploy the update to running containers.
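
As an added example (not part of the original article or the Watchtower project), the shell function below checks a compose file for three settings in the Method 2 snippet that weaken the HTTP API: a token written as a literal, the API port published on every host interface, and an untagged image. The function name, finding labels and both sample files are constructed for illustration; the loopback binding in the hardened sample assumes the API is called from the same host or through a reverse proxy.

```shell
#!/bin/sh
# Added example (not from the original page). audit_watchtower_compose is a
# hypothetical helper: it reads a compose file on stdin and prints one finding
# per line for the list-style settings used in the Method 2 snippet.
audit_watchtower_compose() {
  awk '
    /WATCHTOWER_HTTP_API_TOKEN=/ {
      val = $0
      sub(/.*WATCHTOWER_HTTP_API_TOKEN=/, "", val)
      sub(/[" \t#].*/, "", val)
      # A literal value ends up in version control; ${VAR} is filled in at deploy time.
      if (substr(val, 1, 2) != "${") print "TOKEN_LITERAL"
    }
    # "8080:8080" has no host address, so Docker publishes it on every interface.
    /^[ \t]*-[ \t]*"?[0-9]+:8080"?/ { print "PORT_ALL_INTERFACES" }
    # No tag means :latest, so the image behind the API can change between pulls.
    /image:[ \t]*containrrr\/watchtower[ \t]*(#.*)?$/ { print "IMAGE_UNPINNED" }
  '
}

# Constructed sample: the settings from the Method 2 snippet.
sample_weak() {
  cat <<'EOF'
services:
  watchtower:
    image: containrrr/watchtower
    environment:
      - WATCHTOWER_HTTP_API_UPDATE=true
      - WATCHTOWER_HTTP_API_TOKEN=mySecureToken123
    ports:
      - "8080:8080"
EOF
}

# Constructed sample: the same service with the three findings addressed.
sample_hardened() {
  cat <<'EOF'
services:
  watchtower:
    image: containrrr/watchtower:1.7.1
    environment:
      - WATCHTOWER_HTTP_API_UPDATE=true
      - WATCHTOWER_HTTP_API_TOKEN=${WATCHTOWER_HTTP_API_TOKEN}
    ports:
      - "127.0.0.1:8080:8080"
EOF
}
```

Run it as `audit_watchtower_compose < docker-compose.yml`; environment entries written in mapping form (`KEY: value`) are not covered by this check.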

Run Watchtower Manually via Docker Exec

Another way to run Watchtower manually against a specific container is to send a signal to the running Watchtower process, or simply restart the container to trigger an immediate check on the next startup cycle:

# Restart running Watchtower (triggers immediate check on startup if configured)
docker restart watchtower

# OR: Run a second one-shot instance targeting specific containers
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower --run-once nginx redis postgres

Remove Old Docker Images After Update

When Watchtower updates a container, the old image stays on disk by default. Over time with many containers and frequent updates, this wastes significant disk space. There are three approaches to remove old images with Watchtower:

Option 1: WATCHTOWER_CLEANUP (Recommended)

environment:
  - WATCHTOWER_CLEANUP=true   # Auto-remove old image after each successful update

Option 2: Per-container cleanup label

# Add to a specific container to enable cleanup only for that container
labels:
  - "com.centurylinklabs.watchtower.enable=true"
# Then run Watchtower with cleanup:
environment:
  - WATCHTOWER_CLEANUP=true

Option 3: Manual Docker image prune

# Remove all unused images (those not referenced by any container)
docker image prune -a

# Remove only dangling images (untagged, disconnected from containers)
docker image prune

# With --run-once + cleanup in a scheduled cron job
0 5 * * * docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  -e WATCHTOWER_CLEANUP=true containrrr/watchtower --run-once

Watchtower Docker Self-Update

Watchtower can update itself — when a new version of containrrr/watchtower is published on Docker Hub, Watchtower will detect it on its next scheduled check and restart itself with the new image.

# Watchtower will update itself if:
# 1. It is running as a regular Docker container (not Swarm service)
# 2. The containrrr/watchtower image has a newer version on Docker Hub
# 3. No exclude label is applied to the Watchtower container itself

# To PREVENT Watchtower from updating itself (pin the version):
services:
  watchtower:
    image: containrrr/watchtower:1.7.1   # Pinned version won't self-update
    # OR add the exclude label:
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

Note: When Watchtower updates itself, there is a brief downtime (seconds) while the old container stops and the new one starts. This is expected behavior. During this window, other containers won't be monitored, but they won't be affected either; no updates will be triggered until Watchtower resumes.

CI/CD Pipeline Integration

A common Watchtower Docker trigger pattern in CI/CD is to push a new image and immediately notify Watchtower to deploy it:

# Example: GitHub Actions step after building and pushing image
- name: Trigger Watchtower update
  run: |
    curl -f -X POST \
      -H "Authorization: Bearer ${WATCHTOWER_TOKEN}" \
      https://myserver.example.com:8080/v1/update
  env:
    WATCHTOWER_TOKEN: ${{ secrets.WATCHTOWER_API_TOKEN }}   # Read in the script as ${WATCHTOWER_TOKEN}

# GitLab CI equivalent (WATCHTOWER_TOKEN must be defined as a CI/CD variable)
deploy:
  stage: deploy
  script:
    # Block scalar: an unquoted "Authorization: Bearer" would be parsed as a YAML mapping
    - |
      curl -f -X POST \
        -H "Authorization: Bearer ${WATCHTOWER_TOKEN}" \
        https://myserver.example.com:8080/v1/update

This pattern eliminates the need to SSH into your server to deploy — push to your registry, trigger Watchtower, and the update is live within seconds.
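
An added example, not from the original article: a wrapper a pipeline job could call instead of the inline curl. It refuses cleartext HTTP to anything but loopback, passes the token to curl on stdin so it stays out of the process list, and fails on any status other than 200. The function name, the token-file argument and the timeout value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). trigger_watchtower_update is a
# hypothetical wrapper around the /v1/update call shown above.
#   $1 = update URL
#   $2 = file holding the API token (must not contain a double quote or
#        backslash, which would break the curl config line below)
trigger_watchtower_update() {
  url=$1
  token_file=$2
  # The bearer token is a replayable credential: allow cleartext HTTP only to
  # loopback, and reject userinfo tricks such as http://localhost:1@other-host/.
  case $url in
    *@*) echo "refusing URL with userinfo" >&2; return 2 ;;
    https://*|http://localhost:*|http://127.0.0.1:*) ;;
    *) echo "refusing to send token over cleartext HTTP" >&2; return 2 ;;
  esac
  [ -r "$token_file" ] || { echo "token file not readable" >&2; return 2; }
  token=$(cat "$token_file")
  # Feed the header through --config on stdin so the token never appears in
  # curl's argv, which other local users can read via ps or /proc.
  code=$(printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl --silent --show-error --max-time 120 --request POST \
      --config - --output /dev/null --write-out '%{http_code}' "$url") || return 3
  # Anything other than 200 (for example a rejected token) fails the job.
  [ "$code" = "200" ] || { echo "update endpoint returned HTTP $code" >&2; return 1; }
}
```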

Update a Specific Container Only

To update a specific Docker container with Watchtower without updating all others:

# Pass container names as arguments to --run-once
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower --run-once nginx

# Multiple specific containers
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower --run-once nginx redis vaultwarden

# Combined with cleanup
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e WATCHTOWER_CLEANUP=true \
  containrrr/watchtower --run-once myapp

Frequently Asked Questions

How do I force Watchtower to update containers immediately?

Run a one-shot Watchtower container: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --run-once. This checks all containers for updates immediately and exits. You can run this alongside your running Watchtower daemon without conflict. Add -e WATCHTOWER_CLEANUP=true to also remove old images.

How do I remove old Docker images after Watchtower updates?

Set WATCHTOWER_CLEANUP=true in your Watchtower environment variables. This automatically removes the old image after each successful container update. For manual cleanup, use docker image prune -a to remove all unused images from the system.

Can Watchtower update itself?

Yes. Watchtower monitors its own image (containrrr/watchtower) by default and will update itself when a new version is published on Docker Hub. When it updates itself, there is a brief gap of seconds where it restarts. To prevent self-updates, pin the version tag (containrrr/watchtower:1.7.1) or add the disable label to the Watchtower container.

How do I trigger a Watchtower update via HTTP API?

Enable the HTTP API: set WATCHTOWER_HTTP_API_UPDATE=true, WATCHTOWER_HTTP_API_TOKEN=yourToken, and expose port 8080. Then trigger with: curl -H "Authorization: Bearer yourToken" -X POST http://localhost:8080/v1/update. This is ideal for CI/CD pipelines that need to deploy immediately after pushing a new image.

Alex Chen
Docker Infrastructure Engineer
Alex has integrated Watchtower into CI/CD pipelines at multiple organizations, replacing SSH-based deployment scripts with the Watchtower HTTP API trigger pattern. All examples are tested against containrrr/watchtower v1.7.x.