I’m running a Docker-based homelab that I manage primarily via Portainer, and I’m struggling with how to handle container updates. At first, I had all containers pulling latest, but I thought maybe this was a bad idea as I could end up updating a container without intending to. So, I circled back and pinned every container image in my docker-compose files.

Then I started looking into how to handle updates. I’ve heard of Watchtower, but I noticed the Linuxserver.io images all recommend not running Watchtower and instead using Diun. In looking into it, I learned it will notify you of updates based on the tag you’re tracking for the container, meaning it will never do anything for my containers pinned to a specific version. This made me think maybe I’ve taken the wrong approach.

What is the best practice here? I want to generally try to keep things up to date, but I don’t want to accidentally break things. My biggest fear about tracking latest is that I make some other change in a docker-compose and update the stack which pulls latest for all the container in that stack and breaks some of them with unintended updates. Is this a valid concern, and if so, how can I overcome it?

  • MangoPenguin
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    3 months ago

    I use watchtower to auto update everything.

    Anything that needs a specific version for compatibility (Postgres mostly) is pinned to the major release.

    Stuff occasionally breaks, but I have backups for that reason (if you don’t, set that up now before anything else, they should be running daily at least and you should have 2 types of backup minimum).

      • MangoPenguin
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        3 months ago

        Sure:

        • Proxmox backs up all my VMs/CTs nightly to the proxmox backup server I run as a VM with an external HDD attached to it. This keeps around 30 versions with a retention policy so I can go back pretty far if needed. These are full bootable images and include everything.

        • Restic (using Backrest to manage it), runs on any VMs/CTs with critical data, and backs up to Backblaze B2 every night as well, this is a more limited choice of the critical files that I’d need. Similar retention policy as the proxmox backup.

        With both I try and do some full restores every month or two and test things out.