Installing WATCHTOWER (automatic Docker container updates) on a NAS (Synology)
1. For the available options, see the site below

https://containrrr.dev/watchtower/arguments/

2. Configuration

[code]
sudo docker run -d --name watchtower -e TZ=Asia/Seoul -e WATCHTOWER_CLEANUP=true -e WATCHTOWER_REMOVE_VOLUMES=true -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower
[/code]

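[code]
version: "2"
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      # Docker API socket; watchtower uses it to inspect and recreate containers
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      TZ: Asia/Seoul
      # remove the old image after a container has been updated
      WATCHTOWER_CLEANUP: 'true'
      # poll interval in seconds (43200 = 12 hours)
      WATCHTOWER_POLL_INTERVAL: 43200
    restart: unless-stopped
[/code]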

[code]
version: "2"
services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      TZ: Asia/Seoul
      WATCHTOWER_CLEANUP: 'true'
      # poll interval in seconds (86400 = 24 hours)
      WATCHTOWER_POLL_INTERVAL: 86400
    restart: unless-stopped
[/code]

Container selection
By default, watchtower will watch all containers. However, sometimes only some containers should be updated.
There are two options:
- Fully exclude: You can choose to exclude containers entirely from being watched by watchtower.
- Monitor only: In this mode, watchtower checks for container updates, sends notifications and invokes the pre-check/post-check hooks on the containers but does not perform the update.
Full Exclude
If you need to exclude some containers, set the com.centurylinklabs.watchtower.enable label to false.
[code]
LABEL com.centurylinklabs.watchtower.enable="false"
[/code]
Or, it can be specified as part of the docker run command line:
[code]
docker run -d --label=com.centurylinklabs.watchtower.enable=false someimage
[/code]
If you need to include only containers with the enable label, pass the --label-enable flag or the WATCHTOWER_LABEL_ENABLE environment variable on startup and set the com.centurylinklabs.watchtower.enable label with a value of true for the containers you want to watch.
[code]
LABEL com.centurylinklabs.watchtower.enable="true"
[/code]
Or, it can be specified as part of the docker run command line:
[code]
docker run -d --label=com.centurylinklabs.watchtower.enable=true someimage
[/code]
If you wish to create a monitoring scope, you will need to run multiple instances and set a scope for each of them.
Watchtower filters running containers by testing them against each configured criterion. A container is monitored only if all criteria are met. For example:
- If a container's name is on the monitoring name list (non-empty --name argument) but it is not enabled (com.centurylinklabs.watchtower.enable=false), it won't be monitored.
- If a container's name is not on the monitoring name list (non-empty --name argument), even if it is enabled (com.centurylinklabs.watchtower.enable=true and the --label-enable flag is set), it won't be monitored.
Monitor Only
Individual containers can be marked to only be monitored (without being updated).
To do so, set the com.centurylinklabs.watchtower.monitor-only label to true on that container.
[code]
LABEL com.centurylinklabs.watchtower.monitor-only="true"
[/code]
Or, it can be specified as part of the docker run command line:
[code]
docker run -d --label=com.centurylinklabs.watchtower.monitor-only=true someimage
[/code]
When the label is specified on a container, watchtower treats that container exactly as if WATCHTOWER_MONITOR_ONLY was set, but the effect is limited to the individual container.
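
The selection rules above, modelled as an added example (not Watchtower's own code and not from the original post) so that an inventory can be checked for containers that would be updated unattended. The `classify` and `audit` helpers and the sample container names are hypothetical, and label values are assumed to be matched as case-insensitive true/false.

```python
# Added example: a model of the selection rules described above, not Watchtower's code.
ENABLE = "com.centurylinklabs.watchtower.enable"
MONITOR_ONLY = "com.centurylinklabs.watchtower.monitor-only"


def label_is(labels, key, expected):
    """True when the label is set and equals `expected` ('true' or 'false')."""
    return str(labels.get(key, "")).strip().lower() == expected


def classify(container, names=(), label_enable=False, monitor_only=False):
    """Return 'excluded', 'monitor-only' or 'update' for one container.

    container    -- {'name': str, 'labels': dict}, e.g. taken from `docker inspect`
    names        -- the monitoring name list (empty means every container)
    label_enable -- --label-enable / WATCHTOWER_LABEL_ENABLE
    monitor_only -- WATCHTOWER_MONITOR_ONLY
    """
    labels = container.get("labels") or {}
    # Every configured criterion must pass, otherwise the container is not watched.
    if names and container["name"] not in names:
        return "excluded"
    if label_is(labels, ENABLE, "false"):
        return "excluded"
    if label_enable and not label_is(labels, ENABLE, "true"):
        return "excluded"
    # The per-container label has the same effect as the global setting.
    if monitor_only or label_is(labels, MONITOR_ONLY, "true"):
        return "monitor-only"
    return "update"


def audit(containers, **settings):
    """Map each container name to its classification under the given settings."""
    return {c["name"]: classify(c, **settings) for c in containers}


# Constructed inventory; the container names are hypothetical.
SAMPLE = [
    {"name": "vaultwarden", "labels": {ENABLE: "false"}},
    {"name": "postgres", "labels": {MONITOR_ONLY: "true"}},
    {"name": "nginx", "labels": {ENABLE: "true"}},
    {"name": "scratchpad", "labels": {}},
]

if __name__ == "__main__":
    for settings in ({}, {"label_enable": True}, {"names": ("nginx", "postgres")}):
        print(settings or "defaults", audit(SAMPLE, **settings))
```

With default settings the unlabelled `scratchpad` container is classified as `update`; with `label_enable=True` it drops to `excluded`, which is the difference between opt-out and opt-in selection.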

Notifications
Example:
[code]
docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e WATCHTOWER_NOTIFICATIONS=email \
  -e WATCHTOWER_NOTIFICATION_EMAIL_FROM=fromaddress@gmail.com \
  -e WATCHTOWER_NOTIFICATION_EMAIL_TO=toaddress@gmail.com \
  -e WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.gmail.com \
  -e WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587 \
  -e WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=fromaddress@gmail.com \
  -e WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=app_password \
  -e WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2 \
  containrrr/watchtower
[/code]
The previous example assumes that you already have an SMTP server up and running that you can connect to. If you don't, or if you want to bring up watchtower with your own simple SMTP relay, the following docker-compose.yml might be a good start.
The following example assumes that your domain is called your-domain.com and that you are going to use a certificate valid for smtp.your-domain.com. This hostname has to be used as WATCHTOWER_NOTIFICATION_EMAIL_SERVER, otherwise the TLS connection is going to fail with "Failed to send notification email" or "connect: connection refused". We also have to add a network for this setup in order to add an alias to it. If you also want to enable DKIM or other features on the SMTP server, you will find more information at freinet/postfix-relay.
Example including an SMTP relay:
[code]
version: '3.8'
services:
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    environment:
      WATCHTOWER_MONITOR_ONLY: 'true'
      WATCHTOWER_NOTIFICATIONS: email
      WATCHTOWER_NOTIFICATION_EMAIL_FROM: from-address@your-domain.com
      WATCHTOWER_NOTIFICATION_EMAIL_TO: to-address@your-domain.com
      # you have to use a network alias here, if you use your own certificate
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER: smtp.your-domain.com
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: 25
      WATCHTOWER_NOTIFICATION_EMAIL_DELAY: 2
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - watchtower
    depends_on:
      - postfix

  # SMTP needed to send out status emails
  postfix:
    image: freinet/postfix-relay:latest
    expose:
      - 25
    environment:
      MAILNAME: somename.your-domain.com
      TLS_KEY: '/etc/ssl/domains/your-domain.com/your-domain.com.key'
      TLS_CRT: '/etc/ssl/domains/your-domain.com/your-domain.com.crt'
      TLS_CA: '/etc/ssl/domains/your-domain.com/intermediate.crt'
    volumes:
      - /etc/ssl/domains/your-domain.com/:/etc/ssl/domains/your-domain.com/:ro
    networks:
      watchtower:
        # this alias is really important to make your certificate work
        aliases:
          - smtp.your-domain.com

networks:
  watchtower:
    external: false
[/code]
