# Watchtower
A process for automating Docker container base image updates.
[](https://circleci.com/gh/containrrr/watchtower)
[](https://codecov.io/gh/containrrr/watchtower)
[](https://godoc.org/github.com/containrrr/watchtower)
[](https://goreportcard.com/report/github.com/containrrr/watchtower)
[](https://github.com/containrrr/watchtower/releases)
[](https://www.apache.org/licenses/LICENSE-2.0)
[](https://www.codacy.com/gh/containrrr/watchtower/dashboard?utm_source=github.com&utm_medium=referral&utm_content=containrrr/watchtower&utm_campaign=Badge_Grade)
[](#contributors)
[](https://hub.docker.com/r/containrrr/watchtower)
## Quick Start
With watchtower you can update the running version of your containerized app simply by pushing a new image to the Docker Hub or your own image registry.
Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially. Run the watchtower container with the following command:
```
$ docker run --detach \
--name watchtower \
--volume /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower
```
Watchtower is intended to be used in homelabs, media centers, local dev environments, and similar. We do **not** recommend using Watchtower in a commercial or production environment. If that is you, you should be looking into using Kubernetes. If that feels like too big a step for you, please look into solutions like [MicroK8s](https://microk8s.io/) and [k3s](https://k3s.io/) that take away a lot of the toil of running a Kubernetes cluster.
### Using a custom registry CA (private registries)
If you run Watchtower against a private registry that uses a custom TLS certificate, provide the CA bundle and enable validation at startup so Watchtower fails fast on misconfiguration:
```
$ docker run --detach \
--name watchtower \
--volume /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
--registry-ca /etc/ssl/certs/my-registry-ca.pem \
--registry-ca-validate=true
```
Prefer providing a CA bundle and enabling `--registry-ca-validate` over disabling TLS verification with `--insecure-registry` in production environments.
## Documentation
The full documentation is available at https://containrrr.dev/watchtower.
## Contributors
Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
