Arguments
By default, Watchtower monitors all containers running on the Docker daemon it connects to (typically the local daemon, configurable via the --host
flag). To limit monitoring to specific containers, provide their names as arguments when starting Watchtower.
$ docker run -d \
--name watchtower \
-v /var/run/docker.sock:/var/run/docker.sock \
nickfedor/watchtower \
nginx redis
In this example, Watchtower monitors only the "nginx" and "redis" containers, ignoring others. To run a single update attempt and exit, use the --run-once
flag with the --rm
option to remove the Watchtower container afterward.
$ docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
nickfedor/watchtower \
--run-once \
nginx redis
This command triggers an update attempt for "nginx" and "redis" containers, displays debug output, and removes the Watchtower container upon completion. Without arguments, Watchtower monitors all running containers.
Secrets/Files¶
Certain flags support referencing a file, using its contents as the value, to securely handle sensitive data like passwords or tokens, avoiding exposure in configuration files or command lines.
Flag | Environment Variable |
---|---|
--notification-url |
WATCHTOWER_NOTIFICATION_URL |
--notification-email-server-password |
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD |
--notification-slack-hook-url |
WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL |
--notification-msteams-hook |
WATCHTOWER_NOTIFICATION_MSTEAMS_HOOK |
--notification-gotify-token |
WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN |
--http-api-token |
WATCHTOWER_HTTP_API_TOKEN |
Example Docker Compose Usage¶
secrets:
access_token:
file: access_token
services:
watchtower:
secrets:
- access_token
environment:
- WATCHTOWER_HTTP_API_TOKEN=/run/secrets/access_token
Time Zone¶
Sets the time zone for Watchtower's logs and the --schedule
flag's cron expressions. Without this setting, Watchtower defaults to UTC. To specify a time zone, use a value from the TZ Database (e.g., Europe/Rome
). Alternatively, mount the host's /etc/localtime
file using -v /etc/localtime:/etc/localtime:ro
.
Argument: None
Environment Variable: TZ
Type: String
Default: UTC
General Options¶
Help¶
Displays documentation for supported flags.
Argument: --help
Environment Variable: N/A
Type: N/A
Default: N/A
Debug¶
Enables debug mode with verbose logging.
Argument: --debug, -d
Environment Variable: WATCHTOWER_DEBUG
Type: Boolean
Default: false
Note
Equivalent to --log-level debug
. See Maximum Log Level. As an argument, does not accept a value (e.g., --debug true
is invalid).
Trace¶
Enables trace mode with highly verbose logging, including sensitive information like credentials.
Argument: --trace
Environment Variable: WATCHTOWER_TRACE
Type: Boolean
Default: false
Note
Equivalent to --log-level trace
. See Maximum Log Level. As an argument, does not accept a value (e.g., --trace true
is invalid). Use with caution due to credential exposure.
Maximum Log Level¶
Sets the maximum log level output to STDERR, visible in docker logs
when running Watchtower in a container.
Argument: --log-level
Environment Variable: WATCHTOWER_LOG_LEVEL
Possible Values: panic, fatal, error, warn, info, debug, trace
Default: info
Logging Format¶
Specifies the format for console log output.
Argument: --log-format, -l
Environment Variable: WATCHTOWER_LOG_FORMAT
Possible Values: Auto, LogFmt, Pretty, JSON
Default: Auto
Disable ANSI Colors¶
Disables ANSI color escape codes in log output for plain text logs.
Argument: --no-color
Environment Variable: NO_COLOR
Type: Boolean
Default: false
Run Once¶
Triggers a single update attempt for specified containers and exits immediately.
Argument: --run-once, -R
Environment Variable: WATCHTOWER_RUN_ONCE
Type: Boolean
Default: false
Note
Enables debug output during execution, suitable for interactive use. Use with --rm
to remove the Watchtower container after completion.
Scheduling & Polling¶
Schedule¶
Defines when and how often Watchtower checks for new images using a 6-field Cron expression. Example: --schedule "0 0 4 * * *"
runs daily at 4 AM.
Argument: --schedule, -s
Environment Variable: WATCHTOWER_SCHEDULE
Type: String
Default: None
Note
Cannot be used with --interval
. Requires a time zone set via TZ
or a mounted /etc/localtime
file (see Time Zone).
Poll Interval¶
Sets the interval (in seconds) for polling new images.
Argument: --interval, -i
Environment Variable: WATCHTOWER_POLL_INTERVAL
Type: Integer
Default: 86400 (24 hours)
Note
Cannot be used with --schedule
. Overrides cron-based scheduling.
HTTP API Periodic Polls¶
Enables periodic updates when HTTP API mode is active, allowing both API-triggered and scheduled updates.
Argument: --http-api-periodic-polls
Environment Variable: WATCHTOWER_HTTP_API_PERIODIC_POLLS
Type: Boolean
Default: false
Note
Requires --http-api-update
. See HTTP API Mode.
Container Management¶
Include Stopped Containers¶
Includes created and exited containers in monitoring and updates.
Argument: --include-stopped, -S
Environment Variable: WATCHTOWER_INCLUDE_STOPPED
Type: Boolean
Default: false
Revive Stopped Containers¶
Restarts stopped containers after their images are updated.
Argument: --revive-stopped
Environment Variable: WATCHTOWER_REVIVE_STOPPED
Type: Boolean
Default: false
Note
Requires --include-stopped
.
Include Restarting Containers¶
Includes containers in the restarting state for monitoring and updates.
Argument: --include-restarting
Environment Variable: WATCHTOWER_INCLUDE_RESTARTING
Type: Boolean
Default: false
Disable Container Restart¶
Prevents restarting containers after updating, useful when an external system (e.g., systemd) manages container lifecycle.
Argument: --no-restart
Environment Variable: WATCHTOWER_NO_RESTART
Type: Boolean
Default: false
Warning
Combining --no-restart
with --cleanup
during Watchtower self-update may leave a renamed Watchtower container running without starting a new one, preventing cleanup of the old image. Use cautiously for self-updating Watchtower instances, and consider external lifecycle management (e.g., Docker Compose) to restart containers manually.
Rolling Restart¶
Restarts containers one at a time to minimize downtime, ideal for zero-downtime deployments with lifecycle hooks.
Argument: --rolling-restart
Environment Variable: WATCHTOWER_ROLLING_RESTART
Type: Boolean
Default: false
Note
When combined with --cleanup
, image cleanup is deferred until all containers are updated, which may temporarily increase disk usage for large numbers of containers (>50). This is typically negligible for homelab setups but monitor disk space on resource-constrained hosts.
Cleanup Old Images¶
Removes old images after updating containers to free disk space.
Argument: --cleanup
Environment Variable: WATCHTOWER_CLEANUP
Type: Boolean
Default: false
Note
During Watchtower self-updates, cleanup is deferred to the new container to prevent premature image deletion. Ensure --no-restart
is not used with --cleanup
to avoid incomplete updates.
Remove Anonymous Volumes¶
Deletes anonymous volumes when updating containers. Named volumes remain unaffected.
Argument: --remove-volumes
Environment Variable: WATCHTOWER_REMOVE_VOLUMES
Type: Boolean
Default: false
Monitor Only¶
Monitors for new images, sends notifications, and runs lifecycle hooks without updating containers.
Argument: --monitor-only
Environment Variable: WATCHTOWER_MONITOR_ONLY
Type: Boolean
Default: false
Note
Images may still be pulled due to Docker API limitations for digest comparison. Can be set per container via the com.centurylinklabs.watchtower.monitor-only
label. See Label Precedence.
Disable Image Pulling¶
Prevents pulling new images from registries, monitoring only local image cache changes. Useful for locally built images.
Argument: --no-pull
Environment Variable: WATCHTOWER_NO_PULL
Type: Boolean
Default: false
Note
Can be set per container via the com.centurylinklabs.watchtower.no-pull
label. See Label Precedence.
Enable Label Filter¶
Restricts monitoring to containers with the com.centurylinklabs.watchtower.enable
label set to true
when the --label-enable
flag is specified. Without --label-enable
, containers with this label set to false
are excluded, while others are monitored by default.
Argument: --label-enable
Environment Variable: WATCHTOWER_LABEL_ENABLE
Type: Boolean
Default: false
Note
When --label-enable
is unset, containers without the com.centurylinklabs.watchtower.enable
label or with it set to true
are monitored, and those with false
are excluded. When --label-enable
is set, only containers with true
are monitored, ignoring those with false
or no label.
Disable Specific Containers¶
Excludes containers by name from monitoring, even if they have the enable label set to true
.
Argument: --disable-containers, -x
Environment Variable: WATCHTOWER_DISABLE_CONTAINERS
Type: Comma- or space-separated string list
Default: None
Scope Filter¶
Monitors containers with a com.centurylinklabs.watchtower.scope
label matching the specified value, enabling multiple Watchtower instances.
Argument: --scope
Environment Variable: WATCHTOWER_SCOPE
Type: String
Default: None
Note
Set to none
to ignore scoped containers. Without this flag, Watchtower monitors all containers regardless of scope. For self-updates, ensure all Watchtower containers share the same com.centurylinklabs.watchtower.scope
label to guarantee cleanup of renamed containers and old images. Mismatched labels may prevent detection, leaving resources running. See Running Multiple Instances.
Label Precedence¶
Allows container labels (e.g., com.centurylinklabs.watchtower.monitor-only
, com.centurylinklabs.watchtower.no-pull
) to override corresponding flags.
Argument: --label-take-precedence
Environment Variable: WATCHTOWER_LABEL_TAKE_PRECEDENCE
Type: Boolean
Default: false
Registry & Authentication¶
Skip Registry TLS Verification¶
Disables TLS certificate verification for registry connections, useful for self-signed certificates or insecure registries.
Argument: --registry-tls-skip
Environment Variable: WATCHTOWER_REGISTRY_TLS_SKIP
Type: Boolean
Default: false
Note
Use cautiously, as it reduces security. Suitable for testing or private registries.
Minimum Registry TLS Version¶
Sets the minimum TLS version for registry connections, overriding the default (TLS 1.2).
Argument: --registry-tls-min-version
Environment Variable: WATCHTOWER_REGISTRY_TLS_MIN_VERSION
Possible Values: TLS1.0, TLS1.1, TLS1.2, TLS1.3
Default: TLS1.2
Warn on HEAD Failure¶
Controls warnings for failed HEAD requests to registries. Auto
warns for registries known to support HEAD requests (e.g., docker.io) that may rate-limit.
Argument: --warn-on-head-failure
Environment Variable: WATCHTOWER_WARN_ON_HEAD_FAILURE
Possible Values: always, auto, never
Default: auto
Docker Connection¶
Docker Host¶
Specifies the Docker daemon socket to connect to, supporting remote hosts via TCP (e.g., tcp://hostname:port
).
Argument: --host, -H
Environment Variable: DOCKER_HOST
Type: String
Default: unix:///var/run/docker.sock
Docker API Version¶
Sets the Docker API version for client-daemon communication. Defaults to autonegotiation.
Argument: --api-version, -a
Environment Variable: DOCKER_API_VERSION
Type: String
Default: Autonegotiated
Note
Minimum supported version is 1.24. Refer to Docker's API version matrix for compatibility.
Enable Docker TLS Verification¶
Enables TLS verification for Docker socket connections.
Argument: --tlsverify
Environment Variable: DOCKER_TLS_VERIFY
Type: Boolean
Default: false
Disable Memory Swappiness¶
Sets memory swappiness to nil
for Podman compatibility with crun and cgroupv2, overriding Podman's default of 0
.
Argument: --disable-memory-swappiness
Environment Variable: WATCHTOWER_DISABLE_MEMORY_SWAPPINESS
Type: Boolean
Default: false
HTTP API & Metrics¶
HTTP API Mode¶
Runs Watchtower in HTTP API mode, allowing updates only via HTTP requests, with support for tag-specific filtering (e.g., image=foo/bar:1.0
).
Argument: --http-api-update
Environment Variable: WATCHTOWER_HTTP_API_UPDATE
Type: Boolean
Default: false
Note
See HTTP API Mode for details.
HTTP API Token¶
Sets an authentication token for HTTP API requests. Can reference a file for security.
Argument: --http-api-token
Environment Variable: WATCHTOWER_HTTP_API_TOKEN
Type: String
Default: None
HTTP API Metrics¶
Enables a Prometheus metrics endpoint via HTTP.
Argument: --http-api-metrics
Environment Variable: WATCHTOWER_HTTP_API_METRICS
Type: Boolean
Default: false
Note
See Metrics for details.
HTTP API Port¶
Sets the listening port for the HTTP API.
Argument: --http-api-port
Environment Variable: WATCHTOWER_HTTP_API_PORT
Type: String
Default: 8080
Notifications¶
Notification URL¶
Configures the notification service URL. Can reference a file for sensitive values.
Argument: --notification-url
Environment Variable: WATCHTOWER_NOTIFICATION_URL
Type: String
Default: None
Notification Email Server Password¶
Sets the password for the email notification server. Can reference a file for security.
Argument: --notification-email-server-password
Environment Variable: WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD
Type: String
Default: None
Notification Slack Hook URL¶
Sets the Slack webhook URL for notifications. Can reference a file for security.
Argument: --notification-slack-hook-url
Environment Variable: WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL
Type: String
Default: None
Notification Microsoft Teams Hook¶
Sets the Microsoft Teams webhook URL for notifications. Can reference a file for security.
Argument: --notification-msteams-hook
Environment Variable: WATCHTOWER_NOTIFICATION_MSTEAMS_HOOK
Type: String
Default: None
Notification Gotify Token¶
Sets the Gotify token for notifications. Can reference a file for security.
Argument: --notification-gotify-token
Environment Variable: WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN
Type: String
Default: None
Disable Startup Message¶
Suppresses the info-level notification sent when Watchtower starts.
Argument: --no-startup-message
Environment Variable: WATCHTOWER_NO_STARTUP_MESSAGE
Type: Boolean
Default: false
Lifecycle & Health¶
Container Stop Timeout¶
Sets the timeout (e.g., 30s
) before forcibly stopping a container during updates.
Argument: --stop-timeout
Environment Variable: WATCHTOWER_TIMEOUT
Type: Duration
Default: 30s
Health Check¶
Returns a success exit code for Docker HEALTHCHECK
, verifying another process is running in the container.
Argument: --health-check
Environment Variable: None
Type: N/A
Default: N/A
Note
Intended solely for Docker HEALTHCHECK
. Do not use on the main command line.
Output & Compatibility¶
Programmatic Output (Porcelain)¶
Outputs session results in a machine-readable format (version specified by VERSION
).
Argument: --porcelain, -P
Environment Variable: WATCHTOWER_PORCELAIN
Possible Values: v1
Default: None
Note
Equivalent to:
--notification-url logger://
--notification-log-stdout
--notification-report
--notification-template porcelain.VERSION.summary-no-log