Replies: 8 comments 6 replies
-
|
Your env config is structurally fine — The reason 27 updates were detected but none fired is almost certainly a trigger-level gate, not a per-container one. To narrow it down I need two things:
If you've configured notification rules in the UI (Settings → Notification rules), check the |
Beta Was this translation helpful? Give feedback.
-
|
Good news — your auto-update is firing. The second log set you posted is the proof: Drydock pulled the new image and then refused to replace the container because dry-run mode is on. That second line is the entire reason nothing seems to happen — it's working exactly as designed for Three things to fix / clarify: 1. You have a stale 2. 3. Side note on the 44 MB TL;DR: turn off the stray dry-run env var and your existing config will start replacing containers on the next maintenance window. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, this helped separate the setup issue from the comparison issue. There are two separate things here:
I have a fix queued for the next RC. It is not in the currently published RC yet. With that fix:
Once the next RC is cut, I would test with an exact image tag rather than image: codeswhat/drydock:<next-rc-tag>
environment:
- DD_WATCHER_LOCAL_HOST=socket-proxy-drydock
- DD_WATCHER_LOCAL_PORT=2375
- DD_WATCHER_LOCAL_WATCHALL=true
- DD_WATCHER_LOCAL_CRON=0 4 * * *
- DD_WATCHER_LOCAL_MAINTENANCE_WINDOW=0-10 4 * * *
- DD_WATCHER_LOCAL_MAINTENANCE_WINDOW_TZ=Europe/Bucharest
- DD_TRIGGER_DOCKER_LOCAL_AUTO=true
- DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
- DD_TRIGGER_DOCKER_LOCAL_BACKUPCOUNT=1
- DD_REGISTRY_HUB_PUBLIC_LOGIN=...
- DD_REGISTRY_HUB_PUBLIC_TOKEN=...Do not set |
Beta Was this translation helpful? Give feedback.
-
|
Following up: the floating-tag update fix I mentioned in my April 29 reply has shipped in v1.5.0-rc.19. With rc.19, floating tags ( To try it: update your drydock image to Note: the Release: https://github.com/CodesWhat/drydock/releases/tag/v1.5.0-rc.19 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the detailed rc.35 logs — that pinned both issues down. Two separate bugs, plus answers to your other asks: 1. We're changing the default: a fully-pinned tag like Workaround that works today on rc.35 — add an include filter so it can't leave the 1.13 line:
2. Maintenance window not respected. Also a real bug — confirmed. The window currently gates the scheduled scan but not every path that can apply an update, so a post-update rescan re-triggered your containers at 21:52 outside your 3. Relative-severity Trivy gating ( 4. "Floating tag for 1.5.x." The rolling Two minor things from your log, both harmless:
I'll follow up here when the next RC with the tag + maintenance-window fixes is cut. |
Beta Was this translation helpful? Give feedback.
-
|
v1.5.0-rc.36 is cut — it includes both fixes from this thread. 1. Pinned specific tags no longer climb across versions. A tag with 3+ numeric segments (e.g. If you do want updates on a pinned tag, opt in per container with an include filter scoped to the range you want:
2. Maintenance window now gates automatic updates. Auto-updates are deferred until the window is open (enforced when Drydock scans); a manual Update now from the UI/API still runs immediately. Pull it: Release notes: https://github.com/CodesWhat/drydock/releases/tag/v1.5.0-rc.36 This is a release candidate — I'll promote it to GA after a short soak with no new reports. A quick confirmation that the pinned-tag behavior now matches what you expected would be hugely helpful. Thanks again for the precise logs that pinned this down. 🙏 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the rc.37 results, both of these are useful. The "Check for updates" button applying updates outside the maintenance window is a real bug, and you found a gap in my rc.36 fix. I traced it. rc.36 added the window gate to the scheduled scan path (the cron tick checks the window before it runs). But the manual "Check for updates" button doesn't go through that path. It calls the watcher's The fix moves the window check onto the apply itself, so an automatic update only applies inside the window no matter how the update was detected (scheduled scan, manual recheck, or a post-update rescan). A manual Update now on a specific container stays immediate by design, that's you explicitly asking for it. This lands in the next 1.5.x release. On the pinned tags not updating under dry-run, that's actually the fix working. Since rc.36 a fully pinned tag like
So nothing's broken there, it's just doing the conservative thing now. If you expected a specific container to move and it didn't, tell me the image and tag and I'll check whether the registry actually has a newer digest. The relative-severity Trivy gating (allow an update when the new image's vuln counts are no worse than what you're already running) is still on the roadmap, not in this release. I'll circle back here when it's scoped. |
Beta Was this translation helpful? Give feedback.
-
|
I moved the window check onto the apply itself, so the "Check for updates" button can't auto-apply outside the window anymore no matter which path detects the update. Manual "Update now" still goes through immediately by design. If you can, pull If it holds on your end I think that's the last of the bugs from this thread and we can call it done. |
Beta Was this translation helpful? Give feedback.





Uh oh!
There was an error while loading. Please reload this page.
-
I would like to set up auto-update for all of my docker containers on a schedule at 4:00 AM with their tags being respected (ex.
:latestpulls the latest version, andpostgres:16-alpinepulls latest:16-alpineversion without using labels in other compose files.I've red through the docs/issues, been trying out different settings, asked 3 different Ais (they all started hallucinating), but nothing seems to work. Auto update never happens and I can't figure out what I'm doing wrong.
Logs with security completely disabled,
- DD_WATCHER_LOCAL_MAINTENANCE_WINDOW=* * * * *and- DD_WATCHER_LOCAL_CRON=22 * * * *:Manually triggering updates from GUI work fine.
I'm using portainer, so I'd stick to only triggering simple Docker updates only, without setting up
DD_TRIGGER_DOCKERCOMPOSE.Below my docker-compose file:
Beta Was this translation helpful? Give feedback.
All reactions