Container (5): Docker Best Practices Guide - Container Update Monitoring Tool WUD (What's Up Docker)

Background

This is the fifth article introducing Docker containers. Links to other articles in this series are as follows:

Container (1): Introduction to Container-related Knowledge - Containerization, Docker, Docker Compose, Kubernetes / K8s, etc.
Container (2): Docker Best Practices Guide - Docker Compose and Portainer
Container (3): Docker Best Practices Guide - Volume Management
Container (4): Docker Best Practices Guide - Container Update, Upgrade, and Migration
Container (6): Misconceptions, Bad Habits, and Issues When Using Docker

The previous article mentioned how to update or upgrade containers. When I was updating Docker containers, I found that many of them had not been updated for two or three years, and the version gap was too large, which led to some containers being unable to update directly. Some containers, on the other hand, had not been updated much and could be updated directly. Since the update frequency of each container is different, and there are many containers created, I don’t want to manually check whether the container has updates available every few days. So I thought of a question: Is there a tool that can automatically monitor container updates?

Of course, there are tools like WatchTower, but WatchTower is an automatic update tool for containers, and I don’t want it to update automatically. I just want to know if there are updates available for the container, so I haven’t used it. Recently, I found a tool called WUD (What’s Up Docker) that can monitor container updates and is easy to use, so I plan to give it a try.

Prerequisites

Docker and docker-compose must be installed
Understand the basic concepts and usage of Docker
Use docker-compose to manage containers (if you do not use docker-compose to manage containers, or do not want to use docker-compose to manage containers, then this article is for reference only)

WUD (What’s Up Docker) Introduction

WUD (What’s Up Docker) is an open-source Docker container update monitoring tool that can monitor whether container images on Docker Hub have updates and can notify users via email, Slack, and other methods.

WUD Installation and Usage

Install WUD

The installation of WUD is very simple, just follow the instructions in the official documentation. Here we use docker-compose to install WUD, the docker-compose.yml file is as follows:

1
2
3
4
5
6
7
8
services:
  whatsupdocker:
    image: getwud/wud
    container_name: wud
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 3000:3000

After starting, you can access it in your browser at http://localhost:3000.

Create Admin Account

However, the WUD installed using the above method does not have an admin account. It is fine for local access, but if you want to expose the service to the public network, you need to create an admin account. WUD provides two methods to create an admin account:

Pass the username and password to the WUD container using environment variables
Use OpenidConnect (OIDC) to create an admin account

For details, see the official documentation.

The first method is very simple and convenient, so I used it directly. We just need to add the following environment variables to the docker-compose.yml file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
services:
  whatsupdocker:
    image: getwud/wud
    container_name: wud
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 3001:3000
    environment:
      - WUD_AUTH_BASIC_ADMIN_USER=your_admin_name
      - WUD_AUTH_BASIC_ADMIN_HASH=your_admin_password_hash

The password is stored in hash form, and we can use the htpasswd command to generate the password hash:

1
htpasswd -nib admin doe

If you do not have the htpasswd command installed, you can generate the password hash on this website.

It is important to note that the generated hash value starts with the username, and we only need to take the part after the colon. The part after the colon may contain the $ symbol, so we need to replace the $ symbol with $$. For example, if the original hash value is $apr1$2c4a3d5e$e0f8b7c6d7f8b7c6d7f8b7c6, we need to replace it with $$apr1$$2c4a3d5e$$e0f8b7c6d7f8b7c6d7f8b7c6.

After restarting the WUD container and accessing it in the browser, you can see the following login interface: wud_login

Enter your username and password to log in. Note that you need to enter the password, not the hash value.

WUD Monitoring Container Updates

Through the web interface, you can monitor the update status of the containers. After logging in, you can see the following interface:

wud_main

It can be seen that WUD has detected 37 containers, of which 10 have updated versions available. Click in to view details:

wud_web2

You can see the current version number of the container as well as the latest version number, and we can decide whether to update the container based on our needs.

Set WUD Monitoring Rules

In WUD, the container status we see may look like this:

wud_web3

There are two issues here:

The tags used by our containers are in numeric form, but WUD monitors all tags, including some irregular tags. For example, the latest tag of authelia in the figure is feat-i18n-lang-attr. If we only want to monitor tags in numeric form, we need to set monitoring rules.
When we deploy a service, we may use multiple containers to deploy this service. For example, the chevereto service requires two containers to deploy: one is chevereto-free, and the other is chevereto-free-database. We do not need to monitor all containers; we only need to monitor the chevereto-free container. Otherwise, if we detect that chevereto-free-database has an update available, while chevereto-free does not, and we only update chevereto-free-database, it may lead to compatibility issues. We also need to set monitoring rules to avoid this situation.

Include Certain Tags

For the first case, we can add wud.tag.include to the docker-compose.yml file of the corresponding container to tell WUD which tags we only want to monitor. For example, if we only want to monitor tags in numeric form like xx.yy.zz, we can add the following configuration:

1
2
3
4
5
services:
  some_service:
    image: some_image
    labels:
      - wud.tag.include=^\d+\.\d+\.\d+$$

This method uses a regular expression to match the tags, where ^ indicates the start, \d indicates a digit, + indicates one or more, \. indicates a dot, and $$ indicates the end. This way, we can match tags in numeric form.

In tags in the form of xx.yy.zz, generally xx represents the major version number, yy represents the minor version number, and zz represents the patch number. We can set monitoring rules based on our needs. For example, if we only want to monitor updates to the major and minor version numbers and ignore the patch number, we can change the regular expression to:

1
2
3
4
5
services:
  some_service:
    image: some_image
    labels:
      - wud.tag.include=^(\d+\.\d+)\.\d+$$ => $$1

In this case, we use parentheses to group xx.yy together and specify that we only want to monitor updates to xx.yy after the =>. This way, we can monitor updates to the major and minor version numbers only.

Monitor Only Certain Containers

For the second case, we can add wud.watch to the docker-compose.yml file of the corresponding container to tell WUD whether we want to monitor this container. For example, if we do not want to monitor the chevereto-free-database container, we can add the following configuration:

1
2
3
4
5
6
7
services:
  chevereto-free-app:
    image: chevereto-free
  chevereto-free-database:
    image: chevereto-free-database
    labels:
      - wud.watch=false

This way, we can avoid monitoring the chevereto-free-database container.