Docker – detecting out-of-date containers

Amazingly, there isn’t a built-in mechanism to check whether Docker containers are up-to-date; you can only do a pull and see if anything is downloaded. Doing so updates the images anyway, so if the container is recreated for any reason it will also use those new images.

There’s a tool called Skopeo which should do this, but I could not get it to run (the Go dependencies are too complex on my older Linux installation).

There’s also Watchtower which automates the checking but does not ensure images aren’t downloaded.

I decided to write my own bash script to read the local docker container / image details and compare them against the latest version in the repo using the API. This turned out to be pretty complex – in the case of Docker Hub because the URLs and authentication aren’t very intuitive, and in the case of GitHub because they use the newer manifest schema which requires multiple calls to get the information.

However… I got a script which works, confirming whether local images are up-to-date (at least for my set of containers).

My scenario is that I run this script each week with the settings to check all containers and only output those that are out-of-date. Any output is then sent to me by email so I can decide when to update.

It can be found on GitHub: https://github.com/pseudocoder/docker-check

Example output from my media server

% docker-check -a
paperless-ng_gotenberg_1 (thecodingmachine/gotenberg) is up-to-date
mariadb (linuxserver/mariadb:latest) is up-to-date
wireguard (ghcr.io/linuxserver/wireguard) is up-to-date
heimdall (linuxserver/heimdall:latest) is up-to-date
plex (linuxserver/plex:latest) is up-to-date
wordpress-gee-family (wordpress:latest) is up-to-date
wordpress-pseudocode (wordpress:latest) is up-to-date
cops (linuxserver/cops) is up-to-date
paperless-ng_webserver_1 (jonaswinkler/paperless-ng:latest) is up-to-date
filebrowser (filebrowser/filebrowser:latest) is up-to-date
deluge (linuxserver/deluge) is up-to-date
filerun (afian/filerun:latest) is up-to-date
calibre-web (linuxserver/calibre-web) is up-to-date
influxdb2 (influxdb:latest) is up-to-date
syncthing (linuxserver/syncthing:latest) is up-to-date
grafana (grafana/grafana:latest) is up-to-date
paperless-ng_db_1 (postgres:13) is up-to-date
paperless-ng_broker_1 (redis:6.0) is up-to-date
paperless-ng_tika_1 (apache/tika) is up-to-date
portainer (portainer/portainer-ce) is up-to-date
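
The registry side of the comparison described above, as an added example in POSIX shell (not the docker-check script's own code): it normalizes an image name to its Docker Hub or ghcr.io form, builds the token and manifest URLs, and compares the registry's Docker-Content-Digest header from a HEAD request, which transfers no image data, with the local RepoDigests. The function names are illustrative, only anonymous pulls of public images from those two registries are covered, and it assumes the local image was pulled by tag so that RepoDigests holds the digest the registry served.

```shell
# Added example: digest comparison against the registry without pulling layers.

# "wordpress:latest" -> "docker.io library/wordpress latest"
normalize_ref() (
  ref=$1 registry=docker.io tag=latest
  case $ref in
    */*) first=${ref%%/*}   # a registry host contains '.' or ':' (or is localhost)
         case $first in
           *.*|*:*|localhost) registry=$first; ref=${ref#*/} ;;
         esac ;;
  esac
  case ${ref##*/} in
    *:*) tag=${ref##*:}; ref=${ref%:*} ;;   # a tag is a ':' after the last '/'
  esac
  case $registry/$ref in
    docker.io/*/*) ;;                       # already has a namespace
    docker.io/*)   ref=library/$ref ;;      # official images live under library/
  esac
  echo "$registry $ref $tag"
)

# Prints two lines: the anonymous pull-token endpoint, then the manifest URL.
registry_urls() {
  set -- $(normalize_ref "$1")
  case $1 in
    docker.io) echo "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$2:pull"
               echo "https://registry-1.docker.io/v2/$2/manifests/$3" ;;
    ghcr.io)   echo "https://ghcr.io/token?service=ghcr.io&scope=repository:$2:pull"
               echo "https://ghcr.io/v2/$2/manifests/$3" ;;
    *)         return 1 ;;                  # other registries are not covered here
  esac
}

# Digest the registry currently serves for the tag (needs curl and network).
remote_digest() (
  urls=$(registry_urls "$1") || exit 1
  token=$(curl -fsS "$(echo "$urls" | sed -n 1p)" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p')
  # Accept both manifest lists and single manifests, Docker and OCI media types.
  a=application/vnd.docker.distribution; o=application/vnd.oci.image
  accept="$a.manifest.list.v2+json, $o.index.v1+json, $a.manifest.v2+json, $o.manifest.v1+json"
  curl -fsSI -H "Authorization: Bearer $token" -H "Accept: $accept" \
       "$(echo "$urls" | sed -n 2p)" |
    tr -d '\r' | awk 'tolower($1) == "docker-content-digest:" { print $2 }'
)

# $1: local RepoDigests (one "repo@digest" per line), $2: remote digest.
is_current() {
  [ -n "$2" ] && printf '%s\n' "$1" | sed 's/.*@//' | grep -qxF -- "$2"
}
```

On a Docker host, `is_current "$(docker image inspect --format '{{join .RepoDigests "\n"}}' wordpress:latest)" "$(remote_digest wordpress:latest)"` returns non-zero when the tag now points at a different digest.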

Docker Compose – automated updates

Using docker-compose makes updating images and containers very easy – a simple command downloads any new images:

docker-compose pull

And another stops, updates and restarts containers:

docker-compose up -d

But what if you want to know about updates, without actually doing them – for example, to do a daily check but only update during non-critical times or when you’re around to fix any issues?

Unfortunately, neither docker nor docker-compose seems to provide a way of reporting out-of-date images – but a simple pair of commands can do something similar.

docker-compose pull -q
docker images | fgrep '<none>'

This pulls any new images, quietly without reporting anything, and then looks for any images not associated with a tag – since the new images will now have the “latest” tag, the older ones show up.

After the update (docker-compose up -d) you should also delete the old images:

docker image prune -f

Probably there’s a better way to do this, but it works fine on my media centre to tell me of updates while still having control over when they are applied.