How do you keep up?
-
The good news is this still works; despite no updates, it does everything it used to. There is almost zero reason to update any working NAS if it is behind a firewall.
If all users and devices on the network are well behaved and don't install every random app, even if from the Play Store, then yeah, it's less of a risk.
-
[email protected] replied to [email protected]
Automatically upgrading docker images sounds like a recipe for disaster because:
- could pull down a change that requires manual intervention, so things "randomly" break
- docker holds on to everything, so you'd need to prune old images or you'll eventually run out of disk space; if a container is stopped, your prune would make it unbootable (good luck if the newer images are incompatible with when it last ran)
That's why I refuse to automate updates. I sometimes go weeks or months between using a given service, so I'd rather use vulnerable containers than have to go fix it when I need it.
I run OS updates every month or two, and honestly I'd be okay automating those. I run docker pulls every few months, and there's no way I'd automate that.
-
[email protected] replied to [email protected]
I've encountered that before with Watchtower updating parts of a service and breaking everything, the whole stack. But automating a stack update, as opposed to a service update, should mitigate all of that.
Most of my stacks are stable so aside from breaking changes I should be fine. If I hit a breaking change, I keep backups, I'll rebuild and update manually. I think that'll be a net time save overall.
I keep two docker lxcs, one for arrs and one for everything else. I might make a third lxc for things that currently require manual updates. Immich is my only one currently.
-
[email protected] replied to [email protected]
Watchtower
Glad it works for you.
Automatic updates of software with potential breaking changes scare me. I'm not familiar with Watchtower, since I don't use it or anything like it, but I have several services that I don't use very often, but would suck if they silently stopped working properly.
When I think of a service, I think of something like Nextcloud, Immich, etc., even if they consist of multiple containers. For example, I have separate containers for LibreOffice Online and Nextcloud, but I upgrade them together. I don't want automated upgrades of either because I never know if future builds will be compatible. So I go update things when I remember, but I make sure everything works after.
That said, it seems watchtower can be used to merely notify, so maybe I'll use it for that. I certainly want to be around for any automatic updates though.
-
[email protected] replied to [email protected]
This is why I'm still using a Synology ¯\_(ツ)_/¯
I can install all the fun stuff I want in Docker, but for the major OS stuff, it's outsourced to Synology to maintain for me.
-
[email protected] replied to [email protected]
Depends on your stance on risk, since Watchtower has to run as privileged.
-
[email protected] replied to [email protected]
It's Watchtower that I had problems with because of what you described. Watchtower will drop your microservice, say a database, to update it and then not reset the things that are dependent on it. It can be great, just not in the ham-fisted way I used it.
Uptime Kuma can alert you when a service goes down. I am constantly in my Homarr homepage that tells me if it can't ping a service, then I go investigating.
I get that it's scary, and after my Watchtower trauma I was hesitant to go automatic too. But, I'm managing 5 machines now, and scaling by getting more so I have to think about scale.
-
[email protected] replied to [email protected]
I run Proxmox on the host with docker in a VM for 90% of my stuff. OS updates I do like every 6 months maybe. I've done 1 major version upgrade on Proxmox with no issues at all.
The docker containers auto-update via Komodo, and nothing really ever breaks anymore other than the occasional container error that needs a simple fix.
Everything important is backed up nightly using both proxmox backup server, and to backblaze B2 with restic.
-
[email protected] replied to [email protected]
This is a good point. Generally if I can accomplish what I want with my own scripts, I will go that route. I'll probably avoid adding additional software to the mix since what I have works fine enough.
-
[email protected] replied to [email protected]
I've never used TrueNAS, but I've never had any issue with keeping up with releases. I use a Proxmox host with Debian containers mostly, and then I use Ansible to do any major changes to the hosts such as replacing certificates or upgrading the packages.
That being said, my backup structure isn't the most professional. I have an 8 TB external drive that I keep plugged in via USB and I have Proxmox Backup Server on the same host and it creates backups nightly.
-
[email protected] replied to [email protected]
I've never heard of Komodo. I've heard a lot about Watchtower but I found it more annoying to set up due to its labeling systems. Is there any added benefit for Komodo over using a standard Watchtower setup?
I haven't set up either of them, but my main concern is having a breaking change be automatically updated.
-
[email protected] replied to [email protected]
I don't use Watchtower myself for the same reasons described, but I was under the understanding if you had a container as a dependency on another container that if you took the dependency down it also took the container down. Is this not actually true?
-
[email protected] replied to [email protected]
I am not the person to be asking, I am no docker expert. It is my understanding that depends_on: defines starting order. Once a service is started, it's started. If it has an internal check for "healthy" I believe Watchtower will restart unhealthy containers.
This is blind leading the blind though, I would check the documentation if using watchtower. We should both go read the "depends on" documents as we both use it.
-
[email protected] replied to [email protected]
Strangely it sounds like that's correct. I was under the understanding that depends_on cared about it past start as well but it does not. It doesn't look like there's a native way of turning off containers that depend on one another when you turn the dependency off. It looks like the current recommended way of doing it is either with a Docker compose file (which doesn't help if the process crashed), or having a third-party script on the host monitor the dependencies and, if one is considered offline, turn the dependees off.
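
A sketch of the host-side watchdog this post describes, added here as an example and not part of the original thread. The container names and the `DEPENDS_ON` map are hypothetical; the script reads each container's `.State` with `docker inspect` and stops running dependents of anything that is stopped, missing or unhealthy.

```python
import json
import subprocess

# Hypothetical map: container name -> containers it needs while running.
DEPENDS_ON = {"nextcloud": ["db"], "libreoffice": ["nextcloud"], "db": []}

def is_down(state):
    """state is the .State object printed by `docker inspect`."""
    if state.get("Status") != "running":
        return True
    # .Health exists only when a healthcheck is defined for the container.
    return (state.get("Health") or {}).get("Status") == "unhealthy"

def dependents_to_stop(depends_on, states):
    """Running containers that directly or transitively need a down
    container, ordered so each one is stopped before what it depends on."""
    down = {name for name, st in states.items() if is_down(st)}
    reverse = {}
    for svc, needs in depends_on.items():
        for dep in needs:
            reverse.setdefault(dep, []).append(svc)
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for svc in sorted(reverse.get(name, [])):
            visit(svc)
        order.append(name)  # post-order: dependents come out first

    for name in sorted(down):
        visit(name)
    return [s for s in order if s in states and not is_down(states[s])]

def inspect_state(name):
    """Read one container's state through the docker CLI."""
    cmd = ["docker", "inspect", "--format", "{{json .State}}", name]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # A container that no longer exists counts as down.
    return json.loads(out.stdout) if out.returncode == 0 else {"Status": "missing"}

if __name__ == "__main__":  # run from cron or a systemd timer on the host
    states = {name: inspect_state(name) for name in DEPENDS_ON}
    for name in dependents_to_stop(DEPENDS_ON, states):
        subprocess.run(["docker", "stop", name], check=True)
```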
-
[email protected] replied to [email protected]
That was my conclusion as well, however I am at work and it's not appropriate to be reading docker documentation. Thank you for the write up.
-
[email protected] replied to [email protected]
Komodo is a full management setup, similar to Portainer, Dockge, etc. It works reasonably well.
Watchtower doesn't require any labeling unless you want to exclude a container.