Watchtower alternative
freshdock: a maintained Watchtower alternative
Watchtower was archived on 17 December 2025 and no longer works with Docker Engine 29+. freshdock is an actively maintained, open-source replacement. It's a single Rust binary that adds health-gated rollback and opt-in, per-container update policies.
$cargo install freshdockWhat happened
Why Watchtower stopped being a safe default.
archived
The maintainers archived containrrr/watchtower on 17 December 2025. No more fixes, no more releases.
incompatible
It embeds an old Docker SDK (API 1.25). Docker Engine 29+ requires API ≥ 1.44, so Watchtower simply can’t talk to a current daemon.
fork caveat
Community forks exist and keep it running, but they’re stop-gaps on a Go codebase, not a rethink of the safety model.
Head to head
freshdock vs the alternatives
An honest scorecard. freshdock doesn’t win every row, and where a tool is deliberately different, it’s noted.
| Capability | freshdockRust | Watchtowerarchived | fedor forkGo | DiunGo | What's Up DockerNode |
|---|---|---|---|---|---|
| Maintained in 2026 | Yes | Noarchived Dec 2025 | Yes | Yes | Yes |
| Works with Docker Engine 29+ | Yes | NoAPI 1.25 | Yes | Yes | Yes |
| Auto-applies updates | Yes | Yes | Yes | Noby design | Yes |
| Health-gated rollback | Yes | No | No | Not applicableno updates | No |
| Per-container update policy | Yeslabels + modes | Yes | Yes | Yes | Yes |
| Notify-only mode | Yeswatch | Yesmonitor-only | Yes | Yesits whole job | Yes |
| Authenticated registries | Yes5 | Yes | Yes | Yes | Yes |
| Web dashboard | No | No | No | No | Yesits differentiator |
| Footprint | ≤10 MB binary | Go binary | Go binary | Go binary | Node + UI |
| License | Apache-2.0 | Apache-2.0 | Apache-2.0 | MIT | MIT |
“fedor fork” = nicholas-fedor/watchtower, the active community fork of the original.
Label translation
Your labels mostly just get a new prefix.
| Watchtower | freshdock | Notes |
|---|---|---|
| com.centurylinklabs.watchtower.enable=true | freshdock.enable=true | Opt in. |
| watchtower.monitor-only=true | freshdock.mode=watch | Detect + notify, never restart. |
| WATCHTOWER_SCHEDULE (global cron) | freshdock.mode + freshdock.schedule | Scheduling is per-container. |
| watchtower.no-pull=true | (no equivalent) | freshdock always pulls before recreate. |
| watchtower.depends-on | (no equivalent in v1) | No dependency ordering yet. |
The full label and flag/env translation table (including notifications and registry auth) lives in the migration guide ↗.
Replace it in compose
Swap the service, relabel the apps.
- before
# Watchtower (archived)
services:
app:
image: ghcr.io/example/app:latest
labels:
- "com.centurylinklabs.watchtower.enable=true"
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_SCHEDULE=0 0 4 * * *+ after
# freshdock
services:
app:
image: ghcr.io/example/app:latest
labels:
- "freshdock.enable=true"
- "freshdock.mode=nightly" # 04:00 daily
freshdock:
image: ghcr.io/turbootzz/freshdock:latest
command: ["run"]
volumes:
- /var/run/docker.sock:/var/run/docker.sock
restart: unless-stoppedRunnable example stacks live in examples/compose ↗.
Honesty block
When freshdock is the wrong tool.
It’s scoped on purpose. If any of these is you, a different tool will serve you better.
You run Kubernetes or Swarm
Those platforms have their own rollout and image-update mechanisms. freshdock targets plain Docker / Podman and deliberately stays out of their way.
You want a web dashboard
freshdock is a CLI and a daemon, with no UI. If a browser dashboard with manual approve buttons is the point, What’s Up Docker is the better fit.
What's Up DockerYou want a zero-relabel drop-in
freshdock uses freshdock.* labels and is opt-in, so you re-label intentionally. If you need Watchtower’s exact labels and behaviour untouched, the active community fork is the lift-and-shift option.
nicholas-fedor/watchtowerReady to retire Watchtower?
Install freshdock, run freshdock check read-only first, then graduate containers to an updating mode when you trust it.