Watchtower is archived: here's what to do now

Watchtower was archived in December 2025 and no longer works with Docker Engine 29+. Here are your real options, and how to move to a maintained replacement.

If you run a homelab, you have probably leaned on Watchtower at some point. For the better part of a decade it was the default answer to "how do I keep my containers up to date?" That era is over.

On 17 December 2025, the maintainers archived containrrr/watchtower. Archived means read-only: no more releases, no more fixes, no more security patches. And there is a second, more urgent problem.

Why it doesn't just keep working

Watchtower ships an embedded Docker SDK pinned to API version 1.25. Docker Engine 29 and later require API 1.44 or newer. The two can no longer negotiate a common protocol, so on a current Docker host Watchtower simply fails to talk to the daemon. This isn't a slow deprecation you can ignore. Upgrade your Docker Engine and Watchtower stops working.

So "do nothing" has an expiry date attached to your next Docker upgrade.
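
To see whether a given host is already past that point, compare the daemon's minimum supported API version with the 1.25 that Watchtower is pinned to. The script below is an added example, not code from Watchtower or freshdock; the function names are hypothetical, and it reads the daemon's value with docker version and the Server.MinAPIVersion template field.

```shell
#!/bin/sh
# Added example: will a client pinned to API 1.25 still reach this daemon?

# API version the post says Watchtower's embedded SDK is pinned to.
WATCHTOWER_API="1.25"

# api_lt A B: succeed if API version A is lower than B.
# Major and minor are compared as numbers, so 1.9 sorts below 1.25.
api_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -gt "$b_major" ] && return 1
    [ "$a_minor" -lt "$b_minor" ]
}

# watchtower_status MIN_API: print "broken" when the daemon's minimum API
# version is above the pinned one, "working" when it is not, and "unknown"
# when the input is not a MAJOR.MINOR number (for example, daemon unreachable).
watchtower_status() {
    case "$1" in
        *[!0-9.]*|*.*.*|.*|*.) echo "unknown"; return 0 ;;
        *.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if api_lt "$WATCHTOWER_API" "$1"; then
        echo "broken"
    else
        echo "working"
    fi
}

# daemon_min_api: ask the local daemon for its minimum supported API version.
daemon_min_api() {
    docker version --format '{{.Server.MinAPIVersion}}' 2>/dev/null
}

# Query the local host only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    min=$(daemon_min_api)
    echo "daemon minimum API: ${min:-unavailable}, watchtower: $(watchtower_status "$min")"
fi
```

Run it with --live before and after a planned Docker Engine upgrade; a result of "broken" means the archived Watchtower can no longer reach the daemon on that host.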

Your options

There are a few honest paths forward:

  1. Pin Docker and freeze. You can hold Docker Engine below 29 and keep the archived Watchtower limping along. This keeps your update tool running at the cost of your container security posture, which is not a good trade for long.
  2. Use the community fork. nicholas-fedor/watchtower is an active fork that keeps the original alive on modern Docker. If you want Watchtower's exact labels and behaviour with the least disruption, this is the lift-and-shift option. It's still the same Go codebase and the same safety model, though: a stop-gap, not a rethink.
  3. Move to a maintained successor. Switch to a tool that's built for current Docker and adds the safety net Watchtower never had.

What freshdock changes

freshdock is a from-scratch successor written in Rust. It targets modern Docker (tested 24.x through 29+, auto-negotiated) and adds the thing that makes unattended updates actually safe:

  • Health-gated rollback. A container counts as updated only after the new one passes its healthcheck, or stays up for a grace period if it has none. If the new image fails to come up, freshdock restores the previous container automatically and notifies you. No more waking up to a dead service.
  • Opt-in by design. Watchtower updates everything unless you exclude it. freshdock ignores every container until you set freshdock.enable=true, and an enabled container with no mode defaults to watch (detect and notify, never restart).
  • One small binary. A single static Rust binary, ≤ 10 MB, instead of a runtime managing your other containers.

It's not a drop-in for every Watchtower setup. There's no dependency ordering, no "update without pulling", and Kubernetes and Swarm are deliberately out of scope. The full comparison is honest about where each tool wins.

The five-minute version

If you want to try it without risk, install it and run the read-only check first, since it never touches a container:

cargo install freshdock
freshdock check

That prints a table of which containers have updates available. When you trust it, graduate one container to freshdock.mode=nightly and let the daemon take over.

Ready to switch? Start with the installation guide or read the step-by-step migration. The full label-and-flag translation lives in the migration guide on the docs site.