Comments (7)
This gives watchtower an actual business use case, acting as a gatekeeper for secure image deployment, rather than just being a fire&forget image updater.
from watchtower.
Outside the stuff not exactly the intention of watchtowers use case. There is capability to run and update remote hosts https://containrrr.dev/watchtower/remote-hosts/
from watchtower.
That would mean 1 watchtower instance = 1 remote host. Also, the image pull would still be performed on the remote host.
I'm working on a pipeline (gitlab-ci + ansible) that would pull images directly to the runner, perform security scans there, and from there deploy to the other docker hosts. This means my hosts don't need access to dockerhub, quay, nor do they need keys for private registries.
The last missing piece of the puzzle - Having a master watchtower instance, with a web ui, which pulls images on a schedule to that master host, and shows the admin a visual representation of images that are to be deployed, images that were recently pulled, image SHA history, etc.
from watchtower.
Oh. We solve this by shipping 'good' images from their source to a registry we own in Google Cloud and point watchtower to that. No need to have yet another scanning and validating tool since all public registries now provide this information.
We use 1 single instance of watchtower to control a fleet of 10 servers.
from watchtower.
Interesting. How do you "ship" images from their source to your registry?
And by pointing watchtower to your registry, what do you mean by that? Doesn't watchtower need to look at actively deployed images/containers?
As for the security scans, yes, most images have that information public by now, but I prefer having security policies checked at deploy time, rather than at "ship" time. By "ship", I mean from your terminology, when the image is passed to the internal registry.
Also, how can you control 10 servers with 1 watchtower instance?
from watchtower.
https://containrrr.dev/watchtower/private-registries/ For pointing it to Google Artifact registry and we're using https://github.com/tammert/replicant to sync our containers but we're migrating to a more open solution in Crane or GCrane https://github.com/google/go-containerregistry. So we have a bit of custom Golang that looks at GCP security center and based on some requirements we will flag "safe" images and we ship those to a 'pull' registry with an included latest tag. Watchtower is pointed to this pull registry as a source of truth.
And sorry, to clarify we use a single host to host multiple watchtower instances for their respective hosts. Since the footprint is low this is not a problem for us, and in fact, if you use something like a self hosted github style tooling with actions, you can even run a compose file with all the watchtower settings on the runner. Lot of ways to skin this cat though.
from watchtower.
Very interesting solution indeed. Thanks for the clarification!
from watchtower.
Related Issues (20)
- Support individual intervals HOT 2
- Watchtower Webhook Notifications Not Triggering MQTT Messages HOT 1
- Add notification (resp. notification filter) for monitored-only containers HOT 1
- Unable to authenticate with the `/v1/metrics` endpoint HOT 4
- add an argument that sends a test notification HOT 1
- Log output when lifecycle hooks fail HOT 1
- Not properly applying container.networks.mac_address gives random MAC HOT 4
- Nextcloud All-In-One fails to update, watchtover segfaults? HOT 8
- WatchTower Metrics: Add HOT 3
- Feature Req: Ability to selectively configure data to send via notification on a per service (or even per class within a service)
- Improved integration of Watchtower web interface with cronjob management HOT 1
- Avoid repeated notifications (of available updates) when using Watchtower in "monitor only" mode HOT 1
- Remove/Delete old image after successful update HOT 1
- REQUEST: label to cleanup images by container
- Can't filter logs by level in template (Incompatible types for comparison) HOT 1
- Cannot send notification using smtp: timed out HOT 3
- slack WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER not being used HOT 1
- Could not do a head request for ......... HOT 5
- SMTP timeout with Zoho and Mailjet (except at start) HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from watchtower.