Rigor often publishes updates to our private location Docker images, and it is critical that your organization automates the upgrade of your locations.
Watchtower is entirely optional, but we do require that you have an auto-upgrade solution in place for the Rigor runner. Failing to automatically update our Docker container will result in inconsistent data and loss of functionality.
Using Watchtower
Watchtower is a third-party, open-source Docker container that connects to remote Docker repositories on a schedule and checks for updates. When an updated image is found, Watchtower instructs your Docker host to pull the newest image from the repository, stop the container, and start it again. It ensures that environment variables, network settings, and links between containers remain intact.
On your Docker host, you can simply launch the Watchtower container via command line:
docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  v2tec/watchtower --label-enable --cleanup
Using the "--label-enable" flag ensures that only containers with the correct label, like the Rigor runner, will be auto-updated.
There are additional options available in the Watchtower documentation that you should explore, including auto-cleanup of old images to ensure that your Docker host does not hold on to outdated images.
It is important to note that in order for Watchtower to issue commands to the Docker host, it requires the docker.sock volume or a TCP connection, and this provides Watchtower with full administrative access to your Docker host. This level of access should not be taken lightly, and it is one of the reasons Rigor decided to separate the auto-update procedure from the Rigor agent. If you are uncomfortable with providing Watchtower with this level of access, you are encouraged to explore other options.
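To check on a host what the label flag and the socket mount described above amount to in practice, the following added example (not Rigor's or Watchtower's own code) audits parsed `docker inspect` output. It assumes Watchtower is recognisable by "watchtower" in its image name; the image names other than v2tec/watchtower are placeholders, and the sample data is constructed.

```python
import json

# Label that Watchtower's --label-enable mode requires on a container.
ENABLE_LABEL = "com.centurylinklabs.watchtower.enable"
DOCKER_SOCK = "/var/run/docker.sock"

def audit(containers):
    """Audit parsed `docker inspect $(docker ps -q)` output (a list of dicts)."""
    socket_access, scoped, labels = [], None, {}
    for c in containers:
        name = c["Name"].lstrip("/")
        cfg = c.get("Config") or {}
        labels[name] = (cfg.get("Labels") or {}).get(ENABLE_LABEL)
        # A socket mount or a DOCKER_HOST setting means control of the host.
        has_sock = any(m.get("Source") == DOCKER_SOCK for m in c.get("Mounts") or [])
        has_tcp = any(e.startswith("DOCKER_HOST=") for e in cfg.get("Env") or [])
        if has_sock or has_tcp:
            socket_access.append(name)
        # Assumption: the updater is recognised by "watchtower" in its image name.
        if "watchtower" in cfg.get("Image", ""):
            scoped = "--label-enable" in (c.get("Args") or [])
    if scoped is None:
        scope = []  # no Watchtower container found
    elif scoped:
        scope = [n for n, v in labels.items() if v == "true"]
    else:
        # Without --label-enable every container not labelled "false" is updated.
        scope = [n for n, v in labels.items() if v != "false"]
    return {"socket_access": socket_access, "label_scoped": scoped,
            "update_scope": scope}

# Constructed sample, trimmed to the fields read above. Image names other than
# v2tec/watchtower are placeholders.
SAMPLE = [
    {"Name": "/watchtower", "Args": ["--label-enable", "--cleanup"],
     "Config": {"Image": "v2tec/watchtower", "Env": [], "Labels": {}},
     "Mounts": [{"Source": DOCKER_SOCK, "Destination": DOCKER_SOCK}]},
    {"Name": "/rigor-runner", "Args": [],
     "Config": {"Image": "example/rigor-runner", "Env": [],
                "Labels": {ENABLE_LABEL: "true"}},
     "Mounts": []},
    {"Name": "/internal-app", "Args": [],
     "Config": {"Image": "example/internal-app", "Env": [], "Labels": None},
     "Mounts": []},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

On a real host, feed it `json.loads()` of the `docker inspect` output; any name in `socket_access` other than the updater itself deserves a closer look.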
Using Amazon Elastic Container Service
You can still use Watchtower with Amazon's Elastic Container Service. Here is a sample task definition that you can run as a DAEMON within your cluster.
{
  "requiresCompatibilities": [
    "EC2"
  ],
  "containerDefinitions": [
    {
      "command": [
        "--label-enable",
        "--cleanup"
      ],
      "name": "watchtower",
      "image": "v2tec/watchtower:latest",
      "memory": "512",
      "essential": true,
      "environment": [],
      "linuxParameters": null,
      "cpu": "256",
      "mountPoints": [
        {
          "readOnly": null,
          "containerPath": "/var/run/docker.sock",
          "sourceVolume": "dockerHost"
        }
      ]
    }
  ],
  "volumes": [
    {
      "name": "dockerHost",
      "host": {
        "sourcePath": "/var/run/docker.sock"
      },
      "dockerVolumeConfiguration": null
    }
  ],
  "networkMode": null,
  "memory": "512",
  "cpu": "256",
  "placementConstraints": [],
  "family": "watchtower"
}
Using Another Solution
Due to the complexity and variability of our customers' infrastructure configurations and the security requirements for managing Docker containers, Rigor does not require any specific solution for automatically discovering and deploying updated Docker images.
If your operations team already has a mechanism established for deploying updates to Docker images, you can use it without making any configuration changes to the Rigor runner.
Rigor recommends that your upgrade mechanism discovers and deploys new images at least once every 24 hours.