Usage overview

Watchtower is itself packaged as a Docker container so installation is as simple as pulling the containrrr/watchtower image. If you are using ARM based architecture, pull the appropriate containrrr/watchtower:armhf-<tag> image from the containrrr Docker Hub.

Since the watchtower code needs to interact with the Docker API in order to monitor the running containers, you need to mount /var/run/docker.sock into the container with the -v flag when you run it.

Run the watchtower container with the following command:

docker run -d \
  --name watchtower \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower

If pulling images from private Docker registries, supply registry authentication credentials with the environment variables REPO_USER and REPO_PASS or by mounting the host's docker config file into the container (at the root of the container filesystem /).

Passing environment variables:

docker run -d \
  --name watchtower \
  -e REPO_USER=username \
  -e REPO_PASS=password \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower container_to_watch --debug

Also check out this Stack Overflow answer for more options on how to pass environment variables.

Alternatively if you 2FA authentication setup on Docker Hub then passing username and password will be insufficient. Instead you can run docker login to store your credentials in $HOME/.docker/config.json and then mount this config file to make it available to the Watchtower container:

docker run -d \
  --name watchtower \
  -v $HOME/.docker/config.json:/config.json \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower container_to_watch --debug

Changes to config.json while running

If you mount config.json in the manner above, changes from the host system will (generally) not be propagated to the running container. Mounting files into the Docker daemon uses bind mounts, which are based on inodes. Most applications (including docker login and vim) will not directly edit the file, but instead make a copy and replace the original file, which results in a new inode which in turn breaks the bind mount.
As a workaround, you can create a symlink to your config.json file and then mount the symlink in the container. The symlinked file will always have the same inode, which keeps the bind mount intact and will ensure changes to the original file are propagated to the running container (regardless of the inode of the source file!).

If you mount the config file as described above, be sure to also prepend the URL for the registry when starting up your watched image (you can omit the https://). Here is a complete docker-compose.yml file that starts up a docker container from a private repo on the GitHub Registry and monitors it with watchtower. Note the command argument changing the interval to 30s rather than the default 24 hours.

version: "3"
services:
  cavo:
    image: ghcr.io/<org>/<image>:<tag>
    ports:
      - "443:3443"
      - "80:3080"
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/config.json
    command: --interval 30