UPDATE: 06/04/2021 - Added Rocket.Chat docker-compose options for running this alongside Pushover
Do I love Docker? I LOVE it! But regardless of whether you run your apps on bare-metal devices or inside Docker, they have to be patched from time to time, right?
Most apps or services will alert you that there is an update waiting, and, once you are backed up, you should update to the latest version. Of course, this doesn't mean that you should update on day one, or maybe update at all if there is no real reason to do so, but from time to time there might be some security elements that were fixed, and you will tell yourself it's time.
When it comes to Docker repo or image updates the problem is this. Even though the app you are running in Docker did register that there is an update, that doesn't mean that the Docker image has been updated as well. In some cases, it can take days or weeks until the image is updated.
OK, if Docker is one of the "official" channels through which the company or individual provides the app itself, the image will usually be up to date all the time and in sync with any other method.
Still, it would be good to get notified when the image you are using has been updated. Enter Diun. This little tool does exactly that. It will scan your local Docker instance and compare all images with the repository to get info if there is an update or not.
As a great notification system, it offers multiple ways to get that information back to you.
Amqp, Discord, Gotify, Mail, Matrix, MQTT, Pushover, Rocket.Chat, Script, Slack, Teams, Telegram, Webhook
Look at that list of supported notification channels! Wow. I already see two that I know I will use, Pushover and Rocket.Chat.
So let's see how to get this up and running using Portainer and a quick "stack"/docker-compose setup to monitor all images and send notifications via Pushover.
Diun as a Docker image
Once you have logged into your Portainer instance and selected the host you want Diun to run on and monitor, select the Stacks menu and paste in the following block:
This docker-compose is for running with Pushover
version: "3.5"
services:
  diun:
    image: crazymax/diun:latest
    container_name: diun
    volumes:
      - "/volume1/docker/diun:/data"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - "TZ=Europe/Paris"
      - "LOG_LEVEL=info"
      - "LOG_JSON=false"
      - "DIUN_WATCH_WORKERS=20"
      - "DIUN_WATCH_SCHEDULE=0 0 * * *"
      - "DIUN_PROVIDERS_DOCKER=true"
      - "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
      - "DIUN_NOTIF_PUSHOVER_TOKEN=yourPushoverAppToken"
      - "DIUN_NOTIF_PUSHOVER_RECIPIENT=yourPushoverUserKey"
    restart: always
This docker-compose is for running with Pushover and Rocket.Chat
version: "3.5"
services:
  diun:
    image: crazymax/diun:latest
    container_name: diun
    volumes:
      - "/volume1/docker/diun:/data"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - "TZ=Europe/Zagreb"
      - "LOG_LEVEL=info"
      - "LOG_JSON=false"
      - "DIUN_WATCH_WORKERS=20"
      - "DIUN_WATCH_SCHEDULE=0 */6 * * *"
      - "DIUN_PROVIDERS_DOCKER=true"
      - "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
      - "DIUN_NOTIF_PUSHOVER_TOKEN=yourPushoverAppToken"
      - "DIUN_NOTIF_PUSHOVER_RECIPIENT=yourPushoverUserKey"
      - "DIUN_NOTIF_ROCKETCHAT_ENDPOINT=http://URLForYourRocketChat"
      - "DIUN_NOTIF_ROCKETCHAT_CHANNEL=#docker_repos"
      - "DIUN_NOTIF_ROCKETCHAT_USERID=yourRCUserID"
      - "DIUN_NOTIF_ROCKETCHAT_TOKEN=yourRCTokenValue"
      - "DIUN_NOTIF_ROCKETCHAT_TIMEOUT=15s"
    restart: always
NOTE: Keep in mind that if you want to run DIUN over Rocket.Chat you will have to have a complete RC instance up and running as well as a generated channel and UserID/Token. For more info on running your own Rocket.Chat instance, look here.
Open your My Account menu in Rocket.Chat instance > Personal Access Token. There you will be able to generate a new token. Once completed you will get your UserID and Token values that you can use.
Give your stack a name and deploy.
Just a few quick pieces of information on several of the variables in this compose file.
DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT set to true means that it will monitor all images that it can detect.
DIUN_WATCH_SCHEDULE can be configured however you like using a cronjob generator. The first example (0 0 * * *) means once every 24h at midnight; the second (0 */6 * * *) means every six hours.
NOTE: Keep in mind that if you have a lot of images and set an aggressive check, you might hit the default 100/200 Docker Hub requests quickly and you will have to wait for the cooling period.
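Both compose files above mount /var/run/docker.sock straight into the Diun container, which hands that container full control of the Docker daemon, and they carry the Pushover credentials as inline environment values that anyone able to inspect the container can read. The variant below is an added example, not part of the original post: it assumes the third-party tecnativa/docker-socket-proxy image, a hypothetical secrets directory under /volume1/docker/diun/secrets, and a Diun version that supports DIUN_PROVIDERS_DOCKER_ENDPOINT and the Pushover TOKENFILE/RECIPIENTFILE settings.

```yaml
# Added example, not part of the original post.
version: "3.5"
services:
  socket-proxy:
    # Assumption: Tecnativa's docker-socket-proxy image, which the post does not use.
    image: tecnativa/docker-socket-proxy:latest
    container_name: diun-socket-proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      - "CONTAINERS=1"   # allow read-only container listing and inspection
      - "IMAGES=1"       # allow read-only image inspection
      - "POST=0"         # refuse every request that would change state
    networks:
      - socket           # internal network, no route to the outside
    restart: always

  diun:
    image: crazymax/diun:latest
    container_name: diun
    depends_on:
      - socket-proxy
    volumes:
      - "/volume1/docker/diun:/data"
      # Assumption: host directory with one file per secret, readable by root only.
      - "/volume1/docker/diun/secrets:/run/secrets:ro"
    environment:
      - "TZ=Europe/Zagreb"
      - "LOG_LEVEL=info"
      - "LOG_JSON=false"
      - "DIUN_WATCH_WORKERS=20"
      - "DIUN_WATCH_SCHEDULE=0 */6 * * *"
      - "DIUN_PROVIDERS_DOCKER=true"
      - "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
      # Talk to the filtered proxy instead of mounting the socket into Diun.
      - "DIUN_PROVIDERS_DOCKER_ENDPOINT=tcp://socket-proxy:2375"
      # Read the Pushover credentials from files instead of inline values.
      - "DIUN_NOTIF_PUSHOVER_TOKENFILE=/run/secrets/pushover_token"
      - "DIUN_NOTIF_PUSHOVER_RECIPIENTFILE=/run/secrets/pushover_recipient"
    networks:
      - socket
      - default          # Diun still needs outbound access to registries and Pushover
    restart: always

networks:
  socket:
    internal: true
```

If Diun logs Docker API errors after the switch, the proxy is filtering an endpoint it needs; enable only the additional read-only section the error names rather than falling back to the raw socket.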
Here is the log of a running Diun instance:
Fri, 19 Mar 2021 14:41:45 CET INF Starting Diun version=4.14.0
Fri, 19 Mar 2021 14:41:45 CET INF Configuration loaded from 7 environment variable(s)
Fri, 19 Mar 2021 14:41:45 CET INF Database migration v2...
Fri, 19 Mar 2021 14:41:45 CET INF Cron triggered
Fri, 19 Mar 2021 14:41:45 CET INF Found 35 image(s) to analyze provider=docker
Fri, 19 Mar 2021 14:41:51 CET INF New image found image=docker.io/mayanedms/mayanedms:3.5.5 provider=docker
Fri, 19 Mar 2021 14:41:52 CET INF New image found image=docker.io/linuxserver/nzbget:latest provider=docker
Fri, 19 Mar 2021 14:41:52 CET INF New image found image=docker.io/linuxserver/swag:latest provider=docker
. . .
Fri, 19 Mar 2021 14:42:02 CET INF Jobs completed added=35 failed=0 skipped=0 unchanged=0 updated=0
Fri, 19 Mar 2021 14:42:02 CET INF Cron initialized with schedule 0 0 * * *
Fri, 19 Mar 2021 14:42:02 CET INF Next run in 9 hours (2021-03-20 00:00:00 +0100 CET)
Now that you have it up and running you can test it using the command line.
Again using Portainer, open the Console window for the Diun container with the sh command and you will get into the container command line.
Run the following command to test if the container is working (my result was a Pushover notification)
As an end result, I got a Pushover mobile notification
Diun is one of many similar tools out there, but IMHO a necessary one once you start to get into Docker more and more. You will simply not be able to keep up, and this tool will let you keep track, if nothing else, of how often you don't patch and update.
Labels, how to fine tune your image update notifications (optional)
In case you are not interested in monitoring all of your images but would rather do a selected few, you can use Docker labels to achieve that.
Remove the DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT variable or set it to false, and in the docker-compose file above, add a labels section to each container you want to monitor with the following:
labels:
  - "diun.enable=true"
  - "diun.watch_repo=true"
For more info on how to use and what configuration parameters you have, check the Diun Provider page here.
Pushover configuration (optional)
This particular example was done with Pushover configuration. To make it work you will need a valid Pushover account and a Diun "app" configured.
As you can see from the compose file above, two environment parameters need to be added: DIUN_NOTIF_PUSHOVER_TOKEN and DIUN_NOTIF_PUSHOVER_RECIPIENT.
So once you register at the Pushover site, you will get your User key in the upper right-hand corner.
To get the Diun app key, you need to make a new "app" in the UI.
In the Your application section on the bottom, click the URL that says Create an Application/API Token. This will open a new page where you can configure the name of the app, logo, and description.
Once you have done that your app will be ready and you will get its API Token/key.
Now that you have both values simply add them to the variables and you are done.