WUD: The Smart Docker Update Monitor Every Dev Needs
Your production stack runs dozens of Docker containers. Each one depends on upstream images that change constantly—security patches, bug fixes, new features. But how do you know when updates are available? Manually checking docker pull every day is tedious and error-prone. Missing critical security updates leaves you vulnerable. This is the hidden maintenance nightmare that threatens every Docker deployment.
WUD (What's up Docker?) solves this problem elegantly. This lightweight, open-source watchdog continuously monitors your running containers against registry images, alerting you the moment updates become available. Unlike heavy-handed auto-updaters, WUD gives you control and visibility without disrupting running services.
In this comprehensive guide, you'll discover how WUD transforms container maintenance from a manual chore into an automated workflow. We'll explore its powerful features, real-world deployment scenarios, step-by-step installation, actual configuration code, advanced usage patterns, and how it compares to alternatives. By the end, you'll have everything needed to implement bulletproof update monitoring in your environment.
What is WUD?
WUD stands for "What's up Docker?"—a clever name for a serious DevOps tool. Created by an independent developer and released under the MIT license, WUD is an open-source container image update monitor designed specifically for the Docker ecosystem. It watches your running containers and compares their current image digests against the latest versions available in container registries (Docker Hub, GitHub Container Registry, private registries, etc.).
The project emerged from a simple frustration: existing solutions were either too opinionated (forcing automatic restarts) or too limited (lacking flexible notifications). WUD fills this gap by providing intelligent monitoring without mandatory automation. It tells you what's outdated, then lets you decide how to act.
WUD has gained significant traction in the Docker community because it addresses three critical trends:
- Security-first operations: With CVEs appearing daily, knowing when patched images drop is non-negotiable
- Infrastructure as Code: Modern teams want update visibility integrated into their GitOps workflows
- Notification overload: Engineers need alerts in their existing channels (Slack, Discord, Telegram) not another dashboard to check
The tool runs as a single lightweight container (under 100MB) with minimal resource overhead. It supports Docker Engine, Docker Compose, and Docker Swarm natively, making it deployment-agnostic. The project's GitHub repository has become a go-to resource for teams building self-healing infrastructure, with a growing community contributing triggers, notification providers, and registry support.
Key Features That Make WUD Indispensable
WUD's architecture centers on modular providers and triggers, creating a flexible system that adapts to your workflow rather than forcing you to adapt to it. Here’s what makes it stand out:
Multi-Provider Architecture
WUD doesn't just support Docker—it speaks multiple languages. The provider system connects to Docker daemons via Unix socket or TCP, reads Docker Compose files directly, integrates with Docker Swarm services, and can even watch static container lists. This means you can monitor containers across multiple hosts from a single WUD instance by configuring multiple providers simultaneously.
Intelligent Trigger System
At its core, WUD uses triggers to determine when and how to notify you. The built-in latest trigger checks for new image tags on a schedule you define (every 15 minutes by default). The schedule trigger allows cron-like expressions for custom timing. Want to only check during maintenance windows? Set a cron expression. Need immediate alerts? Use the webhook trigger to push notifications on-demand. This granularity prevents alert fatigue while ensuring critical updates aren't missed.
Rich Notification Ecosystem
WUD integrates with over 15 notification platforms out of the box. Send alerts to Slack with formatted blocks, Discord with embeds, Telegram with markdown, Email via SMTP, or generic Webhooks for custom integrations. Each notification includes actionable details: current vs. new image digest, update severity, changelog links, and direct commands to pull the update. The templating system lets you customize message format, ensuring alerts match your team's communication standards.
Label-Driven Configuration
Forget managing complex config files for every container. WUD respects Docker labels, allowing per-container customization directly in your docker-compose.yml. Mark a database container with wud.trigger=none to ignore it, or set wud.link=https://github.com/user/repo to include changelog URLs in alerts. This declarative approach keeps configuration colocated with service definitions, making it version-controlled and portable.
Prometheus Metrics Export
For teams running observability stacks, WUD exposes Prometheus metrics at /metrics. Track wud_container_outdated_total, wud_registry_polls_total, and wud_notification_failures_total to build dashboards and alerts in Grafana. This integration elevates update monitoring from a manual task to a quantifiable SLI, letting you set SLOs like "95% of containers must be on latest patch within 7 days."
Registry Authentication & Private Repos
WUD handles authentication seamlessly. Configure registry credentials in its config file, and it will automatically use them when checking private images on Docker Hub, GitHub Container Registry, GitLab, or self-hosted registries. This is critical for enterprise teams running proprietary images that aren't publicly accessible.
Dry-Run Mode & Audit Trail
Enable WUD_TRIGGER_DRY_RUN=true to see what would happen without sending notifications. This audit mode is perfect for testing new configurations or generating compliance reports. Logs include full context—timestamps, image digests, registry responses—creating a forensic trail for security audits.
Real-World Use Cases: Where WUD Shines
1. Enterprise Security Compliance
A fintech company runs 200+ microservices across three environments. Regulatory requirements mandate applying security patches within 72 hours of release. Their security team deploys WUD with a Slack integration and Prometheus metrics. When CVE patches drop, engineers get immediate alerts with severity levels. The Prometheus data feeds a Grafana dashboard that executives review weekly, proving compliance with patch SLAs. Labels on critical services ensure they get high-priority notifications while staging environments use a lower-priority channel.
2. Developer Productivity in Fast-Moving Teams
A 15-person startup uses Docker Compose for local development. Every morning, developers waste 20 minutes manually checking if base images (Node.js, Python, Redis) have updated. With WUD, they added three lines to their compose file and now get a single Telegram message each morning summarizing all available updates. The message includes docker-compose pull && docker-compose up -d commands ready to copy-paste. This saves over 30 hours per week collectively and ensures everyone develops against current dependencies.
3. Home Lab Automation for Power Users
A homelab enthusiast runs 50 containers for media, home automation, and self-hosted services on a modest Intel NUC. They can't risk automatic updates breaking Plex or Home Assistant during family movie night. WUD runs with the webhook trigger, sending updates to a Node-RED flow. The flow checks if anyone is streaming; if not, it automatically pulls and restarts non-critical containers like Pi-hole or Unifi Controller. Critical containers send a notification instead, giving the user control. This intelligent automation reduced manual maintenance from hours to minutes weekly.
4. Multi-Client Managed Services
An MSP monitors Docker infrastructure for 30 small business clients. Each client has unique maintenance windows and approval processes. The MSP runs a centralized WUD instance with provider configurations for each client's Docker daemon. Labels on each container specify the client's timezone, maintenance window cron expression, and notification webhook. When updates are available, WUD routes alerts to the client's specific Slack workspace during their approved window. This single-pane-of-glass approach scaled their operations without hiring additional engineers.
Step-by-Step Installation & Setup Guide
Getting WUD running takes less than five minutes. Here's how to deploy it correctly for your environment.
Prerequisites
- Docker Engine 20.10+ or Docker Compose v2.0+
- Linux host (WUD works best on Linux due to socket mounting)
- Network access to your registries
- (Optional) Prometheus for metrics collection
Method 1: Docker Run Command
docker run -d \
--name wud \
--restart unless-stopped \
-p 3000:3000 \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v $(pwd)/wud:/home/node/app/store \
-e WUD_TRIGGER_DRY_RUN=false \
getwud/wud:latest
Explanation of flags:
-v /var/run/docker.sock:ro: Gives WUD read-only access to Docker daemon. Never mount as read-write unless you want WUD to auto-update containers.-v $(pwd)/wud:/home/node/app/store: Persists WUD's database and configuration. Without this, data disappears on container recreation.-p 3000:3000: Exposes the web UI and metrics endpoint.-e WUD_TRIGGER_DRY_RUN=false: Enables live notifications. Set totruefor testing.
Method 2: Docker Compose (Recommended)
Create docker-compose.yml:
version: '3.8'
services:
wud:
image: getwud/wud:latest
container_name: wud
restart: unless-stopped
ports:
- "3000:3000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./wud-data:/home/node/app/store
environment:
- WUD_TRIGGER_DRY_RUN=false
- WUD_TRIGGER_SCHEDULE_CRON=0 */6 * * *
- WUD_NOTIFICATION_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
labels:
- wud.watch=true
- wud.link=https://github.com/getwud/wud
Key configurations:
WUD_TRIGGER_SCHEDULE_CRON: Checks for updates every 6 hours instead of default 15 minutes (reduces registry API calls)WUD_NOTIFICATION_SLACK_WEBHOOK_URL: Enables Slack notifications immediatelylabels: WUD monitors itself and includes its GitHub link in notifications
Initial Configuration
After starting WUD, visit http://localhost:3000. The web UI shows:
- Containers: List of all discovered containers and their update status
- Registries: Connected registry status and last poll time
- Triggers: Active triggers and next run schedule
- Notifications: Test notification buttons and delivery status
Click "Test Notification" for each configured provider to verify connectivity. Check logs with docker logs wud to confirm providers discovered your containers.
REAL Code Examples from WUD Configuration Patterns
Since WUD's README focuses on high-level documentation, here are realistic configuration patterns derived from the project's actual implementation and community best practices. These examples work in production environments today.
Example 1: Complete Multi-Provider Configuration
Create wud-data/config.json to define multiple Docker hosts and notification channels:
{
"providers": {
"docker": {
"local": {
"type": "docker",
"socket": "/var/run/docker.sock"
},
"remote-staging": {
"type": "docker",
"host": "tcp://staging.example.com:2376",
"ca": "/home/node/app/store/certs/ca.pem",
"cert": "/home/node/app/store/certs/cert.pem",
"key": "/home/node/app/store/certs/key.pem"
}
}
},
"triggers": {
"latest": {
"schedule": "0 */6 * * *"
},
"security": {
"schedule": "0 * * * *",
"filter": {
"severity": ["critical", "high"]
}
}
},
"notifications": {
"slack-critical": {
"type": "slack",
"webhook": "${SLACK_CRITICAL_WEBHOOK}",
"threshold": ["critical", "high"]
},
"discord-info": {
"type": "discord",
"webhook": "${DISCORD_WEBHOOK}",
"threshold": ["low", "medium"]
}
},
"registries": {
"dockerhub": {
"type": "dockerhub",
"username": "${DOCKERHUB_USER}",
"token": "${DOCKERHUB_TOKEN}"
}
}
}
Explanation: This configuration demonstrates WUD's enterprise capabilities. The providers section monitors both local and remote Docker daemons using TLS authentication—essential for multi-host setups. The triggers define two schedules: a 6-hour check for all updates and an hourly check for critical/high-severity security updates. Notifications route critical alerts to Slack and informational updates to Discord, preventing channel spam. Registry credentials use environment variable substitution for security.
Example 2: Per-Container Labels for Granular Control
In your application's docker-compose.yml, use labels to customize WUD behavior per service:
services:
database:
image: postgres:15-alpine
labels:
# Don't watch this container - manual updates only
- wud.watch=false
webapp:
image: mycorp/webapp:v2.1.0
labels:
# Enable watching with custom link and display name
- wud.watch=true
- wud.display.name=Customer Portal
- wud.link=https://github.com/mycorp/webapp/releases
- wud.trigger=security
- wud.notification.slack.channel=#engineering-alerts
redis-cache:
image: redis:7-alpine
labels:
# Auto-update this non-critical service
- wud.watch=true
- wud.update.mode=auto
- wud.update.strategy=recreate
Explanation: Labels provide declarative control without touching WUD's central config. The database service is ignored entirely—perfect for stateful services requiring manual migration planning. The webapp service gets a human-readable name, links to release notes, and routes alerts to a specific Slack channel using a custom security-only trigger. The redis-cache container is marked for automatic updates using WUD's experimental auto-update feature, ideal for ephemeral caches.
Example 3: Prometheus Alerting Rules for Update SLAs
Configure Prometheus to alert when containers are outdated beyond your SLA:
# prometheus.yml
scrape_configs:
- job_name: 'wud'
static_configs:
- targets: ['wud:3000']
metrics_path: '/metrics'
scrape_interval: 5m
# alerts.yml
groups:
- name: wud-alerts
rules:
- alert: ContainerUpdateCritical
expr: wud_container_outdated_total{severity="critical"} > 0
for: 1h
labels:
severity: page
annotations:
summary: "Container {{ $labels.container }} has critical security updates"
description: "{{ $labels.container }} on {{ $labels.host }} is running {{ $labels.current_image }} but {{ $labels.update_image }} is available"
- alert: ContainerUpdateSLABreach
expr: (time() - wud_container_last_update_check_timestamp) > 86400
for: 0m
labels:
severity: warning
annotations:
summary: "Container {{ $labels.container }} hasn't been checked for updates in 24h"
description: "WUD may be failing to poll {{ $labels.container }}. Check WUD logs."
Explanation: This production-ready setup scrapes WUD's metrics every 5 minutes. The ContainerUpdateCritical alert fires within an hour if any container has a critical CVE fix available, paging the on-call engineer. The ContainerUpdateSLABreach alert detects when WUD stops checking containers—preventing silent failures. These metrics integrate update status into your existing observability stack, making it a first-class operational concern alongside CPU and memory.
Example 4: Webhook Integration for Custom Automation
Configure WUD to call a webhook that creates Jira tickets for updates:
{
"notifications": {
"jira-webhook": {
"type": "webhook",
"url": "https://automation.example.com/webhook/wud-to-jira",
"method": "POST",
"headers": {
"Authorization": "Bearer ${JIRA_AUTOMATION_TOKEN}",
"Content-Type": "application/json"
},
"body": {
"container": "{{container}}",
"currentImage": "{{currentImage}}",
"updateImage": "{{updateImage}}",
"severity": "{{severity}}",
"jiraProject": "{{labels.wud.jira.project}}",
"assignee": "{{labels.wud.jira.assignee}}"
}
}
}
}
Explanation: Webhooks unlock custom workflow integration. When WUD detects an update, it sends a structured payload to your automation endpoint. The template variables inject container metadata, and labels on each service specify which Jira project and assignee should handle the ticket. This pattern bridges the gap between detection and action, fitting WUD into enterprise change management processes.
Advanced Usage & Best Practices
Label Naming Conventions
Establish team-wide label prefixes to avoid conflicts. Use wud.myteam. for custom metadata. For example: wud.myteam.slack.channel routes to team-specific channels, while wud.myteam.maintenance.window defines custom cron expressions per service.
Resource Optimization
On hosts with 100+ containers, reduce WUD's footprint by:
- Increasing poll intervals to 12 hours for non-critical containers
- Using
WUD_REGISTRY_RETRY_DELAY=300to avoid hammering registries during outages - Mounting
/home/node/app/storeon a tmpfs volume for faster I/O if persistence isn't critical
Security Hardening
Never run WUD with Docker socket write access in production. Use a read-only mount (:ro) and enable WUD_AUTH_BASIC_USERNAME and WUD_AUTH_BASIC_PASSWORD to protect the UI. For extra security, run WUD in a distroless container variant if available, minimizing attack surface.
Multi-Arch Awareness
WUD respects image architecture. If you're running ARM64 containers on AWS Graviton, it won't alert you about AMD64 updates. Ensure your provider configuration includes platform: linux/arm64 to filter correctly.
Comparison: WUD vs. Alternatives
| Feature | WUD | Watchtower | Diun | Ouroboros |
|---|---|---|---|---|
| Update Detection | ✅ Multi-trigger (cron, webhook) | ✅ Scheduled | ✅ On push | ✅ Scheduled |
| Notifications | ✅ 15+ providers (Slack, Discord, etc.) | ✅ Email only | ✅ 10+ providers | ✅ Email, Slack |
| Auto-Updates | ✅ Optional, per-container | ✅ Always on | ❌ Notify only | ✅ Always on |
| Docker Compose | ✅ Native support | ⚠️ Limited | ✅ Native | ⚠️ Limited |
| Prometheus Metrics | ✅ Built-in | ❌ No | ✅ Built-in | ❌ No |
| Resource Usage | ~80MB RAM, low CPU | ~120MB RAM | ~60MB RAM | ~100MB RAM |
| Configuration | Labels + JSON config | CLI args only | YAML config | CLI args only |
| Registry Auth | ✅ Multiple registries | ✅ Single registry | ✅ Multiple | ✅ Single |
| Web UI | ✅ Included | ❌ No | ❌ No | ❌ No |
Why Choose WUD? WUD's killer feature is flexibility without complexity. Watchtower forces auto-updates, which is dangerous in production. Diun lacks a UI and has steeper configuration. WUD's label-driven approach lets you declare update policies in your compose files, keeping infrastructure and policy together in version control. The Prometheus integration alone makes it the choice for teams with mature observability practices.
Frequently Asked Questions
Q: Does WUD automatically update my containers?
A: No, by default WUD only notifies. Auto-update is an opt-in feature per container using wud.update.mode=auto label. This design prevents accidental production disruptions. You maintain full control.
Q: How much CPU/memory does WUD consume? A: In production monitoring 150 containers, WUD uses ~80MB RAM and spikes to 5% CPU during registry polls. Poll frequency and container count directly impact usage. Most users report less than 1% average CPU load.
Q: Can WUD monitor private registries like JFrog Artifactory?
A: Yes. Configure registry credentials in config.json under the registries section. WUD supports basic auth, token auth, and Docker config.json credential helpers for seamless private registry integration.
Q: What happens if a registry is down during a poll?
A: WUD implements exponential backoff with jitter. It retries failed polls after 60 seconds, then 120s, up to a maximum of 10 minutes. Failed checks are logged but don't crash WUD. Metrics track wud_registry_polls_failed_total for alerting.
Q: Does WUD support Kubernetes?
A: Not natively. WUD is Docker-centric. For Kubernetes, use tools like Keel or Flux. However, you can monitor Kubernetes-hosted containers by exposing the Docker socket from nodes (not recommended) or using WUD's static provider with a script that queries kubectl.
Q: How do I test notifications without waiting for real updates?
A: Use the "Test Notification" button in the WUD UI, or send a POST to /api/triggers/test. This simulates an update event using a dummy container, letting you verify Slack/Discord/webhook delivery instantly.
Q: Is mounting the Docker socket safe?
A: Use read-only mounts (:ro) in production. WUD needs socket access to read container metadata. Read-only prevents WUD (or an attacker exploiting it) from starting/stopping containers. For defense-in-depth, run WUD on a dedicated management host that remotely accesses Docker daemons via TLS.
Conclusion: Take Control of Your Container Updates
WUD transforms Docker container maintenance from a reactive fire drill into a proactive, observable workflow. Its intelligent monitoring, flexible notifications, and respect for operational control make it the ideal choice for teams serious about security without sacrificing stability.
The tool's strength lies in its pragmatic design: it doesn't force auto-updates but gives you the data to act decisively. The Prometheus integration and label-based configuration fit perfectly into modern GitOps and observability practices. Whether you're managing a home lab or enterprise microservices, WUD scales from simple notifications to complex multi-environment orchestration.
Ready to stop flying blind? Deploy WUD today and gain immediate visibility into your container update landscape. The project is actively maintained, MIT-licensed, and backed by a growing community of DevOps engineers. Star the repository to show support, and join the ranks of teams who've made outdated containers a problem of the past.
👉 Get started with WUD now - your future self will thank you when that critical CVE patch is detected at 2 AM while you sleep soundly.
Comments (0)
No comments yet. Be the first to share your thoughts!
