DrydockDrydock
Quick Start

Quick start

Deploy Drydock with Docker in seconds using a socket proxy or direct mount.

Run the Docker image

The easiest way to start is to deploy the official drydock image.

Using a socket proxy is the most secure way to expose the Docker API. The proxy limits which endpoints Drydock can access.

services:
  drydock:
    image: codeswhat/drydock
    container_name: drydock
    depends_on:
      socket-proxy:
        condition: service_healthy
    environment:
      - DD_WATCHER_LOCAL_HOST=socket-proxy
      - DD_WATCHER_LOCAL_PORT=2375
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
    ports:
      - 3000:3000

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: drydock-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CONTAINERS=1
      - IMAGES=1
      - EVENTS=1
      - SERVICES=1
      # Add POST=1 for container actions (start/stop/restart) or auto-updates
      # Add NETWORKS=1 if using the Docker trigger for auto-updates
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 3s
      retries: 3
      start_period: 5s
    restart: unless-stopped
Direct socket access grants the container full control over the Docker daemon. Use the Socket Proxy tab above for production deployments. See Docker Socket Security for all available options.

The simplest setup — mount the Docker socket directly. Works out of the box on most systems.

services:
  drydock:
    image: codeswhat/drydock
    container_name: drydock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
    ports:
      - 3000:3000
If you need a read-only socket mount (:ro), break-glass root mode requires both DD_RUN_AS_ROOT=true and DD_ALLOW_INSECURE_ROOT=true. Prefer socket proxy mode for least privilege. See Docker Socket Security for details.
Direct socket access grants the container full control over the Docker daemon. Use the Socket Proxy tab above for production deployments. See Docker Socket Security for all available options.
docker run -d --name drydock \
  -v "/var/run/docker.sock:/var/run/docker.sock" \
  -e DD_AUTH_BASIC_ADMIN_USER=admin \
  -e 'DD_AUTH_BASIC_ADMIN_HASH=argon2id$65536$3$4$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw==' \
  -p 3000:3000 \
  codeswhat/drydock
The official image is published on Github Container Registry: codeswhat/drydock
Authentication is required by default on fresh installs. The examples above use Basic auth with username admin and password password. See the auth docs for OIDC, anonymous access, and other options.

Migrating from WUD

If you are coming from What's Up Docker, you can switch images and keep your existing config (WUD_* env vars and wud.* labels still work).

To rewrite your local config to drydock naming (DD_* and dd.*), run:

# preview changes only
docker exec -it drydock node dist/index.js config migrate --dry-run

# apply changes to specific files
docker exec -it drydock node dist/index.js config migrate --file .env --file compose.yaml

config migrate reads/writes only local files in your deployment. It does not send usage data to external services.

Open the UI

Open the UI in a browser and check that everything is working as expected.

First 5 minutes in the UI

  1. Open the command palette with Cmd/Ctrl+K.
  2. Use prefix scopes to narrow search quickly:
    • / pages
    • @ runtime resources (containers, agents, triggers, watchers)
    • # config resources (registries, auth, notifications, settings)
  3. Leave the query empty to use recent results.
  4. Open Notifications and tune event rules (update-available, update-applied, update-failed, security-alert, agent-disconnect) plus trigger assignments.
  5. Reorder dashboard widgets by drag/drop; layout persists locally and can be reset.
Keyboard shortcuts: Enter confirms action dialogs, Escape cancels dialogs and closes detail panels.

Add your first trigger

Everything ok? It's time to add some triggers!

Going deeper

Need to fine configure how drydock must watch your containers? Take a look at the watcher documentation!
Need to integrate other registries (ECR, GCR...)? Take a look at the registry documentation.

Ready-to-go examples

You can find here a complete configuration example illustrating some common drydock options.

Introduction

Open source container update monitoring built in TypeScript. Auto-discover containers, detect image updates across 23 registries, and trigger notifications via 20+ services.

Configuration

Drydock is configured via environment variables and Docker labels.

On this page

Run the Docker imageMigrating from WUDOpen the UIFirst 5 minutes in the UIAdd your first triggerGoing deeperReady-to-go examples