Quick start
Deploy Drydock with Docker using a socket proxy or direct mount.
Run the Docker image
To get started, deploy the official drydock image:
Using a socket proxy is the most secure way to expose the Docker API. The proxy limits which endpoints Drydock can access.
services:
drydock:
image: codeswhat/drydock
container_name: drydock
depends_on:
socket-proxy:
condition: service_healthy
environment:
- DD_WATCHER_LOCAL_HOST=socket-proxy
- DD_WATCHER_LOCAL_PORT=2375
- DD_AUTH_BASIC_ADMIN_USER=admin
- "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
# - DD_SERVER_TRUSTPROXY=1 # uncomment if a TLS-terminating reverse proxy sits in front of Drydock
ports:
- 3000:3000
socket-proxy:
image: tecnativa/docker-socket-proxy
container_name: drydock-socket-proxy
labels:
- dd.watch=true
- dd.update.mode=infrastructure
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- CONTAINERS=1
- IMAGES=1
- EVENTS=1
- SERVICES=1
- INFO=1 # Required for daemon identity detection (notification prefixes)
# Add POST=1 for container actions (start/stop/restart) or auto-updates
# Add NETWORKS=1 if using the Docker trigger for auto-updates
healthcheck:
test: wget --spider http://localhost:2375/version || exit 1
interval: 5s
timeout: 3s
retries: 3
start_period: 5s
restart: unless-stoppedThe simplest setup — mount the Docker socket directly. Works out of the box on most systems.
services:
drydock:
image: codeswhat/drydock
container_name: drydock
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- DD_AUTH_BASIC_ADMIN_USER=admin
- "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
# - DD_SERVER_TRUSTPROXY=1 # uncomment if a TLS-terminating reverse proxy sits in front of Drydock
ports:
- 3000:3000:ro), break-glass root mode requires both DD_RUN_AS_ROOT=true and DD_ALLOW_INSECURE_ROOT=true. Prefer socket proxy mode for least privilege. See Docker Socket Security for details.docker run -d --name drydock \
-v "/var/run/docker.sock:/var/run/docker.sock" \
-e DD_AUTH_BASIC_ADMIN_USER=admin \
-e 'DD_AUTH_BASIC_ADMIN_HASH=argon2id$65536$3$4$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw==' \
-p 3000:3000 \
codeswhat/drydockThe official image is published on Docker Hub and GitHub Container Registry.
Release tags use the same channel names in every registry:
| Tag | Behavior |
|---|---|
1.6.0-rc.1 | Immutable release candidate; best for reproducible testing |
1.6-rc | Rolling release-candidate channel; moves to the newest 1.6.0-rc.N |
1.6 | Rolling stable minor channel; published only for GA releases |
1 | Rolling stable major channel; published only for GA releases |
latest | Newest GA release; never points at a prerelease |
Use the exact RC tag when reporting a regression. Use 1.6-rc only when you intentionally want each candidate cut without editing your Compose file.
admin and password password. See the auth docs for OIDC, anonymous access, and other options.DD_SERVER_TRUSTPROXY=1 (the number of proxy hops) — otherwise every manual action in the UI fails with 403 CSRF validation failed. See the FAQ for details.Migrating from WUD
If you are coming from What's Up Docker, migrate WUD_* environment variables and wud.* labels before starting v1.6; those runtime aliases have been removed.
To rewrite your local config to drydock naming (DD_* and dd.*), run:
# preview changes only
docker exec -it drydock node dist/index.js config migrate --dry-run
# apply changes to specific files
docker exec -it drydock node dist/index.js config migrate --file .env --file compose.yamlconfig migrate reads/writes only local files in your deployment. It does not send usage data to external services.
If you use the Home Assistant wud-card or Homepage's native whatsupdocker widget against your old WUD instance, set DD_COMPAT_WUDCARD=true to keep them working against drydock — see wud-card compatibility.
Open the UI
Open the UI in a browser and check that everything is working as expected.
First 5 minutes in the UI
- Open the command palette with
Cmd/Ctrl+K. - Use prefix scopes to narrow search quickly:
/pages@runtime resources (containers, agents, triggers, watchers)#config resources (registries, auth, notifications, settings)
- Leave the query empty to use recent results.
- Open Notifications and tune all seven delivery rules, trigger assignments, audit-backed in-app bell categories, and per-provider templates. The update-available bell rule also offers a severity threshold; use Preview to render template drafts before saving.
- Reorder or resize dashboard widgets in edit mode; the custom grid persists responsive layouts locally (and across devices when signed-in preference sync is enabled) and can be reset.
Keyboard shortcuts: Enter confirms action dialogs, Escape cancels dialogs and closes detail panels.
Next steps
- Getting started guide — step-by-step walkthrough from watching containers to notifications and auto-updates.
- Add some triggers to get notified or auto-update containers.
- Configure watchers to fine-tune how drydock monitors your containers.
- Run with Podman if your host uses Podman's Docker-compatible API socket.
- Multi-host monitoring — run lightweight agents on remote hosts and aggregate them into one UI.
- Integrate other registries (ECR, GCR, GHCR, and more).
- See a complete configuration example illustrating common drydock options.
Introduction
Open source container update monitoring built in TypeScript. Auto-discover containers, detect image updates across 23 registries, and trigger notifications via 20+ services.
Getting started
A step-by-step walkthrough for configuring Drydock after your first deploy — from watching containers to notifications and auto-updates.