- 🚀 Quick Start
- 📸 Screenshots & Live Demo
- ✨ Features
- 🔌 Supported Integrations
- ⚖️ Feature Comparison
- 🔄 Migration
- 🗺️ Roadmap
- 📖 Documentation
- ⭐ Star History
- 🔧 Built With
- 🤝 Community QA
Recommended: use a socket proxy to restrict which Docker API endpoints Drydock can access. This avoids giving the container full access to the Docker socket.

```yaml
services:
  drydock:
    image: codeswhat/drydock
    depends_on:
      socket-proxy:
        condition: service_healthy
    environment:
      # Drydock reaches Docker through the proxy over TCP; it mounts no socket itself
      - DD_WATCHER_LOCAL_HOST=socket-proxy
      - DD_WATCHER_LOCAL_PORT=2375
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>"
    ports:
      - 3000:3000

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      # Only the proxy mounts the Docker socket
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # API sections exposed to drydock
      - CONTAINERS=1
      - IMAGES=1
      - EVENTS=1
      - SERVICES=1
      # Add POST=1 and NETWORKS=1 for container actions and auto-updates
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 3s
      retries: 3
      start_period: 5s
    restart: unless-stopped
```

Alternative: quick start with direct socket mount
```bash
docker run -d \
  --name drydock \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e DD_AUTH_BASIC_ADMIN_USER=admin \
  -e "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>" \
  codeswhat/drydock:latest
```

Warning: Direct socket access grants the container full control over the Docker daemon. Use the socket proxy setup above for production deployments. See the Docker Socket Security guide for all options including remote TLS and rootless Docker.
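One way to confirm that the socket proxy from the Compose file above enforces its allowlist, shown as an added example that is not part of the drydock project. The probe list, the `auditProxy` and `fakeProxy` names, the nonexistent container name, and the expectation that the proxy answers 403 for a disabled section are assumptions.

```javascript
// Added example. Assumption: tecnativa/docker-socket-proxy answers 403 for a
// disabled API section, so any other status means the request got through.
const PROBES = [
  { method: "GET", path: "/version", allow: true },          // healthcheck target
  { method: "GET", path: "/containers/json", allow: true },  // CONTAINERS=1
  { method: "GET", path: "/images/json", allow: true },      // IMAGES=1
  { method: "GET", path: "/volumes", allow: false },         // VOLUMES not set
  { method: "GET", path: "/secrets", allow: false },         // SECRETS not set
  // Write probe against a container name that does not exist (hypothetical name).
  { method: "POST", path: "/containers/dd-probe-missing/restart", allow: false },
];

async function auditProxy(baseUrl, fetchFn = fetch) {
  const findings = [];
  for (const { method, path, allow } of PROBES) {
    const { status } = await fetchFn(baseUrl + path, { method });
    const blocked = status === 403;
    if (allow && blocked) findings.push(`${method} ${path}: blocked although enabled`);
    if (!allow && !blocked) findings.push(`${method} ${path}: HTTP ${status}, expected 403`);
  }
  return findings;
}

// Constructed stand-in for the proxy so the example runs offline; pass only
// the base URL (e.g. http://socket-proxy:2375) to probe a real deployment.
function fakeProxy(enabled) {
  return async (url, { method }) => {
    const section = new URL(url).pathname.split("/")[1].toUpperCase();
    const sectionOk = section === "VERSION" || enabled.includes(section);
    const methodOk = method === "GET" || enabled.includes("POST");
    return { status: sectionOk && methodOk ? 200 : 403 };
  };
}

const asConfigured = fakeProxy(["CONTAINERS", "IMAGES", "EVENTS", "SERVICES"]);
auditProxy("http://socket-proxy:2375", asConfigured)
  .then((findings) => console.log(findings.length ? findings : "allowlist enforced"));
```

If `POST=1` is enabled for container actions and auto-updates, the write probe is expected to get through, so set its `allow` to `true`.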
Generate a password hash (`argon2` CLI, install via your package manager):

```bash
echo -n "yourpassword" | argon2 "$(openssl rand -base64 32)" -id -m 16 -t 3 -p 4 -l 64 -e
```

Or with Node.js 24+ (no extra packages needed):

```bash
node -e 'const c=require("node:crypto");const s=c.randomBytes(32);const h=c.argon2Sync("argon2id",{message:process.argv[1],nonce:s,memory:65536,passes:3,parallelism:4,tagLength:64});console.log("argon2id$65536$3$4$"+s.toString("base64")+"$"+h.toString("base64"));' "yourpassword"
```

Legacy v1.3.9 Basic auth hashes (`{SHA}`, `$apr1$`/`$1$`, `crypt`, and plain) are accepted for upgrade compatibility but deprecated (removed in v1.6.0). Argon2id is recommended for all new configurations.

Authentication is required by default. See the auth docs for OIDC, anonymous access, and other options. To explicitly allow anonymous access on fresh installs, set `DD_ANONYMOUS_AUTH_CONFIRM=true`.
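A check to run on a `DD_AUTH_BASIC_ADMIN_HASH` value before deploying it, given as an added example rather than drydock's own code. It recognises the two layouts produced by the generator commands above and the legacy prefixes named above; the `inspectHash` name, the result fields and the "weak" threshold (the README's example parameters) are assumptions.

```javascript
// Added example. Field layouts come from the two generator commands above;
// how drydock itself parses the value is not shown on this page.
const LEGACY_PREFIXES = ["{SHA}", "$apr1$", "$1$"]; // crypt/plain have no prefix to match
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;
const decodeB64 = (s) => (B64.test(s) ? Buffer.from(s, "base64") : null);

function inspectHash(value) {
  if (LEGACY_PREFIXES.some((p) => value.startsWith(p))) {
    return { ok: false, format: "legacy", reason: "deprecated format, regenerate as argon2id" };
  }
  const f = value.split("$");
  let format, m, t, p;
  if (f.length === 6 && f[0] === "argon2id") {
    // Node one-liner: argon2id$memory$passes$parallelism$salt$tag
    format = "drydock";
    [m, t, p] = f.slice(1, 4).map(Number);
  } else if (f.length === 6 && f[0] === "" && f[1] === "argon2id") {
    // argon2 CLI with -e: $argon2id$v=19$m=..,t=..,p=..$salt$tag
    format = "phc";
    const kv = Object.fromEntries(f[3].split(",").map((x) => x.split("=")));
    [m, t, p] = [kv.m, kv.t, kv.p].map(Number);
  } else {
    return { ok: false, format: "unknown", reason: "not argon2id, or fields are missing" };
  }
  const salt = decodeB64(f[4]);
  const tag = decodeB64(f[5]);
  if (![m, t, p].every((n) => Number.isInteger(n) && n > 0) || !salt || !tag) {
    return { ok: false, format, reason: "malformed parameters, salt or tag" };
  }
  // Assumption: treat anything below the README's example parameters as weak.
  const weak = m < 65536 || t < 3 || tag.length < 64;
  return { ok: true, format, weak, memoryKiB: m, passes: t, parallelism: p,
           saltBytes: salt.length, tagBytes: tag.length };
}

// Constructed samples: filler bytes, not real password hashes.
const sampleSalt = Buffer.alloc(32, 1).toString("base64");
const sampleTag = Buffer.alloc(64, 2).toString("base64");
const samples = [
  `argon2id$65536$3$4$${sampleSalt}$${sampleTag}`, // well-formed
  `argon2id$65536$3$4$${sampleSalt}`,               // tag lost in transit
  `$argon2id$v=19$m=4096,t=3,p=1$${sampleSalt}$${sampleTag}`, // weaker memory
  "{SHA}constructed-legacy-value",
];
for (const s of samples) console.log(s.slice(0, 24), inspectHash(s));
```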
The image includes trivy and cosign binaries for local vulnerability scanning and image verification.
See the Quick Start guide for Docker Compose, socket security, reverse proxy, and alternative registries.
Why look at screenshots when you can experience it yourself?
Fully interactive — real UI, mock data, no install required. Runs entirely in-browser.
- Auto-detect running containers and check for image updates across registries
- Slack, Discord, Telegram, Teams, Matrix, SMTP, MQTT, HTTP webhooks, Gotify, NTFY, and more
- Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, Harbor, Artifactory, Nexus, and more
- Auto-pull and recreate services via Docker Engine API with YAML-preserving service-scoped image patching
- Monitor remote Docker hosts with SSE-based agent architecture
- Event-based audit trail with persistent storage, REST API, and Prometheus counter
- Authelia, Auth0, Authentik: secure your dashboard with OpenID Connect
- Built-in /metrics endpoint with optional auth bypass for monitoring stacks
- Automatic pre-update image backup with configurable retention and one-click rollback
- Start, stop, restart, and update containers from the UI or API with feature-flag control
- Token-authenticated HTTP endpoints with per-endpoint token support for CI/CD integration to trigger watch cycles and updates
- Smart stack detection via compose project or labels with collapsible groups and batch-update
- Pre/post-update shell commands via container labels with configurable timeout and abort control
- Automatic rollback on health check failure with configurable monitoring window and interval
- DVD-style animated overlay during drydock's own container update with auto-reconnect
- Auto-resolved container icons via selfhst/icons with homarr-labs fallback and bundled selfhst seeds for internetless startup
- Fully responsive dashboard with optimized mobile breakpoints for all views
- Available on GHCR, Docker Hub, and Quay.io for flexible deployment
Docker Hub · GHCR · ECR · ACR · GCR · GAR · GitLab · Quay · LSCR · Harbor · Artifactory · Nexus · Gitea · Forgejo · Codeberg · MAU · TrueForge · Custom · DOCR · DHI · IBM Cloud · Oracle Cloud · Alibaba Cloud
Apprise · Command · Discord · Docker · Docker Compose · Google Chat · Gotify · HTTP · IFTTT · Kafka · Matrix · Mattermost · MQTT · MS Teams · NTFY · Pushover · Rocket.Chat · Slack · SMTP · Telegram
Anonymous (opt-in via DD_ANONYMOUS_AUTH_CONFIRM=true) · Basic (username + password hash) · OIDC (Authelia, Auth0, Authentik). All auth flows fail closed by default.
API note: POST /api/containers/:id/env/reveal is currently scoped to authentication only (no per-container RBAC yet), so any authenticated user is treated as a trusted operator for secret reveal actions.
OpenAPI note: machine-readable API docs are available at GET /api/v1/openapi.json (canonical) and GET /api/openapi.json (compatibility alias during transition).
API versioning note: third-party integrations should migrate to /api/v1/*. The unversioned /api/* alias is deprecated and will be removed in v1.6.0.
Trivy-powered vulnerability scanning blocks unsafe updates before they deploy. Includes cosign signature verification and SBOM generation (CycloneDX & SPDX).
How does drydock compare to other container update tools?
✅ = supported · ❌ = not supported · ⚠️ = partial / limited

For the full itemized changelog, see CHANGELOG.md.

| Feature | drydock | WUD | Diun | Watchtower † | Ouroboros † |
|---|---|---|---|---|---|
| Web UI / Dashboard | ✅ | ✅ | ❌ | ❌ | ❌ |
| Auto-update containers | ✅ | ✅ | ❌ | ✅ | ✅ |
| Docker Compose updates | ✅ | ✅ | ❌ | ❌ | |
| Notification triggers | 20 | 16 | 17 | ~19 | ~6 |
| Registry providers | 23 | 13 | | | |
| OIDC / SSO authentication | ✅ | ✅ | ❌ | ❌ | ❌ |
| REST API | ✅ | ✅ | ❌ | | |
| Prometheus metrics | ✅ | ✅ | ❌ | ✅ | ✅ |
| MQTT / Home Assistant | ✅ | ✅ | ✅ | ❌ | ❌ |
| Image backup & rollback | ✅ | ❌ | ❌ | ❌ | ❌ |
| Container grouping / stacks | ✅ | ✅ | ❌ | ❌ | |
| Lifecycle hooks (pre/post) | ✅ | ❌ | ❌ | ✅ | ❌ |
| Webhook API for CI/CD | ✅ | ❌ | ❌ | ✅ | ❌ |
| Container start/stop/restart/update | ✅ | ❌ | ❌ | ❌ | ❌ |
| Distributed agents (remote) | ✅ | ❌ | ✅ | ❌ | |
| Audit log | ✅ | ❌ | ❌ | ❌ | ❌ |
| Security scanning (Trivy) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Semver-aware updates | ✅ | ✅ | ✅ | ❌ | ❌ |
| Digest watching | ✅ | ✅ | ✅ | ✅ | ✅ |
| Multi-arch (amd64/arm64) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Actively maintained | ✅ | ✅ | ✅ | ❌ | ❌ |
Data based on publicly available documentation as of February 2026. Contributions welcome if any information is inaccurate.
Migrating from WUD (What's Up Docker?)
Drop-in replacement — swap the image, restart, done. All WUD_* env vars and wud.* labels are auto-mapped at startup. State file migrates automatically. Use config migrate --dry-run to preview, then config migrate --file .env --file compose.yaml to rewrite config to drydock naming.
| Version | Theme | Highlights |
|---|---|---|
| v1.3.x ✅ | Security & Stability | Trivy scanning, Update Bouncer, SBOM, 7 new registries, 4 new triggers, rollback fixes, GHCR auth, self-hosted TLS, re2js regex engine, compose trigger fixes, DB persistence on shutdown |
| v1.4.0 ✅ | UI Modernization & Hardening | Tailwind CSS 4 + custom component library, 6 themes, 7 icon libraries, font size preference, Cmd/K command palette, OpenAPI 3.1.0 endpoint, standardized API responses with pagination, compose-native YAML-preserving updates, rename-first rollback with health gates, self-update controller with SSE ack, fail-closed auth enforcement, OIDC redirect URL validation, tag-family semver, notification rules, container grouping by stack, audit history view, dual-slot security scanning, scheduled scans, WUD migration CLI, bundled offline icons, dashboard drag-reorder, gzip compression, API error sanitization, agent log validation, TLS path redaction, audit store indexing with 30-day retention, type-safe store modules, durable batch scans, recent-status API, advisory-only security scanning, compose trigger hardening (auto-detection, validation, reconciliation, digest pinning, batch mode, multi-file awareness), reactive server feature flags, identity-aware rate limiting, API hardening |
| v1.4.1 ✅ | Patch & Polish | Headless mode (API-only), maturity-based update policy (NEW/MATURE badges), ?groupByStack=true URL param, agent handshake + SSE fix (#141), mangled hash detection + anonymous fallback + login error surfacing (#147), CSRF behind reverse proxies (#146), compose trigger affinity across remapped roots, CSP inline style elimination, connection-lost animation, LokiJS metadata stripping, timing side-channel fix, image hardening |
| v1.4.2 ✅ | Bug Fixes | Watcher container count fix (#155), container recreate alias filtering (#156), stale store data fix (#157), CI versioned-only images (#154), maturity badge sizing, dependency upgrades |
| v1.4.3 ✅ | DNS & Security | Configurable DNS result ordering for Alpine EAI_AGAIN fix (#161), Docker socket security guide, zizmor blocking in CI, scoped GitHub environments |
| v1.4.4 ✅ | UI Polish & Hardening | Alias dedup hardening with 30s transient window (#156), dashboard host-status for remote watchers (#155), tooltip viewport fix (#165), click-to-copy version tags (#164), Simple Icons dark mode inversion, theme switcher fix, search button polish, URL rebrand to getdrydock.com |
| v1.5.0 | Observability & User-Requested Features | Real-time log viewer, container resource monitoring, registry webhooks, auth endpoint telemetry/guardrails, image maturity/sort-by-age indicator, URL-driven filter/sort state, release notes in UI & notifications, smart tag suggestions, digest check deduplication, Podman setup docs |
| v1.5.1 | Scanner Decoupling | Backend-based scanner execution (docker/remote), Grype provider, scanner asset lifecycle |
| v1.6.0 | Notifications & Release Intel | Notification templates, MS Teams & Matrix triggers, remove all deprecated compatibility aliases (see DEPRECATIONS.md) |
| v1.7.0 | Smart Updates & UX | Dependency-aware ordering, clickable port links, image prune, static image monitoring, dashboard customization |
| v1.8.0 | Fleet Management & Live Config | YAML config, live UI config panels, volume browser, parallel updates, SQLite store migration, i18n framework |
| v2.0.0 | Platform Expansion | Docker Swarm, Kubernetes watchers and triggers, basic GitOps |
| v2.1.0 | Advanced Deployment Patterns | Health check gates, canary deployments, durable self-update controller |
| v2.2.0 | Container Operations | Web terminal, file browser, image building, basic Podman support |
| v2.3.0 | Automation & Developer Experience | API keys, passkey auth, TOTP 2FA, TypeScript actions, CLI |
| v2.4.0 | Data Safety & Templates | Scheduled backups (S3, SFTP), compose templates, secret management |
| v3.0.0 | Advanced Platform | Network topology, GPU monitoring, full i18n translations |
| v3.1.0 | Enterprise Access & Compliance | RBAC, LDAP/AD, environment-scoped permissions, audit logging, Wolfi hardened image |
| v3.2.0 | Drydock Socket Proxy | Built-in companion proxy container (allowlist-filtered Docker API), rootless Docker & remote TLS security docs |
| Resource | Link |
|---|---|
| Website | getdrydock.com |
| Live Demo | demo.getdrydock.com |
| Docs | getdrydock.com/docs |
| Configuration | Configuration |
| Quick Start | Quick Start |
| Changelog | CHANGELOG.md |
| Deprecations | DEPRECATIONS.md |
| Roadmap | See Roadmap section above |
| Contributing | CONTRIBUTING.md |
| Issues | GitHub Issues |
| Discussions | GitHub Discussions — feature requests & ideas welcome |

