Abstract monochrome image with a blurred person.

Monitor Docker updates

Published 25 May, 2026

Applications

Keeping containers updated is essential for maintaining security, stability, and reliability. In self-hosted infrastructure, outdated container images can quickly introduce vulnerabilities, compatibility problems, and maintenance risks.

This becomes increasingly important when services are internet-facing or support production workloads across multiple environments.

A practical and lightweight solution is combining with ntfy. Together, these tools can automatically monitor Docker image updates and send real-time notifications directly to your desktop or mobile device.

This approach works particularly well with platforms like Dokploy, where operators commonly manage multiple Docker services and stacks across servers.

DIUN brand logo.

DIUN

DIUN stands for Docker Image Update Notifier. It continuously monitors running Docker containers and checks whether newer image tags are available from container registries such as:

  • Docker Hub
  • GitHub
  • GitLab
  • Private registries

Instead of manually checking image versions or discovering outdated containers after a security advisory is published, DIUN provides immediate visibility whenever upstream images are updated.

This allows administrators to review and schedule updates proactively rather than reactively.

ntfy

provides lightweight push notifications using simple HTTP-based topics. For infrastructure monitoring, ntfy offers several operational advantages:

  • Push notifications
  • Desktop and mobile support
  • Self-hosted deployment
  • Webhook integrations

Because notifications are delivered instantly, operators can quickly assess whether updates should be deployed immediately or scheduled during maintenance windows.

Deployment

The following Docker Compose configuration checks for container image updates every six hours and sends notifications through ntfy.

text
services:
  diun:
    image: crazymax/diun:latest
    restart: unless-stopped
    pull_policy: always
    command: serve
    environment:
      TZ: "${NTFY_TZ}"
 
      DIUN_PROVIDERS_DOCKER: "true"
      DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT: "true"
 
      DIUN_WATCH_RUNONSTARTUP: "true"
      DIUN_WATCH_SCHEDULE: "0 */6 * * *"
      DIUN_WATCH_JITTER: "30s"
      DIUN_WATCH_FIRSTCHECKNOTIF: "true"
 
      DIUN_NOTIF_NTFY_ENDPOINT: "${NTFY_ENDPOINT}"
      DIUN_NOTIF_NTFY_TOPIC: "${NTFY_TOPIC}"
      DIUN_NOTIF_NTFY_TOKEN: "${NTFY_TOKEN}"
      DIUN_NOTIF_NTFY_TIMEOUT: "10s"
    volumes:
      - diun-data:/data
      - /var/run/docker.sock:/var/run/docker.sock
 
volumes:
  diun-data:

Variables

The following environment variables should be configured:

text
NTFY_ENDPOINT=https://ntfy.sh    // public or your private ntfy url
NTFY_TOPIC=docker                // The subscription topic
NTFY_TOKEN=secure-token          // The access token to your ntfy instance
 
NTFY_TZ=Australia/Melbourne      // Your current timezone

These values define the ntfy server endpoint, notification topic, and authentication token. For additional configuration options, refer to the DIUN documentation.

Dokploy provider screen showing a Docker Compose setup for DIUN with ntfy notification environment variables.

Dokploy

Depending on how your project is configured, these settings may need to be adjusted accordingly. In most cases, the DIUN container should be deployed within the same project as the containers being monitored.

Ensure that "Enable Isolated Deployment" is disabled. This allows DIUN to detect and monitor all containers running within the project network.

For internal or self-managed projects where update tracking is unnecessary, specific containers can be excluded from monitoring using labels.

text
labels:
      - "diun.enable=false"

Applying this label to a service instructs DIUN to exclude that container from update monitoring checks.

For example, the configuration below excludes a private PayloadCMS image from DIUN monitoring.

text
services:
  payload:
    image: rubixvi/rubix-payload:latest
    restart: unless-stopped
    pull_policy: always
    depends_on:
      infisical:
        condition: service_completed_successfully
    labels:
      - "diun.enable=false"

Monitoring container updates should be part of every self-hosted infrastructure workflow. Without visibility into upstream image releases, outdated containers can quickly introduce security, compatibility, and maintenance risks across production environments.

By combining DIUN with ntfy, operators can implement a lightweight and efficient monitoring solution that integrates cleanly with Docker and Dokploy deployments. The setup requires minimal resources, remains fully self-hosted, and provides immediate visibility whenever new container image updates become available.

This creates a simple operational workflow for identifying outdated services and scheduling updates before they escalate into operational or security issues.

Vincent Vu

Author

Vincent is the founder and director of Rubix Studios, with over 20 years of experience in branding, marketing, film, photography, and web development. He is a certified partner with industry leaders including Google, Microsoft, and HubSpot. Vincent also serves as a member of the Maribyrnong City Council, Business and Innovation Board and is undertaking an Executive MBA at RMIT University.

Tags

#tools#security