Container auto-updater

Isengard

The tower that never sleeps.

A lightweight, zero-config Docker container auto-updater. Detects newer images through registry digest checks, then recreates your containers with every port, volume, network, and label intact.

Stay updated View source

Registry-first detection

Checks remote digests via registry HEAD requests in ~50ms. Images are only pulled when an update is actually found.

Zero configuration

Mount the Docker socket and set an interval. Every running container is watched by default. Opt out with a single label.

Faithful recreation

Ports, volumes, networks, env vars, labels, restart policies, resource limits. Every detail preserved across updates.

Vanishingly small

~3MB scratch-based image. Static Go binary, no runtime dependencies. Uses fewer resources than the containers it guards.

Deploy

Up in seconds

Add Isengard to any existing Compose file, or run it standalone. All it needs is the Docker socket.

docker-compose.yml

services:
  isengard:
    image: ghcr.io/dirdmaster/isengard
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/.docker/config.json:/root/.docker/config.json:ro
    environment:
      - ISENGARD_INTERVAL=30m
      - ISENGARD_CLEANUP=true

Configuration

Variable	Default	Description
`ISENGARD_INTERVAL`	`30m`	Check interval (Go duration)
`ISENGARD_WATCH_ALL`	`true`	Watch all containers; set false for opt-in mode
`ISENGARD_RUN_ONCE`	`false`	Run a single cycle, then exit
`ISENGARD_CLEANUP`	`true`	Remove old images after update
`ISENGARD_STOP_TIMEOUT`	`30`	Seconds to wait for graceful stop
`ISENGARD_LOG_LEVEL`	`info`	debug, info, warn, error

Opt-out mode (default): all containers are watched. Label individual containers with isengard.enable=false to exclude them.

Opt-in mode: set ISENGARD_WATCH_ALL=false and label only the containers you want watched with isengard.enable=true.