Neutral Systems~products.ns
open for work
../products

// safe, reversible Docker updates

# Drydock

Watchtower, but it won't break your stack at 2am.

Drydock watches your running containers for new image versions and updates them safely: it health-checks every update and automatically rolls back if the container comes up unhealthy — and by default it asks before touching anything. The de-facto auto-updater (Watchtower) was archived in December 2025, and it applied every update blindly — no health check, no rollback, no approval. Drydock owns the safe, reversible middle.

status: "v0.1 — open source (AGPL-3.0), in active development" // latest: v0.1.0

What makes it different

Your original is never destroyed

Drydock stops and renames the running container aside, brings the new one up beside it, and only deletes the old one after the new one passes its health check. Any failure — bad image, failed pull, daemon hiccup — restarts your exact original. No update can ever leave you with nothing.

Health-checked updates

After updating, Drydock verifies the container is actually healthy — via an HTTP probe, an in-container command, or the image's own Docker HEALTHCHECK.

Automatic rollback

If the new version fails its health check, Drydock restores the previous container automatically. You wake up to a working stack, not a broken one.

Faithful recreate

Env, ports, volumes, mounts, capabilities, devices, restart policy, log config and user-defined networks (with their aliases) are carried over verbatim — not a hand-picked subset.

Approval mode by default

Drydock never auto-applies; it tells you what is available and you approve. Or switch to auto-safe to auto-apply patch/minor only.

Major-version guardrails

Semver-aware: major bumps (and non-semver tags like latest) are always flagged, never silent.

Install

Drydock runs anywhere Docker runs — Linux, Windows (Docker Desktop), and macOS — because it talks to Docker through the API. Run it as a container and point it at your socket:

# docker-compose.yml
services:
  drydock:
    image: neutralsystems/drydock:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DRYDOCK_MODE=approve  # approve | auto-safe

Then opt a container in with labels:

labels:
  - drydock.enable=true
  - drydock.healthcheck=http://localhost:8080/health
  - drydock.rollback_window=60

// full docs, labels reference and the rollback test live in the repo

Open source & auditable

AGPL-3.0, open and auditable — no telemetry, no network calls except to your image registry. The safety contract is covered by tests you can run yourself. Read the code, run it, build on it.

//github.com/NeutralSystems/drydock Browse on GitHub

// get the launch + new tools

Drydock is the first of a suite of open-source tools. Get the release + what's next — no spam.