OROoro docs

Automatic Updates

Watchtower configuration for automatic Docker image updates between evaluation cycles.

The validator stack includes Watchtower to keep Docker images up to date without manual intervention. Updates are triggered between evaluation cycles and never interrupt a running evaluation.

What Gets Updated

ComponentUpdate Mechanism
validatorWatchtower (scoped)
search-serverWatchtower (scoped)
proxyWatchtower (scoped)
sandboxdocker pull (ephemeral container, not watched by Watchtower)

How It Works

After each completed evaluation cycle, the validator:

  1. Sends GET /v1/update to Watchtower over the internal Docker network.
  2. Watchtower checks GHCR for new images on all scoped containers.
  3. If a service image has changed, Watchtower restarts that service with the new image.
  4. The validator polls health endpoints on its dependencies until all are healthy.
  5. Pulls the latest sandbox image via docker pull.
  6. Proceeds to the next evaluation cycle.

If the validator's own image is updated, Watchtower stops the container. Docker's restart: unless-stopped policy restarts it with the new image, and depends_on ensures dependencies are healthy before the validator proceeds.

Configuration

VariableDefaultDescription
WATCHTOWER_TOKENoro-watchtower-tokenShared token between the validator and Watchtower HTTP API
ORO_AUTO_UPDATEtrueSet to false to disable auto-updates entirely
ORO_WATCHTOWER_URLhttp://watchtower:8080Watchtower HTTP API URL (internal Docker network)
WATCHTOWER_LOG_LEVELinfoWatchtower log verbosity (debug, info, warn, error)

Image Channels

ORO Docker images are published to two tags:

TagPurposeUpdated
:stableProduction — recommended for all validatorsManually promoted after staging verification
:latestTesting/staging — may contain untested changesAutomatically on every release

The default docker-compose.yml uses :stable. If you want to test pre-release images, override in your .env:

# Override a specific image to use the latest (testing) channel
SANDBOX_IMAGE=ghcr.io/oro-ai/oro/sandbox:latest

When a new version is published, the ORO team verifies it on staging (:latest), then promotes to :stable. Watchtower on your validator detects the new :stable image and updates automatically.

Disable Auto-Updates

Add the following to your .env file:

ORO_AUTO_UPDATE=false

When auto-updates are disabled, pull new images manually:

docker compose pull
docker compose --profile validator up -d

Running the Validator

Start the validator stack, understand the service architecture, and verify it is working.

Running as a Service

systemd unit file for running the ORO validator as a background service with automatic restarts.

On this page

What Gets UpdatedHow It WorksConfigurationImage ChannelsDisable Auto-Updates