Once you start accumulating enough applications running on docker you might realize that there is no automated mechanism for image updates.
Manually checking all of your containers for available updates is against the sysadmin mindset. Watchtower is your helping hand.
I happen to run portainer on both my local and cloud deployments so I used it for watchtower as well.
You simply create a new container with the name watchtower, give containrrr/watchtower as the image name and add the environment variable "WATCHTOWER_RUN_ONCE" with the value of "true" along with a volume mapping of "/var/run/docker.sock:/var/run/docker.sock". After this you hit "Deploy this container" and then you open the watchtower log to check if things are running smoothly.
I've chosen the RUN ONCE directive since I want to be present when the updates are happening in order to react if things go wrong.
Having internet facing self-hosted applications means that you have to be watching out for security updates along with new features and there is no better way than having this process semi or fully automated. Watchtower is a great helping hand that comes highly recomended.