docker service update

Estimated reading time: 12 minutes


Update a service

API 1.24+  The client and daemon API must both be at least 1.24 to use this command. Use the docker version command on the client to check your client and daemon API versions.


docker service update [OPTIONS] SERVICE


Name, shorthandDefaultDescription
--argsService command args
--config-addAPI 1.30+ 
Add or update a config file on a service
--config-rmAPI 1.30+ 
Remove a configuration file
--constraint-addAdd or update a placement constraint
--constraint-rmRemove a constraint
--container-label-addAdd or update a container label
--container-label-rmRemove a container label by its key
--credential-specAPI 1.29+ 
Credential spec for managed service account (Windows only)
--detach , -dAPI 1.29+ 
Exit immediately instead of waiting for the service to converge
--dns-addAPI 1.25+ 
Add or update a custom DNS server
--dns-option-addAPI 1.25+ 
Add or update a DNS option
--dns-option-rmAPI 1.25+ 
Remove a DNS option
--dns-rmAPI 1.25+ 
Remove a custom DNS server
--dns-search-addAPI 1.25+ 
Add or update a custom DNS search domain
--dns-search-rmAPI 1.25+ 
Remove a DNS search domain
--endpoint-modeEndpoint mode (vip or dnsrr)
--entrypointOverwrite the default ENTRYPOINT of the image
--env-addAdd or update an environment variable
--env-rmRemove an environment variable
--forceAPI 1.25+ 
Force update even if no changes require it
--generic-resource-addAdd a Generic resource
--generic-resource-rmRemove a Generic resource
--group-addAPI 1.25+ 
Add an additional supplementary user group to the container
--group-rmAPI 1.25+ 
Remove a previously added supplementary user group from the container
--health-cmdAPI 1.25+ 
Command to run to check health
--health-intervalAPI 1.25+ 
Time between running the check (ms|s|m|h)
--health-retriesAPI 1.25+ 
Consecutive failures needed to report unhealthy
--health-start-periodAPI 1.29+ 
Start period for the container to initialize before counting retries towards unstable (ms|s|m|h)
--health-timeoutAPI 1.25+ 
Maximum time to allow one check to run (ms|s|m|h)
--host-addAPI 1.32+ 
Add a custom host-to-IP mapping (host:ip)
--host-rmAPI 1.25+ 
Remove a custom host-to-IP mapping (host:ip)
--hostnameAPI 1.25+ 
Container hostname
--imageService image tag
--isolationAPI 1.35+ 
Service container isolation mode
--label-addAdd or update a service label
--label-rmRemove a label by its key
--limit-cpuLimit CPUs
--limit-memoryLimit Memory
--log-driverLogging driver for service
--log-optLogging driver options
--mount-addAdd or update a mount on a service
--mount-rmRemove a mount by its target path
--network-addAPI 1.29+ 
Add a network
--network-rmAPI 1.29+ 
Remove a network
--no-healthcheckAPI 1.25+ 
Disable any container-specified HEALTHCHECK
--no-resolve-imageAPI 1.30+ 
Do not query the registry to resolve image digest and supported platforms
--placement-pref-addAPI 1.28+ 
Add a placement preference
--placement-pref-rmAPI 1.28+ 
Remove a placement preference
--publish-addAdd or update a published port
--publish-rmRemove a published port by its target port
--quiet , -qSuppress progress output
--read-onlyAPI 1.28+ 
Mount the container’s root filesystem as read only
--replicasNumber of tasks
--reserve-cpuReserve CPUs
--reserve-memoryReserve Memory
--restart-conditionRestart when condition is met (“none”|”on-failure”|”any”)
--restart-delayDelay between restart attempts (ns|us|ms|s|m|h)
--restart-max-attemptsMaximum number of restarts before giving up
--restart-windowWindow used to evaluate the restart policy (ns|us|ms|s|m|h)
--rollbackAPI 1.25+ 
Rollback to previous specification
--rollback-delayAPI 1.28+ 
Delay between task rollbacks (ns|us|ms|s|m|h)
--rollback-failure-actionAPI 1.28+ 
Action on rollback failure (“pause”|”continue”)
--rollback-max-failure-ratioAPI 1.28+ 
Failure rate to tolerate during a rollback
--rollback-monitorAPI 1.28+ 
Duration after each task rollback to monitor for failure (ns|us|ms|s|m|h)
--rollback-orderAPI 1.29+ 
Rollback order (“start-first”|”stop-first”)
--rollback-parallelismAPI 1.28+ 
Maximum number of tasks rolled back simultaneously (0 to roll back all at once)
--secret-addAPI 1.25+ 
Add or update a secret on a service
--secret-rmAPI 1.25+ 
Remove a secret
--stop-grace-periodTime to wait before force killing a container (ns|us|ms|s|m|h)
--stop-signalAPI 1.28+ 
Signal to stop the container
--tty , -tAPI 1.25+ 
Allocate a pseudo-TTY
--update-delayDelay between updates (ns|us|ms|s|m|h)
--update-failure-actionAction on update failure (“pause”|”continue”|”rollback”)
--update-max-failure-ratioAPI 1.25+ 
Failure rate to tolerate during an update
--update-monitorAPI 1.25+ 
Duration after each task update to monitor for failure (ns|us|ms|s|m|h)
--update-orderAPI 1.29+ 
Update order (“start-first”|”stop-first”)
--update-parallelismMaximum number of tasks updated simultaneously (0 to update all at once)
--user , -uUsername or UID (format: <name|uid>[:<group|gid>])
--with-registry-authSend registry authentication details to swarm agents
--workdir , -wWorking directory inside the container

Parent command

docker serviceManage services
docker service createCreate a new service
docker service inspectDisplay detailed information on one or more services
docker service logsFetch the logs of a service or task
docker service lsList services
docker service psList the tasks of one or more services
docker service rmRemove one or more services
docker service rollbackRevert changes to a service’s configuration
docker service scaleScale one or multiple replicated services
docker service updateUpdate a service

Extended description

Updates a service as described by the specified parameters. This command has to be run targeting a manager node. The parameters are the same as docker service create. Please look at the description there for further information.

Normally, updating a service will only cause the service’s tasks to be replaced with new ones if a change to the service requires recreating the tasks for it to take effect. For example, only changing the --update-parallelism setting will not recreate the tasks, because the individual tasks are not affected by this setting. However, the --force flag will cause the tasks to be recreated anyway. This can be used to perform a rolling restart without any changes to the service parameters.


Update a service

$ docker service update --limit-cpu 2 redis

Perform a rolling restart with no parameter changes

$ docker service update --force --update-parallelism 1 --update-delay 30s redis

In this example, the --force flag causes the service’s tasks to be shut down and replaced with new ones even though none of the other parameters would normally cause that to happen. The --update-parallelism 1 setting ensures that only one task is replaced at a time (this is the default behavior). The --update-delay 30s setting introduces a 30 second delay between tasks, so that the rolling restart happens gradually.

Add or remove mounts

Use the --mount-add or --mount-rm options add or remove a service’s bind mounts or volumes.

The following example creates a service which mounts the test-data volume to /somewhere. The next step updates the service to also mount the other-volume volume to /somewhere-elsevolume, The last step unmounts the /somewhere mount point, effectively removing the test-data volume. Each command returns the service name.

  • The --mount-add flag takes the same parameters as the --mount flag on service create. Refer to the volumes and bind mounts section in the service create reference for details.

  • The --mount-rm flag takes the target path of the mount.

$ docker service create \
    --name=myservice \
    --mount \
      type=volume,source=test-data,target=/somewhere \
    nginx:alpine \


$ docker service update \
    --mount-add \
      type=volume,source=other-volume,target=/somewhere-else \


$ docker service update --mount-rm /somewhere myservice


Add or remove published service ports

Use the --publish-add or --publish-rm flags to add or remove a published port for a service. You can use the short or long syntax discussed in the docker service create reference.

The following example adds a published service port to an existing service.

$ docker service update \
  --publish-add published=8080,target=80 \

Roll back to the previous version of a service

Use the --rollback option to roll back to the previous version of the service.

This will revert the service to the configuration that was in place before the most recent docker service update command.

The following example updates the number of replicas for the service from 4 to 5, and then rolls back to the previous configuration.

$ docker service update --replicas=5 web


$ docker service ls

ID            NAME  MODE        REPLICAS  IMAGE
80bvrzp6vxf3  web   replicated  0/5       nginx:alpine

Roll back the web service…

$ docker service update --rollback web


$ docker service ls

ID            NAME  MODE        REPLICAS  IMAGE
80bvrzp6vxf3  web   replicated  0/4       nginx:alpine

Other options can be combined with --rollback as well, for example, --update-delay 0s to execute the rollback without a delay between tasks:

$ docker service update \
  --rollback \
  --update-delay 0s


Services can also be set up to roll back to the previous version automatically when an update fails. To set up a service for automatic rollback, use --update-failure-action=rollback. A rollback will be triggered if the fraction of the tasks which failed to update successfully exceeds the value given with --update-max-failure-ratio.

The rate, parallelism, and other parameters of a rollback operation are determined by the values passed with the following flags:

  • --rollback-delay
  • --rollback-failure-action
  • --rollback-max-failure-ratio
  • --rollback-monitor
  • --rollback-parallelism

For example, a service set up with --update-parallelism 1 --rollback-parallelism 3 will update one task at a time during a normal update, but during a rollback, 3 tasks at a time will get rolled back. These rollback parameters are respected both during automatic rollbacks and for rollbacks initiated manually using --rollback.

Add or remove secrets

Use the --secret-add or --secret-rm options add or remove a service’s secrets.

The following example adds a secret named ssh-2 and removes ssh-1:

$ docker service update \
    --secret-add source=ssh-2,target=ssh-2 \
    --secret-rm ssh-1 \

Update services using templates

Some flags of service update support the use of templating. See service create for the reference.

Specify isolation mode (Windows)

service update supports the same --isolation flag as service create See service create for the reference.