Have you ever ever heard of Dockerception?
Properly, maintain onto your hat. We’re taking place the rabbit gap.
Portainer, the net UI you’re about to put in on prime of Docker, is itself a Docker container.
It’s a instrument that runs on the very factor it manages. You spin it up with one docker run line, and the very first thing it does is attain again by a small gap within the host (a socket file) and ask the Docker daemon to point out it each different container, together with itself. From inside that browser tab, you’ll be able to replace Portainer. Restart Portainer. And handle all your different Docker containers.
The UI you’re looking at is one click on away from eradicating the UI you’re looking at.
On a VPS the place you’re already paying for the field and already snug with SSH, Portainer slots in cleanly on prime of Docker with out altering how something beneath works.
That’s the worth.
A 4 GB field runs Docker, Portainer, and a small fleet of self-hosted apps with out breaking a sweat. And it lands round the price of a few streaming subscriptions a month. Sufficient to run the house automation, the household photograph retailer, the AI assistant, and the publication you’ve been threatening to launch — on one server you really personal.
Right here’s find out how to get it operating, lock it down, and begin seeing worth.
What Is Portainer, Precisely?
Portainer is an online UI that runs as a Docker container and manages your different containers by the Docker socket.
It’s basically a browser-based entrance finish for a similar Docker instructions you’d in any other case kind by hand, plus stack administration, role-based entry (in case you improve), and a dashboard view of CPU and reminiscence.
The socket connection is what makes it work. The bind seems like -v /var/run/docker.sock:/var/run/docker.sock within the set up command, and that one line is doing all of the heavy lifting. With out it, Portainer is a UI for an empty Docker host. With it, Portainer is the Docker host’s distant management.
One factor to remember: any course of that may attain /var/run/docker.sock can successfully run something as root on the host. That’s a characteristic when it’s Portainer doing the asking and a downside when it’s some container you spun up final week and forgot you’d given socket entry to.
Deal with the socket bind as a privileged functionality, and audit each different container that wishes one.
Do You Want Portainer If You Already Have Docker?
Nope. Docker works high-quality from the terminal, and loads of folks run a few containers for years with out ever putting in a UI on prime.
You need Portainer if:
- You’ll juggle greater than two or three Docker containers throughout totally different apps.
- You’d reasonably click on “restart” than retype a Compose command at 11 pm.
- You’re sharing entry with somebody who doesn’t reside in a terminal.
- You need to deploy stack updates from a Git repo with out writing a deploy script.
Skip Portainer if:
- You’re operating one or two containers that not often change.
- You’re already snug with Docker Compose, and also you’re comfortable to remain there.
Docker itself is mainstream sufficient that this isn’t a fringe determination. In line with the 2025 Stack Overflow Developer Survey, Docker is essentially the most extensively adopted container platform amongst builders at over 70% utilization — the most important single-year bounce of any know-how the survey tracks. The Portainer venture has roughly 37,000 stars on GitHub.
Different choices exist. Coolify pushes additional towards PaaS-style abstractions, and Dokploy lands in related territory with a lighter footprint — however Portainer is the one most set up guides attain for first.
For those who reside in tmux and run one app, shut this tab. You’re high-quality. For those who’re operating 4 self-hosted apps and also you’ve googled, “What are Docker logs once more?” twice this month, preserve studying.
How Huge a VPS Do You Want To Run Docker and Portainer?
A 4 GB VPS handles Portainer plus a small stack of side-project containers comfortably.
Portainer recommends a number with at the least 2 GB of RAM and 1 CPU core, although the Portainer Server course of itself idles round 100 MB. The Docker daemon provides a couple of hundred MB of overhead earlier than any of your apps begin.
Right here’s how that maps to actual workloads:
At DreamHost, our Self-Managed VPS presents 4 RAM-based Stack tiers (Stack 4, 8, 16, and 32), with the entry-level Stack 4 sized for precisely this sort of small Docker host. (And yep, NVMe storage and full root entry are included.)
For those who’re on the fence about whether or not self-hosting is definitely worth the time, Stack 4 is the scale the place the maths begins working in your favor on day one.
One word on storage: Portainer’s storage footprint is minimal — it shops solely its personal configuration database. Portainer’s personal docs suggest SSD-level efficiency (≈3.5 MB/s sustained, 30,000+ IOPS, <10ms write latency), which any trendy NVMe drive clears comfortably. Disk solely turns into an actual concern in case you’re operating database-heavy containers like Postgres or MySQL alongside it. In case your VPS is on spinning disk in 2026, the Portainer UI will really feel sluggish lengthy earlier than RAM does. Our recommendation: improve the disk earlier than the plan.
How Do You Set up Docker and Portainer on a VPS?
It takes six steps, and roughly half-hour, most of it ready for picture pulls.
1. Decide a Linux distribution
Ubuntu 22.04 or 24.04 LTS is the trail of least resistance. Ubuntu is what DreamHost’s Self-Managed VPS runs by default, and most Docker set up snippets and neighborhood assist threads assume it. Debian and AlmaLinux work too, although.
Undecided what model of Ubuntu you’re operating? Study 5 methods to verify.
2. Set up Docker from the official repository
Don’t apt set up docker.io. That pulls an older Docker from the Ubuntu archive.
As an alternative, use Docker’s personal apt repo per the official Docker set up docs, which provides Docker’s GPG key, the repo, and docker-ce plus the Compose plugin in a single go.
3. Confirm Docker is operating
Run docker run hello-world.
For those who don’t get the “Howdy from Docker!” message, repair the daemon earlier than layering Portainer on prime.
4. Create a persistent quantity for Portainer’s knowledge
Subsequent, run docker quantity create portainer_data.
Protecting Portainer’s database on a Docker quantity (not contained in the container) means a Portainer improve received’t wipe your config.
Use the official set up command from Portainer’s Linux set up doc:
docker run -d
-p 8000:8000
-p 9443:9443
--name portainer
--restart=at all times
-v /var/run/docker.sock:/var/run/docker.sock
-v portainer_data:/knowledge
portainer/portainer-ce:ltsLet’s break that down line by line:
-druns it indifferent.-p 9443:9443is the Portainer net UI on HTTPS.-p 8000:8000is the Edge Agent tunnel; you solely want it in case you’re going to attach distant environments (Docker, Swarm, or Kubernetes) through Edge Brokers later, so drop it on a single-host set up.ker hosts later, so drop it on a single-host set up.--restart=at all timesbrings Portainer again up after a reboot.-vflags are the socket bind and the persistent quantity from step 4.:ltstag is Portainer’s Lengthy Time period Help launch channel — the secure, production-recommended construct.
6. Open the UI and create your admin account
Level your browser to https://YOUR_VPS_IP:9443.
Click on by the self-signed cert warning. You’ll land on the “create the preliminary administrator consumer” display. Decide a username that isn’t admin, set a powerful password, and put it aside someplace actual. And… you’re in!
Why Did Portainer Simply Time Out on Me?
As a result of Portainer waits precisely 5 minutes for somebody to assert it on first set up. If no person does, it locks the door.
Verbatim from Portainer’s personal FAQ:
“As a safety precaution, when Portainer is first put in, it would wait for five minutes for an administrator consumer to be created. If a consumer isn’t created inside these 5 minutes, the Portainer Server will cease listening for requests.“
Translation: in case you spent Step 5 making a sandwich, your set up is now refusing to speak to you —and also you didn’t do something improper.
The repair is easy. Run docker restart portainer.
That spins the container again up, provides you one other five-minute window, and drops you on the create-admin display. Repeat as wanted. Welcome to self-hosting.
For those who’re scripting the set up for a fleet (Ansible, Terraform, a deploy pipeline), Portainer accepts an --admin-password-file flag at startup that bypasses the timer solely by creating the admin consumer from a file at first run. The set up doc covers the syntax. For a one-off VPS set up, the restart trick is ok.
How Do You Cease Docker From Bypassing Your Firewall?
This one surprises folks in manufacturing, not simply in dev — so pay attention up.
If you docker run -p 80:80, the revealed port is reachable from the general public web even when ufw standing exhibits port 80 as denied. Docker routes container site visitors within the NAT desk, which signifies that packets are diverted earlier than they attain the INPUT and OUTPUT chains that UFW makes use of.
UFW isn’t damaged. It’s simply standing within the improper hallway.
The repair Docker itself recommends is the DOCKER-USER iptables chain, reserved for administrator guidelines so Docker received’t overwrite them on restart. (The principles don’t survive a full host reboot on their very own — persist them with iptables-persistent or a systemd service; ufw-docker handles this for you.) The community-standard instrument for wiring UFW into DOCKER-USER is chaifeng/ufw-docker, which automates the rule technology.
Set up it, then confirm with a port scan from exterior your VPS that the ports you suppose are closed are literally closed.
I’ve watched this catch a pointy engineer twice in the identical week, first on a private field, then on a buyer’s. UFW mentioned one factor, the general public web mentioned one other, and the reality was in iptables.
For Portainer particularly, port 9443 is revealed, which implies the admin UI is reachable from anyplace on the general public web the second the container begins. Two cheap paths: prohibit 9443 by DOCKER-USER guidelines (enable solely your own home or workplace IP), or entrance it with a VPN tunnel like WireGuard so the UI by no means has a public IP in any respect.
What Ought to You Lock Down Proper After the First Login?
You’re in. 5 issues price doing earlier than you shut that browser tab, per Portainer’s personal safety information:
- Power HTTPS solely. Portainer ships HTTPS on 9443 by default however doesn’t implement it. Flip the toggle in Settings so the UI refuses HTTP solely.
- Change the self-signed certificates. Add a cert you generated, or entrance Portainer with an NGINX reverse proxy holding a Let’s Encrypt certificates. Previous day one, clicking by the browser warning each time is a behavior you’ll remorse.
- Use an actual admin username. “Admin” is the primary guess in any credential-stuffing try. Decide one thing particular to you.
- Prohibit the UI to a VPN. WireGuard is Portainer’s personal beneficial sample. A public 9443 with robust credentials is ok. A 9443 that’s solely reachable on a personal community is healthier.
- Audit the Docker socket bind. Something with learn entry to
/var/run/docker.sockcan run something as root on the host. Don’t mount the socket casually into different containers. Each further bind is a brand new path to the host. If a container claims it wants the socket, ask why — and take into account a socket proxy if the reply is “for monitoring.”
How Do You Truly Use Portainer Day-to-Day?
The payoff for putting in Portainer is the day you cease SSH’ing in to restart a misbehaving container, and begin clicking a button as an alternative. The larger payoff is stack administration.
A Portainer stack is a multi-container app outlined by a Docker Compose file. Something you’ll be able to specific as a docker-compose.yml you’ll be able to deploy as a stack, with three most important routes (excluding customized templates) per the official stacks docs:
- Paste Compose into the UI
- Add a Compose file
- Level Portainer at a Git repository
The Git path is the one which issues. You level Portainer at a public or authenticated repo and a path to docker-compose.yml. Portainer both polls the repo on a schedule (the default is 5 minutes) or waits for a webhook from GitHub. When the Compose file modifications upstream, Portainer pulls and redeploys mechanically.
That’s the self-hosted model of “deploy on push” with out paying a PaaS for the privilege.
The smaller each day wins add up too. Assume logs in a panel as an alternative of docker logs -f, one-click restarts, rebuilding a stack from a button, and useful resource graphs you’ll be able to scan in three seconds as an alternative of operating Docker stats.
Portainer additionally helps distant Docker hosts by its Edge Agent, which is how a self-hosted AI assistant or media server lands throughout a number of containers.
What Does Portainer Price? (And When Does Free Cease Being Free?)
Portainer Neighborhood Version is free and limitless, interval. The set up you simply walked by is absolutely featured for one host with as many containers as your VPS can match. No node cap, no expiry, no nag screens.
| Version | Price | Nodes | Greatest for |
|---|---|---|---|
| Neighborhood Version | Free, open-source | Limitless | Private initiatives, homelab, single-VPS self-hosters |
| Enterprise Version (Take 3) | Free perpetually | As much as 3 | Small homelabs that need RBAC and audit logs |
| Enterprise Starter | From $99/mo | 5, 10, or 15 | Small groups managing actual infrastructure |
| Enterprise Scale | From $199/mo | As much as 25 | Rising groups needing 9×5 assist |
| Enterprise | Quote | Limitless | Compliance and 24/7 wants |
The perpetual free three-node tier (referred to as Take 3) is price understanding about: you renew the license yearly without charge so long as you keep at three nodes or fewer.
That’s the fitting plan for many homelabs and small groups who need role-based entry management (RBAC), audit logs, and exercise logging with out paying. Above that, Enterprise Starter is $99/mo on the Portainer enterprise pricing web page for five/10/15 nodes; Scale is $199/mo as much as 25 nodes; and Enterprise is on quote.
For nearly everybody studying this, your best option is Neighborhood Version. It’ll serve a single-VPS self-host for the lifetime of the field. The Enterprise editions solely earn their preserve while you’re managing actual node counts, want RBAC throughout a staff, or require business assist for compliance.
Ought to You Add Portainer or Skip It?
Right here’s the trustworthy two-sentence reply:
✅ For those who’re going to share this server, deploy from Git, or run greater than three containers a 12 months from now, set up Portainer whereas the host is contemporary and your habits are nonetheless forming round it.
❌ For those who’re operating one quiet app and also you’re comfortable within the terminal, you received’t miss the UI you didn’t set up.
The true query isn’t Portainer vs. no Portainer. It’s whether or not self-hosting is the fitting name for you in any respect — and also you answered that while you opened this tab.
A 4 GB VPS, Docker, and Portainer CE get you additional than most individuals count on — an automation stack, a photograph server, a publication platform, and an area AI assistant — for lower than you’re in all probability paying for 2 streaming providers you barely watch.
That’s not a foul deal for a field you really personal.
Ceaselessly Requested Questions About Docker and Portainer
What’s Portainer used for?
Portainer is used for managing Docker, Docker Swarm, and Kubernetes containers by an online interface. It runs as a Docker container itself, connects to the host’s Docker socket, and offers you a browser view and management floor over each different container on the host —beginning and stopping containers, deploying multi-container stacks, viewing logs, and managing consumer entry with out SSH’ing in.
Do I would like Portainer if I’ve Docker?
No, you don’t want Portainer to make use of Docker. Docker works fully from the terminal, and plenty of self-hosters by no means set up a UI on prime.
Portainer earns its preserve while you’re juggling greater than two or three containers, sharing entry with somebody who doesn’t reside in a terminal, or deploying stack updates from a Git repository. Skip it in case you’re operating one or two secure containers and also you’re snug with Docker Compose.
What port does Portainer run on?
Portainer runs on port 9443 by default for HTTPS entry to the net UI, plus port 8000 for the Edge Agent tunnel in case you join distant Docker hosts later. Port 8000 is non-obligatory on a single-host set up; you’ll be able to drop the -p 8000:8000 flag from the set up command with out affecting the native UI. The defaults come straight from Portainer’s official Linux set up doc.
How a lot RAM does Portainer want?
Portainer itself idles at round 100 MB earlier than you load the rest. Add a couple of hundred MB for the Docker daemon, after which measurement from there based mostly on what you’re really operating.
At DreamHost, we measurement our entry-level Self-Managed VPS at 4 GB of RAM for precisely this sort of workload — sufficient headroom for Portainer plus a small stack of side-project containers like Ghost, n8n, a Postgres database, and a reverse proxy.
Is Portainer free?
Sure. Portainer Neighborhood Version is completely free, and Enterprise Version additionally has a perpetual free 3-node tier referred to as Take 3, which renews yearly without charge so long as you keep at three nodes or fewer. Above three nodes, Enterprise pricing begins at $99/mo on the Starter plan per Portainer’s enterprise pricing web page.
What’s the distinction between Portainer CE and Enterprise Version?
Portainer Neighborhood Version is free, open-source, and absolutely featured for private use.
Enterprise Version provides role-based entry management, audit logs, exercise logging, and business assist, and begins at $99/mo for five nodes after the perpetual free 3-node Take 3 tier.
Can Portainer handle a number of Docker hosts?
Sure, Portainer can handle a number of Docker hosts by Edge Brokers, which run on every distant host and ballot the central Portainer Server on the UI port, with port 8000 used to open a safe tunnel again for administration instructions. For single-VPS self-hosters, that is overkill. For anybody operating three or extra containers that share a management aircraft, for this reason 8000 is within the set up line.
Does Docker bypass UFW on a VPS?
Sure, Docker bypasses UFW by default as a result of Docker manages container site visitors on the iptables NAT layer, which sits in entrance of UFW’s INPUT and OUTPUT chains.
Per Docker’s packet-filtering documentation, “Packets are diverted earlier than it reaches the INPUT and OUTPUT chains that UFW makes use of.” The repair is the DOCKER-USER iptables chain, and the community-standard instrument for wiring UFW into it’s chaifeng/ufw-docker.
Personal Your Total Stack. Apps, AI, Databases, and Extra.
Preserve each credential and dialog on a server you management, with NVMe velocity and unmetered bandwidth inbuilt.
Did you get pleasure from this text?
