Setting up Portainer for Docker container management

After running a dozen containers on my server, I got tired of SSH-ing in every time I needed to check logs or restart something. docker ps, docker logs, docker restart. Over and over. Portainer gives you a web UI for all of that, and the setup takes about two minutes.

What Portainer does

Portainer is a web-based management tool for Docker. It lets you view running containers, check logs, inspect environment variables, restart services, and deploy new stacks, all from a browser. It is not a replacement for the Docker CLI. It is a dashboard that handles the 80% of tasks where SSH-ing into a server is overkill.

If you are already comfortable with Docker basics (I wrote about those in my Docker post), Portainer just makes day-to-day management faster.

Installation

Portainer runs as a single Docker container. The quickest way to get it running:

docker run -d \
  -p 8000:8000 \
  -p 9443:9443 \
  --name portainer \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:lts

Or with Docker Compose:

services:
  portainer:
    image: portainer/portainer-ce:lts
    container_name: portainer
    restart: always
    ports:
      - "8000:8000"
      - "9443:9443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
 
volumes:
  portainer_data:

Port 9443 is the web UI over HTTPS (self-signed certificate by default). Port 8000 is for the Edge agent feature. If you are not using Edge agents, you can skip exposing port 8000.

A note on the Docker socket

Mounting /var/run/docker.sock gives Portainer full control over your Docker daemon. That means it can start, stop, and delete any container. It can also pull images and create new containers. This is necessary for Portainer to work, but it is worth understanding the tradeoff. If Portainer itself gets compromised, an attacker has root-level access to your Docker environment.

For a homelab on a private network, this is a reasonable tradeoff. For production, consider using a Docker socket proxy like Tecnativa's docker-socket-proxy to restrict which API calls Portainer can make.

First login

Open https://your-server-ip:9443 in your browser. You will get a certificate warning because of the self-signed cert. Accept it and create your admin account.

After login, Portainer asks you to connect an environment. Choose "Get Started" to connect to the local Docker instance. Portainer detects it automatically through the mounted socket.

Managing containers

The container list shows everything running on your Docker host. For each container you can:

• View live logs (with search and auto-scroll)
• Open a console session (like docker exec -it)
• Inspect environment variables, mounts, and network settings
• Change restart policies
• Stop, restart, or remove the container

The logs view alone is worth the install. Instead of docker logs -f --tail 100 container_name over SSH, you get a searchable, scrollable log viewer in the browser.

Stacks

Stacks are Portainer's way of handling Docker Compose deployments. You paste your Compose YAML into the web editor, give it a name, and deploy. Portainer creates all the containers, networks, and volumes defined in the file.

The real convenience is updates. Edit the YAML in the browser, click "Update the stack," and Portainer pulls new images and recreates the containers. No SSH, no docker compose pull && docker compose up -d.

You can also point a stack at a Git repository. Portainer pulls the Compose file from the repo and can re-deploy when you push changes. I do not use this feature because I prefer to control when things update, but it exists.

When the CLI is still better

Portainer is great for monitoring and quick management tasks. But some things are better done on the command line:

• Scripting and automation. If you need to restart containers on a schedule or trigger deployments from CI/CD, the Docker CLI or API is the right tool.
• Complex Compose files. Editing large Compose files with environment variable substitution, multiple override files, or build contexts is easier in a proper editor.
• Debugging networking. When containers cannot talk to each other, docker network inspect and docker exec with curl or nslookup are faster than clicking through a UI.
• Building images. Portainer can build images, but your local terminal with proper context and caching is better for iterating on Dockerfiles.

CE vs Business Edition

Portainer Community Edition is free and open source. It is what I run and what the install commands above use. Portainer Business Edition adds features aimed at teams and organizations:

• Role-based access control (RBAC)
• Registry management
• Activity logging and audit trails
• Support SLAs

For a homelab or small self-hosted setup, CE has everything you need. RBAC only matters when multiple people manage the same Docker hosts, which is not a homelab concern.

What is next

Portainer pairs well with monitoring. Once you can see and manage your containers, the next step is knowing when something goes down. I set up Uptime Kuma for exactly that.

Sources

• Portainer CE Documentation
• Portainer CE on Docker Hub
• Portainer CE on GitHub
• Docker Socket Security Discussion