🐳 Docker Dash

A full-featured Docker management dashboard that runs in two modes:
Standalone for homelab and small teams · HA for corporate always-on deploys.
Same codebase, same binary, zero vendor lock-in.

Deployment modes • Target audience • Quick Start • Features • Screenshots • Comparison • Contributing

Deployment modes

Docker Dash runs in two modes from a single codebase. Pick based on your needs:

	Standalone (default)	HA (opt-in, v7.0.0+) · Observability (opt-in, v7.1.0+)
Dependencies	Just Docker	Docker + Redis + sticky-session load balancer
Replicas	1	2–5 (production-validated)
Failover	Restart on crash (Docker restart policy)	Automatic — leader lock in Redis, ~30s worst case, milliseconds on graceful restart
Cross-replica events	N/A	Redis pub/sub (loop-safe, sub-ms delivery)
Rate limiter	In-process sliding window	Redis INCR fixed window, shared across replicas
Sessions	SQLite (works in both modes)	SQLite (single-writer on leader)
Best for	Homelab · dev/staging · SMB · single-office	Corporate dashboards · on-prem K8s · always-on infrastructure panels
Complexity	1 container, zero config beyond .env	3+ containers, LB config, failover runbook
Operational overhead	None	Prometheus monitoring recommended (cluster health alerts)

DD_MODE is the only switch. Unset (default) = standalone, identical to every prior v6.x release. DD_MODE=ha + REDIS_URL = HA mode.

Feature parity: every feature works in both modes. HA doesn't unlock "enterprise" features — it just adds redundancy.

Fully backwards-compatible. An existing standalone deployment upgrades to HA without migration, and downgrades back without data loss. Your SQLite volume carries over.

Deep reading: HA Mode reference · Failover runbook · LB configs (Caddy/Traefik/HAProxy/nginx)

Target audience

Good fit for Docker Dash:

You are…	Use mode	Why
Homelab enthusiast · self-hosting Plex/*arr/Nextcloud	Standalone	Single-host, simple, no build step, no database to babysit
Small team running a shared dev environment	Standalone (+ --profile tls Caddy)	HTTPS + SSO without fighting certificates manually
SMB with 1–3 Docker hosts, shared ops role	Standalone + multi-host SSH tunnel	Manage multiple hosts from one UI, no agent to deploy
NAS user (Synology · Unraid · TrueNAS · QNAP · OMV)	Standalone	Platform auto-detection, tailored How-To guides, works with Container Manager
VPS user (Hetzner · DO · EC2 · GCE · Azure · Linode · Vultr)	Standalone + DMI cloud detection	Cloud vendor badges, generic VPS How-To guide
Corporate team with 99.9% uptime SLA	HA mode (2–3 replicas)	Leader election + failover + shared rate limiter + cross-replica WS
On-prem Kubernetes with Docker Dash as internal tool	HA mode (StatefulSet, sticky session Ingress)	Survives pod restarts, rolling deploys with no dashboard downtime

Not a good fit:

• Kubernetes-native production workloads — use Rancher or Portainer BE instead. Docker Dash targets the Docker daemon directly; it doesn't manage K8s objects.
• Geographic distribution across regions — SQLite single-writer limits you to same-AZ HA. If you need multi-region active-active, you need a different tool (or wait for a hypothetical Docker Dash Postgres backend, which is not on the roadmap).
• Multi-tenant SaaS — Docker Dash assumes one organization per instance. RBAC works within that instance but there's no tenant isolation layer.
• CI/CD pipeline orchestration — Docker Dash manages running containers, not build pipelines. Use GitHub Actions, GitLab CI, Jenkins, etc. for that. Docker Dash's GitOps feature is for deploying from Git, not building.
• Image registry — Docker Dash uses registries (Docker Hub, GHCR, GitLab) but is not a registry itself. For self-hosted registry, use Harbor or distribution/distribution.

Screenshots

Dashboard (Dark)	Dashboard (Light)
Containers	Container Detail
Terminal (xterm.js)	Images
Volumes	Networks
Multi-Host Overview	Stacks
Security Scanning	Log Explorer
Event Timeline	Network Topology
Dependency Map	Cost Optimizer
Insights	Alerts
System Tools	How-To Guides
Feature Comparison	Enterprise Mode
API Playground	What's New

Features

Core

• Container Management — Start, stop, restart, pause, kill, remove, clone, rename, update/recreate
• Image Management — Pull with streaming progress, remove, tag, import/export, build from Dockerfile
• Volume Management — Create, remove, inspect with real disk usage sizes
• Network Management — Create, remove, connect/disconnect containers, inspect IPAM config
• Bulk Actions — Checkbox selection + floating bar for batch start/stop/restart/remove
• One-click Port Access — Each exposed TCP port shows a clickable link to open http://host:port directly
• Keyboard Navigation — Arrow keys to navigate container rows, r to restart, s to stop/start, Enter to open detail, l for logs
• Live CPU/RAM Mini-bars — Two 4px color-coded progress bars per running container, updated every 5 seconds
• Container File Browser — Navigate, view, upload, and download files inside running containers
• Container Diff — See filesystem changes vs base image with color-coded entries
• Image Picker — Browse 20 popular images (nginx, postgres, redis, etc.) when creating containers
• CIS Hardened Creation — One-click CIS benchmark hardening: cap_drop ALL, read-only rootfs, no-new-privileges, resource limits
• Log Time Filter — Filter container logs by time range: last 1h, 6h, 24h, 7 days

Monitoring & Intelligence

• Real-time Dashboard — Customizable live CPU/memory charts (WebSocket, 10s interval, toggle widgets)
• Container Health Score — Composite 0-100 score with color dots in list view + summary bar
• Resource Trends & Forecasting — 7-day linear regression with 24h CPU/memory projection
• Memory Exhaustion Prediction — "will exceed limit in N hours" warning
• Plain-English Status — Exit codes mapped to messages (137=OOM, 143=SIGTERM, etc.)
• Network Topology — Interactive canvas map with drag, zoom, pan, hover highlighting
• Dependency Map — Interactive graph showing container relationships (env vars, networks, links)
• Uptime Reports — Per-container uptime %, restart count, first/last seen
• Cost Optimizer — Per-container cost breakdown, idle detection, savings recommendations
• Image Freshness Dashboard — Freshness score based on age + vulnerability count
• Audit Log Analytics — Top users, top actions, activity heatmap by hour/day
• Notifications Center — Dedicated page with filters, pagination, bulk mark-read/delete

Security

• Vulnerability Scanning — Trivy + Grype + Docker Scout with automatic detection and fallback
• Safe-Pull Updates — Pull new image → scan for vulns → only swap if clean (blocks critical CVEs)
• Deployment Pipelines — Staged pull → scan → swap → verify → notify with full history
• Security Dashboard — Scan history, per-image status, AI-assisted remediation prompts
• AI Container Doctor — Diagnostics + 30 log pattern matchers + Ask AI (OpenAI/Ollama) directly from modal
• Guided Troubleshooting — 8-step diagnostic wizard (state, health, logs, ports, volumes, resources)
• Container Rollback — One-click revert to previous image with version history
• First-login Setup Wizard — Forces password change, recommends disabling default admin
• Outbound Network Filter (v6.7) — Per-container egress policy sidecar with TLS-SNI + HTTP-Host peek. Allowlist-based, blocks IMDS by default, logs denied connections. No TLS decryption
• Per-container Security tab (v6.10) — 2×2 grid combining Secrets score, Egress reachability + filter state, CIS findings, and Image Vulnerabilities on every container's detail page
• Stack-level Security Audits (v6.9.3) — One-click Secrets Audit + Egress Audit buttons on every stack, matching Security Scan + CIS Benchmark. Drill down to Fix via Remediation Wizard
• Remediation Wizard drill-down (v6.9.4) — Image-centric security findings now link to running containers using that image, then open Fix scoped to the container
• Error-response sanitization (v6.14.1) — Central error middleware scrubs /home/ and /data/ paths, redacts URL credentials, replaces raw error messages with "Internal server error" on 5xx. Closes an accidental info-leak from the pre-Express-5 try/catch pattern

Git Integration (GitOps)

• Deploy from Git — Clone repos, select branch, compose file path, deploy with one click
• Auto-Deploy — Webhook receiver (GitHub, GitLab, Gitea, Bitbucket) + polling-based updates
• Deployment History — Full audit trail with commit hash, trigger type, duration, rollback
• Diff View — See exactly what changed before redeploying
• Push to Git — Edit compose in UI, commit and push back to repository
• Git Credentials — Token, basic auth, SSH key (AES-256-GCM encrypted)
• Multi-file Compose — Multiple YAML override files per stack
• Environment Overrides — Per-stack env vars with sensitive value encryption

Multi-Host

• TCP + TLS — Connect remote Docker hosts over the network with mutual TLS
• SSH Tunnel — Secure tunnel via SSH (no need to expose Docker API). v6.8 adds a full exec / fileExists / readFile / writeFile channel so the Remediation Wizard Apply mode works end-to-end on remote hosts
• Docker Desktop — Connect to Windows/Mac Docker Desktop instances
• Podman Compatible — Works with Podman via Docker-compatible API socket
• Host Selector — Switch between hosts from the sidebar dropdown
• NAS support (v6.12) — Auto-detects Synology DSM, Unraid, TrueNAS SCALE, QNAP QTS/QuTS hero, OpenMediaVault from docker info. No SSH probes, no SDKs. Dedicated per-platform How-To guides cover the platform-specific quirks (Container Manager socket, User Home Service, ix-* managed containers, variable QTS socket path, omv-extras Docker plugin, etc.)
• Cloud vendor badges (v6.12.1) — Optional DMI probe (/sys/class/dmi/id/sys_vendor + product_name) identifies AWS EC2, Google Cloud, Azure VM, DigitalOcean, Hetzner, Linode, Vultr, Oracle Cloud, Scaleway, OVHcloud, plus on-prem hypervisors (VMware, VirtualBox, KVM/QEMU, Xen, Parallels). Renders as a second colored pill on the Multi-Host card

Operations

• Stacks Page — Unified Compose + Git stacks management with actions (up/down/restart/pull)
• Docker Swarm Mode — Full UI for Nodes, Services, Tasks; init/leave swarm, scale services, drain nodes, join tokens
• Docker Compose Editor — Edit, validate, save & deploy compose configs inline
• Terminal — Full xterm.js terminal with shell selection (sh, bash, zsh, ash)
• Alerts — CPU/memory threshold rules with 7 notification channels
• Notifications — Discord, Slack, Telegram, Ntfy, Gotify, Email (SMTP), Custom Webhook
• Workflow Automation — IF-THEN rules (CPU high → restart, container crash → notify, etc.)
• Scheduled Actions — Cron-based container actions with presets, history, run-now, enable/disable
• Maintenance Windows — Scheduled pull/scan/update with block-on-critical
• Firewall — View and manage UFW rules (Linux)
• Container Groups — User-defined grouping with colors, beyond Docker Compose projects

Sandbox Mode

• Ephemeral Sandbox — Launch a container with auto-delete on stop + optional TTL (30m / 1h / 4h); perfect for testing images risk-free
• Persistent Sandbox — Isolated container with resource limits that survives stop/restart
• Project Source (GitHub) — Paste a GitHub repo URL; Docker Dash downloads the tarball, auto-detects the tech stack (Node/Python/Go/Ruby/static), installs dependencies, and starts the app
• Project Source (Upload) — Upload a .tar/.tar.gz archive; same auto-detect + auto-run flow
• Auto-detect Stack — Recognizes package.json, requirements.txt, go.mod, Gemfile, index.html and selects the right base image (node:20-alpine, python:3.12-alpine, etc.)
• Security Defaults — Sandbox containers run with no-new-privileges, dedicated internal dd-sandbox network, resource limits, restart: no
• TTL Auto-cleanup — Background timer removes expired sandboxes every 30 seconds with WebSocket notification
• Visual Badges — EPHEMERAL (red + countdown) or SANDBOX (yellow) badges in containers list, detail card with Extend +1h / Remove buttons

Developer Tools

• API Playground — Browse and test all 230+ API endpoints from the UI with response viewer
• docker run → Compose — Paste any docker run command, get docker-compose YAML
• Dual AI Provider — Container Doctor supports OpenAI API and local Ollama; provider/model/key selector + inline response
• AI Log Analysis — Generate diagnostic prompts for ChatGPT/Claude from container logs
• Generate Compose from GitHub — Paste a public repo URL, AI (OpenAI or Ollama) generates a production-ready docker-compose.yml
• Traefik/Caddy Labels — Generate reverse proxy labels from domain + port
• App Templates — 33 built-in + custom templates with CRUD, preview, Template Configurator and modification tracking
• Image Layer Visualization — View all layers of any image with command, size, and relative-size bar per layer
• Deploy Preview — Check for image updates via digest comparison before pulling
• Resource Limits Editor — Visual sliders with presets for CPU and memory
• Resource Recommendations — Smart advice: over-provisioned, memory pressure, idle containers

Security & Compliance

• Enterprise Security Mode — SECURITY_MODE=strict: cookie-only auth, 8h sessions, password expiry, WS query-string auth disabled
• TOTP / MFA — Two-factor auth with RFC 6238 TOTP, encrypted secrets, 10 recovery codes
• LDAP / Active Directory — Two-bind authentication, group filter, attribute mapping, auto-provision local accounts
• CIS Docker Benchmark — 18 automated checks (daemon + container), scored report with remediation guidance
• Immutable Audit Log — SHA-256 hash-chained, tamper detection, JSON/CSV/Syslog export
• Security Alerts — 5 default rules (brute force, admin created, MFA disabled), threshold detection

Knowledge Base

• How-To Guides — 63 built-in bilingual guides (EN + RO) covering Docker basics, Linux, networking, security, Compose, Swarm, troubleshooting, backup, performance — plus dedicated platform setups for Synology DSM, Unraid, TrueNAS SCALE, QNAP, OpenMediaVault, Generic VPS (Hetzner/DO/EC2/GCE/Azure/Linode/Vultr), and a canonical SSH key auth guide with per-platform public-key placement instructions
• Guide Editor — Admins can create, edit, and delete custom guides with HTML content in both languages
• Search & Categories — Filter by 9 categories, difficulty level, and free-text search across all guides

Platform

• Multi-user — Admin, operator, viewer roles with session management
• SSO Authentication — Authelia, Authentik, Caddy forward_auth, Traefik (header-based)
• SSL Zero-Config — Caddy sidecar auto-reload via shared volume; enable HTTPS from UI with one click
• Audit Log — Every action logged with user, timestamp, IP address
• Public Status Page — Unauthenticated status page for selected services
• Container Metadata — Custom labels, descriptions, links, categories, owner, notes
• Dark/Light Theme — Per-user sync across devices, system-aware toggle, mobile responsive
• i18n — 11 languages: English, Romanian, German, Italian, French, Spanish, Portuguese, Chinese, Japanese, Korean, Klingon (add yours)
• Translations tab (v6.11) — Built-in Google Translate + DeepL integration for the 25% of keys missing in non-EN locales. Per-provider monthly quota tracking (500k chars each free tier), auto-accept toggle, chunked batch with progress bar + cancel, runtime DB overrides applied on login (no file download / git commit / container rebuild). AES-GCM encrypted API keys, hash-chained audit trail
• Klingon Easter Egg — Full activation animation with sound, dagger cursor, red theme
• Command Palette — Ctrl+K quick navigation with keyboard shortcuts
• Watchtower Detection — Auto-detect and migrate from Watchtower to native safe-pull
• Prometheus Metrics — /api/metrics endpoint for Grafana integration
• Self-Reporting Footprint — Docker Dash memory, uptime, DB size at /api/footprint
• Let's Encrypt Wizard — 3-step UI for issuing certs via DNS-01 (Cloudflare, Route53, DigitalOcean, Hetzner, Linode) or HTTP-01. Encrypted credential vault, auto-renewal via Caddy, hash-chained audit trail. Open source — no other Docker UI ships this
• Container Remediation Wizard — 3-step UI that turns Secrets Audit + CIS Benchmark findings into actionable fixes. 20-entry catalog, 4 live-updatable (zero downtime), 16 with compose-recreate + auto-rollback. Git-PR mode for git-backed stacks. No other OSS Docker UI ships this
• 1024 Tests — 64 test suites covering auth, RBAC, security, CRUD, services, ACME + remediation orchestrators, platform detection, DMI cloud detection, translations, Prometheus metrics, permissions RBAC, settings CRUD, security alert rule evaluation, event notifier dispatch, cluster abstraction (HA mode), rate-limiter memory + Redis paths, registry push + browse + delete, AI redactor + service abstraction (100% passing)

AI (v8.0.0+) — opt-in, BYOK, off by default

The first feature category that introduces optional outbound traffic to non-user-controlled hosts. Designed strategy-first (deep-spec, spikes). One sentence to defend: AI in Docker Dash exists to translate noisy data into ranked, explainable decisions — never to take actions on the user's behalf. Read-only or read-then-suggest. No always-on chat sidebar. No auto-remediation agent.

• Provider abstraction — Anthropic Claude, OpenAI, Ollama. BYOK — Docker Dash ships zero API keys. Off by default until operator configures + enables in Settings → AI tab.
• Privacy-first redactor — strips secrets/PII before any payload leaves the host. Built-in patterns cover Bearer auth, env-style assignments (incl. STRIPE_SECRET_KEY-style prefixes), connection-string credentials (13 schemes), high-entropy tokens, IPs, emails. Validated 100/100 on a 27-case corpus. Bad custom regex aborts the call (privacy beats utility).
• Compliance-grade audit — every AI call logged with provider, model, token counts, redaction counts, SHA-256 payload hash. Operators can prove "did this exact text get sent?" without storing the prompt.
• Audit log NL search (v8.0.0) — System → Audit page → magic-wand search box. Type "who deleted containers in the last 7 days" → translates to a structured filter via the AI provider, runs through existing audit query path. Never NL→SQL — only structured fields conforming to a JSON schema with a 161-entry action enum.
• Ollama is first-class for sovereignty-critical deployments — zero outbound traffic. Recommended local model: qwen2.5-coder:7b (≈6 GB RAM, $0/month).
• Cost example for cloud providers: 100 NL searches/day ≈ $1.50/month on Claude Haiku 4.5, $0.30/month on GPT-4o-mini.
• Roadmap: v8.1.0 vulnerability triage (ranks scan results by real exploitability via EPSS + LLM reasoning), v8.2.0 incident triage (container restart-loop diagnosis from inspect + logs + stats). Both ship after v8.0.0 has 2+ weeks in production with no compliance issues.

See docs/features/ai.md for the full setup walkthrough, provider tradeoffs, redactor reference, and programmatic API.

Feature Reference

Dedicated reference docs for the deeper features, in docs/features/:

• Prometheus Metrics — /api/metrics endpoint reference, metric names + types + labels, sample Grafana queries, cardinality notes
• Platform Detection — NAS + cloud + hypervisor detection logic; complete signature list; how to extend
• Translations Tooling — Google Translate + DeepL integration, quota tracking, review workflow, runtime DB overrides
• HA Mode — optional Redis-backed redundancy (production-ready in v7.0.0); architecture, trade-offs, when NOT to use it
• HA Failover Runbook — operator procedures: leader death, rolling restart, Redis failure, split-brain detection, recovery checklist
• HA Load Balancer Configs — copy-paste examples for Caddy + Traefik + HAProxy + nginx with sticky-session + WS upgrade + health checks
• Observability Stack (v7.1.0) — opt-in Prometheus + Grafana via docker compose --profile observability up -d, 8-panel dashboard auto-provisioned, recommended alerts, integration with existing Prometheus/Grafana
• Observability Wizard (v7.2.0) — admin UI at System → Observability. Detects existing Prometheus/Grafana on the host and offers 3 UX branches: integrate (both found → copy scrape snippet + one-click dashboard import via Grafana API), partial deploy, or full deploy with copy-paste instructions. Admin-only, audit-logged, token never persisted
• Image Registry (v7.5.0–v7.6.0) — Distribution one-click template + push from Images page (SSE progress stream) + Browse page (catalog + tags + manifest inspect) + delete-by-digest with two-step confirmation gate. Reuses the encrypted credential store from Settings → Registries. Multi-arch manifest lists deliberately not supported (use buildx imagetools)
• AI Features (v8.0.0) — opt-in, BYOK, off by default. Provider abstraction across Anthropic / OpenAI / Ollama. Privacy-first redactor (validated 100/100 on a hand-built corpus). SHA-256 payload hash in audit log for compliance evidence. Audit NL search (System → Audit) ships first; vulnerability triage + incident triage on the v8.1.0/v8.2.0 roadmap

Where to start

Three short reads, each tailored to a different background. Pick the one that matches you.

🚀 New to Docker? The recipe-and-kitchen metaphor, why containers fix "works on my machine", what you see in the first 30 seconds of opening Docker Dash, and what you can do in your first hour. No jargon. Read: Beginner's Guide →

⎇ Developer using Git? The git → Docker mental bridge (commit = image, package.json = compose), the 5 places dev-with-git gets stuck, and how Docker Dash compares against Portainer / Dockge / bash scripts. With a GitOps workflow. Read: Developers Using Git →

🛠 Ops / SRE evaluating HA? When to flip DD_MODE=ha, when to stay standalone, failover mechanics (Redis SET NX PX, leader lock TTL, Lua DEL-if-owned graceful handover), operational runbook covering 6 failure scenarios, and copy-paste LB configs for Caddy/Traefik/HAProxy/nginx. Read: HA Mode → ↳ Failover Runbook · LB Configs

The first two guides are also available inside the app under How-To Guides with bilingual EN/RO content and surfaced as buttons in the page header. HA docs are operator-facing and live in the repo / docs only.

Quick Start

One-Line Install (recommended)

curl -fsSL https://raw.githubusercontent.com/bogdanpricop/docker-dash/main/install.sh | bash

This will detect your OS, check Docker, generate secure secrets, and start Docker Dash. Works on Ubuntu, Debian, CentOS, Fedora, and macOS (amd64/arm64).

Set a custom install directory: DOCKER_DASH_DIR=/opt/docker-dash curl -fsSL ... | bash

Manual Install

# Clone the repository
git clone https://github.com/bogdanpricop/docker-dash.git
cd docker-dash

# Copy and configure environment
cp .env.example .env
# Edit .env — at minimum change APP_SECRET and ADMIN_PASSWORD

# Start with Docker Compose
docker compose up -d

# Open in browser
open http://localhost:8101

Default credentials: admin / admin — on first login, a security setup wizard will require you to change the password.

Enabling HA mode

Once standalone works, switching to HA is a flag flip:

# .env
DD_MODE=ha
REDIS_URL=redis://redis:6379

# Bring up Redis alongside Docker Dash
docker compose --profile ha up -d

# Then scale to multiple replicas behind a sticky-session LB (see LB configs doc)

See the HA Mode reference for the full enablement procedure, Failover runbook for operational scenarios, and LB configs for production-ready Caddy/Traefik/HAProxy/nginx configurations.

Requirements

Standalone

• Docker Engine 20.10+ (or Docker Desktop 4.x+)
• Docker Compose v2
• ~50MB RAM, minimal CPU, ~80MB disk for the image

HA mode (additional)

• Redis 7+ (ships as redis:7-alpine in the --profile ha compose profile; ~30MB image, ~5-15MB RAM)
• Sticky-session-capable load balancer for 2+ replica deploys (Caddy, Traefik, HAProxy, nginx — configs provided)
• Shared volume for SQLite (Docker named volume works on same host; K8s ReadWriteMany PVC for multi-node)
• Operator familiarity with Redis basics (single instance is fine — Sentinel only needed for Redis HA separately)

Architecture

Standalone mode (default)

┌─────────────────┐     ┌───────────────────┐
│   Browser SPA   │────▸│  Node.js/Express  │
│  (vanilla JS)   │◂────│   REST + WebSocket│
└─────────────────┘     └────────┬──────────┘
                                 │
                    ┌────────────┼────────────┐
                    │            │            │
              ┌─────┴──────┐ ┌───┴────┐ ┌─────┴─────┐
              │  SQLite    │ │ Docker │ │  Docker   │
              │ (embedded) │ │ Local  │ │  Remote   │
              │ WAL mode   │ │ Socket │ │ TCP/SSH   │
              └────────────┘ └────────┘ └───────────┘

HA mode (opt-in)

                  ┌─────────────────────────────────┐
                  │  Sticky-session Load Balancer   │
                  │  (Caddy / Traefik / HAProxy /   │
                  │   nginx — configs provided)     │
                  └─────────────────┬───────────────┘
                                    │
                  ┌─────────────────┼─────────────────┐
                  │                 │                 │
            ┌─────▼─────┐     ┌─────▼─────┐     ┌─────▼─────┐
            │ replica A │     │ replica B │     │ replica C │
            │  LEADER   │     │  reader   │     │  reader   │
            │ cron+WS   │     │ HTTP only │     │ HTTP only │
            │ event-    │     │           │     │           │
            │ stream    │     │           │     │           │
            └─────┬─────┘     └─────┬─────┘     └─────┬─────┘
                  │                 │                 │
                  │    ┌────────────┴────────────┐    │
                  │    │                         │    │
                  └────┤   shared SQLite volume  ├────┘
                       │  (single-writer: leader)│
                       └─────────────────────────┘
                  ┌────────────────────────────────────┐
                  │           Redis 7-alpine           │
                  │  ┌───────────┐  ┌──────────────┐  │
                  │  │ leader    │  │ rate-limit   │  │
                  │  │ lock +    │  │ INCR + PX    │  │
                  │  │ heartbeat │  │              │  │
                  │  └───────────┘  └──────────────┘  │
                  │  ┌────────────────────────────┐   │
                  │  │ ddash:pubsub (WS events)   │   │
                  │  └────────────────────────────┘   │
                  └────────────────────────────────────┘

One replica holds the Redis leader lock (30s TTL + 10s heartbeat). Leader runs cron jobs, Docker event stream, git polling. Readers serve HTTP + deliver WS events from pub/sub. Graceful handover on docker stop via Lua DEL-if-owned — failover in milliseconds. Ungraceful leader death — next heartbeat reader wins (≤30s worst case).

SSH tunnels run per-replica (readers need them to serve HTTP reads). No active-active write scale-out — SQLite stays single-writer.

Layer	Technology
Backend	Node.js 20, Express 5, dockerode, better-sqlite3, ws, ssh2, ldapts
Frontend	Vanilla JavaScript SPA, Chart.js, xterm.js, Font Awesome (CDN)
Database	SQLite with WAL mode, auto-aggregation, configurable retention
Security	bcrypt, Helmet CSP, rate limiting, session-based auth, Bearer token fallback
Scanning	Trivy (OSS), Grype (Anchore), Docker Scout (SARIF format)

Zero build step — no webpack, no bundler, no transpiler. Frontend files are served as-is.

Multi-Host

Docker Dash can manage multiple Docker hosts from a single instance:

Method	Use Case	Requirements
TCP + TLS	Remote Linux servers	Docker API exposed on port 2376 + TLS certificates
Docker Desktop	Windows / Mac	"Expose daemon on TCP" enabled in DD Settings
SSH Tunnel	Secure remote (no API exposure)	SSH access + socat installed + user in docker group
SSH to NAS	Synology / Unraid / TrueNAS SCALE / QNAP / OMV	SSH access + admin in docker group. Platform auto-detected from docker info — dedicated How-To guide per platform
Unix Socket	Local (default)	Docker socket mounted (automatic)

The app includes a built-in setup guide (Hosts page) with step-by-step instructions for each method, including TLS certificate generation, per-OS socat installation commands, SSH key authentication setup, and a 9-item Synology DSM 7.x security hardening checklist (added in v6.14.3).

Podman Support

Docker Dash works with Podman via its Docker-compatible API. No code changes needed.

# 1. Enable the Podman socket
systemctl --user enable --now podman.socket    # rootless
# or
sudo systemctl enable --now podman.socket      # rootful

# 2. Set the socket path in .env
echo 'DOCKER_SOCKET=/run/podman/podman.sock' >> .env   # rootful
# or
echo 'DOCKER_SOCKET=/run/user/1000/podman/podman.sock' >> .env  # rootless

# 3. Start Docker Dash
docker compose up -d   # or podman-compose up -d

Known differences: Podman lacks Docker Compose labels (com.docker.compose.project), so containers won't auto-group into stacks. Use Docker Dash's Container Groups feature instead.

Configuration

All config via environment variables. See .env.example for the full list.

Variable	Default	Description
APP_PORT	8101	HTTP port
APP_SECRET	—	Required. Session signing key
ADMIN_PASSWORD	admin	Initial admin password (first launch only)
ENCRYPTION_KEY	—	Encrypt registry credentials at rest
STATS_INTERVAL_MS	10000	Stats collection interval (ms)
STATS_RAW_RETENTION_HOURS	24	Keep raw stats for N hours
EVENT_RETENTION_DAYS	7	Keep Docker events for N days
ENABLE_EXEC	true	Allow terminal exec into containers
READ_ONLY_MODE	false	Disable all write operations
DD_MODE	(unset — standalone)	Set to ha to enable HA mode. Requires REDIS_URL.
REDIS_URL	redis://localhost:6379	Redis connection URL. Only consulted when DD_MODE=ha.
TRUST_PROXY	loopback (prod) / true (dev)	Trusted proxy range for X-Forwarded-* headers. Set to your load balancer's IP/CIDR in HA.
COOKIE_SECURE	false	Set true when behind HTTPS. Required for sticky-session cookies over TLS-terminating LBs.

Development

# Install dependencies
npm install

# Start in development mode (auto-reload on file changes)
npm run dev

# Open http://localhost:8101

No build step needed. Edit any .js or .css file and refresh the browser.

Adding a Language

Docker Dash uses a modular i18n system. To add a new language:

1. Copy public/js/i18n/TEMPLATE.js to public/js/i18n/{code}.js
2. Translate the values (keys stay in English)
3. Add one <script> tag in index.html

That's it — the language appears automatically in the selector. See public/js/i18n/README.md for full instructions.

Currently supported: English, Romanian, German, Italian, French, Spanish, Portuguese, Chinese, Japanese, Korean, Klingon (11 languages).

Project Structure

docker-dash/
├── src/
│   ├── config/          # Environment-based configuration
│   ├── db/              # SQLite setup + 60 auto-migrations
│   ├── middleware/       # Auth, rate limiting, hostId extraction
│   ├── routes/          # REST API (containers, images, volumes, networks, swarm, hosts, ...)
│   ├── services/        # Business logic (docker, stats, alerts, ssh-tunnel, registry, ldap, cis-benchmark, ssl)
│   ├── ws/              # WebSocket server (exec, live logs, live stats)
│   └── utils/           # Logger, helpers
├── public/
│   ├── js/
│   │   ├── i18n/        # Language files (11 languages + TEMPLATE.js)
│   │   ├── pages/       # SPA pages (dashboard, containers, images, security, swarm, hosts, ...)
│   │   ├── components/  # Reusable UI (modal, toast, data table)
│   │   ├── api.js       # HTTP client with auto host-context
│   │   ├── ws.js        # WebSocket client with reconnect
│   │   └── app.js       # Router, auth, sidebar, command palette
│   └── css/app.css      # Single stylesheet, CSS variables, dark/light themes
├── docs/
│   └── screenshots/     # UI screenshots for README
├── Dockerfile           # Multi-stage: base → deps → production
├── docker-compose.yml   # Production-ready with health check
└── .env.example         # All variables documented

Comparison

60 features compared across 8 tools. See the interactive comparison at #/compare in the app, or via GET /api/compare.

Feature	Docker Dash	Portainer CE	Portainer BE	Coolify	Yacht	Rancher	Dockge	Dockhand
Container CRUD	✅	✅	✅	✅	✅	✅	Compose only	✅
Image / Volume / Network	✅	✅	✅	✅	partial	✅	No	✅
Network Topology	✅	—	—	—	—	—	—	—
Dependency Map	✅	—	—	—	—	—	—	—
Real-time Stats	✅	✅	✅	✅	basic	✅	basic	✅
Terminal (xterm.js)	✅	✅	✅	✅	—	✅	✅	✅
Vulnerability Scanning	Trivy + Grype + Scout	—	—	—	—	NeuVector	—	Grype + Trivy
Safe-Pull + Pipeline	5-stage	—	—	—	—	—	—	basic
Container Rollback	✅	—	—	✅	—	✅	—	—
Multi-Host (agentless)	✅	agent req.	agent req.	agent	—	✅	agent	✅
Optional HA mode (no vendor lock-in)	✅ v7.0.0	—	commercial tier	—	—	K8s-based	—	—
Bundled Prometheus + Grafana + wizard	✅ v7.2.0	—	—	—	—	—	—	—
Git Integration	✅	BE only	✅	✅	—	Fleet	—	—
Webhooks + Polling	✅	BE only	✅	✅	—	✅	—	—
Docker Swarm Mode	✅	✅	✅	—	—	K8s focus	—	—
Audit Log	✅	BE only	✅	basic	—	✅	—	—
Alerts (7 channels)	✅	BE only	✅	✅	—	✅	—	—
SSO / LDAP / OAuth	✅	BE only	✅	✅	—	✅	—	—
CIS Docker Benchmark	✅	—	—	—	—	partial	—	—
Health Score (0-100)	✅	—	—	—	—	—	—	—
AI Container Doctor	✅	—	—	—	—	—	—	—
Resource Forecasting	✅	—	—	—	—	basic	—	—
Cost Optimizer	✅	—	—	—	—	basic	—	—
Insights Dashboard	✅	—	—	—	—	basic	—	—
Workflow Automation	✅	—	—	—	—	—	—	—
Scheduled Actions	✅	—	—	—	—	—	—	—
Cross-Host Migration	zero-downtime	—	—	—	—	✅	—	—
Public Status Page	✅	—	—	✅	—	—	—	—
Maintenance Windows	✅	—	—	—	—	—	—	—
API Playground	✅	Swagger ($)	✅	✅	—	✅	—	—
App Templates	33 + custom	500+ community	500+	many	basic	Helm	—	—
i18n	11 languages	partial	partial	partial	—	✅	—	—
Command Palette	✅	—	—	—	—	—	—	—
Mobile Responsive	✅	✅	✅	✅	✅	partial	✅	✅
Build Step	None	Angular	Angular	required	none	none	required	required
Container Size	~80MB	~250MB	~250MB	~200MB	~100MB	~500MB+	~100MB	~80MB
RAM Usage	~50MB	~200MB	~200MB	~150MB	~50MB	~500MB+	~50MB	~60MB
License	MIT	Zlib	commercial	Apache 2.0	MIT	Apache 2.0	MIT	BSL 1.1

✅ 30+ features exclusive to Docker Dash (no other free tool has them). Features Portainer Business locks behind paid license are free in Docker Dash. Rancher / K3s targets Kubernetes clusters; Docker Dash targets single-host and small multi-host Docker deployments.

License

MIT — free for personal and commercial use.

Security

Docker Dash takes security seriously. See SECURITY.md for our full security policy.

Docker Socket Access

Docker Dash requires access to the Docker socket (/var/run/docker.sock). This is equivalent to root access on the host. This is the same requirement as Portainer, Dockge, and all other Docker management UIs.

Mitigations in place:

• Socket mounted read-only (:ro) in production docker-compose
• no-new-privileges security option enabled
• Role-based access control (admin/operator/viewer)
• Feature flags to disable dangerous operations (ENABLE_EXEC=false, READ_ONLY_MODE=true)
• Audit log for every action with user, timestamp, and IP
• Rate limiting on all API endpoints
• Session-based auth with bcrypt + SHA-256 hashed tokens

Recommendations for production:

• Deploy behind HTTPS reverse proxy (Caddy config included)
• Set strong APP_SECRET and ENCRYPTION_KEY (app refuses to start without them)
• Set COOKIE_SECURE=true when behind HTTPS
• Disable exec terminal if not needed (ENABLE_EXEC=false)
• Use read-only mode for monitoring-only deployments (READ_ONLY_MODE=true)
• Restrict network access to trusted IPs
• Consider docker-socket-proxy to limit API access (allow only read operations)
• Review SECURITY.md for responsible disclosure process

Security Audit Results

Audit	Date	Score	Critical Issues
Tech Debt Scan	2026-03-27	33 items found	All 4 CRITICAL fixed
Production Readiness v5	2026-03-28	8.05/10 weighted (claimed 9.2)	All P0+P1 resolved
Shell Injection	2026-03-28	0 vectors	All execSync eliminated
Production Readiness v6.15.1	2026-04-22	9.1/10 (defensible weighted)	v5 gaps closed: error-response sanitization on all 500s (v6.14.1), expanded Prometheus metrics with job counters populated (v6.15.0–v6.15.1), setInterval leak fixed, CI test count dynamic, X-Frame-Options: DENY + Permissions-Policy, 0 lint warnings
Production Readiness v6.16.0	2026-04-22	9.5/10	Phase 2 shipped: containers.js (5774 lines, largest JS file) split into list-eager (3226 lines) + detail-lazy (2595 lines loaded on first /containers/:id navigation via script injection). Performance category 7 → 9, initial JS payload −45% for users not visiting a container detail page. 757 tests unchanged
Production Readiness v6.16.1	2026-04-22	9.7/10	Testing 8.5 → 9.5 (+86 tests across 4 previously-untested services: permissions RBAC, settings CRUD, security-alerts rule evaluation, event-notifier dispatch). Documentation 9 → 9.5 (3 new feature reference docs under docs/features/: Prometheus metrics, platform detection, translations tooling). Residual: Docker-in-Docker integration tests (v7), Redis HA mode (v7), external 3rd-party audit (v7) — 10/10 requires all three
Production Readiness v7.0.0	2026-04-22	9.8/10	HA mode production-ready: opt-in DD_MODE=ha + Redis. 4-phase rollout (v6.17.0 rate limiter, v6.17.1 WS pub/sub, v6.17.2 leader election, v7.0.0 observability + operator runbook + LB configs). Standalone default unchanged. Staging soak verified: 3-replica deploy with lock acquire, graceful leader handover, Redis restart recovery. /api/cluster/status + 4 Prometheus gauges. BACKLOG F30 closed. Residual gap to 10: external 3rd-party security audit (budget + vendor coordination)
v7.1.0–v7.2.0	2026-04-22	9.8/10	Observability bundle shipped: opt-in Prometheus + Grafana compose profile with 8-panel auto-provisioned dashboard (v7.1.0), then in-app wizard at System → Observability that detects existing monitoring stacks and offers integrate/deploy/hybrid paths with one-click dashboard import via Grafana API (v7.2.0). Admin-only, 10s outbound timeout, tokens never persisted. 28 new tests. No production-readiness score change — UX layer on top of v7.0.0's foundation

Known Security Tradeoffs

These are conscious design decisions documented in SECURITY.md:

1. CSP allows unsafe-eval (but NOT unsafe-inline) — unsafe-eval required by Chart.js. All 67 inline handlers were converted to addEventListener in v5.0. XSS mitigated by output escaping on all user content (400+ escapeHtml() calls).
2. WebSocket accepts token via query string — fallback for browsers that block cookies (Edge Tracking Prevention). Cookie-based auth is always preferred. Usage is logged.
3. Mixed auth model (cookie + Bearer + API key) — cookies for browser UI, Bearer for API/CLI, API keys for integrations. All validate against the same session store.

Test Coverage

• 843 tests across 55 test suites (100% passing — 4 skipped are live-CF integration tests gated on a CI secret)
• Unit tests: crypto, helpers, validation, git patterns, platform detection, DMI cloud detection, translations, filter escape, metrics rendering
• Integration tests: auth flow, API endpoints, RBAC, security, ACME + remediation orchestrators
• Service tests (v6.16.1): permissions RBAC filtering, settings key-value CRUD, security alert rule evaluation (threshold + windowed), event notifier dispatch + cooldown
• CI runs on every push via GitHub Actions (pinned to Node 24 actions as of v6.13.1, clearing the June 2026 deprecation; test count reported dynamically in the CI summary as of v6.15.0)

Contributing

Contributions are welcome! See CONTRIBUTING.md for:

• Development setup
• Architecture principles (no build step, no framework)
• How to add pages, API endpoints, database migrations
• How to add a language translation
• Pull request checklist

Acknowledgments

Built with:

• dockerode — Docker API client
• better-sqlite3 — SQLite driver
• xterm.js — Terminal emulator
• Chart.js — Charts
• Trivy — Vulnerability scanner
• Grype — Vulnerability scanner by Anchore
• ssh2 — SSH client
• Font Awesome — Icons