Most Docker management tools either oversimplify or take control away from you. Dockhand is built differently. Fully self-hosted, transparent by design, and powerful enough for everything from a single homelab server to enterprise deployments.
What is Dockhand?
Dockhand is a feature-rich Docker management application, designed for both individual developers and enterprise teams. It provides a clean interface for managing containers, images, volumes, networks, and compose stacks across local and remote Docker hosts in a lightweight, privacy-focused package.
Dashboard
The configurable dashboard displays environment tiles in sizes from compact 1x1 to full 2x4+. Each tile shows:
- Container counts and status
- CPU and memory usage bars
- Health status indicators
- Recent container events
- Top containers by CPU usage
- Historical usage charts
- Disk usage breakdown
Container management
Dockhand provides complete container lifecycle control - start, stop, restart, pause, and remove containers with a single click. The container creation wizard supports advanced configuration including port mappings, volume mounts, environment variables, labels, and resource limits. Clickable port links automatically detect your host IP and open services directly in your browser.
Compose stacks
Deploy and manage Docker Compose stacks with a visual editor. Dockhand automatically detects existing stacks and provides start/stop/restart controls for entire application stacks. The compose file editor includes syntax validation and environment variable management.
Image management
Browse all Docker images with detailed metadata, pull new images with real-time progress tracking, and view complete image layer history. Images can be tagged, exported, and removed through the interface.
Volumes and networks
Create and manage Docker volumes with full file browsing capabilities - navigate, upload, download, and export files directly from volumes. Network management includes creation of custom bridge and overlay networks with container connection controls.
Git integration
Deploy Docker Compose stacks directly from Git repositories with automatic sync capabilities:
- Repository management: Configure multiple Git repositories with SSH key or HTTPS authentication
- Auto-sync scheduling: Set cron schedules for automatic repository syncing
- Webhook deployment: GitHub/GitLab style webhooks trigger deployments on git push
- Change detection: Smart deployment that only recreates containers when configuration actually changes
- Commit tracking: Display the currently deployed commit hash for each stack
Environment file support allows .env files in repositories to be automatically loaded and applied during deployment.
Monitoring and observability
Real-time log streaming
Container logs stream in real-time using Server-Sent Events (no polling). Full ANSI color rendering, pause/resume functionality, and multi-container log viewing let you monitor multiple services simultaneously.
Metrics collection
Background subprocesses collect CPU, memory, and disk metrics for all environments without blocking the main application. Dashboard tiles display real-time gauges and historical trend charts.
Container events
Track container lifecycle events (start, stop, die, restart, OOM) with automatic activity logging. Events are stored in the database for historical analysis and can trigger notifications.
Vulnerability scanning
Scan container images for vulnerabilities using Grype and/or Trivy scanners. Results are cached by image SHA256 for efficiency and can be used to block auto-updates based on severity criteria.
Container auto-updates
Configure automatic container updates with flexible scheduling:
- Cron scheduling: Set per-container update schedules
- Vulnerability-based blocking: Block updates if new images contain critical vulnerabilities, or block only if they have more vulnerabilities than the current image
- Update notifications: Get notified on successful updates, failures, or when updates are blocked
- Manual triggers: Run updates on-demand when needed
Notifications
Dockhand supports 24 event types across container, stack, security, and system categories. Notification channels include:
- SMTP email: Traditional email notifications
- Apprise integration: Discord, Slack, Telegram, ntfy, Gotify, Pushover, and 50+ other services
Configure global system events and per-environment event subscriptions to receive only the notifications you care about.
Container terminal
Full terminal emulation powered by xterm.js provides interactive shell access to running containers. Works seamlessly with both local Docker and remote Hawser connections, supporting proper TTY handling and terminal resizing.
File browser
Browse container filesystems and Docker volumes with a full-featured file manager:
- Navigate directories with metadata display
- Upload and download files or entire directories
- Create, rename, and delete files and folders
- View file contents with syntax highlighting
- Change file permissions
Remote hosts connectivity options
Direct mode
Connect directly to Docker hosts via HTTP/HTTPS with full TLS support including mutual TLS (mTLS) authentication.
Dockhand includes Hawser, a lightweight Go agent that enables management of Docker hosts in various network configurations
Standard mode
The Hawser agent runs on remote hosts and listens for connections from Dockhand - ideal for LAN and homelab environments with static IPs.
Edge mode
For hosts behind NAT, firewalls, or with dynamic IPs, the Hawser agent initiates an outbound WebSocket connection to Dockhand. No inbound ports required on the Docker host, making it perfect for VPS and cloud deployments.
Token-based authentication with Argon2id hashing ensures secure agent connections. Each environment can be configured independently with its own connection settings, TLS certificates, and notification preferences.
Database flexibility
Dockhand supports both SQLite and PostgreSQL:
SQLite: Zero configuration default, perfect for single-node deployments. Just mount a data volume and you're ready.
PostgreSQL: Set the DATABASE_URL environment variable for high-availability and multi-node deployments. Same feature set, automatic migration handling.
Authentication and access control
Free edition authentication
Dockhand believes basic authentication shouldn't be a premium feature. The free edition includes:
- Local user accounts with secure password hashing
- OpenID Connect (OIDC/SSO) integration supporting Google, Azure AD, Okta, Keycloak, and other providers
- Multi-factor authentication: TOTP-based two-factor authentication (Google Authenticator, Authy compatible)
- Full session management with HttpOnly cookies
Enterprise edition enhancements
- LDAP/Active Directory: Full LDAP authentication with automatic user sync and group mapping
- Role-based access control: Fine-grained permissions per resource type with environment-scoped roles
- Audit logging: Complete audit trail of all user actions for compliance requirements
Licensing
The enterprise edition adds RBAC, LDAP, and audit logging on top of the comprehensive free feature set.
Open source commitment and transparency
Dockhand is developed with transparency in mind. The complete source code is publicly available on GitHub under the Business Source License 1.1 (BSL 1.1).
What BSL 1.1 means
The Business Source License is a source-available license that allows you to view and study the complete source code.
Why BSL?
It balances openness with sustainability:
- Full transparency: Every line of code is visible. You can audit the security, understand how your data is handled, and verify there are no hidden behaviors.
- No vendor lock-in: You can self-host Dockhand on your own infrastructure with complete control. If the project ever disappears, you have the source code.
- Community contributions: Bug reports, feature requests, and pull requests are welcome. The code is developed in the open.
What's in the repository
The GitHub repository https://github.com/Finsys/dockhand contains the full application:
- SvelteKit frontend and API routes
- All authentication and authorization logic
- Database schemas for SQLite and PostgreSQL
- Hawser agent integration code https://github.com/Finsys/hawser
- Enterprise features (RBAC, LDAP, audit logging)
Nothing is held back. The enterprise edition uses the same codebase - it's simply unlocked with a license key.
Summary
Dockhand aims to be the Docker management platform you've been looking for - whether you're running a homelab, self-hosting your applications, or managing containers at enterprise scale.
Built for everyone
Homelab enthusiasts: Dockhand makes managing your home server a pleasure. The clean interface, real-time monitoring, and Hawser Edge mode (which works behind NAT without opening ports) are perfect for home networks. Deploy compose stacks from Git, set up auto-updates, and monitor everything from a single dashboard.
Self-hosting advocates: Take control of your infrastructure with a tool that respects your autonomy. No cloud dependencies, no telemetry, no vendor lock-in. Run Dockhand on a Raspberry Pi or a powerful server - it scales to fit your needs. The SQLite default means zero configuration to get started.
Small and medium businesses: Dockhand is production-ready with PostgreSQL support, multi-environment management, and robust authentication options. SSO integration, vulnerability scanning, and notification channels provide the operational visibility growing teams need.
Enterprise deployments: The enterprise edition adds LDAP/Active Directory integration, role-based access control with environment scoping, multi-factor authentication, and comprehensive audit logging. Meet compliance requirements without sacrificing usability.
Dockhand's principles
Transparency first: The source code is public. Every feature, every security measure, every line of code is available for inspection. They don't hide functionality behind proprietary walls.
Authentication shouldn't be a premium feature: Unlike many competitors, Dockhand includes SSO/OIDC and local user management in the free edition. They are not on https://sso.tax. Basic security is a right, not an upsell.
No cloud required: Dockhand runs entirely on your infrastructure. Your data stays yours. No external services, no usage tracking, no "phone home" behavior.
- Website: https://dockhand.pro
- Source code: https://github.com/Finsys/dockhand
- Docker image: fnsys/dockhand
Stop wrestling with Docker CLI commands or settling for bloated management tools. Dockhand gives you the power to manage your containers the way you want - transparently, securely, and on your own terms.
Jeremy
Discussion