Features

Every feature ships
in the free binary.

16+ features covering the full Docker fleet management lifecycle — without tiers, feature gates, or trial limits.

prod-01
prod-02
staging
edge-eu
prod-01 eu-west up 47d · Docker 25.0.2
CPU
42%
MEM
68%
DISK
214GB
10:42:15deploy analytics v2.4.1
10:41:02pull postgres:16-alpine
10:39:44health check web
10:38:17·agent reconnect
mTLS OK ↓ 4.2MB/s ↑ 128KB/s agent v1.0.0

Deep dive · Fleet

One pane of glass across every Docker host you run.

Remote agents connect outbound over mTLS — no inbound ports, no VPN jumpbox, no reverse tunnel. dockmesh gives you a live, filtered view of every container across every host, and lets you deploy, scale, migrate, and exec as if they were all local.

  • Outbound-only mTLS agent protocol
  • Fan-out lists with host tag filter
  • Auto-agent upgrade on server update
  • Revocable per-host certificates
Read the multi-host docs

Deep dive · Security

Enterprise-grade controls, without the enterprise price tag.

Every feature Portainer Business charges for — custom RBAC roles, SSO group mapping, TOTP 2FA, tamper-proof audit log — ships in the free binary. Scope roles by host tag for per-team isolation.

  • Custom RBAC roles with granular permissions
  • OIDC SSO — Azure AD, Google, Keycloak, Okta, Authentik
  • TOTP 2FA with single-use recovery codes
  • SHA-256 hash-chained audit log
Read the security docs
Audit log
hash chain valid
14:02:31 alice 10.0.2.18 stack.deploy analytics @ prod-01
13:58:12 bob 10.0.4.22 host.drain staging
13:45:07 alice 10.0.2.18 rbac.update role:frontend-dev
13:32:44 carol 10.0.3.07 backup.run analytics-nightly
13:21:18 bob 10.0.4.22 stack.scale web · replicas=5
13:15:02 alice 10.0.2.18 sso.login azure-ad
6 of 24,318 entries hash-chained · tamper-proof
New backup job
✓ analyticsweb✓ postgresredis
SFTP backup.example.com connected
Daily · 02:00
Keep last 14
PRESET PostgreSQL · pg_dumpall

Deep dive · Backups

Air-tight backups to anywhere you have space.

Schedule encrypted backups of stack volumes and optional database dumps to local disk, NAS (SMB), SFTP, WebDAV, or S3. Pre-backup hooks guarantee consistency for databases. One-click restore to any host — including across the fleet.

  • Five target types: Local · SMB · SFTP · WebDAV · S3
  • age-encrypted archives, passphrase never leaves the server
  • Preset hooks for Postgres, MySQL, Redis · custom shell supported
  • Grandfather-Father-Son retention or simple keep-last-N
Read the backup docs

The full list

Everything in the binary.

No paid add-ons, no separate modules, no plugins to install. What you see is what you get.

Stack management
Compose-native editor, docker-run importer, Git integration
Multi-host fleet
Outbound mTLS agents, fan-out views, host tags
Smart scaling
Manual + auto (CPU/memory) with safety pre-flight checks
Stack migration
Move stacks between hosts with volume transfer + rollback
Host drain
Evacuate a host safely before maintenance
Backup & restore
Local, SMB, SFTP, WebDAV, S3 with age encryption
RBAC & roles
Custom roles with granular permissions, scope by host tag
SSO / OIDC
Azure AD, Google, Keycloak, Okta, Authentik with group mapping
Two-factor auth
TOTP with 1Password, Authy, Aegis + recovery codes
Agent mTLS
Internal CA, per-agent certs, revocable, auto-rotate
Audit log
SHA-256 hash-chained, tamper-proof, CSV export
Reverse proxy
Embedded Caddy with automatic HTTPS via ACME
Vulnerability scan
Embedded Grype for CVE scanning of deployed images
Alerts
Metric rules, 7+ channels (Slack, Discord, email, webhook)
Stack templates
Reusable compose templates with variable substitution
Terminal + logs
Browser-based exec, streaming logs with search and filters

Ready to install?

Single binary. Five minutes to first deploy.

Install dockmesh Read the Docs