Skip to content
dockmesh

Introduction

dockmesh is an open-source container management platform for Docker hosts and fleets. It ships as a single Go binary with an embedded SvelteKit UI, talks directly to the Docker SDK, and treats the filesystem as the source of truth for stack configs.

Why dockmesh?

Section titled “Why dockmesh?”

Most Docker management tools either lock critical features behind a paywall or require complex cluster setups. dockmesh takes a different approach:

  • Everything included — RBAC, SSO, multi-host, scaling, migration, backups. No tiers, no feature gates.
  • Single binary — Download, run, done. No external database, no Redis, no separate frontend server.
  • Compose-native — Your compose.yaml files live on disk. dockmesh reads them, not the other way around.
  • Outbound agents — Remote hosts connect to the server, not the other way. No inbound ports needed on agent hosts.
  • No telemetry — Nothing leaves your network unless you explicitly configure it (SMTP, webhooks, SSO).

Architecture at a glance

Section titled “Architecture at a glance”

dockmesh architecture: single server running Go API, embedded Caddy proxy, SvelteKit UI, and SQLite/PostgreSQL storage, connected to remote agents over mTLS WebSocket

The dockmesh server runs on a single host and exposes an HTTP(S) UI plus a WebSocket endpoint for agents. The local Docker daemon is managed directly via the Docker SDK. Remote hosts each run a tiny agent binary that dials outbound to the server over mTLS — no inbound ports required on the remote side.

Key features

Section titled “Key features”
FeatureDescription
Stack ManagementCompose-native deploy, stop, scale, migrate
Multi-HostFan-out views, per-host metrics, agent auto-upgrade
Smart ScalingManual + auto (CPU/memory thresholds), safety checks
Stack MigrationMove stacks between hosts with volume transfer
BackupLocal, NAS (SMB), SFTP, WebDAV, S3 with age encryption
RBACCustom roles with granular permissions
SSOOIDC with group mapping (Azure AD, Google, Keycloak)
AlertsMetric rules, 7+ notification channels
Reverse ProxyEmbedded Caddy with automatic HTTPS
Audit LogTamper-proof hash chain

License

Section titled “License”

dockmesh is licensed under AGPL-3.0. You can use it freely for any purpose, modify it, run it for your team or your customers. If you fork it and host it as a service, you must publish your modifications. Contributions are welcome.