§ 00 Features

Every feature ships in the free binary.

16+ features covering the full Docker fleet management lifecycle — without tiers, feature gates, or trial limits.

INDEX
§ 01Multi-Host Fleet § 02Enterprise Security § 03Backups § 04Everything in the binary
prod-01
prod-02
staging
edge-eu
prod-01 eu-west up 47d · Docker 25.0.2
CPU
42%
MEM
68%
DISK
214GB
10:42:15deploy analytics v2.4.1
10:41:02pull postgres:16-alpine
10:39:44health check web
10:38:17·agent reconnect
mTLS OK ↓ 4.2MB/s ↑ 128KB/s agent v1.0.0
§ 01 Deep dive · Fleet

One pane of glass across every Docker host you run.

Remote agents connect outbound over mTLS — no inbound ports, no VPN jumpbox, no reverse tunnel. dockmesh gives you a live, filtered view of every container across every host, and lets you deploy, scale, migrate, and exec as if they were all local.

  • 01 Outbound-only mTLS agent protocol
  • 02 Fan-out lists with host tag filter
  • 03 Auto-agent upgrade on server update
  • 04 Revocable per-host certificates
Read the multi-host docs
§ 02 Deep dive · Security

Enterprise-grade controls, without the enterprise price tag.

Every feature Portainer Business charges for — custom RBAC roles, SSO group mapping, TOTP 2FA, tamper-proof audit log — ships in the free binary. Scope roles by host tag for per-team isolation.

  • 01 Custom RBAC roles with granular permissions
  • 02 OIDC SSO — Azure AD, Google, Keycloak, Okta, Authentik
  • 03 TOTP 2FA with single-use recovery codes
  • 04 SHA-256 hash-chained audit log
Read the security docs
Audit log hash chain valid
14:02:31 alice stack.deploy analytics @ prod-01
13:58:12 bob host.drain staging
13:45:07 alice rbac.update role:frontend-dev
13:32:44 carol backup.run analytics-nightly
13:21:18 bob stack.scale web · replicas=5
13:15:02 alice sso.login azure-ad
6 of 24,318 entries hash-chained · tamper-proof
New backup job
Stacks
✓ analyticsweb✓ postgresredis
Target
SFTP backup.example.com connected
Schedule
Daily · 02:00
Retention
Keep last 14
Pre-backup hook
PRESET PostgreSQL · pg_dumpall
§ 03 Deep dive · Backups

Air-tight backups to anywhere you have space.

Schedule encrypted backups of stack volumes and optional database dumps to local disk, NAS (SMB), SFTP, WebDAV, or S3. Pre-backup hooks guarantee consistency for databases. One-click restore to any host — including across the fleet.

  • 01 Five target types: Local · SMB · SFTP · WebDAV · S3
  • 02 age-encrypted archives, passphrase never leaves the server
  • 03 Preset hooks for Postgres, MySQL, Redis · custom shell supported
  • 04 Grandfather-Father-Son retention or simple keep-last-N
Read the backup docs
§ 04 The full list

Everything in the binary.

No paid add-ons, no separate modules, no plugins to install. What you see is what you get.

01
Stack management
Compose-native editor, docker-run importer, Git integration
02
Multi-host fleet
Outbound mTLS agents, fan-out views, host tags
03
Smart scaling
Manual + auto (CPU/memory) with safety pre-flight checks
04
Stack migration
Move stacks between hosts with volume transfer + rollback
05
Host drain
Evacuate a host safely before maintenance
06
Backup & restore
Local, SMB, SFTP, WebDAV, S3 with age encryption
07
RBAC & roles
Custom roles with granular permissions, scope by host tag
08
SSO / OIDC
Azure AD, Google, Keycloak, Okta, Authentik with group mapping
09
Two-factor auth
TOTP with 1Password, Authy, Aegis + recovery codes
10
Agent mTLS
Internal CA, per-agent certs, revocable, auto-rotate
11
Audit log
SHA-256 hash-chained, tamper-proof, CSV export
12
Reverse proxy
Embedded Caddy with automatic HTTPS via ACME
13
Vulnerability scan
Embedded Grype for CVE scanning of deployed images
14
Alerts
Metric rules, 7+ channels (Slack, Discord, email, webhook)
15
Stack templates
Reusable compose templates with variable substitution
16
Terminal + logs
Browser-based exec, streaming logs with search and filters

Ready to install?

Single binary. Five minutes to first deploy.

Install dockmesh Read the Docs