Portainer Documentation
Official WebsiteKnowledge BasePricingGet 3 Nodes of BE Free
2.21 LTS
2.21 LTS
  • Welcome
  • What's new in version 2.21
  • Release Notes
  • Getting Started
    • Introduction
    • Portainer architecture
    • Lifecycle policy
    • Requirements and prerequisites
    • Install Portainer BE
      • Set up a new Portainer BE Server installation
        • Docker Standalone
          • Install Portainer BE with Docker on Linux
          • Install Portainer BE with Docker on WSL / Docker Desktop
          • Install Portainer BE with Docker on Windows Container Service
        • Docker Swarm
          • Install Portainer BE with Docker Swarm on Linux
          • Install Portainer BE with Docker Swarm on WSL / Docker Desktop
          • Install Portainer BE with Docker Swarm on Windows Container Service
        • Kubernetes
          • Install Portainer BE on your Kubernetes environment
          • Install Portainer BE with Kubernetes on WSL / Docker Desktop
        • Initial setup
    • Install Portainer CE
      • Set up a new Portainer CE Server installation
        • Docker Standalone
          • Install Portainer CE with Docker on Linux
          • Install Portainer CE with Docker on WSL / Docker Desktop
          • Install Portainer CE with Docker on Windows Container Service
        • Docker Swarm
          • Install Portainer CE with Docker Swarm on Linux
          • Install Portainer CE with Docker Swarm on WSL / Docker Desktop
          • Install Portainer CE with Docker Swarm on Windows Container Service
        • Kubernetes
          • Install Portainer CE on your Kubernetes environment
          • Install Portainer CE with Kubernetes on WSL / Docker Desktop
        • Initial setup
    • Add an environment to an existing installation
    • Updating Portainer
      • Updating on Docker Standalone
      • Updating on Docker Swarm
      • Updating on Kubernetes
      • Updating on Nomad
      • Updating the Edge Agent
      • Updating from Portainer 1.x
      • Switching to Portainer Business Edition
        • Upgrade to Business Edition from within Portainer Community Edition
        • Docker Standalone
        • Docker Swarm
        • Kubernetes
        • Upgrading Agent-only deployments
  • Using Portainer
    • Home
      • Snapshot browsing
      • OpenAMT
    • Docker/Swarm
      • Dashboard
      • Templates
        • Application
        • Custom templates
        • Deploy a stack
        • Deploy a container
      • Stacks
        • Add a new stack
        • Inspect or edit a stack
        • Create a template from a deployed stack
        • Webhooks
        • Migrate or duplicate a stack
        • Remove a stack
      • Services
        • Add a new service
        • Configure service options
        • Scale a service
        • View the status of a service task
        • View service logs
        • Roll back a service
        • Webhooks
      • Containers
        • Add a new container
        • View a container's details
        • Inspect a container
        • Edit or duplicate a container
        • Advanced container settings
        • Webhooks
        • Attach a volume to a container
        • View container logs
        • View container statistics
        • Access a container's console
        • Change container ownership
        • Remove a container
      • Images
        • Pull an image
        • Build a new image
        • Import an image
        • Export an image
      • Networks
        • Add a new network
        • Remove a network
      • Volumes
        • Add a new volume
        • Browse a volume
        • Remove a volume
      • Configs
        • Add a new config
        • Remove a config
      • Secrets
        • Add a new secret
        • Remove a secret
      • Events
      • Host
        • Details
        • Setup
        • Registries
      • Swarm
        • Details
        • Cluster visualizer
        • Setup
        • Registries
    • Kubernetes
      • Dashboard
      • kubectl shell
      • Kubeconfig
      • Custom Templates
        • Add a new custom template
        • Edit a custom template
        • Remove a custom template
      • Namespaces
        • Add a new namespace
        • Manage a namespace
        • Manage access to a namespace
        • Remove a namespace
      • Helm
      • Applications
        • Add a new application using a form
        • Add a new application using a manifest
        • Inspect an application
        • Inspect a Helm application
        • Edit an application
        • Webhooks
        • Detach a volume from an application
        • Remove an application
      • Networking
        • Services
        • Ingresses
          • Add an Ingress manually
          • Add an Ingress using a manifest
          • Remove an Ingress
      • ConfigMaps & Secrets
        • Add a ConfigMap
        • Add a Secret
      • Volumes
        • Inspect a volume
        • Remove a volume
      • More Resources
        • Service Accounts
        • Cluster Roles
        • Roles
      • Cluster
        • Details
        • Inspect a node
        • Setup
        • Security constraints
        • Registries
    • Azure ACI
      • Dashboard
      • Container instances
        • Add a new container
        • Remove a container
    • Nomad
    • Edge Compute
      • Edge Groups
      • Edge Stacks
        • Add a new Edge Stack
      • Edge Jobs
      • Edge Configurations
      • Waiting Room
      • Edge Templates
        • Application
        • Custom
    • Account settings
  • Administering Portainer
    • User-related
      • Users
      • Add a new user
      • Turn a user into an administrator
      • Reset a user's password
      • Teams
        • Add a new team
        • Add a user to a team
      • Roles
    • Environment-related
      • Environments
      • Add a new environment
        • Add a local environment
        • Add a Docker Standalone environment
          • Install Portainer Agent on Docker Standalone
          • Connect to the Docker API
          • Connect to the Docker Socket
          • Install Edge Agent Standard on Docker Standalone
          • Install Edge Agent Async on Docker Standalone
        • Add a Docker Swarm environment
          • Install Portainer Agent on Docker Swarm
          • Connect to the Docker API
          • Connect to the Docker Socket
          • Install Edge Agent Standard on Docker Swarm
          • Install Edge Agent Async on Docker Swarm
        • Add a Kubernetes environment
          • Install Portainer Agent on your Kubernetes environment
          • Install Edge Agent Standard on Kubernetes
          • Install Edge Agent Async on Kubernetes
          • Import an existing Kubernetes environment
        • Add an ACI environment
        • Add a Nomad environment
        • Provision KaaS Cluster
          • Civo
          • Akamai Connected Cloud
          • DigitalOcean
          • Google Cloud
          • AWS
          • Azure
        • Create a Kubernetes cluster
          • MicroK8s
            • Offline installation
        • Add an environment via the Portainer API
      • Auto onboarding
      • Groups
      • Tags
      • Manage access to environments
      • Manage access to environment groups
      • Update & Rollback
    • Registries
      • Add a new registry
        • Add a DockerHub account
        • Add an AWS ECR registry
        • Add a Quay.io registry
        • Add a ProGet registry
        • Add an Azure registry
        • Add a Gitlab registry
        • Add a GitHub registry
        • Add a custom registry
      • Browse a registry
      • Manage a registry
    • Licenses
    • Logs
      • Authentication
      • Activity
    • Notifications
    • Settings
      • General
      • Authentication
        • Authenticate via LDAP
        • Authenticate via Active Directory
        • Authenticate via OAuth
      • Shared credentials
        • Add Civo credentials
        • Add Akamai Connected Cloud credentials
        • Add DigitalOcean credentials
        • Add Google Cloud credentials
        • Add AWS credentials
        • Add Azure credentials
        • Add SSH credentials
      • Edge Compute
  • Frequently Asked Questions
    • Portainer Concepts
    • Installing
    • Upgrading
    • Troubleshooting
    • Contributing
  • Advanced Topics
    • CLI configuration options
    • App templates
      • Build and host your own app templates
      • App template JSON format
    • The Portainer Edge Agent
    • Access control
    • Reset the admin user's password
    • Security and compliance
    • Encrypting the Portainer database
    • Using your own SSL certificate with Portainer
    • Using mTLS with Portainer
    • Stream auth and activity logs to an external provider
    • Using Portainer with reverse proxies
      • Deploying Portainer behind Traefik Proxy
      • Deploying Portainer behind nginx reverse proxy
    • How Relative Path Support works in Portainer
    • Helm chart configuration options
    • Docker roles and permissions
    • Kubernetes roles and bindings
    • Deprecated and removed features
  • API
    • Accessing the Portainer API
    • API documentation
    • API usage examples
  • Get More Help
    • Knowledge Base
    • Portainer Academy
    • YouTube
    • GitHub
    • Slack
    • Discord
    • Open a support request
  • Contribute to Portainer
    • Contribute
    • Build instructions
      • Set up a macOS build environment
      • Set up a Linux build environment
Powered by GitBook
On this page
  • Configuration flags available at the command line
  • Creating an admin account and password
  • Method 1: Creating the account from the command line
  • Method 2: Creating the account using a file
  • Hiding specific containers
  • Using your own logo
  • Defining your own app templates

Was this helpful?

Edit on GitHub
  1. Advanced Topics

CLI configuration options

Configuration flags available at the command line

Flag
Description

--admin-password

Specifies a bcrypt hashed password for the admin user. This can only be used when first creating the admin user (such as during installation) and not to change the admin user's password after installation.

--admin-password-file

Specifies the path to the file containing the password for the admin user. This can only be used when first creating the admin user (such as during installation) and not to change the admin user's password after installation.

--base-url

Specifies the path that Portainer is running under if you are running Portainer within a subpath behind a reverse proxy (for example use --base-url /portainer if you are running Portainer at https://yourdomain/portainer). Defaults to /. Note: when using this option you will still need to ensure your reverse proxy configuration will strip the specified subpath.

--bind

-p

Specifies the address and port from which to serve Portainer (default: :9000).

--bind-https

Specifies the address and port from which to serve Portainer via HTTPS (default: :9443).

--data

-d

Specifes the directory where Portainer data will be stored (default: /data on Linux, C:\data on Windows).

--edge-compute

Automatically enables Edge Compute features.

--hide-label

-l

Hides containers with a specific label in the UI.

--http-disabled

Serve Portainer only on HTTPS. Overrides --http-enabled. Ensure your HTTPS configuration is fully working and any agents are configured for HTTPS before enabling this.

--http-enabled

Serve Portainer on HTTP. If used in combination with --http-disabled, this is ignored.

--host

-H

Specifies the Docker daemon endpoint.

--license-key

Specifies the license key to use. Only applicable to Portainer Business Edition.

--log-level

Set the log level of the Portainer application, for example --log-level DEBUG. This is useful when troubleshooting.

--log-mode

Set the formatting for the Portainer log output, for example --log-mode NOCOLOR. Options are: PRETTY (default), NOCOLOR (disables color codes), JSON (JSON-formatted logs).

--logo

Specifies the URL to the image to be displayed as a logo in the UI. If not specified, the Portainer logo is used instead.

--mtlscacert

Specifies the path to the certificate authority (CA) certificate used for mTLS communication. (BE only)

--mtlscert

Specifies the path to the certificate used for mTLS communication. (BE only)

--mtlskey

Specifies the path to the certificate key used for mTLS communication. (BE only)

--snapshot-interval

Specifies the time interval between two environment snapshot jobs expressed as a string. For example 30s, 5m, 1h… Supported by the time.ParseDuration method (default: 5m).

--sslcacert

--sslcert

Specifies the path to the SSL certificate used to secure the Portainer instance (default: /certs/portainer.crt on Linux, C:\certs\portainer.crt on Windows).

--sslkey

Specifies the path to the SSL key used to secure the Portainer instance (default: /certs/portainer.key on Linux, C:\certs\portainer.key on Windows).

--syslog-*

--templates

-t

Specifies the URL to the templates (apps) definitions.

--tlscacert

Specifies the path to the CA used for Docker daemon connections (default: /certs/ca.pem on Linux, C:\certs\ca.pem on Windows).

--tlscert

Specifies the path to the TLS certificate file used for Docker daemon connections (default: /certs/cert.pem, C:\certs\cert.pem on Windows).

--tlskey

Specifies the path to the TLS key used for Docker daemon connections (default: /certs/key.pem, C:\certs\key.pem on Windows).

--tlsverify

TLS support (default: false).

--tlsskipverify

Disable TLS server verification.

--tunnel-addr

Specifies the tunnel address to listen on for use with the Edge Agent. Defaults to 0.0.0.0 (all interfaces).

--tunnel-port

Specifies an alternate tunnel port to use with the Edge Agent. Use --tunnel-port 8001 with -p 8001:8001 to make the Edge Agent communicate on port 8001.

--version

Display the version of Portainer.

Creating an admin account and password

The commands in this section will automatically create an administrator account called admin with the password you specify. This can only be used when first creating the admin user (such as during installation) and not to change the admin user's password after installation.

Method 1: Creating the account from the command line

You can specify a bcrypt-encrypted password from the command line for the admin account. If you have installed the apache2-utils package, create the password using the following command:

htpasswd -nb -B admin "your-password" | cut -d ":" -f 2

If your system does not have that command, use a container to run the command instead:

docker run --rm httpd:2.4-alpine htpasswd -nbB admin "your-password" | cut -d ":" -f 2

Once the password has been created, specify the admin password from the command line by starting Portainer with the --admin-password flag:

docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ee:2.21.5 --admin-password='$2y$05$8oz75U8m5tI/xT4P0NbSHeE7WyRzOWKRBprfGotwDkhBOGP/u802u'
docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce:2.21.5 --admin-password='$2y$05$8oz75U8m5tI/xT4P0NbSHeE7WyRzOWKRBprfGotwDkhBOGP/u802u'

Method 2: Creating the account using a file

You can also store a plain text password inside a file and use the --admin-password-file flag. First, add the password to a file using the following example command as a guide:

echo -n mypassword > /tmp/portainer_password

Next, start the Portainer container:

docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/portainer_password:/tmp/portainer_password portainer/portainer-ee:2.21.5 --admin-password-file /tmp/portainer_password
docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/portainer_password:/tmp/portainer_password portainer/portainer-ce:2.21.5 --admin-password-file /tmp/portainer_password

This also works well with Docker Swarm and Docker Secrets:

echo -n mypassword | docker secret create portainer-pass -
docker service create \
    --name portainer \
    --secret portainer-pass \
    --publish 9443:9443 \
    --publish 8000:8000 \
    --replicas=1 \
    --constraint 'node.role == manager' \
    --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
    portainer/portainer-ee:2.21.5 \
    --admin-password-file '/run/secrets/portainer-pass' \
    -H unix:///var/run/docker.sock
docker service create \
    --name portainer \
    --secret portainer-pass \
    --publish 9443:9443 \
    --publish 8000:8000 \
    --replicas=1 \
    --constraint 'node.role == manager' \
    --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
    portainer/portainer-ce:2.21.5 \
    --admin-password-file '/run/secrets/portainer-pass' \
    -H unix:///var/run/docker.sock

Hiding specific containers

Portainer lets you hide containers with a specific label by using the -l flag. Here's an example showing a container labeled owner=acme:

docker run -d --label owner=acme nginx

To hide this container, when starting Portainer add the -l owner=acme option on the CLI:

docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ee:2.21.5 -l owner=acme
docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce:2.21.5 -l owner=acme

To hide multiple containers, repeat the -l flag:

docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ee:2.21.5 -l owner=acme -l service=secret
docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce:2.21.5 -l owner=acme -l service=secret

Using your own logo

Images must be exactly 155px by 55px in size.

Replace our logo with your own using the --logo flag to specify the location of the image file:

docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ee:2.21.5 --logo "https://www.docker.com/sites/all/themes/docker/assets/images/brand-full.svg"
docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce:2.21.5 --logo "https://www.docker.com/sites/all/themes/docker/assets/images/brand-full.svg"

You can also update the logo in the Portainer UI (Settings menu).

Defining your own app templates

Templates are loaded once when Portainer is first started. If you already deployed a Portainer instance then decide to use your own templates, you’ll need to clear the default templates either in the user interface or through the HTTP API. Use the --templates flag to specify a URL where the template file can be accessed via HTTP.

docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ee:2.21.5 --templates http://my-host.my-domain/templates.json
docker run -d -p 9443:9443 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce:2.21.5 --templates http://my-host.my-domain/templates.json
PreviousContributingNextApp templates

Last updated 4 months ago

Was this helpful?

Specifies the path to the certificate authority (CA) certificate used to validate the Edge Agent certificate. (BE only, deprecated, use instead)

The --syslog-* options are used to configure auth and activity log streaming to an external Syslog-compatible provider. See the for more on this experimental feature.

We suggest hosting template files on so Portainer can access them without authentication.

Portainer allows you to rapidly . By default, Portainer templates will be used but you can also define your own.

GitHub
deploy containers using app templates
mTLS
SIEM documentation