Portainer Documentation
Official WebsiteGet 5 Nodes of BE Free
Search…
2.14
Welcome
What's new in version 2.14
Release Notes
Getting Started
Introduction
Portainer architecture
Requirements and prerequisites
Install Portainer
Upgrading Portainer
Using Portainer
Home
Docker/Swarm
Dashboard
App Templates
Stacks
Services
Containers
Images
Networks
Volumes
Configs
Secrets
Events
Host
Setup
Registries
Swarm
Kubernetes
Azure ACI
Nomad
Edge Compute
Account settings
Administering Portainer
Users
Environments
Registries
Licenses
Authentication logs
Settings
Frequently Asked Questions
Portainer Concepts
Installing
Upgrading
Troubleshooting
Contributing
Advanced Topics
CLI configuration options
App templates
The Portainer Edge Agent
Access control
Reset the admin user's password
Security and compliance
Encrypting the Portainer database
Using your own SSL certificate with Portainer
Using Portainer with reverse proxies
Helm chart configuration options
Kubernetes roles and bindings
Deprecated and removed features
API
Accessing the Portainer API
API documentation
API usage examples
Get More Help
YouTube
Slack
Discord
Open a support request
Contribute to Portainer
Contribute
Build instructions
Powered By GitBook
Setup
The Setup section is only available to Docker Standalone environments.
Under Setup, you can make changes to your environment, enabling and disabling features and security settings.

Host and Filesystem

For environments running the Portainer Agent, this section is where you configure how Portainer interacts with elements of the host.
For security, these features are disabled by default. Be sure that you understand their impact before enabling them.

Enable host management features

Enabling host management features allows you to see the available devices and storage on the physical node as well as browse the node's filesystem. The environment must be running the Portainer Agent to use this functionality, and for filesystem browsing, the root of the host must be bind-mounted to/hostin the agent deployment:
-v /:/host
For example, starting the Portainer Agent on Linux with the host filesystem mounted at /host:
docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes:/var/lib/docker/volumes -v /:/host portainer/agent:2.10.0

Enable volume management for non-administrators

Enabling this feature allows non-administrator users to manage volumes on an environment. If this is disabled, users below administrator level have read-only access to volumes.

Change Window Settings

This setting allows you to specify a window within which automatic updates to your applications can be applied.
If this setting is enabled and an update is made to an application outside of this window, it will not be applied.

Docker Security Settings

This section allows you to toggle assorted Docker-related security settings for the environment.
Option
Overview
Disable bind mounts for non-administrators
Prevents non-admin users within Portainer from using bind mounts when creating containers and/or services/stacks. When toggled on, the option to attach to a host file system path is removed.
Disable privileged mode for non-administrators
Prevents non-admin users from elevating the privilege of a container to bypass SELinux/AppArmor. When toggled on, the option to select Privileged mode when adding a container is removed.
Disable the use of host PID 1 for non-administrators
Prevents non-admin users from requesting that a deployed container operates as the host PID. This is a security risk if used by a non-trustworthy authorized user because when they operate as PID1, they are in effect able to run any command in the container console as root on the host.
Disable the use of Stacks for non-administrators
This is a 'sledgehammer' approach to removing any possibility for non-admin users within Portainer to find and use weaknesses in the Docker architecture. Whilst Portainer has the ability to disable some of the more common exploits, we cannot possibly block them all because there are any number of capabilities that could be added to a container to attempt to gain access to the host. This feature simply allows an admin to disable all possible entry points.
Disable device mappings for non-administrators
Blocks users from mapping host devices into containers. Whilst the ability to map devices is generally used for good (e.g. mapping a GPU into a container), it can equally be used by non-trustworthy authorized users to map a physical storage device into a container. It is possible to mount /dev/sda1 into a container, and then from a console of that container, the user would have complete access to the sda1 device without restriction. By toggling this on, Portainer blocks the ability for non-admins to map ANY devices into containers.
Disable container capabilities for non-administrators
Toggle on to hide the Container capabilities tab for non-administrators when they are adding a container.
Disable sysctl settings for non-administrators
Toggle on to stop non-admin users from using sysctl options, preventing them from recreating, duplicating or editing containers.
Previous
Host
Next
Registries
Last modified 1mo ago
Copy link
Edit on GitHub
Outline
Host and Filesystem
Enable host management features
Enable volume management for non-administrators
Change Window Settings
Docker Security Settings