Portainer
Web UI for Docker container management at portainer.448.global. The graphical control panel for the Docker hosts in the estate.
| Field | Value |
|---|---|
| Public URL | https://portainer.448.global |
| Audience | engineers / ops |
| Criticality | high — direct control over containers and hosts |
| Maturity | [INFO NEEDED] |
| Owner | [INFO NEEDED] |
| Last reviewed | 2026-05-05 |
1. At a glance
Portainer is a dashboard for Docker — start, stop, view logs, edit container settings without typing Docker commands. Used to manage the containers that run all of our self-hosted services. Anyone with Portainer admin can effectively run any command on any host it controls.
2. Business purpose
Lower-friction Docker operations. Faster troubleshooting. Visibility into running containers across multiple hosts.
3. Audience
Engineering / ops staff.
4. Hosting & cloud infrastructure
Infrastructure map
| Item | Value | Notes |
|---|---|---|
| Public hostname | portainer.448.global | should be internal-only (Wireguard) ideally |
| Public IP(s) | [INFO NEEDED] | |
| Private/internal IP | [INFO NEEDED] | |
| Open ports | 443, 9443 [CONFIRM] | |
| TLS cert | [INFO NEEDED] | |
| Reverse proxy | [INFO NEEDED] | |
| Edition | Portainer CE / BE [INFO NEEDED] | |
| Version | portainer/portainer-ce:[INFO NEEDED] | |
| Host server name | [INFO NEEDED] | |
| Endpoints (managed Docker hosts) | [INFO NEEDED] | how many environments / agents |
Credentials in Vault
| Secret type | Vault path / link | Last rotated |
|---|---|---|
| Portainer admin login | [INFO NEEDED] | |
| Portainer agent secrets (per managed host) | [INFO NEEDED] | |
| Database / volume backup credentials | [INFO NEEDED] | |
5. Technology behind it
- Type: off-the-shelf
- Product: Portainer Community Edition (or Business Edition)
- Stack: Go binary in container, talks to the Docker API on managed hosts via the Portainer agent or direct socket
6. Data it handles
- Docker daemon credentials / TLS certs to managed hosts.
- Stack definitions (compose files) — may contain inline secrets.
- Audit log of admin actions.
7. External dependencies
- Reverse proxy + TLS issuer.
- The Docker daemons it manages.
8. Authentication & access
- End-user login: Portainer local accounts [CONFIRM]
- Authentik / OIDC integration? [INFO NEEDED] — supported in BE; CE supports OAuth.
- MFA? [INFO NEEDED]
9. Maturity assessment
| Dimension | Status | Evidence |
|---|---|---|
| Backups | [INFO NEEDED] | Portainer settings volume |
| Monitoring | [INFO NEEDED] | |
| Redundancy | [INFO NEEDED] | typically single control plane |
| Patching cadence | [INFO NEEDED] | |
10. Known risks & vulnerabilities
- [CONFIRM] Effectively root on managed hosts — Portainer with Docker socket access can spawn privileged containers; admin access = host compromise.
- [INFO NEEDED] Public exposure — admin UI on the internet should require Wireguard or strict IP allow-list.
- [INFO NEEDED] Outdated agents — Portainer agents on managed hosts must match server version.
- [INFO NEEDED] Stack definitions with secrets — compose files in Portainer often have inline `MYSQL_ROOT_PASSWORD=...` etc.; these should reference Vault, not be hardcoded.
- [INFO NEEDED] Patch lag — Portainer has had RCE CVEs.
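One way to audit stack definitions for the inline-secret risk listed above, as an added example that is not part of the original page or of Portainer itself. It is a heuristic line scan over compose text; the key-name pattern, the function name `find_inline_secrets` and the sample stack are assumptions constructed for illustration.

```python
import re

# Key names that usually carry credentials (heuristic chosen for this example).
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
# Matches list form (- KEY=value) and mapping form (KEY: value) entries.
ENV_ENTRY = re.compile(
    r"^\s*(?:-\s*)?[\"']?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*?)[\"']?\s*$"
)

# Constructed sample stack definition, not taken from any real deployment.
SAMPLE_STACK = """\
services:
  db:
    image: mariadb:11
    environment:
      - MYSQL_ROOT_PASSWORD=changeme-constructed
      - MYSQL_DATABASE=app
  api:
    image: example/api:1
    environment:
      API_TOKEN: "constructed-token-value"
      DB_PASSWORD: ${DB_PASSWORD}
      SESSION_SECRET_FILE: /run/secrets/session_secret
"""


def find_inline_secrets(compose_text):
    """Return (line_number, key) for secret-like keys set to a literal value."""
    findings = []
    for no, line in enumerate(compose_text.splitlines(), 1):
        m = ENV_ENTRY.match(line.split(" #", 1)[0])  # drop trailing comments
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        if not SECRET_KEY.search(key):
            continue
        if key.upper().endswith("_FILE"):
            continue  # value is a path to a mounted secret, not the secret
        if not value or value.startswith("$"):
            continue  # empty, or interpolated at deploy time (${VAR})
        findings.append((no, key))
    return findings


if __name__ == "__main__":
    for no, key in find_inline_secrets(SAMPLE_STACK):
        print(f"line {no}: {key} is set to a literal value")
```

The scan reports key names and line numbers only, so its output can be shared in a review without repeating the secret values.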
11. Impact if it goes down
Loss of UI for container management; CLI alternatives still work. No customer-facing impact unless managed apps need restart during the outage.
12. Owner & on-call
[INFO NEEDED]
13. References & links
- Public URL: https://portainer.448.global
- Vendor docs: https://docs.portainer.io
- Domain: see domains.md