Configuration

Portainer can be easily tuned using CLI flags.

Admin password

From the command line

Portainer allows you to specify a bcrypt encrypted password from the command line for the admin account. You need to generate the bcrypt encrypted password first.

You can generate the encrypted password with the following command:

$ htpasswd -nb -B admin <password> | cut -d ":" -f 2

or if your system does not provide htpasswd you can use a docker container with the command:

$ docker run --rm httpd:2.4-alpine htpasswd -nbB admin <password> | cut -d ":" -f 2

To specify the admin password from the command line, start Portainer with the --admin-password flag:

$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer --admin-password='$2y$05$qFHAlNAH0A.6oCDe1/4W.ueCWC/iTfBMXIHBI97QYfMWlMCJ7N.a6'

Inside a file

You can also store the plaintext password inside a file and use the --admin-password-file flag:

# mypassword is plaintext here
$ echo -n mypassword > /tmp/portainer_password
$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/portainer_password:/tmp/portainer_password portainer/portainer --admin-password-file /tmp/portainer_password

This works well with Swarm & Docker secrets too:

# mypassword is plaintext here
$ echo -n mypassword | docker secret create portainer-pass -
$ docker service create \
  --name portainer \
  --secret portainer-pass \
  --publish 9000:9000 \
  --publish 8000:8000 \
  --replicas=1 \
  --constraint 'node.role == manager' \
  --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
  portainer/portainer \
  --admin-password-file '/run/secrets/portainer-pass' \
  -H unix:///var/run/docker.sock

Note: This will automatically create an administrator account called admin with the specified password.

Hiding specific containers

Portainer allows you to hide containers with a specific label by using the -l flag.

For example, take a container started with the label owner=acme (note that this is an example label, you can define your own labels):

$ docker run -d --label owner=acme nginx

To hide this container, simply add the -l owner=acme option on the CLI when starting Portainer:

$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer -l owner=acme

Note that the -l flag can be repeated multiple times to specify multiple labels:

$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer -l owner=acme -l service=secret

Use your own templates

Portainer allows you to rapidly deploy containers using App Templates.

By default Portainer templates will be used but you can also define your own templates.

Note: at the moment, templates are only loaded once at first Portainer startup. If you already deployed a Portainer instance and want to use your own templates after this, you’ll need to clear any existing templates (default templates) via the HTTP API.

There are two ways to specify your own templates:

Bind-mount your own templates

Using the –template-file flag you can specify the path to your own template file on the file-system. By default, it points to /templates.json on both Linux and Windows hosts.

For example, you can mount your own template file inside the container:

$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/my/templates.json:/templates.json portainer/portainer

Or using the –template-file to specify a specific path to the templates file:

$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/template/folder:/templates portainer/portainer --template-file /templates/templates.json

Host your template file

Using the –templates flag you can specify an URL where the template file can be accessed via HTTP.

$ docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer --templates http://my-host.my-domain/templates.json

For more information about hosting your own template definitions see Templates

Use an external endpoint source

Portainer gives you the option to define all the endpoints available in the UI from a JSON file.

You just need to start Portainer with the --external-endpoints flag and specify the path to the JSON file in the container.

Note: when using the external endpoint management, endpoint management will be disabled in the UI.

$ docker run -d -p 9000:9000 -p 8000:8000 -v /tmp/endpoints:/endpoints portainer/portainer --external-endpoints /endpoints/endpoints.json

For more information about the endpoint definition format see External endpoints

Available flags

The following CLI flags are available:

  • --admin-password: Specify a bcrypt hashed password for the admin user
  • --admin-password-file: Path to the file containing the password for the admin user
  • --bind, -p: Address and port to serve Portainer (default: :9000)
  • --data, -d: Directory where Portainer data will be stored (default: /data on Linux, C:\data on Windows)
  • --external-endpoints: Enable external endpoint management by specifying the path to a JSON endpoint source in a file
  • --hide-label, -l: Hide containers with a specific label in the UI
  • --host, -H: Docker daemon endpoint
  • --logo: URL to a picture to be displayed as a logo in the UI, use Portainer logo if not specified
  • --no-analytics: Disable analytics (default: false)
  • --no-snapshot: Disable periodic endpoint snapshot (default: false)
  • --snapshot-interval: Time interval between two endpoint snapshot jobs expressed as a string, e.g. 30s, 5m, 1h… as supported by the time.ParseDuration method (default: 5m)
  • --ssl: Secure Portainer instance using SSL (default: false)
  • --sslcert: Path to the SSL certificate used to secure the Portainer instance (default: /certs/portainer.crt, C:\certs\portainer.crt on Windows)
  • --sslkey: Path to the SSL key used to secure the Portainer instance (default: /certs/portainer.key, C:\certs\portainer.key on Windows)
  • --sync-interval: Time interval between two endpoint synchronization requests expressed as a string, e.g. 30s, 5m, 1h… as supported by the time.ParseDuration method (default: 60s)
  • --templates, -t: URL to templates (apps) definitions
  • --template-file: Path on disk to templates (apps) definitions (default: /templates.json)
  • --tlscacert: Path to the CA (default: /certs/ca.pem on Linux, C:\certs\ca.pem on Windows)
  • --tlscert: Path to the TLS certificate file (default: /certs/cert.pem, C:\certs\cert.pem on Windows)
  • --tlskey: Path to the TLS key (default: /certs/key.pem, C:\certs\key.pem on Windows)
  • --tlsverify: TLS support (default: false)
  • --tunnel-port: Specify an alternate tunnel port to use with the Edge agent. Use --tunnel-port 8001 with -p 8001:8001 to make the Edge agent communicate on port 8001