How To Run Docker and Portainer on a VPS (2026 Guide)

Published: by Dallas Kashuba

Have you ever heard of Dockerception?

Well, hold onto your hat. We’re going down the rabbit hole.

Portainer, the web UI you’re about to install on top of Docker, is itself a Docker container.

It’s a tool that runs on the very thing it manages. You spin it up with one docker run line, and the first thing it does is reach back through a small hole in the host (a socket file) and ask the Docker daemon to show it every other container, including itself. From inside that browser tab, you can update Portainer. Restart Portainer. And manage all of your other Docker containers.

The UI you’re staring at is one click away from removing the UI you’re staring at.

On a VPS where you’re already paying for the box and already comfortable with SSH, Portainer slots in cleanly on top of Docker without changing how anything underneath works.

That’s the value.

A 4 GB box runs Docker, Portainer, and a small fleet of self-hosted apps without breaking a sweat. And it lands around the cost of a couple of streaming subscriptions a month. Enough to run the home automation, the family photo store, the AI assistant, and the newsletter you’ve been threatening to launch — on one server you actually own.

Here’s how to get it running, lock it down, and start seeing value.

What Is Portainer, Exactly?

Figure: Portainer architecture, with the Docker socket connecting Portainer, inside a VPN, to the browser for remote Docker management.

Portainer is a web UI that runs as a Docker container and manages your other containers through the Docker socket.

It’s essentially a browser-based front end for the same Docker commands you’d otherwise type by hand, plus stack management, role-based access (if you upgrade), and a dashboard view of CPU and memory.

The socket connection is what makes it work. The bind looks like -v /var/run/docker.sock:/var/run/docker.sock in the install command, and that one line is doing all the heavy lifting. Without it, Portainer is a UI for an empty Docker host. With it, Portainer is the Docker host’s remote control.

One thing to keep in mind: any process that can reach /var/run/docker.sock can effectively run anything as root on the host. That’s a feature when it’s Portainer doing the asking and a problem when it’s some container you spun up last week and forgot you’d given socket access to.

Treat the socket bind as a privileged capability, and audit every other container that wants one.


Do You Need Portainer If You Already Have Docker?

Nope. Docker works fine from the terminal, and plenty of people run a couple of containers for years without ever installing a UI on top.

You want Portainer if:

  • You’ll juggle more than two or three Docker containers across different apps.
  • You’d rather click “restart” than retype a Compose command at 11 pm. 
  • You’re sharing access with someone who doesn’t live in a terminal. 
  • You want to deploy stack updates from a Git repo without writing a deploy script. 

Skip Portainer if:

  • You’re running one or two containers that rarely change. 
  • You’re already comfortable with Docker Compose, and you’re happy to stay there.

Docker itself is mainstream enough that this isn’t a fringe decision. According to the 2025 Stack Overflow Developer Survey, Docker is the most widely adopted container platform among developers at over 70% usage — the largest single-year jump of any technology the survey tracks. The Portainer project has roughly 37,000 stars on GitHub.

Other options exist. Coolify pushes further toward PaaS-style abstractions, and Dokploy lands in similar territory with a lighter footprint — but Portainer is the one most install guides reach for first.

If you live in tmux and run one app, close this tab. You’re fine. If you’re running four self-hosted apps and you’ve googled, “What are Docker logs again?” twice this month, keep reading.

How Big a VPS Do You Need To Run Docker and Portainer?

A 4 GB VPS handles Portainer plus a small stack of side-project containers comfortably.

Portainer recommends a host with at least 2 GB of RAM and 1 CPU core, though the Portainer Server process itself idles around 100 MB. The Docker daemon adds a few hundred MB of overhead before any of your apps start.

Here’s how that maps to real workloads:

Table comparing VPS workload requirements: single app needs 4 GB, Nextcloud needs 8 GB, GitLab with CI/CD needs 16 GB RAM.

At DreamHost, our Self-Managed VPS offers four RAM-based Stack tiers (Stack 4, 8, 16, and 32), with the entry-level Stack 4 sized for exactly this kind of small Docker host. (And yep, NVMe storage and full root access are included.)

If you’re on the fence about whether self-hosting is worth the time, Stack 4 is the size where the math starts working in your favor on day one.

One note on storage: Portainer’s storage footprint is minimal — it stores only its own configuration database. Portainer’s own docs recommend SSD-level performance (≈3.5 MB/s sustained, 30,000+ IOPS, <10ms write latency), which any modern NVMe drive clears comfortably. Disk only becomes a real concern if you’re running database-heavy containers like Postgres or MySQL alongside it. If your VPS is on spinning disk in 2026, the Portainer UI will feel sluggish long before RAM does. Our advice: upgrade the disk before the plan.

How Do You Install Docker and Portainer on a VPS?


It takes six steps, and roughly 30 minutes, most of it waiting for image pulls.

1. Pick a Linux distribution

Ubuntu 22.04 or 24.04 LTS is the path of least resistance. Ubuntu is what DreamHost’s Self-Managed VPS runs by default, and most Docker install snippets and community help threads assume it. Debian and AlmaLinux work too, though.

Not sure what version of Ubuntu you’re running? Learn five ways to check.

2. Install Docker from the official repository

Don’t apt install docker.io. That pulls an older Docker from the Ubuntu archive.

Instead, use Docker’s own apt repo per the official Docker install docs, which adds Docker’s GPG key, the repo, and docker-ce plus the Compose plugin in one go.

3. Verify Docker is running

Run docker run hello-world.

If you don’t get the “Hello from Docker!” message, fix the daemon before layering Portainer on top.

4. Create a persistent volume for Portainer’s data

Next, run docker volume create portainer_data.

Keeping Portainer’s database on a Docker volume (not inside the container) means a Portainer upgrade won’t wipe your config.

5. Run Portainer Community Edition

Use the official install command from Portainer’s Linux install doc:

  docker run -d \
    -p 8000:8000 \
    -p 9443:9443 \
    --name portainer \
    --restart=always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    portainer/portainer-ce:lts

Let’s break that down line by line:

  • -d runs it detached.
  • -p 9443:9443 is the Portainer web UI on HTTPS. 
  • -p 8000:8000 is the Edge Agent tunnel; you only need it if you’re going to connect remote environments (Docker, Swarm, or Kubernetes) via Edge Agents later, so drop it on a single-host install.
  • --restart=always brings Portainer back up after a reboot.
  • -v flags are the socket bind and the persistent volume from step 4. 
  • :lts tag is Portainer’s Long Term Support release channel — the stable, production-recommended build.

6. Open the UI and create your admin account

Point your browser to https://YOUR_VPS_IP:9443.

Click through the self-signed cert warning. You’ll land on the “create the initial administrator user” screen. Pick a username that isn’t admin, set a strong password, and save it somewhere real. And… you’re in!

Why Did Portainer Just Time Out on Me?

Because Portainer waits exactly five minutes for someone to claim it on first install. If nobody does, it locks the door.

Verbatim from Portainer’s own FAQ:

As a security precaution, when Portainer is first installed, it will wait for 5 minutes for an administrator user to be created. If a user is not created within those 5 minutes, the Portainer Server will stop listening for requests.

Translation: if you spent Step 5 making a sandwich, your install is now refusing to talk to you — and you didn’t do anything wrong.

The fix is simple. Run docker restart portainer.

That spins the container back up, gives you another five-minute window, and drops you on the create-admin screen. Repeat as needed. Welcome to self-hosting.

If you’re scripting the install for a fleet (Ansible, Terraform, a deploy pipeline), Portainer accepts an --admin-password-file flag at startup that bypasses the timer entirely by creating the admin user from a file at first run. The install doc covers the syntax. For a one-off VPS install, the restart trick is fine.

How Do You Stop Docker From Bypassing Your Firewall?

Figure: Docker firewall comparison. Without a DOCKER-USER rule, container access is unrestricted; with a DOCKER-USER rule, firewall protection applies.

This one surprises people in production, not just in dev — so listen up.

When you docker run -p 80:80, the published port is reachable from the public internet even if ufw status shows port 80 as denied. Docker routes container traffic in the NAT table, which means that packets are diverted before they reach the INPUT and OUTPUT chains that UFW uses.

UFW isn’t broken. It’s just standing in the wrong hallway.

The fix Docker itself recommends is the DOCKER-USER iptables chain, reserved for administrator rules so Docker won’t overwrite them on restart. (The rules don’t survive a full host reboot on their own — persist them with iptables-persistent or a systemd service; ufw-docker handles this for you.) The community-standard tool for wiring UFW into DOCKER-USER is chaifeng/ufw-docker, which automates the rule generation.

Install it, then verify with a port scan from outside your VPS that the ports you think are closed are actually closed.

I’ve watched this catch a sharp engineer twice in the same week, first on a personal box, then on a customer’s. UFW said one thing, the public internet said another, and the truth was in iptables.

For Portainer specifically, port 9443 is published, which means the admin UI is reachable from anywhere on the public internet the moment the container starts. Two reasonable paths: restrict 9443 through DOCKER-USER rules (allow only your home or office IP), or front it with a VPN tunnel like WireGuard so the UI never has a public IP at all.
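A dry-run helper for the DOCKER-USER approach described above, added here as an example (it is not from the original article, Docker, Portainer, or ufw-docker). It reads `docker ps` output, finds ports published on every interface, and prints the rule that would limit each one to a single source. The interface name `eth0`, the allowed address `203.0.113.10`, and the sample containers are assumptions.

```shell
#!/bin/sh
# Added example: prints candidate rules only, applies nothing.

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
sample_ps() {
  printf 'portainer\t0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp, 9000/tcp\n'
  printf 'db\t127.0.0.1:5432->5432/tcp\n'
  printf 'web\t0.0.0.0:80->80/tcp, [::]:80->80/tcp\n'
}

# Emit "name port proto" for each port published on all interfaces
# (0.0.0.0, :: or [::]). Loopback binds and unpublished ports are skipped.
public_ports() {
  awk -F'\t' '{
    n = split($2, maps, /, */)
    for (i = 1; i <= n; i++) {
      m = maps[i]
      if (m !~ /^(0\.0\.0\.0|::|\[::\]):[0-9]+(-[0-9]+)?->/) continue
      host = m;    sub(/->.*/, "", host)    # 0.0.0.0:9443
      port = host; sub(/.*:/, "", port)     # 9443
      proto = m;   sub(/.*\//, "", proto)   # tcp
      gsub(/-/, ":", port)                  # iptables writes ranges as a:b
      key = $1 " " port " " proto
      if (!(key in seen)) { seen[key] = 1; print key }
    }
  }'
}

# Turn that list into DOCKER-USER rules. By the time a packet reaches
# DOCKER-USER, DNAT has already rewritten its destination, so each rule
# matches the originally requested port through conntrack.
restrict_rules() {  # usage: restrict_rules IFACE ALLOWED_SOURCE
  while read -r name port proto; do
    printf 'iptables -I DOCKER-USER -i %s -p %s -m conntrack --ctorigdstport %s --ctdir ORIGINAL ! -s %s -j DROP  # %s\n' \
      "$1" "$proto" "$port" "$2" "$name"
  done
}

# Live use:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | public_ports | restrict_rules eth0 203.0.113.10
sample_ps | public_ports | restrict_rules eth0 203.0.113.10
```

Review the printed rules before running any of them. `iptables` covers IPv4 only, so a port that is also published on `::` needs separate IPv6 handling.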

What Should You Lock Down Right After the First Login?

You’re in. Five things worth doing before you close that browser tab, per Portainer’s own security guide:

  • Force HTTPS only. Portainer ships HTTPS on 9443 by default but doesn’t enforce it. Flip the toggle in Settings so the UI refuses HTTP entirely.
  • Replace the self-signed certificate. Upload a cert you generated, or front Portainer with an NGINX reverse proxy holding a Let’s Encrypt certificate. Past day one, clicking through the browser warning every time is a habit you’ll regret.
  • Use a real admin username. “Admin” is the first guess in any credential-stuffing attempt. Pick something specific to you.
  • Restrict the UI to a VPN. WireGuard is Portainer’s own recommended pattern. A public 9443 with strong credentials is fine. A 9443 that’s only reachable on a private network is better.
  • Audit the Docker socket bind. Anything with access to /var/run/docker.sock can run anything as root on the host. Do not mount the socket casually into other containers. Every additional bind is a new path to the host. If a container claims it needs the socket, ask why — and consider a socket proxy if the answer is “for monitoring.”
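One way to run the socket audit asked for here, and in the earlier note about treating the socket bind as a privileged capability. This is an added example, not code from the original article or from Portainer. It reads per-container mount lists from `docker inspect` and flags every container that can reach the Docker socket. The container names other than `portainer`, the allowlist argument, and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: report containers that mount the Docker socket.

# Constructed sample of the output of:
#   docker ps -aq | xargs -r docker inspect \
#     --format '{{.Name}}{{range .Mounts}} {{.Source}}:{{.Destination}}:{{.RW}}{{end}}'
sample_inspect() {
  printf '/portainer /var/run/docker.sock:/var/run/docker.sock:true /var/lib/docker/volumes/portainer_data/_data:/data:true\n'
  printf '/metrics-agent /var/run/docker.sock:/var/run/docker.sock:false\n'
  printf '/blog /var/lib/docker/volumes/blog_content/_data:/var/lib/ghost/content:true\n'
  printf '/backup /run:/host-run:true\n'
}

# Print "name source mode verdict" for each mount that exposes the socket:
# the socket file itself, or a parent directory (/run, /var/run) holding it.
# A read-only bind is still reported: the ro flag does not stop a process
# from connecting to the socket and issuing API calls.
# Assumes mount paths contain no spaces or colons.
socket_audit() {  # usage: socket_audit "allowed names, space separated"
  awk -v allow=" $1 " '{
    name = substr($1, 2)                  # strip the leading "/"
    for (i = 2; i <= NF; i++) {
      split($i, f, ":")                   # source:destination:rw
      if (f[1] !~ /(^|\/)docker\.sock$/ && f[1] != "/run" && f[1] != "/var/run")
        continue
      verdict = (index(allow, " " name " ") ? "expected" : "REVIEW")
      print name, f[1], (f[3] == "true" ? "rw" : "ro"), verdict
    }
  }'
}

# Only Portainer is expected to hold the socket on this host.
sample_inspect | socket_audit "portainer"
```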

How Do You Actually Use Portainer Day-to-Day?

The payoff for installing Portainer is the day you stop SSH’ing in to restart a misbehaving container, and start clicking a button instead. The bigger payoff is stack management.

A Portainer stack is a multi-container app defined by a Docker Compose file. Anything you can express as a docker-compose.yml you can deploy as a stack, with three main routes (excluding custom templates) per the official stacks docs:

  • Paste Compose into the UI
  • Upload a Compose file
  • Point Portainer at a Git repository

The Git path is the one that matters. You point Portainer at a public or authenticated repo and a path to docker-compose.yml. Portainer either polls the repo on a schedule (the default is five minutes) or waits for a webhook from GitHub. When the Compose file changes upstream, Portainer pulls and redeploys automatically.

That’s the self-hosted version of “deploy on push” without paying a PaaS for the privilege.

The smaller daily wins add up too. Think logs in a panel instead of docker logs -f, one-click restarts, rebuilding a stack from a button, and resource graphs you can scan in three seconds instead of running docker stats.

Portainer also supports remote Docker hosts through its Edge Agent, which is how a self-hosted AI assistant or media server lands across multiple boxes.

What Does Portainer Cost? (And When Does Free Stop Being Free?)

Portainer Community Edition is free and unlimited, period. The install you just walked through is fully featured for one host with as many containers as your VPS can fit. No node cap, no expiry, no nag screens.

| Edition | Cost | Nodes | Best for |
| --- | --- | --- | --- |
| Community Edition | Free, open-source | Unlimited | Personal projects, homelab, single-VPS self-hosters |
| Business Edition (Take 3) | Free perpetually | Up to 3 | Small homelabs that want RBAC and audit logs |
| Business Starter | From $99/mo | 5, 10, or 15 | Small teams managing real infrastructure |
| Business Scale | From $199/mo | Up to 25 | Growing teams needing 9×5 support |
| Enterprise | Quote | Unlimited | Compliance and 24/7 needs |

The perpetual free three-node tier (called Take 3) is worth knowing about: you renew the license yearly at no cost as long as you stay at three nodes or fewer.

That’s the right plan for most homelabs and small teams who want role-based access control (RBAC), audit logs, and activity logging without paying. Above that, Business Starter is $99/mo on the Portainer business pricing page for 5/10/15 nodes; Scale is $199/mo up to 25 nodes; and Enterprise is on quote.

For almost everyone reading this, the best choice is Community Edition. It’ll serve a single-VPS self-host for the life of the box. The Business editions only earn their keep when you’re managing real node counts, need RBAC across a team, or require commercial support for compliance.

Should You Add Portainer or Skip It?

Here’s the honest two-sentence answer:

✅ If you’re going to share this server, deploy from Git, or run more than three containers a year from now, install Portainer while the host is fresh and your habits are still forming around it.

❌ If you’re running one quiet app and you’re happy in the terminal, you won’t miss the UI you didn’t install.

The real question isn’t Portainer vs. no Portainer. It’s whether self-hosting is the right call for you at all — and you answered that when you opened this tab.

A 4 GB VPS, Docker, and Portainer CE get you further than most people expect — an automation stack, a photo server, a newsletter platform, and a local AI assistant — for less than you’re probably paying for two streaming services you barely watch.

That’s not a bad deal for a box you actually own.

Frequently Asked Questions About Docker and Portainer

What is Portainer used for?

Portainer is used for managing Docker, Docker Swarm, and Kubernetes containers through a web interface. It runs as a Docker container itself, connects to the host’s Docker socket, and gives you a browser view and control surface over every other container on the host — starting and stopping containers, deploying multi-container stacks, viewing logs, and managing user access without SSH’ing in.

Do I need Portainer if I have Docker?

No, you don’t need Portainer to use Docker. Docker works completely from the terminal, and many self-hosters never install a UI on top.

Portainer earns its keep when you’re juggling more than two or three containers, sharing access with someone who doesn’t live in a terminal, or deploying stack updates from a Git repository. Skip it if you’re running one or two stable containers and you’re comfortable with Docker Compose.

What port does Portainer run on?

Portainer runs on port 9443 by default for HTTPS access to the web UI, plus port 8000 for the Edge Agent tunnel if you connect remote Docker hosts later. Port 8000 is optional on a single-host install; you can drop the -p 8000:8000 flag from the install command without affecting the local UI. The defaults come straight from Portainer’s official Linux install doc.

How much RAM does Portainer need?

Portainer itself idles at around 100 MB before you load anything else. Add a few hundred MB for the Docker daemon, and then size from there based on what you’re actually running.

At DreamHost, we size our entry-level Self-Managed VPS at 4 GB of RAM for exactly this kind of workload — enough headroom for Portainer plus a small stack of side-project containers like Ghost, n8n, a Postgres database, and a reverse proxy.

Is Portainer free?

Yes. Portainer Community Edition is totally free, and Business Edition also has a perpetual free 3-node tier called Take 3, which renews annually at no cost as long as you stay at three nodes or fewer. Above three nodes, Business pricing starts at $99/mo on the Starter plan per Portainer’s business pricing page.

What’s the difference between Portainer CE and Business Edition?

Portainer Community Edition is free, open-source, and fully featured for personal use.

Business Edition adds role-based access control, audit logs, activity logging, and commercial support, and starts at $99/mo for 5 nodes after the perpetual free 3-node Take 3 tier.

Can Portainer manage multiple Docker hosts?

Yes, Portainer can manage multiple Docker hosts through Edge Agents, which run on each remote host and poll the central Portainer Server on the UI port, with port 8000 used to open a secure tunnel back for management commands. For single-VPS self-hosters, this is overkill. For anyone running three or more boxes that share a control plane, this is why 8000 is in the install line.

Does Docker bypass UFW on a VPS?

Yes, Docker bypasses UFW by default because Docker manages container traffic at the iptables NAT layer, which sits in front of UFW’s INPUT and OUTPUT chains.

Per Docker’s packet-filtering documentation, “Packets are diverted before it reaches the INPUT and OUTPUT chains that UFW uses.” The fix is the DOCKER-USER iptables chain, and the community-standard tool for wiring UFW into it is chaifeng/ufw-docker.
