Skip to main content

Quick Start

Pull and run the latest Dockhand image:
Access Dockhand at http://localhost:3000

Image Details

The official Dockhand Docker image is based on a security-hardened Wolfi OS with minimal attack surface:
  • Base OS: Custom Wolfi (built with apko)
  • Runtime: Node.js 24 (from official node:24-slim)
  • Architecture: Multi-arch (amd64, arm64)
  • Size: ~350MB
  • User: Non-root by default (UID 1001)

Pre-installed Tools

The image includes these packages:
  • docker-cli - Docker command-line client
  • docker-compose - Docker Compose V2
  • docker-cli-buildx - Docker Buildx plugin
  • sqlite - SQLite database (default database)
  • postgresql-client - PostgreSQL client (for external databases)
  • git - Git version control
  • openssh-client + openssh-keygen - SSH support for Git
  • curl - HTTP client for health checks

Configuration

Port Mapping

Dockhand listens on port 3000 by default. Change the host port:

Data Persistence

Mount a volume or bind mount to persist data: Named volume (recommended):
Bind mount:
The data directory contains:
  • db/ - SQLite database (if not using PostgreSQL)
  • stacks/ - Compose file backups
  • git-repos/ - Cloned Git repositories
  • scanner-cache/ - Vulnerability scanner databases
  • tmp/ - Temporary files (TLS certificates, etc.)

Docker Socket

Dockhand requires access to the Docker socket to manage containers:
Mounting the Docker socket gives Dockhand full control over Docker. Only expose Dockhand to trusted users.

User and Permissions

Default User (UID 1001)

By default, Dockhand runs as user dockhand (UID 1001, GID 1001). The entrypoint automatically adds this user to the Docker socket’s group.

Custom UID/GID

Change the user ID at runtime:

Run as Root

To run as root:

User Directive (Rootless)

Use Docker’s user: directive:
When using --user, you must manually add the Docker socket group with --group-add.

Environment Variables

See Environment Variables for a complete list.

Health Check

The image includes a built-in health check:
Check container health:

Resource Limits

Set memory and CPU limits:

Networking

Bridge Network (Default)

Default bridge network allows container communication:

Custom Network

Create a custom network:

Host Network

Use host networking (not recommended for security):

Updates

Update to the latest version:
Dockhand supports self-update from the web UI (Settings > System > Self-Update).

Emergency Scripts

The image includes emergency scripts for recovery:

Logs

View container logs:

Troubleshooting

Permission Denied on Docker Socket

If you see “permission denied” errors:
  1. Check socket permissions:
  2. Add user to docker group:
  3. Restart container:

Container Won’t Start

Check logs for errors:
Common issues:
  • Port 3000 already in use (change with -p 8080:3000)
  • Data volume permissions (fix with chown -R 1001:1001 /path/to/data)
  • Docker socket not mounted

Database Locked

If using SQLite and seeing “database locked” errors:
  1. Stop Dockhand
  2. Check for other processes accessing the database
  3. Restart Dockhand
For production, consider PostgreSQL.