The single-binary Docker fleet manager. 100% open source. No paywalls.
dockmesh is a lightweight Docker fleet-management platform. One Go binary,
one SvelteKit UI, outbound-only agents on every other host. Stacks live on
disk as plain compose.yaml files — the filesystem is the source of truth,
the DB just indexes it. RBAC, SSO, audit log, encrypted backups, CVE
scanning, and multi-host orchestration ship free in the single binary —
no "community edition", no feature gates, no per-node pricing.
curl -fsSL https://get.dockmesh.dev | bash
sudo dockmesh initThat pulls the latest release binary to /usr/local/bin/dockmesh and walks
you through first-run setup: data directory, admin user, listen port,
optional systemd unit. Two minutes, then browse to http://<host>:8080.
Prefer Docker? See Docker Compose below.
For v1 the server + agent are Linux-native — systemd, /var/lib/dockmesh, unix sockets. The dmctl CLI is cross-platform so Mac and Windows users can already drive a Linux dockmesh server from their laptop. Native macOS + Windows server/agent support is on the near-term roadmap (driven by homelab demand for Mac-mini hosts).
Everything is included in the single binary. There is no paid tier.
|
Container & Stack management
|
Multi-host fleet
|
|
Security
|
Observability
|
|
Backups & DR
|
Networking & Extras
|
See dockmesh.dev for the live marketing carousel with all hero shots.
 |
 |
| Dashboard with live fleet overview | Multi-host agents with mTLS |
 |
 |
| CVE scanning via Grype | Scheduled encrypted backups |
- Single binary. Go 1.23+, SvelteKit UI embedded via
go:embed. No sidecars, no helm-chart, no external runtime deps beyond Docker itself. - Filesystem as source of truth. Stacks live at
stacks/<name>/compose.yaml. The DB indexes deployment state; the actual config is always on disk where you can grep,git log, andvimit. - Outbound-only agents. Remote hosts open a WebSocket to the server — no inbound port to firewall, no VPN, no reverse tunnel. mTLS client certs per agent, revokable.
- No Kubernetes. Docker + Compose + a spine of management tooling. If you want K8s, use Rancher. If you want zero-config Docker across a fleet, use dockmesh.
curl -fsSL https://get.dockmesh.dev | bash
sudo dockmesh init
sudo systemctl enable --now dockmeshservices:
dockmesh:
image: ghcr.io/dockmesh/dockmesh:latest
restart: unless-stopped
ports:
- "8080:8080"
- "8443:8443" # agent mTLS listener
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data:/var/lib/dockmesh/data
- ./stacks:/var/lib/dockmesh/stacks
environment:
DOCKMESH_BASE_URL: https://dockmesh.example.comFrom the UI: Agents → New agent, copy the one-line enroll command to the
remote host. The installer handles the systemd unit and first handshake.
After dockmesh init:
- Log in at
http://<host>:8080with the generated admin password - Create a stack:
Stacks → New→ paste a compose.yaml →Deploy - (Optional) Enroll a second host:
Agents → New agent→ run the install one-liner on the remote host - (Optional) Set up backups:
Backups → New job→ pick a target (SMB / S3 / SFTP / local) → pick sources → save - (Optional) Turn on the reverse proxy:
Proxy → Enable→ add a route → Caddy handles the Let's Encrypt dance
- Issues & bug reports: github.com/dockmesh/dockmesh/issues
- Feature requests: same — use the "enhancement" label
- Website: dockmesh.dev
# Frontend + backend in watch mode
make dev
# Build single binary with embedded UI
make build
# Run E2E tests
make testTech stack: Go 1.23+, SvelteKit 2 with Svelte 5 runes, Tailwind v4, SQLite (default) / Postgres, Caddy (embedded), Grype (embedded).
dockmesh is released under the GNU Affero General Public License v3.0 (AGPL-3.0-only). See LICENSE.
The AGPL is chosen deliberately: modifications made available as a network service must be contributed back. That keeps the project sustainable and prevents SaaS-loophole exploitation.
See CONTRIBUTING.md. By contributing you agree that your work is licensed under AGPL-3.0.
Never report vulnerabilities in public issues. See SECURITY.md.
