Self-hosted Docker management, honestly reviewed. What you actually get when you replace Portainer with something built in 2025.

TL;DR

What it is: A Docker management web UI — think Portainer but rebuilt with modern tooling (SvelteKit, Bun, shadcn) and a more honest free tier [1][website].
Who it’s for: Homelabbers, small dev teams, and sysadmins who want a clean interface for managing containers without paying enterprise prices for basic features like SSO [website].
License: Business Source License 1.1 (BSL 1.1) — free for personal and internal business use, not for reselling as SaaS. Converts to Apache 2.0 on January 1, 2029. This is not an MIT-style open source license [README].
Cost savings: Portainer Business charges for SSO and team features. Dockhand includes OIDC/SSO, MFA, and multi-environment management free. RBAC and LDAP cost $1,499/host/yr on Enterprise, but most teams won’t need them [website].
Key strength: SSO is genuinely free, not a paid-tier upsell. Git-based stack deployment with webhook auto-sync. Runs on a Raspberry Pi with SQLite — zero database setup [website][README].
Key weakness: BSL 1.1 license creates ambiguity for teams that care about open source purity. Sparse independent reviews make it hard to assess real-world stability. 3,313 GitHub stars is modest compared to Portainer’s 34K+ [merged profile].

What is Dockhand

Dockhand is a web-based Docker management interface — the kind of tool you install once on your server and use instead of running docker ps and docker compose up in your terminal every time you want to restart something.

The homepage pitches it as “Modern Docker management for everyone,” but the more useful framing is in the GitHub description: “Docker management you will like.” That implies they know what you don’t like about the alternatives — and having looked at Portainer, Dockge, and Komodo alongside it, the critique is implicit but legible: Portainer is bloated and started paywalling features people expected to be free; Dockge is elegant but single-server only; Komodo is GitOps-first and has a learning curve [4].

Dockhand is trying to be the middle path: multi-host, full-featured, clean enough for a non-sysadmin to use on day one, with the free tier drawing a smarter line than its competitors. The project is built by Jarek Krochmalski / Finsys and sits at 3,313 GitHub stars as of this review [merged profile].

The tech stack is notably modern: SvelteKit 2 with Svelte 5 on the frontend, Bun runtime on the backend, shadcn-svelte components, TailwindCSS, and SQLite or PostgreSQL via Drizzle ORM. The base image is built from scratch using Wolfi packages — meaning every dependency is explicitly declared, which is a meaningful security posture choice [README]. Direct Docker API calls rather than shelling out to the CLI. This is not a PHP app from 2017 with jQuery.

Why people choose it over Portainer, Dockge, and Komodo

The third-party coverage of Dockhand is thin — no dedicated review site has done a deep comparison yet, which itself tells you something about where it sits in the adoption curve. What we have: the official manual [1], a brief profile on toolhunt.net [2], a mention in Marius Hosting’s NAS guides [3], and indirect context from homelab blog posts comparing the Docker UI landscape [4][5].

That said, the pattern is clear from the feature set and the pricing table: the free tier is the argument.

Versus Portainer. Portainer is the 800-pound gorilla in this category, with tens of thousands of stars and years of community trust. But Portainer split its feature set aggressively between the free CE (Community Edition) and the paid Business edition. OIDC/SSO is in Business tier. Role-based access control is Business tier. If your team has more than one person touching containers, you’re paying. Dockhand includes OIDC/SSO and MFA free. RBAC is still gated behind Enterprise ($1,499/host/yr), but the baseline for “I want my team to log in with our existing identity provider” is free on Dockhand and not on Portainer [website].

Versus Dockge. Dockge, created by the developer of Uptime Kuma, became popular because it’s radically simple: compose stacks only, single server, beautiful YAML editor. If you run one server and care only about Compose stacks, Dockge may be enough. But it doesn’t do multi-host, doesn’t have a visual container management view, no git integration, no vulnerability scanning. Dockhand covers all of that while staying in the same “approachable UI” category [4].

Versus Komodo. Komodo has become the preference for homelab users who want proper GitOps — the author of one homelab migration post went Portainer → Dockge → Komodo and describes it as a “happy medium” between the two [4]. Komodo treats Docker environments as infrastructure-as-code with resource syncs and Git-native workflows. It’s powerful but has real conceptual overhead: you need to understand Servers, Stacks, Repos, and Resource Syncs as separate primitives [4]. Dockhand is more immediate — you open it, you see your containers, you click things. Less philosophy, more clicking.

On security posture. Toolhunt.net profiles Dockhand specifically as a “Security-Focused Docker Manager,” emphasizing vulnerability scanning (Grype/Trivy integration), controlled update workflows, and multi-host management as the core pitch for production-minded teams [2]. That framing is accurate — Dockhand includes vulnerability scanning in all tiers, including free, which is not a given in this category.

Features

Container management:

Start, stop, restart, remove containers; create with advanced configuration [README]
View running processes, environment variables, resource usage [README]
Interactive web terminal — no SSH required [README]
File browser: browse, upload, download files to/from containers [README]
Real-time log streaming with ANSI color rendering [website]
Live CPU and memory metrics per container [website]

Compose and stacks:

Visual Compose editor — the “no YAML headaches” pitch [website]
Deploy stacks from Git repositories (SSH and HTTPS auth) [README]
Webhook-triggered auto-deploy on push [README]
Re-pull images and force redeploy options [website]
Adopt stacks from other container managers [website]
Scheduled deployments and updates [website]

Multi-host:

Local Docker socket [README]
Remote TCP connections with TLS [website]
“Hawser agent” for NAT/firewall traversal — a lightweight agent that punches through network constraints without opening inbound ports [website]
Environment switching with one click; per-environment dashboard tiles [website]

Security:

OIDC/SSO with any provider — free tier [website]
MFA (TOTP) — free tier [website]
Vulnerability scanning via Grype/Trivy — free tier [website][2]
LDAP/Active Directory — Enterprise only [website]
Role-based access control — Enterprise only [website]
Audit logging (compliance-grade) — Enterprise only [website]

Observability:

Container activity log — free tier [website]
Email and webhook notifications [website]
Disk usage monitoring [website]

Deployment options:

SQLite by default (zero database setup, runs on Raspberry Pi) [README][website]
PostgreSQL via Drizzle ORM for teams that want it [README]
Docker run one-liner or Compose; documented paths for relative volume mounts [1]
First launch has auth disabled — you configure authentication via Settings on first boot [1]

Pricing: the actual math

Dockhand tiers (from the website pricing table):

Feature	Free	SMB	Enterprise
Container & stack management	✓	✓	✓
Git integration	✓	✓	✓
Vulnerability scanning	✓	✓	✓
OIDC/SSO	✓	✓	✓
MFA	✓	✓	✓
Container activity log	✓	✓	✓
Commercial usage license	—	✓	✓
Premium support	—	✓	✓
LDAP/Active Directory	—	—	✓
RBAC	—	—	✓
Audit logging	—	—	✓

SMB: $499/host/yr
Enterprise: $1,499/host/yr
[website]

The insight here is that SMB doesn’t add any functionality you don’t have in the free tier — it adds a commercial license and support SLA. If you’re using Dockhand internally (homelab, small team, non-profit), the free tier covers everything including SSO. You pay SMB only when you want a support relationship or when legal asks you to have a commercial agreement. You pay Enterprise when you need RBAC or LDAP, i.e. when your compliance team is involved.

Portainer for comparison:

Community Edition: free, but SSO/OIDC, RBAC, and registry management are gated behind Business
Business: $6/node/month (approximately $72/node/yr) for teams under 5 nodes, scales up
SSO on Portainer requires Business license

Savings example for a 3-person dev team:
Running 2 Docker hosts, need SSO so the team can log in with Google. On Portainer Business: roughly $144/yr minimum. On Dockhand free: $0. If you later need LDAP and proper RBAC for a 20-person team, Dockhand Enterprise at $1,499/host/yr starts looking expensive — at that point, Portainer Business or a managed Kubernetes control plane is worth pricing out. But for the “small team with an identity provider” case, Dockhand wins on cost.

Deployment reality check

The setup is genuinely one-command. The homepage isn’t lying about “30 seconds” for a basic install [website]. You run the docker run one-liner, open http://localhost:3000, enable authentication in Settings, create your first admin user, and you’re in.

The trickier path — which the manual documents clearly — is Docker socket permissions [1]. Dockhand runs as a non-root user by default, which means it may fail with a “permission denied” error when it tries to access /var/run/docker.sock. The manual gives six options for handling this, ranging from matching the Docker GID to running as root (documented as “simplest but less secure”) to using a UNIX socket proxy [1]. This is a standard Docker-in-Docker friction point, not specific to Dockhand, but it’s worth knowing it’s a first-launch stumbling block for people who haven’t hit it before.

Relative file paths in stacks are another documented gotcha: if your compose files reference ./config.yml, you need matching host paths rather than named volumes, or those relative references break. The manual covers this explicitly [1].

What you need:

Docker-capable host (including Raspberry Pi 4 — runs fine on SQLite) [website]
A port accessible from your browser (3000 by default)
Optional: reverse proxy for HTTPS, PostgreSQL for larger teams, SMTP for email notifications

What can go sideways:

Socket permissions on first launch (documented, solvable) [1]
Relative volume paths in compose stacks needing special DATA_DIR setup [1]
No independent stress tests or production incident reports available — the tool is young and the community coverage is sparse
BSL 1.1 means you can’t legally offer it as a managed service without a commercial agreement

Realistic setup time for a technical user: 10–20 minutes including reverse proxy. For someone new to Docker management UIs but comfortable with the command line: 30–60 minutes. For a non-technical user: this is probably not the right category of tool without someone guiding the initial install.

Pros and cons

Pros

SSO is genuinely free. OIDC with any provider, MFA, multi-environment — all in the free tier. This is the single biggest differentiator from Portainer, which charges for this [website].
Runs on a Raspberry Pi. SQLite default means zero database setup. Genuinely lightweight [website][README].
Git-based deployments with webhooks. Auto-sync on push is a real GitOps feature, not a checkbox. Includes SSH and HTTPS repo auth [README].
Vulnerability scanning included free. Grype/Trivy integration in all tiers — most competitors gate this [website][2].
Hawser agent for NAT traversal. Manage remote hosts without opening inbound ports, without a VPN [website].
Modern tech stack. Svelte 5, Bun, shadcn-svelte — the frontend isn’t going to feel like it was written for IE11 [README].
Minimal supply chain. Wolfi-based image with every dependency explicitly declared — a considered security choice [README].
Converts to Apache 2.0 in 2029. BSL 1.1 has a defined open-source end date, which is better than indefinite proprietary licensing [README].

Cons

BSL 1.1 is not open source. You can read the code, but you can’t redistribute it commercially or use it to build a competing SaaS. Teams that require OSI-approved licenses (MIT, Apache, GPL) can’t use this [README]. Portainer CE is Apache 2.0; Dockge is MIT; Komodo is AGPL — Dockhand is the only major Docker UI in this BSL category.
Low community coverage. 3,313 GitHub stars [merged profile] and minimal independent reviews means you’re trusting first-party documentation and a thin slice of NAS community guides [3]. Hard to know how it holds up under production load or with complex multi-host setups.
RBAC is Enterprise-only at $1,499/host/yr. If you need proper role-based access for a larger team, the jump from free to compliant is steep. No mid-tier that adds RBAC at a reasonable price.
LDAP/AD is Enterprise-only. Teams on corporate networks with Active Directory have to go Enterprise or use OIDC as a workaround [website].
No managed cloud option. It’s self-hosted or nothing — no SaaS tier if you want Dockhand without the ops overhead.
Relatively young project. The codebase is actively developed but the track record in production over years doesn’t exist yet for public evaluation.

Who should use this / who shouldn’t

Use Dockhand if:

You’re a homelab user or small dev team who wants SSO without paying Portainer’s Business license fee.
You’re comfortable with Docker but tired of the terminal for every container operation.
You want Git-based stack deployments with webhook auto-sync in a free tier.
Your team is under 10 people and you don’t need RBAC or LDAP.
You care about running lean — Raspberry Pi + SQLite is your preferred infrastructure philosophy.

Skip it (use Portainer CE) if:

You want an Apache 2.0 / OSI-approved license and the free tier features match your needs — Portainer CE is more battle-tested and community-supported [5].

Skip it (use Dockge) if:

You manage a single server and only care about Docker Compose stacks. Dockge is simpler, lighter, MIT-licensed, and purpose-built for that use case [4].

Skip it (use Komodo) if:

You want proper GitOps with infrastructure-as-code semantics, version-controlled resource sync, and you’re willing to invest time in the mental model [4].

Skip it (evaluate carefully) if:

Your legal team requires OSI-approved open source licenses.
You need RBAC for more than 2-3 people — the Enterprise price is hard to justify at small scale.
You’re building a product or service that would deploy Dockhand to customers — BSL 1.1 prohibits this without a commercial agreement.

Alternatives worth considering

Portainer — the category incumbent. 34K+ GitHub stars, Apache 2.0 CE, massive community. Paywalls SSO and RBAC behind Business tier. If community support and longevity matter more than free SSO, this is the safe default.
Dockge — by the Uptime Kuma developer. MIT-licensed, single-server, compose-only. Beautiful YAML editor. Zero multi-host, zero git integration. If simplicity is everything, Dockge is everything [4].
Komodo — GitOps-first Docker orchestration. Resource sync, infrastructure-as-code, multi-server. More learning curve, stronger declarative model [4]. AGPL licensed.
Arcane — newer entrant, mobile-responsive, modern UI, open source. XDA covered it as a clean alternative for users intimidated by Portainer [5]. Smaller feature set than Dockhand.
Yacht — MIT-licensed, lightweight, focuses on template-based deployments. Less active development.
Coolify — if your goal is deploying apps rather than managing raw containers, Coolify is in a different category (PaaS layer on top of Docker/Swarm/K8s) but worth evaluating alongside Dockhand for the “I want a web UI to run things on my server” use case.

Bottom line

Dockhand makes one genuinely differentiated bet: include OIDC/SSO, MFA, vulnerability scanning, and Git deployments in the free tier, then charge only when teams need compliance-grade features (RBAC, LDAP, audit logs). That’s a smarter free-tier line than Portainer drew. For the target audience — a homelab user or 3-5 person team who wants to stop typing docker ps and wants their colleagues to log in with Google — the free tier is complete.

The caveats are real: BSL 1.1 is not open source in the way that matters to some teams, the community track record is thin, and the Enterprise pricing for RBAC is steep if you outgrow the free tier. But if you’re comparing it to paying Portainer Business for SSO, the math is straightforward. Try the free tier on a Raspberry Pi in 20 minutes, and if it fits, you’ve got a solid Portainer replacement without writing a check.

If deploying it yourself is the blocker, that’s a one-time problem upready.dev solves for clients.

Sources

Dockhand User Manual — dockhand.pro. https://dockhand.pro/manual/
Dockhand — Security-Focused Docker Manager — toolhunt.net. https://toolhunt.net/sh/dockhand/
Marius Hosting — Asustor NAS: How to Update Dockhand — mariushosting.com. https://mariushosting.com/page/2/?blackhole=08526d4087
Brandon Brown — Orchestrating my homelab self-hosted services with Komodo and git — brandonb.ca. https://brandonb.ca/homelab-komodo-docker-orchestration
Megan Ellis — Arcane is a Portainer alternative with a modern, mobile-friendly interface — xda-developers.com. https://www.xda-developers.com/arcane-docker-management-platform/

Primary sources:

GitHub repository and README: https://github.com/finsys/dockhand (3,313 stars, BSL 1.1 license)
Official website: https://dockhand.pro
Documentation: https://dockhand.pro/manual

Features

Authentication & Access

Role-Based Access Control
Single Sign-On (SSO)

Integrations & APIs

REST API
Webhooks

Media & Files

WYSIWYG Editor

Replaces

Related DevOps & Infrastructure Tools

View all 196 →

Coolify

52K

Self-hosting platform that deploys apps, databases, and services to your own server with a single click. Open-source alternative to Heroku, Netlify, and Vercel.

devops Apache-2.0