Skip to content
Quick Start

Quick start

Deploy Drydock with Docker using a socket proxy or direct mount.

Run the Docker image

To get started, deploy the official drydock image:

Using a socket proxy is the most secure way to expose the Docker API. The proxy limits which endpoints Drydock can access.

services:
  drydock:
    image: codeswhat/drydock
    container_name: drydock
    depends_on:
      socket-proxy:
        condition: service_healthy
    environment:
      - DD_WATCHER_LOCAL_HOST=socket-proxy
      - DD_WATCHER_LOCAL_PORT=2375
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
      # - DD_SERVER_TRUSTPROXY=1  # uncomment if a TLS-terminating reverse proxy sits in front of Drydock
    ports:
      - 3000:3000

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: drydock-socket-proxy
    labels:
      - dd.watch=true
      - dd.update.mode=infrastructure
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CONTAINERS=1
      - IMAGES=1
      - EVENTS=1
      - SERVICES=1
      - INFO=1          # Required for daemon identity detection (notification prefixes)
      # Add POST=1 for container actions (start/stop/restart) or auto-updates
      # Add NETWORKS=1 if using the Docker trigger for auto-updates
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 3s
      retries: 3
      start_period: 5s
    restart: unless-stopped
Direct socket access grants the container full control over the Docker daemon. Use the Socket Proxy tab above for production deployments. See Docker Socket Security for all available options.

The simplest setup — mount the Docker socket directly. Works out of the box on most systems.

services:
  drydock:
    image: codeswhat/drydock
    container_name: drydock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
      # - DD_SERVER_TRUSTPROXY=1  # uncomment if a TLS-terminating reverse proxy sits in front of Drydock
    ports:
      - 3000:3000
If you need a read-only socket mount (:ro), break-glass root mode requires both DD_RUN_AS_ROOT=true and DD_ALLOW_INSECURE_ROOT=true. Prefer socket proxy mode for least privilege. See Docker Socket Security for details.
Direct socket access grants the container full control over the Docker daemon. Use the Socket Proxy tab above for production deployments. See Docker Socket Security for all available options.
docker run -d --name drydock \
  -v "/var/run/docker.sock:/var/run/docker.sock" \
  -e DD_AUTH_BASIC_ADMIN_USER=admin \
  -e 'DD_AUTH_BASIC_ADMIN_HASH=argon2id$65536$3$4$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw==' \
  -p 3000:3000 \
  codeswhat/drydock

The official image is published on Docker Hub and GitHub Container Registry.

Release tags use the same channel names in every registry:

TagBehavior
1.6.0-rc.1Immutable release candidate; best for reproducible testing
1.6-rcRolling release-candidate channel; moves to the newest 1.6.0-rc.N
1.6Rolling stable minor channel; published only for GA releases
1Rolling stable major channel; published only for GA releases
latestNewest GA release; never points at a prerelease

Use the exact RC tag when reporting a regression. Use 1.6-rc only when you intentionally want each candidate cut without editing your Compose file.

Authentication is required by default on fresh installs. The examples above use Basic auth with username admin and password password. See the auth docs for OIDC, anonymous access, and other options.
Behind a reverse proxy? If a TLS-terminating reverse proxy (Nginx Proxy Manager, Traefik, Caddy, Synology DSM, etc.) sits in front of Drydock, set DD_SERVER_TRUSTPROXY=1 (the number of proxy hops) — otherwise every manual action in the UI fails with 403 CSRF validation failed. See the FAQ for details.

Migrating from WUD

If you are coming from What's Up Docker, migrate WUD_* environment variables and wud.* labels before starting v1.6; those runtime aliases have been removed.

To rewrite your local config to drydock naming (DD_* and dd.*), run:

# preview changes only
docker exec -it drydock node dist/index.js config migrate --dry-run

# apply changes to specific files
docker exec -it drydock node dist/index.js config migrate --file .env --file compose.yaml

config migrate reads/writes only local files in your deployment. It does not send usage data to external services.

If you use the Home Assistant wud-card or Homepage's native whatsupdocker widget against your old WUD instance, set DD_COMPAT_WUDCARD=true to keep them working against drydock — see wud-card compatibility.

Open the UI

Open the UI in a browser and check that everything is working as expected.

First 5 minutes in the UI

  1. Open the command palette with Cmd/Ctrl+K.
  2. Use prefix scopes to narrow search quickly:
    • / pages
    • @ runtime resources (containers, agents, triggers, watchers)
    • # config resources (registries, auth, notifications, settings)
  3. Leave the query empty to use recent results.
  4. Open Notifications and tune all seven delivery rules, trigger assignments, audit-backed in-app bell categories, and per-provider templates. The update-available bell rule also offers a severity threshold; use Preview to render template drafts before saving.
  5. Reorder or resize dashboard widgets in edit mode; the custom grid persists responsive layouts locally (and across devices when signed-in preference sync is enabled) and can be reset.

Keyboard shortcuts: Enter confirms action dialogs, Escape cancels dialogs and closes detail panels.

Next steps