Learn

Deploy Portainer with Docker on Ubuntu 24.04 (Free CE)

Daniel MercerDaniel MercerSenior Systems Engineer
Beginner
Updated Apr 4, 202611 min read~14 minutes total
Docker
Ubuntu
Containers
DevOps
Self-Hosted
Deploy Portainer with Docker on Ubuntu 24.04 (Free CE)
On This Page

Prerequisites

A Raff VM running Ubuntu 24.04 with at least 1 vCPU and 2 GB RAM (CPU-Optimized Tier 2 or higher), Docker installed, UFW firewall configured, SSH access with a non-root user with sudo privileges

Don't have a server yet? Deploy a Raff VM in 60 seconds.

Deploy a VM

Introduction

Portainer is an open-source web interface that lets you manage Docker containers, images, volumes, and networks through a visual dashboard instead of the command line. If you have been following our Docker tutorials — deploying Uptime Kuma, n8n, or Open WebUI — Portainer gives you a single pane of glass to start, stop, inspect, and update all of those containers without SSH.

The Community Edition (CE) is completely free and covers everything most users need: container lifecycle management, Docker Compose stack deployment, image management, volume inspection, network configuration, and real-time container logs. Over 30 million Portainer instances have been deployed worldwide, making it the most widely used Docker management UI.

In this tutorial, you will deploy Portainer CE as a Docker container with persistent storage, configure the firewall for web access, create your admin account, explore the management interface, and deploy a test stack through the UI. On a Raff Tier 2 VM, Portainer adds approximately 50 MB of RAM overhead — negligible alongside your application containers. We run Portainer on our internal staging environments to give the team quick visibility into running services without needing direct SSH access.

Step 1 — Create a Persistent Volume for Portainer

Portainer stores its configuration, user accounts, and settings in a Docker volume. Create a named volume so this data persists across container restarts and updates:

bashdocker volume create portainer_data

Verify the volume was created:

bashdocker volume ls

You should see portainer_data in the list. This volume lives independently of the Portainer container — if you remove and recreate the container, your settings and user accounts remain intact.

Step 2 — Deploy Portainer CE

Run the Portainer CE container with the following command:

bashdocker run -d \
  --name portainer \
  --restart=always \
  -p 8000:8000 \
  -p 9443:9443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest

Each flag explained:

  • -d — Runs the container in detached mode (background).
  • --restart=always — Automatically restarts Portainer if the container stops or the server reboots.
  • -p 9443:9443 — Exposes the Portainer web UI on port 9443 (HTTPS by default).
  • -p 8000:8000 — Used for Edge Agent communication. You can omit this if you only manage a single Docker host.
  • -v /var/run/docker.sock:/var/run/docker.sock — Gives Portainer access to the Docker daemon so it can manage containers, images, and networks.
  • -v portainer_data:/data — Mounts the persistent volume for configuration storage.

Verify the container is running:

bashdocker ps | grep portainer

You should see the Portainer container with status Up and ports 8000 and 9443 mapped.

Check the container logs to confirm a clean startup:

bashdocker logs portainer 2>&1 | tail -5

You should see a line indicating Portainer is listening on port 9443. If you see any errors about binding ports, verify no other service is using ports 8000 or 9443 with sudo ss -tlnp | grep -E '8000|9443'.

Step 3 — Configure the Firewall

Allow access to Portainer's HTTPS port through UFW:

bashsudo ufw allow 9443/tcp

Verify the rule:

bashsudo ufw status

You should see 9443/tcp listed as ALLOW.

Tip

For production environments, restrict Portainer access to your own IP address instead of opening it to the internet: sudo ufw allow from your_ip to any port 9443. This prevents unauthorized access even if someone discovers your Portainer URL. You can also use a WireGuard VPN tunnel to access Portainer privately without exposing the port at all.

Step 4 — Create the Admin Account

Open your browser and navigate to:

https://your_server_ip:9443

Your browser will show a certificate warning because Portainer uses a self-signed SSL certificate by default. This is safe for private use — click "Advanced" and proceed to the site.

You will see the initial setup screen asking you to create an admin user:

  • Username: Choose a username (default is admin)
  • Password: Set a strong password (minimum 12 characters)

Click Create user to complete the setup.

Step 5 — Connect to the Local Docker Environment

After logging in, Portainer asks you to select an environment. Click Get Started to connect to the local Docker instance.

You will see the home dashboard showing your local Docker environment with a summary of running containers, images, volumes, and networks.

Click on the local environment to enter the management view. From here you can:

  • Containers — View all running and stopped containers. Start, stop, restart, remove, and inspect logs for each one. Click on any container name to see real-time resource usage (CPU, RAM, network I/O), environment variables, mounted volumes, and port mappings.
  • Images — See all Docker images on the system. Pull new images, remove unused ones, and check image sizes. Unused images accumulate over time and waste disk space — the Images view makes cleanup easy.
  • Volumes — Inspect and manage persistent storage volumes. See which containers use each volume and how much disk space they consume.
  • Networks — View Docker networks and create new ones for container isolation. Custom networks let containers communicate by name instead of IP address.
  • Stacks — Deploy and manage Docker Compose stacks through the web UI.

If you have existing containers running (like Uptime Kuma or n8n), you will see them listed in the Containers view immediately. You can inspect their logs, restart them, or change their settings — all without opening an SSH session.

Step 6 — Deploy a Stack Through the UI

Portainer's Stack feature lets you deploy Docker Compose applications directly from the web interface. This is useful for deploying new services without SSH.

Click Stacks in the left sidebar, then click Add stack.

Give your stack a name (e.g., test-nginx), select Web editor, and paste the following Docker Compose configuration:

yamlversion: "3.8"
services:
  web:
    image: nginx:alpine
    ports:
      - "8080:80"
    restart: unless-stopped

Click Deploy the stack. Portainer pulls the Nginx image and starts the container. You can watch the deployment progress in real time.

Once deployed, navigate to Containers — you should see the new Nginx container running. Allow port 8080 through the firewall to test:

bashsudo ufw allow 8080/tcp

Visit http://your_server_ip:8080 in your browser. You should see the default Nginx welcome page, confirming the stack deployed successfully.

To clean up the test stack, go to Stacks, select test-nginx, and click Remove. Portainer stops and removes the containers automatically. Remove the firewall rule when done:

bashsudo ufw delete allow 8080/tcp

Step 7 — Update Portainer

Portainer runs as a Docker container, so updating is straightforward. Pull the latest image, remove the old container, and start a new one with the same volume:

bashdocker stop portainer
docker rm portainer
docker pull portainer/portainer-ce:latest

Rerun the same deployment command from Step 2:

bashdocker run -d \
  --name portainer \
  --restart=always \
  -p 8000:8000 \
  -p 9443:9443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest

Your admin account, settings, and stack configurations are preserved in the portainer_data volume. Log back in with your existing credentials.

Note

Portainer CE receives regular updates with new features and security fixes. Check the Portainer release notes periodically. Your Docker images for other services can also be updated through the Portainer web UI — click on the container, then Recreate with the Pull latest image option checked.

Conclusion

You have deployed Portainer CE on your Raff Ubuntu 24.04 VM, created an admin account, connected to your local Docker environment, and deployed a test stack through the web interface. You now have a visual dashboard to manage all your Docker containers without needing SSH for routine operations.

From here, you can:

  • Manage existing Docker deployments like Uptime Kuma, n8n, and Open WebUI from one interface
  • Deploy new applications using Portainer's App Templates — pre-configured Docker Compose stacks for popular software
  • Set up container restart policies and resource limits through the UI instead of editing YAML files
  • Restrict access to Portainer via WireGuard VPN so the management interface is never exposed to the public internet

Portainer uses approximately 50 MB of RAM on a Raff VM, which means it fits comfortably alongside multiple application containers even on a Tier 2 ($9.99/month) instance. Combined with NVMe SSD storage for fast image pulls and container startup, your Docker management workflow stays responsive.

For teams working together, Portainer CE supports multiple user accounts with environment-level access. Create separate accounts for each team member so everyone can manage containers without sharing SSH credentials or a single admin password. The Business Edition adds role-based access control if you need finer-grained permissions later.

This tutorial was tested by our systems engineering team on a Raff CPU-Optimized Tier 2 VM with Portainer CE 2.21.

Get notified when we publish new tutorials

Cloud tips, step-by-step guides, and infrastructure insights — straight to your inbox.

Frequently Asked Questions

Ready to get started?

Deploy an Ubuntu 24.04 VM and follow along in under 60 seconds.

Deploy a VM Now