Dozzle
Real-time Docker log viewer in your browser, read-only by design.
The stack
Generated output
```yaml
services:
  dozzle:
    image: docker.io/amir20/dozzle:v10.6.2@sha256:dac897ce93cbc0db48d9a6014ba24fb9438edc95c27e283a6fcc9260ea474d6d
    restart: unless-stopped
    environment:
      DOZZLE_ADDR: :8080
      DOZZLE_NO_ANALYTICS: "true"
      DOZZLE_AUTH_PROVIDER: ${DOZZLE_AUTH_PROVIDER}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
```
```
# Caddyfile for Dozzle
# Replace dozzle.example.com with your real domain. Caddy issues TLS automatically.
dozzle.example.com {
    encode zstd gzip
    reverse_proxy dozzle:8080
}
```
```yaml
# Traefik labels for Dozzle
# Merge into the dozzle service in docker-compose.yml.
# Assumes an external Traefik network named "proxy" and a
# certresolver named "letsencrypt". Replace dozzle.example.com.
services:
  dozzle:
    labels:
      traefik.enable: "true"
      traefik.http.routers.dozzle.rule: Host(`dozzle.example.com`)
      traefik.http.routers.dozzle.entrypoints: websecure
      traefik.http.routers.dozzle.tls: "true"
      traefik.http.routers.dozzle.tls.certresolver: letsencrypt
      traefik.http.services.dozzle.loadbalancer.server.port: "8080"
    networks:
      - proxy
      - default
networks:
  proxy:
    external: true
```
Replace dozzle.example.com with your domain. Generate secrets below.
Environment
.env with generated secrets
Secrets are generated in your browser via crypto.getRandomValues. Nothing is sent anywhere.
Server-rendered .env template
```
# Built-in authentication mode. `none` (default) means Dozzle does no login of
# its own and you rely on the reverse proxy for access control. Set to `simple`
# to enable Dozzle file-based users (you must also mount a users.yml, generated
# with `dozzle generate` — see the docs), or `forward-proxy` to trust an
# upstream authenticating proxy. No secret is generated here.
DOZZLE_AUTH_PROVIDER=none
```
About
What is Dozzle?
Dozzle is a lightweight, real-time log viewer for Docker. Point it at the Docker socket and it gives you a fast web UI that streams the live stdout and stderr of every container on the host — searchable, filterable, and updating as lines arrive, with no need to SSH in and tail logs by hand. It is deliberately small and stateless: there is no database and no agent to install, just a single Go binary that reads the Docker API and renders logs in the browser. You can watch several containers side by side, fuzzy-search across them, jump to any container from a list, and see simple charts of log activity.

Crucially, this stack mounts the Docker socket read-only (/var/run/docker.sock:/var/run/docker.sock:ro). That is the important difference from a stack manager like Dockge: Dozzle only reads container state and log streams — it never starts, stops, or changes anything — so it does not need write access to the daemon, and this stack does not grant any.

Read-only still means real exposure, though: anyone who reaches Dozzle can read the logs of every container, which routinely include tokens, queries, and other sensitive output. So this stack binds nothing to the host and is built to sit behind the reverse proxy at dozzle.example.com with authentication in front of it; Dozzle also ships an optional built-in auth provider you can turn on. It keeps no long-term history — it shows what Docker currently holds in its logging driver — and it does no alerting. It is a live window onto your logs, not a log store.
Requirements
Before you start
- Docker 24+ and Docker Compose v2 on the host — Dozzle reads the local Docker daemon.
- Read access to the Docker socket at `/var/run/docker.sock`, mounted read-only. This lets Dozzle see and stream the logs of every container on the host; treat that visibility as sensitive (see the limitations).
- 128 MB RAM is plenty — Dozzle is a single small Go process and stores nothing of its own.
- A reverse proxy with authentication in front of it. Dozzle exposes all container logs, so do not bind it to the host or publish it openly.
Deploy
How to deploy
- Decide on authentication. The default `DOZZLE_AUTH_PROVIDER=none` does no login inside Dozzle, so you must add auth at the reverse proxy. Alternatively set it to `simple` for Dozzle built-in users (which also needs a mounted `users.yml`; see the Dozzle docs).
- Start the stack: `docker compose up -d`.
- Open `https://dozzle.example.com`; live logs for every container on the host should start streaming immediately.
- Confirm access is gated before exposing it. Because Dozzle can read all container logs, never publish it without authentication — keep it behind the proxy and add a login layer.
- Leave the Docker socket mounted read-only (`:ro`). Dozzle only reads; it never needs write access to the daemon.
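As a check on the steps above, this added example (not part of the original page or of the Dozzle project) audits the output of `docker compose config --format json` for the settings this page depends on: no published ports, a read-only socket mount, and an auth provider that matches what is mounted. The JSON shape of the constructed sample, the `/data` mount target, the file name `audit.py` and the function names are assumptions of the example.

```python
import json
import sys

SOCKET = "/var/run/docker.sock"
AUTH_MODES = {"none", "simple", "forward-proxy"}  # the values this page names

# Constructed sample in the shape `docker compose config --format json` prints, with
# three deliberate mistakes: published port, rw socket, simple auth without users.yml.
SAMPLE = {"services": {"dozzle": {
    "environment": {"DOZZLE_ADDR": ":8080", "DOZZLE_AUTH_PROVIDER": "simple"},
    "ports": [{"target": 8080, "published": "8080", "protocol": "tcp"}],
    "volumes": [{"type": "bind", "source": SOCKET, "target": SOCKET, "read_only": False}],
}}}


def has_users_file(mounts):
    # Assumption: users.yml arrives as its own mount or inside a /data directory mount.
    return any(m.get("target") == "/data" or str(m.get("target", "")).endswith("users.yml")
               for m in mounts)


def audit(config, service="dozzle"):
    """Return FAIL/NOTE findings for the service; an empty list means nothing to report."""
    svc = config.get("services", {}).get(service)
    if svc is None:
        return [f"FAIL: service {service!r} not found"]
    out = []
    for port in svc.get("ports") or []:  # the page's stack publishes nothing on the host
        out.append(f"FAIL: port {port.get('published')} is published, bypassing the proxy")
    mounts = svc.get("volumes") or []
    sock = [m for m in mounts if m.get("target") == SOCKET]
    if not sock:
        out.append("FAIL: Docker socket not mounted; Dozzle will show no containers")
    elif not all(m.get("read_only") for m in sock):
        out.append("FAIL: Docker socket mounted read-write; use ':ro'")
    mode = (svc.get("environment") or {}).get("DOZZLE_AUTH_PROVIDER")
    if mode not in AUTH_MODES:  # also catches an unset or empty ${DOZZLE_AUTH_PROVIDER}
        out.append(f"FAIL: DOZZLE_AUTH_PROVIDER is {mode!r}; set it explicitly in .env")
    elif mode == "simple" and not has_users_file(mounts):
        out.append("FAIL: DOZZLE_AUTH_PROVIDER=simple but no users.yml mount found")
    elif mode == "none":
        out.append("NOTE: Dozzle does no login; authentication must be enforced at the proxy")
    return out


if __name__ == "__main__":
    # Usage: docker compose config --format json > stack.json && python3 audit.py stack.json
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(cfg)) or "ok")
```

The NOTE for `none` is expected for the stack as written, because the compose file alone cannot show whether the proxy enforces a login. The `read_only` check covers the mount flag only; it does not test which Docker API calls the daemon would accept over the socket.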
Errors
Common errors & fixes
Dozzle loads but shows no containers, or logs "permission denied" talking to Docker.
It cannot read the Docker socket. Confirm `/var/run/docker.sock:/var/run/docker.sock:ro` is mounted and that the socket exists on the host. On hosts with a restrictive socket group Dozzle may need to run with a matching group — but never switch the mount to read-write to "fix" this; read access is all it needs.
Dozzle is reachable on the LAN and anyone can read every container's logs.
Dozzle does no authentication by default (`DOZZLE_AUTH_PROVIDER=none`). Do not publish port 8080 directly; keep it behind the reverse proxy and add auth there, or enable `DOZZLE_AUTH_PROVIDER=simple` with a `users.yml`. Logs frequently contain secrets, so treat open access as a leak.
Older log lines are missing, or history disappears after a container restarts.
Dozzle is a live viewer, not a log store — it shows what Docker's logging driver currently holds. If you need history, configure Docker `json-file` log rotation generously or ship logs to a real log store such as Loki. Dozzle cannot show logs Docker has already rotated away.
There is no button to stop, restart, or otherwise control containers from Dozzle.
By design. This stack mounts the socket read-only, so Dozzle's optional container actions are unavailable. Read-only is the safe default; granting write access to the socket would make Dozzle root-equivalent on the host, which defeats the point of a log viewer.
Limitations
Honest limitations
- Read-only, but still powerful. The socket mount lets Dozzle read the logs of every container on the host, and logs routinely contain tokens, connection strings, and personal data. Read-only stops Dozzle from changing anything, but it does not hide log contents — protect access accordingly.
- No long-term log storage. Dozzle shows what Docker currently retains in its logging driver; it does not archive logs. Rotated or dropped logs are gone from Dozzle too.
- No alerting or notifications. Dozzle is for watching and searching live logs, not for triggering on patterns — pair it with a real log and alerting pipeline if you need that.
- Container control is intentionally absent here. Because the socket is mounted read-only, Dozzle cannot stop or restart containers; use a manager like Dockge, which takes a read-write socket, for that.
FAQ
Frequently asked
Why is the Docker socket mounted read-only?
Dozzle only reads container metadata and log streams — it never starts, stops, or modifies anything — so it does not need write access to the daemon. Mounting `/var/run/docker.sock:ro` gives it exactly what it needs and nothing more. A read-write socket would make Dozzle root-equivalent on the host, which is unnecessary for a log viewer.
How is this different from Dockge or Portainer?
Those are managers: they create, start, and stop containers, so they require a read-write socket and are effectively root on the host. Dozzle is read-only and single-purpose — it shows logs. Many people run both: Dockge to manage, Dozzle to watch.
Does Dozzle store my logs?
No. It is a live viewer with no database. It streams whatever Docker currently holds in its logging driver and keeps nothing of its own. For retention, configure Docker log rotation or ship logs to a dedicated store.
How do I secure it?
Keep it off the public internet and behind a reverse proxy with authentication. Dozzle also ships an optional built-in auth provider: set `DOZZLE_AUTH_PROVIDER=simple` and mount a `users.yml` (generated with `dozzle generate`), or use `forward-proxy` to trust an upstream auth proxy. Never expose it unauthenticated — its logs can leak secrets.
Can Dozzle watch more than one host?
Yes, via remote agents: run a Dozzle agent on each additional host and connect them so one UI aggregates logs from several machines. This compose runs a single instance against the local read-only socket; adding agents is done afterward.