There are Docker containers available for just about any application you can think of for self-hosting. In this article, I'll look at a list of the best Docker containers.

What are the best Docker containers?

While the list may vary depending on the functionality you need in your containerized environment, the following Docker containers are excellent choices for a self-hosted environment:

  • Traefik
  • Pi-hole
  • Unbound
  • Adguard Home
  • Bitwarden
  • Unifi network controller
  • Uptime Kuma
  • Watchtower
  • Portainer
  • Mailrise

Quick Docker primer

The Docker containers referenced below can easily be provisioned using the Docker Compose code. As a quick primer, you can install Docker and Docker Compose using the following documentation: Install Docker Engine on Ubuntu.

Once you have Docker and Docker Compose installed, you can add the Docker Compose code for the Docker containers below to a docker-compose.yml file. You can then issue this command:

docker-compose up -d 

The referenced Docker containers will automatically be downloaded and provisioned, since the repositories for each container reside within the code.

Traefik

Traefik is a free, open-source ingress controller that can route traffic into your Docker containers or Kubernetes clusters without exposing external IP addresses for each container. Instead, using ingress rules, you can route traffic based on the name of the host requested. You can think of this as "host headers" on a traditional web server.

Traefik also allows you to have proper SSL certificates for all your containers. Unfortunately, many container images are configured out of the box only for port 80, that is, unencrypted traffic. Instead of configuring SSL on each container, you can have Traefik proxy the SSL connection to each container.

You can find the official Traefik site here: Traefik Labs: Makes Networking Boring.

Below is the Docker Compose YAML code for Traefik:

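version: '3'
services:
  traefik2:
    image: traefik:latest
    restart: always
    command:
      - "--log.level=DEBUG"
      # Enables the API and dashboard without authentication (served on port 8080, not published below)
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Every container on the host is routed unless it opts out with the label traefik.enable=false
      - "--providers.docker.exposedbydefault=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect all plain HTTP requests on port 80 to HTTPS on port 443
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
    ports:
      - 80:80
      - 443:443
    volumes:
      # Traefik discovers containers through the Docker socket
      - /var/run/docker.sock:/var/run/docker.sock
    container_name: traefik

Traefik ingress controller for Docker and Kubernetes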
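
The compose file above starts Traefik but does not show the host-name routing described earlier. The following is an added example, not part of the original article: it attaches one backend to Traefik with a Host rule, and turns off expose-by-default and the unauthenticated API. The whoami service, the host name whoami.home.example and the pinned traefik:v2.10 tag are assumptions chosen for illustration.

```yaml
services:
  traefik:
    image: traefik:v2.10   # example pinned tag (assumption) instead of :latest
    restart: always
    command:
      - "--log.level=INFO"
      - "--providers.docker=true"
      # Only containers carrying the label traefik.enable=true are routed
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # No --api.insecure flag: the API and dashboard stay disabled
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only bind mount of the socket file; the Docker API behind it
      # is still fully reachable by this container
      - /var/run/docker.sock:/var/run/docker.sock:ro
    container_name: traefik

  whoami:                  # hypothetical backend used only to show the labels
    image: traefik/whoami
    restart: always
    # No ports are published: the container is reachable only through Traefik
    labels:
      - "traefik.enable=true"
      # Route requests whose Host header matches this name (assumed host name)
      - "traefik.http.routers.whoami.rule=Host(`whoami.home.example`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      # Port inside the container that Traefik forwards to
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
```

No certificate resolver is configured in this example, so Traefik answers with its default self-signed certificate until one is added.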


Pi-hole

Pi-hole is one of the most popular DNS sinkhole solutions for home or SMB. It protects you from ads, data collection, malware, and other risks. Pi-hole is simple and easy to run as a single Docker container provisioned using Docker Run or Docker Compose. It is a great container to spin up on a home Docker host, providing extra security and filtering for your Internet traffic.

Visit the official Pi-hole site here: Pi-hole – Network-wide protection.

Below is the Docker Compose YAML code for Pi-hole:

version: '3'
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: always
    ports:
      # Host port 80 is also published by the Traefik example; change one of them if both run on the same host
      - "80:80/tcp"
      - "53:53/tcp"
      - "53:53/udp"
    environment:
      TZ: 'America/Chicago'
      # Placeholder: set a strong, unique password for the web interface
      WEBPASSWORD: 'password'
      PIHOLE_DNS_: '1.1.1.1;9.9.9.9'
      DNSSEC: 'false'
      WEBTHEME: default-dark
    volumes:
      - /yourdata/pihole:/etc/pihole/
      - /yourdata/dnsmasq.d:/etc/dnsmasq.d/

Pi hole Docker container for DNS sinkhole


Unbound DNS Server

Many use Unbound DNS Server in their home lab environment. It is a recursive caching DNS resolver that supports DNS-over-TLS and DNS-over-HTTPS, allowing clients to have encrypted communication. It is common to run Pi-hole and Unbound together, as Pi-hole needs the Unbound server to support encrypted DNS.

Check out the official Unbound DNS site here: NLnet Labs - Unbound - About.

Below is the Docker Compose YAML code for Unbound:

# The long-form ports and volumes entries below need Compose file format 3.2 or later
version: '3.2'
services:
  unbound:
    container_name: unbound
    image: "mvance/unbound:latest"
    expose:
      - "53"
    # Attached to the user-defined dns network (networks and network_mode cannot be combined on one service)
    networks:
      - dns
    ports:
      - target: 53
        published: 53
        protocol: tcp
        mode: host
      - target: 53
        published: 53
        protocol: udp
        mode: host
    volumes:
      - type: bind
        read_only: true
        source: ./my_conf/forward-records.conf
        target: /opt/unbound/etc/unbound/forward-records.conf
      - type: bind
        read_only: true
        source: ./my_conf/a-records.conf
        target: /opt/unbound/etc/unbound/a-records.conf
    restart: unless-stopped

networks:
  dns:

volumes:
  mydata:

You can see the official Unbound documentation here: unbound - Pi-hole documentation.

Unbound DNS server


Adguard Home

Adguard is another DNS sinkhole solution that can be run instead of Pi-hole. However, Adguard has additional features compared to Pi-hole, such as built-in support for encrypted DNS, parental controls, etc. It is easily run in Docker and can be configured as an upstream DNS server for your home router/firewall.

Check out the official Adguard Home page here: AdGuard Home | Network-wide software for any OS: Windows, macOS, Linux.

Below is the Docker Compose YAML code for Adguard:

version: '3'
services:
  adguard:
    image: adguard/adguardhome
    restart: always
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 853:853/tcp
      - 853:853/udp
      - 3000:3000/tcp
      - 5443:5443/tcp
      - 5443:5443/udp
      - 8853:8853/udp
    volumes:
      - '/yourdata/work:/opt/adguardhome/work'
      - '/yourdata/conf:/opt/adguardhome/conf'
    container_name: adguard

Adguard DNS sinkhole solution


Bitwarden

With many reconsidering SaaS password managers in favor of self-hosted options after high-profile breaches, on-premises containerized password managers are a great option. Bitwarden has a new Bitwarden Unified solution that makes deploying a self-hosted Bitwarden instance even easier.

You can visit the official Bitwarden site here: Bitwarden Open Source Password Manager | Bitwarden.

Below is the Docker Compose YAML code for Bitwarden:

version: '3'
services:
  bitwarden:
    depends_on:
      - db
    env_file:
      - settings.env
    image: bitwarden/self-host:beta
    restart: always
    ports:
      # Published as plain HTTP on host port 80; put a TLS-terminating proxy such as Traefik in front of it
      - "80:8080"
    volumes:
      - bitwarden:/etc/bitwarden

  db:
    environment:
      MARIADB_USER: "bitwarden"
      # Placeholder: replace with a strong, unique password
      MARIADB_PASSWORD: "super_strong_password"
      MARIADB_DATABASE: "bitwarden_vault"
      MARIADB_RANDOM_ROOT_PASSWORD: "true"
    image: mariadb:10
    restart: always
    volumes:
      - data:/var/lib/mysql

volumes:
  bitwarden:
  data:

Bitwarden Unified self hosted container


Unifi network controller

An application that makes sense to containerize, especially if you already have a Docker host in the environment, is your Unifi network controller. If you run Unifi access points and other gear, you need the Unifi network controller to manage your deployment. You can run this as a hardware device. However, running it as a container is easy and efficient.

You can learn more about the Unifi Network Application here: Ubiquiti - Downloads.

Below is the Docker Compose YAML code for Unifi:

version: '3'
services:
  unifi:
    container_name: unifi
    image: jacobalberty/unifi:latest
    restart: always
    networks:
      - traefik
    volumes:
      - '~/homelabservices/unifi/data/lib:/var/lib/unifi'
      - '~/homelabservices/unifi/data/log:/var/log/unifi'
      - '~/homelabservices/unifi/data/run:/var/run/unifi'
    ports:
      - '3478:3478/udp'
      - '10001:10001/udp'
      - '6789:6789/tcp'
      - '8080:8080/tcp'
      - '8443:8443/tcp'
      - '8880:8880/tcp'
      - '8843:8843/tcp'
    environment:
      - TZ=America/Chicago

networks:
  # Assumption: a Docker network named "traefik" already exists (docker network create traefik)
  traefik:
    external: true

Unifi network controller run as a Docker container


Uptime Kuma

Uptime Kuma is a great free, open-source monitoring solution that can be run inside a Docker container. You can easily create dashboards measuring the uptime of critical services and other Docker containers.

Check out the official GitHub site for Uptime Kuma here: louislam/uptime-kuma: A fancy self-hosted monitoring tool (github.com).

Below is the Docker Compose YAML code for Uptime-Kuma:

version: '3'
services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: kuma
    volumes:
      - /yourdata/folder:/app/data
    restart: always

Uptime Kuma open source monitoring


Watchtower

Watchtower is an open-source container that monitors and keeps all your other containers updated. It provides an easy way to automate keeping your container images updated. You can set a specified interval for Watchtower to check for container updates. It will check the repository for a new container image, stop the existing container, and spin up the new container using the same run parameters as initially configured.

Learn more about Watchtower here: Watchtower (containrrr.dev)

Below is the Docker Compose YAML code for Watchtower:

version: '3'
services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: always
    environment:
      # Six-field cron expression (seconds first): run every day at 01:00:00
      WATCHTOWER_SCHEDULE: "0 0 1 * * *"
      TZ: America/Chicago
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_DEBUG: "true"
      WATCHTOWER_NOTIFICATIONS: "email"
      WATCHTOWER_NOTIFICATION_EMAIL_FROM: "watchtower@example.com"
      WATCHTOWER_NOTIFICATION_EMAIL_TO: "admin@example.com"
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER: "192.168.1.25"
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: "25"
      WATCHTOWER_NOTIFICATION_EMAIL_DELAY: 2
    volumes:
      # Watchtower stops and recreates the other containers through the Docker socket
      - /var/run/docker.sock:/var/run/docker.sock

Portainer

Portainer has been described as the best Docker container management tool. While there is a paid version, the community edition is free and has few limitations. It is a great solution, allowing you to have an excellent graphical user interface to manage your Docker container hosts and Kubernetes clusters.

Check out the official Portainer site here: Container management software for Docker, Kubernetes & Nomad (portainer.io).

Below is the Docker Compose YAML code for Portainer:

version: '3'
services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./yourfolder/data:/data
    ports:
      - 9443:9443

Portainer container management


Mailrise

Mailrise is an open-source tool you can run inside Docker, providing an easy way to interact with Apprise, a modern notification framework. Mailrise provides an SMTP gateway that legacy devices and applications can use to communicate with modern notification and messaging platforms.

Navigate to the official Mailrise GitHub page to learn more here: YoRyan/mailrise: An SMTP gateway for Apprise notifications. (github.com).

Below is the Docker Compose YAML code for Mailrise:


version: '3'
services:
  mailrise:
    image: yoryan/mailrise
    container_name: mailrise
    restart: unless-stopped
    volumes:
      - ./mailrise.conf:/etc/mailrise.conf:ro

Wrapping up

As mentioned at the beginning, the list is not all-inclusive. However, the outlined containers are excellent solutions and provide great capabilities in your self-hosted environment. Myriad Docker containers exist, and each self-hosted environment may have a different list of "best Docker containers." Hopefully, you will find the list and Docker containers we have outlined beneficial.

2 Comments
  1. Detlev 3 months ago

    possibly a typing error: “NDS over https” =>better “DNS over..” Good article, thanks

© 4sysops 2006 - 2023
