# portainer

Docker container management UI. Used at both cloud and edge.

- **Network**: `mgmt`
- **Docker socket**: mounted read-only (`/var/run/docker.sock`) — still effectively root-equivalent on the host, because the read-only flag does not restrict Docker API calls made over the socket. Restrict access via nginx-proxy + Keycloak.
- **Volume**: `portainer-data`
- **TODO**: edge-agent topology — each edge runs a portainer-agent that registers back to cloud-central portainer
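
A check for the constraints listed above, as an added example that is not part of this repository: it reads `docker inspect` JSON and reports a Docker socket mount, host-published ports that would bypass the reverse proxy, and networks other than `mgmt`. The `audit` function and the sample record (including its port numbers and data path) are constructed for illustration.

```python
import json

SOCKET = "/var/run/docker.sock"

# Constructed sample shaped like `docker inspect <container>` output; not from a real host.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/portainer",
    "Mounts": [
        {"Type": "bind", "Source": SOCKET, "Destination": SOCKET, "Mode": "ro", "RW": False},
        {"Type": "volume", "Name": "portainer-data", "Destination": "/data", "Mode": "", "RW": True},
    ],
    "NetworkSettings": {
        "Ports": {"9000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9000"}], "8000/tcp": None},
        "Networks": {"mgmt": {}, "bridge": {}},
    },
}])


def audit(inspect_json, allowed_networks=("mgmt",)):
    """Return (container, finding) tuples for the constraints in this README."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        for m in c.get("Mounts") or []:
            if m.get("Source") == SOCKET:
                mode = "read-write" if m.get("RW", True) else "read-only"
                # The ro flag protects the socket file only; API requests still go through.
                findings.append((name, f"docker socket mounted {mode}: root-equivalent, gate all access"))
        net = c.get("NetworkSettings") or {}
        for port, binds in (net.get("Ports") or {}).items():
            for b in binds or []:  # unpublished ports appear as null
                # A host-published port is reachable without passing the reverse proxy.
                findings.append((name, f"{port} published on {b.get('HostIp')}:{b.get('HostPort')}, bypasses proxy"))
        for n in sorted(set(net.get("Networks") or {}) - set(allowed_networks)):
            findings.append((name, f"attached to unexpected network '{n}'"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

Feed it real data with `docker inspect portainer` and pass the output string to `audit`; the socket finding is expected here and serves as a reminder that the proxy and Keycloak are the only access control in front of it.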