StackPilot is a self-hosted control plane for running tenant-isolated Docker Compose stacks across one or more Docker hosts — lightweight, auditable, and easy to operate.
# Clone and configure
git clone https://gitlab.azuris.ch/azuris/stackpilot.git
cd stackpilot
cp .env.dev.example .env.dev
# Start local dev environment
make dev
# GUI → http://localhost:5173
# Hub → http://localhost:8113
Small teams, agencies, and labs often need to run workloads for multiple tenants on shared infrastructure. A full PaaS is too heavy. Bare Docker has no multi-tenancy. StackPilot fills that gap with a lightweight, auditable, policy-enforcing control plane.
Every Docker Compose file a tenant submits is parsed, rewritten through a security pipeline, and deployed under strict isolation rules — before it ever touches the daemon.
StackPilot handles the hard parts — security policy, routing, certificates, storage — so you can focus on your tenants' workloads.
Every submitted compose file is parsed, filtered, and rewritten before deployment. Dangerous capabilities are stripped, resource limits enforced, and bind mounts sandboxed to tenant-owned directories.
Traefik integration with automatic Let's Encrypt certificates via ACME DNS challenges. HTTP and TCP routes per stack, with configurable entrypoints and cert resolvers.
Tenants can deploy directly from a Git repository. The agent clones, reads the compose file, and deploys — with auto-sync on a configurable interval to keep stacks up to date.
Define named storage locations (e.g. fast on SSD, large on HDD). Tenants reference them by name; the agent resolves them to host paths with security validation.
Per-tenant GB quotas per storage location, aggregated across all stacks on all hosts. Over-quota tenants are blocked from deploying new stacks with clear error reporting.
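The quota check described above, as an added example (not StackPilot's own code): usage is summed per storage location across every host and stack, a redeploy of an existing stack replaces that stack's own allocation instead of double-counting it, and an over-quota request fails with a message that names each offending location and the numbers behind it. The Allocation record shape, the request/quota dicts and the "no quota entry means unlimited" rule are assumptions made for the example.

```python
# Added example (not StackPilot's code): a quota check aggregated across hosts.
# The Allocation record shape and the quota/request dicts are assumptions.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    tenant: str
    host: str
    stack: str
    location: str   # named storage location, e.g. "fast" or "large"
    gb: float


class QuotaExceeded(Exception):
    pass


def usage_by_location(allocs: list[Allocation], tenant: str,
                      exclude_stack: str | None = None) -> dict[str, float]:
    """Sum one tenant's usage per location over every host and stack.

    exclude_stack makes a redeploy replace the stack's own allocation
    instead of counting it twice."""
    usage: dict[str, float] = defaultdict(float)
    for a in allocs:
        if a.tenant == tenant and a.stack != exclude_stack:
            usage[a.location] += a.gb
    return dict(usage)


def check_quota(allocs: list[Allocation], tenant: str, stack: str,
                request: dict[str, float], quotas: dict[str, float]) -> dict[str, float]:
    """Return remaining GB per requested location if the stack fits, else raise
    QuotaExceeded naming every location that would overflow, with the numbers.

    Locations without a quota entry are treated as unlimited (assumption)."""
    usage = usage_by_location(allocs, tenant, exclude_stack=stack)
    remaining: dict[str, float] = {}
    problems: list[str] = []
    for location, gb in request.items():
        limit = quotas.get(location)
        if limit is None:
            continue
        used = usage.get(location, 0.0)
        if used + gb > limit:
            problems.append(f"{location}: {used:g} GB in use + {gb:g} GB requested > quota {limit:g} GB")
        else:
            remaining[location] = limit - used - gb
    if problems:
        raise QuotaExceeded(f"tenant {tenant!r}, stack {stack!r}: " + "; ".join(problems))
    return remaining


# Constructed allocations spread over two hosts (not real data).
ALLOCS = [
    Allocation("acme", "node-a", "blog", "fast", 20),
    Allocation("acme", "node-b", "shop", "fast", 50),
    Allocation("acme", "node-b", "shop", "large", 300),
    Allocation("other", "node-a", "wiki", "fast", 90),   # another tenant, must not count
]
ACME_QUOTA = {"fast": 100, "large": 1000}


def demo_new_stack() -> dict[str, float]:
    # fast: 20 + 50 GB already used on two hosts, 25 GB more still fits under 100
    return check_quota(ALLOCS, "acme", "analytics", {"fast": 25, "large": 200}, ACME_QUOTA)


def demo_redeploy() -> dict[str, float]:
    # shop grows to 60 GB on fast; its old 50 GB is replaced, not added
    return check_quota(ALLOCS, "acme", "shop", {"fast": 60}, ACME_QUOTA)


def demo_blocked() -> str:
    try:
        check_quota(ALLOCS, "acme", "analytics", {"fast": 40}, ACME_QUOTA)
    except QuotaExceeded as exc:
        return str(exc)
    return "unexpectedly allowed"
```

The redeploy case is the one that is easy to get wrong: counting a stack's current allocation and its new request together blocks legitimate updates, while ignoring the current allocation lets a tenant grow past the quota one redeploy at a time.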
Full tenant lifecycle management: create, configure, deactivate. Per-tenant resource limits, allowed domain lists, port allowances, and owner/member user accounts.
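How per-stack routes and per-tenant policy fit together, as an added example rather than StackPilot's own code: a route spec is checked against the tenant's allowed domain list and TCP port allowance before being turned into Traefik docker-provider labels, and any traefik.* labels the tenant wrote directly are dropped, since honouring them would let one tenant claim another tenant's hostname. The label names are standard Traefik v2 labels; the route spec, policy fields, the "*.domain" wildcard form and the "tcp<port>" entrypoint naming are assumptions made for the example.

```python
# Added example (not StackPilot's code). Route/policy shapes are assumptions;
# the traefik.* label names are the standard Traefik v2 docker-provider labels.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TenantRoutingPolicy:
    tenant_id: str
    allowed_domains: list[str]   # exact hostnames or "*.example.org" (any subdomain depth, assumed)
    allowed_tcp_ports: set[int]  # host-side TCP entrypoint ports this tenant may claim
    cert_resolver: str = "letsencrypt"


@dataclass
class Route:
    service: str                   # compose service the route points at
    kind: str                      # "http" or "tcp"
    hostname: str
    port: int                      # port the container listens on
    entrypoint: str = "websecure"  # Traefik entrypoint name for http routes
    host_port: int | None = None   # host TCP port for tcp routes; entrypoint assumed named f"tcp{port}"


def domain_allowed(hostname: str, allowed: list[str]) -> bool:
    host = hostname.lower().rstrip(".")
    for pattern in allowed:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):   # "*.acme.example" matches "a.acme.example", not "acme.example"
                return True
        elif host == pattern:
            return True
    return False


def strip_tenant_traefik_labels(labels: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Drop traefik.* labels written by the tenant; routing comes only from policy-checked routes."""
    kept = {k: v for k, v in labels.items() if not k.startswith("traefik.")}
    dropped = sorted(k for k in labels if k.startswith("traefik."))
    return kept, dropped


def traefik_labels(stack: str, route: Route, policy: TenantRoutingPolicy) -> dict[str, str]:
    if not domain_allowed(route.hostname, policy.allowed_domains):
        raise PermissionError(f"{route.hostname!r} is not in the allowed domains of tenant {policy.tenant_id}")
    name = f"{policy.tenant_id}-{stack}-{route.service}"  # tenant-prefixed: no cross-tenant router collisions
    if route.kind == "http":
        return {
            "traefik.enable": "true",
            f"traefik.http.routers.{name}.rule": f"Host(`{route.hostname}`)",
            f"traefik.http.routers.{name}.entrypoints": route.entrypoint,
            f"traefik.http.routers.{name}.tls.certresolver": policy.cert_resolver,
            f"traefik.http.services.{name}.loadbalancer.server.port": str(route.port),
        }
    if route.kind == "tcp":
        if route.host_port not in policy.allowed_tcp_ports:
            raise PermissionError(f"TCP port {route.host_port} is not allowed for tenant {policy.tenant_id}")
        return {
            "traefik.enable": "true",
            f"traefik.tcp.routers.{name}.rule": f"HostSNI(`{route.hostname}`)",
            f"traefik.tcp.routers.{name}.entrypoints": f"tcp{route.host_port}",
            f"traefik.tcp.routers.{name}.tls.certresolver": policy.cert_resolver,
            f"traefik.tcp.services.{name}.loadbalancer.server.port": str(route.port),
        }
    raise ValueError(f"unknown route kind {route.kind!r}")


# Constructed tenant policy for the demo.
POLICY = TenantRoutingPolicy("acme", ["www.acme.example", "*.acme.example"], {993, 465})


def demo_http() -> dict[str, str]:
    return traefik_labels("blog", Route("web", "http", "blog.acme.example", 8080), POLICY)


def demo_tcp() -> dict[str, str]:
    return traefik_labels("mail", Route("imap", "tcp", "mail.acme.example", 993, host_port=993), POLICY)
```

The same TCP path is what a mail profile like the one described further down would use for IMAP and submission traffic; the point of the example is that the hostname and the host port are both decided by tenant policy, never by labels in the submitted compose file.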
Hub-to-agent communication is secured with mutual TLS. The hub acts as its own CA, issuing per-host client certificates. Agents never expose themselves directly to tenants.
Optional mail routing profile using Dovecot and Exim4. Route IMAP, SMTP, and submission traffic to tenant mail containers via compose labels — no per-tenant mail config files needed.
Real-time container stats — CPU %, memory usage, and network I/O — surfaced in the GUI per stack. Log streaming with tail/since filters and per-service selection.
A clean separation between the control plane, the execution layer, and the user interface.
Get a local development environment running in under 5 minutes.
git clone https://gitlab.azuris.ch/azuris/stackpilot.git
cd stackpilot
cp .env.dev.example .env.dev
# Edit .env.dev to set your local secrets
make dev
A Linux server with Docker and Docker Compose installed. Two servers are recommended: one for the hub, one (or more) for agents.
# On your hub server
mkdir -p /opt/stackpilot
cp docker-compose.hub.yml /opt/stackpilot/
cd /opt/stackpilot
# Set required environment variables:
# HUB_ADMIN_USERNAME, HUB_ADMIN_PASSWORD
# SECRET_ENCRYPTION_KEY (strong random key, e.g. from `openssl rand -hex 32`)
# ALLOWED_ORIGINS, DATABASE_URL
# HUB_DATA_DIR=/var/data/stackpilot/hub
docker compose -f docker-compose.hub.yml up -d
# On each agent host
mkdir -p /opt/stackpilot
cp docker-compose.agent.yml /opt/stackpilot/
cd /opt/stackpilot
# Set required environment variables:
# HOST_STACKS_DIR=/var/data/stackpilot/agent/stacks
# STORAGE_LOCATIONS=fast:/var/users/ssd,large:/var/users/hdd
# AGENT_DATA_DIR=/var/data/stackpilot/agent
docker compose -f docker-compose.agent.yml up -d
Log in as admin → Hosts → Add Host. Enter the agent URL and the admin API key. StackPilot will verify connectivity and generate mTLS certificates automatically.
StackPilot runs wherever Docker runs.
Docker Engine 24+ and Docker Compose v2 on each host. The hub and agents are themselves Docker Compose stacks.
Any modern Linux distribution. Tested on Debian/Ubuntu and Alpine-based systems. macOS is supported for local development via OrbStack or Multipass.
A valid TLS certificate for the hub's public domain. Let's Encrypt works well. Agents use auto-generated mTLS certificates managed by the hub.
DNS-01 ACME challenge support is recommended for automatic certificate issuance for tenant domains. An API token for the DNS provider is needed (e.g. Gandi, Cloudflare).
StackPilot enforces isolation at every layer of the deployment pipeline.
Dangerous Compose options (privileged, cap_add, pid, userns_mode, network_mode: host) are stripped or constrained.
Host-published ports: entries are stripped with a warning; traffic reaches a stack through its Traefik routes instead.
The gVisor runsc runtime is applied for additional container sandboxing on hosts where gVisor is installed.
The agent reaches the Docker API through tecnativa/docker-socket-proxy, exposing only the required API endpoints, not the raw socket.
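The rewriting pass described in this section and in the feature notes above (dangerous options stripped, ports stripped with a warning, resource limits capped, bind mounts confined to tenant-owned directories, named storage locations resolved to host paths, runsc applied where available), as an added example that is not StackPilot's own code. It works on an already-parsed compose document (the dict yaml.safe_load would return, so it runs without PyYAML). The policy fields, the "./sub" and "<location>/sub" bind-source syntax, the <location>/<tenant> directory layout and the STORAGE_LOCATIONS parsing are assumptions made for the example; a path that normalises out of the tenant root fails the deploy rather than being silently rewritten.

```python
# Added example (not StackPilot's code). Policy fields, bind-source syntax and
# tenant directory layout are assumptions; input is a parsed compose dict.
from __future__ import annotations

import copy
import os
from dataclasses import dataclass

FORBIDDEN_KEYS = ("privileged", "cap_add", "pid", "userns_mode")  # stripped outright
_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


@dataclass
class TenantPolicy:
    tenant_id: str
    stacks_dir: str                     # HOST_STACKS_DIR on the agent host
    storage_locations: dict[str, str]   # name -> host path, from STORAGE_LOCATIONS
    mem_limit: str = "512m"             # tenant ceilings (assumed policy fields)
    cpus: float = 1.0
    use_runsc: bool = False             # True where gVisor is installed on the host


def parse_storage_locations(spec: str) -> dict[str, str]:
    """Parse 'fast:/var/users/ssd,large:/var/users/hdd' into {name: path}."""
    out: dict[str, str] = {}
    for item in spec.split(","):
        name, sep, path = item.strip().partition(":")
        if not sep or not name or not path.startswith("/"):
            raise ValueError(f"bad STORAGE_LOCATIONS entry: {item!r}")
        out[name] = os.path.normpath(path)
    return out


def _to_bytes(size: str | int) -> int:
    s = str(size).lower().rstrip("b")
    return int(float(s[:-1]) * _UNITS[s[-1]]) if s[-1] in _UNITS else int(s)


def _is_bind(source: str, policy: TenantPolicy) -> bool:
    # Compose reads sources containing '/' or starting with '.'/'~' as bind mounts;
    # a bare storage-location name counts as one here too. Anything else is a named volume.
    return "/" in source or source[:1] in ("~", ".") or source in policy.storage_locations


def resolve_bind_source(src: str, policy: TenantPolicy) -> str:
    """Map a tenant-written bind source to a host path inside tenant-owned space.
    './x' is relative to the tenant's stacks directory, '<location>/x' to the
    tenant's slice of that storage location (both assumed syntax)."""
    if src[:1] in ("/", "~"):
        raise ValueError(f"absolute or home-relative bind mount not allowed: {src}")
    head, _, rest = src.partition("/")
    if head in policy.storage_locations:
        root = os.path.join(policy.storage_locations[head], policy.tenant_id)
    else:
        root, rest = os.path.join(policy.stacks_dir, policy.tenant_id), src
    root = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root, rest))
    if target != root and not target.startswith(root + "/"):   # '..' escape attempt
        raise ValueError(f"bind mount escapes tenant directory: {src}")
    return target


def sanitize(compose: dict, policy: TenantPolicy) -> tuple[dict, list[str]]:
    """Return (rewritten compose, warnings); raises on anything that must block the deploy."""
    out = copy.deepcopy(compose)
    warnings: list[str] = []
    for name, svc in out.get("services", {}).items():
        for key in FORBIDDEN_KEYS:
            if svc.pop(key, None) is not None:
                warnings.append(f"{name}: stripped {key}")
        if svc.get("network_mode") == "host":
            del svc["network_mode"]
            warnings.append(f"{name}: stripped network_mode: host")
        if svc.pop("ports", None) is not None:
            warnings.append(f"{name}: stripped ports (publish through routing labels instead)")
        # Resource limits: the tenant may ask for less than its ceiling, never more.
        limits = svc.setdefault("deploy", {}).setdefault("resources", {}).setdefault("limits", {})
        limits["memory"] = min(limits.get("memory", policy.mem_limit), policy.mem_limit, key=_to_bytes)
        limits["cpus"] = str(min(float(limits.get("cpus", policy.cpus)), policy.cpus))
        # Bind mounts: rewrite into tenant-owned directories or fail the whole deploy.
        volumes = []
        for vol in svc.get("volumes", []):
            if isinstance(vol, dict):           # long syntax
                if vol.get("type") == "bind":
                    vol["source"] = resolve_bind_source(vol["source"], policy)
            else:                               # short 'source:target[:mode]' syntax
                parts = vol.split(":")
                if len(parts) > 1 and _is_bind(parts[0], policy):
                    parts[0] = resolve_bind_source(parts[0], policy)
                vol = ":".join(parts)
            volumes.append(vol)
        if volumes:
            svc["volumes"] = volumes
        if policy.use_runsc:
            svc["runtime"] = "runsc"            # gVisor sandbox where the host has it
    return out, warnings


SAMPLE_COMPOSE = {  # constructed tenant input, deliberately over-privileged
    "services": {"web": {
        "image": "nginx:alpine", "privileged": True, "cap_add": ["SYS_ADMIN"],
        "network_mode": "host", "ports": ["80:80"],
        "deploy": {"resources": {"limits": {"memory": "4g", "cpus": "8"}}},
        "volumes": ["./site:/usr/share/nginx/html:ro", "fast/cache:/cache", "logs:/var/log/nginx"],
    }},
    "volumes": {"logs": {}},
}
POLICY = TenantPolicy("acme", "/var/data/stackpilot/agent/stacks",
                      parse_storage_locations("fast:/var/users/ssd,large:/var/users/hdd"),
                      mem_limit="1g", cpus=2.0, use_runsc=True)


def demo() -> tuple[dict, list[str]]:
    return sanitize(SAMPLE_COMPOSE, POLICY)
```

Two design choices worth copying: the original document is never mutated (the tenant's submission stays as the audit record of what was asked for), and a bind mount that escapes its root raises instead of being clamped, because a clamped path would silently mount something the tenant did not ask for.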
StackPilot is an open-source project. Contributions, bug reports, and feedback are welcome.
Found something broken? Open an issue on GitLab with reproduction steps and logs.
Questions, ideas, and general discussion about StackPilot deployments and features.
Read the contribution guide, set up a local dev environment, and submit a merge request.
Follow the release notes for changelogs, migration guides, and new feature announcements.
# Fork and clone
git clone https://gitlab.azuris.ch/azuris/stackpilot.git && cd stackpilot
# Install Python deps (agent + hub)
pip install -r requirements.txt -r hub/requirements.txt
# Install frontend deps
cd gui && npm install && cd ..
# Run the test suite
pytest tests/ hub_tests/ -q
# Run linting
ruff check agent hub && mypy agent hub