Application Infrastructure Azure

Portainer CE on Ubuntu 24.04 on Azure User Guide

| Product: Portainer CE on Ubuntu 24.04 LTS on Azure

Overview

Portainer CE (Community Edition) gives you a browser-based control panel for Docker. Instead of memorising Docker CLI commands, you deploy and manage containers, images, volumes, networks and stacks from a clean web console, with live logs, an in-browser console into any container, and a docker compose editor for multi-service stacks. The cloudimg image installs Docker CE from the official Docker repository and runs Portainer CE 2.39.4 as a container (managed by Docker with a restart policy), bound to the loopback connector 127.0.0.1:9000 behind an nginx reverse proxy on port 80. nginx is configured with the WebSocket upgrade Portainer needs for its container console and live stats. Portainer's data lives on a dedicated Azure data disk, the local Docker environment is wired up automatically, and a unique admin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Portainer CE 2.39.4 running as a container managed by Docker
  • Docker CE preinstalled from the official Docker apt repository
  • The Portainer web console on :80, fronted by nginx with the WebSocket upgrade proxied
  • The local Docker environment connected automatically, so you can deploy straight away
  • A unique admin password generated on first boot and recorded in a root-only file (username admin)
  • A dedicated Azure data disk at /var/lib/portainer holding Portainer's database and state
  • docker.service + nginx.service as systemd units, enabled and active
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point; size up for heavier container workloads. NSG inbound: allow 22/tcp from your management network and 80/tcp. Portainer serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain (see Maintenance), since the console gives full control of the Docker host.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Portainer by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name portainer \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name portainer --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active docker.service nginx.service

Both report active. Docker manages the Portainer CE container (bound to the loopback connector 127.0.0.1:9000), and nginx fronts it on port 80 with the WebSocket upgrade the console requires. Portainer's database and state live on the dedicated Azure data disk mounted at /var/lib/portainer.

docker.service and nginx.service active, the Portainer container running on the loopback connector 9000, and the dedicated data disk mounted at /var/lib/portainer

Step 5 - Retrieve your admin password

The Portainer admin password is generated uniquely on the first boot of your VM and written to a root-only file:

sudo cat /root/portainer-credentials.txt

This file contains PORTAINER_USERNAME (always admin), PORTAINER_PASSWORD and the URL to open. Store the password somewhere safe.

The Docker and Portainer versions and the per-VM credentials file with the generated admin password and URL

Step 6 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/healthz

It returns ok. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

Step 7 - Verify authentication from the command line

Portainer issues a JWT for correct credentials and rejects a wrong password. Read the password from the credentials file first, then post it to the auth endpoint. Because the command embeds your unique password, run it interactively rather than from a script - substitute the value of PORTAINER_PASSWORD from Step 5 for <PORTAINER_PASSWORD>:

curl -s -X POST -H 'Content-Type: application/json' --data '{"Username":"admin","Password":"<PORTAINER_PASSWORD>"}' http://127.0.0.1/api/auth

A correct password returns a JSON body containing a jwt token. A wrong password returns a 4xx error with no token. The local Docker environment is already connected, so the console is ready to use immediately.

The nginx health endpoint returning ok, the admin auth round-trip rejecting a wrong password and issuing a JWT for the per-VM password, and the local Docker environment already connected

Step 8 - Sign in to the console

Browse to http://<vm-public-ip>/. Portainer shows a sign-in page; enter the username admin and the password from Step 5.

The Portainer CE sign-in page in the browser

Once signed in, the dashboard shows the local Docker environment, already connected and reporting the running containers, images, volumes and networks on the host.

The Portainer dashboard showing the connected local Docker environment with container, image, volume and network counts

Step 9 - Manage containers

Open Containers from the sidebar to see every container on the host. From here you can start, stop, restart, inspect, view logs, open an in-browser console, and deploy new containers with Add container.

The Portainer container list for the local Docker environment

Step 10 - Deploy a stack

Open Stacks -> Add stack to deploy a multi-service application from a docker compose file. Paste your compose definition into the web editor (or point Portainer at a Git repository), give the stack a name and click Deploy the stack.

The Portainer Create stack view with the docker compose web editor

Step 11 - Confirm data lives on the dedicated disk

Portainer's database and state - users, environments, stacks, settings - are stored under /var/lib/portainer on the dedicated Azure data disk (bind-mounted into the container as /data), so they survive OS changes and can be resized independently:

findmnt /var/lib/portainer

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance

  • Password: the admin password is set on first boot. To reset it, sign in and use My account -> Change password in the console, or reset the admin from the CLI following Portainer's documentation.
  • Upgrades: Portainer runs as the portainer container from the pinned portainer/portainer-ce:2.39.4 image; to upgrade, pull a newer tag, remove the container and re-run it with the same -v /var/lib/portainer:/data mount so your data is preserved.
  • Storage: all Portainer state lives under /var/lib/portainer on the data disk; back up that volume to protect your users, environments and stacks.
  • Docker: the host's Docker engine is managed by docker.service; containers you deploy through Portainer run directly on this host.
  • TLS: Portainer serves plain HTTP on port 80; front it with TLS (e.g. certbot with your own domain) before production use, since the console gives full control of the Docker host.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.