This page describes how Portainer is used and set up on our servers. For usage info, see container hosting.
As a first point of reference, see the actual Portainer documentation: https://docs.portainer.io/. We run Portainer Business via a free license that gives us up to 5 nodes.
The main Portainer server runs on Beryllium, itself within a Docker container. This is what https://portainer.uwcs.co.uk runs off. The server also exposes its local Docker environment, which is labelled as the Beryllium environment. This environment is only accessible to accounts with the exec role within Keycloak. Any internal/exec services should run within this environment.
Portainer also allows adding additional environments via agents. The agent runs on another machine and connects to the server, allowing control of the agent's environment via the server. The Public Docker environment is just a Portainer agent within an LXC on Localtoast.
The advantage of agents is that they expose the contents of volumes in a file browser via the web app, allowing you to upload/download files. This is very useful.
Portainer access is OpenID Connect OAuth via Keycloak. It uses the groups claim from Keycloak to figure out if someone is admin or not. See https://portainer.uwcs.co.uk/#!/settings/auth for full details (admin login required).
Only the admin account can modify auth (and some other) settings. Its login details are in Vaultwarden. If OAuth is down or you need to log in as admin, then https://portainer.uwcs.co.uk/#!/internal-auth will let you log in using internal auth.