README
¶
Oriel
The local Docker GUI an AI can drive, safely.
Manage containers, images, volumes, networks, and Compose from a clean browser UI. Or hand the job to an AI: any MCP client (Claude, Cursor, a local LLM) drives the same tools the UI does, with the same secret masking and destructive-action grant. It works with any Docker engine on macOS and Linux (Colima, Docker Engine, OrbStack, Podman, or a remote daemon). A free, open-source Docker Desktop alternative in one ~13 MB binary that idles at 15–30 MB of RAM, with no Electron, no account, and an Apache-2.0 license.
Try it live ↗ · the full UI in your browser, mock data, no install.
Drive it with AI
Point any MCP client at Oriel and ask in plain English. It calls the same validated, secret-masked tools the UI does, and it can chain several to actually answer a question instead of firing just one:
you: why does
apikeep restarting?assistant: reads
container.list,container.inspect, then the logs. It's exiting 137 (OOM): the container is capped at 256 MB and the Node heap runs past it. Raise the memory limit or fix the leak inworker.js.
oriel mcp # stdio MCP server for Claude, Cursor, or a local LLM
No model ships in the binary; your client brings its own. Reads run anytime, and destructive actions stay locked behind a grant. Setup & tool list ↓
Install
Homebrew (macOS & Linux):
brew install ParadoxInfinite/oriel/oriel
Script (detects your platform and verifies the checksum):
curl -fsSL https://raw.githubusercontent.com/ParadoxInfinite/oriel/main/install.sh | sh
⚠️ Piping a script to
shruns code from the internet on your machine. Readinstall.shbefore you run it, or download a binary from releases instead.
Manual binary, Go, or source
Download a binary from releases (oriel-darwin-arm64 for Apple Silicon, oriel-darwin-amd64 for Intel, oriel-linux-arm64, or oriel-linux-amd64), then chmod +x. Or:
go install github.com/ParadoxInfinite/oriel@latest # with Go
make build # from source (builds + embeds the UI)
Run
./oriel # opens http://127.0.0.1:4321
Flags: --port <n> (default 4321), --no-open. Run on login: ./oriel service install (launchd / systemd; also status, uninstall).
Needs any Docker Engine–compatible runtime + the docker CLI. Colima is first-class (adds VM start/stop); Docker Engine, OrbStack, Rancher/Docker Desktop, Podman, and remote daemons also work (docs/DAEMONS.md). For remote access over a private network, see docs/REVERSE-PROXY.md; read the security note first.
Features
- Containers: live CPU/mem, exit codes, bulk actions, streaming logs, full inspect.
- AI control (MCP): any MCP client drives Docker/Colima through the same validated, secret-masked tools, with destructive actions behind a grant. More ↓
- Images: pull with registry search, prune, one-click tag.
- Compose: manage stacks, plus discover & deploy projects from disk.
- Dashboard: CPU history, memory, disk, uptime/outage tracking.
- Command palette (
⌘K): fuzzy-run any action or jump to any view. - Editions & themes: swap the whole UI (Studio, or drop in your own), light/dark/system, custom accents.
- Light & live: ~15–30 MB RAM, one SSE stream (no polling), checksum-verified self-update.
How it compares
The usual ways to run containers on a Mac or Linux box, and where Oriel fits. (Figures drift; treat as a snapshot.)
| Oriel | Docker Desktop | OrbStack | lazydocker | Portainer | |
|---|---|---|---|---|---|
| License | Apache-2.0, free | Proprietary (paid for larger orgs) | Proprietary (paid for commercial use) | MIT, free | Free (CE) |
| Interface | Graphical web UI | Desktop app | Native app | Terminal (TUI) | Web UI (server) |
| Footprint | ~15–30 MB RAM, ~13 MB binary | Heavy (~3–4 GB VM) | Light (native) | Light | Container, ~200–300 MB |
| Install | Single static binary | Installer | Installer | Single binary | Run a container |
| Bring-your-own engine | Colima · Docker · OrbStack · Podman · remote | Bundled engine | Bundled engine | Any Docker socket | Any Docker socket |
| Runs locally, no account | Yes | Account/sign-in | Account | Yes | Server + auth |
| AI control (MCP) | Built-in, safety-gated | MCP Toolkit (runs other servers) | No | No | No |
It's the only one here an AI can drive directly, through the same checks the UI gives you. Reach for it over Docker Desktop / OrbStack (no paid license, bundled VM, or menu-bar app), over lazydocker (a real graphical UI, not a terminal one), or over Portainer (a binary you run for yourself, not a server to deploy and lock down).
For the full breakdown, including where Oriel loses (Windows, Kubernetes, multi-host, in-browser shell), see the exhaustive comparison in the live demo.
Coming: an in-browser shell, an audit log, and UI translations (i18n). Roadmap.
AI control (MCP)
oriel mcp runs Oriel as a Model Context Protocol server, so an MCP client (Claude Desktop, Claude Code, Cursor, a local LLM) manages your Docker/Colima in plain English, headless, with no GUI needed. Same tools, same guardrails:
- Secrets stay masked.
container.inspectandcontainer.logsredact secret-shaped values before they reach a model; an MCP client never gets fully-raw env or logs (the "off" setting applies only to the local UI). Log redaction is best-effort over free-form text. - Destructive actions are locked until you open a short, time-boxed window (
oriel ai allow-destructive --for 15m). Reads always work; remove/prune don't, until you say so. - No model in the binary. Your client brings the model, so Oriel stays vendor-neutral.
Point any MCP client at it. With Oriel installed:
{ "mcpServers": { "oriel": { "command": "oriel", "args": ["mcp"] } } }
Or with no install, via the published image (Linux hosts; mounts the Docker socket):
{ "mcpServers": { "oriel": { "command": "docker", "args": ["run", "-i", "--rm", "-v", "/var/run/docker.sock:/var/run/docker.sock", "ghcr.io/paradoxinfinite/oriel"] } } }
Claude Code: claude mcp add oriel -- oriel mcp. Setup, HTTP, scoping, and the full tool list: docs/MCP.md.
Editions & themes
The UI is a swappable plugin on a stable platform SDK: Studio (light/dark/system, custom accents). Recolor it, or drop in your own edition (see docs/THEMES.md).
Security
Out of the box Oriel has no login, and driving Docker is effectively root on the host. An optional bearer token gates remote and MCP-over-HTTP access (off by default), but the safe default is local use, or a private network only (Tailscale, ZeroTier, WireGuard, and the like). Never the public internet. Full trust model: SECURITY.md.
FAQ
Is there a GUI for Colima? Yes. Colima ships CLI-only by design, and Oriel is the browser UI it never shipped. It also drives Docker Engine, OrbStack, Podman, and remote daemons.
A free Docker Desktop alternative? Yes. Apache-2.0 licensed, no license fees, no account. Point it at any Docker-compatible engine.
Can an AI manage my containers? Yes. Run oriel mcp and point any MCP client (Claude, Cursor, a local LLM) at it. It gets the same validated, secret-masked tools as the UI, and destructive actions stay locked until you grant them.
How is it different from lazydocker? lazydocker is a terminal UI; Oriel is a graphical browser UI with dashboards, streaming logs, registry search, Compose discovery, and themeable editions.
Footprint and platforms? ~15–30 MB RAM, ~13 MB binary, no Electron. macOS (Apple Silicon + Intel) and Linux (amd64 + arm64).
Develop
make dev + make dev-web (Vite hot reload), make test. See CONTRIBUTING.md.
License
Apache-2.0 © The Oriel contributors. See NOTICE.
Documentation
¶
There is no documentation for this package.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
actions
Package actions wires concrete Docker/Colima operations into the generic tool Registry and supplies the entity resolver.
|
Package actions wires concrete Docker/Colima operations into the generic tool Registry and supplies the entity resolver. |
|
colima
Package colima wraps the `colima` CLI, which has no API.
|
Package colima wraps the `colima` CLI, which has no API. |
|
discovery
Package discovery finds Docker Compose projects on disk under user-configured roots, so the UI can offer "available but not yet deployed" stacks alongside the label-derived running ones.
|
Package discovery finds Docker Compose projects on disk under user-configured roots, so the UI can offer "available but not yet deployed" stacks alongside the label-derived running ones. |
|
docker
Package docker talks to the Docker Engine API exposed by Colima's unix socket.
|
Package docker talks to the Docker Engine API exposed by Colima's unix socket. |
|
execstream
Package execstream runs a command and streams its combined output line by line, used for long-running CLI operations (colima lifecycle, docker compose) that the UI displays as live progress.
|
Package execstream runs a command and streams its combined output line by line, used for long-running CLI operations (colima lifecycle, docker compose) that the UI displays as live progress. |
|
grant
Package grant implements the time-boxed "destructive actions" window that unlocks Destructive tools for non-interactive callers (the MCP server, a future in-app assistant).
|
Package grant implements the time-boxed "destructive actions" window that unlocks Destructive tools for non-interactive callers (the MCP server, a future in-app assistant). |
|
mcp
Package mcp exposes Oriel's validated tool Registry as a Model Context Protocol server over stdio.
|
Package mcp exposes Oriel's validated tool Registry as a Model Context Protocol server over stdio. |
|
secrets
Package secrets masks sensitive environment-variable values so they don't leak from the inspect panel (screenshots, screen-shares) or to an AI model over MCP.
|
Package secrets masks sensitive environment-variable values so they don't leak from the inspect panel (screenshots, screen-shares) or to an AI model over MCP. |
|
server
Package server wires the HTTP router for Oriel: a small JSON REST surface for actions, SSE channels for live data, and the embedded frontend.
|
Package server wires the HTTP router for Oriel: a small JSON REST surface for actions, SSE channels for live data, and the embedded frontend. |
|
service
Package service installs Oriel as a background service so it starts automatically and stays running: a launchd LaunchAgent on macOS, and a systemd service on Linux (a per-user unit, or a system unit with --system / when run as root).
|
Package service installs Oriel as a background service so it starts automatically and stays running: a launchd LaunchAgent on macOS, and a systemd service on Linux (a per-user unit, or a system unit with --system / when run as root). |
|
settings
Package settings owns the user's persisted configuration (settings.json): base path, allowed hosts, auth token, masking policy, and compose-discovery config.
|
Package settings owns the user's persisted configuration (settings.json): base path, allowed hosts, auth token, masking policy, and compose-discovery config. |
|
tools
Package tools is the canonical action layer.
|
Package tools is the canonical action layer. |
|
userdata
Package userdata resolves Oriel's per-user data directory.
|
Package userdata resolves Oriel's per-user data directory. |