--- title: "Docker" description: "A guide on installing Authelia in Docker." lead: "This is one of the primary ways we deliver Authelia to users and the recommended path." date: 2022-06-15T17:51:47+10:00 draft: false images: [] menu: integration: parent: "deployment" weight: 230 toc: true --- The [Docker] container is deployed with the following image names: * [authelia/authelia](https://hub.docker.com/r/authelia/authelia) * [docker.io/authelia/authelia](https://hub.docker.com/r/authelia/authelia) * [ghcr.io/authelia/authelia](https://github.com/authelia/authelia/pkgs/container/authelia) ## Get Started It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our [Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to bootstrapping *Authelia*. ## Container ### Environment Variables Several environment variables apply specifically to the official container. This table documents them. It is important to note these environment variables are specific to the container and have no effect on the *Authelia* daemon itself and this section is not meant to document the daemon environment variables. | Name | Default | Usage | |:-----:|:-------:|:---------------------------------------------------------------------------------------------:| | PUID | 0 | If the container is running as UID 0, it will drop privileges to this UID via the entrypoint | | PGID | 0 | If the container is running as UID 0, it will drop privileges to this GID via the entrypoint | | UMASK | N/A | If set the container will run with the provided UMASK by running the `umask ${UMASK}` command | ### Permission Context By default the container runs as the configured [Docker] daemon user. Users can control this behaviour in several ways. The first and recommended way is instructing the [Docker] daemon to run the *Authelia* container as another user. See the [docker run] or [Docker Compose file reference documentation](https://docs.docker.com/compose/compose-file/05-services/#user) for more information. The best part of this method is the process will never have privileged access, and the only negative is the user must manually configure the filesystem permissions correctly. The second method is by using the environment variables listed above. The downside to this method is that the entrypoint itself will run as UID 0 (root). The advantage is the container will automatically set owner and permissions on the filesystem correctly. The last method which is beyond our documentation or support is using the [user namespace](https://docs.docker.com/engine/security/userns-remap/) facility [Docker] provides. [docker run]: https://docs.docker.com/engine/reference/commandline/run/ ## Docker Compose We provide two main [Docker Compose] examples which can be utilized to help test *Authelia* or can be adapted into your existing [Docker Compose]. * [Unbundled Example](#standalone-example) * [Bundle: lite](#lite) * [Bundle: local](#local) ### Standalone Example The following examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or proxies. It expects the following: * The file `data/authelia/config/configuration.yml` is present and the configuration file. * The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files: * A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwtsecret) * A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret) * A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password) * A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryptionkey) * You're using PostgreSQL. * You have an external network named `net` which is in bridge mode. #### Using Secrets Use this [Standalone Example](#standalone-example) if you want to use [docker secrets](https://docs.docker.com/engine/swarm/secrets/). {{< details "docker-compose.yml" >}} ```yaml --- version: "3.8" secrets: JWT_SECRET: file: ${PWD}/data/authelia/secrets/JWT_SECRET SESSION_SECRET: file: ${PWD}/data/authelia/secrets/SESSION_SECRET STORAGE_PASSWORD: file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD STORAGE_ENCRYPTION_KEY: file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY services: authelia: container_name: authelia image: docker.io/authelia/authelia:latest restart: unless-stopped networks: net: aliases: [] expose: - 9091 secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY] environment: AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY volumes: - ${PWD}/data/authelia/config:/config networks: net: external: true name: net ... ``` {{< /details >}} #### Using a Secrets Volume Use this [Standalone Example](#standalone-example) if you want to use a standard [docker volume](https://docs.docker.com/storage/volumes/) or bind mount for your secrets. {{< details "docker-compose.yml" >}} ```yaml --- version: "3.8" services: authelia: container_name: authelia image: docker.io/authelia/authelia:latest restart: unless-stopped networks: net: aliases: [] expose: - 9091 environment: AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY volumes: - ${PWD}/data/authelia/config:/config - ${PWD}/data/authelia/secrets:/secrets networks: net: external: true name: net ``` ... {{< /details >}} ### Bundles To use the bundles we recommend first cloning the git repository and checking out the latest release on a Linux Desktop: ```bash git clone https://github.com/authelia/authelia.git cd authelia git checkout $(git describe --tags `git rev-list --tags --max-count=1`) ``` #### lite The [lite bundle](https://github.com/authelia/authelia/tree/master/examples/compose/lite) can be used by following this process: 1. Perform the commands in [the bundles section](#bundles). 2. Run the `cd examples/compose/lite` command. 3. Edit `users_database.yml` and either change the username of the `authelia` user, or [generate a new password](../../reference/guides/passwords.md#passwords), or both. The default password is `authelia`. 4. Edit the `configuration.yml` and `docker-compose.yml` with your respective domains and secrets. 5. Run `docker compose up -d` or `docker-compose up -d`. #### local The [local bundle](https://github.com/authelia/authelia/tree/master/examples/compose/local) can be setup after cloning the repository as per the [bundles](#bundles) section then running the following commands on a Linux Desktop: ```bash cd examples/compose/local ./setup.sh ``` The bundle setup modifies the `/etc/hosts` file which is performed with `sudo`. Once it is successfully setup you can visit the following URL's to see Authelia in action (`example.com` will be replaced by the domain you specified): * [https://public.example.com](https://public.example.com) - Bypasses Authelia * [https://traefik.example.com](https://traefik.example.com) - Secured with Authelia one-factor authentication * [https://secure.example.com](https://secure.example.com) - Secured with Authelia two-factor authentication (see note below) You will need to authorize the self-signed certificate upon visiting each domain. To visit [https://secure.example.com](https://secure.example.com) you will need to register a device for second factor authentication and confirm by clicking on a link sent by email. Since this is a demo with a fake email address, the content of the email will be stored in `./authelia/notification.txt`. Upon registering, you can grab this link easily by running the following command: ```bash grep -Eo '"https://.*" ' ./authelia/notification.txt. ``` ## FAQ #### Running the Proxy on the Host Instead of in a Container If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the users asking how to accomplish this. It should be noted that we can't provide documentation or support for every architectural choice our users make and you should expect to do your own research to figure this out where possible. The example below includes the additional `ports` option which must be added in order to allow communication to *Authelia* from daemons on the [Docker] host. The other values are used to show context within the [Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs. {{< details "docker-compose.yml" >}} ```yaml --- services: authelia: container_name: authelia image: docker.io/authelia/authelia:latest restart: unless-stopped networks: net: aliases: [] expose: - 9091 ports: - "127.0.0.1:9091:9091" ... ``` {{< /details >}} [Docker]: https://docker.com [Docker Compose]: https://docs.docker.com/compose/