Docker Configuration

This document describes how to build and run the PyFIDO Server using Docker.

For deployment overview and other deployment options, see 3. Deployment.

Docker Image Overview

The PyFIDO Server Docker image is built using a multi-stage Dockerfile for optimal size and security.

Build Stages

Stage 1: Builder
  - Installs build dependencies
  - Compiles Python packages
  - Optionally encrypts source with PyArmor

Stage 2: Dependencies
  - Installs Python runtime packages
  - Creates cached dependency layer

Stage 3: Runtime
  - Minimal Python runtime
  - Non-root user execution
  - Application code only

Building the Image

Production Build (with encryption)

Development Build (without encryption)

Build for AWS (AMD64)

Build Arguments

Argument          Default                     Description
PYTHON_VERSION    3.12                        Python version
PYARMOR_ENABLED   true                        Enable source encryption
PYARMOR_LICENSE   pyarmor-regfile-7333.zip    License file

Build arguments are recorded in the image metadata (visible with docker history), so only the file name belongs here, never a secret value. The license file itself must not be left behind in a layer of the final image: it should be consumed in the builder stage only, or better, mounted as a BuildKit secret for the single RUN step that needs it.
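The three build flavours named above (production with encryption, development without, and an AMD64 build for AWS) as one script, added here as an example and not the PyFIDO project's own Dockerfile or build script. It assumes the application source lives in ./app with requirements.txt at the repository root, that the entry module is app/server.py, and that PyArmor 8+ is used (its `reg`/`gen` CLI syntax is assumed; check `pyarmor gen --help` for your version). It also replaces the documented PYARMOR_LICENSE build argument with a BuildKit secret of the same name, so the license file is never written into an image layer.

```shell
#!/bin/sh
# Added example, not the PyFIDO project's own Dockerfile or build script.
# Assumptions: source in ./app, requirements.txt at the repo root, entry module
# app/server.py, PyArmor 8+ (`pyarmor reg` / `pyarmor gen` syntax assumed).
set -eu

IMAGE=${IMAGE:-pyfido-server}
PYTHON_VERSION=${PYTHON_VERSION:-3.12}
PYARMOR_LICENSE=${PYARMOR_LICENSE:-pyarmor-regfile-7333.zip}

# Emit a Dockerfile with the three stages described above (builder, deps, runtime).
dockerfile_text() {
  cat <<'EOF'
# syntax=docker/dockerfile:1
ARG PYTHON_VERSION=3.12

# Stage 1: builder - build tools and optional PyArmor obfuscation of the source
FROM python:${PYTHON_VERSION}-slim AS builder
ARG PYARMOR_ENABLED=true
WORKDIR /build
COPY app/ ./app/
# The license arrives as a BuildKit secret: mounted for this RUN only and never
# written into an image layer (a COPY or a build arg would be).
RUN --mount=type=secret,id=pyarmor_license \
    mkdir -p /out && \
    if [ "$PYARMOR_ENABLED" = "true" ]; then \
        pip install --no-cache-dir pyarmor && \
        pyarmor reg /run/secrets/pyarmor_license && \
        pyarmor gen -O /out app; \
    else \
        cp -r app /out/; \
    fi

# Stage 2: deps - runtime packages only, in a layer that is cached independently
FROM python:${PYTHON_VERSION}-slim AS deps
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Stage 3: runtime - minimal interpreter, non-root user, application code only
FROM python:${PYTHON_VERSION}-slim AS runtime
RUN useradd --uid 1000 --create-home appuser && mkdir -p /app/logs && chown -R appuser:appuser /app
COPY --from=deps /install /usr/local
COPY --from=builder --chown=appuser:appuser /out /app
WORKDIR /app
USER appuser
ENV PORT=5001 LOGDIR=/app/logs
EXPOSE 5001
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD python -c "import os,urllib.request; urllib.request.urlopen('http://127.0.0.1:%s/health' % os.environ.get('PORT','5001'))" || exit 1
CMD ["python", "-m", "app.server"]
EOF
}

# docker build arguments for the three documented builds:
#   prod = encrypted, dev = plain source, aws = encrypted and forced to linux/amd64
build_args() {
  secret="--secret id=pyarmor_license,src=$PYARMOR_LICENSE"
  case "$1" in
    prod) echo "--build-arg PYARMOR_ENABLED=true $secret -t $IMAGE:prod" ;;
    dev)  echo "--build-arg PYARMOR_ENABLED=false -t $IMAGE:dev" ;;
    aws)  echo "--platform linux/amd64 --build-arg PYARMOR_ENABLED=true $secret -t $IMAGE:amd64" ;;
    *)    echo "unknown build flavour: $1 (use prod, dev or aws)" >&2; return 1 ;;
  esac
}

# Write the Dockerfile and build one flavour. BuildKit is required for --secret.
build() {
  args=$(build_args "$1")   # fails fast on an unknown flavour
  dockerfile_text > Dockerfile
  # shellcheck disable=SC2046  # deliberate word splitting of the argument string
  DOCKER_BUILDKIT=1 docker build --build-arg "PYTHON_VERSION=$PYTHON_VERSION" $args .
}

if [ -n "${1:-}" ]; then
  build "$1"
fi
```

Usage: `sh build.sh prod`, `sh build.sh dev` or `sh build.sh aws`. The `--platform linux/amd64` flag matters when building on an Apple Silicon or other ARM host for AWS x86 instances; the dependency stage is then built for the target architecture too, so native wheels match the runtime.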

Running the Container

Basic Run

With Custom Configuration

Full Configuration Example

Environment Variables

Core Configuration

Variable   Default   Description
PORT       5001      Server listening port
PROTOCOL   wsgi      Server protocol (wsgi, http, cert)
THREADS    12        Worker thread count
DEVMODE    3         Development mode level

Database Configuration

Variable   Default                                  Description
MONGOURL   mongodb://admin:pass@localhost:27017/    MongoDB connection string

The default is a placeholder: it embeds admin:pass credentials and points at localhost, which inside the container is the container itself, not the Docker host. Supply the real URL of the database (a container name on a shared Docker network, or an external host) with a least-privilege database user rather than the admin account.

Authentication Configuration

Variable                      Default         Description
AUTH                          off             Enable JWT authentication
SESSION                       60              Session timeout (seconds)
ARCULUS_FIDO2_ADMIN_USER      admin           Admin username
ARCULUS_FIDO2_ADMIN_PASSWORD  ArculusRocks!   Admin password
ARCULUS_FIDO2_JWT_SECRET      Arculus         JWT signing secret

The ARCULUS_FIDO2_* defaults are development placeholders. Authentication is off by default, so the API runs unauthenticated until AUTH=on is set; once it is on, anyone who knows the JWT signing secret can mint their own tokens, so the default secret gives no protection at all. Set a long random secret (for example the output of openssl rand -hex 32) and a unique admin password in every deployment, and pass them as secrets rather than on the command line (see Secret Management below).

FIDO Configuration

Variable   Default   Description
EXCLUDE    on        Enable credential exclusion
REPLACE    on        Allow credential replacement
METADATA   off       Enable MDS verification
AAGUID     off       Enable AAGUID whitelist

With METADATA=off the attestation statement of a registering authenticator is not checked against the FIDO Metadata Service, and with AAGUID=off any authenticator model is accepted; enable both when the relying-party policy restricts which authenticators may register. EXCLUDE=on is the WebAuthn excludeCredentials behaviour, which stops the same authenticator from being registered twice for one user.

Logging Configuration

Variable   Default       Description
LOGLEVEL   5             Log verbosity (1=minimal, 5=verbose)
LOGDIR     /app/logs     Log file directory
SERVERID   SERV-notset   Server identifier in logs

The default log level is the most verbose one; lower it in production once the deployment is stable. LOGDIR is the one path the container needs to write, so it must be writable by the non-root user (UID 1000), typically as a mounted volume. Give each instance a distinct SERVERID so log lines can be attributed when several containers share a log sink.

Health Check

The container includes a built-in health check that requests GET /health and treats any non-success response or timeout as unhealthy.

Health check endpoint: GET /health

Check Container Health

Debugging

Interactive Shell

View Logs

Connect to Running Container

Check Application Status

Docker Compose

Basic Configuration

Production Configuration

Volume Mounts

Logs Volume

Configuration Volume

Network Configuration

Create Docker Network

Run with Network

Connect to External MongoDB

Security Considerations

Non-Root Execution

The container runs as a non-root user (appuser, UID 1000). Anything the process must write, in particular LOGDIR, has to be writable by that UID, and it is worth pinning the user at run time as well (--user 1000:1000) so that an image rebuilt without its USER instruction cannot silently start as root.

Read-Only Filesystem

For enhanced security, run with a read-only root filesystem (--read-only). The server then needs an explicitly writable location for LOGDIR (a named volume or tmpfs mounted at /app/logs) and, if the application writes temporary files, a tmpfs on /tmp; without them startup fails on the first write.

Secret Management

Never pass secrets on the command line: a value given as -e VAR=value is visible in shell history and to every user on the host through ps, and it is stored in the container metadata returned by docker inspect. Use an --env-file with restricted permissions, Docker secrets (file-mounted in Compose or Swarm), or forward a variable by name only (-e VAR with no value) so the secret is read from the calling environment and never appears in the command.
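A launcher that applies the three points above (non-root execution, read-only root filesystem, secrets kept off the command line) and also fills in the empty Running the Container section, added here as an example and not part of the PyFIDO project. The image tag, network name and volume name are assumptions; the environment variable names and their documented defaults come from the tables above, and the 32-character minimum for the JWT secret is this example's own threshold.

```shell
#!/bin/sh
# Added example, not part of the PyFIDO project: hardened `docker run` for the
# image documented on this page. IMAGE, NETWORK and LOGS_VOLUME are assumptions.
set -eu

IMAGE=${IMAGE:-pyfido-server:prod}
NETWORK=${NETWORK:-pyfido-net}
LOGS_VOLUME=${LOGS_VOLUME:-pyfido-logs}

# Refuse to start with the documented placeholder secrets. Prints each problem
# on stderr and returns 1; returns 0 when every secret has been overridden.
check_secrets() {
  rc=0
  pw=${ARCULUS_FIDO2_ADMIN_PASSWORD:-}
  jwt=${ARCULUS_FIDO2_JWT_SECRET:-}
  mongo=${MONGOURL:-}
  if [ -z "$pw" ] || [ "$pw" = "ArculusRocks!" ]; then
    echo "ARCULUS_FIDO2_ADMIN_PASSWORD is unset or still the documented default" >&2; rc=1
  fi
  # 32 characters is this example's floor for an HMAC signing key (assumption)
  if [ "$jwt" = "Arculus" ] || [ "${#jwt}" -lt 32 ]; then
    echo "ARCULUS_FIDO2_JWT_SECRET is the documented default or shorter than 32 chars" >&2; rc=1
  fi
  case "$mongo" in
    ""|*admin:pass@*) echo "MONGOURL is unset or carries the documented admin:pass credentials" >&2; rc=1 ;;
  esac
  return $rc
}

# Print the `docker run` arguments one per line so they can be reviewed.
# Secrets are forwarded by name only (`-e NAME` with no value), so they never
# appear in the command line, in `ps`, in shell history or in `docker inspect`.
run_args() {
  cat <<EOF
--name pyfido
--detach
--network $NETWORK
--publish ${PORT:-5001}:${PORT:-5001}
--user 1000:1000
--read-only
--tmpfs /tmp:rw,noexec,nosuid,size=64m
--volume $LOGS_VOLUME:/app/logs
--cap-drop ALL
--security-opt no-new-privileges
-e PORT=${PORT:-5001}
-e PROTOCOL=${PROTOCOL:-wsgi}
-e AUTH=on
-e LOGDIR=/app/logs
-e ARCULUS_FIDO2_ADMIN_USER
-e ARCULUS_FIDO2_ADMIN_PASSWORD
-e ARCULUS_FIDO2_JWT_SECRET
-e MONGOURL
$IMAGE
EOF
}

# Validate secrets, make sure the private network exists, then start the container.
main() {
  check_secrets
  docker network inspect "$NETWORK" >/dev/null 2>&1 || docker network create "$NETWORK"
  # shellcheck disable=SC2046  # one argument per line, none contain spaces
  docker run $(run_args)
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Usage: export the four secret variables in the calling shell (for example with `set -a; . ./pyfido.env; set +a` on a file readable only by the deploying user), then `sh run.sh run`. Because the root filesystem is read-only, /app/logs is a named volume and /tmp a tmpfs; everything else the process tries to write fails, which is the intent.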

Image Maintenance

View Image Size

Remove Old Images

Export Image

Load Image

Troubleshooting

Container Won't Start

Check logs for startup errors:

Common issues:

  • MongoDB connection string invalid

  • Port already in use

  • Missing environment variables

Health Check Failing
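A small script that serves both the Check Container Health step of the Health Check section and this troubleshooting entry, added here as an example and not part of the PyFIDO project. It polls the health status Docker records for the container and, when the check is failing, prints the stored probe log (exit code and output of each GET /health attempt), which is usually enough to tell a slow start from a crashed server. The container name is an assumption; the DOCKER variable only exists so the logic can be exercised without a daemon.

```shell
#!/bin/sh
# Added example, not part of the PyFIDO project. Polls the Docker health status
# of a container and dumps the probe log when the check is failing.
set -eu

DOCKER=${DOCKER:-docker}   # overridable so the logic can be exercised without a daemon

# Current health status of a container: starting | healthy | unhealthy,
# "none" if the image has no HEALTHCHECK, "missing" if the container does not exist.
health_status() {
  "$DOCKER" inspect --format '{{if .State.Health}}{{.State.Health.Status}}{{else}}none{{end}}' "$1" 2>/dev/null || echo missing
}

# Wait until the container reports healthy. Args: name, timeout in seconds (default 60).
# Returns 0 on healthy, 1 on unhealthy/missing/no check, 2 on timeout.
wait_healthy() {
  name=$1
  deadline=$(( $(date +%s) + ${2:-60} ))
  while :; do
    status=$(health_status "$name")
    case "$status" in
      healthy) return 0 ;;
      unhealthy|missing) echo "$name: $status" >&2; return 1 ;;
      none) echo "$name: image has no HEALTHCHECK" >&2; return 1 ;;
    esac
    [ "$(date +%s)" -lt "$deadline" ] || { echo "$name: still $status after timeout" >&2; return 2; }
    sleep 2
  done
}

# Show the recorded probe results (end time, exit code, output) for a failing check.
health_log() {
  "$DOCKER" inspect --format '{{range .State.Health.Log}}{{.End}} exit={{.ExitCode}} {{.Output}}{{"\n"}}{{end}}' "$1"
}

if [ -n "${1:-}" ]; then
  wait_healthy "$1" "${2:-60}" || { health_log "$1"; exit 1; }
fi
```

Usage: `sh health.sh pyfido 90`. A probe log full of connection-refused errors means the server never bound PORT (check docker logs for a MongoDB connection failure or a port clash); a log of timeouts while the container is otherwise running points at THREADS being exhausted or a slow database.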

High Memory Usage

Connection Issues
