# Docker Deployment
Privitty Edge ships as a minimal scratch-based container image. The image contains fully static Rust binaries — no shell, no package manager, no OS-level CVE surface.
Included binaries:
| Binary | Role |
|---|---|
| privitty-edged | Daemon (container entrypoint) |
| privitty-edge | CLI for docker exec and health checks |
## Pull the image
See Registries for all available tags and platforms.
## Run (minimal)
```bash
docker run -d \
  --name privitty-edged \
  --restart unless-stopped \
  -e PRIVITTY_PROFILE=gateway01 \
  -p 127.0.0.1:7200:7200 \
  -v privitty-data:/var/lib/privitty \
  privitty/edge:latest
```
## Run (production recommendations)
```bash
docker run -d \
  --name privitty-edged \
  --restart unless-stopped \
  -e PRIVITTY_PROFILE=factory-gw-01 \
  -e PRIVITTY_LISTEN=0.0.0.0:7200 \
  -e PRIVITTY_ACCOUNTS=/var/lib/privitty \
  -e RUST_LOG=info \
  -p 127.0.0.1:7200:7200 \
  -v privitty-data:/var/lib/privitty \
  --memory=512m \
  --cpus=1 \
  privitty/edge:latest
```
| Recommendation | Why |
|---|---|
| Bind to 127.0.0.1 on the host | Keeps the JSON-RPC API off the public network |
| Named volume for /var/lib/privitty | Persists keys, DB, blobs, and license across restarts |
| --restart unless-stopped | Survives host reboots |
| Resource limits | Prevents runaway memory on constrained gateways |
**Security**
Do not expose port 7200 on 0.0.0.0 without a reverse proxy, firewall, or mTLS in front. The API has no built-in authentication layer — it is designed for localhost or trusted network segments.
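The recommendations in the table above can be checked against a running container instead of trusting the command history. The following script is an added example, not part of Privitty Edge's own tooling: it reads the JSON that `docker inspect <container>` prints and reports every deviation from the production settings (loopback-only port binding, restart policy, resource limits, a writable named volume on /var/lib/privitty, and the HEALTHCHECK verdict). The two inspect documents embedded in it are constructed samples, one for a container published on 0.0.0.0 with no limits and one matching the production run command.

```python
"""Audit a Privitty Edge container against the production recommendations.
Added example, not project tooling: parses `docker inspect` output and
returns findings. SAMPLE_EXPOSED and SAMPLE_HARDENED are constructed."""
import json
import subprocess

API_PORT = "7200/tcp"
DATA_DIR = "/var/lib/privitty"
LOOPBACK = {"127.0.0.1", "::1"}


def audit(inspect_json: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    container = json.loads(inspect_json)[0]
    host_cfg = container.get("HostConfig") or {}
    findings = []

    # 1. The JSON-RPC port has no authentication: publish it on loopback only.
    for binding in (host_cfg.get("PortBindings") or {}).get(API_PORT) or []:
        host_ip = binding.get("HostIp") or "0.0.0.0"  # empty HostIp = all interfaces
        if host_ip not in LOOPBACK:
            findings.append(f"{API_PORT} published on {host_ip}: bind to 127.0.0.1 instead")

    # 2. Restart policy so the daemon comes back after a host reboot.
    policy = (host_cfg.get("RestartPolicy") or {}).get("Name")
    if policy != "unless-stopped":
        findings.append(f"RestartPolicy is {policy!r}, not unless-stopped")

    # 3. Resource limits (docker inspect reports 0 when none is set).
    if not host_cfg.get("Memory"):
        findings.append("no memory limit (--memory) set")
    if not host_cfg.get("NanoCpus"):
        findings.append("no CPU limit (--cpus) set")

    # 4. The state directory must be a writable named volume, or keys, DB and license are lost.
    mounts = {m.get("Destination"): m for m in container.get("Mounts") or []}
    data = mounts.get(DATA_DIR)
    if data is None:
        findings.append(f"{DATA_DIR} is not mounted; state will not persist")
    elif data.get("Type") != "volume":
        findings.append(f"{DATA_DIR} is a {data.get('Type')} mount, not a named volume")
    elif not data.get("RW", True):
        findings.append(f"{DATA_DIR} is mounted read-only; the daemon cannot write its DB")

    # 5. Surface the HEALTHCHECK verdict when Docker has recorded one.
    health = ((container.get("State") or {}).get("Health") or {}).get("Status")
    if health and health != "healthy":
        findings.append(f"container health is {health!r}")
    return findings


def audit_container(name: str = "privitty-edged") -> list[str]:
    """Inspect a live container by name and audit it (needs the docker CLI)."""
    out = subprocess.run(["docker", "inspect", name], capture_output=True, text=True, check=True)
    return audit(out.stdout)


# Constructed inspect output for a container started with -p 0.0.0.0:7200:7200,
# no restart policy, no limits, and only a read-only bind mount on /data.
SAMPLE_EXPOSED = """[{"Id": "constructed-1",
  "State": {"Status": "running", "Health": {"Status": "unhealthy"}},
  "HostConfig": {"PortBindings": {"7200/tcp": [{"HostIp": "0.0.0.0", "HostPort": "7200"}]},
                 "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
                 "Memory": 0, "NanoCpus": 0},
  "Mounts": [{"Type": "bind", "Source": "/host/telemetry", "Destination": "/data", "RW": false}]}]"""

# Constructed inspect output matching the production run command above.
SAMPLE_HARDENED = """[{"Id": "constructed-2",
  "State": {"Status": "running", "Health": {"Status": "healthy"}},
  "HostConfig": {"PortBindings": {"7200/tcp": [{"HostIp": "127.0.0.1", "HostPort": "7200"}]},
                 "RestartPolicy": {"Name": "unless-stopped", "MaximumRetryCount": 0},
                 "Memory": 536870912, "NanoCpus": 1000000000},
  "Mounts": [{"Type": "volume", "Name": "privitty-data", "Destination": "/var/lib/privitty", "RW": true}]}]"""

if __name__ == "__main__":
    for label, sample in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {audit(sample) or ['OK']}")
```

Run it on a real host with `audit_container("privitty-edged")`; an empty HostIp in PortBindings is treated as 0.0.0.0 because that is what Docker does when `-p 7200:7200` is given without an address.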
## Volumes
| Mount | Purpose |
|---|---|
| /var/lib/privitty | Required for persistence. Account keys, SQLite DB, file blobs, privitty.lic |
| /etc/privitty/privitty-edged.toml | Optional reference config (documentation only — see Configuration) |
Backup example:
```bash
docker run --rm \
  -v privitty-data:/data:ro \
  -v "$(pwd)":/backup \
  alpine tar czf /backup/privitty-backup.tar.gz -C /data .
```
## Health check
The image includes a built-in Docker HEALTHCHECK:
```dockerfile
HEALTHCHECK --interval=30s --timeout=5s --start-period=60s --retries=3 \
  CMD ["/usr/local/bin/privitty-edge", "health"]
```
Manual check from the host:
Or inside the container (via exec on a debug sidecar — the scratch image has no shell):
**Start period**
First boot provisioning can take up to 60 seconds. The health check start-period accounts for this.
## Using the CLI inside the container
```bash
# Account status
docker exec privitty-edged \
  privitty-edge --accounts /var/lib/privitty status

# List chats
docker exec privitty-edged \
  privitty-edge --accounts /var/lib/privitty chats

# License management
docker exec privitty-edged \
  privitty-edge --accounts /var/lib/privitty license status
```
Always pass --accounts /var/lib/privitty when using CLI subcommands that touch the filesystem (license, etc.).
## Sending files from the host
Files must exist inside the container at the path passed to privitty_send_file. Mount a data directory:
```bash
docker run -d \
  --name privitty-edged \
  -e PRIVITTY_PROFILE=gateway01 \
  -p 127.0.0.1:7200:7200 \
  -v privitty-data:/var/lib/privitty \
  -v /host/telemetry:/data:ro \
  privitty/edge:latest
```
Then reference /data/report.csv in your JSON-RPC call (not /host/telemetry/report.csv).
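The host-to-container path translation is easy to get wrong in a caller that builds the JSON-RPC request, so here is an added example (not project code) that does it from a mount table mirroring the `-v /host/telemetry:/data:ro` flag above. It normalises the host path, rejects anything outside a mounted directory (including `..` segments that climb out of it, and look-alike prefixes such as `/host/telemetry-old`), and returns the path the daemon will see. The `MOUNTS` table and `container_path`/`is_sendable` names are this example's own.

```python
"""Map a host file path to the path the daemon sees inside the container,
which is what privitty_send_file must receive. Added example, not project
code; MOUNTS mirrors the -v flag in the run command above."""
import posixpath

# host directory -> container directory, mirroring `-v /host/telemetry:/data:ro`
MOUNTS = {"/host/telemetry": "/data"}


def container_path(host_path: str, mounts: dict[str, str] = MOUNTS) -> str:
    """Return the in-container path for host_path.

    Raises ValueError when the file is outside every mounted directory, which
    also catches '..' segments that would climb out of the mount."""
    norm = posixpath.normpath(host_path)
    if not posixpath.isabs(norm):
        raise ValueError(f"host path must be absolute: {host_path!r}")
    for host_dir, ctr_dir in mounts.items():
        host_dir = posixpath.normpath(host_dir)
        # commonpath compares whole components, so /host/telemetry-old does not match
        if posixpath.commonpath([host_dir, norm]) == host_dir:
            rel = posixpath.relpath(norm, host_dir)
            return posixpath.normpath(posixpath.join(ctr_dir, rel))
    raise ValueError(f"{host_path!r} is not under any directory mounted into the container")


def is_sendable(host_path: str, mounts: dict[str, str] = MOUNTS) -> bool:
    """True if host_path maps into the container, False otherwise."""
    try:
        container_path(host_path, mounts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(container_path("/host/telemetry/report.csv"))  # /data/report.csv
    for bad in ("/host/telemetry/../secrets.txt", "/host/telemetry-old/x.csv", "/etc/passwd"):
        try:
            container_path(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Note that a symlink inside /host/telemetry is resolved by the container against its own root filesystem, not the host's, so a link pointing outside the mounted directory will simply be dangling for the daemon; keep the files you intend to send as regular files under the mount.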
## Image variants
| Tag | Contents |
|---|---|
| privitty/edge:latest | Daemon + CLI |
| privitty/edge:latest-viewer | Daemon + CLI + privitty-viewer |
## Next steps
- Docker Compose — declarative multi-service setup
- Configuration — environment variables
- Getting Started — first boot walkthrough