Deployment with Docker Compose

tldr;

  1. Install docker and docker compose (v2) using your distribution’s packages.

  2. Login to CheckSec container registry with docker login containers.checksec.com. Get your credentials via support@checksec.com

  3. Copy this docker-compose.yml over to host, to let’s say /srv/canopy/.

  4. Copy Canopy license file to the same directory.

  5. Run docker compose up -d.

  6. Check logs with docker compose logs -f or tail -F logs/current.

Warning

Docker will expose ports 80/443 publicly on the server and your host firewall will not block them! This is how docker works. Do your firewalling outside the host. You can change the docker-compose.yml file to bind to a specific IP in required, see https://docs.docker.com/reference/compose-file/services/#ports

Notes

  • Get your containers.checksec.com registry account via support@checksec.com

  • Only x86_64 architecture is supported at this stage.

  • podman is also supported using the docker-compose provider.

TLS Certificate

After the first startup of the containers you will have a certs directory. Place your .pem file in there. It should contain the full certificate chain as well as the private key (without a password).

The filename doesn’t matter and you can place multiple certificates, for different hostnames.

Self-signed certificates will be generated on-demand for any non-matching hostname.

Restart the canopy container of changing certificates via docker compose restart canopy

Backups

As the root user, archive the whole docker-compose.yml directory: tar -zcvf /my_backup.tgz /srv/canopy/

Upgrades

  1. Run docker compose pull to pull new versions of the container images.

  2. Run docker compose up -d to recreate containers with updated images.

This will not lead to data loss as all data is stored on the host via mounts.

Directories

  • ./config will contain the Canopy config file canopy.ini.

  • ./data contains all user data (uploaded/generated files) as well as plugins, etc.

  • ./postgresql-data contains the Postgresql RDBMS’s data.

  • ./certs for your TLS certificates.

  • ./logs file based logs for canopy container.

These directories are mounted into their respective containers and their permissions will be set according to the requirements of the containers. Don’t change permissions or ownership of these directories manually.

Logging

By default all containers logs to stdout/stderr and Docker will capture these. They are viewable via docker compose logs -f or similar command.

Additionally the Canopy container will persist logs to the ./logs directory as docker doesn’t persist logs by default.

Docker can be configured to persist logs by setting "log-driver": "journald" in /etc/docker/daemon.json. e.g. echo '{"log-driver": "journald"}' > /etc/docker/daemon.json See https://docs.docker.com/engine/logging/drivers/journald/ This requires a docker daemon restart as well as container recreation.

Troubleshooting

Start off with checking if the containers are running via docker compose ps -a. All but the init container should be running.

Next check the logs, if the issue seems application based then look at the canopy container’s logs via docker compose logs canopy.

To create a log file for uploading to our support portal, use: docker compose logs | gzip > containers.log.gz