Skip to main content

Docker Deployment

Panguard provides Docker images and Compose configurations for containerized deployments. This guide covers single-container setup, full-stack Compose deployments, and production hardening.

Prerequisites

RequirementVersion
Docker>= 24.0
Docker Compose>= 2.20

Quick Start with Docker

1

Pull the Image

docker pull panguard/panguard-ai:latest
2

Run the Container

docker run -d \
  --name panguard \
  -p 3000:3000 \
  -v panguard-data:/data \
  panguard/panguard-ai:latest
3

Verify

docker logs panguard

Docker Compose: Basic Setup (API + Ollama)

This configuration runs the Panguard API server with a local Ollama instance for Layer 2 AI analysis at zero cost. 
# docker-compose.yml
services:
  panguard:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: panguard
    restart: unless-stopped
    ports:
      - '3000:3000'
    volumes:
      - panguard-data:/data
      - ./config:/app/config:ro
    environment:
      - PANGUARD_DATA_DIR=/data
      - PANGUARD_PORT=3000
      - OLLAMA_ENDPOINT=http://ollama:11434
    depends_on:
      ollama:
        condition: service_healthy

  ollama:
    image: ollama/ollama:latest
    container_name: panguard-ollama
    restart: unless-stopped
    ports:
      - '11434:11434'
    volumes:
      - ollama-models:/root/.ollama
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:11434/api/tags']
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s

volumes:
  panguard-data:
  ollama-models:

# Build and start
docker compose up -d

# Pull an Ollama model (first time only)
docker exec panguard-ollama ollama pull llama3

# View logs
docker compose logs -f panguard

Docker Compose: Full Stack (Guard + Ollama + Threat Cloud)

This configuration runs the complete Panguard platform with Guard protection and local AI. 
# docker-compose.full.yml
services:
  panguard:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: panguard
    restart: unless-stopped
    ports:
      - '3000:3000'
    volumes:
      - panguard-data:/data
      - ./config:/app/config:ro
    environment:
      - PANGUARD_DATA_DIR=/data
      - PANGUARD_PORT=3000
      - OLLAMA_ENDPOINT=http://ollama:11434
    depends_on:
      ollama:
        condition: service_healthy
    networks:
      - panguard-net

  ollama:
    image: ollama/ollama:latest
    container_name: panguard-ollama
    restart: unless-stopped
    ports:
      - '11434:11434'
    volumes:
      - ollama-models:/root/.ollama
    networks:
      - panguard-net
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:11434/api/tags']
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s

volumes:
  panguard-data:
  ollama-models:

networks:
  panguard-net:
    driver: bridge

docker compose -f docker-compose.full.yml up -d

Port Reference

PortServiceProtocolNotes
3000API ServerHTTPMain entry point
11434OllamaHTTPLocal AI inference
2222Trap: SSH HoneypotTCPDefault SSH trap port
8080Trap: HTTP HoneypotTCPDefault HTTP trap port
2121Trap: FTP HoneypotTCPDefault FTP trap port
4450Trap: SMB HoneypotTCPDefault SMB trap port
3307Trap: MySQL HoneypotTCPDefault MySQL trap port
3390Trap: RDP HoneypotTCPDefault RDP trap port
2323Trap: Telnet HoneypotTCPDefault Telnet trap port

Environment Variables

Guard Agent

VariableDefaultDescription
PANGUARD_DATA_DIR./dataData directory for baselines, logs, rules
PANGUARD_MODElearningGuard mode: learning or protection
OLLAMA_ENDPOINThttp://localhost:11434Ollama API endpoint
ANTHROPIC_API_KEY(none)Claude API key for cloud AI
OPENAI_API_KEY(none)OpenAI API key for cloud AI
ABUSEIPDB_KEY(none)AbuseIPDB API key for threat intel

API Server

VariableDefaultDescription
PANGUARD_PORT3000API server port
Never pass secrets via the environment key in production Compose files. Use env_file with restricted permissions instead:
env_file:
  - /etc/panguard/guard.env  # chmod 600

Production Hardening

Docker Image Security

The production Docker image includes:
  • Multi-stage build — Build dependencies are not in the final image
  • Non-root user — Runs as panguard (UID 1001)
  • tini — Proper PID 1 signal handling and zombie reaping
  • Minimal packages — Only tini and curl in the final image

Required Capabilities

For Guard response actions to function inside Docker, grant these capabilities: 
cap_add:
  - NET_ADMIN    # Block IPs via iptables
  - KILL         # Terminate malicious processes
  - SYS_PTRACE   # Memory scanning

Checklist

  • Set NODE_ENV=production (enables HSTS, disables wildcard CORS)
  • Generate strong secrets (openssl rand -hex 32)
  • Use TLS termination (nginx/Caddy reverse proxy in front)
  • Restrict network access to Manager port
  • Mount secrets as env files, not inline environment variables
  • Use named volumes for persistent data
  • Configure log rotation for container logs

Log Locations (Inside Container)

ComponentPathFormat
Guard events/data/events.jsonlJSONL
Guard actions/data/action-manifest.jsonlJSONL
Guard baseline/data/baseline.jsonJSON
Application logsstdout/stderrStructured JSON

Log Rotation

The ReportAgent handles log rotation automatically:
SettingDefault
Max file size50 MB
Max rotated files10
Retention90 days

Backup Strategy

Back up these critical files regularly:
  • Baseline data (/data/baseline.json) — Loss requires re-running learning mode
  • Threat Cloud database — Back up the SQLite database on schedule
  • Configuration — Store config and env files in version control or a secrets manager

System Service

Install Guard as a native systemd/launchd service instead of Docker.

Multi-Endpoint Setup

Connect Guard agents to a centralized Manager.

Threat Cloud

Deploy Threat Cloud alongside your Guard fleet.

Architecture

Full technical architecture of the platform.