Container Deployment
The IDIAL-APP is delivered as a Docker container. Before the first start, a master encryption key must be generated and persistent volumes must be configured. On every start, the container automatically validates its configuration — if any check fails, it exits with a defined exit code before the application starts.
Prerequisites
- Docker Engine ≥ 20.10 or Docker Compose ≥ 2.x
- Access to the BxC container registry
Generate the Master Key
The master key is the only external secret the IDIAL-APP requires. It encrypts and decrypts all credentials stored within the application (IDIAL API keys, OIDC secrets, etc.). The key must be base64-encoded and decode to exactly 32 bytes (256 bits).
Store this key securely. A lost master key means all stored credentials are permanently unrecoverable. The key must be identical on every container restart — a changed key will cause startup to fail with exit code 21.
The key is passed to the IDIAL-APP via an environment variable or a key file. In production environments, the IDIAL_MASTER_KEY environment variable is the preferred approach: the key can be injected at runtime from an HSM or KMS (e.g., PKCS#11, AWS KMS, HashiCorp Vault) and never resides unencrypted on the filesystem. For lab and test environments, the file-based approach (IDIAL_MASTER_KEY_FILE) is a simpler alternative.
openssl rand -base64 32
In production environments, ensure the key is generated with sufficient entropy, stored securely, and backed up separately.
Deployment with Docker Compose (recommended)
Create the directory structure
mkdir -p idial-app/{secrets,data,config,logs}
cd idial-app
Store the master key (lab setup)
openssl rand -base64 32 > secrets/master_key.txt
chmod 600 secrets/master_key.txt
docker-compose.yml
services:
idial-app:
image: registry.bxc-security.com/idial-app:latest
container_name: idial-app
restart: unless-stopped
environment:
- IDIAL_MASTER_KEY_FILE=/run/secrets/master_key
- PORT=5555
- LOG_LEVEL=INFO
secrets:
- source: master_key
target: /run/secrets/master_key
mode: 0400
volumes:
- ./data:/app/runtime_data
- ./config:/app/config
- ./logs:/app/logs
ports:
- "443:5555"
healthcheck:
test: ["CMD", "curl", "-fsk", "https://localhost:5555/api/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
secrets:
master_key:
file: secrets/master_key.txt
Start the container
docker compose up -d
First Start vs. Restart
First start
On the first start, the container automatically creates the following files and structures:
| Path in container | Content | Action |
|---|---|---|
/app/runtime_data/containers.json | Empty container list | Created automatically |
/app/runtime_data/users.json | Created on first login | — |
/app/config/crypto/encrypted_keystore.json | Encrypted test dataset for key validation | Created automatically |
/app/runtime_data/certs/cert.pem + key.pem | Self-signed TLS certificate (4096-bit RSA) | Generated automatically |
The first start typically takes 8–10 seconds (including TLS certificate generation).
Restart
On a restart, the container runs through the same validation chain but significantly faster (~2–3 seconds), since directories, keystore, and TLS certificate already exist.
The same master key is required. If a different key is provided on restart, keystore validation fails (exit code 23) and the container will not start.
Startup Validation Chain
The entrypoint script validates the following on every start, in order:
- Crypto configuration — master key present, Base64 format correct, exactly 32 decoded bytes, existing keystore decryptable
- Directories and write permissions — volumes mounted and writable
- Port availability — configured port not already in use
- Crypto health check — encryption and decryption functional
- TLS setup — load custom certificates or generate self-signed ones
- Application start — Gunicorn with 4 worker processes
If any step fails, the container exits with a defined exit code. See Configuration Reference for details.
Using Custom TLS Certificates
By default, the container generates a self-signed certificate on first start. To use your own certificate, place the files in the volume before starting:
cp /path/to/cert.pem data/certs/cert.pem
cp /path/to/key.pem data/certs/key.pem
The container detects existing certificates automatically and skips generation.
Verify Health
# Basic health check (no authentication required)
curl -sk https://localhost/api/health
# Response: {"status": "healthy", "service": "IDIAL Management API"}
# Crypto system status (admin authentication required)
curl -sk https://localhost/api/health/crypto
Check Logs
# Live log stream
docker compose logs -f idial-app
# Startup output only (last 50 lines)
docker compose logs --tail=50 idial-app
Expected output on successful start:
[OK] Master key provided via environment variable
[OK] Master key format validated (32 bytes)
[OK] Crypto system test passed
[OK] Write permissions verified
[OK] SSL certificates found
[OK] All validations passed - starting application
Starting IDIAL Web Backend with Gunicorn...
[INFO] Starting HTTPS server on port 5555