Official imagelinux/amd64 · linux/arm64alpine · non-root · binary-onlyfree · no license needed

One image. Every feature. Hardened before you ask.

Crowkis ships as a single Docker image with the entire engine compiled in. Pull it, run it, and the free Community edition is live at full power — a license file upgrades the same image to Enterprise at boot. There is no "remember to secure it later" step.

$ docker pull crowkis/crowkis:latest

Docker Hub and GHCR · signed releases · then step 2 below

:6379RESP3

Redis wire protocol — crowkis cli or any Redis client.

:6380HTTP

Dashboard + management REST API + /health.

:6381gRPC

h2c — Get / Set / GetStream / Stats / Invalidate.

Run it

One command, persistent volume included. Ports publish to localhost only — exposing Crowkis to a network is a decision you make explicitly, not a default you discover.

shell

docker run -d --name crowkis \
  -p 127.0.0.1:6379:6379 \
  -p 127.0.0.1:6380:6380 \
  -p 127.0.0.1:6381:6381 \
  -v crowkis-data:/data \
  crowkis/crowkis:latest

Prefer Compose? The hardened file below is the recommended production shape — copy it as docker-compose.yml and docker compose up -d.

docker-compose.yml

services:
  crowkis:
    image: crowkis/crowkis:latest
    container_name: crowkis
    ports:
      - "127.0.0.1:6379:6379"   # RESP3
      - "127.0.0.1:6380:6380"   # dashboard + REST
      - "127.0.0.1:6381:6381"   # gRPC
    volumes:
      - crowkis-data:/data
      # - ./license.json:/etc/crowkis/license.json:ro   # Enterprise
    environment:
      CROWKIS_ADMIN_KEY: change-me-admin-key
      CROWKIS_AUTH_TOKEN: change-me-resp-grpc-token
      CROWKIS_MEMORY_LIMIT: 512m
    read_only: true
    tmpfs:
      - /tmp
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    pids_limit: 512
    restart: unless-stopped

volumes:
  crowkis-data:

Verify it's healthy

Ask the container itself. The health endpoint reports service status and whether admin auth is active.

$ curl http://127.0.0.1:6380/health

expect JSON with "admin_auth": "enabled"

$ docker logs -f crowkis

one structured log line per significant event

Prove the auth boundary

Don't trust it — test it. Unauthenticated management reads must be rejected when auth is on:

$ curl -i http://127.0.0.1:6380/api/metrics

should be rejected without a key

$ curl -H "x-crowkis-admin-key: $KEY" http://127.0.0.1:6380/api/metrics

authenticated read succeeds

Talk to it

The binary inside the container ships the interactive REPL — or point any Redis client at port 6379.

$ docker exec -it crowkis crowkis cli

built-in REPL against the running server

$ CSET "hello" "world" EX 3600 MODEL gpt-4o TENANT demo

then CGET a paraphrase and watch the dashboard

Hardened by default

The compose file is the security checklist.

Everything below is the stock deployment shape. You harden it by not editing it.

read_only: true

The container filesystem is immutable. Data lives on the mounted volume; /tmp is tmpfs.

cap_drop: ALL

Every Linux capability dropped. The process needs none of them.

no-new-privileges

Even a compromised process can't gain privileges it didn't start with.

Non-root user

Built into the image — not something you have to remember to configure.

pids_limit: 512

Fork bombs hit a wall.

Localhost-only ports

Published to 127.0.0.1 by default. Going public is an explicit choice.

HEALTHCHECK built in

/health endpoint wired into the image, so orchestrators see real readiness.

Binary-only image

One stripped Rust binary, a non-root user, /data. No shell tooling, no package manager, no supply chain.

Environment reference

The knobs that matter.

None are required — the image boots with sensible defaults. Full reference in the configuration docs.

Variable	Default	What it does
CROWKIS_ADMIN_KEY	change-me-admin-key	Auth key for the management API and dashboard metrics.
CROWKIS_AUTH_TOKEN	change-me-resp-grpc-token	Bearer token required for RESP and gRPC traffic.
CROWKIS_BIND_ADDR	127.0.0.1	Published-port bind address. Keep localhost until you mean it.
CROWKIS_MEMORY_LIMIT	512m	Runtime memory ceiling for the cache process.
CROWKIS_BLOCK_CACHE_BYTES	64m	Block cache capacity for hot SSTable reads.
CROWKIS_MAX_CONNECTIONS	10000	Concurrent connection ceiling.
CROWKIS_LOG_QUERY_PREVIEWS	0	Keeps prompt text out of logs. On by default, on purpose.
CROWKIS_LICENSE_PATH	/etc/crowkis/license.json	Enterprise license file. Absent = Community edition, free.

Local experiments only: CROWKIS_ALLOW_UNAUTHENTICATED_ADMIN=1 disables the management auth gate. Never set it on anything with a public interface.

Day-2 commands

$ docker pull crowkis/crowkis:latest && docker compose up -d

the entire upgrade path — binary swap, stable on-disk format, no migrations

$ docker compose down

stop, keep data

$ docker compose down -v

stop and remove the data volume

Where to next

Quickstart →

First commands against a running instance.

Configuration →

Every environment variable, explained.

MCP for AI apps →

Let Claude Code and agents use the cache.

Pricing →

Community is free. Enterprise unlocks with a license file.