One signed Docker image. Every feature compiled in. Free to run. docker pull crowkis/crowkis:latest

Getting started

Docker deployment

The production way to run Crowkis. One hardened image from Docker Hub or GHCR, a compose file you can paste, and an auth boundary you can prove in two curl commands.

Pull and run#

shell
docker pull crowkis/crowkis:latest

docker run -d --name crowkis \
  -p 127.0.0.1:6379:6379 \
  -p 127.0.0.1:6380:6380 \
  -p 127.0.0.1:6381:6381 \
  -v crowkis-data:/data \
  -e CROWKIS_ADMIN_KEY=change-me-admin-key \
  -e CROWKIS_AUTH_TOKEN=change-me-resp-grpc-token \
  crowkis/crowkis:latest
PortSurface
127.0.0.1:6379RESP3 — crowkis cli or any Redis client
127.0.0.1:6380Dashboard, management REST API, /health
127.0.0.1:6381gRPC h2c

Ports publish to localhost. If you bind to 0.0.0.0, the management API and dashboard metrics require CROWKIS_ADMIN_KEY or an RBAC API key — enforced by the server, not left to convention.

Compose, production shape#

The recommended deployment is the hardened compose file on the Docker image page — read-only filesystem, dropped capabilities, non-root, pids limit, localhost ports. Copy it, set the two credentials, docker compose up -d.

Health and auth checks#

shell
curl http://127.0.0.1:6380/health
# expect JSON with service status and "admin_auth": "enabled"

Verify the auth boundary holds before you trust it:

shell
# should be rejected when auth is enabled
curl -i http://127.0.0.1:6380/api/metrics

# authenticated read
curl -H "x-crowkis-admin-key: change-me-admin-key" \
  http://127.0.0.1:6380/api/metrics
CROWKIS_ALLOW_UNAUTHENTICATED_ADMIN=1 exists for local experiments only. Never set it where a non-loopback interface is exposed.

Mounting a license#

Without a license file Crowkis runs the free Community edition at full power. An Enterprise license is one read-only mount:

shell
docker run -d --name crowkis \
  -v /path/to/license.json:/etc/crowkis/license.json:ro \
  ... crowkis/crowkis:latest

The signature is verified offline (Ed25519) at boot and every six hours. Renewal is replacing the file — no downtime, picked up at the next check.

Upgrades#

shell
docker pull crowkis/crowkis:latest
docker compose up -d   # or docker restart after re-create

That's the entire upgrade path: binary swap. The on-disk format is stable — no schema migrations, no export/import.

Day-2 operations#

shell
docker logs -f crowkis           # structured JSON, one line per event
docker compose down              # stop, keep data
docker compose down -v           # stop and remove the data volume
docker exec -it crowkis crowkis cli   # REPL into the running server