Docker Deployment
Docker Compose is the official and only supported way to deploy SentriKat on-premises. The release bundle you download from the Customer Portal contains everything you need: the docker-compose.yml, an annotated .env.example, and the Nginx reverse-proxy configuration.
System Requirements
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4+ cores |
| RAM | 4 GB | 8 GB |
| Disk | 20 GB SSD | 50 GB SSD |
| Docker | 20.10+ | Latest stable |
| Docker Compose | v2.0+ | Latest stable |
| Network | Outbound HTTPS (443) | Outbound HTTPS (443) |
Why 4 GB minimum RAM?
SentriKat runs the application, PostgreSQL, and background sync tasks, and maintains a full NVD CPE dictionary (~50K entries) in the database. The 4 GB minimum ensures stable operation under load.
Architecture
The stack consists of three services defined in the bundled docker-compose.yml:
| Service | Role | Port |
|---|---|---|
| sentrikat | The SentriKat application (Flask, served by Gunicorn) | 5000 (inside the network) |
| sentrikat-db | PostgreSQL database | 5432 (internal only) |
| sentrikat-nginx | Reverse proxy in front of the app | 80 / 443 |
Database schema migrations run automatically when the application boots — there is no manual migration step, on first install or on upgrades.
Installation
1. Download SentriKat
- Log into the Customer Portal with your email (you'll receive a one-time code)
- Go to Downloads and download the latest release bundle (sentrikat-<version>.tar.gz)
2. Extract and Configure
```bash
# Extract the bundle
tar -xzf sentrikat-*.tar.gz
cd sentrikat-*
# Load the Docker image shipped inside the bundle
docker load -i sentrikat-image-*.tar.gz
# Create your configuration from the annotated template
cp .env.example .env
${EDITOR:-nano} .env
```
No registry access needed
The application image ships inside the bundle — your server never needs to reach a container registry. Air-gapped installs work out of the box.
Set the required variables in .env (the .env.example in the bundle documents each one):
| Variable | Description | How to set |
|---|---|---|
| `SECRET_KEY` | Application signing key | `openssl rand -hex 32` |
| `ENCRYPTION_KEY` | Key used to encrypt stored credentials | `python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"` |
| `DB_PASSWORD` | PostgreSQL password (used by the bundled `DATABASE_URL`) | Choose a strong password |
| `DATABASE_URL` | PostgreSQL connection string | Pre-wired to the bundled database service — only change it for an external PostgreSQL |
| `SERVER_NAME` | Hostname SentriKat is served on (e.g. sentrikat.example.com) | Your DNS name |
| `SENTRIKAT_URL` | Full public base URL, used in emails and share links (e.g. https://sentrikat.example.com) | Your URL |
| `SENTRIKAT_INSTALLATION_ID` | Unique identifier of this installation (SK-INST-…). Your license is bound to it — keep it stable and back it up | See the instructions in .env.example |
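A pre-flight check for the variables in the table above, as an added example that is not part of the SentriKat bundle. The function names `env_get` and `check_env` are hypothetical, and the format checks assume the keys were generated with the commands shown in the table.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a SentriKat .env (not part of the bundle).
# Prints one line per problem and returns the number of problems found.

# Value of KEY in FILE: last assignment wins, surrounding quotes stripped.
env_get() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

check_env() {
  local file=$1 problems=0 var val
  # Every variable the table lists must be present and non-empty.
  for var in SECRET_KEY ENCRYPTION_KEY DB_PASSWORD DATABASE_URL \
             SERVER_NAME SENTRIKAT_URL SENTRIKAT_INSTALLATION_ID; do
    if [ -z "$(env_get "$var" "$file")" ]; then
      echo "MISSING  $var"; problems=$((problems + 1))
    fi
  done
  # openssl rand -hex 32 yields exactly 64 hex characters.
  val=$(env_get SECRET_KEY "$file")
  if [ -n "$val" ] && ! printf '%s' "$val" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "WEAK     SECRET_KEY is not 64 hex characters"; problems=$((problems + 1))
  fi
  # Fernet.generate_key() yields 43 URL-safe base64 characters plus one '='.
  val=$(env_get ENCRYPTION_KEY "$file")
  if [ -n "$val" ] && ! printf '%s' "$val" | grep -Eq '^[A-Za-z0-9_-]{43}=$'; then
    echo "INVALID  ENCRYPTION_KEY is not a Fernet key"; problems=$((problems + 1))
  fi
  # The license is bound to this ID, so catch a mangled value early.
  val=$(env_get SENTRIKAT_INSTALLATION_ID "$file")
  case $val in
    '' | SK-INST-?*) ;;
    *) echo "INVALID  SENTRIKAT_INSTALLATION_ID lacks the SK-INST- prefix"
       problems=$((problems + 1)) ;;
  esac
  # The file holds signing and encryption keys: no access for group or others.
  if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
    echo "PERMS    $file is accessible to group/others (chmod 600 it)"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage: ./check-env.sh .env
if [ "$#" -gt 0 ]; then check_env "$1"; fi
```

Run it against `.env` before `docker compose up -d`; a non-zero exit status is the number of findings.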
3. Start the Stack
```bash
docker compose up -d
# Wait for health — every service should be "Up (healthy)" within ~60 seconds
docker compose ps
```
On first boot the application applies all database migrations automatically (you'll see Applying schema migrations in the logs).
4. Complete the Setup Wizard
Open http://<your-host> (through the bundled Nginx) or http://<your-host>:5000 (direct to the app). On first run, SentriKat starts a setup wizard in the browser that walks you through:
- Admin account — create your administrator user
- Organization — name your first organization
- Catalog seed — initial product catalog data
- Initial sync — the first CISA KEV sync runs automatically
After the wizard, KEV data stays in sync automatically on a daily schedule — no extra configuration needed.
5. Activate Your License
- Go to Administration > License
- Find your Activation Code (SK-XXXX-XXXX-XXXX-XXXX) in the Customer Portal or your purchase email
- Enter the code in the Online Activation section and click Activate
- Done! The license is applied automatically
Firewall
Your server needs outbound HTTPS access to portal.sentrikat.com:443.
- Go to Administration > License and copy your Installation ID (SK-INST-xxxxxxxx)
- On any browser, log into portal.sentrikat.com/downloads
- Paste your Installation ID and click Activate
- Copy the signed license and add it to your .env:
- Restart:
```bash
docker compose restart sentrikat
```
For full details, see Licensing & Activation.
Verify the Installation
```bash
# All services healthy
docker compose ps
# The app answers (200, or a redirect to the wizard/login)
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:5000/
```
Common Operations
View Logs
```bash
# All services
docker compose logs -f
# Application only
docker compose logs -f sentrikat
# Last 100 lines
docker compose logs --tail=100 sentrikat
```
Restart Services
```bash
# Restart all
docker compose restart
# Restart the application only
docker compose restart sentrikat
```
Update SentriKat
- Download the latest bundle from the Customer Portal
- Extract it and copy your existing .env into the new directory
- Load the new image and start the new version:
Schema migrations for the new version run automatically at boot. Your data lives in Docker volumes and is preserved across updates — but take a backup first anyway.
Backups
See Backup & Restore for database backup and disaster-recovery procedures.
Production Hardening
TLS / HTTPS
The default deployment serves HTTP. For production, terminate TLS at the bundled Nginx — the TLS Setup runbook covers Let's Encrypt, internal CA, and self-signed paths.
Agents and HTTP
The agent installers refuse plain HTTP by default. Set up TLS before rolling out agents, or pass the explicit allow-HTTP flag for lab use (see the agent guides).
External PostgreSQL
To use an existing PostgreSQL cluster instead of the bundled sentrikat-db service, point DATABASE_URL at it — see External Postgres.
Container Permissions
For hardened hosts (SELinux, rootless Docker, custom UID/GID mappings), see Container Permissions.
Troubleshooting
A container won't start
```bash
# Check logs
docker compose logs sentrikat
# Check container status
docker compose ps -a
# Verify the resolved configuration
docker compose config
```
The most common cause is a missing required variable in .env — the application refuses to start and tells you which one in the logs.
Database connection issues
```bash
# Check PostgreSQL is running and healthy
docker compose ps sentrikat-db
# Inspect database logs
docker compose logs sentrikat-db
```
Port conflicts
The stack binds ports 80/443 (Nginx) and 5000 (app). If something else on the host already uses them:
Then change the published port in docker-compose.yml, e.g. "8080:5000".