Run privacyIDEA with Docker Compose and persistent volumes for database and config.
Create a docker-compose.yml file:
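# Docker Compose stack: privacyIDEA backed by MariaDB, with named volumes for
# the database, the privacyIDEA data directory and its configuration.
#
# Both passwords are read from the environment (or a `.env` file next to this
# file) and fall back to the sample values from this guide. Those fallbacks are
# publicly known: set your own values before the first `docker compose up`,
# and keep `.env` out of version control with restrictive file permissions.
#   MARIADB_ROOT_PASSWORD   - MariaDB root password
#   PRIVACYIDEA_DB_PASSWORD - password of the `privacyidea` database user
version: '3.8'

services:
  mariadb:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      # The official MariaDB image applies these values only when it
      # initializes an empty data volume; editing them later does not change
      # the passwords stored in an existing database.
      MYSQL_ROOT_PASSWORD: "${MARIADB_ROOT_PASSWORD:-rootpassword}"
      MYSQL_DATABASE: privacyidea
      MYSQL_USER: privacyidea
      MYSQL_PASSWORD: "${PRIVACYIDEA_DB_PASSWORD:-privacyideapassword}"
    volumes:
      - mariadb_data:/var/lib/mysql
    # No `ports:` entry on purpose: the database is reachable only from
    # containers attached to privacyidea-network, not from the host network.
    networks:
      - privacyidea-network
    healthcheck:
      # The password is taken from the container's own environment (`$$`
      # escapes Compose interpolation), so it is defined in one place and the
      # check keeps working after the root password is changed above.
      test:
        - CMD-SHELL
        - 'mysqladmin ping -h localhost -u root -p"$$MYSQL_ROOT_PASSWORD"'
      interval: 30s
      timeout: 10s
      retries: 5

  privacyidea:
    # `latest` is a moving tag. For an authentication server, pin a specific
    # release tag or image digest so that upgrades are deliberate.
    image: privacyidea/privacyidea:latest
    restart: unless-stopped
    depends_on:
      mariadb:
        # Wait for the MariaDB healthcheck to pass before starting.
        condition: service_healthy
    environment:
      PI_DB_HOST: mariadb
      PI_DB_NAME: privacyidea
      PI_DB_USER: privacyidea
      # Must match MYSQL_PASSWORD of the mariadb service; both read the same
      # variable so they cannot drift apart.
      PI_DB_PASSWORD: "${PRIVACYIDEA_DB_PASSWORD:-privacyideapassword}"
      PI_ENCFILE: /etc/privacyidea/enckey
      PI_PUBLICFILE: /etc/privacyidea/public.pem
      PI_PRIVATEFILE: /etc/privacyidea/private.pem
      PI_LOGLEVEL: INFO
    volumes:
      - pi_data:/var/lib/privacyidea/data
      # pi_config holds the key files referenced above (enckey, private.pem).
      # Treat the volume and any copy of it as secret material and include it
      # in backups: the database alone is presumably not usable without the
      # encryption key - confirm against the privacyIDEA documentation.
      - pi_config:/etc/privacyidea
    ports:
      # Publishes plain HTTP on every host interface. When a TLS reverse proxy
      # on the same host fronts the service, publish on loopback only
      # ("127.0.0.1:5000:5000") so the unencrypted port is not reachable
      # from the network.
      - "5000:5000"
    networks:
      - privacyidea-network
    # List form with a literal block scalar: the script's line breaks reach
    # bash exactly as written, independent of YAML line folding.
    command:
      - bash
      - "-c"
      - |
        if [ ! -f /etc/privacyidea/enckey ]; then
          echo 'Initializing privacyIDEA...'
          pi-manage create_enckey
          pi-manage create_ca
          # NOTE(review): no password argument is given here; confirm how the
          # initial admin password is set in a non-interactive container and
          # change it right after the first login.
          pi-manage admin add admin admin@example.com
        fi
        pi-manage db upgrade
        /usr/bin/supervisord -n
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:5000/health"]
      interval: 30s
      timeout: 10s
      retries: 5

volumes:
  mariadb_data: {}
  pi_data: {}
  pi_config: {}

networks:
  privacyidea-network:
    driver: bridge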
# Navigate to the directory containing docker-compose.yml
cd /path/to/privacyidea
# Start both services in the background (detached mode)
docker compose up -d
# Follow the privacyidea service's logs to monitor first-run initialization
# (Ctrl+C stops following the logs, not the container)
docker compose logs -f privacyidea
After startup, access the web UI at:
admin / test (change immediately!)
/etc/privacyidea config

For production use with SSL, configure a reverse proxy like nginx:
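# TLS-terminating reverse proxy in front of the privacyIDEA container.
server {
    listen 443 ssl http2;
    server_name mfa.example.com;

    ssl_certificate     /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    # State the accepted protocol versions explicitly; older nginx builds
    # still enable TLS 1.0/1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # The hop to the backend is plain HTTP, so it must stay on this host:
        # publish the container port on loopback only and keep port 5000
        # closed to the network.
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        # $remote_addr is the address nginx itself saw.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so only the last entry is trustworthy for audit logs
        # or client-IP based policies in the backend.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}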
# View logs of all services in follow mode
docker compose logs -f
# Access privacyIDEA CLI inside container
# (replace <privacyidea-container> with the container name shown by `docker compose ps`)
docker exec -it <privacyidea-container> pi-manage --help
# Create backup
# NOTE(review): the backup presumably contains database contents and possibly
# key material; store it like a secret. Confirm what pi-manage includes.
docker exec -it <privacyidea-container> pi-manage backup create
# Update to newer version: pull the images named in docker-compose.yml, then
# recreate the containers whose image changed. The container start command
# runs `pi-manage db upgrade`, so take a backup before updating.
docker compose pull
docker compose up -d
If integrating with Shibboleth or other IdPs, test authentication flow end-to-end after each config change.