
Docker and Docker Compose

This guide is for teams who prefer to run LyftData in containers instead of installing binaries onto hosts. It covers:

  • A single-container server for evaluation (built-in worker only).
  • A Docker Compose stack with external workers (licensed deployments).
  • The master-key settings required for headless containers (no desktop keyring/DBus).

Prerequisites

  • Docker Engine + Docker Compose v2.
  • A persistent directory on the host for server data (and worker data if using external workers).

Master keys (required in headless containers)

On desktops, LyftData can use the OS keyring. In headless containers, keyring calls commonly fail with DBus errors. Use env-backed master keys instead.

Generate three 32-byte keys (each can be supplied as 64 hex characters):

openssl rand -hex 32 # variables master key
openssl rand -hex 32 # credential manager master key
openssl rand -hex 32 # settings master key (built-in + external workers)

You will use these variables:

  • Server variables encryption: LYFTDATA_VARIABLES_MASTER_KEY_SOURCE=env and LYFTDATA_VARIABLES_MASTER_KEY=<64-hex-chars>
  • Server credential manager: LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY_SOURCE=env and LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY=<64-hex-chars>
  • Worker settings encryption (built-in + external workers): LYFTDATA_SETTINGS_MASTER_KEY_SOURCE=env and LYFTDATA_SETTINGS_MASTER_KEY=<64-hex-chars>

See also: Configuration → Master keys.
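
One way to generate the three keys without pasting them into shell history or a Compose file, shown as an added example (not LyftData's own tooling). The helper names and the output file name are assumptions; the variable names are the ones listed above.

```shell
#!/bin/sh
# Added example, not LyftData tooling: helper names and the env-file path are
# assumptions. Variable names are the ones listed in this guide.

# Emit 32 random bytes as 64 lowercase hex characters.
rand_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        # Fallback without openssl: read the kernel CSPRNG directly.
        head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
        echo
    fi
}

# Write all six settings to the file named by $1, readable by its owner only.
write_master_key_env() {
    out=$1
    # Never replace an existing file: its keys may already be in use.
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    (
        umask 077    # the redirect below creates the file with mode 0600
        for name in VARIABLES CREDENTIAL_MANAGER SETTINGS; do
            key=$(rand_hex32) || exit 1
            # Accept only exactly 64 hex characters.
            case $key in *[!0-9a-f]*) exit 1 ;; esac
            [ "${#key}" -eq 64 ] || exit 1
            printf 'LYFTDATA_%s_MASTER_KEY_SOURCE=env\n' "$name"
            printf 'LYFTDATA_%s_MASTER_KEY=%s\n' "$name" "$key"
        done > "$out"
    ) || { rm -f "$out"; return 1; }
}

# Usage (file name is an assumption):
#   write_master_key_env ./lyftdata-keys.env
#   docker run --env-file ./lyftdata-keys.env ... <your-image> run server ...
```

The same file can be referenced from a Compose service with `env_file:` instead of listing the keys under `environment:`.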

Option A: Single-container server (evaluation)

This runs the server with the built-in worker. It is the fastest way to evaluate LyftData in Docker.

docker run --rm \
  -p 3000:3000 \
  -v "$PWD/lyft_data/server:/data" \
  -e LYFTDATA_LICENSE_EULA_ACCEPT=yes \
  -e LYFTDATA_ADMIN_INIT_PASSWORD=ChangeMeVerySoon1 \
  -e LYFTDATA_STAGING_DIR=/data \
  -e LYFTDATA_VARIABLES_MASTER_KEY_SOURCE=env \
  -e LYFTDATA_VARIABLES_MASTER_KEY=<64-hex-chars> \
  -e LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY_SOURCE=env \
  -e LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY=<64-hex-chars> \
  -e LYFTDATA_SETTINGS_MASTER_KEY_SOURCE=env \
  -e LYFTDATA_SETTINGS_MASTER_KEY=<64-hex-chars> \
  <your-image> \
  run server --disable-tls --bind-address 0.0.0.0:3000 --variables-master-key-source env

Open http://localhost:3000/ and sign in as admin.

Using the downloadable Docker image (no registry)

If you are using the downloads portal instead of a container registry, download the platform-matching server image archive and load it locally.

  • Look for files like lyftdata-server-docker-linux-amd64.tar.xz or lyftdata-server-docker-linux-arm64.tar.xz (plus the matching .sha256).
  • Load the image, then run it with the same flags and environment variables shown above.

Example:

sha256sum -c lyftdata-server-docker-linux-amd64.tar.xz.sha256
xz -dc lyftdata-server-docker-linux-amd64.tar.xz | docker load
docker images | head

docker load prints the loaded image name and tag. Use that image reference in docker run or Compose.

Building your own Docker image (Dockerfile)

If you want to customize the base image (for example: add custom CA certificates, ODBC drivers, or other runtime dependencies), you can package the lyftdata binary into your own image.

Notes:

  • You can use the same image for server and workers. The combined lyftdata binary supports both lyftdata run server and lyftdata run worker.
  • GNU/Linux builds require zlib at runtime (zlib1g on Debian/Ubuntu).
  • Keep secrets (license JWTs and master keys) out of the image; pass them via environment variables at runtime.

Example Dockerfile:

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      zlib1g \
    && rm -rf /var/lib/apt/lists/*
COPY lyftdata /usr/local/bin/lyftdata
RUN chmod 0755 /usr/local/bin/lyftdata
ENV LYFTDATA_LICENSE_EULA_ACCEPT=yes
EXPOSE 3000
ENTRYPOINT ["/usr/local/bin/lyftdata"]

Build it (make sure the lyftdata binary matches the image architecture, for example linux/amd64 vs linux/arm64):

docker build -t lyftdata:local .

Option B: Docker Compose (server + external workers)

Use this only for licensed deployments where you want external workers.

services:
  lyft-server:
    image: <your-image>
    restart: unless-stopped
    command:
      - run
      - server
      - --disable-tls
      - --bind-address
      - 0.0.0.0:3000
      - --variables-master-key-source
      - env
    ports:
      - "3000:3000"
    environment:
      LYFTDATA_LICENSE_EULA_ACCEPT: "yes"
      LYFTDATA_ADMIN_INIT_PASSWORD: "ChangeMeVerySoon1"
      # Optional but recommended: bootstrap the license non-interactively (required for external workers on first run)
      LYFTDATA_LICENSE: "<paste-your-license-jwt>"
      LYFTDATA_STAGING_DIR: "/data"
      LYFTDATA_AUTO_ENROLLMENT_KEY: "ChangeThisEnrollmentKey!"
      LYFTDATA_VARIABLES_MASTER_KEY_SOURCE: "env"
      LYFTDATA_VARIABLES_MASTER_KEY: "<64-hex-chars>"
      LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY_SOURCE: "env"
      LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY: "<64-hex-chars>"
      # Required in headless containers because the built-in worker runs inside the server
      LYFTDATA_SETTINGS_MASTER_KEY_SOURCE: "env"
      LYFTDATA_SETTINGS_MASTER_KEY: "<64-hex-chars>"
    volumes:
      - ./lyft_data/server:/data
  worker-alpha:
    image: <your-image>
    restart: unless-stopped
    command:
      - run
      - worker
      - --url
      - http://lyft-server:3000
      - --worker-name
      - worker-alpha
      - --worker-jobs-dir
      - /data
    depends_on:
      - lyft-server
    environment:
      LYFTDATA_LICENSE_EULA_ACCEPT: "yes"
      LYFTDATA_AUTO_ENROLLMENT_KEY: "ChangeThisEnrollmentKey!"
      LYFTDATA_SETTINGS_MASTER_KEY_SOURCE: "env"
      LYFTDATA_SETTINGS_MASTER_KEY: "<64-hex-chars>"
    volumes:
      - ./lyft_data/worker-alpha:/data
  worker-beta:
    image: <your-image>
    restart: unless-stopped
    command:
      - run
      - worker
      - --url
      - http://lyft-server:3000
      - --worker-name
      - worker-beta
      - --worker-jobs-dir
      - /data
    depends_on:
      - lyft-server
    environment:
      LYFTDATA_LICENSE_EULA_ACCEPT: "yes"
      LYFTDATA_AUTO_ENROLLMENT_KEY: "ChangeThisEnrollmentKey!"
      LYFTDATA_SETTINGS_MASTER_KEY_SOURCE: "env"
      LYFTDATA_SETTINGS_MASTER_KEY: "<64-hex-chars>"
    volumes:
      - ./lyft_data/worker-beta:/data

Bring it up:

docker compose up -d
docker compose logs -f lyft-server
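
A preflight check to run before `docker compose up`, shown as an added example (not part of LyftData). It assumes the secrets live in a `KEY=VALUE` env file referenced by `env_file:` or `--env-file`; `audit_lyftdata_env` and `sample_env` are hypothetical helpers, and the rule that each master key must be unique is an assumption.

```shell
#!/bin/sh
# Added example, not LyftData tooling: audit_lyftdata_env and sample_env are
# hypothetical helpers. Prints one finding per line; non-zero status if any.
audit_lyftdata_env() {
    awk -F= '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
        name = $1
        value = substr($0, length(name) + 2)   # keep any "=" inside the value
        # Sample secrets and <placeholders> copied verbatim from this guide.
        if (value == "ChangeMeVerySoon1" || value == "ChangeThisEnrollmentKey!" ||
            value ~ /^<.*>$/) {
            print name ": sample or placeholder value"; bad++
            next
        }
        if (name !~ /_MASTER_KEY$/) next
        if (value !~ /^[0-9A-Fa-f]+$/ || length(value) != 64) {
            print name ": not 64 hex characters"; bad++
        } else if (tolower(value) in seen) {
            # Assumption: each master key is unique to its purpose.
            print name ": same key as " seen[tolower(value)]; bad++
        } else {
            seen[tolower(value)] = name
        }
    }
    END { exit (bad > 0) }
    ' < "$1"
}

# Constructed sample: one copied password, one reused key, one placeholder.
sample_env() {
    k=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    cat <<EOF
LYFTDATA_ADMIN_INIT_PASSWORD=ChangeMeVerySoon1
LYFTDATA_VARIABLES_MASTER_KEY_SOURCE=env
LYFTDATA_VARIABLES_MASTER_KEY=$k
LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY=$k
LYFTDATA_SETTINGS_MASTER_KEY=<64-hex-chars>
EOF
}
```

Running `sample_env > sample.env; audit_lyftdata_env sample.env` reports three findings and returns a non-zero status, which makes the check usable as a gate in a deploy script.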

TLS notes

For container stacks, it is common to run the server with --disable-tls and terminate TLS at a reverse proxy. If you keep TLS enabled with a self-signed certificate, workers must connect using --tls-insecure (or LYFTDATA_TLS_INSECURE=true) during evaluation.

Troubleshooting