onecli/slim container (dashboard, API, and gateway in one) plus a PostgreSQL database. It takes about ten minutes. For the free, open source edition, see Deploy Community Edition.
This setup is ideal for evaluation and small-team use. Before going to production, work through the production checklist below.
Prerequisites
- Access to the
onecli/slimimage. The image is private; pull access is granted with your Enterprise agreement. If you don’t have access yet, contact us. - A Docker Hub login with that access active on the deploying machine:
docker login - Docker Engine with the Compose plugin (
docker compose versionshould work) - Outbound network access to pull images from Docker Hub
- PostgreSQL: the compose file below includes one. To use an external database instead, see Configuration
Deploy
Create the compose file
Create a directory for your deployment and save this as
docker-compose.yml:docker-compose.yml
The example pins nothing:
onecli/slim:latest tracks the latest stable release. For production, pin a specific tag; every release is also published under an immutable short commit SHA. The tag list is visible on Docker Hub once your account has image access.Configure secrets
Create a
.env file next to the compose file:ONECLI_ORG_API_KEY is your instance’s organization API key, the credential you’ll use to provision projects and agents over the API. The format is enforced: oc_org_ followed by 64 lowercase hex characters.If you omit
ONECLI_ORG_API_KEY, the instance generates one on first start and prints it to the container logs exactly once. To load the key from a mounted secret instead of the environment, set ONECLI_ORG_API_KEY_FILE to the file path. See Configuration.Start the stack
Verify the deployment
Check both health endpoints:Then open http://localhost:10254. You’ll land on the app-connection screen.
By default the instance runs in single-user mode: there is no login screen, and anyone who can reach port
10254 has admin access. The compose file binds to 127.0.0.1 for that reason. Keep the dashboard on a private network, or enable multi-user mode with Google OAuth.Next steps
- Connect the CLI and agents, including headless provisioning with your organization API key
- Connect apps with your own OAuth credentials
- Review the configuration reference
Upgrading
Releases update thelatest tag. To upgrade:
Production checklist
- Terminate TLS in front of the instance. Run a reverse proxy (nginx, Caddy, or your load balancer) with HTTPS, and set
APP_URLto the public URL. It’s also the base for OAuth callback URLs when you connect apps. - Pin the image tag instead of tracking
latest. - Use managed PostgreSQL where available, and schedule backups of both the database and the
onecli-datavolume. - Set
SECRET_ENCRYPTION_KEYexplicitly (for exampleopenssl rand -hex 32) and store it in your secrets manager, rather than relying on the auto-generated key in the volume. - Restrict network exposure. In single-user mode, treat port
10254as an admin interface. Port10255is the gateway your agents connect to; expose it only where agents run.
Troubleshooting
The container exits with a database migration error
The container exits with a database migration error
If the very first start fails with
Can't reach database server, PostgreSQL wasn’t ready when migrations ran. The compose file above guards against this with a healthcheck and depends_on: condition: service_healthy. Make sure yours has both.If a failed first boot left migrations in a broken state on an instance with no data yet, reset and start clean:The logs show "ONECLI_ORG_API_KEY is malformed"
The logs show "ONECLI_ORG_API_KEY is malformed"
The key must be The instance refuses to substitute a generated key for a malformed one, so a typo fails loudly instead of silently issuing a key you don’t know.
oc_org_ followed by exactly 64 lowercase hex characters. Regenerate one:Pulling fails with "pull access denied for onecli/slim"
Pulling fails with "pull access denied for onecli/slim"
The image is private. Two things need to be true: your Docker Hub account has been granted access as part of your Enterprise agreement, and the deploying machine is logged in with that account (
docker login). If you don’t have access yet, contact us.Port 10254 or 10255 is already in use
Port 10254 or 10255 is already in use
Change the host side of the port mappings in
docker-compose.yml (for example 127.0.0.1:20254:10254) and use that port in your browser and APP_URL.Where are the logs?
Where are the logs?
starting onecli-gateway and gateway ready); the dashboard and API log structured JSON. Request activity from agents is stored in your PostgreSQL and shown in the dashboard’s activity view.