{"token_count": 4475} # Installing Teleport on Docker This guide shows you how to install and run Teleport using the official Docker images. It covers selecting an image, configuring the container, running Teleport services, and upgrading. ## Images Teleport publishes a pre-built Docker image for every release. Images are hosted on [Amazon ECR Public](https://gallery.ecr.aws/gravitational). ### Image suffixes You can specify attributes of an image by appending a suffix to the repository name or tag. Images with the `-distroless` suffix include only the `teleport` binary and its runtime dependencies, with no shell or utility applications. An example is `public.ecr.aws/gravitational/teleport-distroless` for Teleport Community Edition. Images with the `-distroless-debug` suffix include a Busybox shell and tool suite in addition to Teleport, and are intended for troubleshooting deployments only. They are not intended for production use. An example is `public.ecr.aws/gravitational/teleport-distroless-debug`. `-distroless` and `-distroless-debug` images support multiple architectures natively, and do not require (or support) image suffixes. You can specify an architecture using the `--platform` flag of `docker pull` to pull the `arm`, `arm64`, or `amd64` version of an image. ### Version tags Images point to a static version of Teleport. Use the image's tag to specify either: - The major, minor, and patch version (e.g., `19.0.0-dev` for the latest version of Teleport Community Edition). - The major version only, which implies the latest minor and patch numbers for that major version. For example, `19` implies `19.0.0-dev`. **Teleport Enterprise (Managed)** | Image name | Includes troubleshooting tools | Image base | | ------------------------------------------------------------------- | ------------------------------ | -------------------------------------------------------------------------- | | `public.ecr.aws/gravitational/teleport-ent-distroless:18.8.3` | No | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | | `public.ecr.aws/gravitational/teleport-ent-distroless-debug:18.8.3` | Yes | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | For testing, we always recommend that you use the latest Cloud release version of Teleport Enterprise, which is currently `public.ecr.aws/gravitational/teleport-ent-distroless:18.8.3`. **Teleport Enterprise (Self-Hosted)** | Image name | Includes troubleshooting tools | Image base | | ------------------------------------------------------------------- | ------------------------------ | -------------------------------------------------------------------------- | | `public.ecr.aws/gravitational/teleport-ent-distroless:13.3.7` | No | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | | `public.ecr.aws/gravitational/teleport-ent-distroless-debug:13.3.7` | Yes | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | We provide the following images for FIPS builds of Teleport Enterprise: | Image name | Includes troubleshooting tools | Image base | | ---------------------------------------------------------------------------- | ------------------------------ | -------------------------------------------------------------------------- | | `public.ecr.aws/gravitational/teleport-ent-fips-distroless:19.0.0-dev` | No | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | | `public.ecr.aws/gravitational/teleport-ent-fips-distroless-debug:19.0.0-dev` | Yes | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | For testing, we always recommend that you use the latest release version of Teleport Enterprise, which is currently `public.ecr.aws/gravitational/teleport-ent-distroless:13.3.7`. **Teleport Community Edition** | Image name | Includes troubleshooting tools | Image base | | --------------------------------------------------------------- | ------------------------------ | -------------------------------------------------------------------------- | | `public.ecr.aws/gravitational/teleport-distroless:13.3.7` | No | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | | `public.ecr.aws/gravitational/teleport-distroless-debug:13.3.7` | Yes | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | For testing, we always recommend that you use the latest release version of Teleport, which is currently `public.ecr.aws/gravitational/teleport-distroless:13.3.7`. ### Interacting with distroless images Teleport images are based on Google's [Distroless](https://github.com/GoogleContainerTools/distroless) images. These images do not contain a shell. To execute Teleport commands on containers based on these images, run commands similar to the following: ``` in docker $ docker exec -it teleport-container tctl status in Kubernetes $ kubectl exec -i pod-name -- tctl status sending local files via stdin $ kubectl exec -i pod-name -- tctl create -f < my-local-file.yaml retrieving the teleport service config file from the configmap $ kubectl get configmap teleport-cluster-auth -o jsonpath="{.data['teleport\.yaml']}" retrieving output via stdout and tar $ kubectl exec -i pod-name -- tctl auth sign --user admin --format tls --ttl 10m --tar -o admin | tar xv -C local $ ls -l local total 24 -rw------- 1 trent staff 1318 Jul 24 15:52 admin.cas -rw------- 1 trent staff 1895 Jul 24 15:52 admin.crt -rw------- 1 trent staff 1679 Jul 24 15:52 admin.key ``` Alternatively, you can use the debug variant of the image, which contains [busybox](https://www.busybox.net/about.html) and a minimal shell invocable via `busybox sh`: ``` $ docker run -it --entrypoint="" public.ecr.aws/gravitational/teleport-distroless-debug:13.3.7 busybox sh ``` ### Machine & Workload Identity (tbot) image We also provide a slimmed-down distroless image that contains only the `tbot` binary for use with Teleport Machine & Workload Identity. | Image name | FIPS support | Image base | | -------------------------------------------------------------- | ------------ | -------------------------------------------------------------------------- | | `public.ecr.aws/gravitational/tbot-distroless:19.0.0-dev` | No | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | | `public.ecr.aws/gravitational/tbot-fips-distroless:19.0.0-dev` | Yes | [Distroless Debian 12](https://github.com/GoogleContainerTools/distroless) | The version tagging follows the same pattern as the main `teleport-distroless` image. While the `teleport-distroless` image also includes `tbot`, prefer the `tbot`-specific image for Machine & Workload Identity deployments. This image is smaller, which improves pull times, and has a smaller attack surface. The image is also customized to improve the experience of running `tbot` in a container environment. To learn more, read the [Deploying Machine & Workload Identity on Kubernetes](https://goteleport.com/docs/machine-workload-identity/deployment/kubernetes.md) guide. ## Running Teleport on Docker When running a container from one of the images listed above, treat the container as equivalent to running the `teleport` binary directly. The Teleport container requires access to a file system and network ports. ### Configuration While Teleport's default configuration path is `/etc/teleport.yaml`, the Docker image is configured to read from `/etc/teleport/teleport.yaml`. Mount your configuration directory to `/etc/teleport` in the container so Teleport can find it. ### Data directory All Teleport processes read from and write to a data directory, which by default is `/var/lib/teleport`. Make sure the data directory is mounted to your Teleport container. If you do not mount persistent storage, cluster state is lost when the container is recreated. ### License file If your Teleport Enterprise container runs the Auth Service, you will need to give it access to a license file at the path named in the configuration, which is `/var/lib/teleport/license.pem` by default. Make sure a license exists at this location in the Teleport container's data directory. ### Other file paths Depending on the configuration settings you assign on your Teleport container, you will need to make sure that any file paths you name are mounted on the container. For example, if you are running the Teleport Proxy Service on a container, mount the directory containing TLS credentials to your Teleport container, then assign the following fields in the container's configuration file to the appropriate paths: ``` proxy_service: https_keypairs: - key_file: /my/path/key.pem cert_file: /my/path/cert.pem ``` See the Teleport [Configuration Reference](https://goteleport.com/docs/reference/deployment/config.md) for whether a field you would like to assign requires a file path. ### Ports A single Teleport process can run multiple services, each of which listens on a specific set of ports depending on your configuration. See our [Networking Reference](https://goteleport.com/docs/reference/deployment/networking.md#ports) for the ports on your Teleport container to expose. ### Extracting certificates from distroless images Extracting certificates created with `tctl auth sign` from a container running a distroless image can be tricky due to the absence of a shell and other OS tools. Where possible, log into the Teleport cluster using `tsh` and use `tctl auth sign` locally to generate certificates. This way the action is logged against your Teleport user and is subject to all of the usual Teleport RBAC policies in your cluster. If this is not possible, use `tctl auth sign --tar` to collect all the files generated by `tctl auth sign` into a `tar` archive, which is streamed directly to `stdout`. When you use `--tar`, the `-o` flag changes meaning: instead of writing files to disk, it acts as a name prefix for the entries inside the tar stream. As a result, no certificate files are written to the container filesystem. You can either pipe this output directly to `tar`, or redirect it to a local file for later use. For example: ``` $ docker exec teleport-container \ tctl auth sign --user alice --format tls -o alice.local --tar | tar xv x alice.local.crt x alice.local.key x alice.local.cas ``` ## Example: running a Teleport container locally In this example, you will run the Teleport Auth Service and Proxy Service on a local Docker container using Teleport Community Edition. Since this container uses a self-signed certificate, we do not recommend using this configuration to protect any infrastructure outside your workstation. You can, however, join other local Docker containers to it using the [token method](https://goteleport.com/docs/installation/agents/join-token.md). 1. Create directories in your home directory to mount to the container. The Teleport container will write its configuration and data to these directories: ``` $ mkdir -p ~/teleport/config ~/teleport/data ``` 2. Run `teleport configure` from the Teleport container to generate a configuration file. This sets the container's name to `localhost` so your browser can trust the Proxy Service's self-signed TLS certificate: ``` $ docker run --hostname localhost --rm \ --entrypoint=/usr/local/bin/teleport \ public.ecr.aws/gravitational/teleport-distroless:13.3.7 configure --roles=proxy,auth > ~/teleport/config/teleport.yaml ``` 3. Start Teleport on your container. This container runs both the Auth Service and Proxy Service in a single process for local testing: ``` $ docker run --hostname localhost --name teleport \ -v ~/teleport/config:/etc/teleport \ -v ~/teleport/data:/var/lib/teleport \ -p 3025:3025 -p 3080:3080 \ public.ecr.aws/gravitational/teleport-distroless:13.3.7 ``` 4. In a new terminal, confirm that the Teleport container's web API is functioning as intended: ``` $ curl --insecure https://localhost:3080/webapi/ping | jq ``` The command returns JSON describing the cluster, including `server_version`, `cluster_name`, and details for each service. The `--insecure` flag is required because Teleport is using a self-signed certificate. In production, provision TLS credentials to the Proxy Service from a trusted CA, e.g., Let's Encrypt. ## Upgrading Teleport on Docker To upgrade a Teleport container running on Docker: 1. Back up the Teleport backend before upgrading. Major-version upgrades run schema migrations on the data directory that cannot be reversed by starting an older image. For backup procedures and supported upgrade paths, see [Upgrading Teleport](https://goteleport.com/docs/upgrading/overview.md). 2. Stop the container with `docker stop teleport`. 3. Leave the container's data directory in place. 4. Run a new container with an image based on a newer Teleport version, mounting the data directory as you did when running the container initially. As long as the data directory contains the same content as before the upgrade, the Teleport container does not need to re-join the cluster. 5. Verify the upgraded version: ``` $ curl --insecure https://localhost:3080/webapi/ping | jq '.server_version' ``` If the upgrade fails or the container doesn't start, see [Container fails to start after upgrade](#container-fails-to-start-after-upgrade) below. ## Troubleshooting The sections below cover common issues when running Teleport on Docker. Each section names a specific symptom so you can scan for what you are seeing. ### Port already in use If `docker run` fails with `bind: address already in use` for ports 3025 or 3080, another process on the host is using those ports. Find the conflicting process with `lsof -i :3080` (macOS or Linux), then either stop it or map Teleport to a different host port (for example, `-p 3081:3080`). ### Configuration file not found If the container exits immediately with `failed to read configuration` or `no such file or directory` for `/etc/teleport/teleport.yaml`, the configuration file is not mounted into the container at the expected path. Verify that the configuration file exists on the host and that you mount its parent directory to `/etc/teleport` inside the container, not the file itself. Mounting a single file rather than its parent directory can cause issues when the file is replaced or symlinked. ### Permission denied writing to the data directory If the container fails to start with `permission denied` errors against `/var/lib/teleport`, the container's user does not have write access to the mounted data directory. Distroless images run as a non-root user, so host directory permissions need to allow that user to write. Adjust permissions on the host directory with `chmod` or `chown` so the container's user can write to it. ### `tctl auth sign --tar` produces no output If `tctl auth sign --tar | tar xv` runs but no certificate files appear locally, the underlying `tctl auth sign` call most likely failed and emitted an error message instead of a tar archive. You may also see `tar: This does not look like a tar archive`. To diagnose, run `tctl auth sign` without the `--tar` flag and confirm that the user, format, and other parameters are valid. Once the command succeeds, add `--tar` back and pipe the output to `tar xv`. ### Container fails to start after upgrade If the container fails to start after upgrading to a newer Teleport version, check the logs with `docker logs teleport` for migration or compatibility errors. Confirm that you did not skip a major version: Teleport supports upgrades from one major version to the next, and skipping versions is not supported. Do not roll back by starting the previous image version against the upgraded data directory. Major-version upgrades run schema migrations that an older Auth Service cannot read, and doing so can leave the backend in an unusable state. To roll back safely, restore the backend from the backup taken before the upgrade. See [Upgrading Teleport](https://goteleport.com/docs/upgrading/overview.md) for the supported procedure.