This repo builds a Docker image for Monero, which allows
running monerod or monero-wallet-rpc or monero-wallet-cli inside a container.
This daemon is built from source: monero project.
- Monero stable for `stagenet`/`mainnet`: Use version tags like `v0.17.3.2` (or `most_recent_tag`).
- `testnet`: Use the `latest` tag (or specific master branch commit hash, e.g. `850edfe4199458314346e2910550b33663310f42`).
  - Generally, it is recommended to use `master` branch when working on `testnet`.
  - Of course, `latest` (from Master branch) can also be used with `mainnet` and `stagenet`, but typically this is not recommended.
- The `latest` docker image is based on `master` branch.
- Monero tools can also be used through the Tor network, see Tor software below.
readline is finally compiled into the binaries, so using monero-wallet-cli is way more convenient.
Internal RINO Community infrastructure tracks new Monero releases and triggers CI jobs on this repo, to publish the images to DockerHub:
- `:latest` (This is the most recent Monero `master` branch commit. Good for `testnet`.)
- A specific commit, like `:850edfe4199458314346e2910550b33663310f42` (This is a specific Monero `master` branch commit, specified by commit hash. Good for `testnet`.)
- `:most_recent_tag` (This is the most recent Monero `tag`. Good for `stagenet`/`mainnet`.)
- A specific tag, like `:v0.17.3.2` (This is a specific Monero `tag`. Good for `stagenet`/`mainnet`.)
- docker container user running `monero`
  - `USER_ID` can be used to set the user who runs `monero`
    - `-e USER_ID=1000`
  - The container can also be started with `--user 1000`
    - No existing user is used then
  - Running `monero` as `root` is not possible (`USER_ID` defaults to 1000).
    - Of course, you can still disable the entrypoint with `--entrypoint=""` and run as root with `-u 0`...
- `monerod` and `monero-wallet-rpc`
  - `--log-level=$LOG_LEVEL` (default: `0`) (also `monero-wallet-cli`)
  - `--confirm-external-bind`
  - `--rpc-bind-ip=$RPC_BIND_IP` (default: `0.0.0.0`)
  - `--rpc-bind-port=$RPC_BIND_PORT` (default: `28081`)
  - `--rpc-login $RPC_USER:$RPC_PASSWD` (default RPC_USER: `""`, default RPC_PASSWD: `""`)
    - For authentication, please see below.
- only `monerod`
  - `--p2p-bind-ip=$P2P_BIND_IP` (default: `0.0.0.0`)
  - `--p2p-bind-port=$P2P_BIND_PORT` (default: `28080`)
- only `monero-wallet-rpc` and `monero-wallet-cli`
  - `--daemon-host=$DAEMON_HOST` (default: `127.0.0.1`)
  - `--daemon-port=$DAEMON_PORT` (default: `28081`)
  - `--password=$WALLET_PASSWD` (default: `""`)
    - For wallet password, please see below.
- Adapt default configuration using environment variables:
  - `-e LOG_LEVEL=3`
  - `-e RPC_USER=user`
  - `-e RPC_PASSWD=passwd`
  - `-e RPC_BIND_IP=127.0.0.1`
  - `-e RPC_BIND_PORT=18081`
  - `-e P2P_BIND_IP=0.0.0.0`
  - `-e P2P_BIND_PORT=18080`
  - `-e DAEMON_HOST=localhost` (assuming daemon is running locally)
  - `-e DAEMON_PORT=18081` (assuming daemon listens on port `18081`)
- Using `monerod`, `monero-wallet-rpc` and `monero-wallet-cli` with `torsocks`:
  - `-e USE_TORSOCKS=YES` (default: `NO`)
- Running the Tor proxy (`tor`) within the container:
  - `-e USE_TOR=YES` (default: `NO`)
- Log files:
  - The size of log files is limited to around `5.1 MB`.
  - The number of log files is capped at `3`.
  - By using `--max-log-file-size 5242880 --max-log-files 3` in the entrypoint script.
- The IPs, the daemon or RPC are binding to, need to be `0.0.0.0` instead of `127.0.0.1` within a docker container.
- The path `/monero` in the docker container is a volume and can be mapped to a path on the client.
Check the repository for docker-compose templates. They show configuration examples of monerod and monero-wallet-rpc, respectively.
Authentication can be activated for monerod and monero-wallet-rpc.
If the environment variables RPC_USER and RPC_PASSWD are set, the container's entrypoint script adds the option --rpc-login $RPC_USER:$RPC_PASSWD.
If you don't provide user and password, you have two options:
- Add `--disable-rpc-login` when starting the container to remove authentication.
- Use the default user `monero`, password is a randomly generated string. In this case, the login information is written into a file:
      # log message on starting monero-wallet-rpc
      WARN wallet.rpc src/wallet/wallet_rpc_server.cpp:225 RPC username/password is stored in file monero-wallet-rpc.38083.login
      # example output
      monero:6xsMGa/BPkHJJvf0y+fYRg==root@78b746205a4b
  - You can get the information like this:
        docker exec rpc_user cat /monero/monero-wallet-rpc.38083.login
Example requesting the rpc:
curl -u user:password --digest http://localhost:18081
It is always recommended to use RPC authentication.
The wallet password can be configured for monero-wallet-cli and monero-wallet-rpc.
If the environment variable WALLET_PASSWD is set, the container's entrypoint script adds the option --password $WALLET_PASSWD.
If you don't provide a wallet password that way:
- You could set `--password-file wallet.passwd` and add a file containing the wallet password to the mounted volume.
It is always recommended to use a wallet password.
It is also possible to deactivate the entrypoint script.
This way, it is possible to define and configure e.g. the monero-wallet-rpc yourself:
docker run --rm -d --net host -v <path/to/and/including/wallet_folder>:/monero --entrypoint="" rinocommunity/monero:most_recent_tag monero-wallet-rpc --log-level 2 --daemon-host node.community.rino.io --daemon-port 18081 --confirm-external-bind --rpc-login user:passwd --rpc-bind-ip 0.0.0.0 --rpc-bind-port 18083 --wallet-file wallet --password-file wallet.passwd
Without any additional command
docker run --rm -it rinocommunity/monero:most_recent_tag
monerod starts with the above default configuration plus the following option:
--check-updates disabled
Any additional monerod parameters can be passed as command:
docker run --rm -d -p 18081:18081 -v <path/to/and/including/.bitmonero>:/monero rinocommunity/monero:most_recent_tag --data-dir /monero
If no host port is specified in `-p <host_port>:<container_port>`, docker will automatically assign a free port on the host.
docker run --rm -d -p 18081 -v <path/to/and/including/.bitmonero>:/monero rinocommunity/monero:most_recent_tag --data-dir /monero
However, this only works for the common Monero network ports:
- `18080`
- `18081`
- `28080`
- `28081`
- `38080`
- `38081`
Run monerod as different user (uid != 1000 && uid != 0). This is useful if deployed to several systems (AWS ec2-user: uid=500).
Abbreviated command:
docker run --rm -d -p 18081:18081 -e USER_ID=500 -v <host>:<container> rinocommunity/monero:most_recent_tag <options>
The path /monero is supposed to be used as --data-dir configuration for monerod. Here the synchronized blockchain data is stored. So when mounted, /monero should contain the files from within .bitmonero.
When used as monero-wallet-rpc the full command is necessary as command to docker run:
Passing the password as environment variable:
docker run --rm -d --net host -e DAEMON_HOST=node.community.rino.io -e DAEMON_PORT=18081 -e RPC_BIND_PORT=18083 -e RPC_USER=user -e RPC_PASSWD=passwd -e WALLET_PASSWD=securePasswd -v <path/to/and/including/wallet_folder>:/monero rinocommunity/monero:most_recent_tag monero-wallet-rpc --wallet-file wallet
Using a password file:
docker run --rm -d --net host -e DAEMON_HOST=node.community.rino.io -e DAEMON_PORT=18081 -e RPC_BIND_PORT=18083 -e RPC_USER=user -e RPC_PASSWD=passwd -v <path/to/and/including/wallet_folder>:/monero rinocommunity/monero:most_recent_tag monero-wallet-rpc --wallet-file wallet --password-file wallet.passwd
Run monero-wallet-rpc as different user (uid != 1000 && uid != 0). This is useful if deployed to several systems (AWS ec2-user: uid=500).
Abbreviated command:
docker run --rm -d --net host -e DAEMON_HOST=node.community.rino.io -e DAEMON_PORT=18081 -e RPC_BIND_PORT=18083 -e USER_ID=500 -v <host>:<container> rinocommunity/monero:most_recent_tag monero-wallet-rpc <options>
monero-wallet-rpc starts with the above default configuration plus additional options passed in the actual docker run command, like -e RPC_BIND_PORT=18083.
The path /monero is supposed to contain the actual wallet files. So when mounted, /monero should contain the files from within e.g. ~/Monero/wallets/my_wallet/.
When used as monero-wallet-cli the full command is necessary as command to docker run:
docker run --rm -it -e DAEMON_HOST=node.community.rino.io -e DAEMON_PORT=18081 -v <path/to/and/including/wallet_folder>:/monero --net host rinocommunity/monero:most_recent_tag monero-wallet-cli --wallet-file wallet --password-file wallet.passwd
Due to -it (interactive terminal), you will end up within the container and can use the monero-wallet-cli commands.
Run monero-wallet-cli as different user (uid != 1000 && uid != 0). This is useful if deployed to several systems (AWS ec2-user: uid=500).
Abbreviated command:
docker run --rm -it --net host -e DAEMON_HOST=node.community.rino.io -e DAEMON_PORT=18081 -e USER_ID=500 -v <host>:<container> rinocommunity/monero:most_recent_tag monero-wallet-cli <options>
The path /monero is supposed to contain the actual wallet files. So when mounted, /monero should contain the files from within e.g. ~/Monero/wallets/my_wallet/.
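The run commands above combine several settings worth reviewing before deployment: secrets passed with `-e`, `--disable-rpc-login`, ports published without a host IP, and `--net host` together with the default `0.0.0.0` RPC bind. The shell function below is an added example, not part of this repository; the function name, the finding labels and the `/srv/wallet` path are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not part of the image): review a `docker run` argument list
# for the settings this README discusses. Prints one finding per line.
# Handles the space-separated option spellings used on this page.
audit_monero_run() {
    hostnet=0; prev=""
    bind_ip="0.0.0.0"            # image default for RPC_BIND_IP
    for arg in "$@"; do
        case "$prev" in
            -e|--env)
                case "$arg" in
                    # secrets given with -e end up in `docker inspect` output
                    WALLET_PASSWD=?*|RPC_PASSWD=?*) echo "SECRET_IN_ENV ${arg%%=*}" ;;
                    RPC_BIND_IP=*) bind_ip="${arg#*=}" ;;
                esac ;;
            --net|--network)
                if [ "$arg" = "host" ]; then hostnet=1; fi ;;
            --rpc-bind-ip)
                bind_ip="$arg" ;;
            -p|--publish)
                case "$arg" in
                    0.0.0.0:*) echo "PUBLISHED_ON_ALL_INTERFACES $arg" ;;
                    *:*:*) ;;    # host_ip:host_port:container_port, e.g. 127.0.0.1:...
                    *) echo "PUBLISHED_ON_ALL_INTERFACES $arg" ;;
                esac ;;
        esac
        case "$arg" in
            --disable-rpc-login) echo "RPC_AUTH_DISABLED" ;;
        esac
        prev="$arg"
    done
    # With host networking a 0.0.0.0 bind listens on every interface of the host.
    if [ "$hostnet" -eq 1 ] && [ "$bind_ip" = "0.0.0.0" ]; then
        echo "RPC_BOUND_TO_ALL_HOST_INTERFACES"
    fi
    return 0
}

# Constructed sample: the wallet-rpc command from this page with a made-up volume path.
audit_monero_run docker run --rm -d --net host \
    -e RPC_USER=user -e RPC_PASSWD=passwd -e WALLET_PASSWD=securePasswd \
    -v /srv/wallet:/monero rinocommunity/monero:most_recent_tag \
    monero-wallet-rpc --wallet-file wallet
```

Using `--password-file` as shown above, and publishing with `-p 127.0.0.1:<port>:<port>` instead of `--net host`, produces no findings for the same wallet.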
Additional software installed:
- `torsocks`
- `tor`
You can find the following information within the docker image:
- `/torsocks.txt` contains output of `torsocks --version`
- `/tor.txt` contains output of `tor --version`
Every monero docker image comes with torsocks.
To start monerod, monero-wallet-rpc and monero-wallet-cli using torsocks, the environment variable USE_TORSOCKS=YES should be passed into the container.
In case you use an external Tor proxy, you should run the monero docker container with --net host (docker cli) or network_mode: "host" (docker-compose), in order to make the host's localhost (and hence the external Tor proxy port) available to torsocks - provided the Tor proxy runs on the host's localhost. Please see below.
The following configuration file /etc/tor/torsocks.conf is used:
TorAddress 127.0.0.1
TorPort 9050
OnionAddrRange 127.42.42.0/24
AllowInbound 1
The option AllowInbound is set to 1, in order to allow binding the monero daemon to all interfaces (0.0.0.0) - within docker containers.
Please also refer to rinocommunity/tor for further details.
There are two options:
- a single container containing monero and Tor proxy,
- separate containers for monero and Tor proxy.
Generally, it is recommended to have a single process within a docker container, i.e. separate containers.
Every monero docker image comes with tor.
The tor proxy is started within the docker image, when the environment variable USE_TOR=YES is set.
Against docker best practices (1 service per container), this monero tor docker image bundles monero tools with the Tor proxy within a single docker image.
The following configuration file /etc/tor/torrc is used:
RunAsDaemon 1
User debian-tor
SOCKSPort 0.0.0.0:9050
## comment for local use with e.g. curl
# SOCKSPolicy "reject *"
HiddenServiceDir /var/lib/tor/daemons/
HiddenServicePort 18081 127.0.0.1:18081
HiddenServicePort 28081 127.0.0.1:28081
HiddenServicePort 38081 127.0.0.1:38081
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
In this case, the monero daemon ports that are available in the clearnet are forwarded by the Tor proxy into the Tor network.
The option SOCKSPort is bound to 0.0.0.0 (all interfaces), in order to make it run within the docker container.
The option HiddenServiceDir /var/lib/tor/daemons/ can be used as docker volume to provide the files hostname and private_key.
After starting the docker container you will find your hostname (.onion address) here:
docker exec <container_name> cat /var/lib/tor/daemons/hostname
Please also refer to rinocommunity/tor for further details.
The monero tools and the Tor proxy can also be run in separate containers (from separate images or processes on the host).
In this case, you need to make the host's localhost available within the monero docker container - see above using torsocks.
Please also refer to rinocommunity/tor for further details.
- serve `monerod` in the Tor network
  - `USE_TOR=YES`
  - `USE_TORSOCKS=NO`
  - Check tor configuration
    - Consider using `SOCKSPolicy "reject *"`
- run `monero-wallet-rpc` or `monero-wallet-cli` over the Tor network
  - running Tor proxy contained in the image
    - `USE_TOR=YES`
    - `USE_TORSOCKS=YES`
  - running an external Tor proxy
    - `USE_TOR=NO`
    - `USE_TORSOCKS=YES`
    - Check tor configuration
Please also refer to rinocommunity/tor for further details.