Install with Docker

Quickstart

Try FMD Server on your laptop from the command line:

docker run --rm -p 8080:8080 registry.gitlab.com/fmd-foss/fmd-server:0.13.0

You can now visit FMD Server's web interface in your browser at http://localhost:8080. You can register your FMD Android app using the server URL http://<your-laptops-ip>:8080.

Note that these steps are only for quick on-laptop testing and NOT for production!

With Docker Compose

The following is an (incomplete) example docker-compose.yml for deploying FMD Server with Docker Compose.

services:
  fmd:
    # Use the prebuilt image
    image: registry.gitlab.com/fmd-foss/fmd-server:0.13.0
    # Or build the image yourself (note the leading 'v')
    # build: https://gitlab.com/fmd-foss/fmd-server.git#v0.13.0
    container_name: fmd
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - './fmddata/db/:/var/lib/fmd-server/db/'
    restart: unless-stopped

Replace the version with the latest release.

Run the container:

docker compose up --build --detach

Persisting storage

FMD has a database and needs to persist it across container restarts. You need to mount a Docker volume to the directory /var/lib/fmd-server/db/ (inside the container).

The database directory must be readable and writable by uid 1000 (ideally it is owned by uid 1000).

Networking

FMD Server listens for HTTP connections on port 8080. This example has a port mapping from "127.0.0.1:8080" (on the host) to port 8080 (inside the container).

You need to set up your own reverse proxy. The reverse proxy should terminate TLS and forward connections to the FMD container. Instead of the port binding you can also use Docker networks (e.g. to connect your proxy container to the FMD container).

Configuration

FMD Server can be configured via the config.yml file. For details, see the configuration guide.

With Docker you can mount it with -v ./config.yml:/etc/fmd-server/config.yml:ro (for CLI) or for Compose:

    # other lines omitted
    volumes:
      - ./config.yml:/etc/fmd-server/config.yml:ro

Note: yml not yaml!

Container hardening

It is recommended to harden your Docker containers as described by OWASP. This means:

  • Run a read-only container.
    • The only path that FMD Server writes to is the database directory, which should be mounted as a volume.
  • Drop all capabilities.
  • Disallow acquiring new privileges.

On the Docker CLI, pass:

docker run --read-only --cap-drop=all --security-opt=no-new-privileges # ... rest of command

In Docker Compose, set:

services:
  fmd:
    # other lines omitted
    read_only: true
    cap_drop: [ALL]
    security_opt: [no-new-privileges]
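
To confirm that a running container actually has these settings, the following added example (not part of the FMD documentation or project code) audits the JSON printed by docker inspect. The two sample objects are constructed and trimmed to the fields the check reads; the loopback-only port check reflects the Networking section above.

```python
import json
import sys

DB_DIR = "/var/lib/fmd-server/db"  # database directory inside the container

def audit(container):
    """Return hardening findings for one object from `docker inspect` output."""
    host = container.get("HostConfig") or {}
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("capabilities are not all dropped")
    if host.get("CapAdd"):
        findings.append("capabilities added back: " + ", ".join(host["CapAdd"]))
    # Stored as "no-new-privileges" or "no-new-privileges:true" depending on how it was set
    opts = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    if not {"no-new-privileges", "no-new-privileges:true"} & set(opts):
        findings.append("no-new-privileges is not set")
    # A read-only container still needs a writable mount for the database
    if not any(m.get("Destination", "").rstrip("/") == DB_DIR and m.get("RW")
               for m in container.get("Mounts") or []):
        findings.append("no writable mount at " + DB_DIR)
    # The plain-HTTP port should be reachable only by the local reverse proxy
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp") not in ("127.0.0.1", "::1"):
                findings.append("port %s published on %s" % (port, b.get("HostIp") or "all interfaces"))
    return findings

# Constructed samples, trimmed to the fields audit() reads
HARDENED = {
    "HostConfig": {"ReadonlyRootfs": True, "CapDrop": ["ALL"], "CapAdd": None,
                   "SecurityOpt": ["no-new-privileges"],
                   "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}},
    "Mounts": [{"Destination": "/var/lib/fmd-server/db", "RW": True}],
}
QUICKSTART = {  # constructed to mirror the quickstart `docker run --rm -p 8080:8080 ...`
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": None, "CapAdd": None, "SecurityOpt": None,
                   "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
    "Mounts": [],
}

if __name__ == "__main__":
    # Real use: docker inspect fmd > inspect.json && python3 audit_fmd.py inspect.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else [HARDENED, QUICKSTART]
    for c in data:
        for finding in audit(c) or ["ok"]:
            print(c.get("Name", "?"), finding)
```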

Available images and tags

Starting from 0.13.0, the FMD team builds three types of Docker images:

| Type | Tags | Approximate Disk Usage | UID | Description |
| --- | --- | --- | --- | --- |
| Alpine | 0-alpine, 0.13.0-alpine | 55 MB | 1000 | Smaller image, based on Alpine Linux. |
| Debian | 0, 0-debian, 0.13.0, 0.13.0-debian | 160 MB | 1000 | Default image, recommended for beginners. |
| Distroless | 0-distroless, 0.13.0-distroless | 40 MB | 65532 | Tiny image, containing only the FMD Server binary and barely anything else. Based on Google's distroless base images. |

Using the tags, you can select which type of image you want to run. For example: registry.gitlab.com/fmd-foss/fmd-server:0.13.0-alpine.

While FMD Server is pre-1.0 it is recommended to pin a specific version such as 0.13.0, instead of only the major version.

For FMD Server 0.12.0 and earlier, only a Debian-based image was available. It was tagged as v0.12.0 (note the leading "v").

The images run FMD Server with a specific UID. You need to chown your database directory to that UID, to allow FMD Server to read/write the database file.