Production Docker Setup: Healthcheck, Auto-Updates, and Non-Root Security

Setting up production Docker infrastructure for AI agents requires careful attention to security, monitoring, and maintenance. WAIaaS provides a hardened Docker deployment with healthchecks, automatic updates, and non-root containers to keep your wallet infrastructure running reliably in production environments.

Why Production Docker Setup Matters

When AI agents handle real cryptocurrency transactions, infrastructure reliability becomes critical. A crashed container means stuck transactions, missed trading opportunities, or worse — agents that can't respond to market conditions. Production setups need automated health monitoring, security isolation, and hands-off maintenance to minimize operational overhead while maximizing uptime.

WAIaaS Production-Ready Docker Features

WAIaaS includes several production-hardened Docker features out of the box:

Built-in Healthcheck

The Docker container includes a native healthcheck that monitors the API endpoint:

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
  interval: 30s
  timeout: 5s
  start_period: 10s
  retries: 3

This configuration checks the /health endpoint every 30 seconds. If three consecutive checks fail, Docker marks the container as unhealthy, enabling orchestration systems to restart or replace it automatically.

Non-Root Security

The WAIaaS Docker image runs as UID 1001, not root:

# From the Dockerfile
USER 1001

This follows security best practices by limiting container privileges. Even if an attacker compromises the application, they can't escalate to root or modify system files.

Auto-Provisioning for Unattended Deployment

For production deployments where manual password entry isn't practical, enable auto-provisioning:

docker run -d \
  --name waiaas \
  -p 127.0.0.1:3100:3100 \
  -v waiaas-data:/data \
  -e WAIAAS_AUTO_PROVISION=true \
  ghcr.io/minhoyoo-iotrust/waiaas:latest

# Retrieve the auto-generated master password
docker exec waiaas cat /data/recovery.key

The auto-provision feature generates a cryptographically secure master password and saves it to /data/recovery.key for later retrieval.

Docker Compose Production Configuration

For production deployments, use the complete Docker Compose setup with monitoring and restart policies:

services:
  daemon:
    image: ghcr.io/minhoyoo-iotrust/waiaas:latest
    container_name: waiaas-daemon
    ports:
      - "127.0.0.1:3100:3100"
    volumes:
      - waiaas-data:/data
    environment:
      - WAIAAS_DATA_DIR=/data
      - WAIAAS_DAEMON_HOSTNAME=0.0.0.0
      - WAIAAS_AUTO_PROVISION=true
      - WAIAAS_DAEMON_LOG_LEVEL=info
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3

  # Watchtower for automatic updates
  watchtower:
    image: containrrr/watchtower
    container_name: waiaas-watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_POLL_INTERVAL=3600
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_STOPPED=true
    restart: unless-stopped

volumes:
  waiaas-data:
    driver: local

This configuration includes Watchtower for automatic container updates, ensuring your wallet infrastructure stays current with security patches and feature updates.

Secrets Management for Production

For production environments with sensitive configuration, use Docker Secrets to avoid exposing credentials in environment variables:

# Create secret files
mkdir -p secrets
echo "your-secure-master-password" > secrets/master_password.txt
echo "your-rpc-endpoint" > secrets/solana_rpc.txt
chmod 600 secrets/*.txt

# Deploy with secrets overlay
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d

The secrets overlay (docker-compose.secrets.yml) mounts secret files as read-only volumes, keeping sensitive data out of process environments where it might leak in logs or crash dumps.

Monitoring and Logging

Set up comprehensive logging for production troubleshooting:

# Follow logs from all services
docker compose logs -f

# Check container health status
docker ps --format "table {{.Names}}\t{{.Status}}"

# Monitor resource usage
docker stats waiaas-daemon

For structured logging, configure the log level via environment variable:

environment:
  - WAIAAS_DAEMON_LOG_LEVEL=info  # trace/debug/info/warn/error

Network Security Configuration

Bind the service to localhost only for security:

ports:
  - "127.0.0.1:3100:3100"  # Only accessible from localhost

If you need external access, use a reverse proxy like nginx with TLS termination rather than exposing the container port directly. This provides an additional security layer and enables features like rate limiting and authentication at the proxy level.

Backup and Data Persistence

The named volume waiaas-data persists wallet keys, transaction history, and configuration across container restarts:

# Create backup of wallet data
docker run --rm -v waiaas-data:/source -v $(pwd):/backup \
  ubuntu tar czf /backup/waiaas-backup-$(date +%Y%m%d).tar.gz -C /source .

# Restore from backup
docker run --rm -v waiaas-data:/target -v $(pwd):/backup \
  ubuntu tar xzf /backup/waiaas-backup-20240314.tar.gz -C /target

Resource Limits and Performance

Set resource constraints to prevent runaway resource usage:

services:
  daemon:
    # ... other config
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
        reservations:
          memory: 256M
          cpus: '0.5'

WAIaaS is designed to be lightweight, typically using under 100MB RAM for normal operations.

Quick Production Deployment

Here's a complete 5-step production setup:

1. Clone and prepare configuration:

   git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
   cd WAIaaS
   cp .env.example .env

1. Configure secrets (optional but recommended):

   mkdir secrets
   echo "$(openssl rand -base64 32)" > secrets/master_password.txt
   chmod 600 secrets/master_password.txt

1. Deploy with auto-provisioning:

   docker compose up -d

1. Retrieve credentials:

   docker exec waiaas-daemon cat /data/recovery.key

1. Verify deployment:

   curl http://127.0.0.1:3100/health
   docker compose logs daemon

Maintenance and Updates

The Watchtower integration automatically pulls new images and restarts containers when updates are available. To manually update:

docker compose pull    # Pull latest images
docker compose up -d   # Restart with new images

WAIaaS uses semantic versioning. Patch updates (1.0.1 → 1.0.2) are automatically applied via Watchtower. For major version updates, review the changelog before upgrading.

What's Next

With your production Docker infrastructure running, you're ready to create wallets and deploy AI agents with confidence. The hardened container setup provides the reliability foundation needed for autonomous trading systems and DeFi protocols.

Check out the WAIaaS GitHub repository for the latest Docker configurations and visit waiaas.ai for comprehensive deployment guides and production best practices.