Running with Docker

Synentra publishes pre-built images to the GitHub Container Registry (GHCR). The latest tag is a multi-arch manifest and works on all supported platforms automatically:

Image Tag	Platforms	Notes
`ghcr.io/synentra/synentra:latest`	linux/amd64, linux/arm64	Recommended — Docker selects the correct variant automatically
`ghcr.io/synentra/synentra:1.1.0-linux-amd64`	linux/amd64	Platform-specific pin
`ghcr.io/synentra/synentra:1.1.0-linux-arm64`	linux/arm64	Platform-specific pin

All images:

Expose port 7080 (HTTP) by default
Set DOTNET_RUNNING_IN_CONTAINER=true

Pulling the Image

For most cases, pull the multi-arch latest tag and Docker will select the correct variant for your host:

docker pull ghcr.io/synentra/synentra:latest

To pin to a specific platform:

Linux (amd64)
Linux (arm64)

docker pull ghcr.io/synentra/synentra:1.1.0-linux-amd64

docker pull ghcr.io/synentra/synentra:1.1.0-linux-arm64

Running the Container

Minimal (in-memory cache, SQLite)

docker run -d \
  --name synentra \
  -p 7080:7080 \
  -e System__Storage__Database__Providers__Sqlite__ConnectionString="Data Source=/data/synentra.db" \
  -e Policy__Providers__Internal__Directory="/policies" \
  -v $(pwd)/data:/data \
  -v $(pwd)/policies:/policies \
  ghcr.io/synentra/synentra:latest

tip

ASP.NET Core reads configuration from environment variables using double-underscore __ as a section separator. System__Server__Http__Port=7080 maps to System → Server → Http → Port.

Environment Variables Reference

All appsettings.json keys can be overridden via environment variables using __ as a delimiter.

Environment Variable	Example Value	Description
`System__Server__Http__Port`	`7080`	HTTP listener port
`System__Server__Https__Enabled`	`true`	Enable HTTPS
`System__Server__Https__Port`	`7443`	HTTPS listener port
`System__Storage__Database__DefaultProvider`	`Sqlite`	Database provider
`System__Storage__Database__Providers__Sqlite__ConnectionString`	`Data Source=/data/synentra.db`	SQLite path
`System__Storage__Database__Providers__Postgres__ConnectionString`	`Host=db;Database=synentra;...`	PostgreSQL connection
`System__Storage__Cache__DefaultProvider`	`Memory` or `Redis`	Cache provider
`System__Storage__Cache__Providers__Redis__ConnectionString`	`redis:6379`	Redis address
`System__RateLimit__DefaultRequestsPerMinute`	`60`	Per-agent rate limit
`System__CircuitBreaker__FailureThreshold`	`5`	Failures before circuit opens
`Security__AgentAuth__Provider`	`SelfSigned` or `Jwt`	Auth provider
`Security__AgentAuth__Jwt__Issuer`	`https://auth.example.com`	JWT issuer
`Security__AgentAuth__Jwt__Audience`	`synentra-gateway`	JWT audience
`Security__AgentAuth__Jwt__SecretKey`	`your-key`	JWT signing key
`Policy__Enabled`	`true`	Enable policy engine
`Policy__DefaultProvider`	`Internal` or `Opa`	Policy provider
`Policy__Providers__Internal__Directory`	`/policies`	Policy files directory
`Policy__Providers__Opa__BaseUrl`	`http://opa:8181`	OPA server URL
`Semantic__Enabled`	`false`	Enable semantic analysis
`Semantic__DefaultProvider`	`Internal`	Semantic provider
`Semantic__Providers__OpenAi__ApiKey`	`sk-...`	OpenAI API key
`HumanInTheLoop__Enabled`	`true`	Enable HITL
`HumanInTheLoop__Threshold`	`0.8`	Risk score HITL trigger
`HumanInTheLoop__TimeoutSeconds`	`3600`	HITL request TTL
`HumanInTheLoop__NotificationWebhookUrl`	`https://hooks.example.com/...`	HITL webhook
`Observability__Logging__DefaultLogLevel`	`Information`	Log level
`Observability__Logging__Seq__Enabled`	`true`	Enable Seq sink
`Observability__Logging__Seq__ServerUrl`	`http://seq:5341`	Seq server URL
`SecretManagement__DefaultProvider`	`AzureKeyVault`	Secret provider
`SecretManagement__Providers__AzureKeyVault__VaultUri`	`https://vault.vault.azure.net/`	Key Vault URI

Volume Mounts

Container Path (Linux)	Container Path (Windows)	Purpose
`/data`	`C:\data`	SQLite database file
`/policies`	`C:\policies`	JSON policy files
`/app/logs`	`C:\app\logs`	Serilog file sink output
`/certs`	`C:\certs`	TLS certificate (if HTTPS enabled)

Docker Compose

A full example with Redis, Seq, and OPA:

docker-compose.yml
services:

  synentra:
    image: ghcr.io/synentra/synentra:latest
    ports:
      - "7080:7080"
    environment:
      System__Storage__Database__DefaultProvider: Sqlite
      System__Storage__Database__Providers__Sqlite__ConnectionString: "Data Source=/data/synentra.db"
      System__Storage__Cache__DefaultProvider: Redis
      System__Storage__Cache__Providers__Redis__ConnectionString: "redis:6379"
      System__RateLimit__DefaultRequestsPerMinute: "60"
      System__CircuitBreaker__FailureThreshold: "5"
      Security__AgentAuth__Provider: SelfSigned
      Policy__Enabled: "true"
      Policy__DefaultProvider: Internal
      Policy__Providers__Internal__Directory: /policies
      HumanInTheLoop__Enabled: "true"
      HumanInTheLoop__Threshold: "0.8"
      HumanInTheLoop__TimeoutSeconds: "3600"
      Observability__Logging__DefaultLogLevel: Information
      Observability__Logging__Seq__Enabled: "true"
      Observability__Logging__Seq__ServerUrl: http://seq:5341
    volumes:
      - synentra-data:/data
      - ./policies:/policies:ro
      - synentra-logs:/app/logs
    depends_on:
      - redis
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7080/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

  redis:
    image: redis:7-alpine
    ports:
      - "6379:6379"
    restart: unless-stopped

  seq:
    image: datalust/seq:latest
    ports:
      - "5341:5341"
      - "8080:80"
    environment:
      ACCEPT_EULA: "Y"
    volumes:
      - seq-data:/data
    restart: unless-stopped

volumes:
  synentra-data:
  synentra-logs:
  seq-data:

Start everything:

docker compose up -d

HTTPS in Docker

Mount your certificate and set the relevant environment variables:

docker run -d \
  --name synentra \
  -p 7080:7080 \
  -p 7443:7443 \
  -e System__Server__Https__Enabled=true \
  -e System__Server__Https__Port=7443 \
  -e System__Server__Https__Certificate__Path=/certs/synentra.pfx \
  -e System__Server__Https__Certificate__Password=your-cert-password \
  -v $(pwd)/certs:/certs:ro \
  ghcr.io/synentra/synentra:latest

User Security

Image	Runs as
`ghcr.io/synentra/synentra:latest` (linux)	`root` (see warning below)

Linux containers and root

The Linux image currently runs as root. For production deployments it is recommended to run the container with a non-root user by adding --user to your docker run command or setting user: in your Compose service.

Health Check

Synentra exposes a /health endpoint. Use it for Docker health checks and orchestrator readiness probes:

curl http://localhost:7080/health
# {"status":"Healthy","healthCheckDuration":"00:00:00.0023456"}

Pulling the Image​

Running the Container​

Minimal (in-memory cache, SQLite)​

Environment Variables Reference​

Volume Mounts​

Docker Compose​

HTTPS in Docker​

User Security​

Health Check​