Docker Deployment
AI Guard is distributed as a multi-platform Docker image supporting both linux/amd64 and linux/arm64 architectures.
Docker Image
The production image is built from a Chainguard wolfi-base base image with:
| Path | Contents |
|---|---|
/usr/local/sbin/ai-guard | The compiled AI Guard binary |
/etc/ai-guard/config.yaml | Default configuration file |
/usr/local/share/ai-guard/profiles | Fallback classification profiles |
Port 4443 | Default service port (TLS) |
Pulling the Image
Release Versions
Semver-tagged releases are available with both the version tag and latest:
docker pull docker.onetrust.dev/ai-guard:1.2.3
docker pull docker.onetrust.dev/ai-guard:latestDevelopment Builds
Images built from development branches are tagged with the branch name:
docker pull docker.onetrust.dev/ai-guard:AIGI-106-feature-nameRunning the Container
Basic Usage
docker run -p 4443:4443 ai-guard:latestThe service starts with the default configuration at /etc/ai-guard/config.yaml.
Custom Configuration
Override the configuration by mounting a custom config file:
docker run -p 4443:4443 \
-v /path/to/my-config.yaml:/etc/ai-guard/config.yaml \
ai-guard:latestOr specify a completely different config path:
docker run -p 4443:4443 \
-v /path/to/my-config.yaml:/opt/config.yaml \
ai-guard:latest --config /opt/config.yamlMounting TLS Certificates
Mount your TLS key and certificate into the container:
docker run -p 4443:4443 \
-v /path/to/server.key:/etc/ssl/litenode/tls.key:ro \
-v /path/to/server.crt:/etc/ssl/litenode/tls.crt:ro \
ai-guard:latestEnvironment Variable Overrides
All configuration values support ${VAR} substitution, so you can override any setting via environment variables:
docker run -p 4443:4443 \
-e AI_GUARD_SERVICE_PORT=0.0.0.0:4443 \
-e OT_SERVICE_BASE_URL=https://your-tenant.onetrust.com \
-e TLS_KEY_PATH=/etc/ssl/litenode/tls.key \
-e CERTIFICATE_PATH=/etc/ssl/litenode/tls.crt \
-e RUST_LOG=info \
ai-guard:latestBuilding the Image
To build the image from source, you need a GIT_TOKEN environment variable for accessing private dependencies:
docker buildx build \
--platform linux/arm64,linux/amd64 \
--secret id=GIT_TOKEN,env=GIT_TOKEN \
--tag ai-guard:latest \
.Health Check
Verify the container is running:
curl -k https://localhost:4443/healthDocker Compose Health Check
services:
ai-guard:
image: ai-guard:latest
ports:
- "4443:4443"
healthcheck:
test: ["CMD", "curl", "-k", "-f", "https://localhost:4443/health"]
interval: 10s
timeout: 5s
retries: 3Graceful Shutdown
The AI Guard service handles Docker stop signals (SIGTERM, SIGINT) gracefully:
- The signal is logged
- The HTTP server stops accepting new connections
- The metrics exporter is flushed and shut down
- The process exits cleanly
docker stop <container-id> # Sends SIGTERMWhat's Next?
- Kubernetes Deployment β Deploy on the OneTrust Workernode
- Networking Requirements β Required network connectivity
- Service Configuration β Full configuration reference
Updated about 4 hours ago