# Docker Deployment

AI Guard is distributed as a multi-platform Docker image supporting both `linux/amd64` and `linux/arm64` architectures.

## Docker Image

The production image is built on the Chainguard `wolfi-base` image and provides:

| Path or port                         | Contents                         |
| ------------------------------------ | -------------------------------- |
| `/usr/local/sbin/ai-guard`           | The compiled AI Guard binary     |
| `/etc/ai-guard/config.yaml`          | Default configuration file       |
| `/usr/local/share/ai-guard/profiles` | Fallback classification profiles |
| Port `4443`                          | Default service port (TLS)       |

## Pulling the Image

### Release Versions

Semver-tagged releases are available with both the version tag and `latest`:

```bash
docker pull docker.onetrust.dev/ai-guard:1.2.3
docker pull docker.onetrust.dev/ai-guard:latest
```

### Development Builds

Images built from development branches are tagged with the branch name:

```bash
docker pull docker.onetrust.dev/ai-guard:AIGI-106-feature-name
```

## Running the Container

### Basic Usage

```bash
docker run -p 4443:4443 ai-guard:latest
```

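The service starts with the default configuration at `/etc/ai-guard/config.yaml`. The `docker run` examples on this page use the local tag `ai-guard:latest`; if you pulled the image from the registry, use its full name instead, for example `docker.onetrust.dev/ai-guard:latest`.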

### Custom Configuration

Override the configuration by mounting a custom config file:

```bash
docker run -p 4443:4443 \
  -v /path/to/my-config.yaml:/etc/ai-guard/config.yaml \
  ai-guard:latest
```

Or specify a completely different config path:

```bash
docker run -p 4443:4443 \
  -v /path/to/my-config.yaml:/opt/config.yaml \
  ai-guard:latest --config /opt/config.yaml
```

### Mounting TLS Certificates

Mount your TLS key and certificate into the container:

```bash
docker run -p 4443:4443 \
  -v /path/to/server.key:/etc/ssl/litenode/tls.key:ro \
  -v /path/to/server.crt:/etc/ssl/litenode/tls.crt:ro \
  ai-guard:latest
```

### Environment Variable Overrides

All configuration values support `${VAR}` substitution, so you can override any setting via environment variables:

```bash
docker run -p 4443:4443 \
  -e AI_GUARD_SERVICE_PORT=0.0.0.0:4443 \
  -e OT_SERVICE_BASE_URL=https://your-tenant.onetrust.com \
  -e TLS_KEY_PATH=/etc/ssl/litenode/tls.key \
  -e CERTIFICATE_PATH=/etc/ssl/litenode/tls.crt \
  -e RUST_LOG=info \
  ai-guard:latest
```

## Building the Image

To build the image from source, set a `GIT_TOKEN` environment variable that can access the private dependencies. The `--secret` flag passes it to the build as a BuildKit secret instead of a build argument:

```bash
docker buildx build \
  --platform linux/arm64,linux/amd64 \
  --secret id=GIT_TOKEN,env=GIT_TOKEN \
  --tag ai-guard:latest \
  .
```

## Health Check

Verify the container is running (`-k` tells curl to skip certificate verification):

```bash
curl -k https://localhost:4443/health
```
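
To probe the same `/health` endpoint without `-k`, the script below verifies the server certificate against the certificate file you mounted and retries until the service answers. It is an added example, not part of the AI Guard product or its documentation; the function names, the `ai-guard.internal` host name, and the assumption that your certificate was issued for that name are illustrative.

```shell
#!/bin/sh
# Added example (not OneTrust code): probe /health with TLS verification.

# health_url HOST [PORT]: print the health URL; 4443 is the documented default.
health_url() {
  printf 'https://%s:%s/health\n' "$1" "${2:-4443}"
}

# check_health CA_CERT HOST [PORT] [ADDR]
#   CA_CERT  PEM file curl should trust (for a self-signed setup, the same
#            server.crt that is mounted as tls.crt)
#   HOST     a name the certificate was issued for (assumption: you know it)
#   ADDR     address actually dialled; --resolve maps HOST to it so the name
#            check still applies when probing through the published port
check_health() {
  ca=$1 host=$2 port=${3:-4443} addr=${4:-127.0.0.1}
  curl --fail --silent --show-error --max-time 5 \
    --cacert "$ca" --resolve "$host:$port:$addr" \
    --output /dev/null "$(health_url "$host" "$port")"
}

# wait_healthy TRIES DELAY CA_CERT HOST [PORT] [ADDR]
# Returns 0 on the first verified 2xx answer, 1 if every try fails,
# 2 immediately when the CA file is unreadable (retrying cannot fix that).
wait_healthy() {
  tries=$1 delay=$2
  shift 2
  [ -r "$1" ] || { echo "CA file not readable: $1" >&2; return 2; }
  i=1
  while [ "$i" -le "$tries" ]; do
    rc=0
    check_health "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then return 0; fi
    echo "health check $i/$tries failed (curl exit $rc)" >&2
    i=$((i + 1))
    if [ "$i" -le "$tries" ]; then sleep "$delay"; fi
  done
  return 1
}

# Example call (constructed path and host name):
#   wait_healthy 10 3 /path/to/server.crt ai-guard.internal
```

A curl exit code of 60 in the failure message means the certificate did not validate against the supplied file, which is the condition `-k` would have hidden.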

### Docker Compose Health Check

```yaml
services:
  ai-guard:
    image: ai-guard:latest
    ports:
      - "4443:4443"
    healthcheck:
      test: ["CMD", "curl", "-k", "-f", "https://localhost:4443/health"]
      interval: 10s
      timeout: 5s
      retries: 3
```

## Graceful Shutdown

The AI Guard service handles Docker stop signals (SIGTERM, SIGINT) gracefully:

1. The signal is logged
2. The HTTP server stops accepting new connections
3. The metrics exporter is flushed and shut down
4. The process exits cleanly

```bash
docker stop <container-id>  # Sends SIGTERM
```

## What's Next?

* [Kubernetes Deployment](https://developer.onetrust.com/onetrust/docs/ai-guard-kubernetes) — Deploy on the OneTrust Workernode
* [Networking Requirements](https://developer.onetrust.com/onetrust/docs/ai-guard-networking) — Required network connectivity
* [Service Configuration](https://developer.onetrust.com/onetrust/docs/ai-guard-service-configuration) — Full configuration reference