Docker and Container Deployment
Containerized tidecoind is straightforward when the data directory is a
persistent volume and RPC stays on a private network. Expose the P2P port when
the node should accept inbound peers. Do not expose wallet-capable RPC to the
public internet.
This page gives deployment patterns. It does not define an official container image; build or choose images through your normal supply-chain process.
Container rules
| Rule | Reason |
|---|---|
| Persist the data directory | Blocks, chainstate, wallets, indexes, and config must survive container replacement. |
| Keep RPC private | RPC can control the node and loaded wallets. |
| Run as a non-root user | Limits filesystem and host impact. |
| Stop cleanly | Lets the node flush chainstate, wallets, fee estimates, and mempool state. |
| Back up wallets outside the container lifecycle | Container deletion must not delete funds. |
| Monitor from outside the container | A healthy container process is not the same as a synced node. |
Minimal image pattern
An internal Dockerfile normally either copies verified release binaries or builds from source. For release binaries, keep the image small and put mutable state in a volume:
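```dockerfile
FROM debian:stable-slim
# Create the unprivileged user and a data directory it owns, so a new named
# volume mounted at that path is writable without root.
RUN useradd --create-home --home-dir /home/tidecoin --shell /usr/sbin/nologin tidecoin \
 && install -d -o tidecoin -g tidecoin /home/tidecoin/.tidecoin
COPY bin/tidecoind /usr/local/bin/tidecoind
COPY bin/tidecoin-cli /usr/local/bin/tidecoin-cli
USER tidecoin
VOLUME ["/home/tidecoin/.tidecoin"]
# P2P port only; the RPC port is not exposed.
EXPOSE 8755
ENTRYPOINT ["tidecoind"]
CMD ["-printtoconsole"]
```
This is a pattern, not a reproducible release recipe. Verify binaries and pin base images in production.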
Docker Compose example
```yaml
services:
  tidecoind:
    image: registry.example.com/tidecoin-core:local
    user: "1000:1000"
    command:
      - -printtoconsole
      - -server=1
      - -rpcbind=0.0.0.0
      - -rpcallowip=172.20.0.0/16
    ports:
      - "8755:8755"          # P2P only; the RPC port is not published
    volumes:
      - tidecoin-data:/home/tidecoin/.tidecoin
    networks:
      - tidecoin-private     # RPC clients attach here
      - tidecoin-p2p         # added: an internal network cannot publish ports or reach peers
    stop_grace_period: 2m
volumes:
  tidecoin-data:
networks:
  tidecoin-private:
    internal: true
    ipam:
      config:
        - subnet: 172.20.0.0/16   # pinned so it matches -rpcallowip
  tidecoin-p2p: {}
```
If RPC is bound to 0.0.0.0 inside a container, restrict it with Docker network
policy, rpcallowip, strong authentication, and RPC whitelists. Do not publish
the RPC port to the host unless there is a deliberate protected access path.
Configuration volume
Put tidecoin.conf in the mounted data directory or mount it read-only into the
expected path. Example:
```ini
server=1
rpcbind=0.0.0.0
rpcallowip=172.20.0.0/16
rpcauth=<generated-user-salt-hash>
v2transport=1
```
For infrastructure nodes without wallets:
```ini
disablewallet=1
txindex=1
blockfilterindex=basic
coinstatsindex=1
```
Do not combine pruning with txindex=1.
Health checks
A container health check should call RPC, not only check whether the process is running:
```sh
tidecoin-cli getblockchaininfo
```
Better readiness checks parse:
| Field | Readiness use |
|---|---|
| chain | Matches expected network. |
| initialblockdownload | False for production readiness. |
| blocks and headers | Not badly lagged. |
| warnings | Empty or explicitly accepted. |
| getnetworkinfo.connections | Above threshold. |
Kubernetes readiness should fail while the node is in IBD if the pod backs an exchange, explorer, pool, or wallet service.
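One way to implement the readiness checks in the table above, as an added example that is not part of the Tidecoin project's own tooling. The thresholds, the expected chain name `main`, the function names, and the sample responses are assumptions made for illustration; the probe fails closed when a field is missing or the RPC call fails.

```python
import json
import subprocess
import sys

# Constructed sample responses (not captured from a real node).
SAMPLE_CHAININFO = {"chain": "main", "blocks": 1200, "headers": 1201,
                    "initialblockdownload": False, "warnings": ""}
SAMPLE_NETINFO = {"connections": 9}

def readiness_problems(chaininfo, netinfo, expected_chain="main",
                       max_lag=2, min_connections=4, accepted_warnings=()):
    """Return the reasons the node is not ready; an empty list means ready."""
    problems = []
    if chaininfo.get("chain") != expected_chain:
        problems.append(f"chain is {chaininfo.get('chain')!r}, expected {expected_chain!r}")
    # Fail closed: a missing field is treated as "still in IBD".
    if chaininfo.get("initialblockdownload", True):
        problems.append("node is in initial block download")
    blocks, headers = chaininfo.get("blocks"), chaininfo.get("headers")
    if not isinstance(blocks, int) or not isinstance(headers, int):
        problems.append("blocks/headers missing from response")
    elif headers - blocks > max_lag:
        problems.append(f"blocks lag headers by {headers - blocks}")
    # Handle warnings as either one string or a list of strings.
    warnings = chaininfo.get("warnings") or []
    if isinstance(warnings, str):
        warnings = [warnings]
    problems += [f"unaccepted warning: {w}" for w in warnings
                 if w and w not in accepted_warnings]
    if netinfo.get("connections", 0) < min_connections:
        problems.append(f"only {netinfo.get('connections', 0)} peer connections")
    return problems

def rpc(method, cli=("tidecoin-cli",)):
    """Run one RPC through tidecoin-cli and decode its JSON output."""
    done = subprocess.run([*cli, method], check=True, capture_output=True,
                          text=True, timeout=10)
    return json.loads(done.stdout)

def main():
    try:
        problems = readiness_problems(rpc("getblockchaininfo"), rpc("getnetworkinfo"))
    except (OSError, subprocess.SubprocessError, ValueError) as exc:
        problems = [f"RPC call failed: {exc}"]
    for problem in problems:
        print(problem, file=sys.stderr)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main())
```

The script exits 0 only when every check passes, so it can back a container health check or a readiness probe run from outside the node container.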
Kubernetes notes
Use a StatefulSet or equivalent stable persistent-volume binding. Avoid Deployment-style ephemeral storage for nodes with wallets or full chain data.
Minimum production concerns:
| Concern | Recommendation |
|---|---|
| Storage | PersistentVolume with sufficient IOPS and free-space alerts. |
| Identity | Stable pod name and volume claim. |
| Shutdown | Grace period long enough for clean node stop. |
| RPC credentials | Kubernetes Secret or external secret manager. |
| P2P | Service for P2P only if inbound peers are desired. |
| RPC | Cluster-internal Service only, with authentication and whitelists. |
| Backups | Wallet backup job that calls backupwallet, not raw live file copy. |
Source of truth
| Topic | Canonical page |
|---|---|
| Data directory and wallet layout | Data Directory |
| RPC binding and authentication | RPC Security |
| Backups | Backups |
| Monitoring checks | Monitoring |
| Build from source | Build a Node from Source |
See also: systemd Service, Configuration.