Gateway with Docker

Instructions for installing Keeper Gateway on Docker

Overview

This document contains information on how to install, configure, and update your Keeper Gateway on Docker. The Keeper Gateway container is built upon the base image of Rocky Linux 8 and it is hosted in DockerHub.

Prerequisites

  • A Linux host with a x86 AMD processor for all PAM capabilities

  • docker and docker compose installed (see Docker Install for help)

Create a Gateway

A new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App.

You can also create a Gateway and configuration file from the Commander CLI:

pam gateway new -n "<Gateway Name>" -a <Application Name or UID> -c b64

The Application names and UIDs can be found with secrets-manager app list

Installation Options

Keeper provides 2 ways of setting up the Gateway:

Option 1: Auto Docker Installation

Keeper's automatic installer will set up the environment for you.

1

Create a Docker Gateway and Copy the Installation Command

Create a new Gateway with either the Gateway Wizard or using Keeper Secrets Manager for the Docker Operating System.

You will be provided with an installation command to paste into your Linux host.

2

Run the Installation Command

On your Linux host, navigate to your desired working directory and execute the copied installation command.

The installation command will:

  • Install Docker and Docker Compose (if needed)

  • Generate the Docker Compose, Seccomp and AppArmor files.

  • Prepare the service

3

Start the Service

Ensure that you are located in the folder where the docker-compose.yml, docker-seccomp.json and gateway-apparmor-profile files are saved.

Executing the following command will run the Keeper Gateway in the background:

docker compose up -d

Option 2: Manual Docker Installation

If you prefer to set up the Docker environment yourself, follow the instructions below.

1

Docker Compose

A Docker Compose file is provided through the Vault UI. Typically this file would be saved in your local environment as docker-compose.yml in your preferred folder. An example is below:

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 16g
        restart: unless-stopped
        security_opt:
          - seccomp:docker-seccomp.json
          - apparmor:gateway-apparmor-profile
        environment:
          ACCEPT_EULA: Y
          GATEWAY_CONFIG: XXXXXXXXXXXXXXXXX

The shm_size is a critical parameter. We recommend maximizing this value to at least half of the available server memory. Production gateways should have as much memory and CPU allocated as possible. When using remote browser isolation sessions, Chromium uses a lot of memory for each process.

The only required environment variable setting is GATEWAY_CONFIG which is the resulting base64-encoded configuration provided by Keeper when creating a Gateway.

2

Seccomp File

The file called docker-seccomp.json needs to be downloaded and placed in the same folder as your Docker Compose file.

Download File or:

curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/docker-seccomp.json
3

AppArmor Profile (Required for Ubuntu/Debian distributions)

This step is required for Ubuntu and Debian-based distributions. For all other Linux distributions (RHEL, CentOS, Fedora, Amazon Linux, etc.) skip to Step 4.

The file called gateway-apparmor-profile needs to be placed in the same folder as your Docker Compose file.

Download File or:

curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/gateway-apparmor-profile

Activate the apparmor config

sudo apparmor_parser -r gateway-apparmor-profile
sudo cp gateway-apparmor-profile /etc/apparmor.d/
4

Start the Service

Ensure that you are located in the folder where the docker-compose.yml is saved. Executing the following command will run the Keeper Gateway container in the background, as specified in the docker compose file:

docker compose up -d

Note: There's a typo in Vault version 17.4 that references gateway-app-armor-profile instead of gateway-apparmor-profile in the provided docker-compose.yml file when creating a new gateway. To fix this issue, remove the extra dash. It needs to be labeled as gateway-apparmor-profile

Logging

When running the latest version of the Keeper Gateway, you'll see the output in the logs like below:

docker compose logs keeper-gateway
Docker Logs from Keeper Gateway

On the Vault UI in the Secrets Manager > Applications > Gateways screen, the Gateway will show Online.

Gateway is Online

Gateway Service Management

Starting the service

docker compose up -d

Stopping the service

docker compose stop

Restarting the service

docker compose restart

Connecting to the Gateway container

docker compose exec keeper-gateway bash

Starting the Gateway Automatically on Reboot

In the docker-compose.yml file, ensure that a restart policy is enabled. For example:

services:
  keeper-gateway:
    restart: unless-stopped

Adding the "restart: unless-stopped" or "restart: always" parameter in the docker-compose.yml file will assign a restart policy to the environment.

If you would like to force the host operating system to automatically start the Keeper Gateway on a Docker installation, follow these steps (Linux host).

First, create a file /etc/systemd/system/keeper-gateway.service

[Unit]
Description=Keeper Gateway Docker Compose
Requires=docker.service
After=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/path/to/install
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
User=myusername
Group=docker

[Install]
WantedBy=multi-user.target

NOTE:

  • Replace /path/to/install with the path to your docker-compose.yml

  • Replace myusername user with your user running Docker

  • Replace docker group with your defined group

  • Ensure the binary path for ExecStart and ExecStop are correct

Then enable the service:

sudo systemctl daemon-reload
sudo systemctl enable keeper-gateway.service
sudo systemctl start keeper-gateway.service

Important: Ensure that the apparmor file is loaded up and available on reboot

sudo apparmor_parser -r gateway-apparmor-profile
sudo cp gateway-apparmor-profile /etc/apparmor.d/

After a reboot, verify that it's running:

systemctl status keeper-gateway

Debugging

If you need to enable verbose debug logs on the Gateway, enable debug logging by adding the below environment section variables to your Docker Compose file:

services:
      keeper-gateway:
        .....
        environment:
          KEEPER_GATEWAY_LOG_LEVEL: "debug" # logs for gateway
          LOG_LEVEL: "debug" # logs for guacd

After changing the log level, apply the changes to the docker

docker compose up -d

Tail the logs of the Keeper Gateway using this command:

docker compose logs -f keeper-gateway

Updating

Executing the following command will update the Keeper Gateway container to the latest version and restart the service:

docker compose pull
docker compose up -d

Health Checks

To monitor the Gateway service, you can configure health checks that expose its operational status. These checks are useful for Docker orchestration, load balancing, and automated monitoring. See the Health Check section for full setup details and examples.

Connecting to the Host Instance

A very useful capability of the Keeper Gateway is being able to open connections and tunnels to the host machine. By adding the extra_hosts section to your docker compose file with a value of host.docker.internal:host-gateway, you can open sessions directly to the host.

Example docker compose with the Gateway container:

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 16g
        restart: always
        extra_hosts:
          - "host.docker.internal:host-gateway"
        security_opt:
          - seccomp:./docker-seccomp.json
          - apparmor=./gateway-apparmor-profile
        environment:
          ACCEPT_EULA: Y
          GATEWAY_CONFIG: xxxxxxxx

Enabling this option allows you to establish a Connection to the host. For example, to open an SSH connection:

  • Create a PAM User record with the SSH private key

  • Create a PAM Machine record with the hostname to host.docker.internal and port 22

  • Activate the SSH connection in PAM settings referencing the PAM User

Upgrading the Keeper Gateway service through the host

If you use KeeperPAM to SSH over to the host service, you can upgrade the container by running the container update of the gateway in the background:

docker compose pull
nohup docker compose up -d keeper-gateway &

Network Configuration

The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:

Destination
Port Needed
More Info

Keeper Cloud (keepersecurity.[com|eu|com.au|jp|ca|us])

TLS Port 443

Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)

Keeper Router (connect.keepersecurity.[com|eu|com.au|jp|ca|us])

TLS Port 443

Communicates with Keeper Router to establish secure, real-time WebSocket connections

Keeper KRelay Server (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

TCP and UDP opened on Port 3478 Outbound access to TCP and UDP ports 49152 through 65535

Facilitates secure and encrypted relay connections between end-user's vault and target systems via the Gateway

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Managing Disk Space

Over time, as new versions of the Gateway are deployed, old Docker images may accumulate on the host server. This can consume a significant amount of disk space. To ensure smooth operation and avoid storage issues, we recommend periodically checking your available disk space and removing unused Docker images.

Checking Disk Space Usage

To view your current disk usage, run the following command on your Keeper Gateway server:

df -h

This command displays available disk space on all mounted filesystems in a human-readable format. Pay particular attention to the partition where Docker stores its data (typically /var/lib/docker).

If you notice the disk space running low (for example, more than 80–90% full), it’s a good idea to clean up old Docker images.

Cleaning Up Old Docker Images

When you update the Keeper Gateway, Docker keeps older images on your system. To remove all unused Docker images, you can use the following command:

docker image prune -a

  • The -a flag ensures that all unused images are deleted (not just dangling ones).

  • You may be prompted to confirm the action — type y when prompted.

Example output:

WARNING! This will remove all images without at least one container associated to them.
Are you sure you want to continue? [y/N] y
Deleted Images:
...
Total reclaimed space: 4.8GB

This operation safely removes old images that are no longer used by any running containers.

References:

PreviousCreating a GatewayNextGateway on Linux Native

Last updated

Was this helpful?