Environment variables
DockLog is configured through environment variables in your docker run command or Compose file. Auth mode needs a persistent DB_PATH and a non-default SECRET_KEY in production.
Action permissions
In auth mode, container and pod actions need both a server ALLOW_* flag and the matching per-user can_* permission. In no-auth mode, ALLOW_* env vars are the only gate. Use EXCLUDE_CONTAINERS to hide Docker workloads from every user.
Kubernetes
Set RUNTIME_MODE to kubernetes or both and provide cluster access with KUBECONFIG or in-cluster credentials. Use K8S_NAMESPACES to limit which namespaces DockLog queries at the instance level.
Full reference
| Variable | Description | Default | Mode |
|---|---|---|---|
| DISABLE_AUTH | Disable login and JWT. Also accepted as NO_AUTH=true. Forces CLIENT_ACCESS off and uses an in-memory SQLite database when DB_PATH is unset. | false | Both |
| SECRET_KEY | JWT signing secret. Startup fails in production (ENV=production) if the default value is still in use. | secret-key-change-this | Auth |
| DB_PATH | SQLite file path. Defaults to docklog.db in auth mode and :memory: in no-auth mode when unset. | docklog.db | Both |
| PORT | HTTP listen port inside the container. | 8000 | Both |
| DOCKER_HOST | Docker daemon address (standard Docker SDK variable). Defaults to the local socket. | unix:///var/run/docker.sock | Both |
| RUNTIME_MODE | Runtime backend: docker, kubernetes, or both. Controls which APIs and UI sections are enabled. | docker | Both |
| K8S_NAMESPACES | Comma-separated namespace allowlist for Kubernetes. Empty means all namespaces allowed by cluster RBAC. | (empty) | Both |
| K8S_CONTEXT | Kubernetes context override from kubeconfig. | (empty) | Both |
| KUBECONFIG | Path to kubeconfig inside the container. Required for kubernetes or both unless in-cluster. | (empty) | Both |
| K8S_API_SERVER | Optional Kubernetes API server URL override. | (empty) | Both |
| K8S_REWRITE_LOCALHOST | Rewrite 127.0.0.1 API URLs to host.docker.internal for Docker Desktop clusters running in a container. | (auto on Docker Desktop) | Both |
| K8S_INSECURE_SKIP_TLS_VERIFY | Skip TLS verification for local cluster debugging only. Do not use in production. | false | Both |
| CLIENT_ACCESS | strict or off. In strict mode, browser clients must send X-DockLog-Client: web with an allowed Origin. Native apps use JWT without Origin. Forced off when DISABLE_AUTH=true. | strict | Auth |
| ALLOWED_ORIGINS | Comma-separated browser origins for the Vue UI. Full URLs (https://app.example.com) or host-only entries (app.example.com) are accepted. Use the public HTTPS URL when behind a reverse proxy. | (empty) | Auth |
| TRUST_PROXY | Honor X-Forwarded-Host and X-Forwarded-Proto from a trusted reverse proxy. Required for correct origin checks and login behind Nginx, Traefik, or Caddy. | false | Auth |
| ENV | Set to production (or GO_ENV=production) to enforce a non-default SECRET_KEY and disable localhost origin bypass. | (empty) | Auth |
| ALLOW_START | Server gate for start actions. In auth mode, every user (including admin) also needs can_start in the database. In no-auth mode, this is the only gate. | false | Both |
| ALLOW_STOP | Server gate for stop actions. In auth mode, every user (including admin) also needs can_stop in the database. In no-auth mode, this is the only gate. | false | Both |
| ALLOW_RESTART | Server gate for restart actions. In auth mode, every user (including admin) also needs can_restart in the database. In no-auth mode, this is the only gate. | false | Both |
| ALLOW_DELETE | Server gate for remove actions. In auth mode, every user (including admin) also needs can_delete in the database. In no-auth mode, this is the only gate. | false | Both |
| ALLOW_SHELL | Server gate for interactive shell over WebSocket. In auth mode, every user (including admin) also needs can_shell in the database. In no-auth mode, this is the only gate. | false | Both |
| ALLOW_BASH | Alias for ALLOW_SHELL=true. | false | Both |
| EXCLUDE_CONTAINERS | Comma-separated container names to hide from every user in the dashboard. The DockLog container itself is always hidden (matched by name docklog or image containing docklog). | (empty) | Both |
Tip
Typical RAM use is around 30–40 MB on a small VPS after startup.
Edit or suggest changes on GitHub.