(Copied from issue 2644 on arcane repo).
As a suggestion, maybe the documentation needs an update for the people who want to run Arcane on SELinux-enabled systems, and improve the compose generator to offer a socket proxy or:

```yaml
security_opt:
  - label:disable
```

if `docker.sock` is mounted directly, and also a path where the stacks will be stored on the system.

Using a socket proxy is the recommended way even for SELinux, and for mounted paths, using `:z` is always needed to let Docker create and set the correct labels for folders and files (`container_file_t`).
Compose example for SELinux systems without a socket proxy:

```yaml
# Arcane Docker Compose Configuration
# Generated at 19/5/2026, 4:35:26 p.m.
services:
  arcane:
    image: ghcr.io/getarcaneapp/arcane:latest
    container_name: arcane
    restart: unless-stopped
    security_opt:
      - label:disable
    ports:
      - '3552:3552'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - arcane-data:/app/data
      - /path/to/stacks:/app/data/projects # The :z is only needed if security is enabled for the container.
    environment:
      - APP_URL=http://localhost:3552
      - PUID=1000
      - PGID=1000
      - ENCRYPTION_KEY=<redacted>
      - JWT_SECRET=<redacted>
      - LOG_LEVEL=error
      - LOG_JSON=false
      - OIDC_ENABLED=false
      - DATABASE_URL=file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate

volumes:
  arcane-data:
    driver: local
```
With a socket proxy:

```yaml
services:
  # Docker Socket Proxy - see https://github.com/Tecnativa/docker-socket-proxy
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: arcane-docker-proxy
    privileged: true # SELinux/AppArmor support
    environment:
      - EVENTS=1
      - PING=1
      - VERSION=1
      # Security critical
      - AUTH=0
      - SECRETS=0
      - POST=1
      # Not always needed
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1
      - DISTRIBUTION=0
      - EXEC=1
      - IMAGES=1
      - INFO=1
      - NETWORKS=1
      - NODES=0
      - PLUGINS=0
      - SERVICES=0
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=0
      - VOLUMES=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - arcane-internal
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true

  arcane:
    image: ghcr.io/getarcaneapp/arcane:latest
    container_name: arcane
    ports:
      - '3552:3552'
    volumes:
      - arcane-data:/app/data
      - /path/to/stacks:/app/data/projects:z # The :z is needed if the security is enabled for the container and is only for bind mounts.
    environment:
      - APP_URL=http://localhost:3552
      - PUID=1000
      - PGID=1000
      - ENCRYPTION_KEY=xxxxxxxxxxxxxxxxxxxxxx
      - JWT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxx
      - DOCKER_HOST=tcp://docker-socket-proxy:2375
      - LOG_LEVEL=error
      - LOG_JSON=false
      - OIDC_ENABLED=false
      - DATABASE_URL=file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate
    networks:
      - arcane-internal
    depends_on:
      - docker-socket-proxy
    healthcheck:
      test: ['CMD-SHELL', 'curl -fsS http://localhost:3552/api/health >/dev/null || exit 1']
      interval: 10s
      timeout: 3s
      retries: 5
      start_period: 15s
    restart: unless-stopped

networks:
  arcane-internal:
    driver: bridge
    name: arcane-internal

volumes:
  arcane-data:
    name: arcane-data
```
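The following checker is an added example, not code from the issue author or from the Arcane project. It encodes the rules the post states so they can be applied to any Compose file on an SELinux host: a host bind mount into a confined container needs a `:z` or `:Z` relabel, `label:disable` or `privileged: true` switches SELinux confinement off (so relabels stop mattering, and so does the protection), and a direct `docker.sock` mount into a confined container is flagged with the post's two alternatives. It assumes the Compose file has already been parsed into dictionaries (the shape `yaml.safe_load` returns); the function names, finding codes and the three constructed inputs (which mirror the two files above plus a deliberately misconfigured variant) are this example's own.

```python
"""Lint Compose service dicts for the SELinux points made in the post above.

Assumptions (from the post, not from Arcane):
  - a host bind mount (source starting with /, . or ~) into an SELinux-confined
    container must carry :z or :Z, or the container is denied access;
  - `label:disable` in security_opt, or `privileged: true`, runs the container
    unconfined, so relabels are unnecessary there (and the protection is gone);
  - /var/run/docker.sock mounted directly into a confined container is flagged:
    the post recommends a socket proxy, or label:disable.
Named and anonymous volumes are skipped because Docker labels them itself.
"""
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, human-readable detail)


def parse_volume(spec: str) -> dict:
    """Split short-syntax 'src:dst[:opt,opt]' into its parts.

    Mount options after the second colon are comma-separated (e.g. 'ro,z')."""
    parts = spec.split(":")
    if len(parts) == 1:  # anonymous volume such as "/app/data"
        return {"src": None, "dst": parts[0], "opts": set(), "bind": False}
    src, dst = parts[0], parts[1]
    opts = {o for o in ",".join(parts[2:]).split(",") if o}
    bind = src.startswith(("/", ".", "~"))  # host path => bind mount
    return {"src": src, "dst": dst, "opts": opts, "bind": bind}


def check_service(name: str, service: dict) -> List[Finding]:
    findings: List[Finding] = []
    sec_opts = service.get("security_opt") or []
    label_disabled = any(str(o).replace(" ", "") == "label:disable" for o in sec_opts)
    privileged = bool(service.get("privileged", False))
    unconfined = label_disabled or privileged

    if privileged:
        findings.append(("PRIVILEGED", f"{name}: privileged: true disables SELinux "
                         "confinement (and most other container isolation)"))
    if label_disabled:
        findings.append(("LABEL_DISABLE", f"{name}: label:disable turns SELinux "
                         "confinement off; :z flags are moot, but so is the protection"))

    for spec in service.get("volumes") or []:
        if not isinstance(spec, str):
            continue  # long (mapping) volume syntax is not handled here
        vol = parse_volume(spec)
        if not vol["bind"]:
            continue  # named/anonymous volume: labelled by Docker
        if vol["src"].endswith("docker.sock"):
            if not unconfined:
                findings.append(("SOCKET_CONFINED", f"{name}: {vol['src']} is mounted "
                                 "directly into a confined container; use a socket proxy, "
                                 "or label:disable as the post describes"))
            continue  # a :z relabel is not the fix the post gives for the socket
        if not unconfined and not (vol["opts"] & {"z", "Z"}):
            findings.append(("MISSING_RELABEL", f"{name}: bind mount {vol['src']} -> "
                             f"{vol['dst']} has no :z/:Z; a confined container cannot "
                             "access it on an SELinux host"))
    return findings


def check_compose(compose: dict) -> List[Finding]:
    out: List[Finding] = []
    for name, svc in (compose.get("services") or {}).items():
        out.extend(check_service(name, svc))
    return out


# Constructed inputs (hypothetical, reduced to the fields the checker reads):
# the two compose files from the post, and a variant with neither label:disable
# nor :z that a generator might emit today.
DIRECT_SOCKET = {"services": {"arcane": {
    "security_opt": ["label:disable"],
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock",
                "arcane-data:/app/data",
                "/path/to/stacks:/app/data/projects"]}}}

PROXIED = {"services": {
    "docker-socket-proxy": {"privileged": True,
                            "security_opt": ["no-new-privileges:true"],
                            "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
    "arcane": {"volumes": ["arcane-data:/app/data",
                           "/path/to/stacks:/app/data/projects:z"]}}}

MISCONFIGURED = {"services": {"arcane": {
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock",
                "arcane-data:/app/data",
                "/path/to/stacks:/app/data/projects"]}}}

if __name__ == "__main__":
    for label, compose in [("direct socket", DIRECT_SOCKET), ("proxied", PROXIED),
                           ("misconfigured", MISCONFIGURED)]:
        print(f"== {label}")
        for code, detail in check_compose(compose):
            print(f"  [{code}] {detail}")
```

Run against the first file it reports only that `label:disable` has switched confinement off; against the second it reports only the proxy's `privileged: true`, with the `arcane` service clean because its only bind mount carries `:z`; against the misconfigured variant it flags both the confined socket mount and the unlabelled stacks directory. To use it on a real file, load it with `yaml.safe_load` and pass the result to `check_compose`.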