Environment:Langgenius Dify Docker Compose Environment
| Knowledge Sources | |
|---|---|
| Domains | Infrastructure, Deployment |
| Last Updated | 2026-02-12 08:00 GMT |
Overview
Docker Compose environment orchestrating 7+ services (API, Worker, Beat, Web, PostgreSQL, Redis, Sandbox) with profile-based vector database selection from 17+ supported options.
Description
This environment defines the complete containerized deployment of Dify using Docker Compose. It includes:
- Core services: API server (Gunicorn), Worker (Celery), Worker Beat (Celery scheduler), Web frontend (Next.js/PM2)
- Required middleware: PostgreSQL 15 (or MySQL 8.0), Redis 6, Sandbox (code execution), Plugin Daemon, SSRF Proxy (Squid)
- Vector database: Weaviate (default), with 17+ alternatives selectable via Docker Compose profiles
All services share a `.env` file with 1,500+ configuration variables. An init container (`busybox`) sets file permissions (UID/GID 1001:1001) before the API and Worker services start.
Usage
Use this environment for production deployment of Dify. It is the primary deployment method documented in the project. The environment requires Docker Engine with Docker Compose V2 support. The vector database is selected at deployment time via the `COMPOSE_PROFILES` environment variable.
System Requirements
| Category | Requirement | Notes |
|---|---|---|
| OS | Linux (recommended), macOS, Windows with WSL2 | Production deployments should use Linux |
| Software | Docker Engine 20+ with Compose V2 | `docker compose` command (not legacy `docker-compose`) |
| RAM | 4GB minimum (8GB+ recommended) | Some vector DBs need more (OceanBase: 6GB, Couchbase: 5GB+) |
| Disk | 20GB+ SSD | Volumes for database, storage, vector DB data |
| Network | Ports 80/443 (Nginx), 5001 (API) | SSRF proxy network isolates sandbox |
Dependencies
Container Images
- `langgenius/dify-api:1.13.0` (API server, Worker, Beat)
- `langgenius/dify-web:1.13.0` (Frontend)
- `postgres:15-alpine` (Database, default profile)
- `mysql:8.0` (Database, mysql profile)
- `redis:6-alpine` (Cache and message broker)
- `langgenius/dify-sandbox:0.2.12` (Code execution sandbox)
- `langgenius/dify-plugin-daemon:0.5.3-local` (Plugin runtime)
- `ubuntu/squid:latest` (SSRF proxy)
- `busybox:latest` (Init permissions container)
Vector Database Images (Profile-based)
- `semitechnologies/weaviate:1.27.0` (default)
- `langgenius/qdrant:v1.8.3`
- `milvusdb/milvus:v2.6.3` (requires etcd + MinIO)
- `pgvector/pgvector:pg16`
- `docker.elastic.co/elasticsearch/elasticsearch:8.14.3`
- `opensearchproject/opensearch:latest`
- `ghcr.io/chroma-core/chroma:0.5.20`
- `oceanbase/oceanbase-ce:4.3.5-lts`
- `myscale/myscaledb:1.6.4`
- `matrixorigin/matrixone:2.1.1`
- And 7+ more options
Credentials
The following must be configured in `docker/.env`:
- `SECRET_KEY`: Application signing key. Required. Generate with `openssl rand -base64 42`.
- `DB_PASSWORD`: PostgreSQL password (default: `difyai123456`).
- `REDIS_PASSWORD`: Redis password (default: `difyai123456`).
- `PLUGIN_DAEMON_KEY`: Plugin daemon server key.
- `CODE_EXECUTION_API_KEY`: Sandbox API key (default: `dify-sandbox`).
Vector DB credentials (profile-dependent):
- `WEAVIATE_API_KEY`: Weaviate authentication key.
- `QDRANT_API_KEY`: Qdrant authentication key.
- `ELASTICSEARCH_PASSWORD`: Elasticsearch password.
- `MILVUS_TOKEN`: Milvus authentication token.
Quick Install
cd docker
# Copy and configure environment
cp .env.example .env
# Edit .env to set SECRET_KEY, passwords, etc.
# Start with default vector DB (Weaviate)
docker compose up -d
# OR start with a different vector DB
COMPOSE_PROFILES=qdrant docker compose up -d
COMPOSE_PROFILES=milvus docker compose up -d
COMPOSE_PROFILES=pgvector docker compose up -d
# Upgrade to new version (sync env vars)
./dify-env-sync.sh
docker compose pull && docker compose up -d
Code Evidence
Init permissions container from `docker/docker-compose.yaml:698-715`:
init_permissions:
image: busybox:latest
command:
- sh
- -c
- |
FLAG_FILE="/app/api/storage/.init_permissions"
if [ -f "$${FLAG_FILE}" ]; then
echo "Permissions already initialized. Exiting."
exit 0
fi
chown -R 1001:1001 /app/api/storage && touch "$${FLAG_FILE}"
PostgreSQL tuning parameters from `docker/docker-compose.middleware.yaml:17-28`:
command: >
postgres
-c max_connections=${POSTGRES_MAX_CONNECTIONS:-100}
-c shared_buffers=${POSTGRES_SHARED_BUFFERS:-128MB}
-c work_mem=${POSTGRES_WORK_MEM:-4MB}
-c maintenance_work_mem=${POSTGRES_MAINTENANCE_WORK_MEM:-64MB}
-c effective_cache_size=${POSTGRES_EFFECTIVE_CACHE_SIZE:-4096MB}
MySQL tuning parameters from `docker/docker-compose.middleware.yaml:57-62`:
command: >
--max_connections=1000
--innodb_buffer_pool_size=${MYSQL_INNODB_BUFFER_POOL_SIZE:-512M}
--innodb_log_file_size=${MYSQL_INNODB_LOG_FILE_SIZE:-128M}
--innodb_flush_log_at_trx_commit=${MYSQL_INNODB_FLUSH_LOG_AT_TRX_COMMIT:-2}
Common Errors
| Error Message | Cause | Solution |
|---|---|---|
| `init_permissions` container fails | Volume mount permissions issue | Ensure `./volumes/app/storage` directory exists and is writable |
| API container exits with migration error | Database not ready when API starts | API depends on database healthcheck; verify PostgreSQL is healthy |
| `SSRF proxy connection refused` | Sandbox cannot reach proxy | Check `ssrf_proxy_network` is created; restart sandbox service |
| `Plugin daemon connection refused` | Plugin daemon not started | Verify `PLUGIN_DAEMON_KEY` matches between API and daemon configs |
| Vector DB connection timeout | Wrong profile or credentials | Verify `VECTOR_STORE` matches `COMPOSE_PROFILES` and credentials are set |
Compatibility Notes
- Database Choice: PostgreSQL 15 is default and recommended. MySQL 8.0 available via `COMPOSE_PROFILES=mysql`. OceanBase and SeekDB also supported.
- Vector DB Memory: OceanBase requires 6GB+ RAM (`OCEANBASE_MEMORY_LIMIT`). Couchbase needs 5GB+ across multiple services. OpenSearch needs `memlock` ulimits disabled.
- Milvus: Requires 3 containers (etcd + MinIO + milvus-standalone). Most resource-intensive vector DB option.
- OpenGauss: Requires `privileged: true` Docker mode.
- SSRF Protection: All API and sandbox HTTP requests route through the Squid proxy network to prevent SSRF attacks.
Related Pages
Page Connections
Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment