Deploying the Appliance

Containers: Docker & Kubernetes

You can start running an instance of Kloudless on Docker in 4 steps.

  1. Authenticate to our private Docker Registry.
docker login -u <email> -p <meta-token>

The Meta (Bearer) Token is available Developer Portal Account page.

  1. Pull an image of the latest version.
docker pull

See the enterprise downloads page for the latest version available, and Release Notes for recent changes.

  1. Look up your license code from the Enterprise License page.

Generate a configuration file template with this script, and fill in necessary values. The script creates unique private keys to protect your data at rest. You have the only copy of the keys. Keep backups and kept the keys secret.

./ > kloudless.yml

Customize the resulting YAML file for your deployment. It will later be deployed either as an environment variable or on a removable volume.

Your license code can be found on the Enterprise License page.

# ./kloudless.yml - Example Instantiation
license_code: XyzEnterpriseLicenseCodeXyz
# db:    # for persisting data outside the instance [host,port,user,password,name]
# redis: # for clustering Kloudless instances

A minimal kloudless.yml configuration file should include a hostname, which the appliance filters on, and a license_code.

# ./kloudless.yml
license_code: XyzEnterprieLicenseXyz
  1. Run the appliance.
docker run
 --name kenterprise
 --env KLOUDLESS_CONFIG="$(cat ./kloudless.yml)"
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro
 --tmpfs /run --tmpfs /run/lock --tmpfs /tmp
 -p 80:80 -p 8080:8080 -p 443:443 -p 8443:8443 -p 22:22
 --ulimit nofile=1024000:1024000
 --sysctl net.ipv4.ip_local_port_range='1025 65535'

For deploying containers on a Kubernetes cluster, see the Kubernetes Deployment appendix section. For unmanaged Docker, see the Docker Deployment section of the appendix, of the Container Deployment appendix.

Amazon Web Services (AWS)

Creating an Instance from an AMI

Provide Kloudless Support with the AWS Account Number to share the Kloudless Enterprise AMI with. Once shared, you should be able to launch an instance of that AMI. When creating an instance, make sure to choose an instance type that fulfills at least the Minimum Hardware Requirements (e.g. t2.large). For all disks, we recommend using EBS with gp2 SSDs.

While creating the instance, attach a separate EBS drive to use as the “data disk” to persist data on. A 50 GB EBS drive is sufficient.


When deploying the Kloudless Appliance it is important that it is reachable from wherever your application will be running. Security Groups should be used to isolate the Kloudless Appliance from sources that do not require access. The services that are exposed on the appliance are described in the Network Services section, care needs to be taken that there is no unauthorized access to the Developer portal and administrative consoles especially.

Accessing the Administrative Console

While creating the instance, an SSH key should have been configured. The key configured there can be used to access the administrative console over SSH as follows:

ssh -i yourkey.pem ubuntu@instance_ip

OVA (VMWare and VirtualBox)

Obtaining the OVA

The OVA files can be obtained by contacting the Kloudless Support Team.

Importing the OVA

During the initial import of the Virtual Appliance it is important to configure an external hard drive which will be used to store local configuration, logs, and the local database if used. Please refer to the Minimum Specifications section for details on how much CPU, memory, and disk to allocate. It is important that the primary disk in the appliance not be modified, otherwise the instance may fail to boot or upgrade properly.

Network Configuration

The appliance requires DHCP in order to configure its network interfaces, DNS servers, etc. Please ensure that this is available before booting the appliance.

Firewall Rules

By default the appliance does not have any firewall in place. Access to the appliance should be managed by an external firewall or by manually configuring iptables on the appliance (note that this will not be persisted across system upgrades by default). For information on what rules to apply see the Network Services section.

Accessing the Administrative Console

You should be able to log in on the console using the default user:password ubuntu:ubuntu. You should immediately change the password of user ubuntu, using the passwd command, and disable password authentication for SSH, by including the following snippet in /data/kloudless.yml and updating configuration by running sudo ke_update_configuration

# ./kloudless.yml
    password_auth: false

Docker containers need only apply these changes if the ssh port is exposed.

Monitoring Initialization

The initial configuration process of the container can be monitored from within the container via the following command:

sudo tail -f /var/log/journalctl/ke_init.service.log

Logs for the whole appliance can be monitored through /var/log/syslog.

If the license key is already configured, completion of initialization can also be checked by querying the /health endpoint of the container:

curl http://localhost/health

A successful response will look something like the following:

{"celery": {"status": "ok", "local": {"queues": {"celery": 0, "celery-bg": 0},
"tasks": {"bg": "ok", "fg": "ok"}}, "remote": {"queues": {"celery": 0,
"celery-bg": 0}, "tasks": {"bg": "ok", "fg": "ok"}}, "elapsed":
0.42250490188598633}, "api": {"status": "ok"}, "db": {"status": "ok", "elapsed":