Container Installation

Deploy the OnePAM agent in Docker and Kubernetes environments.

Container Images

Pull the official OnePAM Docker images from your preferred registry.


Pull from any registry
Docker Hub
docker pull onepam/agent:latest
GitHub (GHCR)
docker pull ghcr.io/onepamcom/agent:latest
Amazon ECR Public
docker pull public.ecr.aws/d6e7e5m3/onepam/agent:latest

Overview

Run the OnePAM agent as a Docker container alongside your existing containerised workloads. The agent container monitors the host system and reports to your OnePAM instance.

Quick Start

Run the OnePAM agent container with a single command:

docker run -d \
  --name onepam-agent \
  --restart unless-stopped \
  --pid host \
  --network host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc:/host/etc:ro \
  -e AGENT_API_URL=https://onepam.com \
  -e AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000 \
  onepam/agent:latest

Docker Run

Full Configuration

docker run -d \
  --name onepam-agent \
  --restart unless-stopped \
  --pid host \
  --network host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc:/host/etc:ro \
  -v onepam-data:/opt/onepam/data \
  -e AGENT_API_URL=https://onepam.example.com \
  -e AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000 \
  -e AGENT_LOG_LEVEL=info \
  onepam/agent:latest

Using an Environment File

Store configuration in a file for easier management:

# agent.env
AGENT_API_URL=https://onepam.example.com
AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000
AGENT_LOG_LEVEL=info

Pass the file to the container with --env-file:

docker run -d \
  --name onepam-agent \
  --restart unless-stopped \
  --pid host \
  --network host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc:/host/etc:ro \
  -v onepam-data:/opt/onepam/data \
  --env-file agent.env \
  onepam/agent:latest
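
A pre-flight check for the agent.env file above, as an added example that is not part of the OnePAM documentation or product: it applies the documented constraints (tenant UUID required, four log levels) and flags the all-zero placeholder, quoted values and lax file permissions. The function name validate_agent_env, the HTTPS-only rule and the owner-only permission rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OnePAM code): lint agent.env before `docker run --env-file`.
# validate_agent_env FILE prints one finding per line; returns 1 if any were found.
validate_agent_env() {
    file=$1
    rc=0
    # If a key is repeated, inspect its last assignment (assumed precedence).
    url=$(sed -n 's/^AGENT_API_URL=//p' "$file" | tail -n 1)
    tenant=$(sed -n 's/^AGENT_TENANT_ID=//p' "$file" | tail -n 1)
    level=$(sed -n 's/^AGENT_LOG_LEVEL=//p' "$file" | tail -n 1)

    # docker run --env-file does not strip quotes; they become part of the value.
    if grep -Eq "^AGENT_[A-Z_]+=[\"']" "$file"; then
        echo "quoted value: remove the quotes, --env-file passes them through"; rc=1
    fi
    # AGENT_TENANT_ID is required and has no default.
    if ! printf '%s\n' "$tenant" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "AGENT_TENANT_ID: missing or not a UUID"; rc=1
    elif [ "$tenant" = "00000000-0000-0000-0000-000000000000" ]; then
        echo "AGENT_TENANT_ID: still the documentation placeholder"; rc=1
    fi
    # AGENT_API_URL may be omitted (default https://onepam.com) but never plaintext.
    case $url in
        ''|https://?*) ;;
        *) echo "AGENT_API_URL: must be an https:// URL"; rc=1 ;;
    esac
    # Only the four documented verbosity levels are accepted here.
    case $level in
        ''|debug|info|warn|error) ;;
        *) echo "AGENT_LOG_LEVEL: expected debug, info, warn or error"; rc=1 ;;
    esac
    # The tenant ID is treated as a credential, so keep the file owner-only.
    case $(ls -ld -- "$file" | cut -c5,8) in
        --) ;;
        *) echo "permissions: readable by group or others, use chmod 600"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the page's agent.env, still carrying the placeholder ID.
sample=$(mktemp)
printf '%s\n' 'AGENT_API_URL=https://onepam.example.com' \
    'AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000' \
    'AGENT_LOG_LEVEL=info' > "$sample"
validate_agent_env "$sample" || echo "agent.env rejected"
rm -f "$sample"
```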

Docker Compose

docker-compose.yml

version: "3.8"

services:
  onepam-agent:
    image: onepam/agent:latest
    container_name: onepam-agent
    restart: unless-stopped
    pid: host
    network_mode: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /etc:/host/etc:ro
      - onepam-data:/opt/onepam/data
    environment:
      AGENT_API_URL: "https://onepam.example.com"
      AGENT_TENANT_ID: "00000000-0000-0000-0000-000000000000"
      AGENT_LOG_LEVEL: "info"

volumes:
  onepam-data:

Alongside Your Application Stack

version: "3.8"

services:
  webapp:
    image: your-app:latest
    ports:
      - "8080:8080"

  database:
    image: postgres:16
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: "${DB_PASSWORD}"

  onepam-agent:
    image: onepam/agent:latest
    restart: unless-stopped
    pid: host
    network_mode: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /etc:/host/etc:ro
      - onepam-data:/opt/onepam/data
    env_file:
      - .env.onepam

volumes:
  pgdata:
  onepam-data:

Kubernetes

Deploy the OnePAM agent as a DaemonSet to run on every node in your cluster:

Secret (store credentials)

apiVersion: v1
kind: Secret
metadata:
  name: onepam-agent
  namespace: onepam
type: Opaque
stringData:
  AGENT_TENANT_ID: "00000000-0000-0000-0000-000000000000"

DaemonSet

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: onepam-agent
  namespace: onepam
  labels:
    app: onepam-agent
spec:
  selector:
    matchLabels:
      app: onepam-agent
  template:
    metadata:
      labels:
        app: onepam-agent
    spec:
      hostPID: true
      hostNetwork: true
      containers:
        - name: agent
          image: onepam/agent:latest
          env:
            - name: AGENT_API_URL
              value: "https://onepam.example.com"
            - name: AGENT_TENANT_ID
              valueFrom:
                secretKeyRef:
                  name: onepam-agent
                  key: AGENT_TENANT_ID
            - name: AGENT_LOG_LEVEL
              value: "info"
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
            - name: etc
              mountPath: /host/etc
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
        - name: etc
          hostPath:
            path: /etc

# Apply the manifests
kubectl create namespace onepam
kubectl apply -f secret.yml
kubectl apply -f daemonset.yml

# Verify pods are running on each node
kubectl -n onepam get pods -o wide

Configuration

Environment Variables

| Variable | Default | Description |
|---|---|---|
| AGENT_API_URL | https://onepam.com | OnePAM server URL |
| AGENT_TENANT_ID | - | Organisation UUID (required) |
| AGENT_LOG_LEVEL | info | Logging verbosity (debug, info, warn, error) |
| AGENT_DATA_DIR | /opt/onepam/data | Persistent data directory |

Required Volume Mounts

| Host Path | Container Path | Mode | Purpose |
|---|---|---|---|
| /proc | /host/proc | read-only | Process and system metrics |
| /sys | /host/sys | read-only | Hardware and device information |
| /etc | /host/etc | read-only | Host configuration and OS detection |

Security Note: The --pid host and --network host flags are required for full host visibility. In Kubernetes, use hostPID: true and hostNetwork: true in your pod spec. Store the AGENT_TENANT_ID in Kubernetes Secrets or Docker secrets.
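
One way to check a deployment file against the mount table and security note above (an added example, not OnePAM code): it confirms that /proc, /sys and /etc are bound read-only and that the host PID and host network settings are present in a docker-compose.yml or docker run script. The function name audit_agent_deploy is hypothetical, matching is file-wide rather than per service, and Kubernetes manifests are out of scope.

```shell
#!/bin/sh
# Added example (not OnePAM code): audit a docker-compose.yml or a `docker run`
# script against the page's "Required Volume Mounts" table and Security Note.
# audit_agent_deploy FILE prints findings and returns 1 if any were found.
audit_agent_deploy() {
    file=$1
    rc=0
    for pair in /proc:/host/proc /sys:/host/sys /etc:/host/etc; do
        # Collect every line that binds this host path, whatever its mode suffix.
        hits=$(grep -F -- "$pair" "$file" || true)
        if [ -z "$hits" ]; then
            echo "missing mount: $pair"; rc=1
        elif printf '%s\n' "$hits" | grep -Fv -- "$pair:ro" | grep -q .; then
            # No suffix means read-write, so an absent :ro is as bad as :rw.
            echo "writable mount: $pair is not :ro"; rc=1
        fi
    done
    # Host PID namespace: compose `pid: host` or CLI `--pid host` / `--pid=host`.
    if ! grep -Eq -e '(^|[[:space:]])pid:[[:space:]]*"?host|--pid[= ]host' "$file"; then
        echo "missing host PID namespace"; rc=1
    fi
    # Host network: compose `network_mode: host` or CLI `--network host`.
    if ! grep -Eq -e 'network_mode:[[:space:]]*"?host|--network[= ]host' "$file"; then
        echo "missing host network"; rc=1
    fi
    return $rc
}

# Constructed sample: the page's compose service with :ro dropped from /etc.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  onepam-agent:
    image: onepam/agent:latest
    pid: host
    network_mode: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /etc:/host/etc
EOF
audit_agent_deploy "$sample" || echo "deployment rejected"
rm -f "$sample"
```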

Available Images

OnePAM publishes container images to multiple registries. Use whichever is closest to your infrastructure.

| Image | Docker Hub | GHCR | Amazon ECR Public |
|---|---|---|---|
| Agent | onepam/agent | ghcr.io/onepamcom/agent | public.ecr.aws/d6e7e5m3/onepam/agent |
| Gateway | onepam/gateway | ghcr.io/onepamcom/gateway | public.ecr.aws/d6e7e5m3/onepam/gateway |
| Playground SSH | onepam/playground-ssh | ghcr.io/onepamcom/playground-ssh | public.ecr.aws/d6e7e5m3/onepam/playground-ssh |
| Playground RDP | onepam/playground-rdp | ghcr.io/onepamcom/playground-rdp | public.ecr.aws/d6e7e5m3/onepam/playground-rdp |
| Playground PostgreSQL | onepam/playground-postgres | ghcr.io/onepamcom/playground-postgres | public.ecr.aws/d6e7e5m3/onepam/playground-postgres |
| Playground MySQL | onepam/playground-mysql | ghcr.io/onepamcom/playground-mysql | public.ecr.aws/d6e7e5m3/onepam/playground-mysql |
| Playground HTTP | onepam/playground-http | ghcr.io/onepamcom/playground-http | public.ecr.aws/d6e7e5m3/onepam/playground-http |

All images are published simultaneously. Docker Hub is the default; use GHCR or ECR Public if your environment restricts Docker Hub access or for lower latency within AWS/GitHub infrastructure.

Gateway Container

Deploy a dedicated OnePAM Gateway as a container to proxy SSH, RDP, HTTPS, and database sessions within your own network.

Docker Run

docker run -d \
  --name onepam-gateway \
  --restart unless-stopped \
  -p 443:443 \
  -p 9443:9443 \
  -v gateway-data:/app/data \
  -e GATEWAY_API_URL=https://onepam.com \
  -e GATEWAY_ID=00000000-0000-0000-0000-000000000000 \
  -e GATEWAY_TOKEN=your-gateway-token \
  onepam/gateway:latest

Docker Compose

version: "3.8"

services:
  onepam-gateway:
    image: onepam/gateway:latest
    container_name: onepam-gateway
    restart: unless-stopped
    ports:
      - "443:443"
      - "9443:9443"
    volumes:
      - gateway-data:/app/data
    environment:
      GATEWAY_API_URL: "https://onepam.com"
      GATEWAY_ID: "00000000-0000-0000-0000-000000000000"
      GATEWAY_TOKEN: "your-gateway-token"

volumes:
  gateway-data: