Docker Deployment

Overview

Prism runs as a 3-service stack deployable via Docker Compose. There are no external dependencies — Chroma runs embedded inside the management plane. Images are hosted on GitHub Container Registry at ghcr.io/fencio-dev.

Quick Start

Create a docker-compose.yml with the following contents:

networks:
  prism-network:
    driver: bridge

volumes:
  mgmt-data:
  model-cache:
  proxy-data:

services:
  data-plane:
    image: ghcr.io/fencio-dev/data-plane:latest
    container_name: prism-data-plane
    ports:
      - "${DATA_PLANE_PORT:-50051}:50051"
    volumes:
      - mgmt-data:/app/data
    networks:
      - prism-network
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/localhost/50051' 2>/dev/null || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 15s
    environment:
      - RUST_LOG=${RUST_LOG:-info}
      - MANAGEMENT_PLANE_URL=http://management-plane:47000/api/v2

  management-plane:
    image: ghcr.io/fencio-dev/management-plane:latest
    container_name: prism-management-plane
    ports:
      - "${PRISM_PORT:-47000}:47000"
    volumes:
      - mgmt-data:/app/data
      - model-cache:/root/.cache/huggingface
    networks:
      - prism-network
    depends_on:
      data-plane:
        condition: service_healthy
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:47000/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 120s
    environment:
      - PRISM_PORT=47000
      - DATA_PLANE_URL=data-plane:50051
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - PRISM_PROXY_URL=http://prism-proxy:47101

  proxy:
    image: ghcr.io/fencio-dev/proxy:latest
    container_name: prism-proxy
    ports:
      - "${PROXY_PORT:-47100}:47100"
      - "${PROXY_API_PORT:-47101}:47101"
    volumes:
      - proxy-data:/app/data
    networks:
      - prism-network
    depends_on:
      management-plane:
        condition: service_healthy
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:47101/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 15s
    environment:
      - FENCIO_LISTEN_ADDR=:47100
      - FENCIO_API_ADDR=:47101
      - FENCIO_DB_TYPE=sqlite
      - FENCIO_ENFORCE_ENABLED=true
      - FENCIO_PRISM_URL=http://management-plane:47000

Then start all services in detached mode:

docker compose up -d

Services & Ports

| Service | Port | Description |
|---|---|---|
| management-plane | 47000 | Prism UI + FastAPI management API + MCP server + embedded Chroma |
| data-plane | 50051 | gRPC bridge server |
| proxy | 47100 | HTTPS intercept proxy |
| proxy | 47101 | Proxy admin API |

Once running, open http://localhost:47000 to access the Prism UI. The REST API is at /api/v2/ and Swagger UI at /docs.

UI & CLI Access

The Prism UI is served directly from the management plane at http://localhost:47000. No additional setup needed — port 47000 is already mapped to your host.

The prism CLI is installed inside the management-plane container. Run CLI commands without installing anything on the host:

docker compose exec management-plane prism agents list
docker compose exec management-plane prism status

Trusting the Certificate

The proxy intercepts HTTPS traffic using a self-signed CA. You need to trust it once so your HTTP clients don't reject it. The CA certificate is stored in the proxy-data volume and survives container restarts — trust it once and you're done.

Extract the certificate

docker cp prism-proxy:/app/data/certs/fencio-root-ca.pem ~/Downloads/fencio-root-ca.pem

macOS

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/fencio-root-ca.pem

Linux (Debian/Ubuntu)

sudo cp ~/Downloads/fencio-root-ca.pem /usr/local/share/ca-certificates/fencio-root-ca.pem
sudo update-ca-certificates
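
A trusted root CA can vouch for any site, so it is worth checking the extracted file before running the trust commands above. The script below is an added example, not part of Prism: it assumes openssl is installed on the host, and the function names and the script name check-ca.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not Prism's own tooling): vet the extracted proxy CA before
# adding it to a trust store. Function names are hypothetical.

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only for a currently valid, self-issued certificate marked CA:TRUE.
ca_is_sane() {
    cert="$1"
    # Parses as X.509 and has not expired (-checkend 0 = still valid now).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # basicConstraints must mark it as a CA.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 1
    # Root CA: subject and issuer names are identical.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
    issr=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$issr" ]
}

# Compare against a fingerprint recorded when the CA was first extracted,
# so a copy passed to another machine can be checked before it is trusted.
ca_matches() {
    [ "$(ca_fingerprint "$1")" = "$2" ]
}

# Usage: sh check-ca.sh <cert.pem> [expected-fingerprint]
if [ $# -ge 1 ]; then
    ca_is_sane "$1" || { echo "refusing: not a valid self-issued CA" >&2; exit 1; }
    if [ $# -ge 2 ] && ! ca_matches "$1" "$2"; then
        echo "refusing: fingerprint mismatch" >&2; exit 1
    fi
    openssl x509 -in "$1" -noout -subject -enddate
    echo "sha256: $(ca_fingerprint "$1")"
fi
```

Run it as `sh check-ca.sh ~/Downloads/fencio-root-ca.pem` and keep the printed fingerprint. Pass that fingerprint as the second argument when checking a copy of the file on another machine.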

Data Persistence

Three named volumes persist state across restarts: mgmt-data stores policies, sessions, and configuration; model-cache caches the embedding model (~90 MB) so it isn't re-downloaded on restart; proxy-data stores the proxy CA certificate chain. To reset all state:

docker compose down -v