fix(docker): fix container startup crash due to missing OD_API_TOKEN (#2928)

* fix(docker): fix container startup crash due to missing OD_API_TOKEN * fix(docker): forward OD_API_TOKEN to fix docker container boot loop * fix(docker): enforce non-empty OD_API_TOKEN for docker-compose * fix(deploy): automate OD_API_TOKEN generation in installer and close compose loop * docs(readme): guide manual deployment users to configure OD_API_TOKEN * docs(readme): align working directory paths for manual deployment instructions * docs(readme): align working directory paths for manual deployment instructions * docs(readme): restore git clone context for first-time users
2026-05-31 19:04:39 +07:00 · 2026-05-26 14:15:48 +08:00 · 2026-05-26 14:15:48 +08:00 · 1aa72b6d09
commit 1aa72b6d09
parent bfcafc81fd
6 changed files with 75 additions and 6 deletions
--- a/QUICKSTART.md
+++ b/QUICKSTART.md
@ -55,8 +55,24 @@ docker compose version

 From the repository root:

+1. Change to the deploy directory and copy the environment template:
+
+   ```bash
+   cd deploy
+   cp .env.example .env
+   ```
+
+2. Generate a secure token:
+
+   ```bash
+   openssl rand -hex 32
+   ```
+
+3. Open `.env` in your editor, find `OD_API_TOKEN=`, and paste the generated token there.
+
+Then start the service:
+
 ```bash
-cd deploy
 docker compose up -d
 ```

@ -107,7 +123,13 @@ docker compose down -v

 ## Environment Configuration

-Create a `deploy/.env` file to override the default configuration:
+Create a `deploy/.env` file to override the default configuration. Start from the provided example:
+
+```bash
+cp deploy/.env.example deploy/.env
+```
+
+Edit `deploy/.env` to set your own token and adjust other values as needed:

 ```env
 # Port exposed on the host
@ -121,6 +143,10 @@ OPEN_DESIGN_ALLOWED_ORIGINS=https://yourdomain.com

 # Docker image tag
 OPEN_DESIGN_IMAGE=docker.io/vanjayak/open-design:latest
+
+# Required API token for daemon security
+# Generate one with: openssl rand -hex 32
+OD_API_TOKEN=
 ```

 ---
--- a/README.md
+++ b/README.md
@ -338,9 +338,25 @@ docker compose version

 #### Start Open Design

-```bash id="m9w43w"
-git clone https://github.com/nexu-io/open-design.git
-cd open-design/deploy
+1. Clone the repository, change to the deploy directory, and copy the environment template:
+
+   ```bash
+   git clone https://github.com/nexu-io/open-design.git
+   cd open-design/deploy
+   cp .env.example .env
+   ```
+
+2. Generate a secure token:
+
+   ```bash
+   openssl rand -hex 32
+   ```
+
+3. Open `.env` in your editor, find `OD_API_TOKEN=`, and paste the generated token there.
+
+Then start the service:
+
+```bash
 docker compose up -d
 ```

--- a/deploy/.env.example
+++ b/deploy/.env.example
@ -10,9 +10,15 @@ OPEN_DESIGN_PORT=7456
 # domain, public IP, or reverse proxy, e.g. http://203.0.113.10:7456,https://od.example.com.
 OPEN_DESIGN_ALLOWED_ORIGINS=

+# REQUIRED. 
+# The daemon binds to 0.0.0.0 inside the container and strictly requires an API token for security.
+# Generate a secure 32-byte hex token by running `openssl rand -hex 32` and paste it below.
+OD_API_TOKEN=
+
 # Container memory limit. The idle service has been verified around 18-22 MiB.
 # Raise this for large exports, concurrent agent runs, or heavy upload workflows.
 OPEN_DESIGN_MEM_LIMIT=384m

 # Node.js heap cap inside the container.
 NODE_OPTIONS=--max-old-space-size=192
+
--- a/deploy/README.md
+++ b/deploy/README.md
@ -6,8 +6,25 @@ separate nginx container.

 ## Local compose

+Before starting:
+
+1. Copy the environment template:
+
+   ```bash
+   cp .env.example .env
+   ```
+
+2. Generate a secure token:
+
+   ```bash
+   openssl rand -hex 32
+   ```
+
+3. Open `.env` in your editor, find `OD_API_TOKEN=`, and paste the generated token there.
+
+Then pull and start the service:
+
 ```bash
-cd deploy
 OPEN_DESIGN_IMAGE=docker.io/vanjayak/open-design:latest docker compose pull
 OPEN_DESIGN_IMAGE=docker.io/vanjayak/open-design:latest docker compose up -d --no-build
 ```
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@ -15,6 +15,7 @@ services:
      OD_ALLOWED_ORIGINS: ${OPEN_DESIGN_ALLOWED_ORIGINS:-}
      OD_PORT: 7456
      OD_WEB_PORT: ${OPEN_DESIGN_PORT:-7456}
+      OD_API_TOKEN: ${OD_API_TOKEN:?Please run 'openssl rand -hex 32' to generate one, and set it in your .env file.}
    ports:
      - "127.0.0.1:${OPEN_DESIGN_PORT:-7456}:7456"
    volumes:
--- a/deploy/scripts/install.sh
+++ b/deploy/scripts/install.sh
@ -383,6 +383,8 @@ if [ -f "$ENV_FILE" ]; then
  cp "$ENV_FILE" "$BACKUP"
 fi

+GENERATED_TOKEN=$(openssl rand -hex 32 2>/dev/null || od -vAn -N32 -tx1 /dev/urandom | tr -d ' \n' 2>/dev/null)
+
 cat > "$ENV_FILE" << ENVFILE
 # Generated by install.sh on $(date -u +%Y-%m-%dT%H:%M:%SZ)
 OPEN_DESIGN_IMAGE=${IMAGE}
@ -390,6 +392,7 @@ OPEN_DESIGN_PORT=${PORT}
 OPEN_DESIGN_ALLOWED_ORIGINS=${ALLOWED_ORIGINS}
 OPEN_DESIGN_MEM_LIMIT=${MEM_LIMIT}
 NODE_OPTIONS=--max-old-space-size=192
+OD_API_TOKEN=${GENERATED_TOKEN}
 ENVFILE

 ok "Written ${ENV_FILE}"