CLI tools for deploying and monitoring Confidential VMs (CVMs) on dstack-vmm.
- Python 3.8+
- `jq`
- A running `dstack-vmm` instance
- A running `dstack-kms` instance
Handles the full CVM app deployment:
- Loads configuration from `.env` (creates a template on first run)
- Generates a pre-launch script (token verification + optional Docker login)
- Builds `app-compose.json` from your `docker-compose.yaml`
- Injects `launch_token_hash` for security verification
- Deploys the CVM to dstack-vmm
```bash
# 1. Create your app directory with a docker-compose.yaml
mkdir my-app && cd my-app
cat > docker-compose.yaml <<EOF
services:
  my-service:
    image: my-image:latest
    ports:
      - "8080:80"
EOF

# 2. Run the deploy script (first run creates a .env template)
/path/to/dstack-vmm-tools/deployer.sh

# 3. Edit the generated .env file with your values
vim .env

# 4. Run the deploy script again
/path/to/dstack-vmm-tools/deployer.sh
```

| Variable | Required | Description |
|---|---|---|
| `APP_NAME` | ✅ | Name of the app |
| `APP_ID` | ✅ | App ID. For on-chain governance: the app smart contract address. For off-chain: a random hex string (e.g. `openssl rand -hex 20`) |
| `VMM_RPC` | ✅ | URL of the dstack-vmm RPC service |
| `KMS_URL` | ✅ | URL of the KMS service |
| `OS_IMAGE` | ✅ | dstack OS image name (e.g. `dstack-0.5.6`) |
| `APP_LAUNCH_TOKEN` | ✅ | Token for app launch verification (auto-generated in template) |
| `GUEST_AGENT_ADDR` | ❌ | Host address for guest agent (e.g. `127.0.0.1:9205`) |
| `DOCKER_REGISTRY` | ❌ | Docker registry URL (e.g. `docker-regis.iex.ec`). All three `DOCKER_*` must be set together |
| `DOCKER_USER` | ❌ | Docker registry username |
| `DOCKER_TOKEN` | ❌ | Docker registry token |
| `CLOUDFLARE_API_TOKEN` | ❌ | Cloudflare API token for DNS-01 challenge (used by dstack-ingress) |
| `VCPU` | ❌ | Number of vCPUs (default: `2`) |
| `MEMORY` | ❌ | Memory size (default: `2G`) |
| `DISK` | ❌ | Disk size (default: `20G`) |
| `NET_MODE` | ❌ | Networking mode: `user` (default) or `bridge` |
| `PORT_MAP` | ❌ | Space-separated port mappings (format: `protocol[:address]:host_port:vm_port`) |
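
A pre-flight check for the variables in the table above, written as an added example (not part of dstack-vmm-tools): it enforces the required variables, the all-or-none `DOCKER_*` rule, the `NET_MODE` values and the `PORT_MAP` format. The sample `.env`, the function names and the assumption that `APP_ID` is always a hex string are this example's own; `deployer.sh` may parse `.env` differently.

```python
import re

REQUIRED = ("APP_NAME", "APP_ID", "VMM_RPC", "KMS_URL", "OS_IMAGE", "APP_LAUNCH_TOKEN")
DOCKER_VARS = ("DOCKER_REGISTRY", "DOCKER_USER", "DOCKER_TOKEN")
# PORT_MAP entry format from the table: protocol[:address]:host_port:vm_port
PORT_RE = re.compile(r"^[a-z]+(?::[^:\s]+)?:(?P<host>\d+):(?P<vm>\d+)$")
# Constructed sample .env with deliberate mistakes (all values are placeholders).
SAMPLE_ENV = """\
APP_NAME=my-app
APP_ID=4139fa786b4e210cecbb37d62d86552fc659fbc8
VMM_RPC=http://127.0.0.1:9080
KMS_URL=https://kms.example.invalid
OS_IMAGE=dstack-0.5.6
APP_LAUNCH_TOKEN=constructed-token
DOCKER_REGISTRY=registry.example.invalid
NET_MODE=nat
PORT_MAP="tcp:127.0.0.1:8080:80 udp:70000:53 8443:443"
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping surrounding quotes."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("\"'")
    return env

def validate(env):
    """Return a list of problems; an empty list means these checks passed."""
    problems = [f"{k} is required" for k in REQUIRED if not env.get(k)]
    # Assumption: both APP_ID forms (contract address, random hex) are hex strings.
    if env.get("APP_ID") and not re.fullmatch(r"(0x)?[0-9a-fA-F]+", env["APP_ID"]):
        problems.append("APP_ID is not a hex string")
    missing = sorted(k for k in DOCKER_VARS if not env.get(k))
    if 0 < len(missing) < len(DOCKER_VARS):
        problems.append("DOCKER_* must be set together; missing " + ", ".join(missing))
    if env.get("NET_MODE", "user") not in ("user", "bridge"):
        problems.append("NET_MODE must be 'user' or 'bridge'")
    for entry in env.get("PORT_MAP", "").split():
        m = PORT_RE.match(entry)
        if not m:
            problems.append(f"PORT_MAP entry {entry!r} is malformed")
        elif not all(1 <= int(m[g]) <= 65535 for g in ("host", "vm")):
            problems.append(f"PORT_MAP entry {entry!r} has a port outside 1-65535")
    return problems

if __name__ == "__main__":
    print("\n".join(validate(parse_env(SAMPLE_ENV))))
```
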

| File | Description |
|---|---|
| `.env` | Configuration template (created on first run) |
| `.app_env` | Environment secrets injected into the CVM |
| `.app-compose.json` | App compose manifest sent to dstack-vmm |

Streams logs from a running CVM container via the Gateway:
```bash
./dstack-vmm-tools/monitor-container.sh \
  --app-id 4139fa786b4e210cecbb37d62d86552fc659fbc8 \
  --agent-port 8090 \
  --gateway-url apps.ovh-tdx-dev.noxprotocol.dev \
  --container nox-kms
```

| Option | Required | Description |
|---|---|---|
| `--app-id` | ✅ | App ID of the CVM |
| `--agent-port` | ✅ | Guest agent port |
| `--gateway-url` | ✅ | Gateway base URL (e.g. `apps.ovh-tdx-dev.noxprotocol.dev`) |
| `--container` | ✅ | Container name to fetch logs from |

Scripts to install dstack components as persistent systemd services, so they survive SSH session disconnects and auto-restart on failure.
Creates and enables a dstack-vmm systemd service.
```bash
sudo ./dstack-vmm-tools/install-vmm-service.sh
sudo systemctl start dstack-vmm
```

| Variable | Default | Description |
|---|---|---|
| `DSTACK_DIR` | `/opt/dstack` | Directory containing `dstack-vmm` binary and `vmm.toml` |

Expects `dstack-vmm` and `vmm.toml` to be in `DSTACK_DIR`.

Creates and enables a dstack-auth systemd service for the auth-simple KMS authorization server.
```bash
sudo ./dstack-vmm-tools/install-auth-service.sh
sudo systemctl start dstack-auth
```

| Variable | Default | Description |
|---|---|---|
| `DSTACK_DIR` | `/opt/dstack` | Base directory (auth-simple expected in `$DSTACK_DIR/auth-simple/`) |
| `AUTH_PORT` | `3001` | Port the auth server listens on |

Expects `index.ts`, `auth-config.json`, and `node_modules/` in `$DSTACK_DIR/auth-simple/`. Requires `bun` installed on the host.

```bash
# Check status
sudo systemctl status dstack-vmm
sudo systemctl status dstack-auth

# Follow logs
sudo journalctl -u dstack-vmm -f
sudo journalctl -u dstack-auth -f

# Restart / Stop
sudo systemctl restart dstack-vmm
sudo systemctl stop dstack-auth
```