Not every item here will apply to your container. Use this as a starting point and adapt it to your workload.

Security

  • Don’t use debug mode in production. Debug mode enables SSH access and logging that you don’t want in a production enclave. Deploy a separate debug instance for troubleshooting.
  • Use secrets for all sensitive values. Database URLs, API keys, tokens, and credentials should be stored as secrets, not as environment variables in your config file or repo.
  • Use minimal registry credentials. If you’re pulling from a private registry, create access tokens with read-only scope. See registry auth.
  • Rotate secrets periodically. Update secret values in the dashboard, then redeploy your container to pick up the new values.
  • Only expose necessary paths. The paths list in your config acts as an allowlist — only list the endpoints your app needs to serve externally.

Reliability

  • Use blue-green updates. Always update running containers via the Update flow rather than deleting and redeploying. This gives you zero-downtime deploys and the ability to fix things if the new version is broken. Note: multi-GPU containers have downtime during updates by default, but zero-downtime updates are available if you pay for additional GPUs.
  • Test with debug mode first. Before deploying a new version to production, deploy it as a debug container to verify it works. Debug containers run on a separate domain and don’t affect production.

Resources

  • Right-size your container. Start with the smallest resource tier that works and scale up if needed. Over-provisioning wastes resources; under-provisioning causes OOM kills and slow responses. See resource options for guidance.
  • Monitor memory usage. If your container is using close to its memory limit, it may get killed under load. Allocate headroom above your typical usage.

Networking

  • Set up a custom domain. For production APIs, use a custom domain rather than the default *.containers.tinfoil.sh URL. This gives you control over DNS and makes it easier to migrate later.
  • Listen on the right port. Your app must listen on the port you configured as upstream-port in tinfoil-config.yml.

Secrets hygiene

  • Watch for stale secrets. The dashboard shows a warning when secrets have been updated since the container was last deployed. Redeploy promptly after rotating secrets.
  • Don’t log secret values. Even though secrets are only available inside the enclave, avoid printing them to stdout/stderr. Treat the enclave runtime the same way you’d treat any production server.
  • Clean up unused secrets. Remove secrets from your org that are no longer referenced by any container.
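One way to enforce the "don't log secret values" rule inside the container itself is a logging filter that scrubs known secret values (and any user:password userinfo in URLs) before a record reaches stdout/stderr. The following is an added example written for this checklist, not code from Tinfoil or from the template; the secret values and messages are constructed, and the assumption is only that the app uses Python's standard `logging` module.

```python
import logging
import re

# Matches the userinfo password in URLs such as postgres://user:pass@host/db
URL_CRED_RE = re.compile(r"(://[^:/@\s]+:)[^@\s]+@")


def redact_text(text, secrets):
    """Return text with URL passwords and every known secret value masked."""
    text = URL_CRED_RE.sub(r"\1[REDACTED]@", text)
    # Longest first, so a secret that is a prefix of another is never left half-visible
    for s in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(s, "[REDACTED]")
    return text


class SecretRedactor(logging.Filter):
    """Logging filter that rewrites the formatted message before it is emitted."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record):
        # Format %-style args now, then replace msg/args so handlers see only the redacted text
        record.msg = redact_text(record.getMessage(), self._secrets)
        record.args = ()
        return True


def emit_redacted(messages, secrets):
    """Run (msg, args) pairs through a logger wearing the filter; return the emitted lines.

    Constructed helper so the behaviour can be checked without a real stdout handler.
    """
    lines = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            lines.append(self.format(record))

    logger = logging.getLogger(f"redact-demo-{id(lines)}")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactor(secrets))  # attach to the handler that writes to stdout/stderr
    logger.addHandler(handler)
    for msg, args in messages:
        logger.info(msg, *args)
    logger.removeHandler(handler)
    return lines


if __name__ == "__main__":
    # Constructed sample: a secret injected into the enclave and a DB URL with credentials
    api_token = "tok_constructed_example_value"
    for line in emit_redacted(
        [("auth header: Bearer %s", (api_token,)),
         ("connecting to %s", ("postgres://app:hunter2@db:5432/app",))],
        [api_token],
    ):
        print(line)
```

Attach the filter to every handler that writes to stdout/stderr at process start, passing it the list of secret values the container was given; redaction by value catches secrets that are interpolated into messages, while the URL rule catches connection strings that nobody listed as a secret.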

Deployment workflow

  • Start from the template. Create your repo from the tinfoil-containers-template to get the latest shim-version and cvm-version values.
  • Pin images with SHA256 digests. Always use image:tag@sha256:... in your config. This ensures the exact image binary is verified and recorded in the transparency log.
  • Tag releases in Git. Use semantic versioning or a consistent tagging scheme so you can track which version is deployed and roll back to a known-good tag.
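Several of the items above (pin the image by SHA256 digest, keep `paths` a tight allowlist, listen on the configured `upstream-port`, keep credentials out of environment variables) can be checked mechanically before a deploy. The following pre-deploy lint is an added example, not part of the Tinfoil template or tooling; it assumes the config, once loaded from YAML, is a mapping with the keys `image`, `paths`, `upstream-port` and `env` (the first three are named on this page, `env` and the sample values are constructed assumptions).

```python
import re

# Constructed sample of a loaded tinfoil-config.yml; the key names beyond
# image/paths/upstream-port are assumptions, not the documented schema.
SAMPLE_CONFIG = {
    "image": "ghcr.io/example/api:1.4.2@sha256:" + "a" * 64,  # constructed pinned reference
    "upstream-port": 8080,
    "paths": ["/v1/chat", "/healthz"],
    "env": {"LOG_LEVEL": "info", "DATABASE_URL": "postgres://app:pw@db/app"},  # the mistake to catch
    "shim-version": "vX.Y.Z-placeholder",
    "cvm-version": "vX.Y.Z-placeholder",
}

# image:tag@sha256:<64 hex chars>; a bare tag is mutable and is not accepted
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")
# Env var names that usually carry material belonging in a secret
SENSITIVE_ENV_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|_URL)$", re.IGNORECASE)
BROAD_PATHS = {"/", "/*", "*", "/**"}


def lint_config(cfg):
    """Return a list of findings; an empty list means the config passes the checklist items."""
    findings = []

    image = cfg.get("image", "")
    if not DIGEST_RE.match(image):
        findings.append("image: not pinned as image:tag@sha256:<64 hex digest>")

    paths = cfg.get("paths") or []
    if not paths:
        findings.append("paths: allowlist is empty; nothing would be reachable")
    for p in paths:
        if not isinstance(p, str) or not p.startswith("/"):
            findings.append(f"paths: malformed entry {p!r}")
        elif p in BROAD_PATHS:
            findings.append(f"paths: entry {p!r} exposes every endpoint; list only what must be external")

    port = cfg.get("upstream-port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        findings.append("upstream-port: missing or not a valid TCP port")

    for name in (cfg.get("env") or {}):
        if SENSITIVE_ENV_RE.search(name):
            findings.append(f"env: {name} looks sensitive; store it as a secret instead")

    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG) or ["ok"]:
        print(finding)
```

Run this in CI against the config in the repo before the Update flow; the digest regex deliberately rejects tag-only references so a `:latest`-style image can never reach the transparency log unpinned, and the env-name heuristic is a coarse net that is meant to prompt a review, not to replace one.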