This guide is for testing and evaluation purposes only and is not intended for production deployments. Please reach out to us at [email protected] if you’d like to learn how to set up OpenOps in a production environment.
This guide explains how to install the OpenOps Docker Compose release on a newly created EC2 instance.It assumes you have appropriate permissions on an existing AWS account.
Choose a name for your instance and configure the following settings:
Application and OS Images (Amazon Machine Image)
Choose Ubuntu as the instance image, as it simplifies Docker installation. Ubuntu Server 24.04 LTS was the latest available version when this guide was written.
Keep 64-bit (x86) as the instance architecture.
Instance type. The t3.large instance type provides decent performance. You can choose a different type according to your needs, but it’s not recommended to select a size smaller than t3.medium.
Key pair (login). Creating a new SSH key pair is recommended but not mandatory.
Network settings. Allow SSH traffic from your own IP address:
Configure storage. Choose 50GB to ensure you have enough space for Docker images and databases.
In the Summary section on the right, click Launch instance:
Once the instance is launched, navigate to instance details by clicking the instance ID:
Configure the network settings and open the necessary ports:
Open the Security tab, then click on the security group.
Click Edit inbound rules.
Add two new rules by clicking Add rule each time:
In the first rule, for Type, choose HTTP, and under Source, select My IP.
In the second rule, for Type, choose SSH. Click the text field next to Source, and search for ec2-instance-connect. Select the prefix list with the full name similar to com.amazonaws.us-east-1.ec2-instance-connect, depending on your region. This allows you to connect to the instance via AWS CloudShell.
The resulting set of inbound rules should look like this:
Update the application URL to use the instance’s public IP address:
Copy
Ask AI
sed -i 's/http:\/\/localhost/http:\/\/'$(wget -4qO - https://ifconfig.io/ip)'/g' .env
Open the .env file in the OpenOps installation folder. Change the values of the following variables that represent credentials. Do it now, as you won’t be able to change these values after the initial deployment:
OPS_OPENOPS_ADMIN_EMAIL: the email of your OpenOps installation’s root admin account.
OPS_OPENOPS_ADMIN_PASSWORD: the password of your OpenOps installation’s root admin account.
OPS_POSTGRES_USERNAME: the username of the Postgres database that OpenOps uses.
OPS_POSTGRES_PASSWORD: the password of the Postgres database that OpenOps uses.
OPS_ANALYTICS_ADMIN_PASSWORD: the password of the OpenOps Analytics admin account (the username is hardcoded to admin).
To use external PostgreSQL or Redis databases, modify the relevant variables in the .env file. You can disable the corresponding containers by adding a profile in the docker-compose.yml file:
For production usage, it’s recommended to enable TLS (HTTPS). In addition to the security aspect, this also ensures that workflow templates load properly in all browsers.
The easiest way to enable TLS is to use an OpenOps script that requests and sets up a TLS certificate from Let’s Encrypt. Before running the script, make sure you have a domain name that points to your ‘s external IP address. If you’re configuring DNS right before running the script, you may need to wait for the DNS change to propagate.
Run the following command in your terminal:
Copy
Ask AI
curl -fsS https://openops.sh/tls | sh
When prompted, enter a domain name that points to the external IP address of your .
When prompted, enter an email address to receive certificate-related notifications from Let’s Encrypt.
The script will use the Certbot library to request a certificate for your domain from Let’s Encrypt. It receives and saves the certificate, updates the OpenOps configuration file accordingly, and restarts OpenOps.By default, the certificate expires in 3 months. See https://certbot.org/renewal-setup if you want to configure auto-renewal.
Alternatively, you can create a TLS certificate yourself. This lets you use DNS validation from Let’s Encrypt (rather than the HTTP validation the automatic script performs) or request a certificate from a different provider.To set up TLS manually:
Obtain certificate and private key files from your certificate provider.
Upload the certificate files to your OpenOps installation under the tls directory:
By default, OpenOps does not allow workflows to call internal network addresses such as 127.0.0.1 or 192.168.0.0. This affects HTTP and SMTP actions, as well as webhook triggers. Host validation protects users from creating workflows that could accidentally or maliciously access internal services, scan networks, or escalate privileges.You may need to disable this check in certain circumstances, such as in non-production deployments or when workflows intentionally interact with internal-only infrastructure.To disable host validation, open the .env file in your installation folder and set the OPS_ENABLE_HOST_VALIDATION environment variable to false.After making any changes to the .env file, restart the OpenOps containers:
Copy
Ask AI
sudo docker compose downsudo docker compose up -d
Disabling this check removes an important safety guard and may allow workflows to access internal infrastructure. Use caution and avoid disabling it in production.
