Skip to main content
Applies to BloodHound Enterprise Deploy OpenHound with Docker Compose when you want to run OpenHound as a containerized service without Kubernetes.
OpenHound currently runs one extension per container. The example Compose file includes services for GitHub, Jamf, and Okta, but you should start only the service for the extension you want to run.

Prerequisites

Before you begin, ensure that you have the following:
  • A BloodHound Enterprise tenant with OpenHound enabled.
  • API credentials for each OpenHound collector client you plan to run. Use the token_id and token_key generated for the matching collector client.
  • The required credentials for the extension you want to collect:
  • Uploaded saved queries and Privilege Zone rules for each extension you want to collect.
  • Docker Desktop with WSL integration enabled, or a Linux host with Docker or Podman installed.
  • The Compose plugin installed, such as docker compose or podman compose.
On Windows, enable Docker Desktop WSL integration before you run OpenHound from a WSL terminal. In Docker Desktop, open Settings > Resources > WSL integration, then enable integration for the WSL distribution you use.

Deploy OpenHound

Follow these steps to deploy OpenHound with Docker Compose and run a collector for the extension you want to use.
1

Verify Docker Compose

From your Linux or WSL terminal, run:
The command returns the installed Docker Compose version.
2

Create the working directories

Create a workspace for the Compose file and a DLT configuration directory:
3

Download the OpenHound examples

Clone the OpenHound repository:
You’ll use the example Compose file in the next step.
4

Copy the Enterprise Compose file

Copy the Enterprise example Compose file into your OpenHound workspace:
5

Create the OpenHound configuration file

Create ~/.dlt/config.toml for non-sensitive OpenHound runtime settings.
~/.dlt/config.toml
See Configuration for the full list of common runtime settings.
6

Create the extension-specific secrets file

Create one secrets file for each extension you want to run.The example Compose file uses collector-specific files on the host and maps the matching file into the container as /app/.dlt/secrets.toml.
ExtensionHost secrets fileContainer secrets file
GitHub~/.dlt/secrets_github.toml/app/.dlt/secrets.toml
Jamf~/.dlt/secrets_jamf.toml/app/.dlt/secrets.toml
Okta~/.dlt/secrets_okta.toml/app/.dlt/secrets.toml
Each extension secrets file must include:
  • [destination.bloodhoundenterprise] with the BloodHound Enterprise tenant URL and the token_id and token_key for the matching OpenHound collector client
  • The collector-specific credentials section, such as [sources.source.github.credentials], [sources.source.jamf.credentials], or [sources.source.okta.credentials] The following GitHub example uses an organization GitHub App.
    ~/.dlt/secrets_github.toml
The scheduler uses destination.bloodhoundenterprise with collector client credentials. Do not use the JWT-based destination.bloodhound settings from Upload Extension Assets for scheduled collection.
7

Add extension secret files

Some extensions require an additional secret file.For example, the GitHub App authentication method requires you to copy the GitHub App private key to the path referenced by the Compose file:
8

Start one OpenHound scheduler

From the OpenHound workspace, start the scheduler for the extension you configured.
To run another extension, configure its secrets file and start the matching service, such as scheduler-jamf or scheduler-okta.
Running docker compose up -d without a service name starts every service defined in the Compose file. Start only the service for the extension you configured.
9

Verify the scheduler logs

Follow the logs for the service you started:
The scheduler checks BloodHound Enterprise for available collection jobs. After you run an on-demand scan or a scheduled scan starts, the logs show the job status.
10

Run a collection

In BloodHound Enterprise, run an on-demand scan or create a collection schedule for the OpenHound collector client.After the job completes, monitor ingest and analysis progress on the collection activity pages.

Troubleshooting

  • If Docker commands fail from WSL, confirm Docker Desktop WSL integration is enabled for your distribution.
  • If the scheduler starts but does not collect data, confirm that the OpenHound collector client credentials in the extension secrets file match the BloodHound Enterprise tenant.
  • If GitHub App authentication fails, confirm that the .pem file is mounted at the same path configured in key_path.
  • If a collection fails because of GitHub API rate limits, tune the HTTP request parameters.