Skip to main content

Configuration Reference

dstack-cloud uses three layers of configuration: a global CLI config, a per-project app.json, and a standard docker-compose.yaml for your application. This page documents every field and available option.

dstack-cloud Global Configuration

Location: ~/.config/dstack-cloud/config.json 
{
  "image_search_paths": ["/path/to/your/images"],
  "gcp": {
    "project": "your-gcp-project-id",
    "zone": "us-central1-a",
    "bucket": "gs://your-bucket-name"
  },
  "nitro": {
    "region": "us-east-1"
  }
}

Fields

FieldTypeDescription
image_search_pathsarray of stringLocal paths where dstack-cloud looks for OS images
gcp.projectstringGCP project ID
gcp.zonestringGCP zone for VM deployment
gcp.bucketstringGCS bucket for storing CVM images
nitro.regionstringAWS region for Nitro Enclave deployment

app.json (Project Configuration)

Location: <project-dir>/app.json Generated by dstack-cloud new and edited manually for advanced configuration. 
{
  "os_image": "dstack-cloud-0.6.0",
  "key_provider": "local",
  "instance_name": "my-app",
  "platform": "nitro"
}

Fields

FieldTypeDescription
os_imagestringThe dstack OS image version to use
key_providerstringKey provider mode: local (default), tpm, or kms
instance_namestringHuman-readable name for the instance
platformstringTarget platform: gcp or nitro

key_provider Values

ValueDescriptionUse Case
localKeys generated locally within the CVMDevelopment, testing, single-node
tpmUse the platform TPM as root of trustKMS instances on GCP
kmsUse an external dstack-kms for key deliveryProduction workloads that need attested key delivery

docker-compose.yaml

The standard Docker Compose file defines your application. dstack-cloud reads this file and packages all containers into the CVM.

dstack-specific Extensions

dstack-cloud reads the standard docker-compose.yaml format. No special extensions are required. Important notes:
  • All images must be pullable by the build system (use public registries or pre-pull images)
  • Use SHA256 digests for pinned images (recommended for reproducible measurements): 
    services:
  web:
    image: nginx:latest@sha256:abc123...
  • The runtime: nvidia field is supported for GPU workloads on compatible instances
  • volumes that reference /var/run/dstack.sock are automatically mounted for Guest Agent access

Example: Web Application

services:
  web:
    image: nginx:latest
    ports:
      - "80:80"

Example: AI Inference with GPU

services:
  vllm:
    image: vllm/vllm-openai:latest
    runtime: nvidia
    command: --model Qwen/Qwen2.5-7B-Instruct
    ports:
      - "8000:8000"
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock

Example: KMS Instance

services:
  dstack-kms:
    image: phalanetwork/dstack-kms:latest
    environment:
      - KMS_HTTPS_PORT=12001
      - ETH_RPC_URL=https://sepolia.base.org
      - KMS_CONTRACT_ADDR=0x...
      - APP_CONTRACT_ADDR=0x...
    ports:
      - "12001:12001"

.env (Environment Variables)

Location: <project-dir>/.env Standard dotenv format. Used for environment variables that are injected into the CVM. 
API_KEY=your-api-key-here
DATABASE_URL=postgres://user:pass@host:5432/db

KMS Environment Variables

VariableDescriptionExample
KMS_HTTPS_PORTPort for KMS HTTPS/RA-TLS service12001
ETH_RPC_URLEthereum RPC endpoint URLhttps://sepolia.base.org
KMS_CONTRACT_ADDRDstackKms contract address0x1234...abcd
APP_CONTRACT_ADDRDstackApp contract address0x5678...efgh
USE_LIGHT_CLIENTUse helios light client instead of direct RPCtrue or false

Security of Environment Variables

  • Environment variables are encrypted before leaving your machine
  • They are decrypted only inside the CVM/TEE
  • The cloud provider and host OS cannot read them in plaintext

prelaunch.sh (Pre-launch Script)

Location: <project-dir>/prelaunch.sh An optional shell script that runs before the CVM/Enclave launches. Common uses:
  • Start the VSOCK proxy (Nitro)
  • Inject environment variables
  • Generate dynamic configuration
#!/bin/bash
# prelaunch.sh — runs before CVM launch

# Start VSOCK proxy (Nitro only)
socat VSOCK-LISTEN:8000,reuseaddr,fork TCP:localhost:8000 &

# Inject environment variables
export KMS_HTTPS_PORT=12001
export ETH_RPC_URL=https://sepolia.base.org

echo "Prelaunch complete"

dstack-cloud CLI Commands

CommandDescription
dstack-cloud new <name>Create a new project directory
dstack-cloud deployBuild and deploy the CVM/Enclave
dstack-cloud statusShow deployment status and measurements
dstack-cloud logs [--follow]View container logs
dstack-cloud stopStop the running CVM/Enclave
dstack-cloud startStart a stopped CVM/Enclave
dstack-cloud removeRemove the deployment and clean up resources
dstack-cloud fw allow <port>Allow inbound traffic on a port
dstack-cloud fw deny <port>Deny inbound traffic on a port
dstack-cloud pull --os-image <version>Download an OS image
dstack-cloud config-editEdit the global configuration

Next Steps