View on GitHub
docker pull lensesio/lenses

Lenses docker image can be configured via environment variables, or via volume mounts for the configuration files (lenses.conf, security.conf).

Environment variables prefixed with LENSES_ are transformed into corresponding configuration options. The environment variable name is converted to lowercase and underscores (_) are replaced with dots (.). As an example to set the option lenses.port use the environment variable LENSES_PORT.

Alternatively, the lenses.conf and security.conf can be mounted directly as

  • /mnt/settings/lenses.conf
  • /mnt/secrets/security.conf

Lenses license and connections to external services can be configured through wizard configuration, which will appear at Lenses start up, or via a Lenses CLI provision subcommand.

License file 

The license file may be provided to the Docker image via two methods:

  • Through the UI wizard at lenses start up. A step by step wizard guide will guide the configuration.
  • As a file, mounted as a volume and configured with Lenses CLI. Find more details about provisioning Lenses through CLI here .

See full examples for both configuration options below .

Docker volumes 

The Docker image exposes four volumes in total, where cache, logs, plugins and persistent data are stored:

  • /data/storage
  • /data/plugins
  • /data/logs
  • /data/kafka-streams-state.

Storage volume 

Resides under /data/storage and is used to store persistent data, such as Data Policies. For this data to survive between Docker runs and/or Lenses upgrades, the volume must be managed externally (persistent volume).

Plugins volume 

Resides under /data/plugins it’s where classes that extend Lenses may be added —such as custom serde, LDAP filters, UDFs for the Lenses SQL table engine and custom_http implementations. Learn more about plugins.

Logs volume 

Resides under /data/logs, logs are stored here. The application also logs to stdout, so for most cases, the log files aren’t needed. Learn more about logs.

KStreams state volume 

Resides under /data/kafka-streams-state, used when Lenses SQL is in IN_PROC configuration. In such a case, Lenses takes advantage of this scratch directory to cache Lenses SQL internal state. Whilst this directory can safely be removed, it can be beneficial to keep it around, so the Processors won’t have to rebuild their state during a restart.

Lenses TLS and Global JVM Trust Store 

By default Lenses serves connections over plaintext (HTTP). It is possible to use TLS instead, the Docker image offers the ability to provide the content for extra files via secrets, mounted as files or as environment variables. Especially for SSL, the Docker supports SSL/TLS keys and certificates in Java Keystore (JKS) formats.

This capability is optional and users can mount such files under custom paths and configure lenses.conf manually via environment variables, or lenses.append.conf.

There are two ways to use the File/Variable names of the table below.

  1. Create a file with the appropriate filename as listed bellow mount it under /mnt/settings, /mnt/secrets, or /run/secrets, or
  2. Set them as environment variables.

All settings with the exception of passwords, can be optionally encoded in base64. The docker will detect such encoding automatically.

File / Variable NameDescription
FILECONTENT_JVM_SSL_TRUSTSTOREThe SSL/TLS trust store to use as the global JVM trust store.
Add to LENSES_OPTS the property javax.net.ssl.trustStore
FILECONTENT_JVM_SSL_TRUSTSTORE_PASSWORDΤhe trust store password. If set, the startup script will add automatically to LENSES_OPTS the property javax.net.ssl.trustStorePassword (base64 not supported)
FILECONTENT_LENSES_SSL_KEYSTOREThe SSL/TLS keystore to use for the TLS listener for Lenses

Process UID/GUI 

The docker does not require running as root. The default user is set to root for convenience and to verify upon start up that all the directories and files have the correct permissions. The user drops to nobody and group nogroup (65534:65534) before starting Lenses.

If the image is started without root privileges, Lenses will start successfully using the effective uid:gid applied. Make sure any volumes mounted (i.e. for license, settings, data) have the correct permission set.

Deployment and Configuration examples 

UI Configuration 

You can configure Lenses through the newly introduced wizard . This way Docker configuration to run Lenses becomes pretty straight-forward. See the following docker-compose.yml example on how to deploy lenses.

version: '3.8'
    image: lensesio/lenses:5.0
      LENSES_PORT: 9991
      LENSES_SECURITY_PASSWORD: sha256:8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - 9991:9991
      - 9102:9102

You could also run:

docker run --name lenses lensesio/lenses:5.0 \
  -e LENSES_PORT=9991 \
  -e LENSES_SECURITY_PASSWORD=sha256:8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

Lenses will be available at http://localhost:9991. After login, you’ll see the Wizard page.

Lenses CLI Provisioning 

An alternative option is via a Lenses CLI provision subcommand. You can find all the details about constructing the required provision.yaml here .

The following docker-compose.yml deploys two services, lenses and lenses-provision. The second will read the provision.yaml file and configure all the specified connections and license using Lenses CLI . Container will stop after configuring lenses.

Running the lenses-cli command will override previous configurations. Use --setup-mode to check if wizard has not been completed and continue to provision only then. Read more here

To run the docker-compose, first define a .env file and run: docker-compose up

# .env
version: '3.8'
    image: lensesio/lenses:5.0
      - 9991:9991
      - 9102:9102

    image: lensesio/lenses-cli
      - ./provision.yaml:/mnt/provision-secrets/provision.yaml
      - ./license.json:/mnt/secrets/license.json
      - bash
      - -c
      - |
        lenses-cli provision --wait-for-lenses \
          --host="lenses:${LENSES_PORT}" \
          --user="${LENSES_SECURITY_USER}" \
          --pass="${LENSES_SECURITY_PASSWORD}" \

Alternatively both services can be run with docker run.

First run lenses:

docker run --name lenses \
  -e LENSES_PORT=9991 \
  -p 9991:9991 \
  --network lenses-network \

Once lenses is available, just execute:

docker run --rm --name lenses-cli --network lenses-network \
  -e LENSES_PORT=9991 \
  -v /path/to/provision.yaml:/mnt/provision-secrets/provision.yaml \
  -v /path/to/license.json:/mnt/secrets/license.json
  lensesio/lenses-cli \
  lenses-cli provision --host="lenses:9991" --user=admin --pass=admin /mnt/provision-secrets/provision.yaml

These could also be run in parallel by adding --wait-for-lenses after the lenses-cli provision command.