Docker
Run Qoc as a Docker Compose stack, mount your workspace as a volume, and start the agent with qoc up.
The recommended way to run Qoc is as a Docker Compose stack — one command brings up the agent runtime, the connector gateway, and the local API that the CLI talks to.
Prerequisites
You need Docker Engine 24+ and Docker Compose v2 on the host. Qoc does not require Kubernetes or any cloud-specific runtime.
Your workspace directory (the folder containing desk.toml) is mounted into the container as a volume. All workspace files — entities/, snapshots/, orders/, research/ — live on your host disk, not inside the container image.
Minimal compose file
services:
qoc:
image: ghcr.io/qoc-app/qoc:0.73.0
restart: unless-stopped
environment:
QOC_WORKSPACE: /workspace
QOC_AUTH_TOKEN_FILE: /run/secrets/auth_token
EQ_API_KEY: ${EQ_API_KEY}
EQ_API_SECRET: ${EQ_API_SECRET}
CX_API_KEY: ${CX_API_KEY}
CX_API_SECRET: ${CX_API_SECRET}
volumes:
- ./:/workspace
- qoc_state:/var/lib/qoc
ports:
- "127.0.0.1:7070:7070"
secrets:
- auth_token
secrets:
auth_token:
file: ./secrets/auth_token.txt
volumes:
qoc_state:Starting Qoc
- 1
Generate an auth token
Run
qoc init --token-file ./secrets/auth_token.txtto create a random 256-bit token. This token gates access to the local API and the remote tunnel. - 2
Set environment variables
Create a
.envfile next to the compose file with your venue credentials (EQ_API_KEY,EQ_API_SECRET, etc.). Docker Compose loads it automatically. - 3
Bring the stack up
Run
docker compose up -d. The container starts, loadsdesk.tomlfrom/workspace, connects configured venues, and begins the agent loop. - 4
Verify with qoc status
Run
qoc statusfrom the host. The CLI connects tohttp://127.0.0.1:7070(or your configured tunnel URL) and prints connector health, UTA buying power, and pending orders.
qoc up inside the container
docker compose exec qoc qoc up --workspace /workspace --log-level debugVolumes
The workspace mount (./:/workspace) is the only volume that needs to be backed up. It contains all agent decisions, orders, snapshots, and research. The qoc_state named volume holds connector session state and is reconstructed automatically from credentials on restart.
Do not mount the workspace as read-only — the agent writes proposed orders and snapshots during normal operation.
Never expose port 7070 to the public internet
The local API binds to 127.0.0.1 by default. Remote access should go through the secure tunnel described on the Remote access page — not by changing the bind address or adding a firewall rule.
Pin the image tag in production
Use an explicit version tag (0.73.0) rather than latest so that a docker compose pull never silently changes agent behavior. Review the release notes before upgrading.