Docker Compose
This guide covers setting up TBMQ in cluster mode using Docker Compose.
Prerequisites
Section titled “Prerequisites”- Docker installed.
Clone TBMQ repository
Section titled Clone TBMQ repositorygit clone -b release-2.3.0 https://github.com/thingsboard/tbmq.gitcd tbmq/dockerInstallation
Section titled “Installation”Create the necessary Docker volumes and update the HAProxy config in the created volume:
./scripts/docker-create-volumes.shRun the installation:
./scripts/docker-install-tbmq.shRunning
Section titled “Running”Start all services:
./scripts/docker-start-services.shOnce all services have started, open http://{your-host-ip} in your browser (e.g. http://localhost) and connect MQTT clients on port 1883.
You should see the TBMQ login page. Use the default System Administrator credentials:
Username:
Password:
sysadminOn first login, you are prompted to change the default password and re-login with the new credentials.
Logs, stop, and start commands
Section titled “Logs, stop, and start commands”To view TBMQ node logs:
docker compose logs -f tbmq1To view the state of all containers:
docker compose psTo inspect logs of all running services:
docker compose logs -fSee the docker compose logs reference for more details.
To stop services:
./scripts/docker-stop-services.shTo stop and completely remove deployed containers:
./scripts/docker-remove-services.shTo remove Docker volumes for all containers (warning: deletes all data):
./scripts/docker-remove-volumes.shTo apply config changes at runtime (e.g. edits to haproxy.cfg or logback.xml):
./scripts/docker-refresh-config.shTo reload HAProxy configuration without restarting the container, send a HUP signal:
docker exec -it haproxy-certbot sh -c "kill -HUP 1"Upgrading
Section titled “Upgrading”- Check the version-specific notes below for any preparation your target version requires.
- Back up your database (optional but recommended).
- Run the upgrade commands.
For full version history and supported upgrade paths, see the upgrade instructions page. If the documentation does not cover your specific upgrade path, contact us for guidance.
If there are no version-specific notes for your upgrade path, skip directly to Run upgrade.
Backup and restore (optional)
Section titled “Backup and restore (optional)”Backing up your PostgreSQL database before upgrading is highly recommended but optional. For guidance, follow the backup and restore instructions.
Upgrade to 2.3.0
Section titled Upgrade to 2.3.0This release migrates all third-party components from Bitnami images to official open-source alternatives. Review the third-party component updates for full details.
Then proceed with the upgrade.
Upgrade to 2.2.0
Section titled Upgrade to 2.2.0This release migrates MQTT authentication from YAML/env configuration into the database.
The upgrade script reads from the tbmq.env file. Environment variables in docker-compose.yml are not applied during the upgrade — only the values in tbmq.env are used. Make sure this file reflects your active configuration.
Supported variables in tbmq.env
SECURITY_MQTT_BASIC_ENABLED(true|false)SECURITY_MQTT_SSL_ENABLED(true|false)SECURITY_MQTT_SSL_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT(true|false) — usuallyfalse
Once the file is verified, proceed with the upgrade.
Upgrade to 2.1.0
Section titled Upgrade to 2.1.0This release adds the Integration Executor microservice and updates third-party service versions.
Add Integration Executor microservice
This release adds support for external integrations via the new Integration Executor microservice ( full example).
Pull the updates from the release branch by following the Run upgrade steps up to (but not including) the upgrade script. Then create the required Docker volumes:
./scripts/docker-create-volumes.shYou should see output similar to:
user@user:~/tbmq/docker$ ./scripts/docker-create-volumes.sh
tbmq-ie1-logstbmq-ie2-logstbmq-ie-configUpdate third-party services
This release updates third-party dependency versions ( pull request):
| Service | Previous version | Updated version |
|---|---|---|
| Redis | 7.0 | 7.2.5 |
| PostgreSQL | 15.x | 16.x |
| Kafka | 3.5.1 | 3.7.0 |
After addressing third-party service versions, proceed with the upgrade.
Run upgrade
Section titled “Run upgrade”Pull the latest changes from the release branch:
git pull origin release-2.3.0Note: Make sure any custom changes are not lost during the merge. Also ensure
TBMQ_VERSION in the .env file is set to the target version (e.g. 2.3.0 for the latest).
After pulling, execute the upgrade commands:
./scripts/docker-stop-services.sh./scripts/docker-upgrade-tbmq.sh./scripts/docker-start-services.shGenerate certificate for HTTPS
Section titled “Generate certificate for HTTPS”HAProxy handles traffic proxying and serves the web UI on ports 80 and 443 by default. To enable HTTPS with a valid certificate, run:
docker exec haproxy-certbot certbot-certonly --domain your_domain --email your_emaildocker exec haproxy-certbot haproxy-refreshEnable MQTTS (MQTT over SSL/TLS)
Section titled “Enable MQTTS (MQTT over SSL/TLS)”MQTTS allows clients to connect over an encrypted TLS/SSL channel. There are two common approaches:
- Two-way MQTTS (Mutual TLS) — TBMQ terminates TLS; clients must present valid certificates.
- One-way MQTTS (TLS termination at load balancer) — HAProxy handles TLS termination and forwards plain MQTT to TBMQ over the internal network.
Both approaches encrypt external connections. Two-way MQTTS adds client certificate verification for higher security; one-way MQTTS simplifies broker configuration and can reuse existing HTTPS certificates.
Two-way MQTTS
Section titled “Two-way MQTTS”In this configuration, TBMQ handles TLS termination and (optionally) client certificate authentication directly. This approach is suitable when you want the broker to fully control SSL/TLS and mutual authentication without relying on a load balancer for security.
For supported certificate formats and options, see the MQTT over SSL guide.
Provide SSL certificates
Obtain a valid SSL certificate and private key:
mqttserver.pem— public certificate (may include the full chain)mqttserver_key.pem— private key
Mount certificates into the container
In docker-compose.yml, uncomment and update the volume mount:
volumes: - PATH_TO_CERTS:/config/certificatesReplace PATH_TO_CERTS with the path to your certificate files. Ensure TBMQ has read access.
Configure environment variables
Edit the tbmq.env file and uncomment/configure the following lines:
LISTENER_SSL_ENABLED=trueLISTENER_SSL_PEM_CERT=/config/certificates/mqttserver.pemLISTENER_SSL_PEM_KEY=/config/certificates/mqttserver_key.pemLISTENER_SSL_PEM_KEY_PASSWORD=server_key_passwordLeave LISTENER_SSL_PEM_KEY_PASSWORD empty if your private key has no password.
Restart services
./scripts/docker-start-services.shOnce restarted, MQTT clients can connect securely on port 8883.
One-way MQTTS
Section titled “One-way MQTTS”TLS is terminated at HAProxy. Clients connect to HAProxy on port 8883, which forwards plain MQTT to TBMQ on port 1883. You can reuse the same certificate used for HTTPS.
Point HAProxy to your certificate bundle (PEM with full chain + private key). If you reuse the HTTPS certificate, reference the same bundle.
Update the haproxy.cfg file:
listen mqtts-in bind *:${MQTTS_PORT} ssl crt /usr/local/etc/haproxy/certs.d/fullchain-and-key.pem mode tcp option clitcpka # For TCP keep-alive timeout client 3h timeout server 3h option tcplog balance leastconn server tbMqtt1 tbmq1:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4 server tbMqtt2 tbmq2:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4Replace fullchain-and-key.pem with the actual filename of your certificate bundle.