
Docker images and CLI binaries

The Nitro Docker images bundle multiple CLI binaries that serve different roles in the Arbitrum ecosystem. This page documents the image variants, the binaries they contain, and how to override entrypoints to run specific tools.

Docker image variants

Nitro is published as several Docker image targets, each building on the previous one and adding more functionality:

| Image target | Repository tag | Entrypoint | Description |
| --- | --- | --- | --- |
| nitro-node-slim | offchainlabs/nitro-node:*-slim | /usr/local/bin/nitro | Minimal node image with nitro, relay, nitro-val, seq-coordinator-manager, prover, and dbconv. No legacy WASM module roots for validation. |
| nitro-node | offchainlabs/nitro-node:* | /usr/local/bin/nitro --validation.wasm.allowed-wasm-module-roots /home/user/nitro-legacy/machines,/home/user/target/machines | Full node image with DA tools, Timeboost binaries, and both legacy and current WASM module roots for validation. |
| nitro-node-validator | offchainlabs/nitro-node:*-validator | /usr/local/bin/split-val-entry.sh | Runs a single split validation server (nitro-val) alongside the main nitro process via split-val-entry.sh. |
| nitro-node-dev | offchainlabs/nitro-node:*-dev | /usr/local/bin/split-val-entry.sh | Extends nitro-node-validator with deploy, seq-coordinator-invalidate, mockexternalsigner, and the latest locally-built WASM module root. Intended for development and testing only. |

All images run as a non-root user account by default. The working directory is /home/user/.

Default entrypoint and flags

The nitro-node image (the standard production image) uses this entrypoint:

/usr/local/bin/nitro --validation.wasm.allowed-wasm-module-roots /home/user/nitro-legacy/machines,/home/user/target/machines

The --validation.wasm.allowed-wasm-module-roots flag tells the node which WASM module roots are valid for block validation. The comma-separated value includes:

  • /home/user/nitro-legacy/machines — WASM roots from earlier Nitro versions, needed to validate historical blocks.
  • /home/user/target/machines — Current WASM roots shipped with this image version.

Warning: If you override the entrypoint (for example, --entrypoint relay), the default flags are not applied. You must pass --validation.wasm.allowed-wasm-module-roots manually if the binary you are running requires validation support.

The split validator entrypoint

The nitro-node-validator image uses split-val-entry.sh as its entrypoint. This script:

  1. Generates a shared JWT secret for authentication between the node and its validation servers.
  2. Launches a nitro-val instance on loopback addresses:
    • Port 52000 — current validator using /home/user/target/machines.
  3. Waits for the validation server to become available.
  4. Launches the main nitro process with --node.block-validator.validation-server-configs-list pointing to that validator.

You can pass validator-specific flags using the --val-options and --val-options-latest prefixes, separated by --. The legacy validator was removed upstream, so passing --val-options-legacy now causes the container to exit immediately.

docker run offchainlabs/nitro-node:v3.11.0-a618155-validator \
  --val-options-latest --validation.api-auth=false -- \
  --node.block-validator.enable

Binary catalog

Core node

| Binary | Description |
| --- | --- |
| nitro | Main Arbitrum Nitro node. Runs as sequencer, full node, archive node, or batch poster depending on configuration. |
| nitro-val | Standalone validation server. Validates state transitions using WASM fraud proofs. |
| relay | Sequencer feed relay. Receives the transaction feed from a sequencer and redistributes it to downstream nodes. |
| deploy | Deploys Arbitrum Rollup contracts to the parent chain. Used when launching new Arbitrum chains. Dev image only. |
| prover | WASM prover binary for generating and verifying fraud proofs. |
| jit | Just-in-time (JIT) WASM execution machine. Faster alternative to the interpreted prover, used during validation. |

Data availability

| Binary | Description |
| --- | --- |
| anytrustserver | AnyTrust Data Availability Committee (DAC) server. Stores and serves batch data for AnyTrust chains. Formerly named daserver; renamed in nitro#4142. The old name is no longer present in the image. |
| anytrusttool | CLI tool for AnyTrust key generation, keyset management, and certificate inspection. Formerly named datool; renamed in nitro#4142. The old name is no longer present in the image. |
| daprovider | Unified data availability provider. Serves data from multiple backends (AnyTrust, blobs, or other DA layers). |

Timeboost

| Binary | Description |
| --- | --- |
| autonomous-auctioneer | Runs the Timeboost express lane auction. Accepts bids and determines express lane controllers. |
| bidder-client | Submits bids to the Timeboost express lane auction on behalf of a searcher or application. |
| el-proxy | Express lane proxy for testing. Wraps eth_sendRawTransaction calls and forwards them as express lane transactions. Testing only. |

Sequencer coordination

| Binary | Description |
| --- | --- |
| seq-coordinator-manager | Interactive terminal interface (TUI) for managing sequencer coordination via Redis. Displays and controls active sequencer selection. |
| seq-coordinator-invalidate | Invalidates a sequencer coordination message in Redis. Usage: seq-coordinator-invalidate [redis url] [signing key] [msg index]. Dev image only. |

Utilities

| Binary | Description |
| --- | --- |
| dbconv | Converts node databases between storage backends (for example, LevelDB to Pebble). |
| genesis-generator | Generates genesis state and initialization data for new Arbitrum chains. |
| transaction-filterer | Filters transactions based on configurable rules before they reach the sequencer. Exposes a /liveness health endpoint. |
| mockexternalsigner | Mock external transaction signer for testing. Accepts a private key and exposes an RPC signing interface. Dev image only. |

Image availability

Not all binaries are present in every image. The following table shows which image targets include each binary. The images also bundle some additional internal utility binaries not listed in this reference (for example, blobtool, filtering-report, and validator in nitro-node, and stylus-raw-deploycode in nitro-node-dev).

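| Binary | nitro-node:*-slim | nitro-node | nitro-node-validator | nitro-node-dev |
| --- | --- | --- | --- | --- |
| nitro | Yes | Yes | Yes | Yes |
| relay | Yes | Yes | Yes | Yes |
| nitro-val | Yes | Yes | Yes | Yes |
| prover | Yes | Yes | Yes | Yes |
| dbconv | Yes | Yes | Yes | Yes |
| seq-coordinator-manager | Yes | Yes | Yes | Yes |
| jit | No | Yes | Yes | Yes |
| anytrustserver | No | Yes | Yes | Yes |
| anytrusttool | No | Yes | Yes | Yes |
| daprovider | No | Yes | Yes | Yes |
| autonomous-auctioneer | No | Yes | Yes | Yes |
| bidder-client | No | Yes | Yes | Yes |
| el-proxy | No | Yes | Yes | Yes |
| genesis-generator | No | Yes | Yes | Yes |
| transaction-filterer | No | Yes | Yes | Yes |
| deploy | No | No | No | Yes |
| seq-coordinator-invalidate | No | No | No | Yes |
| mockexternalsigner | No | No | No | Yes |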

Overriding entrypoints

Use --entrypoint to run a different binary from the same Docker image. The examples below use the nitro-node image.

Feed relay

docker run --rm \
  --entrypoint relay \
  offchainlabs/nitro-node:v3.11.0-a618155 \
  --node.feed.input.url wss://arb1.arbitrum.io/feed \
  --chain.id 42161

Validation node

docker run --rm \
  --entrypoint nitro-val \
  offchainlabs/nitro-node:v3.11.0-a618155 \
  --help

DA keyset dump

docker run --rm \
  --entrypoint anytrusttool \
  offchainlabs/nitro-node:v3.11.0-a618155 \
  dumpkeyset --url https://your-dac-url

DA key generation

docker run --rm \
  -v /path/to/keys:/data/keys \
  --entrypoint anytrusttool \
  offchainlabs/nitro-node:v3.11.0-a618155 \
  keygen --dir /data/keys

Docker Compose example

The following docker-compose.yml runs an Arbitrum One full node. Replace the placeholder URLs with your actual parent chain and beacon endpoints.

# Arbitrum One full node — Docker Compose
# Requires: parent chain RPC endpoint and beacon chain endpoint
version: '3.8'

services:
  nitro:
    image: offchainlabs/nitro-node:v3.11.0-a618155
    restart: unless-stopped
    ports:
      # HTTP JSON-RPC endpoint
      - '8547:8547'
      # WebSocket JSON-RPC endpoint
      - '8548:8548'
    volumes:
      # Persistent data directory for the node database
      - nitro-data:/home/user/.arbitrum
    command:
      # Structured JSON logging. Nitro reads this from the --log-type flag,
      # not an environment variable (NITRO_LOG_TYPE has no effect).
      - --log-type=json
      # Parent chain connection (Ethereum mainnet RPC)
      - --parent-chain.connection.url=https://your-parent-chain-rpc-url
      # Beacon chain endpoint for EIP-4844 blob retrieval
      - --parent-chain.blob-client.beacon-url=https://your-beacon-chain-url
      # Chain ID for Arbitrum One
      - --chain.id=42161
      # Initialize from the latest pruned snapshot to avoid syncing from genesis.
      # --init.latest accepts: archive | pruned | genesis. A full node uses the pruned snapshot.
      # To pin a specific snapshot instead, use --init.url=<URL>.
      - --init.latest=pruned
      # Enable HTTP RPC on all interfaces so the port mapping works
      - --http.addr=0.0.0.0
      - --http.port=8547
      - --http.vhosts=*
      - --http.corsdomain=*
      - --http.api=net,web3,eth,arb
      # Enable WebSocket RPC
      - --ws.addr=0.0.0.0
      - --ws.port=8548
      - --ws.origins=*
      - --ws.api=net,web3,eth,arb

volumes:
  nitro-data:
    driver: local

To start the node:

docker compose up -d

To follow the logs:

docker compose logs -f nitro
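
The compose file above publishes ports 8547 and 8548 without a host IP, which Docker binds on every host interface, and sets --http.vhosts, --http.corsdomain and --ws.origins to *. The script below is an added example, not part of the Nitro documentation, that flags those settings so they can be reviewed before the node is placed on a reachable network. Both sample inputs and the rpc.example.internal hostname are constructed.

```sh
# Added example, not part of the Nitro documentation: a line-based lint
# (not a YAML parser) for RPC exposure settings in a compose file.

audit_compose() {
  # stdin: compose YAML; stdout: one "line N: finding" per issue.
  grep -n '' | grep -vE '^[0-9]+:[[:space:]]*#' | while IFS= read -r entry; do
    n=${entry%%:*}
    # Strip the list dash, surrounding quotes and trailing whitespace.
    item=$(printf '%s\n' "${entry#*:}" | sed -E \
      -e 's/^[[:space:]]*-[[:space:]]*//' -e 's/[[:space:]]+$//' \
      -e "s/^[\"']//" -e "s/[\"']\$//")
    case $item in
      --http.vhosts='*'|--http.corsdomain='*'|--ws.origins='*')
        echo "line $n: wildcard accepts any host/origin: $item" ;;
      *)
        # HOST_PORT:CONTAINER_PORT with no host IP binds every host interface.
        if printf '%s\n' "$item" | grep -qE '^[0-9]+:[0-9]+$'; then
          echo "line $n: port published on all host interfaces: $item"
        fi ;;
    esac
  done
}

# Constructed sample: the exposure-relevant lines of the compose file above.
sample_exposed() {
  cat <<'EOF'
    ports:
      - '8547:8547'
      - '8548:8548'
    command:
      - --http.vhosts=*
      - --http.corsdomain=*
      - --ws.origins=*
EOF
}

# Constructed sample: loopback-only ports, allow-lists (placeholder hostname).
sample_restricted() {
  cat <<'EOF'
    ports:
      - '127.0.0.1:8547:8547'
      - '127.0.0.1:8548:8548'
    command:
      - --http.vhosts=rpc.example.internal
      - --ws.origins=https://rpc.example.internal
EOF
}

sample_exposed | audit_compose
```

Run it against a real file with `audit_compose < docker-compose.yml`. The container-side --http.addr=0.0.0.0 binding is not flagged, because the host-side port mapping decides who can reach the RPC.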

Ports and endpoints

| Port | Protocol | Service | Notes |
| --- | --- | --- | --- |
| 8547 | HTTP | JSON-RPC | Main RPC endpoint for eth_, net_, web3_, and arb_ namespaces. |
| 8548 | WebSocket | JSON-RPC | WebSocket RPC endpoint. Supports subscriptions (eth_subscribe). |
| 8549 | HTTP | Auth RPC | Default JWT-authenticated RPC (the --auth.* engine API), bound to loopback (127.0.0.1) by default. The split validator reaches its nitro-val over ws://127.0.0.10:52000, not this port. |
| 9642 | WebSocket | Sequencer feed | Outbound transaction feed. Downstream nodes and relays connect here to receive new transactions. |
| 6070 | HTTP | Metrics server | Prometheus metrics endpoint at /debug/metrics/prometheus. |

Health check endpoints

The main nitro binary does not expose a dedicated health check endpoint. Health is typically inferred by checking RPC availability (for example, calling eth_chainId on port 8547).
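
One way to turn the eth_chainId check into a probe, as an added example that is not part of the Nitro documentation: it compares the returned chain ID with the expected one, so a proxy error page or a node on another network is not reported as healthy. The response bodies are constructed, and the live `probe` function assumes curl is available where the check runs.

```sh
# Added example, not part of the Nitro documentation: infer nitro health
# from an eth_chainId JSON-RPC call and the chain ID the node should serve.

# Print the hex "result" of a JSON-RPC response body; print nothing when the
# body carries no hex string result (error object, proxy HTML, empty body).
rpc_result() {
  printf '%s' "$1" | tr -d '\n' |
    sed -nE 's/.*"result"[[:space:]]*:[[:space:]]*"(0x[0-9a-fA-F]+)".*/\1/p'
}

# check_chain_id BODY EXPECTED_DECIMAL
# Returns 0 = healthy, 1 = answered with another chain ID, 2 = no usable answer.
check_chain_id() {
  hex=$(rpc_result "$1")
  [ -n "$hex" ] || return 2
  [ "$(printf '%d' "$hex")" -eq "$2" ] || return 1
}

# probe URL EXPECTED_DECIMAL: live check; needs curl and a reachable RPC port.
probe() {
  body=$(curl -sS --max-time 5 -H 'Content-Type: application/json' \
    --data '{"jsonrpc":"2.0","id":1,"method":"eth_chainId","params":[]}' \
    "$1") || return 2
  check_chain_id "$body" "$2"
}

# Constructed response bodies (not captured from a real node).
OK_BODY='{"jsonrpc":"2.0","id":1,"result":"0xa4b1"}'   # 0xa4b1 = 42161
WRONG_BODY='{"jsonrpc":"2.0","id":1,"result":"0x1"}'
ERR_BODY='{"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"constructed error"}}'

# Offline demonstration; against a live node: probe http://127.0.0.1:8547 42161
for body in "$OK_BODY" "$WRONG_BODY" "$ERR_BODY"; do
  rc=0; check_chain_id "$body" 42161 || rc=$?
  echo "status=$rc"
done
```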

Other binaries provide explicit health endpoints:

  • transaction-filterer exposes /liveness for health monitoring.
  • anytrustserver (DA server) exposes /health for readiness checks.