Hosting the Code Execution Environment

self-hosting

Last updated:

Jul 14, 2025

💡 Deployment Steps

🏃 Run the Docker Image

Execute the Docker Run Command:

sudo docker run -d --name code-execution-environment -p 3004:3004 --env-file ~/envs/code-execution-environment.env querioorganization/code-execution-environment:latest

Version Tag:

The image version is latest by default. You can change it to a specific version by modifying the tag. It is recommended to use the latest version so that you receive automatic updates.

Environment Variables:

The following environment variables need to be set:

 ENCRYPTION_KEY=supersecureencriptionkey  # Used for encrypting/decrypting data. Set this to any secure value.
  JUPYTER_PLATFORM_DIRS=1

  MAIN_API_URL=https://python.querio.ai       # URL of the main API instance. This allows dynamic fetching of files from the API, eliminating the need to update the image with every patch.

You can specify these variables using the --env-file flag or by using the -e flag for each variable. For example:

sudo docker run -d --name code-execution-environment -p 3004:3004 \
  -e ENCRYPTION_KEY=supersecureencriptionkey \
  -e JUPYTER_PLATFORM_DIRS=1 \
  -e MAIN_API_URL=https://python.querio.ai \
  querioorganization/code-execution-environment:latest

👥 Make the Instance Publicly Accessible

This step depends on your hosting provider. Generally, you need to open port 3004 to the public so that the instance is accessible from the internet.
For example, if you are using EC2, you can set up an NGINX application to forward requests to the container's port 3004.
Please use HTTPS for a secure connection.
Once the setup is complete, send us the URL of your instance.

📄 (Optional) Configure mTLS

For enhanced security, you can configure mutual TLS (mTLS). If you are using NGINX, follow these steps:

Prepare Certificates

Create a Certificate Authority (CA):

Generate a self‑signed CA certificate (or use your internal CA) to sign both your server and client certificates.

Generate the Server Certificate:

Create a private key and a certificate signing request (CSR) for your server, then sign it with your CA. For example:

# Generate CA (if not already available)
openssl req -x509 -newkey rsa:4096 -nodes -keyout ca.key -out ca.crt -days 365 -subj "/CN=myCA"# Generate Server CSR and Key
openssl req -newkey rsa:4096 -nodes -keyout server.key -out server.csr -subj "/CN=yourdomain.com"# Sign the Server Certificate with the CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Generate the Client Certificate:

Similarly, generate a client certificate and sign it using the same CA. This certificate will be used on the client side to prove its identity.

# Generate Client CSR and Key
openssl req -newkey rsa:4096 -nodes -keyout client.key -out client.csr -subj "/CN=client"# Sign the Client Certificate with the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

Edit the NGINX Configuration

Modify your NGINX configuration file (usually located in /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/) to add SSL settings for the specific route. For example:

server {
    listen 3004 ssl;
    server_name yourdomain.com;

    # Server certificate and key
    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # mTLS settings: verify client certificates
    ssl_client_certificate /path/to/ca.crt;  # CA used to sign client certificates
    ssl_verify_client on;                    # Enforce client certificate authentication
    ssl_verify_depth 2;                      # Adjust if your certificate chain is longer

    # Optional security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location /your-route {
        # Route configuration (e.g., proxy_pass, static content, etc.)
        proxy_pass http://backend_service;
    }
}

Test the mTLS Setup

Test with cURL:

Use cURL to simulate a client presenting a certificate:

curl --cert /path/to/client.crt \
     --key  /path/to/client.key \
     --cacert /path/to/ca.crt \
     https://yourdomain.com/health

If configured correctly, NGINX will authenticate the client certificate and allow access. If a client omits the certificate, NGINX should return an error (typically 400 or 403).

Reload NGINX:

Apply your changes by reloading NGINX:

sudo nginx -s reload

Send Us the Certificates

Once the certificates are generated, send us the client.crt and client.key files so we can add them to the Code Execution Environment.