Trento Docs :: Trento Documentation

Containerized deployment

A containerized deployment of Trento is identical to the systemd deployment. However, the web and check engine components are deployed as Docker containers.

Follow the steps in systemd installation, but skip the Install Trento using RPM packages step and follow the procedures as described below.

Install Trento using Docker

Install Docker container runtime

Enable the containers module (replace 15.x with the correct Service Pack version):
```
SUSEConnect --product sle-module-containers/15.x/x86_64
```
Install Docker:
```
zypper install docker
```
Enable and start Docker:
```
systemctl enable --now docker
```

Create a dedicated Docker network for Trento

Create the Trento Docker network:
```
docker network create trento-net
```

Verify the subnet of trento-net:

docker network inspect trento-net --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'

The output should be similar to this (the exact address may vary):

172.17.0.0/16

Open the /var/lib/pgsql/data/pg_hba.conf file for editing and replace 0.0.0.0/0 with the address returned by the command in the previous step.
Restart the PostgreSQL server using the systemctl restart postgresql command.

Install Trento on Docker

Create secret environment variables:

Consider using an environment variable file (see official Docker documentation). Adjust the docker command below for use with the env file. In any case, make sure you keep a copy of the generated keys in a safe location, in case you need to reuse them in the future.

WANDA_SECRET_KEY_BASE=$(openssl rand -out /dev/stdout 48 | base64)
TRENTO_SECRET_KEY_BASE=$(openssl rand -out /dev/stdout 48 | base64)
ACCESS_TOKEN_ENC_SECRET=$(openssl rand -out /dev/stdout 48 | base64)
REFRESH_TOKEN_ENC_SECRET=$(openssl rand -out /dev/stdout 48 | base64)

Install the checks on the system in a shared volume:

docker volume create trento-checks \
  && docker run \
  -v trento-checks:/usr/share/trento/checks \
  registry.suse.com/trento/trento-checks:latest

Deploy trento-wanda:

docker run -d --name wanda \
    -p 4001:4000 \
    --network trento-net \
    --add-host "host.docker.internal:host-gateway" \
    -v trento-checks:/usr/share/trento/checks:ro \
    -e CORS_ORIGIN=localhost \
    -e SECRET_KEY_BASE=$WANDA_SECRET_KEY_BASE \
    -e AMQP_URL=amqp://trento_user:trento_user_password@host.docker.internal/vhost \
    -e DATABASE_URL=ecto://wanda_user:wanda_password@host.docker.internal/wanda \
    -e OAS_SERVER_URL=https://trento.example.com/wanda \
    -e AUTH_SERVER_URL=http://localhost:4000 \
    --restart always \
    --entrypoint /bin/sh \
    registry.suse.com/trento/trento-wanda:latest \
    -c "/app/bin/wanda eval 'Wanda.Release.init()' && /app/bin/wanda start"

Deploy trento-web.

Make sure to change the ADMIN_USER and ADMIN_PASSWORD, these are the credentials that are required to login to the trento-web UI. Depending on how you intend to connect to the console, a working hostname, FQDN, or an IP is required in TRENTO_WEB_ORIGIN for HTTPS. Otherwise websockets fail to connect, causing no real-time updates on the UI.

Add CHARTS_ENABLED=false if Prometheus is not installed, or you do not want to use Trento’s charts functionality.

docker run -d \
-p 4000:4000 \
--name trento-web \
--network trento-net \
--add-host "host.docker.internal:host-gateway" \
-e AMQP_URL=amqp://trento_user:trento_user_password@host.docker.internal/vhost \
-e ENABLE_ALERTING=false \
-e DATABASE_URL=ecto://trento_user:web_password@host.docker.internal/trento \
-e EVENTSTORE_URL=ecto://trento_user:web_password@host.docker.internal/trento_event_store \
-e PROMETHEUS_URL='http://host.docker.internal:9090' \
-e SECRET_KEY_BASE=$TRENTO_SECRET_KEY_BASE \
-e ACCESS_TOKEN_ENC_SECRET=$ACCESS_TOKEN_ENC_SECRET \
-e REFRESH_TOKEN_ENC_SECRET=$REFRESH_TOKEN_ENC_SECRET \
-e ADMIN_USER='admin' \
-e ADMIN_PASSWORD='test1234' \
-e ENABLE_API_KEY='true' \
-e TRENTO_WEB_ORIGIN='trento.example.com' \
-e CHECKS_SERVICE_BASE_URL=/wanda \
-e OAS_SERVER_URL=https://trento.example.com \
--restart always \
--entrypoint /bin/sh \
registry.suse.com/trento/trento-web:latest \
-c "/app/bin/trento eval 'Trento.Release.init()' && /app/bin/trento start"

Email alerting are disabled by default, as described in enabling alerting guide. Enable alerting by setting ENABLE_ALERTING env to true. Additional required variables are: [ALERT_SENDER,ALERT_RECIPIENT,SMTP_SERVER,SMTP_PORT,SMTP_USER,SMTP_PASSWORD] All other settings should remain at their default.

Example:

docker run -d \

...[other settings]...

-e ENABLE_ALERTING=true \
-e ALERT_SENDER=<<SENDER_EMAIL_ADDRESS>> \
-e ALERT_RECIPIENT=<<RECIPIENT_EMAIL_ADDRESS>> \
-e SMTP_SERVER=<<SMTP_SERVER_ADDRESS>> \
-e SMTP_PORT=<<SMTP_PORT>> \
-e SMTP_USER=<<SMTP_USER>> \
-e SMTP_PASSWORD=<<SMTP_PASSWORD>> \

...[other settings]...

Check that everything is running as expected:

docker ps

Expected output:

CONTAINER ID   IMAGE                                         COMMAND                  CREATED          STATUS          PORTS                                       NAMES
8b44333aec39   registry.suse.com/trento/trento-web:2.2.0    "/bin/sh -c '/app/bi…"   6 seconds ago    Up 5 seconds    0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   trento-web
e859c07888ca   registry.suse.com/trento/trento-wanda:1.2.0   "/bin/sh -c '/app/bi…"   18 seconds ago   Up 16 seconds   0.0.0.0:4001->4000/tcp, :::4001->4000/tcp   wanda

Both containers must run and listen on the specified ports.

Installing Trento MCP Server

The Trento MCP Server provides AI-assisted management capabilities for your SAP landscape by exposing Trento functionality through the Model Context Protocol (MCP). This optional component enables integration with AI tools and assistants. After the installation of Trento MCP Server, see [sec-trento-mcp-how-to-use] for instructions on how to connect MCP-compatible AI assistants and tools to your Trento Server.

Requirements

Docker or Podman container runtime
A running Trento Server installation (accessible via network)
Sufficient disk space for container images and logs

Configuration Overview

The Trento MCP Server must be configured to work with your Trento Server. The key configuration parameters are:

TRENTO_MCP_TRENTO_URL: The URL where your Trento Server is accessible. This is particularly important when Trento is deployed behind NGINX or other reverse proxies. Use the externally accessible URL (for example, https://trento.example.com) instead of internal service URLs. When set, the server will use this URL for OpenAPI specification autodiscovery.
TRENTO_MCP_OAS_PATH: Explicit paths to OpenAPI specification files. Use this when you want to directly specify the location of the API specifications instead of relying on autodiscovery. This is particularly useful when you want to connect to internal services (such as localhost or Kubernetes service names) instead of going through a reverse proxy.
TRENTO_MCP_TAG_FILTER: Filter which API operations to expose based on tags. Default is "MCP" to only expose operations specifically tagged for MCP usage.
TRENTO_MCP_VERBOSITY: Logging verbosity level (debug, info, warn, error). Default is "info".
TRENTO_MCP_PORT: Port on which the MCP Server listens. Default is 5000.
TRENTO_MCP_ENABLE_HEALTH_CHECK: Enable/disable health check HTTP server. Default is false.
TRENTO_MCP_HEALTH_PORT: Port for health check server. Default is 8080.

Container Image

The official container image is available at:

registry.suse.com/trento/mcp-server-trento:latest

Basic Docker Deployment

For a basic deployment connecting to a running Trento Server:

docker run -d \
  --name mcp-server-trento \
  -p 5000:5000 \
  -e TRENTO_MCP_TRENTO_URL=https://trento.example.com \
  -e TRENTO_MCP_TAG_FILTER=MCP \
  -e TRENTO_MCP_VERBOSITY=info \
  --restart unless-stopped \
  registry.suse.com/trento/mcp-server-trento:latest

Replace https://trento.example.com with your actual Trento Server URL.

Advanced Docker Configuration

For more control over the MCP Server behavior, use additional environment variables:

docker run -d \
  --name mcp-server-trento \
  -p 5000:5000 \
  -p 8080:8080 \
  -e TRENTO_MCP_TRENTO_URL=https://trento.example.com \
  -e TRENTO_MCP_PORT=5000 \
  -e TRENTO_MCP_TAG_FILTER=MCP \
  -e TRENTO_MCP_VERBOSITY=debug \
  -e TRENTO_MCP_ENABLE_HEALTH_CHECK=true \
  -e TRENTO_MCP_HEALTH_PORT=8080 \
  --restart unless-stopped \
  registry.suse.com/trento/mcp-server-trento:latest

The MCP Server’s health check HTTP server is primarily intended for Kubernetes environments, where liveness/readiness probes use it. For Docker deployments, you can leave health checks disabled unless you need them for monitoring. If enabled, expose the health port (default 8080) as shown above.

Network Integration with Trento Components

If running Trento components in containers on the same host, use Docker networks:

# Run the MCP Server connected to the trento-net network
docker run -d \
  --name mcp-server-trento \
  --network trento-net \
  -p 5000:5000 \
  -e TRENTO_MCP_OAS_PATH=http://trento-web:4000/api/all/openapi,http://trento-wanda:4000/wanda/api/all/openapi \
  -e TRENTO_MCP_TAG_FILTER=MCP \
  -e TRENTO_MCP_VERBOSITY=info \
  --restart unless-stopped \
  registry.suse.com/trento/mcp-server-trento:latest

When using Docker networks with internal service names (e.g., http://trento-web:4000), ensure the MCP Server container can resolve and reach these hostnames. For external access through NGINX, use the externally accessible URL with TRENTO_MCP_TRENTO_URL instead.

Docker Compose Deployment

For a complete deployment with Docker Compose, add the following to your docker-compose.yml file:

services:
  mcp-server-trento:
    image: registry.suse.com/trento/mcp-server-trento:latest
    container_name: mcp-server-trento
    ports:
      - "5000:5000"
      - "8080:8080"
    environment:
      TRENTO_MCP_TRENTO_URL: https://trento.example.com
      TRENTO_MCP_PORT: 5000
      TRENTO_MCP_TAG_FILTER: MCP
      TRENTO_MCP_ENABLE_HEALTH_CHECK: true
      TRENTO_MCP_HEALTH_PORT: 8080
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/8080"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

Start the service:

docker-compose up -d mcp-server-trento

Verifying the MCP Server Installation

Check that the container is running:
docker ps | grep mcp-server-trento
Expected output should show the container in "Up" status.

Check the container logs:

docker logs mcp-server-trento

Expected output should show successful connection to Trento Server and OpenAPI specification loading:

2025-10-31 17:31:20 INFO the MCP server has been created mcp.name=mcp-server-trento mcp.version=devel
...
2025-10-31 17:31:21 INFO the MCP server mcp-server-trento has 39 registered tools
2025-10-31 17:31:21 INFO the MCP server is listening server.address=:5000 server.transport=streamable

Test the MCP Server endpoint:
curl http://localhost:5000/mcp
Expected output should show the MCP protocol handshake information.

If health checks are enabled, verify the endpoints:

# Liveness endpoint:
curl http://localhost:8080/livez

# Example output:
# {"info":{"name":"trento-mcp-server","version":"0.1.0"},"status":"up"}

# Readiness endpoint:
curl http://localhost:8080/readyz

# Example output:
# {"status":"up","details":{"mcp-server":{"status":"up","timestamp":"2025-10-09T12:11:09.528898849Z"},"wanda-api":{"status":"up","timestamp":"2025-10-09T12:11:09.542078327Z"},"web-api":{"status":"up","timestamp":"2025-10-09T12:11:09.544855047Z"}}}