Container image & supply chain
StrataBI Enterprise runs as a container in your AWS account. The image is built from a parameterized Dockerfile that defaults to public registries but can pull its base image and Python packages from your own registry and index — important for regulated or air-gapped environments. You build the image; the deployment just consumes the resulting image URL (stratabi_image).
Defaults: public
With no configuration, the build uses the public python base image and PyPI:
docker build -t your-registry/stratabi:1.0 .Public base images and third-party Python packages are provided by their respective upstreams as is. When you build from public defaults, that supply chain is your responsibility; when you bring private repositories, it is entirely yours. See the license terms.
Private base image and package index
Override the build-args to source the base image and packages from your own registry/index (Harbor, Artifactory, Nexus, …):
docker build \
--build-arg BASE_IMAGE=harbor.example.com/library/python:3.11-slim \
--build-arg PIP_INDEX_URL=https://artifactory.example.com/api/pypi/pypi/simple \
--build-arg PIP_EXTRA_INDEX_URL=https://artifactory.example.com/api/pypi/internal/simple \
-t your-registry/stratabi:1.0 .A build.sh wrapper reads the same values from BASE_IMAGE / PIP_INDEX_URL / etc. environment variables if you prefer.
Credentials (never in a layer)
Authenticate the base image pull with your builder's docker login (outside the Dockerfile). For a private index, pass credentials as a BuildKit secret — never a build-arg, which would persist in image history:
docker build --secret id=pip_conf,src=./pip.conf ... # pip.conf holds index URL + authInternal certificate authorities
If your registry/index presents an internal CA, drop the CA bundle(s) as *.crt into ./certs/ before building. The Dockerfile installs and trusts them; if the directory is empty, the step is skipped. (mTLS, proxies, and other registry-specific setups may need additional handling — treat those as advanced/air-gapped cases.)
Bring your own image
For the strictest environments you can build the image entirely yourself and pass its URL to the deployment via stratabi_image. The compatibility contract is small: the image must run python -m stratabi.app, expose port 8050, and contain the StrataBI runtime plus its Python dependencies. The provided Dockerfile is the reference.
Enterprise runtime: account-entitled
The StrataBI Enterprise runtime is distributed as an account-entitled, signed artifact, not as source you build from. You fetch it with StrataCLI, which checks your account's entitlement, downloads the artifact, and verifies its signature:
stratacli fetch-runtime --version 1.4.0 # writes ./dist/<runtime>.whl (verified)
docker build --build-arg RUNTIME_WHEEL=dist/<runtime>.whl -t your-registry/stratabi:1.4.0 .Because the build requires a valid account entitlement to obtain the runtime, deploying outside your licensed scope is discouraged at this seam, and the boot-time entitlement check enforces it at runtime. Air-gapped: the signed, account-scoped artifact is delivered out of band and validated against an offline license token — no build-time network call.
The community/developer edition is source-available and is not gated this way; this applies to the Enterprise runtime artifact.
StrataHQ discovery
StrataCLI resolves the StrataHQ location (endpoint + artifact bucket) from a small discovery document. Hosting it behind a stable CDN URL lets StrataHQ migrate without a client update — point STRATA_DISCOVERY_URL (or hq.discovery_url in config) at it and the CLI follows. Explicit config (flag/env/file/SSM) always overrides it.
Shaleio