cleanstart/nats repository overview

CleanStart Container for Nats

NATS is a simple, secure and high-performance open source messaging system for cloud native applications, IoT messaging, and microservices architectures. This container provides a production-ready NATS server with enhanced security features, monitoring capabilities, and enterprise-grade reliability. It includes the core NATS server, built-in security mechanisms like TLS support, authentication, and authorization controls, along with monitoring endpoints for operational visibility.

📌 CleanStart Foundation: Security-hardened, minimal base OS designed for enterprise containerized environments.

Key Features

• High-performance publish-subscribe and request-reply messaging
• Built-in authentication and authorization
• TLS/SSL support for encrypted communications
• Clustering support for high availability

Common Use Cases

• Microservices communication backbone
• Cloud messaging and event streaming
• IoT device messaging and data collection
• Real-time data distribution systems

Quick Start

Pull Latest Image Download the container image from the registry

docker pull cleanstart/nats:latest
docker pull cleanstart/nats:latest-dev

Basic Run Run the container with basic configuration

docker run -d --name nats-server -p 4222:4222 cleanstart/nats:latest

Production Deployment Deploy with production security settings

docker run -d --name nats-prod \
  --read-only \
  --security-opt=no-new-privileges \
  --user 1000:1000 \
  -p 4222:4222 -p 8222:8222 \
  cleanstart/nats:latest

Volume Mount Mount local directory for persistent data

docker run -d -v $(pwd)/nats-config:/etc/nats cleanstart/nats:latest

Port Forwarding Run with custom port mappings

docker run -d -p 4222:4222 -p 8222:8222 -p 6222:6222 cleanstart/nats:latest

Configuration

Environment Variables

Security & Best Practices

Recommended Security Context

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ['ALL']

Best Practices

• Use specific image tags for production (avoid latest)
• Configure resource limits: memory and CPU constraints
• Enable read-only root filesystem when possible
• Run containers with non-root user (--user 1000:1000)
• Use --security-opt=no-new-privileges flag
• Regularly update container images for security patches
• Implement proper network segmentation
• Monitor container metrics for anomalies

Architecture Support

Multi-Platform Images

docker pull --platform linux/amd64 cleanstart/nats:latest
docker pull --platform linux/arm64 cleanstart/nats:latest

• CleanStart Website: https://www.cleanstart.com⁠
• NATS Documentation: https://docs.nats.io⁠
• CleanStart Community Images: https://hub.docker.com/u/cleanstart⁠
• How-to-Run CleanStart Images & Sample Projects:  https://github.com/cleanstart-dev/cleanstart-containers⁠,
  • how-to-Run sample projects using dockerfile
  • how-to-Deploy via Kubernete YAML
  • how-to-Migrate from public images to CleanStart images

⁠Vulnerability Disclaimer

CleanStart offers Docker images that include third-party open-source libraries and packages maintained by independent contributors. While CleanStart maintains these images and applies industry-standard security practices, it cannot guarantee the security or integrity of upstream components beyond its control.

Users acknowledge and agree that open-source software may contain undiscovered vulnerabilities or introduce new risks through updates. CleanStart shall not be liable for security issues originating from third-party libraries, including but not limited to zero-day exploits, supply chain attacks, or contributor-introduced risks.

Security remains a shared responsibility: CleanStart provides updated images and guidance where possible, while users are responsible for evaluating deployments and implementing appropriate controls.