Engineering BotFarm: A Self-Hosted Platform for Secure Containerized Bot Management

These articles are AI-generated summaries. Please check the original sources for full details.

Building a Self-Hosted Bot Management Platform with Docker, FastAPI and React

BotFarm is a self-hosted platform designed to deploy and monitor containerized Python bots without requiring manual SSH intervention. It enforces resource limits of 512MB RAM and 0.5 CPUs per container to ensure predictable performance across multiple automated scripts.

Why This Matters

Ad-hoc bot management often results in scattered scripts with plaintext credentials and zero visibility, leading to significant security risks and maintenance overhead. Moving from manual systemd services or cron jobs to a centralized, containerized dashboard with an isolated Docker socket proxy mitigates the blast radius of potential compromises while formalizing deployment workflows through versioned diffs and real-time observability.

Key Insights

  • Security through isolation using tecnativa/docker-socket-proxy to allowlist only specific operations like BUILD and CONTAINERS, protecting the Docker daemon from compromised dashboard containers (BotFarm, 2026).
  • Credential protection using AES-256-GCM encryption with random IVs; secrets are injected as environment variables at runtime and never written to disk.
  • Real-time observability via WebSockets that stream Docker container logs directly to a React-based Monaco editor interface, replacing inefficient REST polling.
  • Audit persistence using append-only database permissions where the application user is restricted from UPDATE or DELETE operations on audit logs.
  • Infrastructure management using AlmaLinux 10 LTS and MariaDB 11 to support a production-grade Python 3.12 and FastAPI backend.

Working Examples

AES-256-GCM encryption for bot credentials with 96-bit random IVs.

import os
import base64
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def encrypt(plaintext: str, master_key: bytes) -> str:
    # master_key must be 32 bytes for AES-256
    iv = os.urandom(12)  # fresh 96-bit IV for every encryption
    aesgcm = AESGCM(master_key)
    # encrypt() returns the ciphertext with the 16-byte GCM tag appended
    ciphertext = aesgcm.encrypt(iv, plaintext.encode(), None)
    return base64.b64encode(iv + ciphertext).decode()

def decrypt(encrypted: str, master_key: bytes) -> str:
    data = base64.b64decode(encrypted)
    iv, ciphertext = data[:12], data[12:]
    aesgcm = AESGCM(master_key)
    # Raises cryptography.exceptions.InvalidTag if the data or key is wrong
    return aesgcm.decrypt(iv, ciphertext, None).decode()

Real-time log streaming from Docker containers via WebSockets.

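import asyncio
import docker
from fastapi import APIRouter, WebSocket

router = APIRouter()
docker_client = docker.from_env()  # honours DOCKER_HOST, e.g. the socket proxy

@router.websocket("/ws/logs/{bot_id}")
async def stream_logs(websocket: WebSocket, bot_id: int):
    await websocket.accept()
    try:
        container = docker_client.containers.get(f"bot_{bot_id}")
        logs = container.logs(stream=True, follow=True, tail=50)
        # Reading the Docker log stream blocks, so pull each line in a worker
        # thread instead of stalling the event loop for every other client.
        while (log_line := await asyncio.to_thread(next, logs, None)) is not None:
            await websocket.send_text(log_line.decode(errors="replace").strip())
    except Exception as exc:
        await websocket.send_text(f"Stream error: {exc}")
    finally:
        await websocket.close()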

Standard bot implementation using the shared logging and metrics library.

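import json
import os

from bot_logger import BotLogger

logger = BotLogger()
exit_code = 0
try:
    # Credentials arrive as a JSON environment variable injected at runtime
    creds = json.loads(os.environ.get("BOT_CREDENTIALS", "{}"))
    logger.log("INFO", "Bot started")
    records = process_data(creds)  # the bot's own work function, defined elsewhere
    logger.metric("records_processed", records)
except Exception:
    exit_code = 1  # report the failure instead of always closing with 0
    raise
finally:
    logger.close(exit_code=exit_code)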
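
The Docker socket proxy isolation from Key Insights, as an added Compose sketch (not BotFarm's own configuration). The service names, network names, dashboard image and the POST setting are assumptions; only the tecnativa/docker-socket-proxy image and the BUILD and CONTAINERS allowlist come from the article.

```yaml
# Added example. Only the proxy talks to the real Docker socket; the
# dashboard reaches the daemon through the proxy's allowlist.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      CONTAINERS: 1   # allow the /containers API section
      BUILD: 1        # allow the /build API section
      POST: 1         # assumption: write requests are needed to build and start bots
      # Sections such as EXEC, VOLUMES, NETWORKS and SECRETS are left
      # unset and keep the proxy default of 0 (denied).
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-api
    # No "ports:" entry: the proxy is never published on the host.

  dashboard:
    image: botfarm-dashboard:latest   # hypothetical image name
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375   # Docker SDK talks to the proxy
    networks:
      - docker-api
      - frontend
    # Weak alternative this replaces: bind-mounting /var/run/docker.sock
    # straight into the dashboard container.

networks:
  docker-api:
    internal: true    # proxy is reachable only from services on this network
  frontend: {}
```

The proxy filters by API section and HTTP method, not by request body, so the dashboard should still validate the container options it submits (image, mounts, the 512MB and 0.5 CPU limits).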

Practical Applications

  • Multi-developer environments where team members need to deploy bots without full host access. Pitfall: Direct Docker socket exposure allows a single container to compromise the entire daemon.
  • Secure credential injection where secrets are decrypted in memory and passed as environment variables. Pitfall: Committing hardcoded credentials or base64 strings to git repositories.
  • Automated bot versioning and rollbacks using visual diffs in the Monaco Editor. Pitfall: Manual file overwrites leading to unrecoverable code states during production failures.
