raylabpro/telemt

By raylabpro

Updated about 1 month ago

MTProxy for Telegram on Rust + Tokio

Image
Networking
Security
5

10K+

raylabpro/telemt repository overview

TeleMT

Docker Image Size Docker Pulls Architecture Security: non-root Base Image Upstream

A minimal, secure, and production-oriented Docker image for Telemt — a fast MTProto proxy server (MTProxy) written in Rust + Tokio.

Built as a fully static and semi static binary and shipped in a distroless runtime image, running as non-root by default.


✨ Features

  • 🔐 Secure by default: Distroless runtime + non-root user.
  • 🏗 Multi-arch: Supports amd64 and arm64.
  • 📦 Fully static binary (musl): Designed for gcr.io/distroless/static:nonroot.
  • 📦 Semi static binary (glibc): Designed for gcr.io/distroless/cc:nonroot.
  • 🧾 Config-driven: You mount a single /etc/telemt/config.toml and go.
  • 📈 Metrics-ready: Supports Telemt metrics port (9090) via config.

⚠️ Important Notice

Telemt is a Telegram proxy (MTProto). Operating proxies may be restricted or monitored depending on your country/ISP and may carry legal/operational risks.

You are responsible for compliance with local laws and for safe deployment (firewalling, access control, logs, monitoring).



📔 Image Variants

The telemt images come in many flavors, each designed for a specific use case.

telemt:<version>-distroless-cc

This is the defacto image. If you are unsure about what your needs are, you probably want to use this one.

Application build with glibc.

Image based on debian for build stage and gcr.io/distroless/cc:nonroot for runtime.

telemt:<version>-distroless-mc

This is the alternative defacto image. If you are want to smaller image than distroless-cc, you probably want to use this one.

Application build with musl.

Image based on alpine for build stage and gcr.io/distroless/static:nonroot for runtime.

This variant is useful when final image size being as small as possible is your primary concern. The main caveat to note is that it does use musl libc⁠ instead of glibc and friends⁠, so performance may be lower if depending on the depth of libc requirements/assumptions. See this Hacker News comment thread⁠ for more discussion of the issues that might arise and some pro/con comparisons of using musl-based builds.

telemt:<version>-debian

This image is based on the Debian project⁠, available in the debian official image. Used Debian Linux slim tag, that is much smaller than others, and thus leads slimmer images in general.

Application build with glibc.

This image contains some additional tools, like ping, telnet, curl, etc. to connectivity checks.

telemt:<version>-alpine

This image is based on the popular Alpine Linux project⁠, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.

Application build with musl.

This variant is useful when final image size being as small as possible with additional is your primary concern. The main caveat to note is that it does use musl libc⁠ instead of glibc and friends⁠, so performance may be lower if depending on the depth of libc requirements/assumptions. See this Hacker News comment thread⁠ for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

This image contains some additional tools, like ping, telnet, curl, etc. to connectivity checks.


🚀 Quick Start (Docker Compose)

1. Generate a Secret

Telemt users require a 32-hex-char secret (16 bytes):

openssl rand -hex 16

or

head -c 16 /dev/urandom | xxd -ps

or

xxd -l 16 -p /dev/urandom

or

python3 -c 'import os; print(os.urandom(16).hex())'
2. Create config.toml

Refer to the upstream repository for the configuration format and examples:

👉 https://github.com/telemt/telemt

Place your configuration file as ./config.toml.

3. Create docker-compose.yml

Note: the container runs as non-root, but Telemt binds to 443 by default.
To allow binding to privileged ports, we add NET_BIND_SERVICE.

---
services:
  telemt:
    container_name: telemt
    image: "raylabpro/telemt:${TELEMT_TAG:-distroless-cc}"
    restart: "unless-stopped"
    pull_policy: "always"
    # network_mode: host
    ports:
      - "18443:443"
      - "127.0.0.1:19090:9090/tcp"
    ulimits:
      nofile:
        soft: 65536
        hard: 65536

    environment:
      TZ: "Europe/Moscow"
      RUST_LOG: info

    volumes:
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/hostname:/etc/hostname:ro"
      - "./config.toml:/etc/telemt/config.toml:ro"

    # Hardening
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    tmpfs:
      - /tmp:rw,nosuid,nodev,noexec,size=16m

    # Resource limits (optional)
    deploy:
      resources:
        limits:
          cpus: "0.50"
          memory: 256M

    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
4. Start
docker compose up -d

Logs:

docker compose logs -f

⚙️ Configuration

Environment Variables
VariableMandatoryDefaultDescription
RUST_LOGNoTelemt log level (e.g. info, debug, trace).
Volumes
Container PathPurpose
/etc/telemt/config.tomlMain Telemt configuration file (you mount it from the host).
Ports
PortPurpose
443/tcpMain MTProxy listener (commonly used for TLS-like traffic).
9090/tcpMetrics port (only if enabled in config.toml).

🧠 Container Behavior

  • ENTRYPOINT: /usr/local/bin/telemt
  • CMD (default): /etc/telemt/config.toml

So the container effectively runs:

/usr/local/bin/telemt /etc/telemt/config.toml

To use a different config path, override the command:

docker run ... raylabpro/telemt:latest /path/to/config.toml

Tag summary

Content type

Image

Digest

sha256:36914954b

Size

16.2 MB

Last updated

about 1 month ago

docker pull raylabpro/telemt