v4.1.2 / Oct 01, 2025

Docker image

Here is a minimalistic example of running an OPC UA server in Docker.

docker run -p 4840:4840 -e DPA_DEV=<s7-ip> -d xtensive/dpa.ua.s7plus:<version>

This command:

  • sets the S7 PLUS controller address via DPA_DEV.
  • exposes the OPC UA server on host port 4840 mapped to container port 4840.
  • runs the container in detached mode.

While this works end-to-end, it’s not production-ready yet.

On the first start, the OPC UA server generates a self-signed certificate for its secure endpoints. If server data is not persisted, a new certificate is generated on every restart, which is not desirable in production because clients that trusted the previous certificate have to trust the new one again. In addition, any installed license file would need to be reinstalled after each restart.

Most importantly, on the first connection to the S7 PLUS controller, the OPC UA server downloads the symbol table needed to access optimized and non-optimized data blocks. For large projects, the symbol table can be very large and may take several minutes to download. Normally, the OPC UA server caches the symbol table to avoid unnecessary downloads — another reason to use persistent storage.

Persisting data (recommended for production)

Create a named volume:

docker volume create s7plus_data

Mount it to persist certificates and related configuration:

docker run \
  -v s7plus_data:/dpa/instances \
  -p 4840:4840 \
  -e DPA_DEV=<s7-ip> \
  -e DPA_UA_INSTANCE=device01 \
  -d xtensive/dpa.ua.s7plus:<version>

Notes:

  • You don’t need a separate volume per container; sharing one named volume across multiple instances is supported and recommended.
  • Ensure each container has a distinct DPA_UA_INSTANCE so its data is stored in a unique subdirectory under /dpa/instances/.
  • If you need a different host port, use Docker port mapping (e.g., -p 4950:4840) rather than changing the internal port.

Docker compose

If the OPC UA client (the consumer of the OPC UA interface) is running inside a Docker container on the same virtual network as the OPC UA server, you do not need to expose or map ports to the host. In this setup, containers can communicate directly over Docker’s internal network.

This approach improves security, because the OPC UA endpoint remains internal, and is the recommended way to deploy the OPC UA server in containerized environments.

docker-compose.yaml:

services:
  ua_device01:
    image: xtensive/dpa.ua.s7plus:${S7PLUS_VERSION}
    environment:
      - DPA_DEV=192.168.0.1
      - DPA_UA_INSTANCE=device01
    volumes:
      - s7plus_data:/dpa/instances
    restart: unless-stopped

volumes:
  s7plus_data:
    name: s7plus_data

.env:

S7PLUS_VERSION=v4.1.1

With this configuration, other containers on the same virtual network can access the OPC UA server directly using the service name as the host name, for example: “opc.tcp://ua_device01”.

Environment Variables

DPA_DEV

Specifies the host and port of the SIEMENS S7 PLUS device. The host can be a network name or an IP address. The port is optional and defaults to 102. Example:

# Using default S7 port 102
DPA_DEV=192.168.0.1

# Using a non-default port 103
DPA_DEV=192.168.0.1:103

DPA_DEV_TLS

Optional. Enables secured communication with the controller over TLS. When enabled, all data exchanged with the controller is encrypted to ensure confidentiality and integrity.

  • To enable TLS, set this variable to one of: 1, TRUE, YES, or ON (case-insensitive). Example:

DPA_DEV_TLS=YES

  • If this variable is unset or set to one of: 0, FALSE, NO, or OFF, TLS is disabled and communication occurs without encryption.

DPA_DEV_PASSWORD

Optional. Supplies the password used to authenticate access to the controller.

DPA_DEV_TIMEOUT

Optional. Sets the controller request/response timeout (in seconds). Default is 15 seconds.

DPA_UA_INSTANCE

Optional. Specifies the name of a non-default OPC UA server instance. Instances are explained here.

  • Use this variable when running multiple containers to clearly identify each instance.

  • Because each containerized OPC UA server instance serves a single device, the instance name should include the device name or another meaningful identifier.

  • Avoid spaces or special characters. The instance name is mapped directly to the directory name containing all related configuration files. Example:

DPA_UA_INSTANCE=device01

DPA_UA_NOCERT

Optional. Indicates that the OPC UA server should not use an X.509 certificate and private key. In that case only the unsecured OPC UA server endpoint is hosted. Avoid using it in production environments. Set this variable to one of: 1, TRUE, YES, or ON to expose only the unsecured endpoint.

DPA_UA_PORT

Optional. Specifies the internal TCP port used by the OPC UA server inside the container.

  • Default: 4840

  • By default, the container exposes the OPC UA server on port 4840 internally. It’s generally recommended not to change this value inside the container.

  • To use a different external port on the host, configure it using Docker port mapping instead of changing this variable.
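
The DPA_DEV_TLS, DPA_UA_INSTANCE and DPA_UA_NOCERT settings described above can be checked before a container is started. The shell function below is an added example, not part of the product or its documentation; the function names, the sample values and the character set allowed for instance names are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code: lint one container's KEY=VALUE settings
# (read from stdin) against the behaviour this page documents.

# is_on VALUE: true for 1/TRUE/YES/ON, case-insensitive, as documented above.
is_on() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    1|TRUE|YES|ON) return 0 ;;
    *) return 1 ;;
  esac
}

# env_get TEXT KEY: print the last value assigned to KEY, empty if unset.
env_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# lint_dpa_env: print one finding per line; exit status 1 if any was printed.
lint_dpa_env() {
  env_text=$(cat)
  found=0
  if is_on "$(env_get "$env_text" DPA_UA_NOCERT)"; then
    echo "DPA_UA_NOCERT: only the unsecured OPC UA endpoint is hosted"; found=1
  fi
  if ! is_on "$(env_get "$env_text" DPA_DEV_TLS)"; then
    echo "DPA_DEV_TLS: traffic to the controller is not encrypted"; found=1
  fi
  inst=$(env_get "$env_text" DPA_UA_INSTANCE)
  case "$inst" in
    "") echo "DPA_UA_INSTANCE: unset; give each container a distinct name"
        found=1 ;;
    # Assumption: "special characters" means anything outside A-Za-z0-9_-
    *[!A-Za-z0-9_-]*)
        echo "DPA_UA_INSTANCE: '$inst' has characters outside A-Za-z0-9_-"
        found=1 ;;
  esac
  return "$found"
}

# Constructed sample settings (not from the page); prints three findings.
sample='DPA_DEV=192.168.0.1
DPA_DEV_TLS=off
DPA_UA_INSTANCE=line 1/plc
DPA_UA_NOCERT=Yes'
printf '%s\n' "$sample" | lint_dpa_env || echo "fix the findings before deploying"
```

To check a real settings file, run `lint_dpa_env < device01.env` (a hypothetical file name) and pass the same file to `docker run --env-file`.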