Daemon Configuration
Configuration options for Scanopy daemons.
Configuration Priority
Scanopy daemons use the following priority order (highest to lowest):
- Command-line arguments (highest priority)
- Environment variables
- Configuration file
- Default values (lowest priority)
Later sources override earlier ones. For example, an environment variable overrides the config file but is overridden by a command-line argument.
Configuration Methods
Command-line arguments (also accepted by scanopy-daemon install, which persists them to the config file — see Running as a Service):
scanopy-daemon --server-url http://192.168.1.100:60072 --api-key YOUR_KEYEnvironment variables:
export SCANOPY_SERVER_URL=http://192.168.1.100:60072
export SCANOPY_DAEMON_API_KEY=YOUR_KEY
scanopy-daemonDocker environment:
environment:
- SCANOPY_SERVER_URL=http://192.168.1.100:60072
- SCANOPY_DAEMON_API_KEY=YOUR_KEYConfiguration file:
The daemon automatically creates a config file at:
- Linux:
~/.config/scanopy/daemon/config.json - macOS:
~/Library/Application Support/com.scanopy.daemon/config.json - Windows:
%APPDATA%\scanopy\daemon\config.json
The config file stores runtime state (daemon ID, host ID) alongside your settings. Command-line and environment variables take priority over the file.
Parameter Reference
| Parameter | CLI Flag | Environment Variable | Config File Key | Default | Description |
|---|---|---|---|---|---|
| Server URL | --server-url | SCANOPY_SERVER_URL | server_url | http://127.0.0.1:60072 | URL where the daemon can reach the server |
| API Key | --daemon-api-key | SCANOPY_DAEMON_API_KEY | daemon_api_key | Required | Authentication key for daemon (generated via UI) |
| Network ID | --network-id | SCANOPY_NETWORK_ID | network_id | None | UUID of the network to scan |
| Name | --name | SCANOPY_NAME | name | scanopy-daemon | Name for this daemon |
| Daemon Mode | --mode | SCANOPY_MODE | mode | daemon_poll | DaemonPoll: Daemon connects to server; works behind NAT/firewall without opening ports. ServerPoll: Server connects to daemon, for deployments where daemon cannot make outbound connections - requires providing Daemon URL |
| Daemon URL | --daemon-url | SCANOPY_DAEMON_URL | daemon_url | Required | Base URL where server can reach daemon |
| Port | --daemon-port | SCANOPY_DAEMON_PORT | daemon_port | 60073 | Port the daemon listens on. |
| Interfaces | --interfaces | SCANOPY_INTERFACES | interfaces | None | Restrict daemon to specific network interface(s). Comma-separated for multiple (e.g., eth0,eth1). Leave empty for all interfaces |
| Bind Address | --bind-address | SCANOPY_BIND_ADDRESS | bind_address | None | IP address to bind daemon to |
| Allow Self-Signed Certificates | --allow-self-signed-certs | SCANOPY_ALLOW_SELF_SIGNED_CERTS | allow_self_signed_certs | false | Allow self-signed certs for daemon -> server connections |
| Accept Invalid Scan Certificates | --accept-invalid-scan-certs | SCANOPY_ACCEPT_INVALID_SCAN_CERTS | accept_invalid_scan_certs | true | Accept invalid TLS certificates when scanning endpoints. Enabled by default since scanners probe arbitrary internal services. |
| Log Level | --log-level | SCANOPY_LOG_LEVEL | log_level | info | Logging verbosity |
| Log File | --log-file | SCANOPY_LOG_FILE | log_file | None | Path to log file. Defaults to platform-specific path. Set to "none" to disable file logging. |
| Heartbeat Interval | --heartbeat-interval | SCANOPY_HEARTBEAT_INTERVAL | heartbeat_interval | 30 | Seconds between heartbeat updates to the server |
Seeding Credentials at Registration
--credential-id / SCANOPY_CREDENTIAL_IDS
Seeds one or more credentials for the daemon to use on its first scan — so it can gather SNMP, Docker, or Podman data before you assign credentials in the UI. Provide credentials as a repeatable --credential-id flag or as a comma-separated SCANOPY_CREDENTIAL_IDS environment variable.
Each entry is a credential ID, optionally targeted at specific IP addresses:
| Form | Applies the credential to |
|---|---|
<uuid> | The whole network (network default — tried on every host the daemon scans). |
<uuid>@<ip> | The host discovered at <ip>. |
<uuid>@<ip>+<ip> | Several specific hosts — join IPs with +. |
To target the daemon's own host — for example a local Docker or Podman socket credential — use its loopback address: <uuid>@127.0.0.1.
# CLI (repeatable)
scanopy-daemon --credential-id [email protected] --credential-id [email protected]
# Environment (comma-separated)
export SCANOPY_CREDENTIAL_IDS="[email protected],[email protected]"After the first scan, seeded credentials are auto-assigned to the matching hosts and used on every subsequent scan.
Seeded credentials are applied only at first registration. If the daemon is already registered, they are ignored and the daemon logs a reminder to manage its credentials in the Scanopy UI instead.
There is no flag for scanning the local Docker or Podman socket. Local sockets are ordinary credentials — create a Docker Socket or Podman Socket credential and, if seeding it here, reference it with the loopback form above.
Deprecated in v0.15.0
The following parameters are deprecated and will be removed in v0.16.0. Use Docker Proxy credentials instead. See the migration guide for steps.
--docker-proxy/SCANOPY_DOCKER_PROXY--docker-proxy-ssl-cert/SCANOPY_DOCKER_PROXY_SSL_CERT--docker-proxy-ssl-key/SCANOPY_DOCKER_PROXY_SSL_KEY--docker-proxy-ssl-chain/SCANOPY_DOCKER_PROXY_SSL_CHAIN
Scan speed settings (--scan-rate-pps, --arp-rate-pps, etc.) configured at the daemon level are no longer used. Scan speed is now configured per-discovery in the Speed tab. See the migration guide.
Concurrent Scans
Controls how many hosts the daemon scans simultaneously during network discovery.
Default behavior: Auto-detected based on system resources
- Calculates based on available memory
- Typical range: 10-20 for most systems
- Adjusts to prevent memory exhaustion
When to set manually:
- System crashes during scans
- Memory errors in logs
- Very large networks (100+ hosts)
- Resource-constrained devices (Raspberry Pi)
Recommended values:
- Raspberry Pi 4 (4GB): 5-10
- Standard desktop: 15-20
- Server: 20-30+
- Low memory: Start with 5, increase gradually
Setting:
# CLI
scanopy-daemon --concurrent-scans 10
# Environment
export SCANOPY_CONCURRENT_SCANS=10
# Docker
environment:
- SCANOPY_CONCURRENT_SCANS=10Symptoms of too high:
- Daemon crashes during scans
- "CONCURRENT_SCANS too high for this system" error
- Out of memory errors
- System becomes unresponsive
Impact:
- Lower value = slower scans, more stable
- Higher value = faster scans, more memory usage
Logging
Output Destination
The daemon logs to stdout and stderr on all platforms. Where those logs end up depends on how you run the daemon.
Log Levels
Set the log level with --log-level or SCANOPY_LOG_LEVEL:
| Level | Description |
|---|---|
error | Errors that prevent normal operation |
warn | Unexpected conditions that don't stop operation |
info | General operational messages (default) |
debug | Detailed diagnostic information |
trace | Very verbose output, including raw network data |
# CLI
scanopy-daemon --log-level debug
# Environment
export SCANOPY_LOG_LEVEL=debugViewing Logs by Platform
Foreground (all platforms): Logs appear directly in the terminal where you started the daemon.
Docker:
docker logs scanopy-daemon
docker logs -f scanopy-daemon # follow/stream logsThe daemon installs as a native service via scanopy-daemon install — see Running as a Service.
Linux (systemd): output goes to the journal.
journalctl -u scanopy-daemon -fmacOS (launchd): the service writes to /var/log/scanopy/scanopy-daemon.out.log; the daemon's own log file is at ~/Library/Logs/scanopy/scanopy-daemon.log.
tail -f /var/log/scanopy/scanopy-daemon.out.logWindows (service): the daemon writes its log file under %ProgramData%\scanopy\.
Get-Content "$env:ProgramData\scanopy\scanopy-daemon.log" -WaitCapturing Logs to a File
When running in the foreground, you can capture logs to a file for sharing with support:
Linux / macOS:
./scanopy-daemon 2>&1 | tee ~/scanopy-daemon.logWindows (PowerShell):
.\scanopy-daemon.exe 2>&1 | Tee-Object -FilePath "$env:USERPROFILE\scanopy-daemon.log"