Deploy an Orchestrator
An orchestrator is the engine that runs your agents. The Docker orchestrator runs agents as containers on your own infrastructure, locally alongside your brokers, so the agents sit close to the data they act on. It requires Docker on the host.
The orchestrator is outbound-only: it connects out to the HiveMQ Platform to receive its agents and report health. The HiveMQ Platform never calls into your infrastructure.
Add and Enroll an Orchestrator
You enroll an orchestrator either from a network’s Orchestrators section or as part of the deploy wizard when you choose a new or not-yet-enrolled orchestrator. Both paths use the same enrollment flow.
Add and enroll an Orchestrator from a network:
-
Open the Act tab, then Networks, and select your network.
-
In the Orchestrators section, click Add orchestrator.
-
Enter a Name for the orchestrator, then continue to Connect your orchestrator.
-
Click Copy command, then run the Docker enrollment command on the host where you want the orchestrator to run.
-
Wait while the page shows Waiting for first heartbeat…. The orchestrator must connect before you can finish.
The enrollment command carries a short-lived registration token. The page shows a token-expiry countdown and a Regenerate token button if the token expires before the orchestrator connects.
How Enrollment Works
When you run the command, the orchestrator connects to the HiveMQ Platform and generates its own certificates during registration. It then persists them so it can reconnect on later restarts without re-enrolling. You do not download, place, or manage any certificate files. Registration handles them for you.
The Orchestrator Detail Page
Open an orchestrator from its network’s Orchestrators section. The header shows the orchestrator’s name, type, network, status, communication, and labels.
Header actions:
-
Show enrollment instructions: Re-displays the Docker enrollment command, the same one shown during the wizard. Use this action to re-run enrollment on a host.
-
Edit: Change the orchestrator’s Name and Labels (for example
env=prod).
Sections:
-
Health & Performance: The orchestrator’s live operational metrics:
Metric What it Shows Status
The orchestrator’s overall health, for example
Healthy.Uptime
The percentage of time the orchestrator has stayed connected and checking in.
Avg CPU
Average CPU usage on the orchestrator, as a percentage.
Avg Memory
Average memory usage on the orchestrator, as a percentage.
Last Seen
When the orchestrator last checked in with the HiveMQ Platform.
CPU and memory are reported for the orchestrator (the engine that runs your agents), not for individual agents. There is no per-agent CPU or memory metric. -
Agents: A table of the agents running on this orchestrator (Name, Started, Status). Select a row to open the agent.
The Delete orchestrator button is at the bottom. Unlike a network, you can delete an orchestrator directly through an enabled confirmation. The dialog warns that after removal, the platform no longer manages any agents deployed on the orchestrator.
Reference: Running the Docker Orchestrator
The enrollment wizard fills the values below into the docker run command for you. Copy the command from the wizard rather than assembling it by hand. It already contains the correct Platform URL and a single-use registration token.
docker run -d \
--name hivemq-agentic-orchestrator \
-v /var/run/docker.sock:/var/run/docker.sock \
-v hivemq-agentic-orch-state:/var/lib/hivemq-agentic \
-e CONTROL_PLANE_URL=https://<your-platform-url> \
-e HIVEMQ_AGENTIC_REGISTRATION_TOKEN=<token-from-wizard> \
ghcr.io/hivemq/hivemq-agentic-orch-docker:latest \
orchestrator
The orchestrator argument starts the Docker orchestrator in fleet-management mode.
Environment Variables
| Variable | Required | Description |
|---|---|---|
|
Yes |
URL of the HiveMQ Platform the orchestrator connects to. |
|
First boot |
Single-use registration token from the enrollment wizard. Not required on later restarts once the state directory is populated. |
|
No |
Path to the persistent state directory (default |
Docker Socket Requirement
The orchestrator creates and removes agent containers through the Docker Engine API, so it needs access to the Docker socket:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
| Platform | Socket path |
|---|---|
Linux |
|
macOS (Docker Desktop) |
|
Windows |
|
On Linux, the user that runs the orchestrator must be in the docker group, or the container must run as root.
Supply LLM Keys and Secrets to Agents
Templates do not store LLM (large language model) API keys and similar secrets. Prefix them with AGENT_ on the orchestrator, and the orchestrator forwards them into each agent container with the prefix stripped. For example, the orchestrator delivers AGENT_OPENROUTER_API_KEY to the agent as OPENROUTER_API_KEY:
docker run -d \
--name hivemq-agentic-orchestrator \
-e AGENT_OPENROUTER_API_KEY="$OPENROUTER_API_KEY" \
-e AGENT_ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
# ... plus the volume, socket, CONTROL_PLANE_URL, and token flags above
ghcr.io/hivemq/hivemq-agentic-orch-docker:latest \
orchestrator
You can also supply per-deployment values through network tools or template parameters at deploy time.
Next Steps
-
Deploy an Agent: Run an agent on this orchestrator.
-
Create a Network: The network an orchestrator belongs to.
-
Monitor Agent Health: Keep an eye on the agents an orchestrator runs.