Setting Up Coolify on an Oracle Cloud ARM Instance

// published 19 May 2024

Oracle's Always Free ARM instance (4 OCPUs, 24 GB RAM) is a great host for Coolify, a self-hosted platform-as-a-service. There are two Oracle-specific gotchas before the standard Coolify install will work: root login is disabled by default, and Oracle Cloud has a two-layer firewall that blocks all incoming traffic.

1. Enable Root Login

Oracle ARM instances provision with a default user (usually ubuntu or opc) and root login disabled. Coolify's installer expects root SSH access.

SSH in as your default user, then:

sudo su -

Edit the SSH daemon config:

nano /etc/ssh/sshd_config

Find PermitRootLogin and set it to:

PermitRootLogin without-password

Restart SSH:

service sshd restart

Add your SSH public key to root's authorized keys:

mkdir -p /root/.ssh
nano /root/.ssh/authorized_keys
# paste your public key

You can now SSH in as root using key authentication. With this PermitRootLogin setting, password logins for root stay refused.

Alternative: Non-Root User (Experimental)

If you prefer not to enable root login, Coolify supports a non-root user with sudo. This is marked experimental — blanket passwordless sudo is granted for now, with more granular permissions planned for the future.

Grant the user passwordless sudo by editing /etc/sudoers:

visudo

Add this line (replace with your username):

your-user ALL=(ALL) NOPASSWD: ALL

Then configure Coolify to connect via this user with the server's SSH key.

2. Open the Firewall

Oracle Cloud has two independent firewall layers, both of which block traffic by default. You need to open ports in both.

Layer 1: Oracle Security List (Console)

In the Oracle Cloud Console, go to: Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List

Add Ingress Rules for each required port (protocol: TCP, source: 0.0.0.0/0):

Port    Purpose
22      SSH
80      HTTP / SSL certificate generation
443     HTTPS
8000    Coolify dashboard (HTTP)
6001    Coolify real-time communications
6002    Coolify terminal access (v4.0.0-beta.336+)

Once you have a custom domain pointing at your server and Coolify's reverse proxy (Traefik or Caddy) configured, you can close ports 8000, 6001, and 6002 and access the dashboard via HTTPS on 443.

Layer 2: OS-Level Firewall (iptables)

Oracle Linux and Ubuntu images ship with iptables rules that block incoming traffic independently of the Security List. You need to allow the same ports at the OS level.

On Ubuntu:

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 6001 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 6002 -j ACCEPT

Make the rules persistent:

sudo apt install iptables-persistent -y
sudo netfilter-persistent save

On Oracle Linux:

sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=8000/tcp
sudo firewall-cmd --permanent --add-port=6001/tcp
sudo firewall-cmd --permanent --add-port=6002/tcp
sudo firewall-cmd --reload

Docker and UFW: Docker bypasses UFW by writing iptables rules directly via NAT. If you intend to restrict access to deployed apps using UFW, use ufw-docker to bridge the two. For Coolify itself, the Oracle Console Security List is the more reliable place to manage access.
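
To verify the Ubuntu rules from Layer 2, the following added example (not from the original post or the Coolify project) parses `iptables -S INPUT` output and reports which ports from the table are actually accepted by the INPUT chain, including an ACCEPT that sits below a catch-all REJECT and therefore never matches. The function names, the `setup`/`hardened` phase labels and the sample ruleset are constructed for illustration.

```shell
# Added example: check `iptables -S INPUT` output against the port table above.
KEEP_PORTS="22 80 443"        # stay open permanently
TEMP_PORTS="8000 6001 6002"   # close once the dashboard is served on 443

# port_state PORT: reads `iptables -S INPUT` text on stdin; prints "open" (TCP
# ACCEPT above any catch-all REJECT/DROP), "shadowed" (ACCEPT only below the
# catch-all, so it never matches) or "closed" (no ACCEPT for PORT).
port_state() {
  awk -v port="$1" '
    $1 != "-A" || $2 != "INPUT" { next }   # skip "-P INPUT ..." policy lines
    {
      target = ""; dport = ""; proto = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
      }
      # No match options ("-A INPUT -j REJECT ...") means it catches everything.
      if ($3 == "-j" && (target == "REJECT" || target == "DROP")) { blocked = 1; next }
      if (proto == "tcp" && dport == port && target == "ACCEPT") {
        if (blocked) { late = 1 } else { found = 1; print "open"; exit }
      }
    }
    END { if (!found) print (late ? "shadowed" : "closed") }'
}

# audit RULES PHASE: PHASE is "setup" (all six ports open) or "hardened"
# (TEMP_PORTS closed). Prints one finding per line; returns 1 if any.
audit() {
  local rules="$1" phase="$2" port state want rc=0
  for port in $KEEP_PORTS $TEMP_PORTS; do
    want=open
    case " $TEMP_PORTS " in *" $port "*) [ "$phase" = hardened ] && want=closed ;; esac
    state=$(printf '%s\n' "$rules" | port_state "$port")
    [ "$state" = shadowed ] && [ "$want" = closed ] && continue
    [ "$state" = "$want" ] || { echo "port $port: $state, expected $want"; rc=1; }
  done
  return $rc
}
# Constructed sample: port 80 was added with -A and sits below the catch-all REJECT.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 6002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
audit "$SAMPLE_RULES" setup || true
```

On a live host, pass the real rules with `audit "$(sudo iptables -S INPUT)" hardened`. This inspects the INPUT chain only; ports published by Docker are governed by Docker's own chains, as noted above.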

3. Install Coolify

With root SSH access and both firewall layers open, install Coolify using the official one-liner:

curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash

Once the install finishes, the dashboard is available at http://<your-instance-ip>:8000.

4. Post-Install

  • Custom domain: Point a domain at your instance IP, configure it in Coolify under Settings, and Coolify will provision a Let's Encrypt certificate automatically. After that you can close ports 8000, 6001, and 6002 in the Oracle Security List.
  • SSH key for remote servers: If you want to add your ARM instance as a remote server to a separate Coolify instance (rather than running Coolify on it directly), only ports 22, 80, and 443 need to be open.
