I have been trying to set up Vault using a docker-compose file. I have three requirements,
I tried these two configuration segments.
```yaml
vault-server:
  image: vault:latest
  ports:
    - "8204:8200"
  environment:
    VAULT_ADDR: "http://0.0.0.0:8204"
    VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
  cap_add:
    - IPC_LOCK
  volumes:
    - ./vault/logs:/vault/logs
    - ./vault/file:/vault/file:rw
```
```yaml
vault_dev:
  hostname: vault
  container_name: vault
  image: vault:latest
  environment:
    VAULT_ADDR: "http://0.0.0.0:8205"
    VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
    VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8205"
  ports:
    - "8205:8200"
  volumes:
    - ./vault/files:/vault/file:rw
  cap_add:
    - IPC_LOCK
  entrypoint: vault server -dev
```
My problems are:
I really don't understand what the difference is between these two configuration segments, or how to achieve steps 1 and 3. For persistence, since it says we need to add a volume, I tried mounting the file path, but the content still vanishes when the container is restarted. Some documents say that in dev mode you can't make it persist and have to run in prod mode, but I am unable to figure out how to modify the vault-server configuration to make it run in prod mode.
I'd appreciate it if someone can help, as I have been going through several links for the past few days and am kind of lost at the moment.
If you look at the Docker Hub page for the vault image, it documents:

> Running the Vault container with no arguments will give you a Vault server in development mode.

> `/vault/file` [is used] for writing persistent storage data when using the `file` data storage plugin. By default nothing is written here (a `dev` server uses an in-memory data store); the `file` data storage backend must be enabled in Vault's configuration before the container is started.

(H/T @ChrisBecke who described this behavior in a comment; it is also in the well-commented Dockerfile.)
Later on that page is a section entitled "Running Vault in Server Mode for Development". The key point here is that you need to explicitly provide a command, `vault server`, to cause it to not start up in dev mode.

@HansKilian's answer on port setup is also important here. Incorporating that answer's simplifications and the need to explicitly run `vault server` without `-dev`, you should get something like:
```yaml
version: '3.8' # most recent stable Compose file format
services:
  vault:
    image: vault:1.12.2
    command: server  # the image's default command is "server -dev"; "server" alone runs outside dev mode
    environment:
      VAULT_LOCAL_CONFIG: >-
        {
          "storage": {
            "file": {"path": "/vault/file"}
          },
          "listener": [{
            "tcp": {
              "address": "0.0.0.0:8200",
              "tls_disable": true
            }
          }],
          "default_lease_ttl": "168h",
          "max_lease_ttl": "720h",
          "ui": true
        }
    ports:
      - "8204:8200"
    cap_add:
      - IPC_LOCK
    volumes:
      - vault_file:/vault/file:rw
volumes:
  vault_file:
```
The JSON block is copied from the documentation, which also notes:

> Disabling TLS and using the `file` storage backend are not recommended for production use.
The underlying Vault storage can't be usefully accessed from the host (if nothing else, it is encrypted) and I've chosen to store it in a named Docker volume instead.
Since this is not running in dev mode, you will need to go through the steps of initializing Vault, which will give you a set of critical credentials, and then you'll need to create user identities and add credentials to Vault. It sounds like you're not looking for a fully-automated setup here, so be aware that there are some manual steps involved with some "no really don't lose these keys" output.