Running HashiCorp Vault in development mode is really easy, but starting Vault in server mode in a Docker container needs a few extra steps, which are described in this article.
There are several simple steps, which are hard to find in one place, to run HashiCorp Vault in server mode under Docker:
- Prepare the directories to map into the Docker container. The data in these directories is preserved and will not be deleted when the container is deleted.
- Prepare an initial base configuration to start the server. Without it, the server will not start up, even though the configuration is really simple.
- Start the HashiCorp Vault process in a Docker container.
- Initialize the vault. During this step the server creates the storage backend (file, in-memory or cloud backends) and generates 5 unseal keys and an administrative root token. An administrative user is required to manage the vault.
- Unseal the vault. Decrypt the storage backend so the service can be used, which takes at least three commands with three different unseal keys generated during the initialization step.
- Log in with the administrative user and enable a vault engine to store values (or generate tokens, passwords, and so on). The example here enables the secrets engine for a key:value store. Check out the secrets engines – https://www.vaultproject.io/docs/secrets
STEP 1) Summary of the mapped directories in the docker
Three directories are preserved:
- /vault/config – contains configuration files in HCL or JSON format.
- /vault/data – the place where the encrypted database files are kept, but only if a file-based storage engine such as “file” or “raft” is used. More information here – https://www.vaultproject.io/docs/configuration/storage
- /vault/log – where persistent audit logs are written. This feature must be enabled explicitly in the configuration.
The base directory used is /srv/vault/. The three directories are created as follows and will be mapped into the Docker container:
mkdir -p /srv/vault/config /srv/vault/data /srv/vault/log
chmod 777 /srv/vault/data
The host directory /srv/vault/config is mapped to the container directory /vault/config, and the other two directories likewise. The chmod is needed because the Vault process in the official image runs as an unprivileged user that must be able to write the data directory; making that user the owner of /srv/vault/data is a less permissive alternative to mode 777.
STEP 2) Initial base configuration
The initial configuration file is placed in /vault/config/config.hcl and uses the HCL format – https://github.com/hashicorp/hcl. The initial configuration is minimal:
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
disable_mlock = true
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
Place the file in /srv/vault/config/config.hcl. Note that with tls_disable = 1 the API is served over plain HTTP, and because the listener is bound to 127.0.0.1 it is reachable only from inside the container (for example with docker exec), not from the host.
STEP 3) Start the Hashicorp vault server in docker
The command maps the three directories:
root@srv ~ # docker run --cap-add=IPC_LOCK -v /srv/vault/config:/vault/config -v /srv/vault/data:/vault/data -v /srv/vault/logs:/vault/logs --name=srv-vault vault server
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.14.7
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: raft (HA available)
                 Version: Vault v1.5.3
             Version Sha: 9fcd81405feb320390b9d71e15a691c3bc1daeef

==> Vault server started! Log data will stream in below:
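Steps 4 and 5 from the overview (initialize, then unseal with three of the five key shares) can be scripted against the container started above. This is an added example, not code from the article; it assumes the container name srv-vault from the docker run command, the 5-share / 3-threshold scheme, and /srv/vault/init-output.txt as an assumed place to keep the captured init output.

```shell
#!/bin/sh
# Added example (not from the article): initialize the vault started above,
# then unseal it with 3 of the 5 key shares. Assumes the container name
# srv-vault; INIT_FILE is an assumed location for the captured init output.
set -eu

CONTAINER="${CONTAINER:-srv-vault}"
KEY_SHARES=5
KEY_THRESHOLD=3
INIT_FILE="${INIT_FILE:-/srv/vault/init-output.txt}"

# Run the vault CLI inside the container: the listener is bound to 127.0.0.1
# inside the container, and VAULT_ADDR must be http:// because tls_disable = 1.
vault_cli() {
  docker exec -e VAULT_ADDR=http://127.0.0.1:8200 "$CONTAINER" vault "$@"
}

# Keep only the share from each "Unseal Key N: <share>" line of the text
# output of `vault operator init`, one per line, in share order.
extract_unseal_keys() { sed -n 's/^Unseal Key [0-9][0-9]*: *//p'; }

# Keep only the token from the "Initial Root Token: <token>" line.
extract_root_token() { sed -n 's/^Initial Root Token: *//p'; }

# Fail unless stdin carries exactly $1 shares, so a truncated or mangled
# capture is caught before any share is handed back to vault.
check_key_count() {
  n=$(extract_unseal_keys | wc -l | tr -d ' ')
  [ "$n" -eq "$1" ]
}
# The first $1 shares; unsealing needs KEY_THRESHOLD distinct ones.
threshold_keys() { head -n "$1"; }

main() {
  umask 077   # the init output holds the shares and root token: owner-only file
  vault_cli operator init -key-shares="$KEY_SHARES" \
    -key-threshold="$KEY_THRESHOLD" > "$INIT_FILE"
  check_key_count "$KEY_SHARES" < "$INIT_FILE"
  extract_unseal_keys < "$INIT_FILE" | threshold_keys "$KEY_THRESHOLD" |
    while read -r share; do
      vault_cli operator unseal "$share" > /dev/null
    done
  vault_cli status   # exit code 0 only once unsealed (2 while still sealed)
  echo "Unsealed. Root token kept in $INIT_FILE; log in with: vault login <token>"
}

# Runs only as `sh init-unseal.sh run`, so the helpers can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

The init output file is the only copy of the shares and root token, so move the shares to their holders and remove the file once the vault is unsealed and a proper login method is configured.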