Using official Docker container


Tim Bell

Jul 17, 2018, 7:38:58 PM
to Vault
Hi,

I've been using Vault for a while, but installed from the zip file. I'm now considering switching to a Docker deployment, so I've been trying out the official Vault container, following the docs at https://hub.docker.com/_/vault/.

I'm not very experienced with Docker, so I may be doing something wrong; but things don't seem to work the way the docs suggest they should.

$ docker run --cap-add=IPC_LOCK -d --name=dev-vault vault
Unable to find image 'vault:latest' locally
latest: Pulling from library/vault
911c6d0c7995: Pull complete 
118d396818d8: Pull complete 
9e22bb68ced7: Pull complete 
05617e4314c6: Pull complete 
ce9fd536dbf3: Pull complete 
Digest: sha256:af586d7f0ceb5b278673ef655bb688d299b031d07abbe157542011eeda48013e
Status: Downloaded newer image for vault:latest
8fc2302b86142bb0da1841738ee077b81f5fd1c577b9d7b82e4e11424a40a1b9

That's all fine.

The docs say:

The provided entry point script will also look for Vault subcommands and run vault with that subcommand. For example, you can execute docker run vault status and it will run the vault status command inside the container.

Let's try that:

$ docker run vault status
Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused

Does it need --cap-add again? Let's try that:

$ docker run --cap-add=IPC_LOCK vault status
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused

So while it looks like vault status is being run, it's not connecting to the running Vault process. Do I need to do something to allow one Docker container to access another container? I suspect yes, but the Vault docs I'm following don't mention it.

What about not trying to use the entry point script, but executing commands directly inside the container currently running Vault?

$ docker exec dev-vault vault status
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: http: server gave HTTP response to HTTPS client

Ah, that looks better. It's defaulted to HTTPS, but we can fix that:

$ docker exec -e VAULT_ADDR='http://127.0.0.1:8200' dev-vault vault status
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    1
Threshold       1
Version         0.10.3
Cluster Name    vault-cluster-3d43f1ae
Cluster ID      afb2f2c8-cf88-c13e-acb1-da7cef205b4b
HA Enabled      false

Finally that looks like what I'm expecting to see from Vault.

As I said, it may be my unfamiliarity with Docker that's the problem; but just trying to follow along the Vault docs has been a bit frustrating, and I wonder whether other people have similar issues. Are there any other resources people can recommend for getting started with Vault using Docker? Or any other tips?

Thanks,

Tim

Justin DynamicD

Jul 20, 2018, 5:14:28 PM
to Vault

Torsten Reinhard

Jul 26, 2018, 6:57:50 AM
to Vault
Hi Tim,

I'm currently running into similar issues, and there seems to be no more documentation available (except the docs you mentioned).

What I was missing:
- a link from the "Getting started" page to the Docker-based setup. Only the default way (extracting the files) is described.
- any short tutorial or a sample like
  docker run -p 8200:8200 \
         --name .... \
         --hostname ... \
         volume .... \
         vault server
  to get it running out of the box.
- a sample configuration. As I understood it, the Docker-based Vault doesn't support passing -config=/path/to/config.hcl - right?
- a tutorial on how to migrate from the "classic" setup to the Docker-based setup

Additionally, I'm currently having problems getting vault started properly. It takes 3-5 attempts; most of the time it fails with a
su-exec ....vault Text file busy error.

- there's also no hint about that problem in the docs.

Let's probably use this discussion here to post our final solution, and maybe someone will pick up the ideas to complete the documentation and tutorials for the next releases.

Thx, Torsten

Tim Bell

Jul 26, 2018, 6:31:34 PM
to Vault
Hi Torsten,

You're asking more questions which I haven't found answers for yet, but at least I can now answer my original questions, and as you suggest, make the info available to improve the documentation.

So, the first thing to address is making Vault available from outside the container it's running in, which is what you'd typically want. As you wrote, we need to add -p 8200:8200 to expose the port:

$ docker run --cap-add=IPC_LOCK -d -p 8200:8200 --name=dev-vault vault
4f10bc70af8121a9295e5b9f7ecf212fffb9718d7967a6531918ce668d73f00a

Now, find out what IP address the container is using:

$ docker inspect dev-vault | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.18.0.3",
                    "IPAddress": "172.18.0.3",

Now we can start another vault container and use the documented entry point to demonstrate that vault is actually accessible from outside the container:

$ docker run --cap-add=IPC_LOCK -e VAULT_ADDR='http://172.18.0.3:8200' vault status
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    1
Threshold       1
Version         0.10.3
Cluster Name    vault-cluster-cef12344
Cluster ID      6f460a9e-2908-20ed-3ba6-792cdecaeb6e
HA Enabled      false

Previously, I had used docker exec to run vault status, which ran within the same container.

Next I'll be looking into some of the other issues you raised, like specifying a config file, and migrating from my previous setup.

Cheers,

Tim
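The sequence Tim arrives at above, scripted as an added example (not code from this thread or from the Vault project), with a readiness check against the /v1/sys/seal-status endpoint that the error messages in the thread refer to. It assumes docker and curl are installed on the host and reuses the container name dev-vault and port 8200 from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp: start the dev
# server with its port published, derive VAULT_ADDR from the container IP,
# wait for the listener, then check status from a second container.
set -eu

# Pull the first "IPAddress" value out of `docker inspect` output read on
# stdin; same idea as the grep in the thread, but returns the bare address.
container_ip() {
    sed -n 's/.*"IPAddress": "\([0-9.][0-9.]*\)".*/\1/p' | head -n 1
}

# Dev mode listens on plain HTTP, so the address must say http://; the CLI's
# https default is what produced "HTTP response to HTTPS client" above.
vault_addr_for() {
    printf 'http://%s:8200' "$1"
}

# Extract the "sealed" flag from a /v1/sys/seal-status JSON body on stdin.
sealed_flag() {
    sed -n 's/.*"sealed":[ ]*\([a-z]*\).*/\1/p'
}

# Poll seal-status until the listener answers (up to 10 tries, 1 s apart);
# prints "true"/"false" on success, returns 1 on timeout.
wait_for_vault() {
    addr=$1
    i=0
    while [ "$i" -lt 10 ]; do
        if body=$(curl -s -f "$addr/v1/sys/seal-status"); then
            printf '%s\n' "$body" | sealed_flag
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

main() {
    docker run --cap-add=IPC_LOCK -d -p 8200:8200 --name=dev-vault vault >/dev/null
    ip=$(docker inspect dev-vault | container_ip)
    addr=$(vault_addr_for "$ip")
    sealed=$(wait_for_vault "$addr")   # exits under set -e on timeout
    echo "sealed: $sealed"
    # A second container has its own loopback, so it needs the server's address.
    docker run --rm --cap-add=IPC_LOCK -e VAULT_ADDR="$addr" vault status
}
# Run the docker steps only when invoked with "run", so the helpers can be sourced.
if [ "${1:-}" = run ]; then main; fi
```

On a user-defined Docker network (docker network create ...) the server container's name resolves by DNS, so VAULT_ADDR=http://dev-vault:8200 works from the second container without the inspect step.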