Keep state after Docker Vault restart


lapwat

Apr 11, 2019, 6:51:22 AM
to Vault
Hello,

The goal I want to achieve is to keep Vault state (secrets, aws creds, ...) after a Vault restart.

Right now I can successfully start the Docker container and use it:
docker run -d --name vault -e VAULT_DEV_ROOT_TOKEN_ID=myroot -e VAULT_LOCAL_CONFIG='{"backend":{"file":{"path":"/vault/file"}}}' -v "$PWD"/file:/vault/file -p 8200:8200 --cap-add=IPC_LOCK vault

But if I restart my machine and (re)start the container
docker start vault

I run into this error:
Error initializing Dev mode: Vault is already initialized

So I have to start a new container and go into Vault configuration again (secrets, aws creds, ...)...

Do you have ideas or best practices?

Cheers,
lapwat

Alexander Rykalin

Apr 11, 2019, 7:05:21 AM
to Vault
Hi, actually you're already keeping the state. You store it in the directory and it is mounted into "$PWD"/file on your PC. This error means that your Vault was already initialized with the Vault init command and you can't run init again. Try just running "vault operator unseal" instead of "vault operator init" when you restart the container.


On Thursday, April 11, 2019, 13:51:22 UTC+3, lapwat wrote:

lapwat

Apr 11, 2019, 7:20:40 AM
to Vault
Yes exactly, I don't know how to run "docker start vault" while skipping the initialization step. I don't have access to the vault command outside of the container.

Alexander Rykalin

Apr 11, 2019, 8:32:23 AM
to Vault
Oh, I see, it is because you're starting Vault in dev mode. Try starting it in server mode:
docker run -d --name vault -e VAULT_DEV_ROOT_TOKEN_ID=myroot -e VAULT_LOCAL_CONFIG='{"backend":{"file":{"path":"/vault/file"}}}' -v "$PWD"/file:/vault/file -p 8200:8200 --cap-add=IPC_LOCK vault server

After that you'll need to initialize it - https://www.vaultproject.io/docs/commands/operator/init.html

On Thursday, April 11, 2019, 14:20:40 UTC+3, lapwat wrote:

Quentin Lapointe

Apr 16, 2019, 4:26:17 AM
to Vault
As I understand, the Vault can only be initialized once, but can be unsealed any number of times.

How do we manage to have a proper development environment if we lose all our secrets each time we stop the Docker instance?

I have read somewhere that the production Vault server should be used in development environment and that the development Vault server is only for the Vault team.

Thank you for your help.
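A restart-safe bootstrap script that ties together the server-mode "docker run" from Alexander's reply and the initialize-once, unseal-on-every-start rule Quentin summarizes, so the file backend in ./file survives "docker start". This is an added example, not code from the thread or from the Vault project; it assumes the container is named "vault", the API is reachable on http://127.0.0.1:8200, curl is available on the host, a TLS-disabled listener is added to the local config, and the single unseal key of a development instance is kept in ./vault-init.json (a constructed path).

```shell
#!/bin/sh
# Added example, not from the thread. Starts the Vault container in server
# mode (not dev mode), initializes it only on the very first start and unseals
# it on every later start, so the state persisted in ./file is reused.
# Assumptions (constructed): container "vault", host port 8200, curl on the
# host, one unseal key stored in ./vault-init.json for a development setup.
set -eu
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
INIT_FILE="${INIT_FILE:-./vault-init.json}"
CONFIG='{"backend":{"file":{"path":"/vault/file"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}}'

# Map a /v1/sys/health JSON body to the next step: init, unseal or ready.
vault_next_action() {
    body=$(printf '%s' "$1" | tr -d ' \n\t')
    case "$body" in
        *'"initialized":false'*) echo init ;;
        *'"sealed":true'*)       echo unseal ;;
        *)                       echo ready ;;
    esac
}

# Extract the first unseal key from "vault operator init -format=json" output.
unseal_key_from_init() {
    tr -d ' \n\t' < "$1" | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p'
}

# Run the vault CLI inside the container (the CLI is not installed on the host).
vcli() { docker exec -e VAULT_ADDR=http://127.0.0.1:8200 vault vault "$@"; }

main() {
    if docker container inspect vault >/dev/null 2>&1; then
        docker start vault            # existing container: state is in ./file
    else
        docker run -d --name vault -e VAULT_LOCAL_CONFIG="$CONFIG" \
            -v "$PWD"/file:/vault/file -p 8200:8200 --cap-add=IPC_LOCK vault server
    fi
    until curl -s -o /dev/null "$VAULT_ADDR/v1/sys/health"; do sleep 1; done
    case "$(vault_next_action "$(curl -s "$VAULT_ADDR/v1/sys/health")")" in
        init)   # first start only; one share/threshold keeps the dev setup simple
                vcli operator init -key-shares=1 -key-threshold=1 -format=json > "$INIT_FILE"
                vcli operator unseal "$(unseal_key_from_init "$INIT_FILE")" ;;
        unseal) vcli operator unseal "$(unseal_key_from_init "$INIT_FILE")" ;;
        ready)  echo "vault is initialized and unsealed" ;;
    esac
}

# Only run the bootstrap when invoked as: sh bootstrap.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The root token from the init output is what you log in with after the first start; the "docker restart" case skips init entirely because the health endpoint reports the instance as already initialized.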