Cannot connect to vault server running within Docker container


Alexei Ledenev

Jul 21, 2015, 10:27:24 AM
to vault...@googlegroups.com
I'm running Vault 0.2.0 in a Docker container (with Boot2Docker) on OS X. The Vault client and API work inside the container, but when I try to access the API or use a remote client (with the "-address" parameter), I always get a "connection refused" error. I'm running Docker with the following command: "docker run -d --name vault -p 8200:8200 <any docker image> server -dev" (it also does not work with the etcd and consul backends).

Armon Dadgar

Jul 21, 2015, 10:37:29 AM
to vault...@googlegroups.com
Alexei,

The server in "-dev" mode binds to 127.0.0.1, so the listener is just not accepting any traffic from outside the container. You need to either bind to the host networking or configure the server to listen for incoming connections on IPs other than loopback. Hope that helps!

Best Regards,

Armon Dadgar

Sent from my iPhone

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/6abea87c-8c14-41a7-b0e7-7f100d10a32e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alexei Ledenev

Jul 21, 2015, 10:52:05 AM
to vault...@googlegroups.com
I am also trying to run Vault with the etcd backend, running in another Docker container. etcd works as expected and I can connect to it from my machine (through port forwarding) using both the API and the etcdctl tool. I pass the etcd server address to the Vault container and update the configuration file with the right IP. I still get the same "connection refused" error when connecting to Vault.

Alexei Ledenev

Jul 21, 2015, 10:54:37 AM
to vault...@googlegroups.com
Here is my etcd configuration file. Can you please take a look and point out the wrong setting? Note: __ETCD_ADDR__ is replaced with sed before Vault is started.

---------
backend "etcd" {
  address = "__ETCD_ADDR__"
  path = "vault"
  advertise_addr = "http://127.0.0.1"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

disable_mlock = true

---------

Alexei Ledenev

Jul 21, 2015, 11:07:50 AM
to vault...@googlegroups.com
Changing the listener "tcp" address to 0.0.0.0:8200 fixed the access issue.
Is it possible to allow remote access to "-dev" mode too?
Thank you.

Armon Dadgar

Jul 21, 2015, 1:02:52 PM
to vault...@googlegroups.com, Alexei Ledenev
Alexei,

We purposely use loopback for the dev mode to ensure that it is really only
ever used for development. It’s an extra barrier against an “oops” moment.
It’s fairly easy to simulate that mode, you just use the “inmem” backend and
configure the listener as you have done.

Best Regards,
Armon Dadgar
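
A way to confirm the cause discussed in this thread from inside the container, as an added example that is not part of the original messages or of Vault: it parses `/proc/net/tcp` (IPv4 only) and reports whether the listener on port 8200 is bound to loopback only, which is why a port published with `-p 8200:8200` is refused. The function names and the sample rows are constructed for illustration.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

# Constructed samples (not captured from a real host): one LISTEN socket on
# port 8200 (0x2008), bound to 127.0.0.1 and to 0.0.0.0 respectively.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
SAMPLE_LOOPBACK = HEADER + "   0: 0100007F:2008 00000000:0000 0A 00000000:00000000\n"
SAMPLE_WILDCARD = HEADER + "   0: 00000000:2008 00000000:0000 0A 00000000:00000000\n"


def decode_addr(field):
    """Turn '0100007F:2008' into ('127.0.0.1', 8200)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the IPv4 address as a host-order 32-bit word;
    # this assumes a little-endian machine (x86, most ARM).
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listen_addrs(proc_net_tcp, port):
    """Return the IPv4 addresses with a LISTEN socket on `port`."""
    addrs = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue
        ip, p = decode_addr(cols[1])
        if p == port:
            addrs.append(ip)
    return addrs


def diagnose(proc_net_tcp, port=8200):
    """Classify why a published container port would or would not answer."""
    addrs = listen_addrs(proc_net_tcp, port)
    if not addrs:
        return "no-listener"
    if all(ipaddress.ip_address(a).is_loopback for a in addrs):
        return "loopback-only"  # traffic forwarded by `-p` is refused
    return "reachable"  # bound to 0.0.0.0 or a container interface


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # run inside the container
            print(diagnose(fh.read()))
    except FileNotFoundError:
        print(diagnose(SAMPLE_LOOPBACK), diagnose(SAMPLE_WILDCARD))
```

A "reachable" result with `tls_disable = 1`, as in the configuration posted above, means the API is served in plaintext on every interface the container has.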