Help with Vault dockerfile


Praneeth Cy

Jun 6, 2018, 9:51:22 AM
to Vault
Hi All,

How do I force Vault (v 0.10.1) server docker container running in dev mode to use version 1 of kv secret engine instead of the default version 2 that it gets kicked off with?

dockerfile:

FROM vault

CMD echo "hello" && \
vault server -dev -dev-listen-address=0.0.0.0:8200 -dev-root-token-id=topsecret && \
echo "hello 2" && \
vault secrets disable secret && \
vault secrets enable -version=1 -path=secret

docker-compose.yml:

vault:
  build:
    context: ./vault
  image: "vault"
  environment:
    http_proxy: ${http_proxy}
    https_proxy: ${https_proxy}
    no_proxy: ${no_proxy}
  ports:
    - "8200:8200"
  cap_add:
    - IPC_LOCK


It looks like only the command 'server -dev -dev-listen-address=0.0.0.0:8200 -dev-root-token-id=topsecret' and the ones prior to it (echo "hello") are getting executed, but not the ones following it.


log file:
----------------------------------------------------------------------------------------------------------------
hello
==> Vault server configuration:

             Api Address: http://0.0.0.0:8200
                     Cgo: disabled
         Cluster Address: https://0.0.0.0:8201
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v0.10.1
             Version Sha: 756fdc4587350daf1c65b93647b2cc31a6f119cd

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: p0OAkNygQpx47+zcCNZKR50JXYYyMNK4RL/oLQArBrk=
Root Token: topsecret

Development mode should NOT be used in production installations!

==> Vault server started! Log data will stream in below:

2018-06-06T12:37:41.894Z [INFO ] core: security barrier not initialized
2018-06-06T12:37:41.894Z [INFO ] core: security barrier initialized: shares=1 threshold=1
2018-06-06T12:37:41.895Z [INFO ] core: post-unseal setup starting
2018-06-06T12:37:41.908Z [INFO ] core: loaded wrapping token key
2018-06-06T12:37:41.908Z [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018-06-06T12:37:41.908Z [INFO ] core: no mounts; adding default mount table
2018-06-06T12:37:41.909Z [INFO ] core: successfully mounted backend: type=kv path=secret/
2018-06-06T12:37:41.909Z [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018-06-06T12:37:41.909Z [INFO ] core: successfully mounted backend: type=system path=sys/
2018-06-06T12:37:41.909Z [INFO ] core: successfully mounted backend: type=identity path=identity/
2018-06-06T12:37:41.911Z [INFO ] core: restoring leases
2018-06-06T12:37:41.911Z [INFO ] rollback: starting rollback manager
2018-06-06T12:37:41.912Z [INFO ] expiration: lease restore complete
2018-06-06T12:37:41.912Z [INFO ] identity: entities restored
2018-06-06T12:37:41.912Z [INFO ] identity: groups restored
2018-06-06T12:37:41.912Z [INFO ] core: post-unseal setup complete
2018-06-06T12:37:41.913Z [INFO ] core: root token generated
2018-06-06T12:37:41.913Z [INFO ] core: pre-seal teardown starting
2018-06-06T12:37:41.913Z [INFO ] core: cluster listeners not running
2018-06-06T12:37:41.913Z [INFO ] rollback: stopping rollback manager
2018-06-06T12:37:41.913Z [INFO ] core: pre-seal teardown complete
2018-06-06T12:37:41.913Z [INFO ] core: vault is unsealed
2018-06-06T12:37:41.913Z [INFO ] core: post-unseal setup starting
2018-06-06T12:37:41.913Z [INFO ] core: loaded wrapping token key
2018-06-06T12:37:41.913Z [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018-06-06T12:37:41.913Z [INFO ] core: successfully mounted backend: type=kv path=secret/
2018-06-06T12:37:41.913Z [INFO ] core: successfully mounted backend: type=system path=sys/
2018-06-06T12:37:41.913Z [INFO ] core: successfully mounted backend: type=identity path=identity/
2018-06-06T12:37:41.913Z [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018-06-06T12:37:41.914Z [INFO ] core: restoring leases
2018-06-06T12:37:41.914Z [INFO ] rollback: starting rollback manager
2018-06-06T12:37:41.914Z [INFO ] identity: entities restored
2018-06-06T12:37:41.914Z [INFO ] identity: groups restored
2018-06-06T12:37:41.914Z [INFO ] core: post-unseal setup complete
2018-06-06T12:37:41.914Z [INFO ] expiration: lease restore complete
2018-06-06T12:37:41.917Z [INFO ] core: mount tuning of options: path=secret/ options=map[version:2]
2018-06-06T12:37:41.919Z [INFO ] secrets.kv.kv_e5e5be74: collecting keys to upgrade
2018-06-06T12:37:41.919Z [INFO ] secrets.kv.kv_e5e5be74: done collecting keys: num_keys=1
2018-06-06T12:37:41.919Z [INFO ] secrets.kv.kv_e5e5be74: upgrading keys finished


Please let me know if you'd like to know any further details.

Appreciate your help.



Thank you
Praneeth

Jeff Mitchell

Jun 6, 2018, 2:11:45 PM
to Vault
Hello,

You can't without recompiling. Dev mode uses v2 always. You could also just use non-dev mode which still defaults to v1, at least for this and the 0.11 release.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7dcfb164-0e42-42f3-8b21-7c5582bd9776%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Praneeth Cy

Jun 6, 2018, 2:38:32 PM
to vault...@googlegroups.com
Thanks for the reply, Jeff. I wanted to use dev mode so that I can pass in a constant root token and automate the deployment and Vault initialization process for my team on their local boxes.

So, why do you think the commands appearing after the 'vault server ...' command are not being executed? I am able to change the version to 1 by executing the aforementioned commands using 'docker exec' once the container boots up.

I am new to both Vault and Docker, so I might be missing something silly. Appreciate your response.

Thanks
Praneeth

Jeff Mitchell

Jun 6, 2018, 4:08:06 PM
to Vault
Hi Praneeth,

"vault server" blocks until it is terminated...you'll need those commands to run via some separate thread.

Best,
Jeff
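
One way to structure the container entrypoint along the lines Jeff describes: start the blocking `vault server` in the background, wait until it answers, run the mount reconfiguration, then wait on the server so the container stays up. This is an added example, not code from the thread or from the Vault project; it assumes the dev root token is passed in as VAULT_DEV_ROOT_TOKEN_ID and uses `vault status` (exit code 0 once unsealed) as the readiness probe.

```shell
#!/bin/sh
# Added example entrypoint (not from the thread or the Vault project).
# The helpers take their commands as strings so the ordering logic can be
# exercised without a Vault binary present.
set -eu

# Poll a probe command up to <max-tries> times, <interval> seconds apart.
# Returns 0 as soon as the probe succeeds, 1 if it never does.
wait_for() { # wait_for <probe-cmd> <max-tries> <interval>
  probe=$1; tries=$2; interval=$3; i=0
  while [ "$i" -lt "$tries" ]; do
    if sh -c "$probe" >/dev/null 2>&1; then return 0; fi
    i=$((i + 1))
    sleep "$interval"
  done
  return 1
}

# Run the long-lived server in the background, run the one-off setup once the
# probe passes, then block on the server so the script lives as long as it does.
# If the server never becomes ready or setup fails, the server is stopped and
# the script exits non-zero so the failure is visible in the container status.
run_with_setup() { # run_with_setup <server-cmd> <probe-cmd> <setup-cmd>
  sh -c "$1" &
  server_pid=$!
  if ! wait_for "$2" 30 1; then
    kill "$server_pid" 2>/dev/null || true
    return 1
  fi
  sh -c "$3" || { kill "$server_pid" 2>/dev/null || true; return 1; }
  wait "$server_pid"
}

# Real wiring, only taken when the script is invoked as "entrypoint.sh start".
# The root token value and variable names are assumptions for this example.
if [ "${1:-}" = "start" ]; then
  VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"; export VAULT_ADDR
  VAULT_TOKEN="${VAULT_DEV_ROOT_TOKEN_ID:-topsecret}"; export VAULT_TOKEN
  run_with_setup \
    "vault server -dev -dev-listen-address=0.0.0.0:8200 -dev-root-token-id=${VAULT_TOKEN}" \
    "vault status" \
    "vault secrets disable secret && vault secrets enable -version=1 -path=secret"
fi
```

In the Dockerfile this replaces the chained CMD with `COPY entrypoint.sh /` and `CMD ["/entrypoint.sh", "start"]`; dev mode with a fixed root token remains suitable only for the local-box use the thread describes.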

Praneeth Cy

Jun 7, 2018, 10:28:20 AM
to Vault
That makes sense. Thanks for your help, Jeff.

Regards
Praneeth