Can't access UI when running vault in dev mode from docker

Hello. I'm trying to get started with Vault. I'm trying to run it in developer mode from a Docker container. Here is my last docker command:
docker run --cap-add=IPC_LOCK --name=dev-vault -e 'VAULT_LOCAL_CONFIG={\"ui\":\"true\" }' -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=127.0.0.1:8200' -e 'VAULT_ADDR=http://localhost:8200' -p 8200:8200 vault

Container starts without errors, I get vault status from CLI.
But attempt to open UI in Chrome results in ERR_EMPTY_RESPONSE error, Firefox reports connection dropped.
I have other Docker containers (for example Grafana) and their UI is reachable, so it doesn’t seem to be a network problem or firewall, etc.

Same with this command:
docker run --cap-add=IPC_LOCK --name=dev-vault -e 'VAULT_DEV_LISTEN_ADDRESS=127.0.0.1:8200' -p 8200:8200 vault

If I try to use Transit engine to encode some data using Python:

import hvac

client = hvac.Client(url='http://127.0.0.1:8200')
encrypt_data_response = client.secrets.transit.encrypt_data(name='hvac-key', plaintext='hi its me hvac')

I get a ‘Connection aborted.’ error:

raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

If I stop the container and run the above commands, then I get a connection time-out response (as expected), so in the above case, there is a connection with an engine. I wonder why I can’t reach the UI.

What am I missing?

Some details:
Host OS: Windows 10

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.11.0
Build Date      2022-06-17T15:48:44Z
Storage Type    inmem
Cluster Name    vault-cluster-2f2a5189
Cluster ID      4f18 ..... 7ca74
HA Enabled      false
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.17.11
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.11.0, built 2022-06-17T15:48:44Z
             Version Sha: ea296 ..... eb2f1

==> Vault server started! Log data will stream in below:

This is more of a docker networking question than Vault.

You can use this as an example configuration on how to do the setup and mapping of docker ports:

You could also consider just not using Docker here at all - it’s unnecessary for this scenario: Vault ships Windows binaries which you can simply unpack and run - no installation needed, no dependencies.

This would remove complexity from your environment.

Found a solution myself, sharing it for the community.

Why it was not working:
The UI is off by default. I tried to enable it by passing the configuration as an environment variable (-e 'VAULT_LOCAL_CONFIG={\"ui\":\"true\"}'). For some reason it doesn’t work.

In the official docker image from HashiCorp, the command to run Vault in developer mode is:
$ docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234' vault

It looks like in this mode it doesn’t accept (or ignores) the VAULT_LOCAL_CONFIG variable where I tried to turn the UI on. And it seems the UI is still off in “dev” mode.

So, I decided to run it in “server” mode, with a separate configuration file and volume mappings. Then I’m able to turn the UI on.

Below are my docker compose file and configuration:

version: '3.9'

services:
  vault:
    image: vault
    container_name: vault-dev
    ports:
      - "8200:8200"
    environment:
      - VAULT_ADDR=http://0.0.0.0:8200
      - VAULT_API_ADDR=http://0.0.0.0:8200
      - VAULT_ADDRESS=http://0.0.0.0:8200
   
    volumes:
      - /f/docker/vault/file:/vault/file
      - /f/docker/vault/config:/vault/config
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json

The volume paths are written for Windows here, as my host OS is Windows.
And the config file vault.json:

{
  "ui": "true",
  "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}},
  "storage": {"file": {"path": "/vault/file"}}
}

With the above configuration the UI starts and I can also access Vault using Python scripts.

If anybody can suggest how to run Vault in “dev” mode and turn UI on at the same time - would be interesting to know.

P.S. thanks to others who tried to help!

I was able to enable the UI in dev mode.

docker run --entrypoint vault \
-p 8200:8200 \
-v "$(pwd)"/vault:/vault \
vault:latest \
server -dev \
-dev-listen-address="0.0.0.0:8200" \
-dev-root-token-id="dev-only-token" \
-config=/vault/vault-dev-server.hcl

The vault-dev-server.hcl file is in the $(pwd)/vault directory.

disable_mlock = true
ui            = true

Hello everyone!

I got the Vault container running easily with the Web UI, with this command:

docker run --cap-add=IPC_LOCK --name vault-dev -p 8200:8200 -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' hashicorp/vault

hope it helps.

Yes, thanks. I think the issue was to do with Vault listening only on localhost, instead of the external IP address of the Docker container, rather than anything specifically related to dev mode. :slight_smile:
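
An added example (not code from the thread or from HashiCorp): a Python check of the root cause named in the last reply. It takes the `Listener` line from the Vault startup banner and a `docker run -p` value, and reports whether the published port can reach the listener and whether a TLS-disabled listener ends up published on every host interface. The function names and finding labels are assumptions made for this example.

```python
import ipaddress
import re

# Listener line copied from the startup banner quoted in the thread.
SAMPLE_BANNER = ('Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: '
                 '"127.0.0.1:8201", max_request_duration: "1m30s", '
                 'max_request_size: "33554432", tls: "disabled")')


def parse_listener(line):
    """Return (ip, port, tls_disabled) from a Vault 'Listener N:' banner line."""
    m = re.search(r'\(addr: "([^"]+):(\d+)".*tls: "(\w+)"', line)
    if not m:
        raise ValueError("not a Vault listener line")
    ip = ipaddress.ip_address(m.group(1).strip("[]"))
    return ip, int(m.group(2)), m.group(3) == "disabled"


def parse_publish(spec):
    """Split a docker -p value [host_ip:]host_port:container_port (IPv4 host IP)."""
    parts = spec.split("/")[0].split(":")  # drop an optional /tcp suffix
    if len(parts) == 2:
        return "0.0.0.0", int(parts[0]), int(parts[1])  # no host IP: all interfaces
    if len(parts) == 3:
        return parts[0], int(parts[1]), int(parts[2])
    raise ValueError("unsupported publish spec: " + spec)


def diagnose(listener_line, publish_spec):
    """Return a one-item list naming the first problem found, or ['ok']."""
    ip, port, tls_off = parse_listener(listener_line)
    host_ip, _, container_port = parse_publish(publish_spec)
    if container_port != port:
        return ["port-mismatch"]
    if ip.is_loopback:
        # Forwarded traffic arrives on the container's network interface,
        # so a listener bound to the container's loopback never sees it.
        return ["unreachable-loopback-bind"]
    if tls_off and not ipaddress.ip_address(host_ip).is_loopback:
        # Reachable from other machines on the host's networks, in cleartext.
        return ["cleartext-on-all-host-interfaces"]
    return ["ok"]


if __name__ == "__main__":
    print(diagnose(SAMPLE_BANNER, "8200:8200"))  # the original command
    fixed = SAMPLE_BANNER.replace("127.0.0.1:8200", "0.0.0.0:8200")  # constructed
    print(diagnose(fixed, "8200:8200"))
    print(diagnose(fixed, "127.0.0.1:8200:8200"))
```

Publishing as `-p 127.0.0.1:8200:8200` keeps a dev-mode server with a fixed root token and no TLS reachable from the host only, while the listener inside the container still binds to 0.0.0.0.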