Hello team.
I'm trying to install Vault using Docker Compose.
I want to have production mode, but without TLS, because the Vault server will stay behind an nginx reverse proxy.
According to the documentation, this is only possible if I provide a config file and provide the command
    command: server -config=/vault/config/config.hcl
I have the following problem:
There always seems to be a default listener.
When I provide an extra config I always get the error:
"Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: address already in use"
This is my config file:

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address         = "127.0.0.1:8200"
  tls_disable     = "true"
  cluster_address = "127.0.0.1:8201"
}

api_addr     = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui           = true
And this is my compose file:

services:
  vault:
    image: hashicorp/vault:1.19.5
    container_name: vault-new
    restart: unless-stopped
    command: >
      server -config=/vault/config/config.hcl
    ports:
      - "8200:8200"
      - "8201:8201"
    cap_add:
      - IPC_LOCK
    volumes:
      - c:\data\vault\data:/vault/data
      - c:\data\vault\config:/vault/config
So the question is:
how to set up Vault in production mode in a Docker container using a config file?
I am grateful for every bit of help.
Thank you
Does the Vault config work if you just start a Vault locally? That helps ensure the config is valid. You could also try setting the listener addresses to 0.0.0.0:xxxx or the specific address on the target subnet you want the listener to respond on (0.0.0.0 = any address (okay for testing but I would advise against it for production) vs 10.0.0.1 = only respond on that IP).
Hi Jonathan,
thanks for the advice, will try.
cu
Try removing the -config parameter from the command and putting your config inside configs in docker-compose. Related to this issue? HELP: Always said "bind: address already in use" when trying to start up a HA vault cluster in docker compose · Issue #109 · hashicorp/docker-vault · GitHub

services:
  vault:
    configs:
      - source: vault_config_json
        target: /vault/config/vault-config.json

configs:
  vault_config_json:
    content: |
      .... your config
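The two replies above point at the same two things to check before Vault starts: whether the file named in -config is loaded a second time, and what address the listener binds. The hashicorp/vault image's entrypoint passes `-config=/vault/config` on its own whenever the container command begins with `server`, so an explicit `-config=/vault/config/<file>` makes Vault parse that file twice and try to bind the same listener twice; a listener on 127.0.0.1 inside the container is also unreachable through the published ports, and 0.0.0.0 with TLS off exposes plaintext on every interface (Jonathan's point). The checker below is an added example, not code from the thread or from HashiCorp; the compose and HCL snippets embedded in it are constructed copies of the question's and the final answer's configuration, trimmed to the relevant keys.

```python
import re

# Directory the hashicorp/vault image entrypoint passes as -config on its own
# whenever the container command starts with `server` (VAULT_CONFIG_DIR).
ENTRYPOINT_CONFIG_DIR = "/vault/config"

# Constructed inputs mirroring the thread: the pair from the question and the
# pair from the final answer, reduced to the keys the checker looks at.
COMPOSE_QUESTION = """
services:
  vault:
    image: hashicorp/vault:1.19.5
    command: >
      server -config=/vault/config/config.hcl
"""
HCL_QUESTION = """
listener "tcp" {
  address         = "127.0.0.1:8200"
  tls_disable     = "true"
  cluster_address = "127.0.0.1:8201"
}
"""
COMPOSE_ANSWER = """
services:
  vault:
    command: >
      server -config=/etc/vault.d/vault.hcl
"""
HCL_ANSWER = """
# HTTP listener
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
# HTTPS listener (commented out, so the checker must ignore it)
#listener "tcp" {
#  address = "0.0.0.0:8200"
#}
"""


def config_arg(compose_text):
    """Return the path given to -config in the service command, or None."""
    m = re.search(r"-config=(\S+)", compose_text)
    return m.group(1) if m else None


def loaded_twice(config_path):
    """True when the explicit -config file also sits in the directory the
    entrypoint already adds: Vault parses the same listener twice and the
    second bind fails with 'address already in use'."""
    return bool(config_path) and config_path.startswith(ENTRYPOINT_CONFIG_DIR + "/")


def listeners(hcl_text):
    """Yield (address, tls_disabled) for every uncommented tcp listener block."""
    live = "\n".join(l for l in hcl_text.splitlines() if not l.lstrip().startswith("#"))
    for block in re.finditer(r'listener\s+"tcp"\s*\{(.*?)\}', live, re.S):
        body = block.group(1)
        addr = re.search(r'(?m)^\s*address\s*=\s*"([^"]+)"', body)
        tls = re.search(r'tls_disable\s*=\s*"?(\w+)"?', body)
        yield (addr.group(1) if addr else None,
               bool(tls) and tls.group(1).lower() in ("1", "true"))


def lint(compose_text, hcl_text):
    """Return findings in order; an empty list means none of the known pitfalls."""
    findings = []
    path = config_arg(compose_text)
    if loaded_twice(path):
        findings.append(f"double-load: {path} is under {ENTRYPOINT_CONFIG_DIR}, "
                        "which the entrypoint already passes as -config")
    for addr, tls_off in listeners(hcl_text):
        if addr is None:
            continue
        host = addr.rsplit(":", 1)[0]
        if host == "127.0.0.1":
            findings.append(f"loopback: listener {addr} is only reachable inside "
                            "the container; published ports cannot forward to it")
        elif host == "0.0.0.0" and tls_off:
            findings.append(f"plaintext-any: listener {addr} serves HTTP on every "
                            "interface; restrict exposure to the reverse proxy")
    return findings


if __name__ == "__main__":
    for label, compose, hcl in (("question", COMPOSE_QUESTION, HCL_QUESTION),
                                ("answer", COMPOSE_ANSWER, HCL_ANSWER)):
        print(label, lint(compose, hcl) or ["ok"])
```

Run against the question's pair it reports the double load and the loopback listener; against the final answer's pair only the plaintext-on-all-interfaces note remains, which is acceptable when the published port is only reachable by the nginx proxy.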
So finally I was able to get it up and running using the default paths that are also used if Vault is installed on a Linux machine.
Vault now starts in prod mode using raft storage.
After starting the container, go to localhost:8200 in your preferred browser, create your number of unseal keys and define the number of unseal keys that must be provided to unseal the cluster.
- Copy your root token
- Enter unseal keys as configured
- Unseal Vault
- Log in using the root token
Do your business.
This is the Portainer stack / docker compose file running on Docker Desktop on Windows.
For Linux, modify the volume path and remove the c:\ accordingly.
version: "3.8"
services:
  vault:
    image: hashicorp/vault:1.19.5
    container_name: vault-new
    restart: unless-stopped
    command: >
      server -config=/etc/vault.d/vault.hcl
    ports:
      - "8200:8200"
      - "8201:8201"
    cap_add:
      - IPC_LOCK
    volumes:
      - c:\data\vault\data:/data/vault
      - c:\data\vault\config:/etc/vault.d
This is the Vault config file vault.hcl located at c:\data\vault\config.
In my prod environment I configured auto unseal with Azure Key Vault.
If you want that too, you need to uncomment the seal "azurekeyvault" part and add your data.
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration

ui = true

#mlock = true
disable_mlock = true

storage "raft" {
  path    = "/data/vault"
  node_id = "vault-node-2"
}

# HTTP listener
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# API address (for CLI and clients)
api_addr = "http://0.0.0.0:8200"
# Cluster address (for internal Raft communication between nodes)
cluster_addr = "http://0.0.0.1:8201"

# HTTPS listener
#listener "tcp" {
#  address       = "0.0.0.0:8200"
#  tls_cert_file = "/opt/vault/tls/tls.crt"
#  tls_key_file  = "/opt/vault/tls/tls.key"
#}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region     = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

#seal "azurekeyvault" {
#  tenant_id     = "xxx"
#  client_id     = "xxx"
#  client_secret = "xxx"
#  vault_name    = "xxx"
#  key_name      = "xxx"
#}
Thanks all for your responses.
Hope this is helpful.
Best regards
Andreas
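The init, unseal and login steps in the answer above are done in the browser UI; the same sequence against the Vault HTTP API, useful when the container is brought up from a script or a CI job, is shown below as an added example (not code from the thread or from HashiCorp). It assumes the published port from the compose file is reachable on the host as http://127.0.0.1:8200 with TLS disabled, as configured in the thread; the share count and threshold are the same values the UI asks for on first visit. Only the pure helper functions are exercised offline; `bootstrap()` needs a running container.

```python
import json
import urllib.request

# Host-side address of the published port from the compose file (assumed).
VAULT_ADDR = "http://127.0.0.1:8200"


def init_body(shares, threshold):
    """Body for POST /v1/sys/init: how many key shares to create and how
    many of them must be entered to unseal (the two numbers the UI asks for)."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    return {"secret_shares": shares, "secret_threshold": threshold}


def keys_to_submit(keys, threshold):
    """Vault takes one share per unseal call and needs `threshold` of them;
    any subset of that size works, so submit the first `threshold` shares."""
    if len(keys) < threshold:
        raise ValueError("not enough unseal keys for the configured threshold")
    return list(keys[:threshold])


def is_sealed(status):
    """Interpret a /v1/sys/seal-status response; unknown state counts as sealed."""
    return bool(status.get("sealed", True))


def api(method, path, body=None, token=None):
    """Minimal JSON client for the Vault HTTP API (plain HTTP, as in the thread)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        # This header is the API form of "log in using the root token".
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def bootstrap(shares=5, threshold=3, keys=None):
    """Initialize the cluster if needed, then unseal it.

    Returns the root token on first initialization, otherwise None. `keys`
    lets a caller pass previously saved shares for an already initialized
    node; on first run the shares come from the init response and must be
    stored offline by the operator (the comment below marks that spot)."""
    status = api("GET", "/v1/sys/seal-status")
    root_token = None
    keys = list(keys or [])
    if not status.get("initialized"):
        init = api("POST", "/v1/sys/init", init_body(shares, threshold))
        keys, root_token = init["keys_base64"], init["root_token"]
        # Store keys_base64 and root_token securely here; they are shown once.
    if is_sealed(status) and keys:
        for key in keys_to_submit(keys, threshold):
            status = api("POST", "/v1/sys/unseal", {"key": key})
            if not is_sealed(status):
                break
    return root_token


if __name__ == "__main__":
    token = bootstrap()
    if token:
        me = api("GET", "/v1/auth/token/lookup-self", token=token)
        print("logged in with policies:", me["data"]["policies"])
```

The unseal loop stops as soon as seal-status reports `sealed: false`, so it also behaves correctly if someone has already entered some shares through the UI.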