Vault with Docker Compose

Hi Team,

I am new to docker. Currently we are trying to launch vault using docker-compose.

Following is the setup we used to launch vault using a docker container. Does this setup look good, or are any changes needed? Can anyone please provide your suggestions?

Also, I have one query: since I am using docker-compose, should I still configure the vault.service file, or is it not needed?

Following is the vault-configuration file

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

storage "raft" {
  path    = "/vault/file"
  node_id = "raft_node1"
}

plugin_directory = "/vault/plugins"
cluster_addr     = "http://127.0.0.1:8201"
disable_mlock    = "true"
ui               = "true"

As per the content present in Docker Hub, I prepared the following docker-compose file

version: '3.6'
services:
  vault:
    image: vault:latest
    container_name: vault
    ports:
      - "8201:8201"
      - "8200:8200"
    environment:
      VAULT_API_ADDR: "http://0.0.0.0:8200"
    cap_add:
      - IPC_LOCK
    volumes:
      - vault-backend:/vault/file
      - vault-logs:/vault/logs
      - ./configs:/vault/config
      - ./plugins:/vault/plugins
    healthcheck:
      retries: 5
    entrypoint: vault server -config=/vault/config/vault-config.hcl
volumes:
  vault-backend:
    driver: local
  vault-logs:
    driver: local

You're missing a lot of pieces: SSL certs, docker networking, and the different instances cannot use the same config file, as the node_id has to be different on each node. cluster_address needs to be reachable from other nodes.

Take a look at github.com/hashicorp/vault-guides.git

It's more for testing and doing the vault-guide lessons, but it contains a lot of useful information for someone starting out.
There are various configurations: onboarding/docker-compose for docker-compose and operations/raft-storage/local for just docker (using consul as the backend).

Thanks for the input Aram. This is very helpful.
I will add cert files in the listener section of the config file:

  tls_cert_file = "/vault/certs/.cer"
  tls_key_file  = "/vault/certs/.pem"

Currently we are planning to use only one node and later increase the nodes. If we increase the nodes, we will definitely have a separate config file for each node.

For a single-node setup, does this docker-compose file look good?

As per the content in Docker Hub, vault will expose the volume /vault/file that has the persisted data.

Can we change this path?

Also, is vault.service still needed if we run vault through docker?

Thanks for the updated requirements.
Normally you cannot change the internal docker path, but you can map it to whatever path you wish on your host machine. In this case you can, but shouldn't: vault has no hard-coded paths, so you can in theory map them to whatever path you want. I would recommend against it simply because it gains you nothing but adds complexity. The important path is on your host, not inside of the docker machine.

The left side is your host path and can be anything on your host; the right side is static and is inside of the docker machine.

Three notes on docker-compose:

  • It's best practice to use full paths on the left side (host side).
  • If it's a directory mapping, map it with a trailing "/" to denote that. Although a directory mount is the default option, this visually tells the admin looking at it the difference between a file and a directory in the mapping.
  • Mark config files (and any other read-only resources) as read-only. This has fallen out of favor lately, but I still think it's a valid best practice, especially if you're just starting out with docker.

    volumes:
      - vault-backend:/vault/file
      - vault-logs:/vault/logs
      - ./configs:/vault/config
      - ./plugins:/vault/plugins

Example:

      - /opt/vault/data/database:/vault/file
      - /opt/vault/logs/:/vault/logs/
      - /opt/vault/etc/:/vault/config/:ro
      - /opt/vault/plugins/:/vault/plugins/:ro

To answer your last question: no, you don't need a service file. Inside of a docker-compose you have an "entrypoint" in docker that starts the service.

Thanks Aram. These are very helpful.

In my docker-compose file, the first two mappings under the volumes section

  - vault-backend:/vault/file
  - vault-logs:/vault/logs

are docker named volumes, as a result of which I haven't given the full path. Should I give the full path in case of named volumes?

For the remaining two (i.e. mentioned below), I will definitely change them.

  - ./configs:/vault/config
  - ./plugins:/vault/plugins

Yes, sorry I missed that they were volumes.
All bind mappings should have full paths.
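Pulling the thread's advice together (named volumes for data, absolute host paths with trailing slashes and ":ro" for bind mounts, TLS certs mounted for the listener, an entrypoint instead of a service file) into one single-node compose file, as an added example that is not from any poster in this thread. The /opt/vault host layout, the ca.pem file name, the vault.example.internal hostname and the healthcheck are assumptions; the listener must reference the mounted cert and key in vault-config.hcl.

```yaml
# Added example, not from the thread: single-node Vault with the
# volume and TLS advice above applied. Host paths, cert name and
# hostname are assumptions; adjust them to your environment.
version: '3.6'
services:
  vault:
    image: vault:latest            # pin a specific tag in production
    container_name: vault
    ports:
      - "8200:8200"                # API/UI; 8201 is only needed once you add nodes
    environment:
      VAULT_API_ADDR: "https://vault.example.internal:8200"  # assumed reachable name
      VAULT_ADDR: "https://127.0.0.1:8200"   # used by the healthcheck inside the container
      VAULT_CACERT: "/vault/certs/ca.pem"     # lets the healthcheck verify the listener cert
    cap_add:
      - IPC_LOCK
    volumes:
      # named volumes: Docker manages the host location, so no host path here
      - vault-backend:/vault/file
      - vault-logs:/vault/logs
      # bind mounts: absolute host path, trailing "/" for directories, ":ro" where Vault only reads
      - /opt/vault/etc/:/vault/config/:ro
      - /opt/vault/certs/:/vault/certs/:ro
      - /opt/vault/plugins/:/vault/plugins/:ro
    healthcheck:
      # "vault status" exits 0 when unsealed and 2 when sealed, so the
      # container only reports healthy after the unseal step
      test: ["CMD", "vault", "status"]
      interval: 30s
      timeout: 5s
      retries: 5
    entrypoint: vault server -config=/vault/config/vault-config.hcl
volumes:
  vault-backend:
    driver: local
  vault-logs:
    driver: local
```

Because the healthcheck stays unhealthy until the node is unsealed, dependent services using condition: service_healthy will wait for that step; drop the healthcheck or relax it if that is not what you want.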

Thanks Aram. Also, is vault auto seal possible when vault is set up using docker?

Sure, one has nothing to do with the other. You can use a cloud provider or another vault instance to store your key in, to auto-unseal.