Bootstrap FreeKB - Hashicorp Vault - Install Hashicorp vault on Docker
Hashicorp Vault - Install Hashicorp vault on Docker


This assumes you have installed Docker on Linux and Docker is running

A Docker image contains the code used to create a Docker container, such as an Nginx web server, a MySQL server, or a home-grown app, and the list goes on. In this way, an image is like a template used to create a container. An image is somewhat like a virtual machine, but much more lightweight, using significantly less storage and memory (containers are usually megabytes in size).

 

The docker pull command can be used to pull down the Hashicorp vault image, version 1.13.3 in this example.

docker pull vault:1.13.3

 

Or you could create a Dockerfile that contains something like this.

FROM vault:latest

 

Then use the docker build command to create the image, running this command in the same directory as the Dockerfile.

docker build . --tag vault:latest

 

The docker images command can be used to confirm the Hashicorp vault image was pulled down.

[root@lab1 ~]# docker images
REPOSITORY          TAG              IMAGE ID       CREATED         SIZE
vault               latest           b5e03ae6c19e   2 weeks ago     181MB

 

By default, the vault will listen on TCP port 8200 (HTTP), as can be seen by inspecting the Docker image.

~]# docker inspect vault
"Config": {
  "ExposedPorts": {
    "8200/tcp": {}
  }
}

 

By default, you will not be allowed to create secrets, so let's create the config.hcl file on your Docker system with the following.

path "secret/data/*" {
  capabilities = ["list", "read", "create", "update", "delete"]
}

 

Before issuing the docker run command, ensure firewalld is running.

systemctl start firewalld

 

The following command can be used to create the vault container. Let's break down this command.

  • The docker run command is used to create the container if it doesn't exist and to start the container.
  • --cap-add=IPC_LOCK grants the container the IPC_LOCK capability so that the vault can lock its memory and keep it in RAM instead of having it written out to storage (swap).
  • The --env option is used to set the VAULT_ADDR variable to http://<hostname or ip address of the container>:8200
  • The --env option is also used to set the VAULT_LOCAL_CONFIG variable to certain configuration values. The configuration key/value pairs will be written to /vault/config/local.json in the container. Alternatively, the --volume option can be used to mount the /usr/local/docker/hashicorp/vault/config directory on the Docker system to the /vault/config directory in the container. This assumes the config.hcl file is located at /usr/local/docker/hashicorp/vault/config/config.hcl on the Docker system. However, this can create a permission issue, as the /vault/config directory and /vault/config/config.hcl file in the container will be owned by root:root instead of vault:vault.
  • "vault server &" starts the vault, running in the background

sudo docker run \
--cap-add=IPC_LOCK \
--name hashicorp_vault \
--env VAULT_ADDR=http://<hostname or ip address>:8200 \
--env VAULT_LOCAL_CONFIG='{"backend": {"file": {"path": "/vault/file"}}, "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": "true" }}, "api_addr": "http://<hostname or ip address of your Docker server>:8200", "cluster_addr": "https://<hostname or ip address of your Docker server>:8201", "ui": "true"}' \
--publish 8200:8200 \
--volume /path/to/config.hcl:/tmp/config.hcl \
vault:latest server -config=/tmp/config.hcl &

 

Create the /vault/data directory in the container.

sudo docker exec hashicorp_vault mkdir /vault/data
sudo docker exec hashicorp_vault chown vault /vault/data
sudo docker exec hashicorp_vault chgrp vault /vault/data

 

You should now be able to go to http://<hostname or ip address of your Docker server>:8200 and the Hashicorp Vault UI should be displayed.
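To tie the steps above together, here is an added example in Python (it is not part of the FreeKB article and not HashiCorp's code). It builds the VAULT_LOCAL_CONFIG JSON used in the docker run command, flags the transport-security weakness that JSON carries (tls_disable=true sends tokens and secrets in cleartext) and can emit a hardened variant instead, assembles the equivalent docker run argument list, and interprets the HTTP status codes that /v1/sys/health returns once the container is up, which tells you whether the next step is to initialize or to unseal. The hostname lab1.example.com, the host path of config.hcl, the certificate paths and the vault:1.13.3 tag are placeholders; --detach is used in place of the article's trailing &, and the health check only reaches a server if one is actually running at the address given.

```python
import json
import shlex
import urllib.error
import urllib.request

# Constructed placeholder values; substitute your own.
VAULT_HOST = "lab1.example.com"
HOST_CONFIG_HCL = "/usr/local/docker/hashicorp/vault/config/config.hcl"


def vault_local_config(host, tls_disable=True, tls_cert=None, tls_key=None):
    """Return the VAULT_LOCAL_CONFIG JSON string for the vault image.

    tls_disable=True reproduces the article's plaintext listener; passing
    tls_disable=False with cert/key paths (as seen inside the container)
    gives the hardened variant and switches api_addr to https.
    """
    listener = {"address": "0.0.0.0:8200"}
    if tls_disable:
        listener["tls_disable"] = "true"
        scheme = "http"
    else:
        listener["tls_cert_file"] = tls_cert
        listener["tls_key_file"] = tls_key
        scheme = "https"
    return json.dumps({
        "backend": {"file": {"path": "/vault/file"}},
        "listener": {"tcp": listener},
        "api_addr": f"{scheme}://{host}:8200",
        "cluster_addr": f"https://{host}:8201",
        "ui": "true",
    })


def config_warnings(config_json):
    """Flag listener settings in a VAULT_LOCAL_CONFIG string that weaken transport security."""
    cfg = json.loads(config_json)
    tcp = cfg.get("listener", {}).get("tcp", {})
    warnings = []
    if str(tcp.get("tls_disable", "false")).lower() == "true":
        warnings.append("tls_disable=true: tokens and secrets cross the network in cleartext")
    elif not (tcp.get("tls_cert_file") and tcp.get("tls_key_file")):
        warnings.append("TLS enabled but tls_cert_file/tls_key_file are not both set")
    if str(cfg.get("api_addr", "")).startswith("http://"):
        warnings.append("api_addr uses http://: clients are told to reach Vault without TLS")
    return warnings


def docker_run_argv(host, config_json, name="hashicorp_vault",
                    image="vault:1.13.3", host_config=HOST_CONFIG_HCL):
    """Build the docker run argv equivalent to the article's command (--detach replaces the trailing &)."""
    api_addr = json.loads(config_json)["api_addr"]
    return [
        "docker", "run", "--detach",
        "--cap-add=IPC_LOCK",
        "--name", name,
        "--env", f"VAULT_ADDR={api_addr}",
        "--env", f"VAULT_LOCAL_CONFIG={config_json}",
        "--publish", "8200:8200",
        "--volume", f"{host_config}:/tmp/config.hcl",
        image, "server", "-config=/tmp/config.hcl",
    ]


# /v1/sys/health reports the server state through its HTTP status code.
HEALTH_STATES = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    501: "not initialized",
    503: "sealed",
}


def health_state(status):
    return HEALTH_STATES.get(status, f"unexpected status {status}")


def check_health(api_addr, timeout=3):
    """GET /v1/sys/health; non-2xx codes are meaningful here, so map them instead of raising."""
    try:
        with urllib.request.urlopen(f"{api_addr}/v1/sys/health", timeout=timeout) as resp:
            return resp.status, health_state(resp.status)
    except urllib.error.HTTPError as err:
        return err.code, health_state(err.code)
    except urllib.error.URLError as err:
        return None, f"unreachable: {err.reason}"


if __name__ == "__main__":
    cfg = vault_local_config(VAULT_HOST)
    for warning in config_warnings(cfg):
        print("WARNING:", warning)
    print(shlex.join(docker_run_argv(VAULT_HOST, cfg)))
    print(check_health(f"http://{VAULT_HOST}:8200"))
```

Right after the container starts, check_health returns 501 (not initialized); after vault operator init it returns 503 (sealed) until the unseal keys are supplied, and 200 once the vault is unsealed and active. urlopen raises HTTPError for those codes, which is why the mapping lives in the except branch.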

 

The very first thing to do after installing Hashicorp Vault is to initialize the vault.

Then unseal the vault.

Then log in to the vault.

 



