From 84975465d450b842d8a3c60c03a18b12cebf588d Mon Sep 17 00:00:00 2001 From: Theo Diefenthal Date: Wed, 7 Dec 2022 02:29:14 +0100 Subject: [PATCH 1/2] Improve Hashicorp Vault docker run example for server mode to actually be directly usable and fix backend to current wording of storage --- vault/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault/content.md b/vault/content.md index 03ab0129bdec..f6f7574a6581 100644 --- a/vault/content.md +++ b/vault/content.md @@ -48,7 +48,7 @@ $ docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DE ## Running Vault in Server Mode ```console -$ docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' %%IMAGE%% server +$ docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' -p 8200:8200 %%IMAGE%% server ``` This runs a Vault server using the `file` storage backend at path `/vault/file`, with a default secret lease duration of one week and a maximum of 30 days. From b1cec03aae0f045b1b62499c6c21d17712005e2c Mon Sep 17 00:00:00 2001 From: Theo Diefenthal Date: Tue, 13 Dec 2022 11:41:20 +0100 Subject: [PATCH 2/2] Upgrade hashicorp vault readme by suggestions from @mladlow making it explicit that docker run example is not meant for productional use --- vault/content.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/vault/content.md b/vault/content.md index f6f7574a6581..d3a27503d7e0 100644 --- a/vault/content.md +++ b/vault/content.md 
@@ -45,16 +45,24 @@ As an example: $ docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234' %%IMAGE%% ``` -## Running Vault in Server Mode +## Running Vault in Server Mode for Development ```console $ docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' -p 8200:8200 %%IMAGE%% server ``` -This runs a Vault server using the `file` storage backend at path `/vault/file`, with a default secret lease duration of one week and a maximum of 30 days. +This runs a Vault server with TLS disabled, the `file` storage backend at path `/vault/file` and a default secret lease duration of one week and a maximum of 30 days. Disabling TLS and using the `file` storage backend are not recommended for production use. Note the `--cap-add=IPC_LOCK`: this is required in order for Vault to lock memory, which prevents it from being swapped to disk. This is highly recommended. In a non-development environment, if you do not wish to use this functionality, you must add `"disable_mlock: true"` to the configuration information. At startup, the server will read configuration HCL and JSON files from `/vault/config` (any information passed into `VAULT_LOCAL_CONFIG` is written into `local.json` in this directory and read as part of reading the directory for configuration files). Please see Vault's [configuration documentation](https://www.vaultproject.io/docs/config/index.html) for a full list of options. +We suggest volume mounting a directory into the Docker image in order to give both the configuration and TLS certificates to Vault. You can accomplish this with: + +```console +$ docker run --volume config/:/vault/config.d ... 
+``` + +For more scalability and reliability, we suggest running containerized Vault in an orchestration environment like k8s or OpenShift. + Since 0.6.3 this container also supports the `VAULT_REDIRECT_INTERFACE` and `VAULT_CLUSTER_INTERFACE` environment variables. If set, the IP addresses used for the redirect and cluster addresses in Vault's configuration will be the address of the named interface inside the container (e.g. `eth0`).
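Review bot: In the first commit's hunk (the `docker run` line under "Running Vault in Server Mode"), the new listener binds `0.0.0.0:8200` with `"tls_disable": true` and the command publishes it with `-p 8200:8200`, so the unencrypted API and UI are reachable from every host interface, while the description line in that same hunk still calls it plainly "a Vault server" with no caveat. Consider publishing on the loopback address for a local example (`-p 127.0.0.1:8200:8200`) and stating in the description that TLS is disabled and the `ui` is enabled, so the prose matches the configuration; the second commit's wording change covers the production caveat but not the bind address.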
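Review bot: In the second commit's hunk, the added volume example `--volume config/:/vault/config.d` does not match the paragraph just above it, which says the server reads configuration from `/vault/config`; a directory mounted at `/vault/config.d` will not be read unless the config directory is also changed. The host side is also a relative path, which `docker run --volume` rejects as an invalid named-volume name rather than treating it as a bind mount (host paths must be absolute). Suggest `$ docker run --volume "$(pwd)/config:/vault/config" ...` and, since the sentence says the mount is for TLS certificates as well, a short note that the listener's `tls_cert_file`/`tls_key_file` should then point into that mounted directory instead of keeping `tls_disable` set.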