Vault with docker
docker vault 를 빠르게 실행해보자
--cap-add=IPC_LOCK
Memory Locking and ‘setcap’ The container will attempt to lock memory to prevent sensitive values from being swapped to disk and as a result must have –cap-add=IPC_LOCK provided to docker run. Since the Vault binary runs as a non-root user, setcap is used to give the binary the ability to lock memory. With some Docker storage plugins in some distributions this call will not work correctly; it seems to fail most often with AUFS. The memory locking behavior can be disabled by setting the SKIP_SETCAP environment variable to any non-empty value.
-e 'VAULT_ADDR=http://127.0.0.1:8200'
기본적으로 vault client 에서 https 를 사용하고 있기 때문에, http 를 사용하려면 vault 어쩌고 명령어를 할때마다 –address=https://127.0.0.1:8200 을 같이 써야한다. 귀찮으니까 환경변수로 넣자. 환경변수가 없고 https 없이 (환경변수에서 tls_disable) 컨테이너를 기동하면 vault 명령어시 아래와 같은 오류가 나온다.
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: http: server gave HTTP response to HTTPS client
-v vaultdata:/vault/file:z
vaultdata 라는 docker volume 이 미리 준비되어있어야한다. 마지막에 z 옵션은 SELinux 가 활성화 되어있으면 사용해야한다.
$ docker volume create vaultdata
$ docker run \
-d \
-p 8200:8200 \
--name=dev-vault \
--cap-add=IPC_LOCK \
--restart=always \
-e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": {"tcp": { "address": "0.0.0.0:8200", "tls_disable": "true"}}, "ui": "true", "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' \
-e 'VAULT_ADDR=http://127.0.0.1:8200' \
-v vaultdata:/vault/file:z \
docker.io/vault:1.4.0 server