To be brief, I'm struggling to persist the data saved in a Vault container on my local machine: after I do a `docker-compose down` and re-deploy it with `docker-compose up -d`, the data is lost. I'll show you what my `.yml` looks like; it is very simple:
```yaml
version: '3.7'
services:
  vault_dev:
    image: vault:latest
    volumes:
      - vault-file:/vault/file
    ports:
      - "8200:8200/tcp"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: 'root'
      VAULT_DEV_LISTEN_ADDRESS: '0.0.0.0:8200'
    cap_add:
      - IPC_LOCK
    container_name: vault_dev
    entrypoint: "vault server -dev"
volumes:
  vault-file: {}
```
2 Answers
When Vault is started with the `-dev` option it stores secrets in memory only. They are lost when it shuts down. Nothing to do with Docker. You probably want to remove the `-dev` option in your Dockerfile entrypoint and use the `file` storage option in your configuration file.

Using a production Vault server in docker-compose for local development is not convenient, because you have to unseal it often, typically every time the container is restarted.
I find it much easier to use the Vault dev server mode with one additional bootstrapping container that initializes the Vault state as I need it.
Here’s how to do it. First define the Vault Dev Server in compose.
(Vault UI: http://localhost:8200/ui/vault from your dev machine)
docker-compose.yml
Now the Vault is ready for use but it’s empty – no keys or additional secret engines are enabled. To fill it with the necessary data I use a second container which is started just once and is enabling/creating the engines/keys which will be used during my work.
docker-compose.yml
This container is executing a `vault-init.sh` script which I have prepared in a directory (in this example it's the same dir as the docker-compose file, but you can place it in another and change the mount path). The script is making the following steps:

After you start it with `docker-compose up -d` you can open the Vault UI with a browser and verify that the Vault is in the state that you desire: http://localhost:8200/ui/vault
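The compose listings in the second answer did not survive on this page, so here is an added example of the dev-server-plus-bootstrap pattern it describes. It is my own file, not the answerer's, and it folds the `vault-init.sh` steps into the bootstrap container's command instead of mounting a script. The service name `vault_init`, the engine path `secret-dev`, the policy name `app-read` and the sample secret are assumptions I constructed for illustration; the root token `root` and the `vault_dev` service come from the question.

```yaml
version: '3.7'
services:
  vault_dev:
    image: vault:latest
    container_name: vault_dev
    cap_add:
      - IPC_LOCK
    ports:
      - "8200:8200/tcp"
    environment:
      # Dev mode: in-memory storage, auto-unsealed, plain HTTP and a
      # well-known root token. Nothing here is meant to survive a restart.
      VAULT_DEV_ROOT_TOKEN_ID: 'root'
      VAULT_DEV_LISTEN_ADDRESS: '0.0.0.0:8200'
    # the image entrypoint turns this into `vault server ... -dev`
    command: server -dev

  # One-shot bootstrap container (hypothetical name): runs once after the
  # dev server is up and recreates the state the dev server loses on shutdown.
  vault_init:
    image: vault:latest
    container_name: vault_init
    depends_on:
      - vault_dev
    restart: "no"
    environment:
      VAULT_ADDR: 'http://vault_dev:8200'
      VAULT_TOKEN: 'root'
    entrypoint: ["sh", "-c"]
    command:
      - |
        # depends_on does not wait for readiness; poll until the dev
        # server is up and unsealed (vault status exits 0 only then)
        until vault status >/dev/null 2>&1; do sleep 1; done
        # KV v2 engine at a custom path; a re-run may find it already enabled
        vault secrets enable -path=secret-dev kv-v2 || true
        # constructed sample secret for local development only
        vault kv put secret-dev/db username=app password=dev-only-password
        # least-privilege policy so application code never needs the root token
        vault policy write app-read - <<'EOF'
        path "secret-dev/data/db" {
          capabilities = ["read"]
        }
        EOF
        # a short-lived token scoped to that policy, printed once for the developer
        vault token create -policy=app-read -ttl=8h
```

`docker-compose up -d` starts both containers; `vault_init` exits after seeding and is not restarted, and every fresh `up` reseeds the empty dev server, which is exactly the behaviour the answer describes. The root token and plaintext listener are acceptable only because this Vault holds constructed dev data on a local machine; the policy-scoped token is there so that code under development is exercised against a least-privilege token rather than `root`.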
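For the first answer's approach (drop `-dev`, use `file` storage), here is an added compose file of my own, not taken from either answer, that keeps the question's volume but runs the server in production mode. It relies on the image's own entrypoint (the question overrode it with `entrypoint: "vault server -dev"`) and on the image's `VAULT_LOCAL_CONFIG` variable to supply the configuration file; the service name `vault` and the config values are my assumptions.

```yaml
version: '3.7'
services:
  vault:
    image: vault:latest
    container_name: vault
    cap_add:
      - IPC_LOCK        # lets Vault mlock() its memory so secrets are not swapped to disk
    ports:
      - "8200:8200/tcp"
    environment:
      # The image entrypoint writes this JSON to /vault/config/local.json and
      # `server` (no -dev) starts Vault with -config=/vault/config.
      VAULT_LOCAL_CONFIG: >-
        {"storage": {"file": {"path": "/vault/file"}},
         "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": true}}],
         "ui": true}
      # tls_disable is tolerable on a local dev box only; anything shared needs TLS.
      VAULT_ADDR: 'http://127.0.0.1:8200'   # so `docker-compose exec vault vault ...` works
    volumes:
      - vault-file:/vault/file   # encrypted barrier lives here and survives down/up
    command: server
volumes:
  vault-file: {}
```

On the first start the volume is empty, so initialise it once with `docker-compose exec vault vault operator init -key-shares=1 -key-threshold=1` (a single unseal key is fine for a local box), then `docker-compose exec vault vault operator unseal <key>`. The unseal key and initial root token are printed exactly once; keep them outside the container and out of the compose file. After every restart the server comes up sealed and needs `operator unseal` again, which is the inconvenience the second answer points out; what you gain is that `docker-compose down` followed by `up -d` brings back the same secrets from `vault-file`.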