I have a docker compose setup that successfully starts consul (config here). Vault seems to start ok, except for some errors around setting the TTL (logs here).

Further on, consul seems to be hiccuping when trying to reach /v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed. Apparently 'vault:127.0.0.1:8200:vault-sealed-check' status is now critical.

consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' status is now critical
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Service 'vault:127.0.0.1:8200' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Service 'consul' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Check 'vault:127.0.0.1:8200:vault-sealed-check' in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] agent: Node info in sync
consul1    |     2016/11/05 20:50:04 [DEBUG] http: Request PUT /v1/agent/check/fail/vault:127.0.0.1:8200:vault-sealed-check?note=Vault+Sealed (92.314µs) from=172.18.0.3:48742

When the vault container starts (with the consul backend), 1) how do we get the initial i) key and ii) root token? I'm using Hashicorp's official vault image with my custom /vault/config/vault.hcl (and the consul image).

Ultimately, I want to know 2) how to unseal a vault server. And in this case, I want to unseal the vault server, that's running in the docker container. And 3) is this all I need, to start writing secrets to vault.

Frye
  • `vault --help` is a good starting point. – Florin Asăvoaie Nov 05 '16 at 22:01
  • @FlorinAsăvoaie Yes **1)** `vault unseal` and `vault unseal` are available at the vault command-line. And **2)** running within the docker container should write out the initial key and token. But I can't see those values from outside the container. – Frye Nov 06 '16 at 02:11
  • Run the container for the first time in attached mode? – Florin Asăvoaie Nov 06 '16 at 07:54
  • You can unseal Vault using different KMS services (or Kubernetes) with our Vault Kubernetes operator https://banzaicloud.com/blog/vault-unsealing/ – matyix Jun 18 '18 at 19:08

2 Answers


In order to unseal a vault-in-a-container using official source vault image I would initiate the vault container with:

vm# docker run -it --cap-add IPC_LOCK -p 8200:8200 -p 8215:8125 --name vault --volume /my/vault:/my/vault vault server -config=/my/vault/vaultCfg.hcl 

where the vm is running 1.12.4 docker engine and the vault hcl config lists:

backend "consul" {
  address = "myconsul.com:8500"
  path = "vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

and then on the same docker host:

vm# VAULT_ADDR=http://myvault.com:8200
vm# docker exec -it vault vault init -address=${VAULT_ADDR}

And expect output like:

2016/12/11 10:21:10.628736 [WARN ] physical/consul: appending trailing forward slash to path
2016/12/11 12:09:12.117238 [INFO ] core: security barrier not initialized
2016/12/11 12:09:12.136037 [INFO ] core: security barrier initialized: shares=5 threshold=3
2016/12/11 12:09:12.169987 [INFO ] core: post-unseal setup starting
2016/12/11 12:09:12.181963 [INFO ] core: successfully mounted backend: type=generic path=secret/
2016/12/11 12:09:12.181990 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2016/12/11 12:09:12.182057 [INFO ] core: successfully mounted backend: type=system path=sys/
2016/12/11 12:09:12.182156 [INFO ] rollback: starting rollback manager
2016/12/11 12:09:12.218527 [INFO ] core: post-unseal setup complete
2016/12/11 12:09:12.218733 [INFO ] core/startClusterListener: starting listener
2016/12/11 12:09:12.218899 [INFO ] core/startClusterListener: serving cluster requests: cluster_listen_address=[::]:8201
2016/12/11 12:09:12.228888 [INFO ] core: root token generated
2016/12/11 12:09:12.228905 [INFO ] core: pre-seal teardown starting
2016/12/11 12:09:12.228911 [INFO ] core/stopClusterListener: stopping listeners
2016/12/11 12:09:12.228921 [INFO ] core/startClusterListener: shutting down listeners
2016/12/11 12:09:12.724179 [INFO ] core/startClusterListener: listeners successfully shut down
2016/12/11 12:09:12.724209 [INFO ] core/stopClusterListener: success
2016/12/11 12:09:12.724225 [INFO ] rollback: stopping rollback manager
2016/12/11 12:09:12.724250 [INFO ] core: pre-seal teardown complete

This link may help. A working Internet connection is required for docker run.

volvox

So I found a working solution. A working setup with i. a consul node, ii. a vault instance talking to it, and then iii. the ability to connect to vault and generate the initial unseal keys and root token.

A) With this dockerfile, I can i. docker-compose build && docker-compose up.

B) Then in another shell, I can connect with a $ docker exec -i -t gently_vault_1 /bin/sh.

C) And then, in that shell, simply run vault init.

/ # vault init
Unseal Key 1: asdf...
Unseal Key 2: qwer...
Unseal Key 3: zxcv...
Unseal Key 4: piou...
Unseal Key 5: lkjh...
Initial Root Token: mbnv...

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.
Frye
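Both answers stop at printing the keys. The script below, added here and not code from either answer, drives the same procedure from the docker host: run `vault init` inside the container, parse the keys and threshold out of its output, feed exactly that many keys to `vault unseal`, and confirm with `vault status` that the server is unsealed. It assumes the container is named `vault` (as in the `docker run` above) with a plain-HTTP listener on 8200, and it embeds a constructed sample of the init output so the parsing functions can be exercised without a running Vault.

```shell
#!/bin/sh
# Added example (not either answer's own code): init the containerised Vault,
# parse the keys, unseal with the threshold number of keys, confirm the result.
# Assumes the container is named "vault" (as in the docker run above) with a
# plain-HTTP listener on 8200. Newer Vault releases spell these commands
# "vault operator init" and "vault operator unseal".
VAULT_CONTAINER="${VAULT_CONTAINER:-vault}"
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# docker exec does not forward host environment, so -address is passed explicitly.
vault_in_container() {
    docker exec -i "$VAULT_CONTAINER" vault "$@" -address="$VAULT_ADDR"
}
# One unseal key per line, in the order "vault init" printed them.
parse_unseal_keys() {
    printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9][0-9]*: //p'
}
parse_root_token() {
    printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'
}
# Read the threshold from the init output instead of hard-coding 3.
parse_threshold() {
    printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}
# Only the first <threshold> keys are needed; the others stay with their holders.
threshold_keys() {
    parse_unseal_keys "$1" | head -n "$(parse_threshold "$1")"
}
# Returns 0 once "vault status" reports unsealed (it exits 2 while sealed).
init_and_unseal() {
    init_out="$(vault_in_container init)" || return 1
    threshold_keys "$init_out" | while IFS= read -r key; do
        vault_in_container unseal "$key" >/dev/null || exit 1
    done || return 1
    echo "root token (record it, shown once): $(parse_root_token "$init_out")"
    vault_in_container status >/dev/null
}
# Constructed sample in the shape "vault init" prints; values are placeholders.
SAMPLE_INIT_OUTPUT='Unseal Key 1: asdf...
Unseal Key 2: qwer...
Unseal Key 3: zxcv...
Unseal Key 4: piou...
Unseal Key 5: lkjh...
Initial Root Token: mbnv...

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys.'
# Run against a live container only when asked, so the file is safe to source.
if [ "${RUN_AGAINST_VAULT:-0}" = "1" ]; then init_and_unseal; fi
```

Run it with `RUN_AGAINST_VAULT=1 sh unseal.sh` once the container is up; the init output, and therefore the keys and root token, never touch disk because they are held only in the shell variable.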
    I would avoid using someone else's own-rolled apparently secure vault image, irrespective of how [hagiographically](http://www.interruptsoftware.com) other people describe them. Unless you've verified their src. Or they're Ken Thompson or Dennis Ritchie. – volvox Dec 13 '16 at 17:42
  • Dockerfile is no longer available. Consider pasting it in a response here. – Kevin Buchs Oct 18 '18 at 14:27