 

Get consul Docker image to be persistent with Vault data

I am using the Vault Docker image with the Consul Docker image as its storage. My problem is that if, say, the Consul container goes down and I run a new container, I need to init the vault all over again, and the data that was saved by Consul gets lost.

Anyone know what I need to do in order to get the data to be persistent?

Command to run the Consul image:

docker run -d -p 8400:8400 -p 8500:8500 -p 8600:53/udp -it consul

Command to run the Vault image:

docker run -d -p 8200:8200 -v /root/vault:/vault --cap-add=IPC_LOCK vault server

And the vault configuration file content:

{
    "listener": [{
        "tcp": {
            "address": "0.0.0.0:8200",
            "tls_disable": 1
        }
    }],

    "storage": {
        "consul": {
            "address": "172.17.0.4:8500",
            "path": "vault/"
        }
    },
    "max_lease_ttl": "10h",
    "default_lease_ttl": "10h",
    "ui": true
}
daniel the man Avatar asked Sep 27 '18 11:09


2 Answers

According to consul's docker description, VOLUME /consul/data isn't used in any way when in development mode, which is the default for the consul agent.

For running a sandbox of 1 consul agent running in server mode + 1 vault server (which is not recommended), you can:

  • Use a persistent volume for consul and mount it on the container:

    docker volume create consul --label description='Persistent data for consul'
    
  • Start the consul container:

    docker run -d \
    -p 8400:8400 -p 8500:8500 -p 8600:53/udp \
    --net host \
    --mount type=volume,source=consul,target=/consul/data \
    --name consul \
    -it consul agent -server -bind=127.0.0.1 -bootstrap-expect=1
    
  • Configure the consul storage address for vault's server configuration matching the bind address (127.0.0.1 for this example):

        "storage": {
            "consul": {
                "address": "127.0.0.1:8500",
    
  • Run the Vault image:

    docker run -d \
    -p 8200:8200 \
    -v /root/vault:/vault \
    --cap-add=IPC_LOCK \
    --net host \
    --name vault \
    vault server
    

Then check that consul is properly mounting the volume:

$ docker inspect --format '{{ .Mounts }}' consul

Vault has consul configured as storage:

$ docker logs vault 2>&1 | grep Storage
             Storage: consul (HA available)

Then init/unseal vault as usual.

fernandezcuesta Avatar answered Sep 17 '22 21:09


You need to cause the Consul container to persist its /consul/data directory. (That HashiCorp documentation also recommends backing up Consul, separately from this.) A typical way is to change your docker run command:

docker run -v "$PWD/consul:/consul/data" ... consul

(It's possible the image is set up to attempt this behind your back, if you launch the same container with the same options, but it's probably good practice to be explicit about this, doubly so in order to know what directories to back up.)

David Maze Avatar answered Sep 16 '22 21:09

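As an added example that is not part of either answer (nor HashiCorp's own tooling), the script below puts the named-volume procedure from fernandezcuesta's answer into shell functions and adds the two checks a practitioner would run afterwards: that something is really mounted at /consul/data (parsed from the `docker inspect --format '{{ .Mounts }}'` output the answer uses; a bind mount as in David Maze's answer passes the same check), and that the agent runs in -server rather than the default -dev mode, in which the volume is never written to. The `--verify` step lists Vault's keys through Consul's KV API, restarts the Consul container and checks the listing is unchanged. It assumes the official consul and vault images with host networking and curl on the host, and that `vault operator init` has been run once before `--verify`; the container names, volume name, directory and function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not code from either answer or from HashiCorp): persistent
# Consul storage for Vault plus the checks that catch the two ways it fails.
# Assumes the official consul and vault images with --net host and curl on
# the host; CONSUL_VOLUME, VAULT_DIR and the container names are this
# script's own choices.
set -eu

CONSUL_VOLUME=${CONSUL_VOLUME:-consul}        # named volume, as in answer 1
CONSUL_ADDR=${CONSUL_ADDR:-127.0.0.1:8500}    # consul -bind address + HTTP port
VAULT_DIR=${VAULT_DIR:-/root/vault/config}    # host dir mounted at /vault/config

# Render a syntactically valid Vault server config (the question's JSON is
# missing commas). The listener stays plaintext because the question's is.
render_vault_config() {
  cat <<EOF
{
  "listener": [{ "tcp": { "address": "0.0.0.0:8200", "tls_disable": 1 } }],
  "storage": { "consul": { "address": "$1", "path": "vault/" } },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
EOF
}

# True when the output of `docker inspect --format '{{ .Mounts }}' consul`
# contains a mount whose destination is exactly /consul/data. The template
# prints each mount as "{Type Name Source Destination Driver Mode RW Prop}",
# so a bind mount (answer 2) and a named volume (answer 1) both match.
consul_data_mounted() {
  case " $1 " in
    *" /consul/data "*) return 0 ;;
  esac
  return 1
}

# True when `docker inspect --format '{{ .Args }}' consul` shows a server
# agent. The image's default -dev agent keeps its state in memory and never
# writes to /consul/data, so a mounted volume alone proves nothing.
consul_server_mode() {
  case "$1" in
    *-dev*)    return 1 ;;
    *-server*) return 0 ;;
  esac
  return 1
}

# List the keys Vault keeps under vault/ through Consul's KV API, retrying
# while the single-node cluster is still electing its leader after a start.
vault_keys_in_consul() {
  tries=0
  while [ "$tries" -lt 30 ]; do
    if keys=$(curl -sf "http://$CONSUL_ADDR/v1/kv/vault/?keys"); then
      printf '%s\n' "$keys"
      return 0
    fi
    tries=$((tries + 1)); sleep 1
  done
  return 1
}

bring_up() {
  docker volume create "$CONSUL_VOLUME" >/dev/null
  docker run -d --net host --name consul \
    --mount type=volume,source="$CONSUL_VOLUME",target=/consul/data \
    consul agent -server -bind=127.0.0.1 -bootstrap-expect=1 >/dev/null
  consul_data_mounted "$(docker inspect --format '{{ .Mounts }}' consul)" \
    || { echo "consul: nothing mounted at /consul/data" >&2; return 1; }
  consul_server_mode "$(docker inspect --format '{{ .Args }}' consul)" \
    || { echo "consul: agent is in -dev mode, data lives in memory" >&2; return 1; }
  mkdir -p "$VAULT_DIR"
  render_vault_config "$CONSUL_ADDR" > "$VAULT_DIR/config.json"
  docker run -d --net host --name vault --cap-add=IPC_LOCK \
    -v "$VAULT_DIR:/vault/config" vault server >/dev/null
  echo "up; run 'vault operator init' once, then: $0 --verify"
}

# Run after init: Vault's keyring and barrier are now in Consul, so the key
# listing must be non-empty and identical across a Consul container restart.
verify_persistence() {
  before=$(vault_keys_in_consul) || { echo "no vault/ keys in consul" >&2; return 1; }
  docker restart consul >/dev/null
  after=$(vault_keys_in_consul) || { echo "consul not back after restart" >&2; return 1; }
  [ "$before" = "$after" ] \
    || { echo "vault/ keys changed across the consul restart" >&2; return 1; }
  echo "ok: vault/ keys survived a consul restart"
}

case "${1:-}" in
  --up)     bring_up ;;
  --verify) verify_persistence ;;
esac
```

Run `sh persist.sh --up`, init and unseal Vault as usual, then `sh persist.sh --verify`. The two inspect-based checks are deliberately separate: a mounted volume with a -dev agent looks healthy in `docker inspect --format '{{ .Mounts }}'` and still loses every Vault key on the next container restart, which is exactly the symptom in the question.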