I am using the Vault Docker image with the Consul Docker image as its storage. My problem is that if, say, the Consul container goes down and I try to run a new container, I need to init Vault all over again, and the data that was saved by Consul is lost.
Does anyone know what I need to do in order to make the data persistent?
Command to run the Consul image:
docker run -d -p 8400:8400 -p 8500:8500 -p 8600:53/udp -it consul
Command to run the Vault image:
docker run -d -p 8200:8200 -v /root/vault:/vault --cap-add=IPC_LOCK vault server
And the Vault configuration file content (commas added so that it parses as valid JSON):
{
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  }],
  "storage": {
    "consul": {
      "address": "172.17.0.4:8500",
      "path": "vault/"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
According to Consul's Docker image description, VOLUME /consul/data isn't used in any way in development mode, which is the default for consul agent.
For running a sandbox of 1 Consul agent in server mode + 1 Vault server (which is not recommended for production), you can:
Use a persistent volume for consul and mount it on the container:
docker volume create consul --label description='Persistent data for consul'
Start the consul container:
docker run -d \
-p 8400:8400 -p 8500:8500 -p 8600:53/udp \
--net host \
--mount type=volume,source=consul,target=/consul/data \
--name consul \
-it consul agent -server -bind=127.0.0.1 -bootstrap-expect=1
Configure the consul storage address in Vault's server configuration to match the bind address (127.0.0.1 for this example):
"storage": {
  "consul": {
    "address": "127.0.0.1:8500",
    "path": "vault/"
  }
},
Run the Vault image:
docker run -d \
-p 8200:8200 \
-v /root/vault:/vault \
--cap-add=IPC_LOCK \
--net host \
--name vault \
vault server
Then check that Consul is properly mounting the volume:
$ docker inspect --format '{{ .Mounts }}' consul
and that Vault has Consul configured as storage:
$ docker logs vault 2>&1 | grep Storage
Storage: consul (HA available)
Then init/unseal Vault as usual.
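The sandbox above, as an added example that is not code from the question or either answer: a small POSIX shell script that creates the named volume, writes the corrected Vault config, starts both containers on host networking, and refuses to continue unless /consul/data is really on a volume or bind mount and Vault's log shows Consul as its storage backend. A second sub-command replaces the Consul container after init/unseal and confirms Vault still reports an initialised backend, which is the actual persistence test. VAULT_DIR, CONSUL_VOLUME and the mount-line format are assumptions of this script; the image names and flags are the ones used in the question and answer.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Assumes a Docker
# host, the "consul" and "vault" image names from the question, and VAULT_DIR
# as the host directory mounted at /vault (constructed default below).
set -eu

VAULT_DIR="${VAULT_DIR:-$HOME/vault}"
CONSUL_VOLUME="${CONSUL_VOLUME:-consul}"

# Reads "TYPE DESTINATION SOURCE" lines (the format container_mounts prints)
# on stdin; succeeds only when container path $1 is backed by a named volume
# or a bind mount, i.e. storage that outlives the container.
mount_is_persistent() {
    awk -v dest="$1" '
        $2 == dest && ($1 == "volume" || $1 == "bind") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Reads Vault's startup log on stdin; succeeds only when the backend Vault
# actually loaded is Consul (the "Storage: consul (HA available)" line).
log_has_consul_storage() {
    grep -q 'Storage: consul'
}

# One "TYPE DESTINATION SOURCE" line per mount of container $1.
container_mounts() {
    docker inspect --format \
        '{{range .Mounts}}{{.Type}} {{.Destination}} {{.Source}}{{"\n"}}{{end}}' "$1"
}

write_vault_config() {
    mkdir -p "$VAULT_DIR/config"
    # Same settings as the question, storage address pointing at the Consul
    # server bound on the host loopback; the image reads /vault/config.
    cat > "$VAULT_DIR/config/vault.json" <<'EOF'
{
  "listener": [{ "tcp": { "address": "0.0.0.0:8200", "tls_disable": 1 } }],
  "storage": { "consul": { "address": "127.0.0.1:8500", "path": "vault/" } },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
EOF
}

start_consul() {
    docker volume create "$CONSUL_VOLUME" >/dev/null
    docker run -d --net host --name consul \
        --mount "type=volume,source=$CONSUL_VOLUME,target=/consul/data" \
        consul agent -server -bind=127.0.0.1 -bootstrap-expect=1 >/dev/null
}

start_vault() {
    docker run -d --net host --name vault --cap-add=IPC_LOCK \
        -v "$VAULT_DIR:/vault" vault server >/dev/null
}

up() {
    write_vault_config
    start_consul
    # Fail early if Consul's data directory is only container-local storage.
    container_mounts consul | mount_is_persistent /consul/data ||
        { echo "consul: /consul/data is not on a persistent mount" >&2; exit 1; }
    start_vault
    sleep 3   # give Vault a moment to log its storage backend
    docker logs vault 2>&1 | log_has_consul_storage ||
        { echo "vault: storage backend is not consul" >&2; exit 1; }
    echo "stack up; run 'vault operator init' and unseal, then try: $0 check"
}

# After init/unseal: replace the Consul container and confirm Vault still
# sees an initialised backend.
check() {
    docker rm -f consul >/dev/null
    start_consul
    sleep 3
    docker exec -e VAULT_ADDR=http://127.0.0.1:8200 vault vault status 2>/dev/null |
        grep -q '^Initialized *true' && echo "vault data survived consul replacement" ||
        { echo "vault data did not survive; /consul/data is not persistent" >&2; exit 1; }
}

case "${1:-}" in
    up) up ;;
    check) check ;;
esac
```

Run `sh persist-check.sh up`, initialise and unseal Vault as the answer describes, then `sh persist-check.sh check`. Without the named volume in start_consul the first sub-command stops at the mount check, and with it the second sub-command shows Vault still initialised after Consul has been recreated.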
You need to cause the Consul container to persist its /consul/data directory. (That HashiCorp documentation also recommends backing up Consul, separately from this.) A typical way is to change your docker run command:
docker run -v "$PWD/consul:/consul/data" ... consul    # -v needs an absolute host path
(It's possible the image is set up to attempt this behind your back, if you launch the same container with the same options, but it's probably good practice to be explicit about this, doubly so in order to know what directories to back up.)