Public | Automated Build

Last pushed: 8 months ago
Short Description
Vault container for use with DC/OS
Full Description

Vault on DC/OS

This is an example of how to run HashiCorp's Vault on DC/OS. By default, it's configured in HA mode with ZooKeeper as the backend.

Running on DC/OS

Step 1: Launch Vault server

Copy the following JSON:

  "id": "scale-vault",
  "cpus": 1,
  "mem": 1000,
  "instances": 1,
  "container": {
    "type": "DOCKER",
    "docker": {
      "image": "geoint/scale-vault",
      "forcePullImage": true,
      "network": "BRIDGE",
      "portMappings": [{
        "containerPort": 8200,
        "hostPort": 8282,
        "protocol": "tcp",
        "labels": {
          "VIP_0": "scale-vault:8200"
  "healthChecks": [{
      "protocol": "COMMAND",
      "command": {
        "value": "curl -X GET -s -o /dev/null -k https://localhost:8200/v1/sys/health"
      "gracePeriodSeconds": 20,
      "intervalSeconds": 30,
      "timeoutSeconds": 10,
      "maxConsecutiveFailures": 6,
      "ignoreHttp1xx": false

In the DC/OS interface go to Services > Deploy Service > Check the JSON Mode toggle > Paste in the configuration.

Note: you may configure some parameters via environment variables, from the wrapper script run-vault. You may set the following environment variables:

  • VAULT_TLS_KEY: TLS key file contents
  • VAULT_TLS_CERT: TLS cert file contents
  • VAULT_CONFIG_HCL: HCL config file contents
  • VAULT_CONFIG_JSON: JSON config file contents

Step 2: Initialize the vault

SSH into one of the DC/OS cluster nodes, and initialize the vault with the following:

$ docker run -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=" --entrypoint=vault -t geoint/scale-vault init
Key 1: 62b6e5c157446c05c067bb41fadf931fd8f422f4af2a4c0ee056acbd5a89d3ed01
Key 2: a065dbfd663c5a619bfdc74ebce68051f9e7004d19c67bc6726daf49e209d4ea02
Key 3: 91e97d22436508a67905e535f636bb3e4550a8ad77b9f69da43717baa4012b5b03
Key 4: dcef79c03925db47c8494decfe959be39079ac987ac774fc5fb7148528dcb33a04
Key 5: ed63df1f1c7c89802ab16f97b445a08c2cce047814b8f9a789edac766ed44c8b05
Initial Root Token: 11aaf733-f280-fbaf-251d-69b9606bf4fa

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.

After, check to make sure it was properly initialized:

$ docker run -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=" --entrypoint=vault -t geoint/scale-vault status
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0

High-Availability Enabled: true
    Mode: sealed

Step 3: Unseal your vault

Repeat the following command 3 times, pasting a separate key each time:

$ docker run -i -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=" --entrypoint=vault -t geoint/scale-vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1

Once it says Sealed: false, your vault is unsealed.

Note: You'll have to run the command above with each key for each instance of Vault you're running. For example, if you run 3 instances (in HA mode), you'll have to repeatedly run the command and enter each key 3 times to unseal all 3 Vault instances. That's a total of 9 commands, if you're counting.

Step 4: Start using your vault!

Run an interactive shell to test your vault:

$ docker run -i -e "VAULT_SKIP_VERIFY=true" -e "VAULT_ADDR=" --entrypoint=/bin/sh -t geoint/scale-vault
$ vault auth 11aaf733-f280-fbaf-251d-69b9606bf4fa # use root token from init
Successfully authenticated!
token: 11aaf733-f280-fbaf-251d-69b9606bf4fa
token_duration: 0
token_policies: [root]
$ vault token-create
Key                Value
token              d72b4cc0-a0a2-9be8-7c69-8fde5fe8bbe5
token_duration     0
token_renewable    false
token_policies     [root]
$ vault write secret/hello value=world
Success! Data written to: secret/hello
$ vault read secret/hello
Key               Value
lease_duration    2592000
value             world

For more examples, take a look at the Vault getting started guide.

Reinitializing your Vault Server

If you misplaced your unseal keys or you want to start with a fresh service you need to delete the vault tree in ZooKeeper. To interact with Zookeeper:

  • Browse to http://[DCOS_URL]/exhibitor.
  • Under the Explorer tab highlight vault.
  • Select the Modify button at bottom of the page.
  • Choose the Delete operation type, ensure the path is /vault, and fill out the tacking info.
  • Select Next... and verify the operation.

You will have to restart the Vault service in DC/OS to see the change with the client.

Next steps

After you get Vault up and running, you may want to consider running multiple instances, and enabling discovery via marathon-lb.

Docker Pull Command
Source Repository