Vault 开发模式初始化错误,作为高山容器中的 non-root 用户:/dev/null/.vault 不是目录
Vault dev mode initialization error as non-root user in alpine container: /dev/null/.vault not a directory
标题有点概括。 Dockerfile 如下。我在构建中没有其他错误。当我在 ENTRYPOINT
.
之前将用户设置为 vault 时,docker 运行 命令吐出如下所示的 Error initializing
- 如果我注释掉
USER vault
服务器将正常启动。
- 如果我删除
vault server
的 -dev 选项但保留 USER vault
服务器将正常启动。
它在 /dev/null 中寻找什么,或者它为什么在那里寻找?我无法在任何相关的谷歌搜索中找到对 /dev/null 的任何引用。
> docker build -t vault-deploy .
> docker run --rm -it --cap-add=IPC_LOCK -p 127.0.0.1:8200:8200 vault-deploy
Api Address: http://0.0.0.0:8200
Cgo: enabled
Cluster Address: https://0.0.0.0:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: trace
Mlock: supported: true, enabled: false
Storage: file
Version: Vault v0.11.0
Error initializing Dev mode: open /dev/null/.vault: not a directory
vault-dev-config.hcl:
storage "file" {
path = "/var/vault/data"
}
(如果我使用 storage "inmem" {}
或让它使用默认配置,我会得到相同的行为。)
Docker文件:
FROM [INTERNAL DOCKER IMAGE REPOSITORY]/alpine-python3
# Vault is in the testing repository, edge branch.
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
# - - - - - - - - - - - - - - - - - - - - - - - -
# Container packages.
# libcap: For the setcap executable.
# - - - - - - - - - - - - - - - - - - - - - - - -
RUN apk update \
&& apk --no-cache add -u vault \
&& apk add --update libcap \
&& rm -rf /var/cache/apk/*
# - - - - - - - - - - - - - - - - - - - - - - - -
# Execution configuration.
# - - - - - - - - - - - - - - - - - - - - - - - -
# We won't run as root.
RUN mv /usr/sbin/vault /usr/bin
RUN chown vault /usr/bin/vault
# Make sure the vault executable can run mlock to prevent swapping to disk. We
# also have to run the container with --cap-add=IPC_LOCK.
RUN setcap cap_ipc_lock=+ep $(readlink -f /usr/bin/vault)
# - - - - - - - - - - - - - - - - - - - - - - - -
# Create and set ownership of /var/vault.
# Only needed if we're putting a file storage back end here.
# - - - - - - - - - - - - - - - - - - - - - - - -
RUN mkdir /var/vault
RUN chown -R vault:vault /var/vault
# - - - - - - - - - - - - - - - - - - - - - - - -
# Create, populate and set ownership of /etc/vault.
# - - - - - - - - - - - - - - - - - - - - - - - -
RUN mkdir /etc/vault
COPY vault-dev-config.hcl /etc/vault/vault-dev-config.hcl
RUN chmod 600 /etc/vault/vault-dev-config.hcl
RUN chown -R vault:vault /etc/vault
# - - - - - - - - - - - - - - - - - - - - - - - -
# Prepare for launch.
# - - - - - - - - - - - - - - - - - - - - - - - -
USER vault
#Error initializing Dev mode: open /dev/null/.vault: not a directory
ENTRYPOINT vault server \
-dev \
-log-level trace \
-dev-listen-address 0.0.0.0:8200 \
-config /etc/vault/vault-dev-config.hcl
喜欢 Vault google 小组的答案。在开发模式下,Vault 将根密钥写入 $HOME/.vault
。在我的容器中,保险库用户没有登录或 $HOME
,因此 $HOME
默认为 /dev/null
。将 $HOME
设置为 /var/vault
解决了问题。
标题有点概括。 Dockerfile 如下。我在构建中没有其他错误。当我在 ENTRYPOINT
.
Error initializing
- 如果我注释掉
USER vault
服务器将正常启动。 - 如果我删除
vault server
的 -dev 选项但保留USER vault
服务器将正常启动。
它在 /dev/null 中寻找什么,或者它为什么在那里寻找?我无法在任何相关的谷歌搜索中找到对 /dev/null 的任何引用。
> docker build -t vault-deploy .
> docker run --rm -it --cap-add=IPC_LOCK -p 127.0.0.1:8200:8200 vault-deploy
Api Address: http://0.0.0.0:8200
Cgo: enabled
Cluster Address: https://0.0.0.0:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: trace
Mlock: supported: true, enabled: false
Storage: file
Version: Vault v0.11.0
Error initializing Dev mode: open /dev/null/.vault: not a directory
vault-dev-config.hcl:
storage "file" {
path = "/var/vault/data"
}
(如果我使用 storage "inmem" {}
或让它使用默认配置,我会得到相同的行为。)
Docker文件:
FROM [INTERNAL DOCKER IMAGE REPOSITORY]/alpine-python3
# Vault is in the testing repository, edge branch.
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
# - - - - - - - - - - - - - - - - - - - - - - - -
# Container packages.
# libcap: For the setcap executable.
# - - - - - - - - - - - - - - - - - - - - - - - -
RUN apk update \
&& apk --no-cache add -u vault \
&& apk add --update libcap \
&& rm -rf /var/cache/apk/*
# - - - - - - - - - - - - - - - - - - - - - - - -
# Execution configuration.
# - - - - - - - - - - - - - - - - - - - - - - - -
# We won't run as root.
RUN mv /usr/sbin/vault /usr/bin
RUN chown vault /usr/bin/vault
# Make sure the vault executable can run mlock to prevent swapping to disk. We
# also have to run the container with --cap-add=IPC_LOCK.
RUN setcap cap_ipc_lock=+ep $(readlink -f /usr/bin/vault)
# - - - - - - - - - - - - - - - - - - - - - - - -
# Create and set ownership of /var/vault.
# Only needed if we're putting a file storage back end here.
# - - - - - - - - - - - - - - - - - - - - - - - -
RUN mkdir /var/vault
RUN chown -R vault:vault /var/vault
# - - - - - - - - - - - - - - - - - - - - - - - -
# Create, populate and set ownership of /etc/vault.
# - - - - - - - - - - - - - - - - - - - - - - - -
RUN mkdir /etc/vault
COPY vault-dev-config.hcl /etc/vault/vault-dev-config.hcl
RUN chmod 600 /etc/vault/vault-dev-config.hcl
RUN chown -R vault:vault /etc/vault
# - - - - - - - - - - - - - - - - - - - - - - - -
# Prepare for launch.
# - - - - - - - - - - - - - - - - - - - - - - - -
USER vault
#Error initializing Dev mode: open /dev/null/.vault: not a directory
ENTRYPOINT vault server \
-dev \
-log-level trace \
-dev-listen-address 0.0.0.0:8200 \
-config /etc/vault/vault-dev-config.hcl
喜欢 Vault google 小组的答案。在开发模式下,Vault 将根密钥写入 $HOME/.vault
。在我的容器中,保险库用户没有登录或 $HOME
,因此 $HOME
默认为 /dev/null
。将 $HOME
设置为 /var/vault
解决了问题。