Install Hashicorp Vault for testing using Docker

In this post we going to install and run a vault server in dev mode

Hashicorp offers Vault in Linux, Mac and Windows and you can run vault in dev mode for testing as it writes all in memory, this means no changes will be persistent

Once you stop the dev server you loose the data

Vault, depending on the OS, have one or more ways to be installed, although Hashicorp recommends to update regularly  I recommend to install manually in production for preventing someone with access to the server updates Vault. This is because you need a consistent version of vault to know everything is working properly, if the binary is upgrade without the knowledge, is possibly some of the commands can stop to work, or even you can loss the communication with a cluster.

We going to learn how to install it manually

If you update by accident Vault in production, you can loss compatibility and connectivity with the cluster

You need to remember that the Dev method is only recommended for testing purpose, is more insecure and is not recommended by any way running for production

Requirements:

• Linux commands basic knowledge
• Debian computer (In my case Ubuntu 20.04 aarch64)
• Basic Docker knowledge, you can see my other Docker post here

Hands-on

1. Run a container with the latest ubuntu

docker container run -it -d --name ubuntu_vault_dev ubuntu /bin/bash

2. Connect to the container to install and run vault from there

docker container exec -it ubuntu_vault_dev /bin/bash

3. Now we need to install some tools we going to need later wget and unzip

apt update && apt install -y wget unzip

If you see an error, is possible that you need to use the command sudo in front in some distributions like ubuntu, if you are not using the ubuntu container, example: sudo apt update && sudo apt install wget -y

4. Now we need to know what architecture you are working on, you can use uname -m to check it

uname -m
aarch64

In my case as I’m running the image in a Raspberry pi 4, my architecture is aarch64 (arm64)

5. Go to the Hasihcorp Vault download page here and we need to select the right binary and architecture to download

And instead on hitting the Download button do a right click on it and select “Copy Link Location”

6. Run the command wget and paste the link

wget https://releases.hashicorp.com/vault/1.5.4/vault_1.5.4_linux_arm64.zip
--2020-10-03 13:40:21--  https://releases.hashicorp.com/vault/1.5.4/vault_1.5.4_linux_arm64.zip
Resolving releases.hashicorp.com (releases.hashicorp.com)... 151.101.185.183, 2a04:4e42:53::439
Connecting to releases.hashicorp.com (releases.hashicorp.com)|151.101.185.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48076803 (46M) [application/zip]
Saving to: ‘vault_1.5.4_linux_arm64.zip’

vault_1.5.4_linux_arm64.zip         100%[==================================================================>]  45.85M  9.31MB/s    in 1m 40s  

2020-10-03 13:42:01 (471 KB/s) - ‘vault_1.5.4_linux_arm64.zip’ saved [48076803/48076803]

7. When the download is finish unzip the file

unzip vault_1.5.4_linux_arm64.zip

8. Delete the zip file

rm vault_1.5.4_linux_arm64.zip

9. Test the vault binary

./vault version
Vault v1.5.4 (1a730771ec70149293efe91e1d283b10d255c6d1)

If you get an Exec format error, instead the version this means the binary is not for your architecture, you need to delete the binary and zip file and repeat from 5 step with the right architecture of your processor

./vault version
./vault: cannot execute binary file: Exec format error

10. Check the environment path to be able to execute everywhere, use the command echo $PATH to know what are the path's directory

root@60af5e1b7139:/# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

11. Move the vault binary to a PATH environment folder, personally I prefer /usr/local/bin/ because is always empty (most of the time)

mv vault /usr/local/bin/

12. Check the installation

13. Now that everything is working, lets start the vault in dev mode

vault server -dev

14. You are going to get something like this

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: j8i4C8CelXhbDN8AyUb0jUP40db7HhrvIMUTzeZV8Oc=
Root Token: s.EXiJeOOc838l848XrdxioI6Q

Development mode should NOT be used in production installations!

Every time you start the vault server on dev mode, you will get and unseal key, and a root token

The root token is the access to your vault server, always look for it, when you initialized

15. Now the vault server is running in this terminal, connect to the docker container in a new terminal and check the server status

docker container exec -it ubuntu_vault_dev /bin/bash

vault status

16. You will get an error, this is normal

vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client

This is because we have not export the VAULT_ADDR, to do so, put the next command

17. Export the VAULT_ADDR

export VAULT_ADDR='http://127.0.0.1:8200'

18. Check the status again and we will get something like this

root@60af5e1b7139:/# vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
root@60af5e1b7139:/# export VAULT_ADDR='http://127.0.0.1:8200'
root@60af5e1b7139:/# vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.5.4
Cluster Name    vault-cluster-8c2a9073
Cluster ID      240d9b52-07ed-148d-3395-ea0e4eb082a3
HA Enabled      false

Well done, the vault server in dev mode is working, we alredy check how to use a basic command to see the status of vault, when you run dev mode vault automatically export the VAULT_TOKEN variable and put the root token on it, this means that you can run any command that needs a high level authorization, lets test this

19. Run vault auth list

vault auth list
Path      Type     Accessor               Description
----      ----     --------               -----------
token/    token    auth_token_2f444c91    token based credentials

In a production server, you will not have permissions to run the last command and you will need to use an authenticate method with the correct permission

Remember Hashicorp Dev mode run in memory and all you do it will not be persistent, that means once you stop the server no data will be written

To stop the server you can just do a control + C command in the vault running terminal

For exit the container you only need to use the exit command

exit

For clean up after you finish tests, you need to stop the container, remove the container and remove the image in this order

docker container stop ubuntu_vault_dev

docker container rm ubuntu_vault_dev

docker image rm ubuntu:latest

References:

• Hashicorp Vault official install guide
• Hashicorp Vault getting started guide
• Hashicorp Vault Dev Mode