kastem34 Posted June 29, 2022 Share Posted June 29, 2022 (edited) Application Name: Vault Application Site: https://www.vaultproject.io/ Docker Hub: https://hub.docker.com/_/vault Github: https://github.com/hashicorp/docker-vault Manage secrets and protect sensitive data. Create and secure access to tokens, passwords, certificates, and encryption keys. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. Here is a video about this container. This image is an official one, I do not manage it, though, I will do my best to support it here. The app is going to install HashiCorp Vault with a file backend (default), you can change this backend if you want to, with other parameters in VAULT_LOCAL_CONFIG variable : NOTE : At startup, the container will read configuration HCL and JSON files from /vault/config (any information passed into VAULT_LOCAL_CONFIG is written into local.json in this directory and read as part of reading the directory for configuration files). Please see Vault's configuration documentation for a full list of options. {"backend": {"file": {"path": "/vault/file"}},"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}, "ui": true} Port : Vault is using port 8200 (default). Volumes : We have two volumes in your installation : - file : mandatory as you want the secrets to persist to your disks. - logs : only if you want to audit logs. (commands in General usage section) Setup : You can setup Vault from the WebUI, but I will go with the CLI. After launching the app, install vault in your OS as a client : https://www.vaultproject.io/downloads Set VAULT_ADDR to your Unraid server IP. export VAULT_ADDR='http://192.168.0.100:8200' Create key shares and set a threshold about how many keys you need to unseal Vault. vault operator init -key-shares=6 -key-threshold=3 e.g output (Keep these keys and Root token safe and do not share them!): Unseal Key 1: xDElr...IofCZFSvPe Unseal Key 2: 2TQgn...vyQ7fSdSWR Unseal Key 3: JALI...EpHFSw7SsI Unseal Key 4: knzg...xEFwfwWSbKQ Unseal Key 5: bJJmA...DSwfsddOTc Unseal Key 6: xft8...aTdVSTYZg5 Initial Root Token: hvs.tnhE...y8NkA Run unseal command 3 times with different keys every time (depends of your threshold number): NOTE : best practice would be to not write the key directly, and only type "vault operator unseal", so the keys is not in your cli history. vault operator unseal xDElr...IofCZFSvPe vault operator unseal 2TQgn...vyQ7fSdSWR vault operator unseal knzg...xEFwfwWSbKQ After 3 times running this command, you should see Sealed false Now Vault is unsealed, you can login to vault : NOTE : best practice would be to not write the token directly, and only type "vault login", so the token is not in your cli history. vault login hvs.tnhE...y8NkA Example Usage : There is many secret engine you can use : https://www.vaultproject.io/docs/secrets/ In this example, I will use the KV Engine as it's the most basic one. Enable the KV (Key Value) Engine https://www.vaultproject.io/docs/secrets/kv : vault secrets enable -version=1 -path=secret kv Create our first secret : vault kv put secret/my-vault/password password=123456 List our secret : vault kv list secret/ vault kv list secret/my-vault/ Read the secret (defaults in table format): vault kv get secret/my-vault/password ====== Data ====== Key Value --- ----- password 123456 Read the secret in json format: vault kv get --format=json secret/my-vault/password { "request_id": "31915c6c-2f8f-f7c4-146c-3dc81e80033c", "lease_id": "", "lease_duration": 2764800, "renewable": false, "data": { "password": "123456" }, "warnings": null } Read only the password value in the secret: vault kv get -field=password secret/my-vault/password 123456 Create a key with multiple secrets : vault kv put secret/nextcloud/db db_name=nextcloud username=nextcloud_user password=secret Read secrets in json : vault kv get --format=json secret/nextcloud/db { "request_id": "db9604e4-f2eb-a529-c7f3-448b2846f565", "lease_id": "", "lease_duration": 2764800, "renewable": false, "data": { "db_name": "nextcloud", "password": "secret", "username": "nextcloud_user" }, "warnings": null } Only read username field : vault kv get -field=username secret/nextcloud/db nextcloud_user Delete our secrets : vault kv delete secret/nextcloud/db If you want to activate the audit logs : vault audit enable file file_path=/vault/logs/vault_audit.log If you want to disable the audit logs : vault audit disable file Vault is pretty fun and there is ton of different usages, from your bash scripts, in your code, in your CI/CD pipeline, SSH OTP, dynamic secrets, cloud provider authentication... have fun! Please post any questions/issues relating to this docker you have in this thread. Edited July 4, 2022 by kastem34 Being more concise 2 Quote Link to comment
kastem34 Posted June 29, 2022 Author Share Posted June 29, 2022 Asking kindly to a moderator to move this topic in the DOCKER CONTAINERS section. Thanks! Quote Link to comment
kastem34 Posted June 30, 2022 Author Share Posted June 30, 2022 Hello, I have created a video about this application yesterday and added it in the main message. Enjoy! 1 Quote Link to comment
Jclendineng Posted July 16, 2022 Share Posted July 16, 2022 Can you use vault to store docker secrets? I am not aware of any way to based on the docs but thought I would ask. An example is, say, a DB connection you are passing creds to in a docker application in unraid. I know you can use docker secrets (not easily in unraid) but vault would be nice to use for this. Quote Link to comment
kastem34 Posted July 18, 2022 Author Share Posted July 18, 2022 Hi @Jclendineng, I think you would need to create/build a Dockerfile yourself in this case. on another way, after some research, there is some hints here for example : https://github.com/ehazlett/docker-volume-libsecret not sure if the installation of libsecret would work on unraid OS, but if it does, then you should be able to call vault in templates with extra parameters. Quote Link to comment
onetx Posted October 11, 2022 Share Posted October 11, 2022 How use a secret as enviroment variable in a Docker/Template? Quote Link to comment
Jclendineng Posted December 23, 2022 Share Posted December 23, 2022 How use a secret as enviroment variable in a Docker/Template?No way to do it currently so I don’t use it, I don’t want to manually unseal every time I patch unraid unfortunately Sent from my iPhone using Tapatalk Quote Link to comment
GamingWolf Posted July 2, 2023 Share Posted July 2, 2023 Vault has moved their docker image, making this no longer useable. You can find the new home of Vault here https://hub.docker.com/r/hashicorp/vault. There is also a note about this on the old Docker Hub page. Quote Link to comment
kastem34 Posted July 2, 2023 Author Share Posted July 2, 2023 I have updated the file https://github.com/KasteM34/unraid-templates/blob/main/vault/vault.xml Quote Link to comment
LTM Posted July 2, 2023 Share Posted July 2, 2023 I am not able to start the container. I get the following: Unable to find image 'vault:latest' locally docker: Error response from daemon: manifest for vault:latest not found: manifest unknown: manifest unknown. See 'docker run --help'. I have tried :latest, :1.14, 1:13 and they all end in the same error. I was able to successfully install another container after trying this one so I don't believe it is something unraid/my system related. Quote Link to comment
UnraidCitadel Posted July 2, 2023 Share Posted July 2, 2023 6 hours ago, LTM said: I am not able to start the container. I get the following: Unable to find image 'vault:latest' locally docker: Error response from daemon: manifest for vault:latest not found: manifest unknown: manifest unknown. See 'docker run --help'. I have tried :latest, :1.14, 1:13 and they all end in the same error. I was able to successfully install another container after trying this one so I don't believe it is something unraid/my system related. Same issue here. Quote Link to comment
jinx8503 Posted July 2, 2023 Share Posted July 2, 2023 I was able to fix this by adjusting the docker extra parameters. The template lists "vault server" after the memory lock option in extra parameters, I believe the docker run command is accepting this as the repository value instead of hashicorp/vault. From the Vault Docker hub site it only shows server as the post command argument, vault appears to not be needed. Full disclosure though I'm by no means a Vault expert, I was just trying to spin up the container to try it out. Quote Link to comment
kastem34 Posted July 2, 2023 Author Share Posted July 2, 2023 (edited) 21 minutes ago, jinx8503 said: I was able to fix this by adjusting the docker extra parameters. The template lists "vault server" after the memory lock option in extra parameters, I believe the docker run command is accepting this as the repository value instead of hashicorp/vault. From the Vault Docker hub site it only shows server as the post command argument, vault appears to not be needed. Full disclosure though I'm by no means a Vault expert, I was just trying to spin up the container to try it out. Thank you for the hint, I have updated the template, in like 2 hours from now it should be updated, feel free to tell me if it works. Edited July 2, 2023 by kastem34 Quote Link to comment
jinx8503 Posted July 3, 2023 Share Posted July 3, 2023 22 hours ago, kastem34 said: Thank you for the hint, I have updated the template, in like 2 hours from now it should be updated, feel free to tell me if it works. Worked for me, I removed the container and previous template. I reinstalled the container from Community Applications and the container started up without issues, Thanks! Quote Link to comment
kastem34 Posted July 5, 2023 Author Share Posted July 5, 2023 On 7/3/2023 at 6:19 PM, jinx8503 said: Worked for me, I removed the container and previous template. I reinstalled the container from Community Applications and the container started up without issues, Thanks! Thanks for the feedback! Quote Link to comment
Rudder2 Posted December 14, 2023 Share Posted December 14, 2023 (edited) Does the Vault/File folder have to be on the cache drive or can it live on the array? I would prefer the protection for such data on the array. Thank you for creating this unRAID template! I appreciate the work that the Devs do to make our OS AWESOME! Thank you for your time and help. Edited December 14, 2023 by Rudder2 I suck at spelling... Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.