Hashicorp Vault in docker compose throws 127.0.0.1:8200: bind: address already in use

[subhasisbanik]

Description I am trying to set up a Hashicorp Vault cluster with docker-compose and passing the config file as a parameter in the "command" section like:

command: "server -config=/vault/config/vault.hcl"

But it fails with the error line below: Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: address already in use

Steps to reproduce the issue:

1. Set up docker swarm with 2 nodes
2. Build a docker network type overlay in the swam
3. Prepare docker-compose.yml with the details below :

version: "3.8" services: consul1: image: consul:1.8.0 user: root ports:

• 8500:8500 command: "agent -server -syslog=false -log-level=INFO -bootstrap -node=consul1 -data-dir=/consul/data -datacenter=dc1 -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\" }}'" volumes:
• "/opt/docker/vault_cluster/data_server1:/consul/data" networks: vault-cluster-network: deploy: placement: constraints:
  • "node.hostname==partner1-pt3-bke-10" consul2: image: consul:1.8.0 ports:
• 8600:8500 depends_on:
• consul1 command: "agent -server -syslog=false -log-level=INFO -node=consul2 -data-dir=/consul/data -datacenter=dc1 -retry-join consul1 -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\" }}'" volumes:
• "/opt/docker/vault_cluster/data_server2:/consul/data" networks: vault-cluster-network: deploy: placement: constraints:
  • "node.hostname==partner1-pt3-bke-11" consul3: image: consul:1.8.0 ports:
• 8700:8500 depends_on:
• consul1 command: "agent -server -syslog=false -log-level=INFO -node=consul3 -data-dir=/consul/data -datacenter=dc1 -retry-join consul1 -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\" }}'" volumes:
• "/opt/docker/vault_cluster/data_server3:/consul/data" networks: vault-cluster-network: deploy: placement: constraints:
  • "node.hostname==partner1-pt3-bke-11" vault1: image: vault:latest deploy: replicas: 1 ports:
• 8200:8200 environment:
• VAULT_INIT=true
• GEN_CERT=true
• CERT_CONF_COUNTRY=US
• CERT_CONF_STATE=Test
• CERT_CONF_LOCALITY=Test
• CERT_CONF_ORGANIZATION=Test
• CERT_EXPIRY_DAYS=750
• SECRET_PASS=vault_cluster123$$
• VAULT_DISABLE_MLOCK=true volumes:
• "/opt/docker/vault_cluster/unseal1:/vault/unseal"
• "/opt/docker/vault_cluster/config1:/vault/config"
• "/opt/docker/vault_cluster/certs1:/vault/certs"
• "/var/log/vault_cluster/vault1:/vault/logs" command: "server -config=/vault/config/vault.hcl" cap_add:
• ALL depends_on:
• consul3 networks: vault-cluster-network: deploy: placement: constraints:
  • "node.hostname==partner1-pt3-bke-10" vault2: image: vault:latest deploy: replicas: 1 ports:
• 9200:8200 environment:
• VAULT_INIT=true
• GEN_CERT=true
• CERT_CONF_COUNTRY=US
• CERT_CONF_STATE=Test
• CERT_CONF_LOCALITY=Test
• CERT_CONF_ORGANIZATION=Test
• CERT_EXPIRY_DAYS=750
• SECRET_PASS=vault_cluster123$$
• VAULT_DISABLE_MLOCK=true volumes:
• "/opt/docker/vault_cluster/unseal2:/vault/unseal"
• "/opt/docker/vault_cluster/config2:/vault/config"
• "/opt/docker/vault_cluster/certs2:/vault/certs"
• "/var/log/vault_cluster/vault2:/vault/logs" command: "server -config=/vault/config/vault.hcl" cap_add:
• ALL depends_on:
• consul3 networks: vault-cluster-network: deploy: placement: constraints:
  • "node.hostname==partner1-pt3-bke-11" vault3: image: vault:latest deploy: replicas: 1 ports:
  • 10020:8200 environment:
• VAULT_INIT=true
• GEN_CERT=true
• CERT_CONF_COUNTRY=US
• CERT_CONF_STATE=Test
• CERT_CONF_LOCALITY=Test
• CERT_CONF_ORGANIZATION=Test
• CERT_EXPIRY_DAYS=750
• SECRET_PASS=vault_cluster123$$
• VAULT_DISABLE_MLOCK=true volumes:
• "/opt/docker/vault_cluster/unseal3:/vault/unseal"
• "/opt/docker/vault_cluster/config3:/vault/config"
• "/opt/docker/vault_cluster/certs3:/vault/certs"
• "/var/log/vault_cluster/vault3:/vault/logs" command: "server -config=/vault/config/vault.hcl" cap_add:
• ALL depends_on:
• consul3 networks: vault-cluster-network: deploy: placement: constraints:
  • "node.hostname==partner1-pt3-bke-11" networks: vault-cluster-network: external: true name: vault-cluster-network

4. Run the following command to start the stack:

docker stack deploy -c docker-compose.yml vcs

Describe the results you received: The consul services started up as expected. But for the vault below is the error log:

Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: address already in use

Describe the results you expected:

The below log was expected after the vault started up:

Vault server started! Log data will stream in below:

Additional information you deem important (e.g. issue happens only occasionally): The above error of address binding was resolved when the -config paramter was removed. Even when a docker run was tried with the -config parameter was tried on the same docker image(vault:latest). So this can be expected that the issue is persistin in docker-compose

Output of docker compose version:

docker-compose version 1.27.4, build 40524192
docker-py version: 4.3.1
CPython version: 3.7.7
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

Output of docker info:

Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:29 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:06:34 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.11
  GitCommit:        5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Additional environment details:

2 files were used to run the vault image. Attached below:

1. vault.hcl:

"default_lease_ttl" = "24h" "disable_mlock" = "true" "max_lease_ttl" = "24h"

// Enable UI "ui" = "true"

// Consul Backend storage "consul" { address = "consul1:8500" path = "vault/" }

"api_addr" = "127.0.0.1:8200"

// TCP Listener "listener" "tcp" { "address" = "127.0.0.1:8200" "cluster_address" = "vault1:8200" "tls_disable" = true "tls_cert_file" = "/vault/certs/vault.crt" "tls_client_ca_file" = "/vault/certs/ca.crt" "tls_key_file" = "/vault/certs/vault.key"

} "plugin_directory" = "/vault/plugin"

2. openssl:

[req] default_bits = 2048 encrypt_key = no default_md = sha256 prompt = no utf8 = yes

Speify the DN here so we aren't prompted (along with prompt = no above).

distinguished_name = req_distinguished_name

Extensions for SAN IP and SAN DNS

req_extensions = v3_req

Be sure to update the subject to match your organization.

[req_distinguished_name] C = GE ST = Test L = Test O = Test CN = 1.2.3.4

Allow client and server auth. You may want to only allow server auth.

Link to SAN names.

[v3_req] basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names

Alternative names are specified as IP.# and DNS.# for IP addresses and

DNS accordingly.

[alt_names] IP.1 = 127.0.0.7 IP.2 = 1.2.3.4 IP.3 = 1.2.3.4 IP.4 = 127.0.0.1 DNS.1 = localhost

Kindly help in this

[subhasisbanik]

any update on this?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale[bot]]

This issue has been automatically closed because it had not recent activity during the stale period.