upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-03-22 02:20:20 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
vault/scripts/docker/Dockerfile
Vault Automation b13c695c81
dockerfile: ensure user directive gets set for vault alpine and ubi containers (#12920) (#13080) 
* update user directive for dockerfile

run as vault user by default

* add changelog

* also set the user to vault in ent dockerfile

* update changelog

* add the user directive in the Dockerfile of the repo root

it is the one used for production builds

* remove user directive from build stage, add user directive to alpine stage

Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-03-18 16:13:42 -04:00

69 lines
2.2 KiB
Docker
Raw Permalink Blame History

# Copyright IBM Corp. 2016, 2025
# SPDX-License-Identifier: BUSL-1.1
# Multi-stage builder to avoid polluting users environment with wrong
# architecture binaries.
ARG VERSION
FROM golang:${VERSION} AS builder
ARG CGO_ENABLED=0
ARG BUILD_TAGS
WORKDIR /go/src/github.com/hashicorp/vault
COPY . .
RUN make bootstrap \
&& CGO_ENABLED=$CGO_ENABLED BUILD_TAGS="${BUILD_TAGS}" VAULT_DEV_BUILD=1 sh -c "'./scripts/build.sh'"
# Docker Image
FROM alpine:3.13
# Create a vault user and group first so the IDs get set the same way,
# even as the rest of this may change over time.
RUN addgroup vault && \
adduser -S -G vault vault
# Set up certificates, our base tools, and Vault.
RUN set -eux; \
apk add --no-cache ca-certificates libcap su-exec dumb-init tzdata
COPY --from=builder /go/src/github.com/hashicorp/vault/bin/vault /bin/vault
# /vault/logs is made available to use as a location to store audit logs, if
# desired; /vault/file is made available to use as a location with the file
# storage backend, if desired; the server will be started with /vault/config as
# the configuration directory so you can add additional config files in that
# location.
RUN mkdir -p /vault/logs && \
mkdir -p /vault/file && \
mkdir -p /vault/config && \
chown -R vault:vault /vault
# Expose the logs directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/logs
# Expose the file directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/file
# 8200/tcp is the primary interface that applications use to interact with
# Vault.
EXPOSE 8200
# The entry point script uses dumb-init as the top-level process to reap any
# zombie processes created by Vault sub-processes.
#
# For production derivatives of this container, you should add the IPC_LOCK
# capability so that Vault can mlock memory.
COPY ./scripts/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# Use the Vault user as the default user for starting this container.
USER vault
# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]
Reference in a new issue View git blame Copy permalink