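# syntax=docker/dockerfile:1

# Multi-stage builder to avoid polluting the user's environment with wrong
# architecture binaries. Since this binary is used in an alpine container,
# we're explicitly compiling for 'linux/amd64'.
FROM debian:buster AS builder

# Go toolchain version used to build Vault (override with --build-arg VERSION=...).
ARG VERSION=1.16.7
# Optional pinned sha256 of go${VERSION}.linux-amd64.tar.gz. When left empty the
# digest published next to the tarball is used, which only catches a truncated
# or corrupted download; set it explicitly for a real supply-chain pin.
ARG GO_SHA256=""
# Static binary by default so it runs on alpine (musl) without a libc shim.
ARG CGO_ENABLED=0
ARG BUILD_TAGS
ENV JOBS=2

# Fail the build when any command in a pipeline fails. Under plain /bin/sh a
# failed `curl` feeding `bash` below would exit 0 and go unnoticed.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build tooling. The apt lists are dropped in the same layer that creates them;
# a later `RUN rm -rf` would not shrink the image.
RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
      build-essential \
      bzr \
      ca-certificates \
      curl \
      g++-multilib \
      gcc-multilib \
      git \
      gnupg \
      libltdl-dev \
      libltdl7 \
      mercurial \
      zip \
    && rm -rf /var/lib/apt/lists/*

# NOTE(security): this runs a remote script as root at build time. `-f` makes
# curl fail on an HTTP error instead of piping an error page into bash, and
# pipefail turns that into a build failure, but the script content itself is
# not verified. A keyring-scoped apt source for NodeSource would make this
# reproducible. (Node 14 is end-of-life upstream; bump once the UI build
# supports a newer release.)
RUN curl -fsSL https://deb.nodesource.com/setup_14.x | bash -

# Yarn apt repo. The signing key is scoped to this one repo via signed-by
# instead of being added to the global trusted keyring with the deprecated
# `apt-key add`, so it cannot sign packages for any other source.
RUN mkdir -p /usr/share/keyrings \
    && curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
      | gpg --dearmor -o /usr/share/keyrings/yarnkey.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian/ stable main" \
      > /etc/apt/sources.list.d/yarn.list

RUN apt-get update -y \
    && apt-get install -y -q nodejs yarn \
    && rm -rf /var/lib/apt/lists/*

# Fetch the Go toolchain to disk (not piped straight into tar) so its sha256
# can be verified before anything is unpacked. The published .sha256 file is
# a bare hex digest; whitespace is stripped defensively before the compare.
RUN mkdir -p /goroot /go \
    && curl -fsSL -o /tmp/go.tgz "https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz" \
    && if [ -n "${GO_SHA256}" ]; then \
         expected="${GO_SHA256}"; \
       else \
         expected="$(curl -fsSL "https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz.sha256" | tr -d '[:space:]')"; \
       fi \
    && echo "${expected}  /tmp/go.tgz" | sha256sum -c - \
    && tar -xzf /tmp/go.tgz -C /goroot --strip-components=1 \
    && rm -f /tmp/go.tgz
ENV GOPATH=/go \
    GOROOT=/goroot
# Separate ENV so GOROOT/GOPATH are already defined when PATH is expanded.
ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH

WORKDIR /go/src/github.com/hashicorp/vault
# Whole build context is copied; keep a .dockerignore so .git, node_modules and
# any local credentials never land in this (discarded, but cached) layer.
COPY . .
RUN make bootstrap static-dist \
    && CGO_ENABLED=$CGO_ENABLED BUILD_TAGS="${BUILD_TAGS} ui" VAULT_DEV_BUILD=1 XC_OSARCH='linux/amd64' sh -c "'./scripts/build.sh'"

# Docker Image

# NOTE(review): alpine 3.13 is out of upstream support. Bumping it is a
# deliberate separate change (it moves the musl/openssl versions under Vault),
# so the tag is kept here rather than silently changed.
FROM alpine:3.13

# Create a vault user and group first so the IDs get set the same way,
# even as the rest of this may change over time.
RUN addgroup vault && \
    adduser -S -G vault vault

# Set up certificates, our base tools, and Vault. su-exec and libcap are
# presumably used by docker-entrypoint.sh to drop from root to `vault` and to
# grant cap_ipc_lock to the binary — confirm against that script.
RUN set -eux; \
    apk add --no-cache ca-certificates libcap su-exec dumb-init tzdata

COPY --from=builder /go/bin/vault /bin/vault

# /vault/logs is made available to use as a location to store audit logs, if
# desired; /vault/file is made available to use as a location with the file
# storage backend, if desired; the server will be started with /vault/config as
# the configuration directory so you can add additional config files in that
# location. Ownership is handed to the vault user so the server never needs to
# write these as root.
RUN mkdir -p /vault/logs /vault/file /vault/config \
    && chown -R vault:vault /vault

# Expose the logs directory as a volume since there's potentially long-running
# state in there. (Declared after the directory is created and chown'd, since
# writes after VOLUME are discarded at build time.)
VOLUME /vault/logs

# Expose the file directory as a volume since there's potentially long-running
# state in there.
VOLUME /vault/file

# 8200/tcp is the primary interface that applications use to interact with
# Vault. EXPOSE is documentation only; publish it with -p at run time.
EXPOSE 8200

# The entry point script uses dumb-init as the top-level process to reap any
# zombie processes created by Vault sub-processes.
#
# For production derivatives of this container, you should add the IPC_LOCK
# capability so that Vault can mlock memory.
#
# There is intentionally no USER directive: the image starts as root so the
# entrypoint can fix volume ownership, and is expected to drop to `vault` via
# su-exec itself (verify in docker-entrypoint.sh). If the entrypoint is
# replaced, add `USER vault` here so the process does not stay root.
COPY ./scripts/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["docker-entrypoint.sh"]

# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]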