1# Multi-stage builder to avoid polluting users environment with wrong
2# architecture binaries.  Since this binary is used in an alpine container,
3# we're explicitly compiling for 'linux/amd64'
4FROM debian:buster AS builder
5
6ARG VERSION=1.16.7
7ARG CGO_ENABLED=0
8ARG BUILD_TAGS
9ENV JOBS=2
10
11RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
12                         curl \
13                         zip \
14                         build-essential \
15                         gcc-multilib \
16                         g++-multilib \
17                         ca-certificates \
18                         git mercurial bzr \
19                         gnupg \
20                         libltdl-dev \
21                         libltdl7
22
23RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
24RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
25RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
26
27RUN apt-get update -y && apt-get install -y -q nodejs yarn
28
29RUN rm -rf /var/lib/apt/lists/*
30
31RUN mkdir /goroot && mkdir /go
32RUN curl https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz \
33           | tar xvzf - -C /goroot --strip-components=1
34ENV GOPATH /go
35ENV GOROOT /goroot
36ENV PATH $GOROOT/bin:$GOPATH/bin:$PATH
37
38WORKDIR /go/src/github.com/hashicorp/vault
39COPY . .
40RUN make bootstrap static-dist \
41  && CGO_ENABLED=$CGO_ENABLED BUILD_TAGS="${BUILD_TAGS} ui" VAULT_DEV_BUILD=1 XC_OSARCH='linux/amd64' sh -c "'./scripts/build.sh'"
42
43# Docker Image
44
45FROM alpine:3.13
46
47# Create a vault user and group first so the IDs get set the same way,
48# even as the rest of this may change over time.
49RUN addgroup vault && \
50    adduser -S -G vault vault
51
52# Set up certificates, our base tools, and Vault.
53RUN set -eux; \
54    apk add --no-cache ca-certificates libcap su-exec dumb-init tzdata
55
56COPY --from=builder /go/bin/vault /bin/vault
57
58# /vault/logs is made available to use as a location to store audit logs, if
59# desired; /vault/file is made available to use as a location with the file
60# storage backend, if desired; the server will be started with /vault/config as
61# the configuration directory so you can add additional config files in that
62# location.
63RUN mkdir -p /vault/logs && \
64    mkdir -p /vault/file && \
65    mkdir -p /vault/config && \
66    chown -R vault:vault /vault
67
68# Expose the logs directory as a volume since there's potentially long-running
69# state in there
70VOLUME /vault/logs
71
72# Expose the file directory as a volume since there's potentially long-running
73# state in there
74VOLUME /vault/file
75
76# 8200/tcp is the primary interface that applications use to interact with
77# Vault.
78EXPOSE 8200
79
80# The entry point script uses dumb-init as the top-level process to reap any
81# zombie processes created by Vault sub-processes.
82#
83# For production derivatives of this container, you should add the IPC_LOCK
84# capability so that Vault can mlock memory.
85COPY ./scripts/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
86ENTRYPOINT ["docker-entrypoint.sh"]
87
88# By default you'll get a single-node development server that stores everything
89# in RAM and bootstraps itself. Don't use this configuration for production.
90CMD ["server", "-dev"]
91