FROM alpine:3.15 as default ARG BIN_NAME # NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com # and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3. ARG NAME=vault ARG PRODUCT_VERSION # TARGETARCH and TARGETOS are set automatically when --platform is provided. ARG TARGETOS TARGETARCH LABEL maintainer="Vault Team " LABEL version=${PRODUCT_VERSION} # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD ENV NAME=$NAME ENV VERSION=$VERSION # Create a non-root user to run the software. RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME} RUN apk add --no-cache libcap su-exec dumb-init tzdata COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/ # /vault/logs is made available to use as a location to store audit logs, if # desired; /vault/file is made available to use as a location with the file # storage backend, if desired; the server will be started with /vault/config as # the configuration directory so you can add additional config files in that # location. RUN mkdir -p /vault/logs && \ mkdir -p /vault/file && \ mkdir -p /vault/config && \ chown -R ${NAME}:${NAME} /vault # Expose the logs directory as a volume since there's potentially long-running # state in there VOLUME /vault/logs # Expose the file directory as a volume since there's potentially long-running # state in there VOLUME /vault/file # 8200/tcp is the primary interface that applications use to interact with # Vault. EXPOSE 8200 # The entry point script uses dumb-init as the top-level process to reap any # zombie processes created by Vault sub-processes. # # For production derivatives of this container, you shoud add the IPC_LOCK # capability so that Vault can mlock memory. COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh ENTRYPOINT ["docker-entrypoint.sh"] # # By default you'll get a single-node development server that stores everything # # in RAM and bootstraps itself. Don't use this configuration for production. CMD ["server", "-dev"]