The latest articles on DEV Community by Katt (@katt_coffee_linux). https://dev.to/katt_coffee_linux https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3969245%2F5402bae0-8c4a-4ba2-86c6-085e0f947296.png https://dev.to/katt_coffee_linux en Katt Fri, 05 Jun 2026 06:22:07 +0000 https://dev.to/katt_coffee_linux/hashicorp-vault-in-docker-compose-fails-with-address-already-in-use-on-port-8200-and-ipclock-43k7 https://dev.to/katt_coffee_linux/hashicorp-vault-in-docker-compose-fails-with-address-already-in-use-on-port-8200-and-ipclock-43k7 <p>I'm trying to run HashiCorp Vault (v1.15.0) in Docker Compose on Ubuntu 26.04 LTS (ARM64), but the container immediately exits with two errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IPC_LOCK warning: "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK" Port binding error: "Error initializing listener of type tcp: listen tcp4 0.0.0.0:8200: bind: address already in use" </code></pre> </div> <p>Despite lsof, netstat, and ss showing nothing listening on port 8200, Docker insists the port is occupied. This happens consistently even after:</p> <p>Stopping all containers<br> Restarting Docker daemon<br> Changing Vault to use port 8201<br> Removing all Docker networks and containers<br> What I've tried: Basic troubleshooting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>lsof <span class="nt">-i</span> :8200 → No output <span class="nb">sudo </span>netstat <span class="nt">-tulpn</span> | <span class="nb">grep</span> :8200 → No output ss <span class="nt">-tulpn</span> | <span class="nb">grep</span> :8200 → No output docker container prune <span class="nt">-f</span> and docker network prune <span class="nt">-f</span> <span class="nb">sudo </span>systemctl restart docker </code></pre> </div> <p>Docker-specific checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker ps <span class="nt">-a</span> <span class="nt">--format</span> <span class="s1">'{{.ID}} {{.Names}} {{.Ports}}'</span> | <span class="nb">grep </span>8200 → No containers docker inspect &lt;container&gt; <span class="nt">--format</span><span class="o">=</span><span class="s1">'{{.State.ExitCode}}'</span> → Returns 1 <span class="o">(</span>failure<span class="o">)</span> Changed Vault port mapping from 8200:8200 to 8201:8200 <span class="k">in </span>docker-compose </code></pre> </div> <p>Configuration verification:</p> <p>TLS certificates exist and are mounted correctly<br> Vault config file syntax validated<br> Volume mounts confirmed working<br> Current configuration: docker-compose.yml (Vault section):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">vault</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">container.name</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/vault:1.15.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8201:8200"</span> <span class="c1"># Changed from 8200</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">VAULT_ADDR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://0.0.0.0:8200"</span> <span class="na">VAULT_DISABLE_MLOCK</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./vault-data:/vault/data</span> <span class="pi">-</span> <span class="s">./vault-config:/vault/config</span> <span class="pi">-</span> <span class="s">./vault-logs:/vault/logs</span> <span class="na">command</span><span class="pi">:</span> <span class="s">server -config=/vault/config/vault.hcl</span> <span class="na">vault.hcl</span><span class="pi">:</span> <span class="s">storage "file" {</span> <span class="s">path = "/vault/data"</span> <span class="err">}</span> <span class="s">listener "tcp" {</span> <span class="s">address = "0.0.0.0:8200"</span> <span class="s">tls_cert_file = "/vault/config/tls.crt"</span> <span class="s">tls_key_file = "/vault/config/tls.key"</span> <span class="s">tls_min_version = "tls12"</span> <span class="s">tls_disable = </span><span class="kc">false</span> <span class="err">}</span> <span class="s">api_addr = "https://0.0.0.0:8200"</span> <span class="s">cluster_addr = "https://0.0.0.0:8201"</span> <span class="s">ui = </span><span class="kc">true</span> <span class="s">disable_mlock = </span><span class="kc">true</span> </code></pre> </div> <p>Logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>container.name | Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK container.name | Error parsing listener configuration. container.name | Error initializing listener of type tcp: listen tcp4 0.0.0.0:8200: bind: address already in use container.name | 2026-06-03T14:59:08.290Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy="" container.name | 2026-06-03T14:59:08.297Z [INFO] incrementing seal generation: generation=1 </code></pre> </div> <p>Environment:</p> <p>Docker version 29.5.2<br> Docker Compose version v5.1.4<br> Ubuntu 26.04 LTS (ARM64)<br> Kernel: 7.0.0-15-generic<br> Questions:</p> <p><del>IPC_LOCK: Should I add --cap-add IPC_LOCK to the Docker Compose service? If so, how do I properly configure this in compose? I tried adding cap_add: ["IPC_LOCK"] but got "unknown field" errors.</del><br> <del>Port 8200 "already in use": How can I diagnose what's actually holding this port when standard Linux tools show it's free? This feels like a Docker port allocator issue, but I've already restarted Docker and pruned everything.</del><br> General approach: Am I missing something fundamental about running Vault in Docker? The goal is to use Vault to securely store API credentials for an Airflow DAG instead of using environment variables or Airflow Variables. Any insights would be greatly appreciated, I've been stuck on this for days!</p> <p><strong>UPDATE!</strong><br> I also posted this in r/docker on reddit and was offered a suggestion for the IPC_LOCK error that worked phenomenally. As simple as adding<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">cap_add</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">IPC_LOCK</span> </code></pre> </div> <p>to my HashiCorp file fixed my IPC_LOCK warning: "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK" Port error. I could still use help with my Port 8200 error. </p> <p><strong>FINAL UPDATE</strong></p> <p>After days of troubleshooting, I finally found the root cause. The <code>docker compose prune</code> and <code>docker network prune</code> commands weren't cleaning up the old container metadata because Docker keeps internal state about port allocations even after containers exit. I thought <code>docker container prune -f</code> was killing everything but ultimately <code>docker container prune -f</code> doesn't always remove orphaned containers. I'm not even going to call that container an orphan... <code>docker container prune -f</code> kills orphan containers, it just doesn't kill zombie containers. I had to use <code>docker rm -f whatever.your.container.name.is</code>. Then, the magic happened... Am I being dramatic? Probably, but damn it... This zombie has been kicking my ass for two days. Also... It took 7 cups of coffee and 4 hours of sleep respectively. Alright... Thank you again Begalldota from reddit's r/docker community. My journey is still going but Im passed this phase.</p> docker linux networking security