DEV Community

Katt

HashiCorp Vault in Docker Compose fails with "address already in use" on port 8200 and IPC_LOCK warning

I'm trying to run HashiCorp Vault (v1.15.0) in Docker Compose on Ubuntu 26.04 LTS (ARM64), but the container immediately exits with two errors:

```
IPC_LOCK warning: "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
Port binding error: "Error initializing listener of type tcp: listen tcp4 0.0.0.0:8200: bind: address already in use"
```

Despite lsof, netstat, and ss showing nothing listening on port 8200, Docker insists the port is occupied. This happens consistently even after:

Stopping all containers
Restarting Docker daemon
Changing Vault to use port 8201
Removing all Docker networks and containers

What I've tried:

Basic troubleshooting:

```
sudo lsof -i :8200 → No output
sudo netstat -tulpn | grep :8200 → No output
ss -tulpn | grep :8200 → No output
docker container prune -f and docker network prune -f
sudo systemctl restart docker
```

Docker-specific checks:

```
docker ps -a --format '{{.ID}} {{.Names}} {{.Ports}}' | grep 8200 → No containers
docker inspect <container> --format='{{.State.ExitCode}}' → Returns 1 (failure)
Changed Vault port mapping from 8200:8200 to 8201:8200 in docker-compose
```

Configuration verification:

TLS certificates exist and are mounted correctly
Vault config file syntax validated
Volume mounts confirmed working

Current configuration:

docker-compose.yml (Vault section):

```yaml
services:
  vault:
    container_name: container.name
    image: hashicorp/vault:1.15.0
    ports:
      - "8201:8200"  # Changed from 8200
    environment:
      VAULT_ADDR: "https://0.0.0.0:8200"
      VAULT_DISABLE_MLOCK: "1"
    volumes:
      - ./vault-data:/vault/data
      - ./vault-config:/vault/config
      - ./vault-logs:/vault/logs
    command: server -config=/vault/config/vault.hcl
```

vault.hcl:

```hcl
storage "file" {
  path = "/vault/data"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/vault/config/tls.crt"
  tls_key_file    = "/vault/config/tls.key"
  tls_min_version = "tls12"
  tls_disable     = false
}

api_addr = "https://0.0.0.0:8200"
cluster_addr = "https://0.0.0.0:8201"
ui = true
disable_mlock = true
```

Logs:

```
container.name | Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK
container.name | Error parsing listener configuration.
container.name | Error initializing listener of type tcp: listen tcp4 0.0.0.0:8200: bind: address already in use
container.name | 2026-06-03T14:59:08.290Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
container.name | 2026-06-03T14:59:08.297Z [INFO]  incrementing seal generation: generation=1
```

Environment:

Docker version 29.5.2
Docker Compose version v5.1.4
Ubuntu 26.04 LTS (ARM64)
Kernel: 7.0.0-15-generic

Questions:

IPC_LOCK: Should I add --cap-add IPC_LOCK to the Docker Compose service? If so, how do I properly configure this in compose? I tried adding cap_add: ["IPC_LOCK"] but got "unknown field" errors.
Port 8200 "already in use": How can I diagnose what's actually holding this port when standard Linux tools show it's free? This feels like a Docker port allocator issue, but I've already restarted Docker and pruned everything.
General approach: Am I missing something fundamental about running Vault in Docker? The goal is to use Vault to securely store API credentials for an Airflow DAG instead of using environment variables or Airflow Variables.

Any insights would be greatly appreciated. I've been stuck on this for days!

UPDATE!
I also posted this in r/docker on Reddit and was offered a suggestion for the IPC_LOCK error that worked phenomenally. Simply adding

```yaml
cap_add:
  - IPC_LOCK
```

to my HashiCorp file fixed my IPC_LOCK warning: "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK". I could still use help with my port 8200 error.
