From 9a3ac6141e44e4e7769182860a417edcca18b7a9 Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Fri, 19 Dec 2025 13:19:50 -0300
Subject: [PATCH] fix: pass VAULT_ADDR inside container via bash -c

- env() on Command only sets host env, not container env
- Use bash -c with VAULT_ADDR=... prefix for init and unseal commands
---
 src/core/package_manager/facade.rs | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/src/core/package_manager/facade.rs b/src/core/package_manager/facade.rs
index 901b74d4..781a243a 100644
--- a/src/core/package_manager/facade.rs
+++ b/src/core/package_manager/facade.rs
@@ -316,19 +316,16 @@ impl PackageManager {
 std::thread::sleep(std::time::Duration::from_secs(5));

 // Initialize Vault and capture output
+ // Note: VAULT_ADDR must be set inside the container, not on host
 let output = Command::new("lxc")
 .args(&[
 "exec",
 container_name,
 "--",
- "/opt/gbo/bin/vault",
- "operator",
- "init",
- "-key-shares=5",
- "-key-threshold=3",
- "-format=json",
+ "bash",
+ "-c",
+ "VAULT_ADDR=http://127.0.0.1:8200 /opt/gbo/bin/vault operator init -key-shares=5 -key-threshold=3 -format=json",
 ])
- .env("VAULT_ADDR", format!("http://127.0.0.1:8200"))
 .output()?;

 if !output.status.success() {
@@ -405,20 +402,16 @@ impl PackageManager {
 }

 // Unseal Vault with the first 3 keys
+ // Note: VAULT_ADDR must be set inside the container, not on host
 for i in 0..3 {
 if let Some(key) = unseal_keys.get(i) {
 let key_str = key.as_str().unwrap_or("");
+ let unseal_cmd = format!(
+ "VAULT_ADDR=http://127.0.0.1:8200 /opt/gbo/bin/vault operator unseal {}",
+ key_str
+ );
 let unseal_output = Command::new("lxc")
- .args(&[
- "exec",
- container_name,
- "--",
- "/opt/gbo/bin/vault",
- "operator",
- "unseal",
- key_str,
- ])
- .env("VAULT_ADDR", "http://127.0.0.1:8200")
+ .args(&["exec", container_name, "--", "bash", "-c", &unseal_cmd])
 .output()?;

 if !unseal_output.status.success() {
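Review bot: In the unseal hunk, `key_str` is now interpolated into a string that `bash -c` parses, so the unseal key goes through word splitting and shell expansion inside the container instead of being passed as a single argv element as the removed code did; the init hunk takes the same `bash -c` route with a constant string. The shell is not needed to set the variable: `lxc exec` accepts `--env`, so the call can stay argv-only, `.args(&["exec", container_name, "--env", "VAULT_ADDR=http://127.0.0.1:8200", "--", "/opt/gbo/bin/vault", "operator", "unseal", key_str])`, and the init call can be written the same way. That also removes the dependency on `bash` being present in the container image. Separately, `unwrap_or("")` turns a non-string entry into an empty key, which with the new format string produces a command with no key argument at all; skipping or returning an error for that entry would be clearer. The enclosing function starts and ends outside both hunks.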