Resolving "No Such Host" During Vault Auto-Snapshot Setup with MinIO S3 Storage

Avatar
Priyansh Setia
  • Updated

Introduction: 

HashiCorp Vault's auto-snapshot feature is vital for disaster recovery, allowing automated backups of your Vault data. When configuring auto-snapshots to an S3-compatible storage like MinIO, a common error "dial tcp: lookup <IP-or-hostname> on <DNS-server-IP>:53: no such host" can arise. 

Root cause:

When you configure Vault auto-snapshots with an aws_s3_endpoint that points to an IP address (like http://x.x.x.x:9000) and also specify an aws_s3_bucket (e.g., vault), Vault, by default, attempts to use the virtual-hosted style URL construction.

This means that Vault attempts to create a URL similar to http://<aws_s3_bucket>.<aws_s3_endpoint>/ which in our example translates to http://vault.56.47.127.218:9000/

Since vault.56.47.127.218 is not a valid DNS hostname (it's a literal string containing an IP address), Vault's underlying networking library (or the operating system's resolver) attempts to perform a DNS lookup on this malformed hostname. This lookup inevitably fails with "no such host," as there's no DNS record for it.

MinIO and similar S3-compatible services often expect path-style access, especially when they run on custom endpoints or lack full DNS integration for virtual hosts.

Solution:

The fix for this specific "No Such Host" error is to explicitly instruct Vault to use the path-style URL format when interacting with your S3-compatible backend. This is achieved by setting the s3_force_path_style parameter to true in your auto-snapshot configuration.

By setting s3_force_path_style=true, Vault will construct the URL as, http://<aws_s3_endpoint>/<aws_s3_bucket>/ which, in our example, becomes http://56.47.127.218:9000/vault/

This is the correct and expected format for MinIO and many other S3-compatible storage solutions when accessed directly by IP or specific non-virtual-hosted endpoints.

Here's an example with correct format of values for Vault auto-snapshot configuration:

vault write sys/storage/raft/snapshot-auto/config/testsnap \
   storage_type=aws-s3 \
   aws_s3_bucket=vault \
   aws_s3_region=ap-southeast-1 \
   aws_access_key_id=xxxxxxxx \
   aws_secret_access_key=xxxxxxx \
   aws_s3_endpoint=http://56.47.127.218:9000 \
   aws_s3_disable_tls=true \
   s3_force_path_style=true

 

Reference:

 

Articles in this section

See more

Related articles