Introduction:
HashiCorp Vault's auto-snapshot feature is vital for disaster recovery, allowing automated backups of your Vault data. When configuring auto-snapshots to an S3-compatible storage like MinIO, a common error, "dial tcp: lookup <IP-or-hostname> on <DNS-server-IP>:53: no such host", can arise.
Root cause:
When you configure Vault auto-snapshots with an aws_s3_endpoint that points to an IP address (like http://x.x.x.x:9000) and also specify an aws_s3_bucket (e.g., vault), Vault, by default, attempts to use the virtual-hosted style URL construction.
This means that Vault attempts to create a URL similar to http://<aws_s3_bucket>.<aws_s3_endpoint>/, which in our example translates to http://vault.56.47.127.218:9000/.
Since vault.56.47.127.218 is not a valid DNS hostname (it's a literal string containing an IP address), Vault's underlying networking library (or the operating system's resolver) attempts to perform a DNS lookup on this malformed hostname. This lookup inevitably fails with "no such host," as there's no DNS record for it.
MinIO and similar S3-compatible services often expect path-style access, especially when they run on custom endpoints or lack full DNS integration for virtual hosts.
Solution:
The fix for this specific "No Such Host" error is to explicitly instruct Vault to use the path-style URL format when interacting with your S3-compatible backend. This is achieved by setting the s3_force_path_style parameter to true in your auto-snapshot configuration.
By setting s3_force_path_style=true, Vault will construct the URL as http://<aws_s3_endpoint>/<aws_s3_bucket>/, which, in our example, becomes http://56.47.127.218:9000/vault/.
This is the correct and expected format for MinIO and many other S3-compatible storage solutions when accessed directly by IP or specific non-virtual-hosted endpoints.
Here's an example with the correct format of values for a Vault auto-snapshot configuration:
vault write sys/storage/raft/snapshot-auto/config/testsnap \
  storage_type=aws-s3 \
  aws_s3_bucket=vault \
  aws_s3_region=ap-southeast-1 \
  aws_access_key_id=xxxxxxxx \
  aws_secret_access_key=xxxxxxx \
  aws_s3_endpoint=http://56.47.127.218:9000 \
  aws_s3_disable_tls=true \
  s3_force_path_style=true
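The two URL styles described under "Root cause" and "Solution" can be checked before writing the configuration. The following pre-flight check is an added example, not Vault's code or part of the original article; the function names and the injectable `resolve` parameter are hypothetical, and the endpoint and bucket values are the ones used in the article.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _split(endpoint):
    """Return (scheme, host, ':port' or '') for an endpoint URL."""
    parts = urlsplit(endpoint)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"endpoint must be a full URL, got {endpoint!r}")
    port = f":{parts.port}" if parts.port else ""
    return parts.scheme, parts.hostname, port


def is_ip_literal(host):
    """True when the endpoint host is an IPv4 or IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def candidate_urls(endpoint, bucket):
    """Build the virtual-hosted and path-style URLs for one bucket."""
    scheme, host, port = _split(endpoint)
    bracketed = f"[{host}]" if ":" in host else host  # IPv6 literal needs brackets
    return {
        "virtual_hosted": f"{scheme}://{bucket}.{host}{port}/",
        "path_style": f"{scheme}://{bracketed}{port}/{bucket}/",
    }


def path_style_required(endpoint, bucket, resolve=socket.getaddrinfo):
    """True when the virtual-hosted hostname cannot be used for this endpoint.

    `resolve` is injectable (hypothetical parameter) so the check runs without DNS.
    """
    _, host, _ = _split(endpoint)
    if is_ip_literal(host):
        return True  # "<bucket>.<ip>" has no DNS record, as the article explains
    try:
        resolve(f"{bucket}.{host}", None)
        return False
    except socket.gaierror:
        return True  # same "no such host" failure, seen before Vault hits it


if __name__ == "__main__":
    endpoint, bucket = "http://56.47.127.218:9000", "vault"  # values from the article
    for style, url in candidate_urls(endpoint, bucket).items():
        print(f"{style:15} {url}")
    print("path style required:", path_style_required(endpoint, bucket))
```

For a hostname endpoint, the check only reports that path style is unnecessary when the `<bucket>.<host>` name actually resolves from the machine running it, so run it from the Vault server's network.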