Skip to main content

server

The server command starts an OpenBao server that responds to API requests. By default, OpenBao will start in a "sealed" state. The OpenBao cluster must be initialized before use, usually by the bao operator init command. Each OpenBao server must also be unsealed using the bao operator unseal command or the API before the server can respond to requests.

For more information, please see:

Examples

Start a server with a configuration file:

$ bao server -config=/etc/openbao/config.hcl

Run in "dev" mode with a custom initial root token:

$ bao server -dev -dev-root-token-id="root"

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Command options

  • -config (string: "") - Path to a configuration file or directory of configuration files. This flag can be specified multiple times to load multiple configurations. If the path is a directory, all files which end in .hcl or .json are loaded.

  • -log-level (string: "info") - Log verbosity level. Supported values (in order of descending detail) are trace, debug, info, warn, and error. This can also be specified via the BAO_LOG_LEVEL environment variable.

  • -log-format (string: "standard") - Log format. Supported values are standard and json. This can also be specified via the BAO_LOG_FORMAT environment variable.

  • -log-file - the absolute path where OpenBao should save log messages in addition to other, existing outputs like journald / stdout. Paths that end with a path separator use the default file name, openbao.log. Paths that do not end with a file extension use the default .log extension. If the log file rotates, OpenBao appends the current timestamp to the file name at the time of rotation. For example:

    log-fileFull log fileRotated log file
    /var/log/var/log/openbao.log/var/log/openbao-{timestamp}.log
    /var/log/my-diary/var/log/my-diary.log/var/log/my-diary-{timestamp}.log
    /var/log/my-diary.txt/var/log/my-diary.txt/var/log/my-diary-{timestamp}.txt

  • -log-rotate-bytes - to specify the number of bytes that should be written to a log before it needs to be rotated. Unless specified, there is no limit to the number of bytes that can be written to a log file.

  • -log-rotate-duration - to specify the maximum duration a log should be written to before it needs to be rotated. Must be a duration value such as 30s. Defaults to 24h.

  • -log-rotate-max-files - to specify the maximum number of older log file archives to keep. Defaults to 0 (no files are ever deleted). Set to -1 to discard old log files when a new one is created.

  • VAULT_ALLOW_PENDING_REMOVAL_MOUNTS (bool: false) - (environment variable) Allow OpenBao to be started with builtin engines which have the Pending Removal deprecation state. This is a temporary stopgap in place in order to perform an upgrade and disable these engines. Once these engines are marked Removed (in the next major release of OpenBao), the environment variable will no longer work and a downgrade must be performed in order to remove the offending engines. For more information, see the deprecation faq.

Dev options

  • -dev (bool: false) - Enable development mode. In this mode, OpenBao runs in-memory and starts unsealed. As the name implies, do not run "dev" mode in production.

  • -dev-tls (bool: false) - Enable TLS development mode. In this mode, OpenBao runs in-memory and starts unsealed with a generated TLS CA, certificate and key. As the name implies, do not run "dev" mode in production.

  • -dev-tls-cert-dir (string: "") - Directory where generated TLS files are created if -dev-tls is specified. If left unset, files are generated in a temporary directory.

  • -dev-listen-address (string: "127.0.0.1:8200") - Address to bind to in "dev" mode. This can also be specified via the VAULT_DEV_LISTEN_ADDRESS environment variable.

  • -dev-root-token-id (string: "") - Initial root token. This only applies when running in "dev" mode. This can also be specified via the VAULT_DEV_ROOT_TOKEN_ID environment variable.

    Note: The token ID should not start with the s. prefix.

  • -dev-no-store-token (string: "") - Do not persist the dev root token to the token helper (usually the local filesystem) for use in future requests. The token will only be displayed in the command output.

  • -dev-plugin-dir (string: "") - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.