Why does Vault by HashiCorp require the ipc_lock capability to be enabled?
api_addr (string: "") – Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This value is also used for plugin backends. This can also be provided via the environment variable VAULT_API_ADDR.
Here is a Linux example that names one configuration file, /etc/vault/vault-server.hcl. This file contains all of the actual Vault server configuration.
Running the Vault container with no arguments will give you a Vault server in development mode. The provided entry point script will also look for Vault subcommands and run vault with that subcommand. For example, you can execute docker run vault status and it will run the vault status command inside the container.
It's required for this server config option: https://www.vaultproject.io/docs/configuration/index.html#disable_mlock
It uses the mlock syscall which blocks process memory from being swapped to disk. By default this is enabled as you want to avoid swapping your Vault memory onto unencrypted disk.
Usually that capability comes up when running Vault within a container, which I believe allows the container to access the mlock syscall without escalating privileges.
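The answer above describes the trade-off in words: either the container is granted CAP_IPC_LOCK so Vault's mlock() call succeeds, or `disable_mlock` is set and secrets may be swapped to disk. The following shell script is an added example (not from the original answer or from HashiCorp) that checks whether the running process actually holds CAP_IPC_LOCK by decoding the CapEff mask from /proc/self/status, and prints a matching Vault config and `docker run` line. The storage and listener stanzas are constructed placeholders, and the container paths are assumptions.

```shell
#!/bin/sh
# Added example: decide between --cap-add=IPC_LOCK and disable_mlock by
# inspecting the effective capability set of the current process.

# CAP_IPC_LOCK is capability bit 14 in Linux (include/uapi/linux/capability.h).
CAP_IPC_LOCK=14

# has_cap BIT HEXMASK: succeed if capability BIT is set in HEXMASK
# (the format used by the CapEff/CapPrm lines of /proc/<pid>/status).
has_cap() {
    _cap="$1"
    _mask="$2"
    [ $(( (0x$_mask >> _cap) & 1 )) -eq 1 ]
}

# effective_caps: print the CapEff mask of the current process (Linux only;
# prints nothing on systems without /proc).
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# vault_config true|false: print a minimal Vault server config with the given
# disable_mlock value. Storage path and listener address are placeholders.
vault_config() {
    cat <<EOF
storage "file" {
  path = "/vault/data"        # placeholder path for this example
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1              # example only; terminate TLS in production
}
disable_mlock = $1
EOF
}

# docker_run_cmd: the invocation that lets Vault call mlock() inside a
# container. The image name and mount paths are assumptions for this example.
docker_run_cmd() {
    echo "docker run --cap-add=IPC_LOCK -v /etc/vault:/vault/config vault server"
}

mask=$(effective_caps)
if [ -n "$mask" ]; then
    if has_cap "$CAP_IPC_LOCK" "$mask"; then
        echo "CAP_IPC_LOCK present (CapEff=$mask): Vault can lock its memory."
        echo "Keep the default, i.e. disable_mlock = false:"
        vault_config false
    else
        echo "CAP_IPC_LOCK missing (CapEff=$mask): Vault's mlock() will fail."
        echo "Either grant the capability:"
        docker_run_cmd
        echo "or, if swapping secrets to disk is acceptable, set disable_mlock = true:"
        vault_config true
    fi
fi
```

A container started without `--cap-add` typically shows a CapEff of `00000000a80425fb` (bit 14 clear), while a root process with the full set shows bits 0 through 37 set; both masks are used in the checks below.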