 

Why does Vault by HashiCorp require the ipc_lock capability to be enabled?


Daniel Gartmann asked Apr 25 '18 20:04



People also ask

What is Api_addr in vault?

api_addr (string: "") – Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This value is also used for plugin backends. This can also be provided via the environment variable VAULT_API_ADDR .

Where is Vault config stored?

Here is a Linux example that names one configuration file, /etc/vault/vault-server.hcl. This file contains all of the actual Vault server configuration.

How do you run a vault container?

Running the Vault container with no arguments will give you a Vault server in development mode. The provided entry point script will also look for Vault subcommands and run vault with that subcommand. For example, you can execute docker run vault status and it will run the vault status command inside the container.


1 Answer

It's required for this server config option: https://www.vaultproject.io/docs/configuration/index.html#disable_mlock

It uses the mlock syscall, which blocks process memory from being swapped to disk. By default this is enabled, as you want to avoid swapping your Vault memory onto unencrypted disk.

Usually that capability comes up when running Vault within a container, which I believe allows the container to access the mlock syscall without escalating privileges.

sidewinder12s answered Sep 30 '22 14:09

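To make the capability requirement from the answer concrete, here is an added example; it is not part of the original question or answer and is not the Vault project's own code. On Linux an unprivileged process may lock memory only up to RLIMIT_MEMLOCK, and CAP_IPC_LOCK (capability number 14) removes that ceiling. Vault calls mlockall() at startup unless disable_mlock = true is set, and exits if the call fails, so the question to ask in a container or systemd unit is "does this process hold CAP_IPC_LOCK, and if not, what is the memlock limit?". The script below reads the effective capability mask from /proc/<pid>/status, tests bit 14, and combines that with `ulimit -l` to give a verdict. The hex masks in the comments are constructed inputs: 00000000a80425fb is the set Docker grants a container by default, and 00000000a80465fb is the same set after `--cap-add=IPC_LOCK`.

```shell
#!/bin/sh
# Added example: not code from the original post or from HashiCorp Vault.
# Tells you whether mlockall(), which Vault needs unless disable_mlock = true,
# can succeed for a given process: either CAP_IPC_LOCK is in the effective
# set, or RLIMIT_MEMLOCK is high enough (unlimited) for an unprivileged lock.

CAP_IPC_LOCK=14   # capability number from <linux/capability.h>

# has_ipc_lock HEXMASK
# HEXMASK is a capability mask exactly as printed on the CapEff line of
# /proc/<pid>/status (16 hex digits, no 0x prefix). Returns 0 when bit 14
# (CAP_IPC_LOCK) is set, 1 when it is clear, 2 when no mask was given.
has_ipc_lock() {
    [ -n "$1" ] || return 2
    [ $(( (0x$1 >> CAP_IPC_LOCK) & 1 )) -eq 1 ]
}

# cap_eff_mask [PID]
# Prints the effective capability mask of PID (default: this shell).
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status" 2>/dev/null
}

# vault_mlock_verdict HEXMASK MEMLOCK_LIMIT
# Pure function so it can be exercised with constructed inputs. MEMLOCK_LIMIT
# is the output of `ulimit -l` ("unlimited" or a size in KiB). Prints what
# Vault will run into and returns 0 when mlockall() is expected to succeed.
vault_mlock_verdict() {
    mask=$1
    limit=$2
    if has_ipc_lock "$mask"; then
        echo "CapEff=$mask: CAP_IPC_LOCK present, mlock is unrestricted"
        return 0
    fi
    if [ "$limit" = unlimited ]; then
        echo "CapEff=$mask: no CAP_IPC_LOCK, but RLIMIT_MEMLOCK is unlimited;" \
             "mlockall() should still succeed"
        return 0
    fi
    echo "CapEff=$mask: no CAP_IPC_LOCK and RLIMIT_MEMLOCK=${limit:-unknown} KiB;" \
         "Vault's mlockall() will fail and the server will not start"
    echo "fix: grant the capability (docker run --cap-add=IPC_LOCK ...," \
         "setcap cap_ipc_lock=+ep /path/to/vault, or a systemd unit with" \
         "AmbientCapabilities=CAP_IPC_LOCK and LimitMEMLOCK=infinity)," \
         "or set disable_mlock = true only where swap is off or encrypted"
    return 1
}

# check_this_process
# Runs the verdict against the live values for the shell executing the script.
check_this_process() {
    vault_mlock_verdict "$(cap_eff_mask)" "$(ulimit -l 2>/dev/null)"
}

# Typical use inside the container or service account that will run Vault:
#   sh vault_mlock_check.sh
# The exit status is 0 when mlock would work, 1 when Vault would refuse to start.
check_this_process
```

Run it as the user that will start Vault, inside the container if that is where Vault runs, since `docker run` without `--cap-add=IPC_LOCK` leaves bit 14 clear even when the process is root. Note that CapEff describes only the process you inspect: a capability present in a shell's set can still be dropped by the entrypoint or by a systemd CapabilityBoundingSet before Vault starts, so check the Vault process itself (pass its PID to cap_eff_mask) once it is up. The remediation hints mirror the options Vault documents: the IPC_LOCK capability for the container, setcap on the binary, or AmbientCapabilities plus LimitMEMLOCK in the unit file; disable_mlock trades away the protection against secrets landing in swap and is only defensible where swap is disabled or encrypted.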