dzieciou

Reputation: 4514

Running HashiCorp Vault in root-less docker container

I'm trying to run Vault in a container using rootless Docker on Ubuntu 20.2. However, I keep getting the following error:

vault    | Error initializing core: Failed to lock memory: cannot allocate memory
vault    |
vault    | This usually means that the mlock syscall is not available.

The problem does not occur when running the container with Docker running with root privileges.

Is there a way to give rootless Docker the privileges needed for mlock, without disabling mlock and thus breaking Vault's security?

docker-compose.yml:

version: "3"
services:
  vault:
    image: "hashicorp/vault:1.8.0-rc2"
    user: "root"
    container_name: vault
    restart: on-failure:10
    volumes:
      - ./config:/vault/config:rw
      - ./file:/vault/file:rw
    ports:
      - 8200:8200
    cap_add:
      - IPC_LOCK
    environment:
      - VAULT_ADDR=http://0.0.0.0:8200
    command: vault server -config=/vault/config

config.hcl:

storage "file" {
  path    = "/vault/file"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

api_addr = "http://127.0.0.1:8200"
ui = true

Upvotes: 1

Views: 3371

Answers (1)

whites11

Reputation: 13260

From the documentation:

On Linux, Vault may fail to start with the following error:

Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.

Try adding disable_mlock = true to your config.hcl file like this:

...
api_addr = "http://127.0.0.1:8200"
ui = true
disable_mlock = true

Upvotes: 2
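A note on what the error actually means, with a diagnostic that is added here and is not code from the question, the answer, or HashiCorp Vault. "cannot allocate memory" is ENOMEM, which the kernel returns from mlock()/mlockall() when RLIMIT_MEMLOCK is non-zero but too small and the calling process does not hold CAP_IPC_LOCK in the initial user namespace (the kernel's check is capable(CAP_IPC_LOCK), not a namespaced one). Rootless Docker runs every container inside a user namespace, so cap_add: IPC_LOCK only grants the capability inside that namespace and the memlock limit is still enforced; that is why the same compose file works under a root daemon. The program below, assuming a Linux host or container with a C compiler (not something the page provides), reports the limit, tries a one-page mlock, and then tries to lock just past the soft limit to show whether CAP_IPC_LOCK is effective where Vault runs:

```c
/* mlock_probe.c: added diagnostic for this thread, not from the question,
 * the answer, or Vault. Build: cc -O2 -o mlock_probe mlock_probe.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Largest region we are willing to pin when probing above the soft limit,
 * so a host with a large-but-finite limit is not driven out of memory. */
#define PROBE_CAP (256UL * 1024 * 1024)

/* Try to lock `bytes` of fresh heap memory. Returns 0 on success,
 * otherwise the errno that mlock() set. mlock() rounds the start address
 * down to a page boundary itself, so an unaligned malloc() result is fine. */
int probe_mlock(size_t bytes) {
    unsigned char *buf = malloc(bytes);
    if (buf == NULL) return ENOMEM;
    int rc = 0;
    if (mlock(buf, bytes) != 0)
        rc = errno;            /* ENOMEM is Vault's "cannot allocate memory" */
    else
        munlock(buf, bytes);
    free(buf);
    return rc;
}

/* Map an mlock() errno to the kernel rule (mm/mlock.c) that produced it. */
const char *explain(int err) {
    switch (err) {
    case 0:      return "locked: within RLIMIT_MEMLOCK or CAP_IPC_LOCK is effective";
    case ENOMEM: return "RLIMIT_MEMLOCK exceeded and CAP_IPC_LOCK is not effective in the initial user namespace";
    case EPERM:  return "RLIMIT_MEMLOCK is 0 and CAP_IPC_LOCK is not effective in the initial user namespace";
    default:     return strerror(err);
    }
}

/* Can this process lock more than its soft RLIMIT_MEMLOCK?
 *  1 = yes: the kernel honours a capability, i.e. CAP_IPC_LOCK in the initial
 *      user namespace, which is what a root Docker daemon's cap_add gives you
 *  0 = no: the limit is enforced, as it is under rootless Docker
 * -1 = could not tell (limit unlimited, too large to probe safely, or error) */
int mlock_beyond_rlimit(void) {
    struct rlimit lim;
    if (getrlimit(RLIMIT_MEMLOCK, &lim) != 0) return -1;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (lim.rlim_cur == RLIM_INFINITY || lim.rlim_cur + page > PROBE_CAP) return -1;
    /* The kernel compares whole pages: round the soft limit up to a page and
     * add one more page, the smallest region guaranteed to be over the limit. */
    size_t want = ((lim.rlim_cur + page - 1) / page + 1) * page;
    int rc = probe_mlock(want);
    if (rc == 0) return 1;
    if (rc == ENOMEM || rc == EPERM) return 0;
    return -1;
}

int main(void) {
    struct rlimit lim;
    if (getrlimit(RLIMIT_MEMLOCK, &lim) != 0) { perror("getrlimit"); return 1; }
    printf("RLIMIT_MEMLOCK soft=%lu hard=%lu bytes (%lu means unlimited)\n",
           (unsigned long)lim.rlim_cur, (unsigned long)lim.rlim_max,
           (unsigned long)RLIM_INFINITY);
    printf("mlock(one page): %s\n",
           explain(probe_mlock((size_t)sysconf(_SC_PAGESIZE))));
    int beyond = mlock_beyond_rlimit();
    printf("mlock above soft limit: %s\n",
           beyond == 1 ? "allowed, CAP_IPC_LOCK is effective here" :
           beyond == 0 ? "denied, RLIMIT_MEMLOCK is enforced (no effective CAP_IPC_LOCK)" :
                         "not probed (limit unlimited or too large)");
    return 0;
}
```

Run it with the same user, namespace and compose settings Vault gets (for example from a shell started with the same service definition). Vault calls mlockall(MCL_CURRENT|MCL_FUTURE), so it needs far more than one page; if the probe reports "denied", the only way to keep mlock under rootless Docker is to raise the container's memlock limit itself, e.g. a compose `ulimits:` entry for `memlock` (my assumption about the fix, not something on the page), and since an unprivileged daemon cannot raise a hard limit beyond its own, the hard memlock limit of the user running the daemon must be raised on the host first. Otherwise disable_mlock = true, as in the answer above, is the remaining option, and you then rely on swap being disabled or encrypted on the host instead.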