disable_mlock option


Elizabeth

May 11, 2016, 7:39:04 AM
to Vault
Hi,

I'm trying to bring up vault in a CoreOS docker container. When I bring up vault without the "disable_mlock" option in my config file and deploy vault it gives the following error:

./vault server -config vault-server-config.hcl
Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.

So I include the disable_mlock="true" in the vault-server-config.hcl and also run sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) before deploying vault.

However, on deploying vault I now get the error "Operation not permitted". 
So looks like mlock access has not been granted. 

Any suggestions to overcome this issue?


thanks,
Elizabeth




vishal nayak

May 11, 2016, 9:19:58 AM
to vault...@googlegroups.com
Hi Elizabeth,

The disable_mlock option is documented as a boolean and not as a string.
I would try disable_mlock=true instead of disable_mlock="true".

Regards,
Vishal

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode



--
vn

Elizabeth

May 12, 2016, 6:14:38 AM
to Vault
Hi Vishal, 
   I tried your suggestion and changed the config file accordingly. I still get the same error.  Here's the config file:

listener "tcp"{
        address = "0.0.0.0:8200"
        tls_disable=1
}

backend "etcd" {
        address = "http://0.0.0.0:2379"
        path = "vault"
        advertise_addr="http://0.0.0.0:2379"
}
disable_mlock = true

thanks,
Elizabeth

vishal nayak

May 12, 2016, 6:26:46 AM
to vault...@googlegroups.com
Hi Elizabeth,

Are you still getting this error: "Error initializing core: Failed to lock memory: cannot allocate memory"?
Can you provide the logs?

Regards,
Vishal





--
vn

Elizabeth

May 12, 2016, 7:05:33 AM
to Vault
Vishal,
   As mentioned in my earlier mail, I get the "Error initializing core: Failed to lock memory: cannot allocate memory" when I do not include the disable_mlock =true option in the vault server config file.

When I include the disable_mlock =true  in the server config file, I get the error "Operation not permitted"  even though I run "sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))". 

I haven't configured the Vault server as yet with any audit backend - so where will I find logs? 

BTW, I'm running vault in a docker container on CoreOS. I tried running Vault directly on CoreOS with the disable_mlock set to true and Vault server came up fine. So looks like it is a container related issue now.
So it is something specific to my environment. 

Thanks,
Elizabeth

Jeff Mitchell

May 12, 2016, 1:39:26 PM
to vault...@googlegroups.com
Hi Elizabeth,

> When I include the disable_mlock =true in the server config file, I get the
> error "Operation not permitted" even though I run "sudo setcap
> cap_ipc_lock=+ep $(readlink -f $(which vault))".

Can you explain why you are adjusting capabilities at the same time as
*disabling* mlock in Vault? I would have expected that you were trying
to adjust capabilities in order to allow enabling mlock.

We don't have much CoreOS experience so we may end up having to point
you towards them -- without some kind of log showing *what* operation
isn't permitted I'm not sure how to help. It should presumably be in
the Vault stdout/stderr but may live elsewhere if it's ending up going
to syslog.

Best,
Jeff

Elizabeth

May 18, 2016, 2:18:58 PM
to Vault
Hi Jeff,
   You are right in that I do not need the "sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))" when I'm disabling the mlock option.

I resolved my issue by using the option --cap-add IPC_LOCK to the docker run command used to bring up the Vault server container and it works fine. 


Shanthi
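
The capability behind the `--cap-add IPC_LOCK` fix above can be checked from inside the container. This is an added example, not part of the thread: the function names are hypothetical and the sample masks are constructed. It tests bit 14 (CAP_IPC_LOCK) of a process's effective capability mask and falls back to the locked-memory limit.

```shell
#!/bin/sh
# Added diagnostic sketch: will memory locking work for a given process?
# Function names are hypothetical; sample values at the bottom are constructed.

CAP_IPC_LOCK_BIT=14   # CAP_IPC_LOCK is capability 14 in <linux/capability.h>

# has_cap HEXMASK BIT: succeeds if BIT is set in a CapEff-style hex mask.
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# mlock_verdict CAPEFF_HEX MEMLOCK_SOFT_LIMIT
# With CAP_IPC_LOCK the kernel ignores RLIMIT_MEMLOCK; without it, locking
# more than the limit fails with ENOMEM ("cannot allocate memory").
mlock_verdict() {
  if has_cap "$1" "$CAP_IPC_LOCK_BIT"; then
    echo "ok: CAP_IPC_LOCK present"
  elif [ "$2" = "unlimited" ]; then
    echo "ok: no capability, but memlock is unlimited"
  else
    echo "limited: no CAP_IPC_LOCK, at most $2 bytes can be locked"
  fi
}

# inspect_pid PID: read the live values from /proc (run inside the container).
inspect_pid() {
  capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$1/status")
  limit=$(awk '/^Max locked memory/ {print $4}' "/proc/$1/limits")
  mlock_verdict "$capeff" "$limit"
}

# Constructed samples: a mask without bit 14, then the same mask with it set.
mlock_verdict 00000000a80425fb 65536
mlock_verdict 00000000a80465fb 65536
```

Inside a running container, `inspect_pid 1` (or the Vault process ID) reports the real values instead of the constructed ones.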

TechBeasto

Feb 28, 2019, 12:01:39 PM
to Vault
Hello all, I am getting the same problem, but on my Ubuntu OS. Will you please help me? When I try to run this command, vault server -config=config.hcl, it shows me an error:

(attached screenshot: v.png)

So how can I solve this problem?

This is my config.hcl:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
 address     = "127.0.0.1:8200"
 tls_disable = 1
}

Sophie N.

Feb 28, 2019, 12:05:44 PM
to Vault

In config.hcl, you need to add a line at the beginning with `disable_mlock = true`