Running HashiCorp Vault in a rootless Docker container



I am trying to run Vault in a container using rootless Docker on Ubuntu 20.2. However, I keep getting the following error:

vault    | Error initializing core: Failed to lock memory: cannot allocate memory
vault    |
vault    | This usually means that the mlock syscall is not available.

This problem does not occur when Docker runs the container with root privileges.

Is there a way to give rootless Docker the privilege needed for mlock without disabling mlock, which would weaken Vault's security?

docker-compose.yml:

version: "3"
services:
  vault:
    image: "hashicorp/vault:1.8.0-rc2"
    user: "root"
    container_name: vault
    restart: on-failure:10
    volumes:
      - ./config:/vault/config:rw
      - ./file:/vault/file:rw
    ports:
      - 8200:8200
    cap_add:
      - IPC_LOCK
    environment:
      - VAULT_ADDR=http://0.0.0.0:8200
    command: vault server -config=/vault/config

config.hcl:

storage "file" {
  path = "/vault/file"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
ui = true

From the documentation:

On Linux, Vault may fail to start with the following error:
Error initializing core: Failed to lock memory: cannot allocate memory
This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.

Try adding disable_mlock = true to the config.hcl file, as follows:

...
api_addr = "http://127.0.0.1:8200"
ui = true
disable_mlock = true
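As an added check that comes from neither the question, the answer nor the Vault project: the script below, run inside the container, reports whether mlock can succeed before you fall back to disable_mlock. It assumes the standard /proc layout and the container path /vault/config/mlock_check.sh for the script.

```shell
#!/bin/sh
# mlock_check.sh: explain why Vault's mlockall() may fail inside a container.
# Added example, not from the question or Vault; run it inside the container,
# e.g. `docker exec vault sh /vault/config/mlock_check.sh` (path is assumed).

CAP_IPC_LOCK_BIT=14   # capability number of CAP_IPC_LOCK on Linux

# Succeeds when a CapEff mask (hex, as in /proc/self/status) contains CAP_IPC_LOCK.
has_cap_ipc_lock() {
    [ $(( (0x$1 >> CAP_IPC_LOCK_BIT) & 1 )) -eq 1 ]
}

# Vault calls mlockall(MCL_CURRENT|MCL_FUTURE), so a finite RLIMIT_MEMLOCK
# (Docker's usual 64 KiB default) fails with ENOMEM; only "unlimited" is enough.
memlock_ok() {
    [ "$1" = "unlimited" ]
}

# Succeeds when the first line of /proc/self/uid_map is not the initial
# namespace's identity mapping, i.e. we run in a user namespace (rootless Docker).
in_user_namespace() {
    set -- $1   # split the uid_map line into its three fields
    [ "$1" != "0" ] || [ "$2" != "0" ] || [ "$3" != "4294967295" ]
}

# Kernel rule (can_do_mlock): the capability bypasses the limit only when held in
# the initial user namespace, so in a rootless container the limit alone decides.
mlock_allowed() {   # args: CapEff mask, `ulimit -l` value, uid_map line
    memlock_ok "$2" && return 0
    has_cap_ipc_lock "$1" && ! in_user_namespace "$3"
}

report() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    limit=$(ulimit -l)
    uidmap=$(head -n 1 /proc/self/uid_map)
    echo "CapEff=$capeff  memlock=$limit  uid_map='$uidmap'"
    if mlock_allowed "$capeff" "$limit" "$uidmap"; then
        echo "mlock should work; Vault can start with mlock enabled"
    else
        echo "mlock will fail: raise the memlock ulimit to unlimited in the container"
        echo "or, as a last resort, set disable_mlock = true (memory may be swapped)"
        return 1
    fi
}

# Run the report only when executed directly, so the functions can also be sourced.
case "${0##*/}" in mlock_check.sh) report ;; esac
```

With Compose, `ulimits: {memlock: -1}` under the service raises that limit, but under rootless Docker this only works if the hard limit of the user running dockerd already allows it; cap_add: IPC_LOCK alone does not help there.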
