
Update Guide should indicate need to re-run setcap to enable mlock #3605

Closed
rberlind opened this issue Nov 23, 2017 · 2 comments

Comments

@rberlind
Contributor

The Upgrade Guide at https://www.vaultproject.io/guides/upgrading/index.html should indicate that the command sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) needs to be re-run against the new binary on platforms that support mlock.

This particular command is documented at https://www.vaultproject.io/docs/configuration/#disable_mlock.

What is not obvious is that the command targets the actual binary file itself rather than the path the binary lives at. So, when you replace one version of the vault binary with a newer version, you need to re-run that command.

The command could be run from the command line. Alternatively, if systemd is being used, the equivalent could be entered in the systemd vault.service file as "ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault" (assuming that the vault binary is installed in /usr/local/bin).

brianshumate added a commit that referenced this issue Nov 27, 2017
jefferai pushed a commit that referenced this issue Dec 4, 2017
@rberlind
Contributor Author

rberlind commented Dec 4, 2017

Hi @jefferai and @brianshumate: One more note on this. I discovered on Friday that if you do add "ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault" to a systemd service file like vault.service, you also need to add "PermissionsStartOnly=true" or the attempt to invoke setcap will fail and prevent startup of the Vault service. See https://github.com/hashicorp/vault-guides/blob/master/shared/vault/init/systemd/vault.service for an example of this.

You'll need to add that to your addition. Sorry for not reporting sooner.

chrishoffman pushed a commit that referenced this issue Dec 6, 2017
* oss/master:
  changelog++
  Support MongoDB session-wide write concern (#3646)
  Clarify api_addr related errors on VaultPluginTLSProvider (#3620)
  allowed/disallowed_policies as TypeCommaStringSlice (#3641)
  Update example payload and response for pem_keys field which needs \n after header and before footer in order to be accepted as a valid RSA or ECDSA public key (#3632)
  Docs: Update /sys/policies/ re: beta refs to address #3624 (#3629)
  Update secrets page
  Remove beta notice
  Expanding on the quick start guide with how to set up an intermediate authority (#3622)
  Docs: mlock() notes, fixes #3605 (#3614)
  Fix spelling (#3609)
  Add command to example to register plugin (#3601)
  update relatedtools, add Goldfish UI. (#3597)
  Fix docs for Transit API (#3588)
  Update cassandra docs with consistency value.
  Remove Trailing White space in Kubernetes Doc (#3360)
  Missing  command for vault PUT operation (#3355)
  Update some rekey docs
@jen20
Contributor

jen20 commented Dec 18, 2017

I just opened #3704 before spotting this, but a better way with a modern systemd is to add the following to the systemd unit:

LimitMEMLOCK=infinity
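The three points raised in this thread (the setcap grant must be re-applied to the new binary after an upgrade because it lives on the file, not the path; an ExecStartPre=setcap step in a unit that runs as a non-root User= needs PermissionsStartOnly=true; and LimitMEMLOCK=infinity as the alternative that avoids the capability altogether), folded into one added shell example. This is not code from the issue or from the Vault project. The paths /usr/local/bin/vault and /sbin/setcap, the drop-in contents, and the sample getcap lines are assumptions constructed for the example; the `ExecStartPre=+` full-privilege prefix accepted by newer systemd versions is mentioned from general knowledge and is not discussed in the thread.

```shell
#!/bin/sh
# Added example, not the issue's or Vault's own code.
# Post-upgrade check for the mlock capability plus a lint for the systemd
# pitfall described in the thread. Paths and unit text are assumptions.

# Resolve the real file behind a command on PATH. File capabilities are stored
# on the inode, so a replaced binary starts with none; this is the path that
# setcap must be run against again.
resolve_binary() {
    path=$(command -v "$1" 2>/dev/null) || return 1
    readlink -f "$path"
}

# Return 0 if one line of getcap output grants cap_ipc_lock with both the
# effective (e) and permitted (p) flags. Accepts the older
# "= cap_ipc_lock+ep" form, the newer "cap_ipc_lock=ep" form, and
# comma-separated capability lists.
cap_line_has_ipc_lock() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*cap_ipc_lock[^=+]*[=+]\([a-z]*\).*/\1/p')
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; esac
    return 1
}

# 0 if the installed binary carries cap_ipc_lock, 1 if not, 2 if getcap is
# unavailable. Needs libcap's getcap at run time (not needed for the tests).
vault_has_ipc_lock() {
    bin=$(resolve_binary "${1:-vault}") || return 1
    command -v getcap >/dev/null 2>&1 || return 2
    cap_line_has_ipc_lock "$(getcap "$bin" 2>/dev/null)"
}

# Lint systemd unit text: an ExecStartPre=...setcap step in a unit with a
# User= line runs as that user unless PermissionsStartOnly=true is set (or the
# step uses the newer "ExecStartPre=+" prefix), so setcap fails and blocks
# startup. Returns 0 when the unit is fine, 1 when it hits the pitfall.
unit_setcap_ok() {
    unit="$1"
    printf '%s\n' "$unit" | grep -q '^ExecStartPre=.*setcap' || return 0
    printf '%s\n' "$unit" | grep -q '^User=' || return 0
    printf '%s\n' "$unit" | grep -q '^PermissionsStartOnly=true' && return 0
    printf '%s\n' "$unit" | grep -q '^ExecStartPre=+' && return 0
    return 1
}

# Drop-in text (e.g. /etc/systemd/system/vault.service.d/mlock.conf, an
# assumed path) for the approach in the thread: re-grant the capability on
# every start so an upgraded binary never runs without it.
setcap_dropin() {
    bin="${1:-/usr/local/bin/vault}"
    printf '[Service]\nPermissionsStartOnly=true\nExecStartPre=/sbin/setcap cap_ipc_lock=+ep %s\n' "$bin"
}

# Drop-in text for the alternative: raise RLIMIT_MEMLOCK so mlockall() succeeds
# without CAP_IPC_LOCK. No per-upgrade step, but the service may then lock an
# unbounded amount of memory.
memlock_dropin() {
    printf '[Service]\nLimitMEMLOCK=infinity\n'
}

# Stand-alone use: `sh mlock-check.sh check` reports the installed binary.
if [ "${1:-}" = "check" ]; then
    if vault_has_ipc_lock; then
        echo "cap_ipc_lock present on $(resolve_binary vault)"
    else
        echo "cap_ipc_lock missing: re-run setcap against $(resolve_binary vault)"
    fi
fi
```

After writing either drop-in, run `systemctl daemon-reload` before restarting the service. The check function is the useful part to wire into an upgrade runbook: run it right after the new binary is in place, before Vault is restarted, so the loss of the capability is caught before the sealed-memory guarantee silently disappears.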
