Update Guide should indicate need to re-run setcap to enable mlock #3605
Hi @jefferai and @brianshumate: One more note on this. I discovered on Friday that if you do add "ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault" to a systemd service file like vault.service, you also need to add "PermissionsStartOnly=true" or the attempt to invoke setcap will fail and prevent startup of the Vault service. See https://github.com/hashicorp/vault-guides/blob/master/shared/vault/init/systemd/vault.service for example of this. You'll need to add that to your addition. Sorry for not reporting sooner.
* oss/master:
  changelog++
  Support MongoDB session-wide write concern (#3646)
  Clarify api_addr related errors on VaultPluginTLSProvider (#3620)
  allowed/disallowed_policies as TypeCommaStringSlice (#3641)
  Update example payload and response for pem_keys field which needs \n after header and before footer in order to be accepted as a valid RSA or ECDSA public key (#3632)
  Docs: Update /sys/policies/ re: beta refs to address #3624 (#3629)
  Update secrets page
  Remove beta notice
  Expanding on the quick start guide with how to set up an intermediate authority (#3622)
  Docs: mlock() notes, fixes #3605 (#3614)
  Fix spelling (#3609)
  Add command to example to register plugin (#3601)
  update relatedtools, add Goldfish UI. (#3597)
  Fix docs for Transit API (#3588)
  Update cassandra docs with consistency value.
  Remove Trailing White space in Kubernetes Doc (#3360)
  Missing command for vault PUT operation (#3355)
  Update some rekey docs
I just opened #3704 before spotting this, but a better way with a modern systemd is to add the following to the systemd unit:
The Upgrade Guide at https://www.vaultproject.io/guides/upgrading/index.html should indicate that the command
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
needs to be re-run against the new binary on platforms that support mlock. This particular command is documented at https://www.vaultproject.io/docs/configuration/#disable_mlock.
What is not obvious is that the command targets the actual binary file itself rather than the path the binary lives at. So, when you replace one version of the vault binary with a newer version, you need to re-run that command.
The command could be run from the command line. Alternatively, if systemd is being used, the equivalent could be entered in the systemd vault.service file as "ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault" (assuming that the vault binary is installed in /usr/local/bin).
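A post-upgrade check for the point above, added here as an example rather than taken from the issue thread or from Vault itself: it resolves the symlink chain the way the documented setcap command does and inspects the capability set on the file that will actually execute. It assumes libcap's getcap is installed; the vault path passed in is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the Vault project.
# File capabilities such as cap_ipc_lock live on the binary itself, so a
# replaced vault binary starts out without them. This check reads what the
# new file really carries instead of trusting that setcap was once run.

# Report whether one line of getcap output grants cap_ipc_lock as both
# effective (e) and permitted (p). Both libcap output styles are accepted:
#   older libcap:  /usr/local/bin/vault = cap_ipc_lock+ep
#   newer libcap:  /usr/local/bin/vault cap_ipc_lock=ep
cap_line_has_ipc_lock() {
    # Take the whitespace-delimited token naming cap_ipc_lock (it may list
    # several caps, e.g. cap_chown,cap_ipc_lock+ep), then keep the flag
    # letters after the last '=' (newer libcap) or '+' (older libcap).
    flags=$(printf '%s\n' "$1" | tr ' \t' '\n\n' | grep 'cap_ipc_lock' \
            | sed 's/.*[=+]//' | head -n 1)
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;   # effective and permitted: mlock will work
        *)           return 1 ;;   # missing, or permitted without effective
    esac
}

# Resolve the symlink chain first: setcap marks the file, not the path, which
# is why `setcap ... $(readlink -f $(which vault))` must be repeated after
# every upgrade. Returns 2 when getcap is unavailable, 1 when the capability
# is absent, 0 when it is present.
vault_has_ipc_lock() {
    command -v getcap >/dev/null 2>&1 || return 2
    real=$(readlink -f "$1") || return 1
    cap_line_has_ipc_lock "$(getcap "$real" 2>/dev/null)"
}

# Usage (hypothetical path):
#   vault_has_ipc_lock /usr/local/bin/vault && echo "cap_ipc_lock present"
```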