Error initializing core: Failed to lock memory: cannot allocate memory #53

Closed
memotype opened this Issue Sep 14, 2017 · 5 comments

@memotype

commented Sep 14, 2017

I ran into #24 trying to set up the Vault Docker image. When I try the suggested workaround ("-e SKIP_SETCAP=true") I get this error:

ubuntu@svs-vault:~/vault-docker/vault$ sudo docker run -e SKIP_SETCAP=true --name vaultc -v $PWD:/vault --expose 8200 --cap-add IPC_LOCK vault server
Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.

Same problem if I use --privileged too...

I'm running on Ubuntu Xenial.

uname -a:

Linux svs-vault 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Docker version (from official Docker repository):

Docker version 17.06.2-ce, build cec0b72

@rkgyellowjacket

commented Sep 19, 2017

So just looking at:

https://docs.docker.com/samples/library/vault/#memory-locking-and-setcap

During docker run you tried using:

.. --cap-add=IPC_LOCK

In the config you could pass to vault:

.. { "disable_mlock": true }

I know when I had this problem it was because I was not root, which I used (sudo) to set up vault initially. In the docs, it's also important to note that:

"The memory locking behavior can be disabled by setting the SKIP_SETCAP environment variable to any non-empty value." This might mean true/false as a boolean should work. I will look into this more for my setup.

@memotype

Author

commented Oct 16, 2017

I was able to get the IPC_LOCK to work in CentOS Atomic Host, not sure why it didn't work in Ubuntu. I didn't want to use the disable_mlock work-around because it seems like it would circumvent some of the security of vault (decrypted secrets being written to swap).

@jefferai

Member

commented Oct 17, 2017

Given that you're on Xenial, likely a duplicate of #19. Nothing we can do on our end, unfortunately; you need to either switch the storage driver or the host OS (to one defaulting to a different storage driver).

@jefferai jefferai closed this Oct 17, 2017

@bittu664


commented Feb 28, 2019

Same problem on my Ubuntu system

Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the disable_mlock configuration option in your configuration
file.

How can I solve this problem?

@johnavirtek


commented Mar 15, 2019

Same problem on my Ubuntu system

Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the disable_mlock configuration option in your configuration
file.

How can I solve this problem?

The Vault Configuration File Documentation mentions the solution in the disable_mlock section:

On Linux, to give the Vault executable the ability to use the mlock syscall without running the process as root, run:

sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))

Note: Since each plugin runs as a separate process, you need to do the same for each plugin in your plugins directory.

If you use a Linux distribution with a modern version of systemd, you can add the following directive to the "[Service]" configuration section:

LimitMEMLOCK=infinity

Please see the link for the excerpt in the future to ensure you are using the most up to date information and following best practices.
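
Added example, not part of the thread and not Vault's or Docker's own code: a small diagnostic for the two conditions discussed above (`--cap-add IPC_LOCK` / `setcap cap_ipc_lock` and `LimitMEMLOCK`). It reads a process's effective capability mask and its locked-memory limit from `/proc`; the function names are hypothetical, and the masks mentioned in the comments are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: can this process lock memory?
# Linux enforces RLIMIT_MEMLOCK only on processes without CAP_IPC_LOCK, and an
# mlock over that limit fails with ENOMEM ("cannot allocate memory").

CAP_IPC_LOCK_BIT=14   # CAP_IPC_LOCK as numbered in <linux/capability.h>

# has_ipc_lock HEXMASK: true if a CapEff mask from /proc/<pid>/status has the
# CAP_IPC_LOCK bit set. Constructed samples: 00000000a80425fb (bit clear),
# 00000000a80465fb (bit set).
has_ipc_lock() {
    [ $(( 0x$1 & (1 << $CAP_IPC_LOCK_BIT) )) -ne 0 ]
}

# memlock_soft_limit: reads a /proc/<pid>/limits table on stdin and prints the
# soft "Max locked memory" value (a byte count or "unlimited").
memlock_soft_limit() {
    awk '/^Max locked memory/ { print $4 }'
}

# mlock_verdict CAPEFF SOFT_LIMIT: combine the two facts into one line.
mlock_verdict() {
    if has_ipc_lock "$1"; then
        echo "ok: CAP_IPC_LOCK is effective, RLIMIT_MEMLOCK is not enforced"
    elif [ "$2" = "unlimited" ]; then
        echo "ok: no CAP_IPC_LOCK, but RLIMIT_MEMLOCK is unlimited"
    else
        echo "at risk: no CAP_IPC_LOCK, locked memory capped at $2 bytes"
    fi
}

# check_pid PID: inspect a live process (for example the Vault server's PID).
check_pid() {
    capeff=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status")
    limit=$(memlock_soft_limit < "/proc/$1/limits")
    mlock_verdict "$capeff" "$limit"
}

# Run as: sh check_mlock.sh <pid>   (the script name is arbitrary)
if [ "$#" -gt 0 ]; then
    check_pid "$1"
fi
```

An "at risk" result means any lock request larger than the printed limit will be refused, which is the case the `setcap` and `LimitMEMLOCK=infinity` settings quoted above address.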
