From 6f292e3dac458ec9845d03cab78764b6610bb61a Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 21 May 2026 09:37:08 -0600
Subject: [PATCH] go: remove SKIP_SETCAP env vars and add IPC_LOCK when using vault containers

* go: remove SKIP_SETCAP env vars and add IPC_LOCK when using vault containers

Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 .github/workflows/test-go.yml                  | 10 +++++-----
 command/server/server_seal_transit_acc_test.go |  2 +-
 helper/testhelpers/testimages/hsm.go           |  4 ++--
 sdk/helper/testcluster/docker/environment.go   |  7 +++++--
 4 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
index fbd20a582c..94c8707e52 100644
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@@ -347,20 +347,20 @@ jobs:
       name: Build Docker image with custom vault binary
       run: |
         set -exo pipefail
-
+
         if [ "${{ needs.test-matrix.outputs.is-ent-branch }}" == "true" ]; then
           go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault-enterprise:latest -target=hashicorp/vault-enterprise-ci:latest -binary=./vault-binary
-          go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault-enterprise:2.0.0-ent.hsm -target=hashicorp/vault-enterprise-ci:latest-hsm -binary=./vault-hsm-binary -hsm
-
+          go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault-enterprise:2.0.1-ent.hsm -target=hashicorp/vault-enterprise-ci:latest-hsm -binary=./vault-hsm-binary -hsm
+
           # Verify the images were built successfully
           docker images hashicorp/vault-enterprise-ci:latest
           echo "image=hashicorp/vault-enterprise-ci:latest" >> "$GITHUB_OUTPUT"
-
+
           docker images hashicorp/vault-enterprise-ci:latest-hsm
           echo "hsmimage=hashicorp/vault-enterprise-ci:latest-hsm" >> "$GITHUB_OUTPUT"
         else
           go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault:latest -target=hashicorp/vault-ci:latest -binary=./vault-binary
-
+
           # Verify the images was built successfully
           docker images hashicorp/vault-ci:latest
           echo "image=hashicorp/vault-ci:latest" >> "$GITHUB_OUTPUT"
diff --git a/command/server/server_seal_transit_acc_test.go b/command/server/server_seal_transit_acc_test.go
index c7e7deb653..0e453750d7 100644
--- a/command/server/server_seal_transit_acc_test.go
+++ b/command/server/server_seal_transit_acc_test.go
@@ -135,9 +135,9 @@ func prepareTestContainer(t *testing.T) (func(), *DockerVaultConfig) {
 	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		ContainerName: "vault",
+		Capabilities:  []string{"IPC_LOCK"},
 		ImageRepo:     "docker.mirror.hashicorp.services/hashicorp/vault",
 		ImageTag:      "latest",
-		Env:           []string{"SKIP_SETCAP=true"},
 		Cmd: []string{
 			"server", "-log-level=trace", "-dev", fmt.Sprintf("-dev-root-token-id=%s", rootToken),
 			"-dev-listen-address=0.0.0.0:8200",
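Review bot: The new `Capabilities:  []string{"IPC_LOCK"},` does not match what the same commit grants in environment.go (`"NET_ADMIN", "IPC_LOCK", "SETFCAP"`), and the two sites should agree on whether CAP_SETFCAP has to be granted explicitly. Dropping `SKIP_SETCAP=true` presumably means the image entrypoint now runs setcap on the vault binary at start, which requires SETFCAP; if the container runtime's default capability set already includes it this hunk is fine and the extra grant in environment.go is redundant, but if the harness drops default capabilities this container will fail at startup and the mismatch should be resolved here. Because the behaviour depends on the entrypoint in whatever the mutable `latest` tag resolves to, I would record the intent in a comment next to the field, e.g. `// IPC_LOCK lets the image's setcap'd vault binary mlock memory now that SKIP_SETCAP is no longer set.`. prepareTestContainer's body continues outside the hunk.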
diff --git a/helper/testhelpers/testimages/hsm.go b/helper/testhelpers/testimages/hsm.go
index e81dd1de26..1a4d41af4b 100644
--- a/helper/testhelpers/testimages/hsm.go
+++ b/helper/testhelpers/testimages/hsm.go
@@ -58,7 +58,7 @@ func GetImageRepoAndTag(t *testing.T, hsm bool) (string, string) {
 // If vaultImage is populated, it is split by ":" and the two pieces are returned
 // as the repo and tag. If vault_binary is populated, an image is created based on
 // the latest hsm image.
-// (TODO: currently hardcoded as "docker.io/hashicorp/vault-enterprise:2.0.0-ent.hsm")
+// (TODO: currently hardcoded as "docker.io/hashicorp/vault-enterprise:2.0.1-ent.hsm")
 // This is done by installing SoftHSM and the vaultBinary on top of that image.
 // If neither is populated an error is returned.
 func CreateOrReturnDockerImage(hsm bool) (repo string, tag string, output []byte, err error) {
@@ -86,7 +86,7 @@ func CreateOrReturnDockerImage(hsm bool) (repo string, tag string, output []byte
 	tag := "latest"
 	source := "docker.io/" + base + ":latest"
 	if hsm {
-		source = "docker.io/hashicorp/vault-enterprise:2.0.0-ent.hsm"
+		source = "docker.io/hashicorp/vault-enterprise:2.0.1-ent.hsm"
 		tag = "latest-hsm"
 	}
 	target := fmt.Sprintf("%s:%s", repo, tag)
diff --git a/sdk/helper/testcluster/docker/environment.go b/sdk/helper/testcluster/docker/environment.go
index b6b04a4241..3d95109d3e 100644
--- a/sdk/helper/testcluster/docker/environment.go
+++ b/sdk/helper/testcluster/docker/environment.go
@@ -423,12 +423,16 @@ func (n *DockerClusterNode) setupCert(ip string) error {
 }
 
 func NewTestDockerCluster(t *testing.T, opts *DockerClusterOptions) *DockerCluster {
+	t.Helper()
+
 	dc, err := NewTestDockerClusterWithErr(t, opts)
 	require.NoError(t, err)
 	return dc
 }
 
 func NewTestDockerClusterWithErr(t *testing.T, opts *DockerClusterOptions) (*DockerCluster, error) {
+	t.Helper()
+
 	if opts == nil {
 		opts = &DockerClusterOptions{DisableMlock: true}
 	}
@@ -921,7 +925,6 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 	envs := []string{
 		// For now we're using disable_mlock, because this is for testing
 		// anyway, and because it prevents us using external plugins.
-		"SKIP_SETCAP=true",
 		"VAULT_LOG_FORMAT=json",
 		"VAULT_LICENSE=" + opts.VaultLicense,
 		"VAULT_DISABLE_MLOCK=" + strconv.FormatBool(opts.DisableMlock),
@@ -946,7 +949,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 		PreDelete:         true,
 		DoNotAutoRemove:   true,
 		PostStart:         postStartFunc,
-		Capabilities:      []string{"NET_ADMIN"},
+		Capabilities:      []string{"NET_ADMIN", "IPC_LOCK", "SETFCAP"},
 		OmitLogTimestamps: true,
 		VolumeNameToMountPoint: map[string]string{
 			n.DataVolumeName: "/vault/file",
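Review bot: Granting `"SETFCAP"` in the new `Capabilities` line is broader than the mlock change needs and is not mirrored in server_seal_transit_acc_test.go, which this same commit gives only IPC_LOCK. CAP_SETFCAP lets any process inside the container stamp file capabilities onto arbitrary binaries, so it should be granted only if it is actually required; if it is there solely so the image entrypoint can setcap the vault binary now that `SKIP_SETCAP=true` is gone, confirm whether the runtime's default capability set already covers that and, if so, reduce the line to `Capabilities:      []string{"NET_ADMIN", "IPC_LOCK"},`. Whichever way it goes, a why-comment belongs on the line, e.g. `// IPC_LOCK lets vault mlock its memory; SETFCAP lets the entrypoint setcap the binary now that SKIP_SETCAP is unset.`. Note also that IPC_LOCK only has an effect when a caller passes DisableMlock=false, since NewTestDockerClusterWithErr defaults it to true and the env still emits `VAULT_DISABLE_MLOCK=` from opts.DisableMlock, so mlock stays off for most cluster tests despite the new capability. Start's body continues outside both hunks.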