vault/enos/modules/k8s_deploy_vault
Vault Automation aca7f3740c
[VAULT-44098] containers: never attempt to run setcap when running as non-root user (#13988) (#14106)
In prior versions of the Vault container we'd set `IPC_LOCK` on the `vault`
binary at runtime via the entrypoint script. As we now run the Vault
container as an unprivileged user we have to set this capability at build time
as `setcap` cannot be run by unprivileged users.

This change updates the Alpine OCI and UBI container entrypoints
to not attempt to run `setcap` when running as non-root user.

Importantly, these changes introduce a *new requirement* whereby users of the
container must add the `IPC_LOCK` capability to the container or pod or the
Vault service will fail to start. As running with locked memory is always our
guidance for Vault, the containers now require this. Users that do not wish to grant
the `IPC_LOCK` capability will want to wrap the container and unset the capability on
the binary during build time: `setcap cap_ipc_lock=-ep /bin/vault`.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-04-20 12:48:55 -06:00
main.tf [VAULT-44098] containers: never attempt to run setcap when running as non-root user (#13988) (#14106) 2026-04-20 12:48:55 -06:00
raft-config.hcl [QT-602] Run proxy and agent test scenarios (#23176) 2023-09-26 15:37:28 -06:00
variables.tf license: update headers to IBM Corp. (#10229) (#10233) 2025-10-21 15:20:20 -06:00