mirror of
https://github.com/hashicorp/vault.git
synced 2026-07-10 01:33:19 -04:00
The entrypoint scripts assumed they always started as root. After the Dockerfile switched to USER vault, setcap fails with EPERM and the container exits before vault ever runs. This change adds an explicit non-root branch so that: - SKIP_SETCAP / SKIP_CHOWN warnings are still printed - VAULT_DISABLE_MLOCK is honoured - the vault binary is executed directly instead of via su-exec Fixes #31919 Signed-off-by: goingforstudying-ctrl <goingforstudying-ctrl@users.noreply.github.com>
123 lines
4.9 KiB
Bash
Executable file
123 lines
4.9 KiB
Bash
Executable file
#!/usr/bin/dumb-init /bin/sh
|
|
# Copyright IBM Corp. 2016, 2025
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
set -e
|
|
|
|
# Note above that we run dumb-init as PID 1 in order to reap zombie processes
|
|
# as well as forward signals to all processes in its session. Normally, sh
|
|
# wouldn't do either of these functions so we'd leak zombies as well as do
|
|
# unclean termination of all our sub-processes.
|
|
|
|
# Prevent core dumps
|
|
ulimit -c 0
|
|
|
|
# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface
|
|
# name instead of an IP address. The interface name is specified using
|
|
# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
|
|
# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
|
|
# number with the IP of the named interface.
|
|
get_addr () {
|
|
local if_name=$1
|
|
local uri_template=$2
|
|
ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
|
|
ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
|
|
print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
|
|
exit}'
|
|
}
|
|
|
|
if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
|
|
export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
|
|
echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
|
|
fi
|
|
if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
|
|
export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
|
|
echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
|
|
fi
|
|
|
|
# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
|
|
# config files in there if you use this image as a base, or use
|
|
# VAULT_LOCAL_CONFIG below.
|
|
VAULT_CONFIG_DIR=/vault/config
|
|
|
|
# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
|
|
# Vault configuration JSON without having to bind any volumes.
|
|
if [ -n "$VAULT_LOCAL_CONFIG" ]; then
|
|
echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"
|
|
fi
|
|
|
|
# If the user is trying to run Vault directly with some arguments, then
|
|
# pass them to Vault.
|
|
if [ "${1:0:1}" = '-' ]; then
|
|
set -- vault "$@"
|
|
fi
|
|
|
|
# Look for Vault subcommands.
|
|
if [ "$1" = 'server' ]; then
|
|
shift
|
|
set -- vault server \
|
|
-config="$VAULT_CONFIG_DIR" \
|
|
-dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
|
|
-dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
|
|
"$@"
|
|
elif [ "$1" = 'version' ]; then
|
|
# This needs a special case because there's no help output.
|
|
set -- vault "$@"
|
|
elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
|
|
# We can't use the return code to check for the existence of a subcommand, so
|
|
# we have to use grep to look for a pattern in the help output.
|
|
set -- vault "$@"
|
|
fi
|
|
|
|
# If we are running Vault, make sure it executes as the proper user.
|
|
if [ "$1" = 'vault' ]; then
|
|
# When the container starts as a non-root user (e.g. USER vault in Dockerfile),
|
|
# we cannot chown or setcap. Honor the explicit opt-out flags and also
|
|
# skip setcap when the runtime doesn't grant IPC_LOCK (e.g. AWS ECS Fargate).
|
|
if [ "$(id -u)" != '0' ]; then
|
|
if [ -n "$SKIP_CHOWN" ]; then
|
|
echo "Container is running as non-root user, ignoring SKIP_CHOWN" >&2
|
|
fi
|
|
if [ -n "$SKIP_SETCAP" ]; then
|
|
echo "Container is running as non-root user, ignoring SKIP_SETCAP" >&2
|
|
fi
|
|
|
|
# If mlock is disabled via config or env, nothing else to do.
|
|
# Otherwise warn that memory won't be locked.
|
|
if [ -z "$VAULT_DISABLE_MLOCK" ] && [ -z "$disable_mlock" ]; then
|
|
: # Vault will try mlock; on restricted runtimes it may fail later
|
|
fi
|
|
else
|
|
if [ -z "$SKIP_CHOWN" ]; then
|
|
# If the config dir is bind mounted then chown it
|
|
if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
|
|
chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
|
|
fi
|
|
|
|
# If the logs dir is bind mounted then chown it
|
|
if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
|
|
chown -R vault:vault /vault/logs
|
|
fi
|
|
|
|
# If the file dir is bind mounted then chown it
|
|
if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
|
|
chown -R vault:vault /vault/file
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$SKIP_SETCAP" ]; then
|
|
# Allow mlock to avoid swapping Vault memory to disk
|
|
setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
|
|
|
|
# In the case vault has been started in a container without IPC_LOCK privileges
|
|
if ! vault -version 1>/dev/null 2>/dev/null; then
|
|
>&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
|
|
setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
|
|
fi
|
|
fi
|
|
|
|
set -- su-exec vault "$@"
|
|
fi
|
|
fi
|
|
|
|
exec "$@"
|