Tags: docker, ipc, docker-swarm, hashicorp-vault

How to solve "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK" and "Cluster address must be set when using raft storage" errors?


I use the following stack file to deploy the vault service in docker swarm mode.

The stack file:

version: '3.8'
services:

  faume-vault:
    image: vault:1.6.0
    environment:
      TZ: UTC
      VAULT_ADDR: 'http://0.0.0.0:8200'
      # Inline Vault server configuration (JSON); the image's entrypoint writes it
      # into the config directory before starting the server.
      VAULT_LOCAL_CONFIG: |-
        {
          "disable_cache": true,
          "disable_mlock": true,
          "ui": true,
          "backend": {
            "raft": {
              "node_id": "vault",
              "path": "/vault"
            }
          },
          "default_lease_ttl": "168h",
          "max_lease_ttl": "720h",
          "seal": {
            "awskms": {
              "access_key": "xxxxxxxxxxxxxxxxxxxxxxx",
              "secret_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
              "kms_key_id": "xxxxxxxxxxxxxxxxxxxxxxx"
            }
          },
          "listener": {
            "tcp": {
              "address": "0.0.0.0:8200",
              "cluster_address": "0.0.0.0:8201",
              "tls_disable": true
            }
          },
          "cluster_addr": "http://vault.faume.local:8201",
          "api_addr": "http://vault.faume.local:8200"
        }
    command: server
    volumes:
      - 'faume-vault:/vault'
    ports:
      - '8200:8200'
    networks:
      faume:
        aliases:
          - vault.faume.local
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role==manager


volumes:
  faume-vault:

networks:
  faume:

When I deploy the stack file, the service is created without errors, but the service does not run.

Service logs are as follows:

faume-vault_faume-vault.1.xztddsvjaa2c@DevOps-Dhanushka    | Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
faume-vault_faume-vault.1.xkh8abjlzyel@DevOps-Dhanushka    | Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
faume-vault_faume-vault.1.xkh8abjlzyel@DevOps-Dhanushka    | 2021-07-26T08:20:15.705Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
faume-vault_faume-vault.1.xztddsvjaa2c@DevOps-Dhanushka    | 2021-07-26T08:20:31.553Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
faume-vault_faume-vault.1.xkh8abjlzyel@DevOps-Dhanushka    | Cluster address must be set when using raft storage
faume-vault_faume-vault.1.xztddsvjaa2c@DevOps-Dhanushka    | Cluster address must be set when using raft storage
faume-vault_faume-vault.1.5g7wzqm7fn0f@DevOps-Dhanushka    | Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
faume-vault_faume-vault.1.5g7wzqm7fn0f@DevOps-Dhanushka    | 2021-07-26T08:20:23.070Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
faume-vault_faume-vault.1.5g7wzqm7fn0f@DevOps-Dhanushka    | Cluster address must be set when using raft storage
faume-vault_faume-vault.1.kf0k9eoou749@DevOps-Dhanushka    | Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
faume-vault_faume-vault.1.kf0k9eoou749@DevOps-Dhanushka    | Cluster address must be set when using raft storage
faume-vault_faume-vault.1.kf0k9eoou749@DevOps-Dhanushka    | 2021-07-26T08:20:39.894Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=

It seems the error is about "mlock". But I have configured the "mlock" variable successfully. Can you please make some suggestions?


Solution

  • You need to run your faume-vault container in privileged mode.

    Just add privileged: true option.

    This is supported by docker swarm only in recent releases (see privileged mode in docker compose in a swarm), so please ensure you are running a recent enough version.

    Please make sure you understand the security concerns involved with running privileged pods.
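A pre-deploy check for the configuration in the question, added here as an example and not taken from the question or the answer: it re-implements Vault's "cluster address must be set when using raft storage" check on the VAULT_LOCAL_CONFIG JSON, reports a config that does not parse at all, and flags the settings in the posted config that weaken the deployment (mlock disabled, TLS disabled on the listener, static AWS credentials inline in the seal stanza). It uses only the Python standard library; the sample JSON is the one from the question with the commas the awskms block needs and the redacted credential placeholders kept as-is.

```python
"""Pre-deploy linter for a Vault VAULT_LOCAL_CONFIG JSON blob (added example)."""
import json

# Constructed sample: the JSON from the question, with the commas the awskms
# block needs; the credential values are the question's redaction placeholders.
SAMPLE_CONFIG = """
{
  "disable_cache": true,
  "disable_mlock": true,
  "ui": true,
  "backend": {
    "raft": {
      "node_id": "vault",
      "path": "/vault"
    }
  },
  "seal": {
    "awskms": {
      "access_key": "xxxxxxxxxxxxxxxxxxxxxxx",
      "secret_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "kms_key_id": "xxxxxxxxxxxxxxxxxxxxxxx"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "cluster_address": "0.0.0.0:8201",
      "tls_disable": true
    }
  },
  "cluster_addr": "http://vault.faume.local:8201",
  "api_addr": "http://vault.faume.local:8200"
}
"""


def storage_type(cfg):
    """Return the storage backend name; 'backend' is Vault's legacy alias for 'storage'."""
    block = cfg.get("storage") or cfg.get("backend") or {}
    return next(iter(block), None)


def check_vault_config(config_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # Vault refuses to start on an unparsable config, so nothing else is checkable.
        return [("error", f"config is not valid JSON: {exc}")]

    # The same condition Vault enforces at startup for raft storage.
    if storage_type(cfg) == "raft" and not cfg.get("cluster_addr"):
        findings.append(("error", "cluster_addr must be set when using raft storage"))

    if cfg.get("disable_mlock") is True:
        findings.append(("warn", "disable_mlock=true: in-memory secrets may be swapped to disk; "
                                 "prefer granting IPC_LOCK and disabling swap on the host"))

    tcp = (cfg.get("listener") or {}).get("tcp") or {}
    if tcp.get("tls_disable") in (True, "true", 1):
        findings.append(("warn", "tls_disable=true: tokens and secrets cross the network in cleartext"))

    awskms = (cfg.get("seal") or {}).get("awskms") or {}
    if "access_key" in awskms or "secret_key" in awskms:
        findings.append(("warn", "awskms seal carries static AWS credentials inline; "
                                 "use AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or an instance role"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vault_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the JSON you are about to put in VAULT_LOCAL_CONFIG: an "error" finding means Vault would not start with that config, while the "warn" findings are the points to justify in a review before accepting the deployment.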