disable_mlock must now be explicitly included in config #29974
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
5818a2b to
084be9c
Compare
|
CI Results: |
e977c8f to
7aececf
Compare
guygrigsby
commented
Mar 21, 2025
command/server.go
Outdated
| entCheckRequestLimiter(c, config) | ||
|
|
||
| if config != nil { |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
7aececf to
c44c565
Compare
71b840e to
8780c7a
Compare
sgmiller
reviewed
Mar 24, 2025
|
Build Results: |
|
@sgmiller I took another look at the requirements and you're right. I'll switch this back to draft on continue working on it. |
…sablemlock-config
…sablemlock-config
ej-hashi
previously approved these changes
Apr 9, 2025
…sablemlock-config
rculpepper
previously approved these changes
Apr 10, 2025
schavis
requested changes
Apr 11, 2025
Use active voice. Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
10626a9
…sablemlock-config
schavis
approved these changes
Apr 11, 2025
ej-hashi
approved these changes
Apr 11, 2025
rculpepper
approved these changes
Apr 14, 2025
…sablemlock-config
…sablemlock-config
…sablemlock-config
…sablemlock-config
ryancragun
added a commit
that referenced
this pull request
Apr 22, 2025
Synchronize the `enos` directory on 1.19 with that of `main` after changes introduced in #29974 were not backported. Signed-off-by: Ryan Cragun <me@ryan.ec>
6 tasks
ryancragun
added a commit
that referenced
this pull request
Apr 23, 2025
Synchronize the `enos` directory on 1.19 with that of `main` after changes introduced in #29974 were not backported. Signed-off-by: Ryan Cragun <me@ryan.ec>
Erfankam
pushed a commit
to Erfankam/vault
that referenced
this pull request
Sep 1, 2025
) * require explicit value for disable_mlock * set disable_mlock back to true for all docker tests * fix build error * update test config files * change explicit mlock check to apply to integrated storage only. * formatting and typo fixes * added test for raft * remove erroneous test * remove unecessary doc line * remove unecessary var * pr suggestions * test compile fix * add mlock config value to enos tests * enos lint * update enos tests to pass disable_mlock value * move mlock error to runtime to check for env var * fixed mlock config detection logic * call out mlock on/off tradeoffs to docs * rewording production hardening section on mlock for clarity * update error message when missing disable_mlock value to help customers with the previous default * fix config doc error and update production-hardening doc to align with existing recommendations. * remove extra check for mlock config value * fix docker recovery test * Update changelog/29974.txt Explicitly call out that Vault will not start without disable_mlock included in the config. Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com> * more docker test experimentation. * passing disable_mlock into test cluster * add VAULT_DISABLE_MLOCK envvar to docker tests and pass through the value * add missing envvar for docker env test * upate additional docker test disable_mlock values * Apply suggestions from code review Use active voice. Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --------- Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com> Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR eliminates a default value for
disable_mlockfor integrated storage.disable_mlockmust now be set explicitly in a configuration file or env var if using integrated storage.When Vault starts up with mlock enabled, Vault with integrated storage is prone to running out of memory because it doesn't allow the use of swap disk. However, while disabling mlock helps not run into OOM problems, it is a security issue because allowing for swapping to disk means that secret values can be viewed in plaintext if the swap files are inspected.
As such, Vault will no longer initialize until this value has been explicitly configured, and we will provide a clear explanation in the error message of the tradeoffs of choosing to enable or disable mlock on Integrated Storage.
We must also update documentation to include the new behavior.
TODO only if you're a HashiCorp employee
backport/label that matches the desired release branch. Note that in the CE repo, the latest release branch will look likebackport/x.x.x, but older release branches will bebackport/ent/x.x.x+ent.of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.