简体繁体 English

为什么Vault by HashiCorp需要启用ipc_lock功能？

[英]Why does Vault by HashiCorp require the ipc_lock capability to be enabled?

原文 2018-04-25 20:45:48 8 1 linux/ docker/ linux-kernel/ hashicorp-vault

为什么Vault by HashiCorp需要启用ipc_lock功能？

1 个解决方案

It's required for this server config option: https://www.vaultproject.io/docs/configuration/index.html#disable_mlock 这个服务器配置选项是必需的： https ： //www.vaultproject.io/docs/configuration/index.html#disable_mlock

It uses the mlock syscall which blocks process memory from being swapped to disk. 它使用mlock系统调用来阻止进程内存交换到磁盘。 By default this is enabled as you want to avoid swapping your Vault memory onto unencrypted disk. 默认情况下，此功能已启用，因为您希望避免将Vault内存交换到未加密的磁盘上。

Usually that capability comes up when running Vault within a container, which I believe allows the container to access the mlock syscall without escalating privileges. 通常在容器中运行Vault时会出现这种功能，我相信这允许容器在不升级权限的情况下访问mlock系统调用。

为什么读/写锁需要锁？ - Why read/write locks require a lock?

Hashicorp保险柜-仅创建身份验证令牌，请勿读取机密 - Hashicorp Vault — Create Auth Tokens Only, Don't read secrets

为什么getaddrinfo需要3个标头？ - Why does getaddrinfo require 3 headers?

为什么加载 seccomp 过滤器会影响允许和有效的能力集？ - Why does loading seccomp filter affect permitted and effective capability set?

为什么gammu需要sudo才能工作？ - Why does gammu require sudo to work?

为什么groovysh需要X显示？ - Why does groovysh require X display?

我可以在 Hashicorp Vault 上创建一个策略以允许令牌所有者仅读取他们自己的秘密吗？ - Can I create a policy on Hashicorp Vault to allow token owners to only read their own secrets?

为什么 RedHat dotnet 核心漏洞需要重建您的应用程序？ - Why does the RedHat dotnet core vulnerability require rebuilding your application?

为什么 linkat 需要路径名而不是文件描述符？ - Why does linkat require a path name instead of a file descriptor?

为什么execl要求我在运行进程后点击“Enter”？ - Why does execl require me to hit “Enter” after running a process?

暂无

暂无

声明:本站的技术帖子网页，遵循CC BY-SA 4.0协议，如果您需要转载，请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么读/写锁需要锁？ - Why read/write locks require a lock? Hashicorp保险柜-仅创建身份验证令牌，请勿读取机密 - Hashicorp Vault — Create Auth Tokens Only, Don't read secrets 为什么getaddrinfo需要3个标头？ - Why does getaddrinfo require 3 headers? 为什么加载 seccomp 过滤器会影响允许和有效的能力集？ - Why does loading seccomp filter affect permitted and effective capability set? 为什么gammu需要sudo才能工作？ - Why does gammu require sudo to work? 为什么groovysh需要X显示？ - Why does groovysh require X display? 我可以在 Hashicorp Vault 上创建一个策略以允许令牌所有者仅读取他们自己的秘密吗？ - Can I create a policy on Hashicorp Vault to allow token owners to only read their own secrets? 为什么 RedHat dotnet 核心漏洞需要重建您的应用程序？ - Why does the RedHat dotnet core vulnerability require rebuilding your application? 为什么 linkat 需要路径名而不是文件描述符？ - Why does linkat require a path name instead of a file descriptor? 为什么execl要求我在运行进程后点击“Enter”？ - Why does execl require me to hit “Enter” after running a process?

相关标签

粤ICP备18138465号 © 2020-2024 STACKOOM.COM