Add a Docker entrypoint script and modify Dockerfiles to mimic Vault, to enable mlock inside Docker containers #1269
Conversation
… to enable mlock.

* Add entrypoint script with logic borrowed from Vault's. This script adds IPC_LOCK capability at runtime and then executes Boundary under its own user.
* Modify Dockerfiles to use the entrypoint script.
* Remove USER directives from the Boundary Dockerfiles. This is required to allow the entrypoint to run setcap.

Because Boundary itself is no longer the entrypoint, the behavior of the container with respect to passing or overriding arguments is different now. The Vault script's logic around handling this was not copied entirely -- only to the extent required to allow the `server` subcommand to run properly.
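The flow the description outlines (setcap while still root, then hand off to the unprivileged boundary user, with only the minimal argument handling needed for `server` to work) as an added example script. It is not the project's or Vault's own docker-entrypoint.sh. The binary path `/bin/boundary`, the `boundary` account, the `su-exec` helper, the default config path `/boundary/config.hcl` and the `SKIP_SETCAP` opt-out variable are all assumptions made for the example.

```shell
#!/bin/sh
# Added example entrypoint in the style the PR describes: grant CAP_IPC_LOCK
# while still root, then exec Boundary as its own unprivileged user.
# This is NOT Boundary's or Vault's actual docker-entrypoint.sh.
# Hypothetical assumptions: binary at /bin/boundary, account "boundary",
# su-exec installed in the image, default config at /boundary/config.hcl,
# and a SKIP_SETCAP variable to opt out of the setcap step.
set -e

: "${BOUNDARY_BIN:=/bin/boundary}"
: "${BOUNDARY_USER:=boundary}"
: "${BOUNDARY_CONFIG:=/boundary/config.hcl}"

# Single-quote one argument so it survives a later `eval "set -- ..."`.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 0 when the arguments belong to the boundary binary (nothing, a bare
# subcommand, or a leading flag); 1 when the user asked for another program,
# e.g. `docker run <image> sh`. Only "server"/"dev" are recognised as
# subcommands, mirroring the PR's deliberately minimal argument handling.
needs_binary() {
  case "$1" in
    ""|server|dev|-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the resolved argv as shell-quoted words. No arguments means
# "run the server with the image's default config".
resolve_argv() {
  if needs_binary "$1"; then
    [ $# -gt 0 ] || set -- server "-config=$BOUNDARY_CONFIG"
    set -- "$BOUNDARY_BIN" "$@"
  fi
  sep=''
  for a in "$@"; do
    printf '%s%s' "$sep" "$(shquote "$a")"
    sep=' '
  done
}

# Set CAP_IPC_LOCK as a file capability on the binary. setcap needs root,
# which is why the Dockerfiles no longer carry a USER directive.
# Returns 0 when the capability was set, 1 when the step was skipped.
grant_ipc_lock() {
  [ -z "${SKIP_SETCAP:-}" ] || return 1
  [ "$(id -u)" -eq 0 ] || return 1
  command -v setcap >/dev/null 2>&1 || return 1
  setcap cap_ipc_lock=+ep "$BOUNDARY_BIN"
}

main() {
  eval "set -- $(resolve_argv "$@")"
  if [ "$(id -u)" -eq 0 ]; then
    grant_ipc_lock || echo "entrypoint: setcap skipped, mlock may fail" >&2
    # Drop privileges only when running Boundary itself; an explicit
    # `docker run <image> sh` is left as root for debugging.
    # su-exec replaces this shell instead of forking, so Boundary stays
    # PID 1 and receives container signals directly.
    if [ "$1" = "$BOUNDARY_BIN" ] && command -v su-exec >/dev/null 2>&1; then
      set -- su-exec "$BOUNDARY_USER" "$@"
    fi
  fi
  exec "$@"
}

# Only run main when installed as the image's docker-entrypoint.sh; sourcing
# the file elsewhere just defines the functions.
case "$0" in
  *docker-entrypoint*) main "$@" ;;
esac
```

A file capability only becomes effective if the container's bounding set already contains CAP_IPC_LOCK, so the container must still be started with `docker run --cap-add=IPC_LOCK ...` (or the orchestrator's equivalent); the setcap step alone cannot add a capability Docker dropped. To confirm that Boundary actually holds it, read `grep CapEff /proc/1/status` inside the running container and decode the hex mask with `capsh --decode=<hex>`, which should list `cap_ipc_lock`.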
👍 Thanks Joe!
I'm running the Docker container for Boundary v0.7.1, but I'm running into the IPC lock error message when my Boundary container starts up.
You'll still get that if you run it as an ordinary
@omkensey thanks for getting back to me on this! My problem was that I added the "ipc_lock" capability and not "IPC_LOCK". :) In this case I was using Nomad.