Skip to content

disable_mlock must now be explicitly included in config #29974

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 42 commits into from
Apr 17, 2025
Merged

disable_mlock must now be explicitly included in config #29974

merged 42 commits into from
Apr 17, 2025

Conversation

guygrigsby
Copy link
Member

@guygrigsby guygrigsby commented Mar 20, 2025
edited
Loading

Description

This PR eliminates a default value for disable_mlock for integrated storage. disable_mlock must now be set explicitly in a configuration file or env var if using integrated storage.

When Vault starts up with mlock enabled, Vault with integrated storage is prone to running out of memory because it doesn't allow the use of swap disk. However, while disabling mlock helps not run into OOM problems, it is a security issue because allowing for swapping to disk means that secret values can be viewed in plaintext if the swap files are inspected.

As such, Vault will no longer initialize until this value has been explicitly configured, and we will provide a clear explanation in the error message of the tradeoffs of choosing to enable or disable mlock on Integrated Storage.

We must also update documentation to include the new behavior.

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
    • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Mar 20, 2025
@guygrigsby guygrigsby force-pushed the guygrigsby/VAULT-34786/explicitly-require-disablemlock-config branch from 5818a2b to 084be9c Compare March 20, 2025 18:10
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 20, 2025
edited
Loading

CI Results:
All Go tests succeeded! ✅

@guygrigsby guygrigsby force-pushed the guygrigsby/VAULT-34786/explicitly-require-disablemlock-config branch from e977c8f to 7aececf Compare March 21, 2025 17:09
guygrigsby
guygrigsby commented Mar 21, 2025
View reviewed changes
command/server.go Outdated
entCheckRequestLimiter(c, config)

if config != nil {

This comment was marked as outdated.

Sign in to view

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 21, 2025
View reviewed changes
@guygrigsby guygrigsby force-pushed the guygrigsby/VAULT-34786/explicitly-require-disablemlock-config branch from 7aececf to c44c565 Compare March 21, 2025 19:02
@guygrigsby guygrigsby force-pushed the guygrigsby/VAULT-34786/explicitly-require-disablemlock-config branch from 71b840e to 8780c7a Compare March 24, 2025 14:16
@guygrigsby guygrigsby marked this pull request as ready for review March 24, 2025 15:45
@guygrigsby guygrigsby requested a review from a team as a code owner March 24, 2025 15:45
@guygrigsby guygrigsby requested a review from mladlow March 24, 2025 15:45
sgmiller
sgmiller reviewed Mar 24, 2025
View reviewed changes
Copy link
Collaborator

@sgmiller sgmiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we wanted this to be mandatory only if using integrated storage?

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 24, 2025
edited
Loading

Build Results:
All builds succeeded! ✅

@guygrigsby
Copy link
Member Author

@sgmiller I took another look at the requirements and you're right. I'll switch this back to draft on continue working on it.

@guygrigsby guygrigsby marked this pull request as draft March 24, 2025 17:21
@guygrigsby guygrigsby marked this pull request as ready for review March 25, 2025 17:51
@guygrigsby guygrigsby requested a review from a team as a code owner March 25, 2025 17:51
ej-hashi
ej-hashi previously approved these changes Apr 9, 2025
View reviewed changes
miagilepner
miagilepner previously approved these changes Apr 10, 2025
View reviewed changes
Copy link
Collaborator

@miagilepner miagilepner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

rculpepper
rculpepper previously approved these changes Apr 10, 2025
View reviewed changes
schavis
schavis requested changes Apr 11, 2025
View reviewed changes
@guygrigsby @schavis
Apply suggestions from code review
10626a9 
Use active voice.

Co-authored-by: Sarah Chavis <[email protected]>
@guygrigsby guygrigsby dismissed stale reviews from rculpepper, miagilepner, and ej-hashi via 10626a9 April 11, 2025 17:52
@guygrigsby guygrigsby requested a review from schavis April 11, 2025 17:53
@guygrigsby guygrigsby requested a review from miagilepner April 11, 2025 18:35
@guygrigsby guygrigsby requested a review from rculpepper April 11, 2025 20:28
@miagilepner miagilepner merged commit 08c5a52 into main Apr 17, 2025
95 checks passed
@miagilepner miagilepner deleted the guygrigsby/VAULT-34786/explicitly-require-disablemlock-config branch April 17, 2025 13:35
ryancragun added a commit that referenced this pull request Apr 22, 2025
@ryancragun
enos(mlock): sync enos changes from main to 1.19
5cbd4c8 
Synchronize the `enos` directory on 1.19 with that of `main` after
changes introduced in #29974 were
not backported.

Signed-off-by: Ryan Cragun <[email protected]>
@ryancragun ryancragun mentioned this pull request Apr 22, 2025
Merged
6 tasks
ryancragun added a commit that referenced this pull request Apr 23, 2025
@ryancragun
enos(mlock): sync enos changes from main to 1.19 (#30321)
3f1abe2 
Synchronize the `enos` directory on 1.19 with that of `main` after
changes introduced in #29974 were
not backported.

Signed-off-by: Ryan Cragun <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raskchanky raskchanky raskchanky left review comments

@sgmiller sgmiller sgmiller left review comments

@mladlow mladlow mladlow left review comments

@mickael-hc mickael-hc mickael-hc left review comments

@schavis schavis schavis approved these changes

@rculpepper rculpepper rculpepper approved these changes

@ej-hashi ej-hashi ej-hashi approved these changes

@kubawi kubawi Awaiting requested review from kubawi

@miagilepner miagilepner Awaiting requested review from miagilepner

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed pr/no-milestone
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@guygrigsby @raskchanky @sgmiller @miagilepner @mladlow @kubawi @schavis @rculpepper @mickael-hc @ej-hashi