Remove setcap.

Having setcap set on the binary broke upstream Helm chart compatability due to hashicorp/vault-helm#198. Signed-off-by: Adrian Mouat <adrian@chainguard.dev>
amouat · Jun 2, 2023 · 336f473 · 336f473
1 parent dbeb7ea
commit 336f473
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 22 deletions.
diff --git a/vault.yaml b/vault.yaml
@@ -1,7 +1,7 @@
 package:
   name: vault
   version: 1.13.2
-  epoch: 3
+  epoch: 4
   description: Tool for encryption as a service, secrets and privileged access management
   copyright:
     - license: MPL-2.0
@@ -56,19 +56,15 @@ pipeline:
 
       install -m755 -D ./vault/bin/vault "${{targets.destdir}}/usr/bin/vault"
 
-      # Directory for config
-      mkdir "${{targets.destdir}}/etc/vault"
-      # Vault user must be able to write to this
-      chmod 777 "${{targets.destdir}}/etc/vault"
+      # Directory for config. Vault user needs write privileges
+      install -m777 -d "${{targets.destdir}}/etc/vault"
 
-      # Directory for logs
+      # Directory for logs. Vault user needs write privilveges.
       install -m777 -d "${{targets.destdir}}/var/lib/vault"
       install -m777 -d "${{targets.destdir}}/var/log/vault"
 
   - uses: strip
 
-  - runs: setcap cap_ipc_lock=+ep "${{targets.destdir}}/usr/bin/vault"
-
 subpackages:
   - name: "vault-entrypoint"
     description: "Container entrypoint script for vault and required dependencies"

diff --git a/vault/docker-entrypoint.sh b/vault/docker-entrypoint.sh
@@ -104,23 +104,19 @@ if [ "$1" = 'vault' ] && [ "$(id -u)" = '0' ]; then
         fi
     fi
 
-    # In the case vault has been started in a container without IPC_LOCK privileges
-    # Note this will probably require running as root and setcap
-    if ! vault -version 1>/dev/null 2>/dev/null; then
-	>&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
-	setcap cap_ipc_lock=-ep "$(readlink -f $(which vault))"
-    fi
 
-    set -- su-exec vault "$@"
-fi
+    if [ -z "$SKIP_SETCAP" ]; then
+        # Allow mlock to avoid swapping Vault memory to disk
+        setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
 
-# Check if we can run (have IPC_LOCK cap)
-if [ "$1" = 'vault' ]; then
-    if ! vault -version 1>/dev/null 2>/dev/null; then
-	>&2 echo "Vault requires the IPC_LOCK capability. Use --cap-add IPC_LOCK or equivalent to run Vault." 
-	>&2 echo "If this isn't possible, use --user=root to disable IPC_LOCK."
-	exit 1
+        # In the case vault has been started in a container without IPC_LOCK privileges
+        if ! vault -version 1>/dev/null 2>/dev/null; then
+            >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
+            setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+        fi
     fi
+
+    set -- su-exec vault "$@"
 fi
 
 exec "$@"