docs: document raft and mlock interaction (#9093)

* docs: document raft and mlock interaction

* docs: expand on mlock issue when raft is used

* Update website/pages/docs/configuration/index.mdx

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
This commit is contained in:
Calvin Leung Huang 2020-06-05 15:02:55 -07:00 committed by GitHub
parent e2d5d92b77
commit 0565e28592
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 1 deletions

View file

@ -81,6 +81,17 @@ to specify where the configuration is.
process's entire memory address space from spilling to disk and is therefore
automatically disabled on unsupported platforms.
Disabling `mlock` is strongly recommended if using [integrated
storage](/docs/internals/integrated-storage) due to
the fact that `mlock` does not interact well with memory mapped files such as
those created by BoltDB, which is used by Raft to track state. When using
`mlock`, memory-mapped files get loaded into resident memory which causes
Vault's entire dataset to be loaded in-memory and cause out-of-memory
issues if Vault's data becomes larger than the available RAM. In this case,
even though the data within BoltDB remains encrypted at rest, swap should be
disabled to prevent Vault's other in-memory sensitive data from being dumped
into disk.
On Linux, to give the Vault executable the ability to use the `mlock`
syscall without running the process as root, run:
@ -88,7 +99,9 @@ to specify where the configuration is.
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
```
Note: Since each plugin runs as a separate process, you need to do the same for each plugin in your [plugins directory](/docs/internals/plugins#plugin-directory).
Note: Since each plugin runs as a separate process, you need to do the same
for each plugin in your [plugins
directory](/docs/internals/plugins#plugin-directory).
If you use a Linux distribution with a modern version of systemd, you can add
the following directive to the "[Service]" configuration section:

View file

@ -42,6 +42,9 @@ backend cannot be declared.
~> **Note:** Raft cannot be used as the configured `ha_storage` backend at this
time. To use Raft for HA coordination users must also use Raft for storage.
~> **Note:** When using the Raft storage backend, it is strongly recommended to
set `disable_mlock` to `true`, and to disable memory swapping on the system.
## `raft` Parameters
- `path` `(string: "")` The file system path where all the Vault data gets