From 71c462b3b2e93ffbffa38ab1b0518856ef12dbe6 Mon Sep 17 00:00:00 2001 From: Sheldon Hearn Date: Thu, 28 May 2015 12:40:56 +0200 Subject: [PATCH] Clarify the disable_mlock option --- website/source/docs/config/index.html.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/website/source/docs/config/index.html.md b/website/source/docs/config/index.html.md index 77c93c16c..9e334eab5 100644 --- a/website/source/docs/config/index.html.md +++ b/website/source/docs/config/index.html.md @@ -39,7 +39,7 @@ to specify where the configuration is. * `disable_mlock` (optional) - A boolean. If true, this will disable the server from executing the `mlock` syscall to prevent memory from being - swapped to disk. This is not recommended. + swapped to disk. This is not recommended in production (see below). * `statsite_addr` (optional) - An address to a [Statsite](https://github.com/armon/statsite) instances for metrics. This is highly recommended for production usage. @@ -47,6 +47,16 @@ to specify where the configuration is. * `statsd_addr` (optional) - This is the same as `statsite_addr` but for StatsD. +In production, you should only consider setting the `disable_mlock` option +on Linux systems that only use encrypted swap or do not use swap at all. +Vault does not currently support memory locking on Mac OS X and Windows +and so the feature is automatically disabled on those platforms. To give +the Vault executable access to the `mlock` syscall on Linux systems: + +```shell +sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) +``` + ## Backend Reference For the `backend` section, the supported backends are shown below.
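Review bot: in the `disable_mlock` bullet of the first hunk, "(see below)" points at a paragraph that the second hunk places after the `statsd_addr` entry, two unrelated options further down, so the reader cannot tell what "below" refers to. Consider moving the explanation directly under the `disable_mlock` bullet, or naming the target explicitly, for example "(see the note after this list)".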
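Review bot: in the paragraph added after `statsd_addr`, the last sentence jumps from when `disable_mlock` may be set to how to grant `cap_ipc_lock`, without saying that granting the capability is what to do instead of disabling mlock, or under which conditions the Vault executable lacks that access. A linking clause would make the relationship clear. The paragraph also says the feature is automatically disabled on Mac OS X and Windows but does not say whether the encrypted-swap or no-swap condition still applies to production use on those platforms; one sentence on that would close the gap. In the command, both substitutions are unquoted, so a path containing spaces would split into several arguments; suggest `sudo setcap cap_ipc_lock=+ep "$(readlink -f "$(which vault)")"`.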