Problem
The Terraform Enterprise application fails to start. The tfe-base-startup container exits with a non-zero status code.
Container tfe-base-startup failed: Container 5275bd7d6892a2dd400dab2e47f9529f4fe75d95a3ded95e16bb06d87d1b5e38 exited with non-zero exit status 1:
Inspecting the startup container logs shows a timeout error when waiting for a Vault token.
INFO: Vault token retrieval timeout not yet reached
ERROR: Operation timed out waiting for vault token
Checking the logs for the tfe-vault container reveals a memory allocation error.
Error initializing core: Failed to lock memory: cannot allocate memory This usually means that the mlock syscall is not available. Vault uses mlock to prevent memory from being swapped to disk. This requires root privileges as well as a machine that supports mlock. Please enable mlock on your system or disable Vault from using it. To disable Vault from using it, set the `disable_mlock` configuration option in your configuration file.
The tfe-vault container may restart several times before exiting completely.
Prerequisites
- Terraform Enterprise versions v202205-1 through v202308-1
- Replicated installer
Cause
This issue occurs when the no-new-privileges option is enabled in the Docker daemon configuration file, located at /etc/docker/daemon.json.
{
  "no-new-privileges": true
}

This security option prevents container processes from gaining additional privileges. As a result, commands like su or sudo fail inside the container. In the affected Terraform Enterprise versions, the vault server process is associated with the systemd daemon and requires these privileges to lock memory during startup, which causes the process to fail.
Solution
To resolve this issue, you must disable the no-new-privileges option in the Docker configuration and restart the services.
- Stop the Terraform Enterprise application using the Replicated console or CLI.

  # replicatedctl app stop -f

- Remove the "no-new-privileges": true option from /etc/docker/daemon.json and reload the daemon configuration.

  # sudo systemctl daemon-reload

- Restart the Docker service to apply the changes.

  # sudo systemctl restart docker

- Confirm the Replicated service is ready, then start the Terraform Enterprise application.

  # replicatedctl system status
  ##...
  {
    "Replicated": "ready",
    "Retraced": "ready"
  }
  # replicatedctl app start
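The edit in the second step is the one part of the procedure that is easy to get wrong by hand: daemon.json must remain valid JSON, and every other setting in it (log driver, storage options, registry mirrors) must survive, or Docker will fail to start after the restart. Note also that "no-new-privileges" in daemon.json applies to every container on the host, not only to the Terraform Enterprise containers, so it is worth keeping a backup of the original file. The following helper is an added example for this article, not HashiCorp or Docker code. It assumes daemon.json is plain JSON (Docker does not accept comments in that file), detects whether the option is set, and writes a copy with only that key removed; the sample configuration in it is constructed.

```python
"""Check a Docker daemon.json for "no-new-privileges": true and rewrite
the file with only that key removed, keeping a backup of the original.

Added example for this article (not HashiCorp or Docker code). Assumes
daemon.json is plain JSON and that every other key should be preserved."""
import json
import os
import sys
import tempfile

OPTION = "no-new-privileges"


def no_new_privileges_enabled(config_text: str) -> bool:
    """Return True when the daemon config sets no-new-privileges to true.
    An empty file is treated as an empty object (Docker defaults)."""
    config = json.loads(config_text) if config_text.strip() else {}
    return config.get(OPTION) is True


def strip_no_new_privileges(config_text: str) -> str:
    """Return the config as pretty-printed JSON with the one option removed.
    All other keys are left untouched so the change stays minimal."""
    config = json.loads(config_text) if config_text.strip() else {}
    config.pop(OPTION, None)
    return json.dumps(config, indent=2) + "\n"


def rewrite_daemon_json(path: str) -> bool:
    """Rewrite `path` in place if the option is set; return True if changed.
    A `.bak` copy of the original is written first so the hardening
    setting can be restored later."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    if not no_new_privileges_enabled(original):
        return False
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(strip_no_new_privileges(original))
    return True


# Constructed sample: the option from the article plus one unrelated key,
# to show that unrelated settings survive the rewrite.
SAMPLE_DAEMON_JSON = """{
  "no-new-privileges": true,
  "log-driver": "json-file"
}
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python3 fix_daemon_json.py /etc/docker/daemon.json
        # (run with enough privilege to write the file, then follow the
        # daemon-reload / restart steps above).
        target = sys.argv[1]
    else:
        # Offline demonstration on a temporary copy of the sample.
        fd, target = tempfile.mkstemp(suffix=".json")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DAEMON_JSON)
    changed = rewrite_daemon_json(target)
    print(f"{target}: {'option removed, backup written' if changed else 'no-new-privileges not set; nothing to do'}")
    with open(target, encoding="utf-8") as fh:
        print(fh.read())
```

Run it with the real path as the only argument after stopping the application; with no argument it demonstrates the rewrite on a temporary file so the behaviour can be checked before touching the host.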
Outcome
The Terraform Enterprise application should now start successfully. You can check the container logs to confirm that Vault initialized correctly and created a token.
Verifying the tfe-base-startup container logs shows the token was decrypted.
# docker logs tfe-base-startup
##...
INFO: Vault token retrieval timeout not yet reached
INFO: Decrypting token
Verifying the tfe-vault container logs shows that Vault is initialized and unsealed.
# docker logs tfe-vault
##...
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.10.2
Storage Type    postgresql
Cluster Name    vault-cluster-3e9a1e9d
Cluster ID      e37de6c2-6ec2-8d37-c8fb-f8b4de7227db
HA Enabled      false
+ Creating vault token for use by services
+ Successfully created vault token
+ renewing vault token