Introduction
This article provides a solution for a startup failure in Terraform Enterprise Flexible Deployment Options (FDO) when using Docker in rootless mode. The failure is related to Vault's mlock syscall and memory allocation permissions.
Problem
When you deploy Terraform Enterprise FDO with Docker in rootless mode, the application may hang during startup. The primary log output shows a connection refused error for Vault.
    {"component":"archivist","log":"Error checking seal status: Get \"http://127.0.0.1:8200/v1/sys/seal-status\": dial tcp 127.0.0.1:8200: connect: connection refused"}

The Vault log file at /var/log/terraform-enterprise/vault.log contains a more specific error message indicating a failure to lock memory.

    Waiting for Vault to become active.
    Error initializing core: Failed to lock memory: cannot allocate memory
    This usually means that the mlock syscall is not available. Vault uses mlock to prevent memory from being swapped to disk. This requires root privileges as well as a machine
Cause
This issue occurs because Docker in rootless mode lacks the necessary permissions to allow the embedded Vault service to use the mlock syscall. The mlock syscall prevents memory from being swapped to disk, which is a security feature that requires elevated privileges not available in a rootless environment.
Solution
To resolve this issue, you must disable the mlock functionality for the embedded Vault service.
1. Add the TFE_VAULT_DISABLE_MLOCK environment variable to your Docker Compose file, compose.yml, under the tfe-vault service definition.

    services:
      tfe-vault:
        # ... other settings
        environment:
          TFE_VAULT_DISABLE_MLOCK: "true"
        # ... other settings

2. After updating the compose.yml file, restart the Terraform Enterprise application using the following commands.

    $ docker compose down
    $ docker compose up --detach

This configuration change allows Vault to start without requiring mlock privileges, resolving the startup failure. Note that with mlock disabled, Vault's process memory is no longer pinned and can be written to swap; if the host has swap enabled, consider disabling it (or using encrypted swap) so that secrets held in memory are not written to disk.
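The two steps above (spot the mlock failure in vault.log, confirm the compose file carries the override) can be checked before restarting the stack. The following POSIX shell script is an added example, not part of the HashiCorp article or the Terraform Enterprise tooling; the file paths, log lines and compose fragments it creates under a temporary directory are constructed for the demonstration, and the verdict strings are this script's own.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): pre-flight check for the mlock startup
# failure. Sample files below are constructed; in practice point the functions
# at /var/log/terraform-enterprise/vault.log and your compose.yml.

# Return 0 if the Vault log contains the "Failed to lock memory" signature.
vault_log_has_mlock_failure() {
  grep -q 'Failed to lock memory' "$1"
}

# Return 0 if compose.yml sets TFE_VAULT_DISABLE_MLOCK to true (quoted or not).
compose_disables_mlock() {
  grep -Eq '^[[:space:]]*TFE_VAULT_DISABLE_MLOCK:[[:space:]]*"?true"?[[:space:]]*$' "$1"
}

# Print a verdict. Returns 0 when no action is needed, 1 when the operator
# still has to edit compose.yml or restart the stack.
mlock_preflight() {
  log="$1"; compose="$2"
  if vault_log_has_mlock_failure "$log"; then
    if compose_disables_mlock "$compose"; then
      echo "mlock failure seen, but TFE_VAULT_DISABLE_MLOCK already true: restart the stack"
      return 1
    fi
    echo "mlock failure seen: add TFE_VAULT_DISABLE_MLOCK: \"true\" under tfe-vault in $compose"
    return 1
  fi
  echo "no mlock failure in $log"
  return 0
}

# --- constructed sample input (hypothetical paths under a temp directory) ---
tmp=$(mktemp -d)
cat > "$tmp/vault.log" <<'EOF'
Waiting for Vault to become active.
Error initializing core: Failed to lock memory: cannot allocate memory
EOF
cat > "$tmp/clean.log" <<'EOF'
Waiting for Vault to become active.
EOF
cat > "$tmp/compose.yml" <<'EOF'
services:
  tfe-vault:
    environment:
      TFE_VAULT_DISABLE_MLOCK: "true"
EOF
cat > "$tmp/compose-missing.yml" <<'EOF'
services:
  tfe-vault:
    environment: {}
EOF

# Demo run; "|| :" keeps the script going regardless of the verdict.
mlock_preflight "$tmp/vault.log"  "$tmp/compose-missing.yml" || :
mlock_preflight "$tmp/vault.log"  "$tmp/compose.yml"         || :
mlock_preflight "$tmp/clean.log"  "$tmp/compose.yml"         || :
```

Run it once before `docker compose up --detach`; a non-zero exit from mlock_preflight means the log still shows the mlock error and either the override is missing or the containers have not been restarted since it was added.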
Additional Information
- For more details on Docker installation for Terraform Enterprise FDO, refer to the Docker Installation documentation.
- For a complete list of Vault settings, see the Configuration Reference for Vault Settings.