Problem
When deploying Terraform Enterprise Flexible Deployment Options (FDO) with Docker rootless, the application will hang at startup with the following message:
{"component":"archivist","log":"Error checking seal status: Get \"http://127.0.0.1:8200/v1/sys/seal-status\": dial tcp 127.0.0.1:8200: connect: connection refused"}
The vault.log file in /var/log/terraform-enterprise/vault.log will show the following error:
Waiting for Vault to become active.
Error initializing core: Failed to lock memory: cannot allocate memory
This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
Cause
This issue occurs because a rootless Docker container lacks the privileges Vault needs to lock its memory with mlock, so Vault fails to initialize when the mlock setting is enabled.
Solution
In order to avoid this startup failure, the following configuration needs to be added to your Docker Compose file (compose.yml):
TFE_VAULT_DISABLE_MLOCK: true
After changing this setting, the application will need to be restarted with the following commands:
docker compose down
docker compose up --detach
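As an added illustration, not taken from the original article or from HashiCorp's own documentation, the following minimal compose.yml shows where the setting belongs: inside the environment block of the Terraform Enterprise service. The service name tfe, the image tag placeholder and the other TFE_* variables shown are assumptions and must match the values already present in your file; only TFE_VAULT_DISABLE_MLOCK is the line this article asks you to add.

```yaml
# Assumed service name and image tag; replace with the values from your own compose.yml.
services:
  tfe:
    image: images.releases.hashicorp.com/hashicorp/terraform-enterprise:<VERSION_PLACEHOLDER>
    environment:
      # Existing settings (examples of what is already in the file).
      TFE_HOSTNAME: tfe.example.com
      TFE_LICENSE_PATH: /etc/terraform-enterprise/license.hclic
      # Setting added for Docker rootless: Vault starts without calling mlock.
      TFE_VAULT_DISABLE_MLOCK: true
```

After saving the file, run `docker compose down` followed by `docker compose up --detach` so the container is recreated with the new environment. Disabling mlock means the kernel may swap Vault's memory to disk, so on hosts that require this setting keep swap disabled or encrypted to avoid key material being written to disk in the clear.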
Additional Information
References
- Docker - Installation - Flexible Deployment Options - Terraform Enterprise
- Configuration Reference - Vault Settings - Flexible Deployment Options