From c748b43e1c9e266f3ec3c19a4879ed06008aec14 Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Tue, 11 Jun 2024 09:50:05 +0300
Subject: [PATCH] initial commit
---
 .gitignore | 1 +
 Dockerfile | 15 ++
 Dockerfile.deps | 49 ++++++
 LICENSE | 175 +++++++++++++++++++
 docker-entrypoint.sh | 405 +++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 645 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 Dockerfile.deps
 create mode 100644 LICENSE
 create mode 100755 docker-entrypoint.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6d5d25a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/vault-v*
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..4c61257
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+FROM docker.io/rockdrilla/vault:deps
+SHELL [ "/bin/sh", "-ec" ]
+
+ARG VAULT_VERSION
+ENV VAULT_VERSION=${VAULT_VERSION}
+
+ARG PLATFORM_SUFFIX
+COPY /vault-v${VAULT_VERSION}${PLATFORM_SUFFIX} /usr/local/bin/vault
+COPY /docker-entrypoint.sh /usr/local/bin/
+
+## qa/smoke
+RUN set -x ; \
+ vault --version
+
+USER vault
diff --git a/Dockerfile.deps b/Dockerfile.deps
new file mode 100644
index 0000000..e69b6ea
--- /dev/null
+++ b/Dockerfile.deps
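Review bot: `FROM docker.io/rockdrilla/vault:deps` is a floating tag, so every rebuild of the deps image silently changes what this image ships; pin it by digest (`FROM docker.io/rockdrilla/vault:deps@sha256:<DEPS_IMAGE_DIGEST>`) and bump it deliberately. The `COPY /vault-v${VAULT_VERSION}${PLATFORM_SUFFIX} /usr/local/bin/vault` line takes a pre-downloaded binary from the build context with no integrity check, so the trust in the shipped binary rests entirely on whoever populated the context; passing the vendor-published SHA256 as a build `ARG` (say `VAULT_SHA256`) and checking it in the smoke-test `RUN` before `vault --version` (`echo "${VAULT_SHA256}  /usr/local/bin/vault" | sha256sum -c -`) makes that explicit and fails the build on a tampered or wrong-platform file. Since `VAULT_VERSION` only selects the file to copy, it could stay an `ARG` rather than being persisted with `ENV` unless something at runtime reads it.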
@@ -0,0 +1,49 @@
+FROM docker.io/library/debian:bookworm-slim
+SHELL [ "/bin/sh", "-ec" ]
+
+## install tools
+RUN apt-get update ; \
+ apt-get -y upgrade ; \
+ apt-get -y install \
+ ca-certificates \
+ curl \
+ dumb-init \
+ gnupg \
+ iproute2 \
+ jq \
+ less \
+ libcap2-bin \
+ lsof \
+ netbase \
+ openssl \
+ procps \
+ psmisc \
+ tzdata \
+ vim-tiny \
+ ; \
+ ## install vim-tiny as variant for vim
+ update-alternatives --install /usr/bin/vim vim /usr/bin/vim.tiny 1 ; \
+ ## quirk for vim-tiny
+ find /usr/share/vim/ -name debian.vim -print0 \
+ | sed -z 's/debian.vim/defaults.vim/' \
+ | xargs -0 -r touch ; \
+ ## cleanup
+ find /var/lib/apt/lists/ /var/cache/apt/archives/ -mindepth 1 -delete
+
+## setup user/group/homedir
+RUN _uid=22222 ; \
+ echo "vault:x:${_uid}:${_uid}:vault:/home/vault:/bin/false" >> /etc/passwd ; \
+ echo "vault:!:::::::" >> /etc/shadow ; \
+ echo "vault:x:${_uid}:" >> /etc/group ; \
+ install -d -o vault -g vault -m 0750 /home/vault /vault
+WORKDIR /home/vault
+
+## setup layout & volumes
+RUN env -C /vault \
+ install -d -o vault -g vault -m 0750 config file logs
+VOLUME [ "/vault/file", "/vault/logs" ]
+
+EXPOSE 8200
+
+ENTRYPOINT [ "dumb-init", "--", "docker-entrypoint.sh" ]
+CMD [ "server", "-dev" ]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..67db858
--- /dev/null
+++ b/LICENSE
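Review bot: The `apt-get -y upgrade` in the tools `RUN`, combined with unpinned package names, makes this base layer non-reproducible: two builds of the same file can yield different package sets (hadolint DL3005/DL3008). Prefer dropping the upgrade, refreshing by bumping a digest-pinned base (`FROM docker.io/library/debian:bookworm-slim@sha256:<BASE_DIGEST>`), and pinning the packages whose versions matter. `less`, `lsof`, `procps`, `psmisc` and `vim-tiny` are interactive debugging tools that play no part in running Vault but enlarge the attack surface of every derived image; consider leaving them out of the runtime image or moving them to a debug variant. Note also that `gawk` is not installed here, so `awk` in this image is mawk, while the shipped `docker-entrypoint.sh` calls gawk's `gensub()` in its interface-address helper; either that helper must be made portable or `gawk` belongs in this list.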
@@ -0,0 +1,175 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..ba1ac24
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,405 @@
+#!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
+# (c) 2024, Konstantin Demin
+
+set -ef
+
+# Prevent core dumps
+set +e
+ulimit -Sc 0
+ulimit -Hc 0
+set -e
+
+# not needed anyway
+unset LD_PRELOAD
+
+binary=$(command -v vault) ; : "${binary:?}"
+binary=$(readlink -e "${binary}") ; : "${binary:?}"
+
+have_capability() {
+ # local cap=$1
+ setpriv -d | awk -F: '/^Capability bounding set:/{print $2}' | grep -Eiq "(^\s*|,)$1(,|\$)"
+}
+
+have_ipc_lock=1
+have_capability ipc_lock || have_ipc_lock=0
+
+# ref: https://pkg.go.dev/strconv#ParseBool
+gobool_to_int() {
+ # local value=$1
+ # local default=$2
+ case "$1" in
+ 1 | t | T | TRUE | true | True ) echo 1 ;;
+ 0 | f | F | FALSE | false | False ) echo 0 ;;
+ * ) echo "${2:-error}" ;;
+ esac
+}
+
+int_to_gobool() {
+ # local int=$1
+ case "$1" in
+ 0 ) echo false ;;
+ 1 ) echo true ;;
+ esac
+}
+
+# ref: https://developer.hashicorp.com/vault/docs/configuration#disable_mlock
+with_mlock=$(gobool_to_int "${VAULT_DISABLE_MLOCK:-0}" 1)
+with_mlock=$((1 - with_mlock))
+
+# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
+# config files in there if you use this image as a base, or use
+# VAULT_LOCAL_CONFIG below.
+VAULT_CONFIG_DIR=${VAULT_CONFIG_DIR:-/vault/config}
+
+case "$1" in
+vault )
+ # no adjustments are required - running Vault with directly specified command and options
+ :
+;;
+-* )
+ # running with options
+ set -- vault "$@"
+;;
+server )
+ shift
+
+ dev_mode=0
+ have_dev_listen=0
+ for i ; do
+ case "$i" in
+ -dev | -dev-tls )
+ dev_mode=1
+ ;;
+ -dev-listen-address )
+ have_dev_listen=1
+ ;;
+ esac
+ done ; unset i
+ # adjust environment for dev mode
+ if [ "${dev_mode}" = 1 ] && [ "${have_dev_listen}" = 0 ] ; then
+ export VAULT_DEV_LISTEN_ADDRESS="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}"
+ fi
+ # not needed anymore
+ unset dev_mode have_dev_listen
+
+ set -- vault server \
+ -config="${VAULT_CONFIG_DIR}" \
+ "$@"
+;;
+version )
+ set -- vault "$@"
+;;
+* )
+ if vault --help "$1" 2>&1 | grep -Fq "vault $1" ; then
+ # We can't use the return code to check for the existence of a subcommand, so
+ # we have to use grep to look for a pattern in the help output.
+ set -- vault "$@"
+ fi
+;;
+esac
+
+if [ "$1" != 'vault' ] ; then
+ unset SKIP_PERMCHECK SKIP_IPC_LOCK SKIP_VAULT_PRECONF SKIP_CHOWN SKIP_SETCAP
+ SKIP_PERMCHECK=1 SKIP_IPC_LOCK=1 SKIP_VAULT_PRECONF=1 SKIP_CHOWN=1 SKIP_SETCAP=1
+fi
+
+if [ "${SKIP_PERMCHECK:-0}" != 1 ] ; then
+ # Due to OpenShift environment compatibility, we have to allow group write
+ # access to the Vault configuration. This requires us to disable the stricter
+ # file permissions checks introduced in Vault v1.11.0.
+ # ref: https://developer.hashicorp.com/vault/docs/configuration
+ with_permcheck=0
+
+ x=none
+
+ # Vault 1.11 and older
+ if [ -n "${VAULT_DISABLE_FILE_PERMISSIONS_CHECK}" ] ; then
+ x=$(gobool_to_int "${VAULT_DISABLE_FILE_PERMISSIONS_CHECK}")
+ case "$x" in
+ 0 | 1 ) with_permcheck=$((1 - x)) ;;
+ esac
+ fi
+
+ # Vault 1.12 and newer
+ if [ -n "${VAULT_ENABLE_FILE_PERMISSIONS_CHECK}" ] ; then
+ x=$(gobool_to_int "${VAULT_ENABLE_FILE_PERMISSIONS_CHECK}")
+ case "$x" in
+ 0 | 1 ) with_permcheck=$x ;;
+ esac
+ fi
+
+ unset x
+
+ # adjust variables
+ set -a
+ VAULT_ENABLE_FILE_PERMISSIONS_CHECK=$(int_to_gobool "${with_permcheck}")
+ VAULT_DISABLE_FILE_PERMISSIONS_CHECK=$(int_to_gobool $((1 - with_permcheck)) )
+ set +a
+ unset with_permcheck
+fi
+unset SKIP_PERMCHECK
+
+if [ "${SKIP_IPC_LOCK:-0}" != 1 ] ; then
+ if [ "${have_ipc_lock}" = 1 ] ; then
+ set +e
+
+ echo "Limits before:"
+ # sed -En '1p;/[Ll]ocked/p' < /proc/$$/limits
+ awk 'NR==1{print} /[Ll]ocked/{print}' /proc/$$/limits
+
+ ulimit -Hl "${MEMLOCK_LIMIT:-unlimited}"
+ x=$(ulimit -Hl)
+ ulimit -Sl "$x"
+ unset x
+
+ echo "Limits after:"
+ # sed -En '1p;/[Ll]ocked/p' < /proc/$$/limits
+ awk 'NR==1{print} /[Ll]ocked/{print}' /proc/$$/limits
+
+ set -e
+ fi >&2
+
+ if [ "${with_mlock}" = 1 ] && [ "${have_ipc_lock}" = 0 ] ; then
+ echo
+ echo '!!!'
+ echo
+ echo "missing CAP_IPC_LOCK privilege: please run container with \`--cap-add IPC_LOCK'"
+ echo 'ref: https://developer.hashicorp.com/vault/docs/configuration#disable_mlock'
+ echo
+ echo '!!!'
+ echo
+ fi >&2
+fi
+unset SKIP_IPC_LOCK
+
+if [ "${SKIP_VAULT_PRECONF:-0}" != 1 ] ; then
+ # You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
+ # Vault configuration JSON without having to bind any volumes.
+ VAULT_LOCAL_CONFIG_FILE=${VAULT_LOCAL_CONFIG_FILE:-"${VAULT_CONFIG_DIR}/local.json"}
+ while [ -n "${VAULT_LOCAL_CONFIG}" ] ; do
+ touch "${VAULT_LOCAL_CONFIG_FILE}" || break
+ printf '%s' "${VAULT_LOCAL_CONFIG}" > "${VAULT_LOCAL_CONFIG_FILE}" || break
+ break
+ done
+ unset VAULT_LOCAL_CONFIG VAULT_LOCAL_CONFIG_FILE
+
+ # Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface
+ # name instead of an IP address. The interface name is specified using
+ # VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
+ # VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
+ # number with the IP of the named interface.
+
+ have_iproute2=1
+ command -v ip >/dev/null 2>&1 || have_iproute2=0
+ err_iproute2_missing() {
+ printf '%s\n' "$1: iproute2 (/usr/sbin/ip) is missing" >&2
+ }
+
+ err_iface_missing() {
+ printf '%s\n' "$1: interface error" >&2
+ }
+ err_ipv4_addr_missing() {
+ printf '%s\n' "$1: no IPv4 addresses are present on interface" >&2
+ }
+
+ iface_exist() {
+ # local if_name=$1
+ ip link show dev "$1" >/dev/null
+ }
+ get_iface_ipv4_addr () {
+ # local if_name=$1
+ # local uri_template=$2
+ ip address show dev "$1" \
+ | awk -v "uri=$2" \
+ '/^\s*inet\s/ {
+ ip=gensub(/(.+)\/.+/, "\\1", "g", $2)
+ print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri)
+ exit
+ }'
+ }
+
+ while [ -n "${VAULT_REDIRECT_INTERFACE}" ] ; do
+ new_vault_redirect_addr=${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"}
+ errmsg_vault_redirect_interface="unable to adjust VAULT_REDIRECT_ADDR='${new_vault_redirect_addr}' with VAULT_REDIRECT_INTERFACE='${VAULT_REDIRECT_INTERFACE}'"
+
+ if [ "${have_iproute2}" = 0 ] ; then
+ err_iproute2_missing "${errmsg_vault_redirect_interface}"
+ break
+ fi
+ if ! iface_exist "${VAULT_REDIRECT_INTERFACE}" ; then
+ err_iface_missing "${errmsg_vault_redirect_interface}"
+ break
+ fi
+
+ set +e
+ new_vault_redirect_addr=$(get_iface_ipv4_addr "${VAULT_REDIRECT_INTERFACE}" "${new_vault_redirect_addr}")
+ set -e
+ if [ -z "${new_vault_redirect_addr}" ] ; then
+ err_ipv4_addr_missing "${errmsg_vault_redirect_interface}"
+ break
+ fi
+
+ if [ -n "${VAULT_REDIRECT_ADDR}" ] && [ "${VAULT_REDIRECT_ADDR}" != "${new_vault_redirect_addr}" ]; then
+ echo "changing VAULT_REDIRECT_ADDR: ${VAULT_REDIRECT_ADDR} -> ${new_vault_redirect_addr}" >&2
+ fi
+ export VAULT_REDIRECT_ADDR="${new_vault_redirect_addr}"
+ echo "using interface ${VAULT_REDIRECT_INTERFACE} for VAULT_REDIRECT_ADDR: ${VAULT_REDIRECT_ADDR}" >&2
+ break
+ done
+ unset VAULT_REDIRECT_INTERFACE new_vault_redirect_addr errmsg_vault_redirect_interface
+
+ while [ -n "${VAULT_CLUSTER_INTERFACE}" ] ; do
+ new_vault_cluster_addr=${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"}
+ errmsg_vault_cluster_interface="unable to adjust VAULT_CLUSTER_ADDR='${new_vault_cluster_addr}' with VAULT_CLUSTER_INTERFACE='${VAULT_CLUSTER_INTERFACE}'"
+
+ if [ "${have_iproute2}" = 0 ] ; then
+ err_iproute2_missing "${errmsg_vault_cluster_interface}"
+ break
+ fi
+ if ! iface_exist "${VAULT_CLUSTER_INTERFACE}" ; then
+ err_iface_missing "${errmsg_vault_cluster_interface}"
+ break
+ fi
+
+ set +e
+ new_vault_cluster_addr=$(get_iface_ipv4_addr "${VAULT_CLUSTER_INTERFACE}" "${new_vault_cluster_addr}")
+ set -e
+ if [ -z "${new_vault_cluster_addr}" ] ; then
+ err_ipv4_addr_missing "${errmsg_vault_cluster_interface}"
+ break
+ fi
+
+ if [ -n "${VAULT_CLUSTER_ADDR}" ] && [ "${VAULT_CLUSTER_ADDR}" != "${new_vault_cluster_addr}" ] ; then
+ echo "changing VAULT_CLUSTER_ADDR: ${VAULT_CLUSTER_ADDR} -> ${new_vault_cluster_addr}" >&2
+ fi
+ export VAULT_CLUSTER_ADDR="${new_vault_cluster_addr}"
+ echo "using ${VAULT_CLUSTER_INTERFACE} for VAULT_CLUSTER_ADDR: ${VAULT_CLUSTER_ADDR}"
+ break
+ done
+ unset VAULT_CLUSTER_INTERFACE new_vault_cluster_addr errmsg_vault_cluster_interface
+fi
+unset SKIP_VAULT_PRECONF
+
+while [ "${SKIP_CHOWN:-0}" != 1 ] ; do
+ vault_uid=$(id -u vault) || break
+
+ fix_ownership() {
+ x=0
+ for i ; do
+ [ -n "$i" ] || continue
+
+ if ! [ -d "$i" ] ; then
+ # NB: running through `env' to avoid shell glitch
+ env printf 'not a directory: %q\n' "$i" >&2
+ continue
+ fi
+
+ # NB: running through `env' to avoid shell glitch
+ x=$(env stat -Lc '%u' "$i")
+ if [ "$x" = "${vault_uid}" ] ; then
+ # nothing to fix (probably)
+ continue
+ fi
+
+ if ! chown -R vault:vault "$i" ; then
+ # NB: running through `env' to avoid shell glitch
+ env printf 'Could not chown %q (may not have appropriate permissions)\n' "$i" >&2
+ fi
+ done
+ unset x i
+ }
+
+ find_fast() {
+ find "$@" -printf . -quit | grep -Fq .
+ }
+
+ check_ownership() {
+ for i ; do
+ [ -n "$i" ] || continue
+
+ if ! [ -d "$i" ] ; then
+ # NB: running through `env' to avoid shell glitch
+ env printf 'not a directory: %q\n' "$i" >&2
+ continue
+ fi
+
+ find_fast "$i/" ! -uid "${vault_uid}" || continue
+
+ echo "files not owned by Vault:" >&2
+ set +e
+ find "$i/" ! -uid "${vault_uid}" -ls
+ set -e
+ done
+ unset i
+ }
+
+ fix_ownership /vault/config /vault/logs /vault/file
+ check_ownership /vault/config /vault/logs /vault/file
+
+ break
+done
+unset SKIP_CHOWN
+
+if [ "${SKIP_SETCAP:-0}" != 1 ] ; then
+ have_libcap2=1
+ command -v setcap >/dev/null 2>&1 || have_libcap2=0
+ err_libcap2_missing() {
+ printf '%s\n' "$1: libcap2-bin (/usr/sbin/setcap) is missing" >&2
+ }
+
+ drop_ipc_lock=0
+ # try running Vault with CAP_IPC_LOCK
+ while [ "${with_mlock}" = 1 ] ; do
+ errmsg_vault_mlock="unable to run Vault with CAP_IPC_LOCK"
+
+ if [ "${have_libcap2}" = 0 ] ; then
+ err_libcap2_missing "${errmsg_vault_mlock}"
+ break
+ fi
+
+ if ! setcap cap_ipc_lock=+ep "${binary}" ; then
+ echo "${errmsg_vault_mlock}: setcap failed (read-only filesystem?)"
+ break
+ fi
+
+ # In the case vault has been started in a container without IPC_LOCK privileges
+ if ! "${binary}" -version >/dev/null 2>&1 ; then
+ echo "${errmsg_vault_mlock}"
+ drop_ipc_lock=1
+ break
+ fi
+
+ break
+ done
+ unset errmsg_vault_mlock
+
+ # not needed anymore
+ unset have_libcap2
+
+ if [ "${drop_ipc_lock}" = 1 ] ; then
+ # ignore any error
+ setcap cap_ipc_lock=-ep "${binary}" || :
+ fi
+ unset drop_ipc_lock
+fi
+unset SKIP_SETCAP
+
+# not needed anymore
+unset have_ipc_lock have_iproute2 with_mlock
+
+# In case of Docker, where swap may be enabled, we
+# still require mlocking to be available. So this script
+# was executed as root to make this happen, however,
+# we're now rerunning the entrypoint script as the Vault
+# user but no longer need to run setup code for setcap
+# or chowning directories (previously done on the first run).
+if [ "$(id -u)" = '0' ] ; then
+ export SKIP_PERMCHECK=1 SKIP_IPC_LOCK=1 SKIP_VAULT_PRECONF=1 SKIP_CHOWN=1 SKIP_SETCAP=1
+ exec \
+ setpriv --reuid=vault --regid=vault --init-groups \
+ env USER=vault LOGNAME=vault HOME=/home/vault SHELL=/bin/sh \
+ "$0" "$@"
+else
+ exec "$@"
+fi
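Review bot: `get_iface_ipv4_addr` calls gawk's `gensub()`, but the runtime image built from `Dockerfile.deps` is `debian:bookworm-slim` with no gawk, so `awk` is mawk and the call aborts with an undefined-function error; the helper then yields nothing and the caller reports the misleading "no IPv4 addresses are present on interface", so `VAULT_REDIRECT_INTERFACE` and `VAULT_CLUSTER_INTERFACE` never take effect. The rewrite below uses only POSIX awk and shell parameter expansion to splice the interface address between the template's scheme and port, and returns non-zero when the interface has no IPv4 address so the caller's emptiness check keeps working. Two smaller points: the `-dev-listen-address )` pattern in the `server` branch matches only the bare flag, so `-dev-listen-address=ADDR` still leads to `VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200` being exported (harmless if the explicit flag wins, but `-dev-listen-address | -dev-listen-address=* )` would be exact), and the `echo "using ${VAULT_CLUSTER_INTERFACE} for VAULT_CLUSTER_ADDR: …"` line writes to stdout while its `VAULT_REDIRECT_ADDR` twin goes to `>&2`. A comment next to the `VAULT_DEV_LISTEN_ADDRESS` default, e.g. `# dev mode listens on all interfaces unless the caller sets VAULT_DEV_LISTEN_ADDRESS or -dev-listen-address`, would make that exposure decision visible to operators.
```sh
 get_iface_ipv4_addr () {
 # local if_name=$1
 # local uri_template=$2
 # first IPv4 address on the interface; POSIX awk only (mawk/gawk/busybox all work)
 _ip=$(ip address show dev "$1" \
 | awk '/^[[:space:]]*inet[[:space:]]/ { sub(/\/.*$/, "", $2) ; print $2 ; exit }')
 if [ -z "${_ip}" ] ; then
 unset _ip
 return 1
 fi
 # keep the template's scheme and port, swap in the interface address
 printf '%s://%s:%s\n' "${2%%://*}" "${_ip}" "${2##*:}"
 unset _ip
 }
```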