Skip to content

plugincontainer: Support mlock#94

Merged
tomhjp merged 6 commits intomainfrom
plugincontainer/support-mlock-for-plugins
Sep 22, 2023
Merged

plugincontainer: Support mlock#94
tomhjp merged 6 commits intomainfrom
plugincontainer/support-mlock-for-plugins

Conversation

@tomhjp
Copy link
Copy Markdown
Contributor

@tomhjp tomhjp commented Sep 21, 2023

When Vault's disable_mlock config setting is not set, it also tells plugins to call unix.Mlockall to ensure they don't swap any memory (with potentially sensitive data) out to disk. Without the IPC_LOCK capability, this is not possible inside a container, and previously meant containerized plugins would fail to start. hashicorp/vault#23215 is a WIP PR with the consumption of the new Config.CapIPCLock option.

To ensure better test coverage, I formalised the options we are interested in into a TestCompatibilityMatrix test. Some tests are skipped as they are known not to work, and some are skipped as TODO items, waiting to set up CI so they can pass. I'll be working to remove most/all of these skips over the coming weeks.

Also fixes a couple of small bugs and tidy-ups:

  • Config's Tag field was not correctly set, found in one of the new tests
  • The error message for a plugin that needs updating reported one of the wrong directories
  • Refactors most of the tests into an external plugincontainer_test package so they are forced to use the library like an external consumer (Vault) would.
  • A couple of errors are made more descriptive.

swenson
swenson reviewed Sep 21, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks mostly good. One question in the main().

I appreciate all of the automated tests, as it is a pain to get all of the combinations working on my own Linux desktop :)

Comment thread plugincontainer/compatibility_matrix_test.go
Comment thread plugincontainer/compatibility_matrix_test.go
Comment thread plugincontainer/examples/container/plugin-counter/main.go Outdated
swenson
swenson approved these changes Sep 21, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tomhjp tomhjp mentioned this pull request Sep 21, 2023
Merged
@tomhjp
Copy link
Copy Markdown
Contributor Author

tomhjp commented Sep 22, 2023

Thanks!

@tomhjp tomhjp merged commit 707a9aa into main Sep 22, 2023
@tomhjp tomhjp deleted the plugincontainer/support-mlock-for-plugins branch September 22, 2023 10:38
Closed
@campaigner-prod campaigner-prod Bot mentioned this pull request Apr 23, 2026
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fairclothjm fairclothjm Awaiting requested review from fairclothjm

@mickael-hc mickael-hc Awaiting requested review from mickael-hc

@jefferai jefferai Awaiting requested review from jefferai

1 more reviewer

@swenson swenson swenson approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tomhjp @swenson