I am in the process of setting up a HashiCorp Vault container. This wasn’t a huge issue when I set it up on vanilla LXC, which seems to support it if it was manually started, but on Incus I cannot for the life of me figure out why it cannot start with mlock capabilities.
I have some memory at least to be locked, not much but…
ulimit -l
8192
And from what I can see I do have the IPC_LOCK capability in container.
Did some tests myself. Fixed the issue, it seems to have been a lack of memory.
1 GB was too little. I didn’t try anywhere between 1 GB and 1.5 GB, but 1.5 GB seems sufficient to start the service. I do not know how well it runs though.
I simply had to change the container’s available memory with:
sudo incus config set foobar limits.kernel.memlock=1610612736
I also attempted to give the LimitMEMLOCK entry the memory specified in limits.kernel.memlock, but this did not seem to work. I am unsure what extra option LimitMEMLOCK=infinity, which works, enables. It could be that I had to give LimitMEMLOCK less memory than provided; I did not try.
Sadly I couldn’t find too much documentation on the behind the scenes part of it.
EDIT: 1.5 GB seems too unstable; Vault starts but crashes after some time. Changed to 2 GB, which has been running for 3 hours now without crashes. Might update later if it stays stable.
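The checks implied by this thread, as an added example that is not part of the original post: a small POSIX shell script that tests the two conditions a process needs before mlock can succeed (CAP_IPC_LOCK in its effective capability set, and a memlock rlimit large enough for what Vault wants to lock) and computes the byte value to hand to limits.kernel.memlock. The container name foobar is taken from the post; the sample capability masks and the 1536 MiB (1.5 GiB) requirement are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check CAP_IPC_LOCK and the
# memlock rlimit, and compute the byte value for
#   incus config set <container> limits.kernel.memlock=<bytes>
# Container name "foobar" and the sample capability masks are constructed.

# Return 0 if the hex capability mask $1 (the value column of the CapEff line
# in /proc/<pid>/status) has CAP_IPC_LOCK set. CAP_IPC_LOCK is capability
# number 14 in linux/capability.h, i.e. bit 0x4000 of the lowest 16 bits.
cap_has_ipc_lock() {
    mask="$1"
    low="${mask#"${mask%????}"}"   # last four hex digits = bits 0-15
    [ -n "$low" ] || low="$mask"   # masks shorter than 4 digits: use as-is
    [ $(( 0x$low & 0x4000 )) -ne 0 ]
}

# Convert a limit given in MiB to the byte count limits.kernel.memlock expects.
# mib_to_bytes 1536 prints 1610612736, the 1.5 GiB value used in the post.
mib_to_bytes() {
    echo $(( $1 * 1024 * 1024 ))
}

# $1 is the output of `ulimit -l` (KiB, or the word "unlimited"); $2 is the
# number of bytes that must be lockable. Return 0 if the limit is enough.
memlock_sufficient() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;   # unparsable value: treat as insufficient
    esac
    [ $(( $1 * 1024 )) -ge "$2" ]
}

# Live check of the current shell, printed for the reader. Nothing below is
# needed by the functions above; it only demonstrates them.
if [ -r /proc/self/status ]; then
    live_mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if cap_has_ipc_lock "$live_mask"; then
        echo "CapEff=$live_mask: CAP_IPC_LOCK present"
    else
        echo "CapEff=$live_mask: CAP_IPC_LOCK missing (mlock fails regardless of ulimit)"
    fi
fi

cur_limit=$(ulimit -l 2>/dev/null || echo 0)
needed=$(mib_to_bytes 1536)
if memlock_sufficient "$cur_limit" "$needed"; then
    echo "ulimit -l = $cur_limit KiB: enough for $needed bytes"
else
    echo "ulimit -l = $cur_limit KiB: too small for $needed bytes; on the host run:"
    echo "  sudo incus config set foobar limits.kernel.memlock=$needed"
fi
```

Note the unit mismatch the script papers over: `ulimit -l` reports KiB, while `limits.kernel.memlock` takes bytes, so the 8192 shown in the question is 8 MiB, far below what the post ended up needing. Both checks have to pass; a generous rlimit does nothing if the effective capability set lacks CAP_IPC_LOCK, and vice versa.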