Skip to content

Vault 2.0.1 UBI image cannot start in rootless environments due to IPC_LOCK requirement #31977

Description

@andy66k

Description

Upgrading from Vault 1.21.4 to Vault 2.0.1 (official container image based on UBI / Red Hat registry variant) causes the container to fail to start in rootless Podman environments.

The Vault binary (/usr/bin/vault) is shipped with the file capability cap_ipc_lock=ep. In rootless container environments, this capability cannot be applied or used, resulting in the kernel rejecting execution of the binary with Operation not permitted.

As a result, Vault does not start at all and never reaches configuration parsing. Therefore, disable_mlock (or any Vault configuration) has no effect.

This effectively breaks rootless deployments that worked with Vault 1.21.x.


To Reproduce

Steps to reproduce the behavior:

  • Pull Vault 2.0.1 UBI-based container image:
    podman pull registry.connect.redhat.com/vault:2.0.1-ubi

  • Start an interactive shell in a rootless Podman environment:
    podman run --rm -it --entrypoint /bin/sh

  • Verify file capabilities of Vault binary:
    getcap /usr/bin/vault

  • Attempt to execute Vault binary:
    /usr/bin/vault version

  • Observe error:
    sh: /usr/bin/vault: Operation not permitted

  • Running the default container also fails:
    podman run

Error:
Vault requires the IPC_LOCK capability.
Please use --cap-add IPC_LOCK or add it to the securityContext capabilities
/usr/bin/vault: Operation not permitted2

Expected behavior

Vault binary should start successfully in rootless container environments, optionally falling back to disable_mlock=true when IPC_LOCK capability is not available.

At minimum, the binary should not fail at execution time due to a required file capability in environments where that capability cannot be granted.

Actual behavior

  • /usr/bin/vault cannot be executed at all in rootless Podman.

  • Execution fails with:
    Operation not permitted

  • Vault never starts, so configuration is never loaded.

  • disable_mlock is never evaluated.

  • Rootless deployments that worked in Vault 1.21.4 are broken in Vault 2.0.1.

Environment:

  • Vault version: 2.0.1
  • Previous working version: 1.21.4
  • Container runtime: Podman (rootless)
  • Base image: registry.connect.redhat.com/vault:2.0.1-ubi
  • OS: Linux (RHEL-compatible environment)
  • User namespace: enabled (rootless container execution)

Additional context

The Vault 2.0.1 container image ships /usr/bin/vault with the file capability:
cap_ipc_lock=ep

In rootless container environments, this prevents execution of the binary at the kernel level with:
Operation not permitted

This occurs before Vault can read configuration or apply disable_mlock.

As a result, rootless deployments that worked with Vault 1.21.4 are no longer functional with Vault 2.0.1 using the official container image, even when disable_mlock=true is configured.

This appears to be a regression in container compatibility for rootless runtimes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dockerregressionUsed to indicate possible regressions between versions

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions