Description
Upgrading from Vault 1.21.4 to Vault 2.0.1 (official container image based on UBI / Red Hat registry variant) causes the container to fail to start in rootless Podman environments.
The Vault binary (/usr/bin/vault) is shipped with the file capability cap_ipc_lock=ep. In rootless container environments, this capability cannot be applied or used, resulting in the kernel rejecting execution of the binary with Operation not permitted.
As a result, Vault does not start at all and never reaches configuration parsing. Therefore, disable_mlock (or any Vault configuration) has no effect.
This effectively breaks rootless deployments that worked with Vault 1.21.x.
To Reproduce
Steps to reproduce the behavior:
-
Pull Vault 2.0.1 UBI-based container image:
podman pull registry.connect.redhat.com/vault:2.0.1-ubi
-
Start an interactive shell in a rootless Podman environment:
podman run --rm -it --entrypoint /bin/sh ![]()
-
Verify file capabilities of Vault binary:
getcap /usr/bin/vault
-
Attempt to execute Vault binary:
/usr/bin/vault version
-
Observe error:
sh: /usr/bin/vault: Operation not permitted
-
Running the default container also fails:
podman run ![]()
Error:
Vault requires the IPC_LOCK capability.
Please use --cap-add IPC_LOCK or add it to the securityContext capabilities
/usr/bin/vault: Operation not permitted2
Expected behavior
Vault binary should start successfully in rootless container environments, optionally falling back to disable_mlock=true when IPC_LOCK capability is not available.
At minimum, the binary should not fail at execution time due to a required file capability in environments where that capability cannot be granted.
Actual behavior
-
/usr/bin/vault cannot be executed at all in rootless Podman.
-
Execution fails with:
Operation not permitted
-
Vault never starts, so configuration is never loaded.
-
disable_mlock is never evaluated.
-
Rootless deployments that worked in Vault 1.21.4 are broken in Vault 2.0.1.
Environment:
- Vault version: 2.0.1
- Previous working version: 1.21.4
- Container runtime: Podman (rootless)
- Base image: registry.connect.redhat.com/vault:2.0.1-ubi
- OS: Linux (RHEL-compatible environment)
- User namespace: enabled (rootless container execution)
Additional context
The Vault 2.0.1 container image ships /usr/bin/vault with the file capability:
cap_ipc_lock=ep
In rootless container environments, this prevents execution of the binary at the kernel level with:
Operation not permitted
This occurs before Vault can read configuration or apply disable_mlock.
As a result, rootless deployments that worked with Vault 1.21.4 are no longer functional with Vault 2.0.1 using the official container image, even when disable_mlock=true is configured.
This appears to be a regression in container compatibility for rootless runtimes.
Description
Upgrading from Vault 1.21.4 to Vault 2.0.1 (official container image based on UBI / Red Hat registry variant) causes the container to fail to start in rootless Podman environments.
The Vault binary (
/usr/bin/vault) is shipped with the file capabilitycap_ipc_lock=ep. In rootless container environments, this capability cannot be applied or used, resulting in the kernel rejecting execution of the binary withOperation not permitted.As a result, Vault does not start at all and never reaches configuration parsing. Therefore,
disable_mlock(or any Vault configuration) has no effect.This effectively breaks rootless deployments that worked with Vault 1.21.x.
To Reproduce
Steps to reproduce the behavior:
Pull Vault 2.0.1 UBI-based container image:
podman pull registry.connect.redhat.com/vault:2.0.1-ubi
Start an interactive shell in a rootless Podman environment:![]()
podman run --rm -it --entrypoint /bin/sh
Verify file capabilities of Vault binary:
getcap /usr/bin/vault
Attempt to execute Vault binary:
/usr/bin/vault version
Observe error:
sh: /usr/bin/vault: Operation not permitted
Running the default container also fails:![]()
podman run
Error:
Vault requires the IPC_LOCK capability.
Please use --cap-add IPC_LOCK or add it to the securityContext capabilities
/usr/bin/vault: Operation not permitted2
Expected behavior
Vault binary should start successfully in rootless container environments, optionally falling back to disable_mlock=true when IPC_LOCK capability is not available.
At minimum, the binary should not fail at execution time due to a required file capability in environments where that capability cannot be granted.
Actual behavior
/usr/bin/vault cannot be executed at all in rootless Podman.
Execution fails with:
Operation not permitted
Vault never starts, so configuration is never loaded.
disable_mlock is never evaluated.
Rootless deployments that worked in Vault 1.21.4 are broken in Vault 2.0.1.
Environment:
Additional context
The Vault 2.0.1 container image ships /usr/bin/vault with the file capability:
cap_ipc_lock=ep
In rootless container environments, this prevents execution of the binary at the kernel level with:
Operation not permitted
This occurs before Vault can read configuration or apply disable_mlock.
As a result, rootless deployments that worked with Vault 1.21.4 are no longer functional with Vault 2.0.1 using the official container image, even when disable_mlock=true is configured.
This appears to be a regression in container compatibility for rootless runtimes.