Clarify the disable_mlock option

2026-01-11 14:35:27 +00:00 · 2015-05-28 12:40:56 +02:00
parent 2a71cf4f0b
commit d1ec264eff
1 changed files with 11 additions and 1 deletions
--- a/website/source/docs/config/index.html.md
+++ b/website/source/docs/config/index.html.md
@@ -39,7 +39,7 @@ to specify where the configuration is.

 * `disable_mlock` (optional) - A boolean. If true, this will disable the
  server from executing the `mlock` syscall to prevent memory from being
-  swapped to disk. This is not recommended.
+  swapped to disk. This is not recommended in production (see below).

 * `statsite_addr` (optional) - An address to a [Statsite](https://github.com/armon/statsite)
  instances for metrics. This is highly recommended for production usage.
@@ -47,6 +47,16 @@ to specify where the configuration is.
 * `statsd_addr` (optional) - This is the same as `statsite_addr` but
  for StatsD.

+In production, you should only consider setting the `disable_mlock` option
+on Linux systems that only use encrypted swap or do not use swap at all.
+Vault does not currently support memory locking on Mac OS X and Windows
+and so the feature is automatically disabled on those platforms.  To give
+the Vault executable access to the `mlock` syscall on Linux systems:
+
+```shell
+sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+```
+
 ## Backend Reference

 For the `backend` section, the supported backends are shown below.