
Vault

Overview

The secret store is a central repository where secrets, such as tokens, passwords and certificates, can be stored.

Edge Xpert uses HashiCorp Vault to allow secure access to the secret store.

The Secret Store deployment consists of the following images:

Image              Description
Vault              The Vault service.
SecretStore Setup  A service that unseals and initializes Vault. During initialization, a client token is created for each Edge Xpert microservice; any microservice started in secure mode uses its own token to access Vault.

The Vault service is started when either the --secret or the --api-gateway option is used with the edgexpert up command.

To access the Vault user interface, please refer to How to get Vault root token

Rootless Environment Limitation and Solution

The Vault container attempts to lock its memory (mlock) so that sensitive data is never swapped to disk. This requires the IPC_LOCK capability, so --cap-add=IPC_LOCK must be passed to docker run; see the Vault documentation for more information.

When Vault is deployed in a rootless environment as a non-root user, the container fails with the following error:

unable to set CAP_SETFCAP effective capability: Operation not permitted
This is a known issue tracked on the Vault GitHub page: a non-root user is not permitted to add the capability to the container.

To work around this, Edge Xpert disables Vault's memory lock, drops --cap-add=IPC_LOCK from the container, and instead prevents the container from swapping at all by using Docker's memory and memory-swap settings.

memory is the amount of physical memory the container may use, while memory-swap is the combined amount of memory plus swap it may use. Setting both to the same value therefore leaves the container no swap to use, which is what keeps Vault's secrets off disk once mlock is disabled; see the Docker documentation for more information. Note that a container which exceeds this limit is killed by the OOM killer rather than paged out, so size the limit generously for your workload.

We provide the following environment variables for configuring the memory limitation:

  • XPERT_SER_MEM_LIMIT used to set the memory limit
  • XPERT_SER_MEM_SWAP_LIMIT to set the memory swap limit

For example, to limit the Vault container to 500MB:

# export env variables
export XPERT_SER_MEM_LIMIT=500m
export XPERT_SER_MEM_SWAP_LIMIT=500m

# deploy services
edgexpert up --secret

Note

The memory limitation should be a positive integer, followed by a suffix of b, k, m, g, to indicate bytes, kilobytes, megabytes, or gigabytes.

Verify with docker inspect vault (or podman inspect vault in a rootless Podman environment, as shown below). Memory and MemorySwap should be equal and non-zero; for a 500m limit both are 524288000 bytes (500 × 1024 × 1024):

$ podman inspect vault
[
     {
          ...
          "HostConfig": {
               ...
               "Memory": 524288000,
               ...
               "MemorySwap": 524288000,
               ...
          }
     }
]
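The inspect output above is easy to misread by eye (a MemorySwap of -1 or 0 would silently allow swap). The following POSIX shell script is an added example, not part of Edge Xpert or the Vault project, that converts the XPERT_SER_MEM_LIMIT-style size into bytes the way Docker and Podman do (binary units, so 500m is 524288000) and then checks an inspect document for the no-swap condition, Memory > 0 and MemorySwap == Memory. The JSON it checks is a constructed sample trimmed to the HostConfig fields, so the script runs offline; on a live host, feed it the output of podman inspect vault or docker inspect vault instead.

```shell
#!/bin/sh
# Added example (not Edge Xpert or Vault code): verify that a Vault container
# started without IPC_LOCK really cannot use swap.

# Convert a Docker-style size ("500m", "2g", "1024k", "512b", "4096") to bytes.
# Docker/Podman use binary multiples (1k = 1024 bytes), so 500m = 524288000.
to_bytes() {
    num=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)[bkmgBKMG]\{0,1\}$/\1/p')
    unit=$(printf '%s' "$1" | sed -n 's/^[0-9][0-9]*\([bkmgBKMG]\{0,1\}\)$/\1/p' | tr 'BKMG' 'bkmg')
    [ -n "$num" ] || { echo "bad size: $1" >&2; return 1; }
    case "$unit" in
        ''|b) echo "$num" ;;
        k)    echo $((num * 1024)) ;;
        m)    echo $((num * 1024 * 1024)) ;;
        g)    echo $((num * 1024 * 1024 * 1024)) ;;
    esac
}

# Extract a numeric HostConfig field from inspect JSON without needing jq.
# $1 = JSON text, $2 = field name (e.g. Memory or MemorySwap).
inspect_field() {
    printf '%s\n' "$1" | grep -o "\"$2\": *-\{0,1\}[0-9][0-9]*" | head -n 1 | sed 's/.*: *//'
}

# Succeeds only when the container can use no swap:
#   Memory must be > 0 (0 means unlimited) and equal to the expected limit,
#   MemorySwap must equal Memory (-1 = unlimited swap, 0 = Docker's default of
#   twice Memory; both would let Vault's memory be paged out).
# $1 = JSON text from podman/docker inspect, $2 = expected limit, e.g. 500m.
check_no_swap() {
    mem=$(inspect_field "$1" Memory)
    swap=$(inspect_field "$1" MemorySwap)
    want=$(to_bytes "$2") || return 1
    [ -n "$mem" ] && [ -n "$swap" ] || { echo "Memory/MemorySwap not found in inspect output" >&2; return 1; }
    [ "$mem" -gt 0 ]        || { echo "Memory is 0 (unlimited): swap not prevented" >&2; return 1; }
    [ "$mem" -eq "$want" ]  || { echo "Memory $mem != expected $want" >&2; return 1; }
    [ "$swap" -eq "$mem" ]  || { echo "MemorySwap $swap != Memory $mem: container may swap" >&2; return 1; }
    return 0
}

# Constructed sample of the relevant part of `podman inspect vault` output
# for a deployment with XPERT_SER_MEM_LIMIT=XPERT_SER_MEM_SWAP_LIMIT=500m.
GOOD_INSPECT='[ { "HostConfig": { "Memory": 524288000, "MemorySwap": 524288000 } } ]'

# Usage on a real host would be:  check_no_swap "$(podman inspect vault)" 500m
if check_no_swap "$GOOD_INSPECT" 500m; then
    echo "vault: Memory == MemorySwap, swap disabled"
fi
```

The check deliberately compares against the expected limit as well as testing Memory against MemorySwap, so a typo such as 500 (bytes) or 50m in the environment variables is caught at the same time as a missing swap cap.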