mongodb / vault-plugin-secrets-mongodbatlas

ARCHIVED - Hashicorp Vault MongoDB Atlas Secrets Engine - Now hosted at https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/
Mozilla Public License 2.0

[ERROR] plugin shutting down: error="cannot allocate memory" #22

Closed drweber closed 4 years ago

drweber commented 4 years ago

Doesn't work with Vault versions 1.1.5, 1.2.2, 1.2.3

# vault secrets enable mongodbatlas
Error enabling: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/mounts/mongodbatlas
Code: 400. Errors:

* plugin not found in the catalog: mongodbatlas

Then plugins were compiled

-->     linux/amd64: github.com/mongodb/vault-plugin-secrets-mongodbatlas/plugins/database/mongodbatlas/mongodbatlas-database-plugin
==> Removing old directory...
==> Building...
Number of parallel builds: 1

-->     linux/amd64: github.com/mongodb/vault-plugin-secrets-mongodbatlas/plugins/logical/mongodbatlas/cmd/vault-plugin-secrets-mongodbatlas
==> Packaging...
--> linux_amd64
  adding: mongodbatlas-database-plugin (deflated 51%)
  adding: vault-plugin-secrets-mongodbatlas (deflated 52%)
# vault write sys/plugins/catalog/secret/vault-plugin-secrets-mongodbatlas sha_256="$(sha256sum /vault/plugins/vault-plugin-secrets-mongodbatlas | cut -d " " -f1)" command="vault-plugin-secrets-mongodbatlas"
Success! Data written to: sys/plugins/catalog/secret/vault-plugin-secrets-mongodbatlas
# vault secrets enable --plugin-name='vault-plugin-secrets-mongodbatlas' --path="vault-plugin-secrets-mongodbatlas" plugin
Error enabling: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/mounts/vault-plugin-secrets-mongodbatlas
Code: 400. Errors:

* plugin exited before we could connect

In Vault logs

2019-11-13T15:42:36.894Z [DEBUG] secrets.vault-plugin-secrets-mongodbatlas.vault-plugin-secrets-mongodbatlas_777081f5.vault-plugin-secrets-mongodbatlas: starting plugin: metadata=true path=/vault/plugins/vault-plugin-secrets-mongodbatlas args=[/vault/plugins/vault-plugin-secrets-mongodbatlas]
2019-11-13T15:42:36.895Z [DEBUG] secrets.vault-plugin-secrets-mongodbatlas.vault-plugin-secrets-mongodbatlas_777081f5.vault-plugin-secrets-mongodbatlas: plugin started: metadata=true path=/vault/plugins/vault-plugin-secrets-mongodbatlas pid=2442
2019-11-13T15:42:36.895Z [DEBUG] secrets.vault-plugin-secrets-mongodbatlas.vault-plugin-secrets-mongodbatlas_777081f5.vault-plugin-secrets-mongodbatlas: waiting for RPC address: metadata=true path=/vault/plugins/vault-plugin-secrets-mongodbatlas
2019-11-13T15:42:36.899Z [DEBUG] secrets.vault-plugin-secrets-mongodbatlas.vault-plugin-secrets-mongodbatlas_777081f5.vault-plugin-secrets-mongodbatlas.vault-plugin-secrets-mongodbatlas: 2019-11-13T15:42:36.899Z [ERROR] plugin shutting down: error="cannot allocate memory": metadata=true
2019-11-13T15:42:36.900Z [DEBUG] secrets.vault-plugin-secrets-mongodbatlas.vault-plugin-secrets-mongodbatlas_777081f5.vault-plugin-secrets-mongodbatlas: plugin process exited: metadata=true path=/vault/plugins/vault-plugin-secrets-mongodbatlas pid=2442 error="exit status 1"
2019-11-13T15:42:36.900Z [ERROR] secrets.system.system_4046ec67: mount failed: path=vault-plugin-secrets-mongodbatlas/ error="plugin exited before we could connect"

current resources for POD

   resources:
     requests:
       memory: 1024Mi
       cpu: 750m
     limits:
       memory: 1024Mi
       cpu: 750m

drweber commented 4 years ago

@themantissa @thetonymaster

themantissa commented 4 years ago

@drweber thank you. I'll ensure our developers have a look.

thetonymaster commented 4 years ago

What is your vault configuration file? Also, maybe this is related to your issue https://github.com/hashicorp/docker-vault/issues/53

drweber commented 4 years ago

after changing vault configuration file from

      ui = true
      plugin_directory = "/vault/plugins"
      log_level = "trace"
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }

to

# cat /tmp/storageconfig.hcl
ui = true
plugin_directory = "/vault/plugins"
disable_cache = true
disable_mlock = true
api_addr         = "http://0.0.0.0:8200"
max_lease_ttl         = "10h"
default_lease_ttl    = "10h"
cluster_name         = "vault"
raw_storage_endpoint     = true
disable_sealwrap     = true
disable_printable_check = true
log_level = "trace"
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}
storage "file" {
  path = "/vault/data"
}

and switching to Vault 1.2.4

vault secrets enable vault-plugin-secrets-mongodbatlas
Success! Enabled the vault-plugin-secrets-mongodbatlas secrets engine at: vault-plugin-secrets-mongodbatlas/

themantissa commented 4 years ago

@drweber it sounds like you've had some success with the above config?

thetonymaster commented 4 years ago

Hey, @drweber sorry for the late response, I am using the following configuration

{
  "backend": {"file": {"path": "/data"}},
  "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": true}}],
  "plugin_directory": "/example",
  "log_level": "debug",
  "disable_mlock": true,
  "api_addr": "http://localhost:8200"
}

My money is on this line: "disable_mlock": true. I think if you only change this line it should work.

heprotecbuthealsoattac commented 4 years ago

Make sure that the capabilities are set on the binary: https://www.vaultproject.io/docs/configuration/#disable_mlock. If you want mlock enabled, you'll have to set that capability for the plugin.
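
Added example, not part of the thread or the plugin's code: a Go preflight that predicts, from the text of /proc/<pid>/status and /proc/<pid>/limits, whether mlockall(2) would succeed for a process, following the mlockall(2) man page rules (CAP_IPC_LOCK bypasses RLIMIT_MEMLOCK; a zero soft limit gives EPERM; exceeding a nonzero limit gives ENOMEM). The function names and sample inputs are constructed for illustration, and comparing VmSize against the soft limit is an assumption about how the kernel sizes an MCL_CURRENT request.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const capIPCLock = 14 // bit number of CAP_IPC_LOCK in <linux/capability.h>

// first returns the first value after prefix on the line that starts with it.
func first(text, prefix string) string {
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(strings.TrimPrefix(line, prefix)); strings.HasPrefix(line, prefix) && len(f) > 0 {
			return f[0]
		}
	}
	return ""
}

// MlockVerdict predicts mlockall(MCL_CURRENT|MCL_FUTURE) for a process from the
// text of /proc/<pid>/status and /proc/<pid>/limits: "ok", "EPERM" or "ENOMEM".
func MlockVerdict(status, limits string) (string, error) {
	lim := first(limits, "Max locked memory")
	capEff, e1 := strconv.ParseUint(first(status, "CapEff:"), 16, 64)
	vmKB, e2 := strconv.ParseUint(first(status, "VmSize:"), 10, 64) // reported in kB
	soft, e3 := strconv.ParseUint(lim, 10, 64)                      // soft limit, bytes
	if e1 != nil || e2 != nil || (e3 != nil && lim != "unlimited") {
		return "", fmt.Errorf("CapEff, VmSize or Max locked memory missing or unparsable")
	}
	switch {
	case capEff&(1<<capIPCLock) != 0, lim == "unlimited":
		return "ok", nil // privileged, or no limit to exceed
	case soft == 0:
		return "EPERM", nil // unprivileged and nothing may be locked
	case vmKB*1024 > soft:
		return "ENOMEM", nil // Go renders this errno as "cannot allocate memory"
	}
	return "ok", nil
}

// Constructed samples (not from the issue): 64 KiB limit, CapEff without/with bit 14.
const limits64K = "Max locked memory  65536  65536  bytes"
const unpriv = "VmSize:\t715924 kB\nCapEff:\t0000000000000000"
const priv = "VmSize:\t715924 kB\nCapEff:\t0000000000004000"

func main() {
	fmt.Println(MlockVerdict(unpriv, limits64K))
	fmt.Println(MlockVerdict(priv, limits64K))
}
```

To check a live plugin process, pass the contents of its own /proc/<pid>/status and /proc/<pid>/limits instead of the samples.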

themantissa commented 4 years ago

@drweber wanted to let you know this work is now included in the 1.4Beta1 version of Vault released by HashiCorp and will be in the GA 1.4 Vault version. I'll close this PR as you won't need to build this on your own now.