Merge pull request #19 from tmillz/mlock

Mlock
Comcast · Aug 17, 2020 · 3b18e96 · 3b18e96
2 parents fc65fb5 + ac2a759
commit 3b18e96
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 0 deletions.
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -2,3 +2,4 @@
 - [Tyler Rivera](mailto:[email protected])
 - [Ryan Eskin](mailto:[email protected])
 - [Peter Shrom](mailto:[email protected])
+- [Terrance Miller](mailto:[email protected])
diff --git a/README.md b/README.md
@@ -59,6 +59,11 @@ export DC="one"
 
 *A Note About Vault:* If you have `secrets` defined in either the global or environment scope, it's a mapping from environment variable to the path in vault. Buildenv uses all the standard vault environment variables to communicate with vault (`VAULT_ADDR` and `VAULT_TOKEN` being the two you're most likely to use.)
 
+Running on Linux or in Docker container
+----------
+
+It is recommended to use the flag `-m` when running on linux or docker container with swap enabled.  This will attempt to lock memory and prevent secrets from being written to swap space.  If running on a docker container it may be necessary to add `--cap-add=IPC_LOCK` to the `docker run` command or in the `docker-compose` file to allow this. More info can be found at https://hub.docker.com/_/vault under Memory Locking and 'setcap'.
+
 Developing
 ----------
 

diff --git a/buildenv.go b/buildenv.go
@@ -70,6 +70,7 @@ func main() {
 	var env string
 	var dc string
 	var varsFile string
+	var mlockBool = false
 
 	type EnvVars map[string]string
 
@@ -118,12 +119,22 @@ func main() {
 			EnvVar:      "VARIABLES_FILE",
 			Destination: &varsFile,
 		},
+		cli.BoolFlag{
+			Name:        "mlock_enabled, m",
+			Usage:       "Will attempt system mlock if set (prevent write to swap)",
+			Required:    false,
+			Destination: &mlockBool,
+		},
 	}
 
 	app.Version = version
 	app.Name = "buildenv"
 	app.Usage = "Get the Build Environment from a settings yaml file."
+
 	app.Action = func(c *cli.Context) error {
+
+		enableMlock(mlockBool)
+
 		if env == "" {
 			return cli.NewExitError("environment is required", EnvErrorCode)
 		}

diff --git a/mlock-win.go b/mlock-win.go
@@ -0,0 +1,17 @@
+// +build windows
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/urfave/cli"
+)
+
+func enableMlock(mlockBool bool) error {
+
+	if mlockBool {
+		return cli.NewExitError(fmt.Sprintf("mlock not necessary for windows"), 1)
+	}
+	return nil
+}
diff --git a/mlock.go b/mlock.go
@@ -0,0 +1,22 @@
+// +build !windows
+
+package main
+
+import (
+	"fmt"
+	"syscall"
+
+	"github.com/urfave/cli"
+	"golang.org/x/sys/unix"
+)
+
+func enableMlock(mlockBool bool) error {
+
+	if mlockBool {
+		mlockError := unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
+		if mlockError != nil {
+			return cli.NewExitError(fmt.Sprintf("mlock error: %s", mlockError), 1)
+		}
+	}
+	return nil
+}