Backport of add noswap to secretdir tmpfs into release/1.9.x (#24782)

Co-authored-by: Charles Z. <[email protected]>
hashicorp · Jan 6, 2025 · 93d1d36 · 93d1d36
1 parent 22a295d
commit 93d1d36
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/.changelog/24645.txt b/.changelog/24645.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+client: Add noswap mount option to secrets directory where supported on Linux
+```
diff --git a/client/allocdir/fs_linux.go b/client/allocdir/fs_linux.go
@@ -73,9 +73,15 @@ func createSecretDir(dir string, size int) error {
 		}
 
 		flags := uintptr(syscall.MS_NOEXEC)
-		options := fmt.Sprintf("size=%dm", size)
-		if err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); err != nil {
-			return os.NewSyscallError("mount", err)
+		// Permanently disable swap for tmpfs for SecretDir.
+		options := fmt.Sprintf("size=%dm,noswap", size)
+		err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options)
+		if err != nil {
+			// Not all kernels support noswap, remove if unsupported.
+			options = fmt.Sprintf("size=%dm", size)
+			if fallbackErr := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); fallbackErr != nil {
+				return os.NewSyscallError("mount", fallbackErr)
+			}
 		}
 
 		// Create the marker file so we don't try to mount more than once

diff --git a/website/content/docs/concepts/filesystem.mdx b/website/content/docs/concepts/filesystem.mdx
@@ -353,7 +353,7 @@ $ mount
 ...
 /dev/mapper/root on /alloc type ext4 (rw,relatime,errors=remount-ro,data=ordered)
 tmpfs on /private type tmpfs (rw,noexec,relatime,size=1024k)
-tmpfs on /secrets type tmpfs (rw,noexec,relatime,size=1024k)
+tmpfs on /secrets type tmpfs (rw,noexec,relatime,size=1024k,noswap)
 ...
 ```