Support compose "cap_add: [IPC_LOCK]"

[troyready]

Description

I'd like to be able to run a container that requires the IPC_LOCK capability (specifically HashiCorp's Vault) and it appears that cap_add: [IPC_LOCK] on the compose file service is ignored (based on the app's error "Failed to lock memory: cannot allocate memory ... This usually means that the mlock syscall is not available.")

This same issue occurs when using lima nerdctl compose up (using the default VM template) or docker-compose (using the docker VM template).

To reproduce (currently tested using lima v0.11.2):

limactl start default
mkdir -p volumes/{config,file,logs}

cat > volumes/config/vault.hcl << EOF
storage "file" {
  path = "/vault/file"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

EOF

cat > docker-compose.yml << EOF
version: '2'
services:
  vault:
    image: vault
    container_name: vault
    ports:
      - "8200:8200"
    restart: always
    volumes:
      - ./volumes/logs:/vault/logs
      - ./volumes/file:/vault/file
      - ./volumes/config:/vault/config
    privileged: true
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.hcl

EOF

lima nerdctl compose up

[AkihiroSuda]

Does it work with this?

lima sudo systemctl enable --now containerd
lima sudo nerdctl compose up

or

lima sudo systemctl enable --now docker
lima sudo docker-compose up

[troyready]

Ah, yes, that's exactly it. Thanks a ton @AkihiroSuda for pointing me in the right direction.

For anyone else following along in the future, this is expected behavior with running the containers as non-root by default. When more permissions are needed, it's fairly simple to modify the docker template to remove the parts that make it non-root and share the root (/var/run/docker.sock) socket instead (incorporating a fix to ensure the VM user has access to the socket)