capabilities
Give executable the ability to use the mlock syscall without running the process as root
setcap cap_ipc_lock=+ep /usr/local/bin/vault
Allow listen on privileged port (<1024) to a non-root process (capability)
setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary