Start through systemd code=exited, status=226/NAMESPACE

I installed Vault from the repository https://apt.releases.hashicorp.com/ on Ubuntu Focal.
My vault.hcl has the following content:

ui = true
cluster_addr = "https://sm-ela-mku01.sm.local:8200/"
api_addr = "https://sm-ela-mku01.sm.local:8201/"

storage "raft" {
  path = "/var/vault/data"
  node_id = "sm-ela-mku01.sm.local"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/ssl/sm-ela-mku01.sm.local.pem"
  tls_key_file = "/etc/vault.d/ssl/sm-ela-mku01.sm.local.key"
  tls_client_ca_file = "/etc/ssl/certs/ca-certificates.crt"
}

When I do a systemctl start vault, I get errors in the log:

Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[1]: /lib/systemd/system/vault.service:29: Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[1]: Started "HashiCorp Vault - A tool for managing secrets".
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[440273]: vault.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev: Invalid argument
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[440273]: vault.service: Failed at step NAMESPACE spawning /usr/bin/vault: Invalid argument
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[1]: vault.service: Main process exited, code=exited, status=226/NAMESPACE

When I start it as user vault on the command line (vault server -config /etc/vault.d/vault.hcl), then all is OK.

When I comment out the following in the systemd unit file, things are OK as well:

#ProtectSystem=full
#ProtectHome=read-only
ProtectSystem=false
ProtectHome=false
#PrivateTmp=yes
#PrivateDevices=yes
PrivateTmp=false
PrivateDevices=false

Which one specifically makes it work when commented out?
Are you saying you uncomment ProtectSystem, and then you have both ProtectSystem=full and ProtectSystem=false?
Take a look at the ProtectSystem manual - I think full means /etc/ is going to be read-only.

I'm not sure which one specifically made it work. I commented out the 4 original values in the unit file and put new values in their place (all false). I can try to narrow it down tomorrow.

I enabled them one by one, and it appears that PrivateDevices=yes causes the error.
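An added example (my own code, not from the thread, from systemd, or from HashiCorp's packaging) that turns the one-by-one procedure above into a script: it parses the [Service] section of a unit file, lists the sandboxing directives that are switched on, and emits one drop-in override per directive so that each can be disabled on its own. Once the culprit is known (PrivateDevices here, as found above), a final drop-in switches off only that directive and leaves ProtectSystem, ProtectHome and PrivateTmp in force, rather than setting all four to false in the packaged unit. It also reports StartLimit* keys found in [Service], which is what the "Unknown key name" line in the log above is complaining about. The unit excerpt embedded below is constructed to resemble the thread's; the drop-in file names and the directives beyond the four the thread mentions are my assumptions, chosen so the script generalises to other hardened units.

```python
"""Bisect systemd sandboxing directives with drop-in overrides (added example)."""
from __future__ import annotations

# Directives that change the service's mount/device namespace. Each accepts a
# systemd boolean, so "no" switches it off in a drop-in. The first four are the
# ones in the thread; the rest are further real directives (an assumption of
# this example, not something the thread covers).
SANDBOX_DIRECTIVES = (
    "ProtectSystem", "ProtectHome", "PrivateTmp", "PrivateDevices",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
)
FALSE_VALUES = {"no", "false", "off", "0"}

# Constructed unit excerpt modelled on the thread's vault.service; not the
# packaged file itself.
UNIT_EXCERPT = """\
[Unit]
Description=HashiCorp Vault - A tool for managing secrets

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
StartLimitIntervalSec=60
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
"""


def parse_section(unit_text: str, section: str) -> dict[str, str]:
    """Return the key=value pairs of one section (last assignment wins)."""
    current = None
    found: dict[str, str] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current != section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        found[key.strip()] = value.strip()
    return found


def enabled_sandboxing(service: dict[str, str]) -> list[str]:
    """Sandboxing directives set to anything other than a systemd 'false'."""
    return [k for k in SANDBOX_DIRECTIVES
            if k in service and service[k].lower() not in FALSE_VALUES]


def bisect_dropins(service: dict[str, str]) -> dict[str, str]:
    """One drop-in per enabled directive, each disabling only that directive.

    Install them one at a time under /etc/systemd/system/<unit>.d/, run
    `systemctl daemon-reload`, restart the unit: the drop-in that lets the
    service start names the directive this host cannot honour.
    """
    return {f"99-bisect-{key}.conf": f"[Service]\n{key}=no\n"
            for key in enabled_sandboxing(service)}


def minimal_override(culprits: list[str]) -> str:
    """Drop-in that disables only the offending directive(s); every other
    hardening directive in the packaged unit stays in force."""
    return "[Service]\n" + "".join(f"{key}=no\n" for key in culprits)


def misplaced_start_limit(service: dict[str, str]) -> list[str]:
    """StartLimit* keys found in [Service]; systemd expects them in [Unit]."""
    return sorted(k for k in service if k.startswith("StartLimit"))


if __name__ == "__main__":
    svc = parse_section(UNIT_EXCERPT, "Service")
    for name, body in bisect_dropins(svc).items():
        print(f"--- {name}\n{body}")
    print("--- 90-vault-namespace.conf (keep the rest of the sandbox)")
    print(minimal_override(["PrivateDevices"]))
    print("StartLimit keys in [Service]:", misplaced_start_limit(svc))
```

The final drop-in belongs in /etc/systemd/system/vault.service.d/ (a directory you create), followed by `systemctl daemon-reload`; editing the packaged unit under /lib/systemd/system directly gets overwritten on the next package upgrade, and a drop-in records exactly which hardening was relaxed and why.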