Start through systemd code=exited, status=226/NAMESPACE

puikerduiker · August 18, 2021, 2:33pm

I installed vault from repository https://apt.releases.hashicorp.com/ on ubuntu focal
My vault.hcl has the following content

ui = true
cluster_addr = “https://sm-ela-mku01.sm.local:8200/”
api_addr = “https://sm-ela-mku01.sm.local:8201/”

storage “raft” {
path = “/var/vault/data”
node_id = “sm-ela-mku01.sm.local”
}

listener “tcp” {
address = “0.0.0.0:8200”
tls_cert_file = “/etc/vault.d/ssl/sm-ela-mku01.sm.local.pem”
tls_key_file = “/etc/vault.d/ssl/sm-ela-mku01.sm.local.key”
tls_client_ca_file = “/etc/ssl/certs/ca-certificates.crt”
}

when i do a systemctl start vault I get errors in the log

Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[1]: /lib/systemd/system/vault.service:29: Unknown key name ‘StartLimitIntervalSec’ in section ‘Service’, ignoring.Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[1]: Started “HashiCorp Vault - A tool for managing secrets”.
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[440273]: vault.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev: Invalid argument
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[440273]: vault.service: Failed at step NAMESPACE spawning /usr/bin/vault: Invalid argument
Aug 18 15:11:15 sm-ela-mku01.sm.local systemd[1]: vault.service: Main process exited, code=exited, status=226/NAMESPACE

When I start as user vault on the commandline (vault server -config /etc/vault.d/vault.hcl) then all is ok

When I comment out the following in the systemd unit file things are ok as well

#ProtectSystem=full
#ProtectHome=read-only
ProtectSystem=false
ProtectHome=false
#PrivateTmp=yes
#PrivateDevices=yes
PrivateTmp=false
PrivateDevices=false

mikegreen · August 18, 2021, 2:46pm

Which specifically makes it work when commented out?
Are you saying you uncomment ProtectSystem then you have ProtectSystem=full and ProtectSystem=false?
Take a look at the ProtectSystem manual - I think full means /etc/ is going to be readonly.

puikerduiker · August 18, 2021, 3:02pm

I’m not sure which one specifically made it work. I commented out 4 original values in de unit file and put new values in their place (all false). I can try narrow it down tomorrow

puikerduiker · August 19, 2021, 6:32am

I enabled them one by one and it appears that PrivateDevices=yes causes the error

Topic		Replies	Views
Having trouble bringing up Vault node w/ integrated storage Vault	11	556	December 28, 2023
Vault Fails to start Vault	20	11131	March 6, 2022
Vault Failed to Start on New Installation of Integrated Storage with error code 203 Vault	6	4843	July 13, 2021
Vault Service Starting Error Vault vault	0	416	September 14, 2021
Vault startup fails while I use my certificate Vault	3	979	July 23, 2023

Start through systemd code=exited, status=226/NAMESPACE

I installed vault from repository https://apt.releases.hashicorp.com/ on ubuntu focal My vault.hcl has the following content

listener “tcp” { address = “0.0.0.0:8200” tls_cert_file = “/etc/vault.d/ssl/sm-ela-mku01.sm.local.pem” tls_key_file = “/etc/vault.d/ssl/sm-ela-mku01.sm.local.key” tls_client_ca_file = “/etc/ssl/certs/ca-certificates.crt” }

#ProtectSystem=full #ProtectHome=read-only ProtectSystem=false ProtectHome=false #PrivateTmp=yes #PrivateDevices=yes PrivateTmp=false PrivateDevices=false

Related topics

I installed vault from repository https://apt.releases.hashicorp.com/ on ubuntu focal
My vault.hcl has the following content

listener “tcp” {
address = “0.0.0.0:8200”
tls_cert_file = “/etc/vault.d/ssl/sm-ela-mku01.sm.local.pem”
tls_key_file = “/etc/vault.d/ssl/sm-ela-mku01.sm.local.key”
tls_client_ca_file = “/etc/ssl/certs/ca-certificates.crt”
}

#ProtectSystem=full
#ProtectHome=read-only
ProtectSystem=false
ProtectHome=false
#PrivateTmp=yes
#PrivateDevices=yes
PrivateTmp=false
PrivateDevices=false