Start through systemd code=exited, status=226/NAMESPACE

I installed Vault from the repository on Ubuntu focal.
My vault.hcl has the following content:

ui = true
cluster_addr = "
api_addr = "

storage "raft" {
  path = "/var/vault/data"
  node_id = ""
}

listener "tcp" {
  address = ""
  tls_cert_file = "/etc/vault.d/ssl/"
  tls_key_file = "/etc/vault.d/ssl/"
  tls_client_ca_file = "/etc/ssl/certs/ca-certificates.crt"
}

When I do a systemctl start vault I get errors in the log:

Aug 18 15:11:15 systemd[1]: /lib/systemd/system/vault.service:29: Unknown key name ‘StartLimitIntervalSec’ in section ‘Service’, ignoring.
Aug 18 15:11:15 systemd[1]: Started “HashiCorp Vault - A tool for managing secrets”.
Aug 18 15:11:15 systemd[440273]: vault.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev: Invalid argument
Aug 18 15:11:15 systemd[440273]: vault.service: Failed at step NAMESPACE spawning /usr/bin/vault: Invalid argument
Aug 18 15:11:15 systemd[1]: vault.service: Main process exited, code=exited, status=226/NAMESPACE

When I start as user vault on the command line (vault server -config /etc/vault.d/vault.hcl) then all is ok.

When I comment out the following in the systemd unit file things are ok as well


Which specifically makes it work when commented out?
Are you saying you uncomment ProtectSystem then you have ProtectSystem=full and ProtectSystem=false?
Take a look at the ProtectSystem manual - I think full means /etc/ is going to be read-only.

I’m not sure which one specifically made it work. I commented out 4 original values in the unit file and put new values in their place (all false). I can try to narrow it down tomorrow.

I enabled them one by one and it appears that PrivateDevices=yes causes the error
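
The one-at-a-time narrowing described in the last post, as an added example that is not part of the thread: shell helpers that read the failed step from the journal, list which sandboxing directives needing a mount namespace are active in a unit, and print a drop-in that disables only one of them so the rest of the hardening stays on. SAMPLE_UNIT is a constructed sample, not the packaged vault.service, and the directive list is a subset chosen for illustration.

```sh
#!/bin/sh
# Added example. SAMPLE_UNIT is constructed, not the packaged vault.service.
# Sandboxing directives that need a private mount namespace (a subset).
NS_KEYS='ProtectSystem ProtectHome PrivateTmp PrivateDevices'

# Read journal lines on stdin; print the step systemd failed at.
failed_step() {
    sed -n 's/.*Failed at step \([A-Z_]*\) spawning.*/\1/p' | head -n 1
}

# Read unit text on stdin; print Key=value for each NS_KEYS directive whose
# effective (last, uncommented) value is not a boolean "off".
active_ns_directives() {
    awk -F= -v keys="$NS_KEYS" '
        BEGIN { n = split(keys, k, " ") }
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2; gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
          for (i = 1; i <= n; i++) if (key == k[i]) last[key] = val }
        END { for (i = 1; i <= n; i++) { v = last[k[i]]
                if (v != "" && tolower(v) !~ /^(0|no|n|false|f|off)$/) print k[i] "=" v } }'
}

# Print a drop-in that turns off exactly one directive. Saved as
# /etc/systemd/system/vault.service.d/override.conf (what "systemctl edit vault"
# creates), it leaves the vendor unit and the other directives untouched.
dropin_for() {
    printf '[Service]\n%s=no\n' "$1"
}

# Journal line taken from the log above; unit text constructed for the demo.
SAMPLE_JOURNAL='systemd[440273]: vault.service: Failed at step NAMESPACE spawning /usr/bin/vault: Invalid argument'
SAMPLE_UNIT='[Service]
ProtectSystem=full
PrivateTmp=yes
PrivateDevices=yes
#ProtectHome=read-only
PrivateTmp=no'

# Only list candidates when the failure really is the NAMESPACE step.
if [ "$(printf '%s\n' "$SAMPLE_JOURNAL" | failed_step)" = NAMESPACE ]; then
    printf '%s\n' "$SAMPLE_UNIT" | active_ns_directives   # candidates to test one by one
    dropin_for PrivateDevices                              # the directive found above
fi
```

After writing a drop-in, run `systemctl daemon-reload` before restarting the service so the override is picked up.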