[GH-ISSUE #363] issue setting as a service #208

Closed
opened 2026-03-03 01:26:47 +03:00 by kerem · 7 comments

Originally created by @Geobert on GitHub (Jan 23, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/363

With this .service file:

```
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=bitwarden_rs
Group=bitwarden_rs
# The location of the .env file for configuration
EnvironmentFile=/home/bitwarden_rs/.env
# The location of the compiled binary
ExecStart=/home/bitwarden_rs/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/home/bitwarden_rs
ReadWriteDirectories=/home/bitwarden_rs
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

I got with `systemctl status bitwarden_rs`:

```
● bitwarden_rs.service - Bitwarden Server (Rust Edition)
   Loaded: loaded (/etc/systemd/system/bitwarden_rs.service; disabled)
   Active: failed (Result: exit-code) since Wed 2019-01-23 20:04:20 GMT; 12s ago
     Docs: https://github.com/dani-garcia/bitwarden_rs
  Process: 14005 ExecStart=/home/bitwarden_rs/bitwarden_rs (code=exited, status=226/NAMESPACE)
 Main PID: 14005 (code=exited, status=226/NAMESPACE)

Jan 23 20:04:20 geob-vps systemd[1]: Started Bitwarden Server (Rust Edition).
Jan 23 20:04:20 geob-vps systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=226/NAMESPACE
Jan 23 20:04:20 geob-vps systemd[1]: Unit bitwarden_rs.service entered failed state.
```

with `journalctl -u bitwarden_rs.service`

```
Jan 23 20:04:18 geob-vps systemd[1]: [/etc/systemd/system/bitwarden_rs.service:21] Failed to parse protect system value, ignoring: strict
Jan 23 20:04:18 geob-vps systemd[1]: [/etc/systemd/system/bitwarden_rs.service:26] Unknown lvalue 'AmbientCapabilities' in section 'Service'
Jan 23 20:04:20 geob-vps systemd[1]: Starting Bitwarden Server (Rust Edition)...
Jan 23 20:04:20 geob-vps systemd[1]: Started Bitwarden Server (Rust Edition).
Jan 23 20:04:20 geob-vps systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=226/NAMESPACE
Jan 23 20:04:20 geob-vps systemd[1]: Unit bitwarden_rs.service entered failed state.
```

and in `/var/log/syslog` I can see:

```
Failed at step NAMESPACE spawning /home/bitwarden_rs/bitwarden_rs: Permission denied
```

What am I missing?

kerem closed this issue 2026-03-03 01:26:47 +03:00

@Geobert commented on GitHub (Jan 23, 2019):

Btw, in `.env` I have:

```
ROCKET_ADDRESS=127.0.0.1 # Enable this to test mobile app
ROCKET_PORT=8000
```

and `ROCKET_TLS` pointing to my certificate and key


@pgaskin commented on GitHub (Jan 24, 2019):

Try enabling the backports repository and updating systemd from there. I had a similar issue myself when setting up sandboxing.

Alternatively, you can remove most of the sandboxing options, as they aren't present in the version of systemd in debian 9 stable.
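
Both warnings in the journal output quoted in the issue mean systemd discarded a hardening directive instead of applying it. The following is an added example, not part of the original thread: it pairs each such warning with the unit-file line it points at, so dropped sandboxing options are visible at a glance. The unit text, journal lines, host name and the `ignored_directives` function are constructed for illustration; only the two message formats come from the issue.

```python
import re

# Matches the two parser warnings quoted in the issue:
#   [<unit path>:<line>] Unknown lvalue '<Name>' in section '<Section>'
#   [<unit path>:<line>] Failed to parse <what>, ignoring: <value>
WARNING = re.compile(
    r"\[(?P<path>[^\]:]+):(?P<line>\d+)\] "
    r"(?:Unknown lvalue '(?P<name>[^']+)'"
    r"|Failed to parse .*?, ignoring: (?P<value>.*))"
)

def ignored_directives(journal_text, unit_text):
    """Return (line_no, unit_line, reason) for each directive systemd discarded."""
    unit_lines = unit_text.splitlines()
    findings = []
    for entry in journal_text.splitlines():
        m = WARNING.search(entry)
        if not m:
            continue
        # The reported line number is 1-based and counts blank and comment lines.
        line_no = int(m.group("line"))
        in_range = 0 < line_no <= len(unit_lines)
        text = unit_lines[line_no - 1].strip() if in_range else "<line not found>"
        reason = "unknown directive" if m.group("name") else "unsupported value"
        findings.append((line_no, text, reason))
    return findings

# Constructed unit file (hypothetical service "app").
UNIT = """\
[Service]
User=app
ExecStart=/opt/app/app
PrivateTmp=true
ProtectSystem=strict
AmbientCapabilities=CAP_NET_BIND_SERVICE
"""

# Constructed journal lines in the format shown in the issue.
JOURNAL = """\
Jan 01 00:00:00 host systemd[1]: [/etc/systemd/system/app.service:5] Failed to parse protect system value, ignoring: strict
Jan 01 00:00:00 host systemd[1]: [/etc/systemd/system/app.service:6] Unknown lvalue 'AmbientCapabilities' in section 'Service'
Jan 01 00:00:01 host systemd[1]: Started app.
"""

if __name__ == "__main__":
    for line_no, text, reason in ignored_directives(JOURNAL, UNIT):
        print(f"line {line_no}: {text!r} ignored ({reason})")
```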


@Geobert commented on GitHub (Jan 24, 2019):

Thanks, I'll try that if I come back to bitwarden. I managed to launch with supervisord and was disappointed by the desktop client's lack of Autofill and ssh agent :(

Let's close this issue for now :)


@pgaskin commented on GitHub (Jan 24, 2019):

Um, there is autofill. Go to the settings page and you can turn it on.


@Geobert commented on GitHub (Jan 24, 2019):

Are you sure? I've searched a lot and stumbled upon a feature request: https://community.bitwarden.com/t/auto-type-autofill-for-logging-into-other-desktop-apps/158


@pgaskin commented on GitHub (Jan 24, 2019):

Oh, I thought you meant browser autofill, not desktop app autofill.


@ver-nyan commented on GitHub (Sep 25, 2025):

Hi, sorry for the necro, this issue can remain closed, I'm posting my fix in case anyone also ended up in the same situation as me.

I'm running the service in a proxmox privileged lxc on debian 12 and also got this error:

```
vaultwarden.service: Failed to set up mount namespacing: Permission denied
vaultwarden.service: Failed at step NAMESPACE spawning /opt/vaultwarden/bin/vaultwarden: Permission denied
```

It wasn't the security configs in the service file that were causing the error, but `nesting` being disabled in the lxc that caused it (since I set the container as privileged).
Enabling `nesting` back fixed it for me while keeping the same service configs (I'm using the service config from https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/vaultwarden-install.sh).
