I’m toying around with the idea of running a Vault server to manage secrets. It’s a cooler, more advanced iteration of the secret storage system I wrote for the interview with Uber I did a while back. They apparently use stuff like this at eBay too. I’m surprised Hashicorp’s Vault is my first encounter with this kind of store, though. Anyway, the unit file was non-trivial and looks something like the following. I used Vivekv’s unit as a base.

[Unit]
Description=Vault Dev instances
After=network-online.target

[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=full
SecureBits=keep-caps
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/home/vault/bin/vault server -config=/home/vault/dev.config
KillSignal=SIGINT
TimeoutStopSec=30s
Restart=on-failure
StartLimitInterval=60s
StartLimitBurst=3

[Install]
WantedBy=multi-user.target

Hmm, as I review that I realize I’ve forgotten a few things, such as specifying the user and group. The service is also complaining that it can’t read its file storage backend on disk. I’m more concerned about the user and group first. Getting distracted by the shiny things: DynamicUser looks like a really freaking cool option. I’ll have to use that one for network-only services. Anyway, I always forget which section User and Group go into. Apparently it’s just the Service section.

(In a thick southern accent) Well, that ain’t no good. With the user and group specified it just fails to start. No log message at all. Perhaps it’s a user/group issue with the binary? Nope, but wow, that is a large binary.

-rwxr-xr-x 1 vault vault 60M Aug 9 09:15 vault

I probably shouldn’t have the binary writable at all, though. Easy fix.
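Added example (not code from the post): a small Python checker for the two unit-file pitfalls above, User=/Group= landing outside [Service] and the binary being writable by the account that runs it. The trimmed unit text and the stat values are constructed here; only the vault paths come from the post.

```python
import configparser
import os
import shlex
import stat

# Constructed, trimmed copy of the post's unit with User=/Group= added to [Service].
UNIT_TEXT = """\
[Unit]
[Service]
User=vault
Group=vault
SecureBits=keep-caps
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
ExecStart=/home/vault/bin/vault server -config=/home/vault/dev.config
[Install]
WantedBy=multi-user.target
"""

def parse_unit(text):
    """Unit files are INI-like; directive names are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_sections(cp):
    """User= and Group= only take effect under [Service]; report where they ended up."""
    findings = []
    service = cp["Service"] if cp.has_section("Service") else {}
    for key in ("User", "Group"):
        if key in service:
            continue
        elsewhere = [s for s in cp.sections() if key in cp[s]]
        where = f"found under [{elsewhere[0]}]" if elsewhere else "missing entirely"
        findings.append(f"{key}= belongs in [Service], {where}")
    return findings

def fake_stat(mode, uid):
    """Constructed os.stat_result so the binary check runs offline (hypothetical file)."""
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))

def check_binary(exec_start, service_uid, st=None):
    """Flag write bits on the ExecStart binary; a vault:vault 0755 binary trips the second check."""
    path = shlex.split(exec_start)[0].lstrip("-@+!:")  # drop ExecStart= prefix characters
    st = os.stat(path) if st is None else st
    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group- or world-writable")
    if st.st_uid == service_uid and st.st_mode & stat.S_IWUSR:
        findings.append(f"{path} is writable by the user the service runs as")
    return findings
```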

Main process exited, code=exited, status=213/SECUREBITS

Turns out if I read the journal entry it tells me much more. Let’s find out what it means. Well, SecureBits in the manual doesn’t mean much to me at this time. The version of systemd I’m running doesn’t support the Capabilities attribute, so I’m wondering if that is the root of my problem. Ah well, it’s my bed time. I’ll have to save this issue for another day.