Issue with setting as service #445

Closed
shd128 opened this issue Mar 26, 2019 · 14 comments
@shd128

shd128 commented Mar 26, 2019

I'm trying to set bitwarden_rs as service with this .service file:

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=bitwarden_rs
Group=bitwarden_rs
# The location of the .env file for configuration
EnvironmentFile=/root/bitwarden_rs-1.8.0/bitwarden_rs.env
# The location of the compiled binary
ExecStart=/root/bitwarden_rs-1.8.0
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/root/bitwarden_rs-1.8.0
ReadWriteDirectories=/root/bitwarden_rs-1.8.0
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

And I get this:

[root@preprod-bitwarden01 bitwarden_rs-1.8.0]#  journalctl -u bitwarden_rs.service
-- Logs begin at Tue 2019-03-26 09:25:40 EDT, end at Tue 2019-03-26 15:27:11 EDT. --
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: [/etc/systemd/system/bitwarden_rs.service:21] Failed to parse protect system va
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: Started Bitwarden Server (Rust Edition).
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=217/USER
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: Unit bitwarden_rs.service entered failed state.
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: bitwarden_rs.service failed.
Mar 26 15:27:11 preprod-bitwarden01 systemd[1]: [/etc/systemd/system/bitwarden_rs.service:21] Failed to parse protect system va
[root@preprod-bitwarden01 bitwarden_rs-1.8.0]#  systemctl status bitwarden_rs.service
● bitwarden_rs.service - Bitwarden Server (Rust Edition)
   Loaded: loaded (/etc/systemd/system/bitwarden_rs.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2019-03-26 15:27:03 EDT; 32s ago
     Docs: https://github.com/dani-garcia/bitwarden_rs
 Main PID: 20453 (code=exited, status=217/USER)

Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: Started Bitwarden Server (Rust Edition).
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=217/USER
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: Unit bitwarden_rs.service entered failed state.
Mar 26 15:27:03 preprod-bitwarden01 systemd[1]: bitwarden_rs.service failed.
Mar 26 15:27:11 preprod-bitwarden01 systemd[1]: [/etc/systemd/system/bitwarden_rs.service:21] Failed to parse protect system va
[root@preprod-bitwarden01 bitwarden_rs-1.8.0]#

Any ideas?

@dani-garcia
Owner

The error message seems to imply there is a problem with the line 21, the protect system one. I'd try to delete it to see if that helps. Maybe your system has an old systemd version that doesn't support that functionality?

This is a bit of a guess, since I don't know a lot about systemd.

@mqus
Contributor

mqus commented Mar 27, 2019

I don't know about the ProtectSystem variable, this looks correct to me... I googled the setting quickly, it was added in 2016, and I think that your systemd version should include that feature by now. If not, just comment it out by placing a # in front of it and try starting the service without it, like dani-garcia recommended.

But it still won't work because ExecStart= is wrong. This path should point to the binary directly, not some folder (systemd doesn't know what to execute in that folder). If /root/bitwarden_rs-1.8.0 is the directory you downloaded and compiled bitwarden_rs in, the line should be ExecStart=/root/bitwarden_rs-1.8.0/target/release/bitwarden_rs

Another thing: as the binary seems to be in root's home directory (/root/), did you create a bitwarden_rs user and group and allow access to /root/bitwarden_rs-1.8.0? If not, you should do that, or, if you don't need the extra layer of security since it's in a VM anyway, simply set the User and Group to root.

Edit: don't forget to systemctl daemon-reload after updating your service file!

@shd128
Author

shd128 commented Mar 27, 2019

I tried both of your recommendations, but I'm still having some issues.
I have RHEL 7.6 so I think I have a recent version of systemd.

With this file:

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=root
Group=root
# The location of the .env file for configuration
EnvironmentFile=/root/bitwarden_rs-1.8.0/bitwarden_rs.env
# The location of the compiled binary
ExecStart=/root/bitwarden_rs-1.8.0/target/release/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
#ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/root/bitwarden_rs-1.8.0
ReadWriteDirectories=/root/bitwarden_rs-1.8.0
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

I get this:

[root@preprod-bitwarden01 ~]# cd /etc/systemd/system
[root@preprod-bitwarden01 system]# systemctl daemon-reload
[root@preprod-bitwarden01 system]# systemctl status bitwarden_rs.service
● bitwarden_rs.service - Bitwarden Server (Rust Edition)
   Loaded: loaded (/etc/systemd/system/bitwarden_rs.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-03-27 08:37:14 EDT; 13min ago
     Docs: https://github.com/dani-garcia/bitwarden_rs
 Main PID: 3330 (code=exited, status=226/NAMESPACE)

Mar 27 08:37:14 preprod-bitwarden01 systemd[1]: Started Bitwarden Server (Rust Edition).
Mar 27 08:37:14 preprod-bitwarden01 systemd[3330]: Failed at step NAMESPACE spawning /root/bitwarden_rs-1.8.0/target/release/bitwarden_rs: ...rectory
Mar 27 08:37:14 preprod-bitwarden01 systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=226/NAMESPACE
Mar 27 08:37:14 preprod-bitwarden01 systemd[1]: Unit bitwarden_rs.service entered failed state.
Mar 27 08:37:14 preprod-bitwarden01 systemd[1]: bitwarden_rs.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@preprod-bitwarden01 system]#

@shd128
Author

shd128 commented Mar 27, 2019

Just in case, I do have that file:

[root@preprod-bitwarden01 release]# pwd
/root/bitwarden_rs-1.8.0/target/release
[root@preprod-bitwarden01 release]# ll
total 18920
-rwxr-xr-x.  2 root root 19310672 Mar 26 13:50 bitwarden_rs
-rw-r--r--.  1 root root     3407 Mar 26 11:59 bitwarden_rs.d
drwxr-xr-x. 88 root root     4096 Mar 26 10:08 build
drwxr-xr-x.  2 root root    32768 Mar 26 13:50 deps
drwxr-xr-x.  2 root root        6 Mar 26 10:08 examples
drwxr-xr-x.  2 root root        6 Mar 26 10:08 incremental
drwxr-xr-x.  2 root root        6 Mar 26 10:08 native

@dani-garcia
Owner

The NAMESPACE issue appeared to someone else too #363. A user recommended removing the sandboxing options, but we didn't get an answer if that worked or not.

@mqus
Contributor

mqus commented Mar 27, 2019

Could you do systemctl status bitwarden_rs.service -l? The error message was cut off.

I'm not familiar with RHEL but it seems like systemd was only patched, not upgraded since 2015 in RHEL 7.

@shd128
Author

shd128 commented Mar 27, 2019

> Could you do systemctl status bitwarden_rs.service -l? The error message was cut off.
>
> I'm not familiar with RHEL but it seems like systemd was only patched, not upgraded since 2015 in RHEL 7.

[root@preprod-bitwarden01 system]# systemctl status bitwarden_rs.service -l
● bitwarden_rs.service - Bitwarden Server (Rust Edition)
Loaded: loaded (/etc/systemd/system/bitwarden_rs.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2019-03-27 08:59:24 EDT; 17min ago
Docs: https://github.com/dani-garcia/bitwarden_rs
Main PID: 3326 (code=exited, status=226/NAMESPACE)

Mar 27 08:59:23 preprod-bitwarden01.prep.siif2 systemd[1]: Started Bitwarden Server (Rust Edition).
Mar 27 08:59:24 preprod-bitwarden01.prep.siif2 systemd[3326]: Failed at step NAMESPACE spawning /root/bitwarden_rs-1.8.0/target/release/bitwarden_rs: No such file or directory
Mar 27 08:59:24 preprod-bitwarden01.prep.siif2 systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=226/NAMESPACE
Mar 27 08:59:24 preprod-bitwarden01.prep.siif2 systemd[1]: Unit bitwarden_rs.service entered failed state.
Mar 27 08:59:24 preprod-bitwarden01.prep.siif2 systemd[1]: bitwarden_rs.service failed.
Warning: bitwarden_rs.service changed on disk. Run 'systemctl daemon-reload' to reload units.
[root@preprod-bitwarden01 system]#

@shd128
Author

shd128 commented Mar 27, 2019

> The NAMESPACE issue appeared to someone else too #363. A user recommended removing the sandboxing options, but we didn't get an answer if that worked or not.

I will try this and let you know

@shd128
Author

shd128 commented Mar 27, 2019

> The NAMESPACE issue appeared to someone else too #363. A user recommended removing the sandboxing options, but we didn't get an answer if that worked or not.
>
> I will try this and let you know

I went to the config file but couldn't figure out which options these are.
Could you please clarify?

@mqus
Contributor

mqus commented Mar 27, 2019

You can comment out PrivateTmp, PrivateDevices, ProtectHome and ReadWriteDirectories.

@mqus
Contributor

mqus commented Mar 27, 2019

Could you also post the output of systemctl --version?

@shd128
Author

shd128 commented Mar 27, 2019

> Could you also post the output of systemctl --version?

[root@preprod-bitwarden01 ~]# systemctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

@shd128
Author

shd128 commented Mar 27, 2019

> You can comment out PrivateTmp, PrivateDevices, ProtectHome and ReadWriteDirectories.

It's working now!!!
Thank you so much to both of you!

@dani-garcia
Owner

Seeing as this is solved, I'll close it now. Feel free to open another one if you have more problems.
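
An added example, not code from this thread or from the bitwarden_rs project: a small check that flags sandboxing options which the running systemd cannot parse or which hide the service's own paths, so the conflict can be fixed without commenting the sandbox out. It relies on two documented systemd behaviours (`ProtectSystem=strict` first appears in systemd 232; `ProtectHome=true` makes /home, /root and /run/user inaccessible); the thread itself does not confirm which option caused 226/NAMESPACE, and the /opt and /var/lib paths are hypothetical.

```python
from pathlib import PurePosixPath

HOME_ROOTS = [PurePosixPath(p) for p in ("/home", "/root", "/run/user")]
PROTECT_SYSTEM_SINCE = {"strict": 232}  # "true" and "full" predate systemd 219
PATH_KEYS = ("ExecStart", "WorkingDirectory", "ReadWriteDirectories", "ReadWritePaths")

# Constructed sample: the posted unit's paths with ProtectSystem=strict still active.
POSTED = """[Service]
ExecStart=/root/bitwarden_rs-1.8.0/target/release/bitwarden_rs
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/root/bitwarden_rs-1.8.0
ReadWriteDirectories=/root/bitwarden_rs-1.8.0
"""
# Hypothetical relocation outside /root that keeps the sandbox on systemd 219.
RELOCATED = """[Service]
ExecStart=/opt/bitwarden_rs/bitwarden_rs
ProtectHome=true
ProtectSystem=full
WorkingDirectory=/var/lib/bitwarden_rs
"""

def parse_service(text):
    """(key, value) pairs of the [Service] section; comment lines are skipped."""
    section, items = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            items.append((key.strip(), value.strip()))
    return items

def under_home(path):
    p = PurePosixPath(path)
    return any(p == r or r in p.parents for r in HOME_ROOTS)

def lint(text, systemd_version):
    items, findings = parse_service(text), []
    opts = dict(items)
    need = PROTECT_SYSTEM_SINCE.get(opts.get("ProtectSystem", "").lower())
    if need and systemd_version < need:
        findings.append(f"ProtectSystem={opts['ProtectSystem']} needs systemd >= {need}")
    if opts.get("ProtectHome", "").lower() in ("true", "yes", "1", "on"):
        for key, value in items:
            words = value.split() if key in PATH_KEYS else []
            for word in words[:1] if key == "ExecStart" else words:
                if under_home(word.lstrip("-+@!")):  # drop systemd path prefixes
                    findings.append(f"{key}={word} is under a ProtectHome=true directory")
    return findings
```

`lint(POSTED, 219)` reports the unsupported `ProtectSystem=strict` plus the three /root paths, while `lint(RELOCATED, 219)` is empty, which is the layout to aim for if the sandboxing options are to stay enabled with a dedicated service user.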

yalh76 added a commit to YunoHost-Apps/vaultwarden_ynh that referenced this issue Jan 26, 2020