issue setting as a service #2205

Closed
opened 2025-10-09 17:50:38 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @Geobert on GitHub.

With this .service file:

```
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=bitwarden_rs
Group=bitwarden_rs
# The location of the .env file for configuration
EnvironmentFile=/home/bitwarden_rs/.env
# The location of the compiled binary
ExecStart=/home/bitwarden_rs/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/home/bitwarden_rs
ReadWriteDirectories=/home/bitwarden_rs
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

I got with `systemctl status bitwarden_rs`:

```
● bitwarden_rs.service - Bitwarden Server (Rust Edition)
   Loaded: loaded (/etc/systemd/system/bitwarden_rs.service; disabled)
   Active: failed (Result: exit-code) since Wed 2019-01-23 20:04:20 GMT; 12s ago
     Docs: https://github.com/dani-garcia/bitwarden_rs
  Process: 14005 ExecStart=/home/bitwarden_rs/bitwarden_rs (code=exited, status=226/NAMESPACE)
 Main PID: 14005 (code=exited, status=226/NAMESPACE)

Jan 23 20:04:20 geob-vps systemd[1]: Started Bitwarden Server (Rust Edition).
Jan 23 20:04:20 geob-vps systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=226/NAMESPACE
Jan 23 20:04:20 geob-vps systemd[1]: Unit bitwarden_rs.service entered failed state.
```

with `journalctl -u bitwarden_rs.service`

```
Jan 23 20:04:18 geob-vps systemd[1]: [/etc/systemd/system/bitwarden_rs.service:21] Failed to parse protect system value, ignoring: strict
Jan 23 20:04:18 geob-vps systemd[1]: [/etc/systemd/system/bitwarden_rs.service:26] Unknown lvalue 'AmbientCapabilities' in section 'Service'
Jan 23 20:04:20 geob-vps systemd[1]: Starting Bitwarden Server (Rust Edition)...
Jan 23 20:04:20 geob-vps systemd[1]: Started Bitwarden Server (Rust Edition).
Jan 23 20:04:20 geob-vps systemd[1]: bitwarden_rs.service: main process exited, code=exited, status=226/NAMESPACE
Jan 23 20:04:20 geob-vps systemd[1]: Unit bitwarden_rs.service entered failed state.
```

and in `/var/log/syslog` I can see:

```
Failed at step NAMESPACE spawning /home/bitwarden_rs/bitwarden_rs: Permission denied
```

What am I missing?


@pgaskin commented on GitHub:

Try enabling the backports repository and updating systemd from there. I had a similar issue myself when setting up sandboxing.

Alternatively, you can remove most of the sandboxing options, as they aren't present in the version of systemd in Debian 9 stable.
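
As an added illustration (not part of the original thread or the project's code): the two parse warnings in the journal output above mean systemd ignored those settings rather than applying them, so a unit can run with less isolation than its file asks for. This shell helper maps each `[unit-file:LINE]` warning back to the directive on that line; the names `ignored_directives` and `demo` are hypothetical, and the unit excerpt and journal lines are constructed in the format quoted in the issue.

```sh
#!/bin/sh
# ignored_directives UNIT_FILE < journal-text
# Reads journal text for one unit on stdin (e.g. from `journalctl -u NAME`)
# and prints "LINE<TAB>DIRECTIVE<TAB>REASON" for every warning of the form
#   ... systemd[1]: [/path/to/unit:LINE] message
# which is the bracketed format shown in the issue.
ignored_directives() {
    unit_file=$1
    # Reduce each matching journal line to "LINE|message"; drop everything else.
    sed -n 's/^.*systemd\[[0-9]*]: \[[^]]*:\([0-9][0-9]*\)] \(.*\)$/\1|\2/p' |
    while IFS='|' read -r line reason; do
        # Look up the directive systemd complained about.
        directive=$(sed -n "${line}p" "$unit_file")
        printf '%s\t%s\t%s\n' "$line" "$directive" "$reason"
    done
}

demo() {
    unit=$(mktemp)
    # Constructed unit excerpt: lines 4 and 6 are the ones flagged below.
    cat > "$unit" <<'EOF'
[Service]
User=bitwarden_rs
PrivateTmp=true
ProtectSystem=strict
WorkingDirectory=/home/bitwarden_rs
AmbientCapabilities=CAP_NET_BIND_SERVICE
EOF
    # Constructed journal lines (hypothetical host and unit name).
    ignored_directives "$unit" <<'EOF'
Jan 23 20:04:18 host systemd[1]: [/etc/systemd/system/demo.service:4] Failed to parse protect system value, ignoring: strict
Jan 23 20:04:18 host systemd[1]: [/etc/systemd/system/demo.service:6] Unknown lvalue 'AmbientCapabilities' in section 'Service'
Jan 23 20:04:20 host systemd[1]: Started demo.
EOF
    rm -f "$unit"
}

demo
```

Any row in the output is a hardening or capability setting that is not in effect on that host, which is worth checking before treating the unit as sandboxed.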


@Geobert commented on GitHub:

Thanks, I'll try that if I come back to bitwarden. I managed to launch with supervisord and was disappointed by the desktop client's lack of autofill and SSH agent :(

Let's close this issue for now :)


@Geobert commented on GitHub:

Btw, in `.env` I have:

```
ROCKET_ADDRESS=127.0.0.1 # Enable this to test mobile app
ROCKET_PORT=8000
```

and `ROCKET_TLS` pointing to my certificate and key


@Geobert commented on GitHub:

Are you sure? I've searched a lot and stumbled upon a feature request: https://community.bitwarden.com/t/auto-type-autofill-for-logging-into-other-desktop-apps/158


@pgaskin commented on GitHub:

Um, there is autofill. Go to the settings page and you can turn it on.


@tyrone-wu commented on GitHub:

Hi, sorry for the necro, this issue can remain closed; I'm posting my fix in case anyone else ends up in the same situation as me.

I'm running the service in a Proxmox privileged LXC on Debian 12 and also got this error:

```
vaultwarden.service: Failed to set up mount namespacing: Permission denied
vaultwarden.service: Failed at step NAMESPACE spawning /opt/vaultwarden/bin/vaultwarden: Permission denied
```

It wasn't the security configs in the service file that were causing the error, but `nesting` being disabled in the LXC that caused it (since I set the container as privileged).
Enabling `nesting` again fixed it for me while keeping the same service configs (I'm using the service config from https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/vaultwarden-install.sh).


@pgaskin commented on GitHub:

Oh, I thought you meant browser autofill, not desktop app autofill.


Reference: starred/vaultwarden#2205