minio / kes

Key Managament Server for Object Storage and more
https://min.io/docs/kes/concepts/
GNU Affero General Public License v3.0

Unable to work in systemd #383

Closed MomentQYC closed 1 year ago

MomentQYC commented 1 year ago

Bug description

I run it using a configuration that closely follows the documentation. When I run `/usr/local/bin/kes server --config=/opt/kes/config/kes-config.yml` manually it works fine, but under systemd it won't work, and there's no error output either.

Expected behavior

Additional context

  1. What version of Go are you using (`go version`)? go1.20.6 linux/amd64
  2. What operating system and processor architecture are you using (`go env`)? Ubuntu 20.04

     ```
     GO111MODULE=""
     GOARCH="amd64"
     GOBIN=""
     GOCACHE="/root/.cache/go-build"
     GOENV="/root/.config/go/env"
     GOEXE=""
     GOEXPERIMENT=""
     GOFLAGS=""
     GOHOSTARCH="amd64"
     GOHOSTOS="linux"
     GOINSECURE=""
     GOMODCACHE="/root/go/pkg/mod"
     GONOPROXY=""
     GONOSUMDB=""
     GOOS="linux"
     GOPATH="/root/go"
     GOPRIVATE=""
     GOPROXY="https://proxy.golang.org,direct"
     GOROOT="/snap/go/current"
     GOSUMDB="sum.golang.org"
     GOTMPDIR=""
     GOTOOLDIR="/snap/go/current/pkg/tool/linux_amd64"
     GOVCS=""
     GOVERSION="go1.20.6"
     GCCGO="gccgo"
     GOAMD64="v1"
     AR="ar"
     CC="gcc"
     CXX="g++"
     CGO_ENABLED="1"
     GOMOD="/dev/null"
     GOWORK=""
     CGO_CFLAGS="-O2 -g"
     CGO_CPPFLAGS=""
     CGO_CXXFLAGS="-O2 -g"
     CGO_FFLAGS="-O2 -g"
     CGO_LDFLAGS="-O2 -g"
     PKG_CONFIG="pkg-config"
     GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1747026042=/tmp/go-build -gno-record-gcc-switches"
     ```

  3. Anything else that is important? `kes.service`

     ```ini
     [Unit]
     Description=KES
     Documentation=https://github.com/minio/kes/wiki
     Wants=network-online.target
     After=network-online.target
     AssertFileIsExecutable=/usr/local/bin/kes

     [Service]
     WorkingDirectory=/opt/kes/
     AmbientCapabilities=CAP_IPC_LOCK
     User=kes
     Group=kes
     ProtectProc=invisible

     ExecStart=/usr/local/bin/kes server --config=/opt/kes/config/kes-config.yml

     # Let systemd restart this service always
     Restart=always

     # Specifies the maximum file descriptor number that can be opened by this process
     LimitNOFILE=65536

     # Specifies the maximum number of threads this process can create
     TasksMax=infinity

     # Disable timeout logic and wait until process is stopped
     TimeoutStopSec=infinity
     SendSIGKILL=no

     [Install]
     WantedBy=multi-user.target
     ```


`kes-config.yaml`

```yaml
address: 0.0.0.0:7373

# Disable the root administrator identity, as we do not need that level of access for
# supporting SSE operations.
admin:
  identity: disabled

# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
  key: /opt/kes/certs/privatekes.key
  cert: /opt/kes/certs/certificatekes.crt

# Sets access policies for KES
# The minio policy grants access to the listed APIs.
policy:
  minio:
    allow:

# Specify the connection information for the Vault server.
# The endpoint should be resolvable from the host.
# This example assumes that Vault is configured with an AppRole ID and
# Secret for use with KES.
keystore:
  vault:
    endpoint: https://127.0.0.1:8200
    engine: "kv"     # Replace with the path to the K/V Engine
    version: "v2"    # Specify v1 or v2 depending on the version of the K/V Engine
    approle:
      id: ""         # Hashicorp Vault AppRole ID
      secret: ""     # Hashicorp Vault AppRole Secret ID
      retry: 15s
    status:
      ping: 10s
    # Required if Vault uses certificates signed by an unknown CA,
    # e.g. self-signed or internal (non-globally trusted).
    # Replace this value with the full path to the Vault CA certificate.
    tls:
      ca: /opt/vault/tls/certificate2.crt
```
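The report's symptom (works when started by hand, silent failure under a unit with `User=kes`) is the classic shape of a DAC mismatch: the TLS key and CA paths in the config are readable by root but not by the service account. The script below is an added diagnostic, not part of KES or of the issue; it walks a config dict (in practice loaded from `kes-config.yml` with a YAML parser, omitted here), and for every absolute path reports whether a given uid/gid set could traverse each parent directory and read the file. `demo()` builds a constructed fixture using the report's file names, and uid 65534 is an assumed stand-in for the `kes` user.

```python
import os
import stat
import tempfile

def referenced_files(node, prefix=""):
    """Yield (dotted.key, path) for every absolute-path value in the config tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from referenced_files(v, f"{prefix}{k}.")
    elif isinstance(node, str) and node.startswith("/"):
        yield prefix.rstrip("."), node

def _allowed(st, uid, gids, usr, grp, oth):
    """Unix DAC: owner class if uid owns it, else group class, else other; root bypasses."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    return bool(st.st_mode & (grp if st.st_gid in gids else oth))

def readable_as(path, uid, gids):
    """'ok', 'missing', or the first component that stops uid from reading path."""
    parts = os.path.abspath(path).split(os.sep)
    for i in range(1, len(parts)):  # every ancestor directory needs the search (x) bit
        d = os.sep.join(parts[:i]) or os.sep
        if not os.path.exists(d):
            return "missing"
        if not _allowed(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return f"no search permission on {d}"
    if not os.path.exists(path):
        return "missing"
    if not _allowed(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return f"not readable: {path}"
    return "ok"

def audit(config, uid, gids):
    """Verdict per config key that names a file, for the service user's uid and gids."""
    return {key: readable_as(p, uid, gids) for key, p in referenced_files(config)}

def demo():
    """Constructed fixture: a 0600 key owned by the caller, audited as the caller and as uid 65534."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    key = os.path.join(d, "privatekes.key")
    open(key, "w").close()
    os.chmod(key, 0o600)
    cfg = {"tls": {"key": key, "cert": os.path.join(d, "certificatekes.crt")}}
    return {"mine": audit(cfg, os.getuid(), {os.getgid()}),
            "other": audit(cfg, 65534, {65534})}  # 65534 stands in for the kes user
```

Running `audit()` on the real config with the `kes` account's uid and gids (from `pwd`/`grp`) pinpoints the first directory or file the service cannot reach; pair it with `journalctl -u kes` to see anything the process did log before exiting.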