Bug 1966445 - Unmasking a service doesn't work if it masked using MCO
Summary: Unmasking a service doesn't work if it masked using MCO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.10.0
Assignee: mkenigsb
QA Contact: Rio Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-01 08:15 UTC by Praveen Kumar
Modified: 2022-03-10 16:04 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: systemd units are only cleaned up when completely removed Consequence: systemd units cannot be unmasked, because masks are not removed unless the systemd unit is completely removed Fix: when mask is false for a unit, remove any existing masks Result: systemd units can be unmasked
Clone Of:
Environment:
Last Closed: 2022-03-10 16:03:59 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-config-operator pull 2818 0 None open Bug 1966445: Cleanup systemd unit files for empty units 2021-11-25 22:00:20 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:04:25 UTC

Description Praveen Kumar 2021-06-01 08:15:58 UTC
I was trying to mask chronyd service using following machineconfig (mc) resource and it works but then when I edit this resource and make mask as false, respective service is not removed from masked.

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.7.5
Server Version: 4.8.0-0.nightly-2021-06-01-002052
Kubernetes Version: v1.21.0-rc.0+4b2b6ff

```
$ cat test.yaml 
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: chronyd-mask
spec:
  config:
    ignition:
      version: 3.2.0
    systemd:
      units:
       - name: chronyd.service
         mask: true
$ oc apply -f test.yaml
$ oc debug node/ip-10-0-189-42.us-east-2.compute.internal
sh-4.4# systemctl status chronyd
● chronyd.service
   Loaded: masked (Reason: Unit chronyd.service is masked.)
   Active: inactive (dead)
$ oc edit mc chronyd-mask
< make mask entry to false >
Wait till the mco changes apply
$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
00-worker                                          80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-master-container-runtime                        80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-master-kubelet                                  80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-worker-container-runtime                        80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-worker-kubelet                                  80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
99-master-generated-registries                     80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
99-master-ssh                                                                                 3.2.0             84m
99-worker-generated-registries                     80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
99-worker-ssh                                                                                 3.2.0             84m
chronyd-mask                                                                                  3.2.0             48m
rendered-master-2d1194e5d1fe93f6ed4fb7e4e409d637   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             34m
rendered-master-c4316fd090a885c5fd44d0e112052833   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             48m
rendered-master-cfdfb5a96a3be8f0480fdb1f48e1170b   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
rendered-worker-faf298319d2cb532d3abdcbc3041f6ac   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
$ oc debug node/ip-10-0-189-42.us-east-2.compute.internal
sh-4.4# systemctl status chronyd
● chronyd.service
   Loaded: masked (Reason: Unit chronyd.service is masked.)
   Active: inactive (dead)
< -- I am expecting that this should be unmasked now --->
```

Actual results: service is not unmasked

Expected results: service should be unmasked


Additional info:
When `oc delete mc chronyd-mask` performed then service is no longer masked and active.

Comment 6 errata-xmlrpc 2022-03-10 16:03:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.