Cause: systemd units are only cleaned up when completely removed
Consequence: systemd units cannot be unmasked, because masks are not removed unless the systemd unit is completely removed
Fix: when mask is false for a unit, remove any existing masks
Result: systemd units can be unmasked
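A minimal sketch of the fix described above, added here for illustration (it is not the Machine Config Operator's code): mask state is reconciled per unit, so `mask: false` removes an existing `/dev/null` symlink instead of waiting for the unit to be deleted. `Unit`, `isMasked`, `reconcileMask` and the `unitDir` parameter (standing in for `/etc/systemd/system`) are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Unit keeps the two systemd unit fields used in the report (hypothetical type).
// Mask is a pointer so that "mask: false" differs from "mask not set".
type Unit struct {
	Name string
	Mask *bool
}

// isMasked reports whether path is a symlink to /dev/null, which is how
// systemd represents a masked unit.
func isMasked(path string) bool {
	target, err := os.Readlink(path)
	return err == nil && target == "/dev/null"
}

// reconcileMask brings the mask state of u under unitDir in line with u.Mask.
// unitDir stands in for /etc/systemd/system (assumption of this sketch).
func reconcileMask(unitDir string, u Unit) error {
	path := filepath.Join(unitDir, u.Name)
	if u.Mask == nil || *u.Mask == isMasked(path) {
		return nil // nothing requested, or already in the requested state
	}
	if !*u.Mask {
		// mask: false -> drop the mask left behind by an earlier config.
		// Only a /dev/null symlink reaches this point, never a real unit file.
		return os.Remove(path)
	}
	// mask: true -> fails if a real unit file already occupies the path.
	return os.Symlink("/dev/null", path)
}

func main() {
	dir, err := os.MkdirTemp("", "units") // constructed stand-in directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	on, off := true, false
	path := filepath.Join(dir, "chronyd.service")
	_ = reconcileMask(dir, Unit{Name: "chronyd.service", Mask: &on})
	fmt.Println("after mask: true  ->", isMasked(path))
	_ = reconcileMask(dir, Unit{Name: "chronyd.service", Mask: &off})
	fmt.Println("after mask: false ->", isMasked(path))
}
```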
I was trying to mask the chronyd service using the following machineconfig (mc) resource, and it works, but when I then edit this resource and set mask to false, the respective service is not removed from masked.
Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.7.5
Server Version: 4.8.0-0.nightly-2021-06-01-002052
Kubernetes Version: v1.21.0-rc.0+4b2b6ff
```
$ cat test.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: chronyd-mask
spec:
  config:
    ignition:
      version: 3.2.0
    systemd:
      units:
      - name: chronyd.service
        mask: true
$ oc apply -f test.yaml
$ oc debug node/ip-10-0-189-42.us-east-2.compute.internal
sh-4.4# systemctl status chronyd
● chronyd.service
Loaded: masked (Reason: Unit chronyd.service is masked.)
Active: inactive (dead)
$ oc edit mc chronyd-mask
< make mask entry to false >
Wait till the mco changes apply
$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
00-worker                                          80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-master-container-runtime                        80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-master-kubelet                                  80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-worker-container-runtime                        80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
01-worker-kubelet                                  80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
99-master-generated-registries                     80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
99-master-ssh                                                                                 3.2.0             84m
99-worker-generated-registries                     80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
99-worker-ssh                                                                                 3.2.0             84m
chronyd-mask                                                                                  3.2.0             48m
rendered-master-2d1194e5d1fe93f6ed4fb7e4e409d637   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             34m
rendered-master-c4316fd090a885c5fd44d0e112052833   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             48m
rendered-master-cfdfb5a96a3be8f0480fdb1f48e1170b   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
rendered-worker-faf298319d2cb532d3abdcbc3041f6ac   80393f74b29a44d44c4fcbf1b1976fd4ef5f3303   3.2.0             76m
$ oc debug node/ip-10-0-189-42.us-east-2.compute.internal
sh-4.4# systemctl status chronyd
● chronyd.service
Loaded: masked (Reason: Unit chronyd.service is masked.)
Active: inactive (dead)
< -- I am expecting that this should be unmasked now --->
```
Actual results: service is not unmasked
Expected results: service should be unmasked
Additional info:
When `oc delete mc chronyd-mask` is performed, the service is no longer masked and is active.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2022:0056