What is the difference between "systemctl mask" and "systemctl disable"?
If a service is enabled
, then there is a symlink somewhere in
/etc/systemd/system
to a unit file, most often somewhere in
/lib/systemd/system
Helpfully, when you enable
a service, the full paths of the created link and target will be printed to stdout.
Disabling the service deletes the symlink, so the unit file itself is not affected, but the service is not loaded at the next boot, when systemd reads /etc/systemd/system
.
However, a disabled service can be loaded, and will be started if a service that depends on it is started; enable
and disable
only configure auto-start behaviour for units, and the state is easily overridden.
A masked service is one whose unit file is a symlink to /dev/null
. This makes it "impossible" to load the service, even if it is required by another, enabled service.
When you mask
a service, a symlink is created from /etc/systemd/system
to /dev/null
, leaving the original unit file elsewhere untouched. When you unmask
a service the symlink is deleted.
However, I have noticed that these commands are not always honoured.
When I try to mask most services, it fails:
$ sudo systemctl mask bluetooth.service
Failed to execute operation: Invalid argument
Of course, I stopped the service first. @Anwar suggests masking is only possible for non-critical services.
Unmasking a masked service, unless I masked it myself, also fails (silently). I believe this is because there is no unit file for the service anywhere, except in the form of a symlink to /dev/null
, this time in /lib/systemd/system
:
$ file $(locate fuse.service)
/lib/systemd/system/fuse.service: symbolic link to /dev/null
$ sudo systemctl unmask fuse.service
$ systemctl status fuse
● fuse.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
I'm not the only one having this problem
To actually unmask the masked service x11-common, I had to delete the symlink to /dev/null
and sudo apt-get install --reinstall x11-common && sudo systemctl daemon-reload
. Now when I query it with systemctl status x11-common
I see the service has a nice green circle and is loaded and active (exited) although it has no unit file.
For further reference this article on How to Use Systemctl may be of some use.
It is pretty simple.
systemctl start
,systemctl stop
: starts (stops) the unit in question immediately;systemctl enable
,systemctl disable
: marks (unmarks) the unit for autostart at boot time (in a unit-specific manner, described in its[Install]
section);systemctl mask
,systemctl unmask
: disallows (allows) all and any attempts to start the unit in question (either manually or as a dependency of any other unit, including the dependencies of the default boot target). Note that marking for autostart in systemd is implemented by adding an artificial dependency from the default boot target to the unit in question, so "mask" also disallows autostarting.
Ref.: systemctl(1).
More: Lennart Poettering (2011-03-02). "The Three Levels of Off". systemd for Administrators. 0pointer.de.
In short,
disable
makes the unit disabled during boot. But that unit can be started anytime after boot.mask
disables the unit completely. It can't be started without unmasking. That automatically implies it will fail during boot.