Unable to disable zincati.service using Ignition

[dustymabe]

As reported by a user in a discussion forum thread for some reason disabling zincati.service via Ignition doesn't seem to be working right. There is probably a corner case in here that isn't being accounted for somehow.

Here is my fcc:

variant: fcos
version: 1.0.0
systemd:
  units:
    - name: [email protected]
      dropins:
      - name: autologin-core.conf
        contents: |
          [Service]
          # Override Execstart in main unit
          ExecStart=
          # Add new Execstart with `-` prefix to ignore failure
          ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
          TTYVTDisallocate=no
    - name: zincati.service
      enabled: false

Here is what I see on the booted system:

[core@localhost ~]$ systemctl is-enabled zincati
enabled
[core@localhost ~]$ systemctl is-active zincati
active
[core@localhost ~]$ 
[core@localhost ~]$ grep zincati /etc/systemd/system-preset/20-ignition.preset
disable zincati.service
[core@localhost ~]$ grep zincati /usr/lib/systemd/system-preset/40-coreos.preset
enable zincati.service

So the disable preset did get put in /etc/ appropriately but for some reason it wasn't applied properly. If I ask systemd to re-evaluate it seems to do the right thing:

[core@localhost ~]$ sudo systemctl preset zincati.service
Removed /etc/systemd/system/multi-user.target.wants/zincati.service.
[core@localhost ~]$ systemctl is-enabled zincati
disabled

Version Info:

[core@localhost ~]$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 31.20200210.2.0 (2020-02-10T21:52:48Z)
                    Commit: 3e4a6a48ed8d6817081c902bc2aa2bbe9df3302e659d4f42d933f9abb22914e8
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4
[core@localhost ~]$ rpm -q ignition systemd
ignition-2.1.1-5.git40c0b57.fc31.x86_64
systemd-243.6-1.fc31.x86_64

[dustymabe]

Looks like this and #229 may be the same problem

[dustymabe]

ok here may be a clue:

[   15.943369] systemd[1]: Running with unpopulated /etc.

Welcome to Fedora CoreOS 31.20200319.dev.3!

[   15.949061] systemd[1]: Initializing machine ID from KVM UUID.
[   16.244489] systemd[1]: Populated /etc with preset unit settings.

so when systemd first starts /etc/ is empty so it can't see what units are or are not enabled

[dustymabe]

well I guess it depends on what is really meant by Running with unpopulated /etc

[jlebon]

Re. presets, a lot of discussions here: coreos/fedora-coreos-config#77. That said, the enabled: false from Ignition should result in a later disable zincati preset entry which wins over the default. (Which yeah, this approach runs against coreos/ignition#588). Hmm, so something funny is going on here.

[dustymabe]

if I use rd.break=pre-pivot on the kernel command line I see the presets file:

pre-pivot:/# cat /sysroot/etc/systemd/system-preset/20-ignition.preset 
disable zincati.service

and running preset-all against the real root does the right thing:

pre-pivot:/# systemctl --root=/sysroot/ preset-all
Removed /sysroot/etc/systemd/system/multi-user.target.wants/zincati.service.

[jlebon]

systemd/systemd#15205

[dustymabe]

wow, thanks @jlebon - that was certainly not what I expected to be the problem.

[cgwalters]

A workaround until the systemd PR lands is probably something like adding a fragment with ConditionPathExists=/enoent or whatever instead of directly disabling.

Edit: Yep, I can confirm that works.

[sgohl]

A workaround until the systemd PR lands is probably something like adding a fragment with ConditionPathExists=/enoent or whatever instead of directly disabling.

how would a butane config unit look like with this approach?
My main problem is that my provisioning script collides with zincati:

May 26 21:06:06 rdbla229 zincati[744]: [INFO ] target release '34.20210427.3.0' selected, proceeding to stage it
May 26 21:06:07 rdbla229 zincati[744]: [ERROR] failed to stage deployment: rpm-ostree deploy failed:
May 26 21:06:07 rdbla229 zincati[744]:     error: Transaction in progress: --idempotent install open-vm-tools htop cronie

and it will not recover for a long time, showing:

May 26 21:14:26 rdbla229 zincati[732]: [ERROR] failed to register as driver: rpm-ostree deploy --register-driver failed:
May 26 21:14:26 rdbla229 zincati[732]:     error: Transaction in progress: --idempotent install open-vm-tools htop cronie
May 26 21:14:26 rdbla229 zincati[732]:      You can cancel the current transaction with `rpm-ostree cancel`
May 26 21:14:26 rdbla229 zincati[732]:
May 26 21:14:27 rdbla229 zincati[732]: [INFO ] initialization complete, auto-updates logic enabled
May 26 21:14:27 rdbla229 zincati[732]: [INFO ] update strategy: immediate
May 26 21:14:27 rdbla229 systemd[1]: Started Zincati Update Agent.
May 26 21:14:27 rdbla229 zincati[732]: [INFO ] current release detected as not a dead-end

But I want to have an updated system quite after provisioning. I think your approach would fit my need to enable zincati only after my provision script is done

[bgilbert]

@sgohl Something like this:

variant: fcos
version: 1.0.0
systemd:
  units:
    - name: zincati.service
      dropins:
        - name: disable-zincati.conf
          contents: |
            [Unit]
            ConditionPathExists=/enoent

[jlebon]

But I want to have an updated system quite after provisioning. I think your approach would fit my need to enable zincati only after my provision script is done

Assuming your provisioning script reboots, another approach is to run it with Before=zincati.service. That'll save you from having to then re-enable Zincati on reboot. You'll also want After=systemd-machine-id-commit.service.

[dustymabe]

Might be good to have a f-c-c external kola test for this too.

[dustymabe]

This landed in ignition v2.14.0.

[dustymabe]

The fix for this went into testing stream release 36.20220522.2.1. Please try out the new release and report issues.

[dustymabe]

The fix for this went into stable stream release 36.20220522.3.0.