k3s-io / k3s-ansible

Apache License 2.0

The k3s_upgrade role is broken when SELinux is enabled #304

Closed laszlojau closed 6 months ago

laszlojau commented 7 months ago

Moving the k3s service to /tmp changes the file's security context and breaks the service.

I'm happy to log a PR if needed, just let me know which option makes more sense to you:

  1. Keep the service under /etc/systemd/system, just rename it to .disabled (or .backup)
  2. Move the file to /tmp but run restorecon after moving it back to /etc/systemd/system

Details below.

❯ ansible-playbook -i inventory.yml playbook/upgrade.yml

PLAY [Upgrade K3s Servers] ****************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************
Sunday 25 February 2024  16:43:21 +1030 (0:00:00.021)       0:00:00.021 *******
ok: [rhel.lan]

TASK [k3s_upgrade : Save current K3s service] *********************************************************************************************
Sunday 25 February 2024  16:43:27 +1030 (0:00:06.348)       0:00:06.370 *******
changed: [rhel.lan]

TASK [k3s_upgrade : Install new K3s Version] **********************************************************************************************
Sunday 25 February 2024  16:43:31 +1030 (0:00:03.600)       0:00:09.970 *******
changed: [rhel.lan]

TASK [k3s_upgrade : Restore K3s service] **************************************************************************************************
Sunday 25 February 2024  16:43:44 +1030 (0:00:13.108)       0:00:23.079 *******
changed: [rhel.lan]

TASK [k3s_upgrade : Restart K3s service [server]] *****************************************************************************************
Sunday 25 February 2024  16:43:46 +1030 (0:00:02.336)       0:00:25.415 *******
fatal: [rhel.lan]: FAILED! => {"changed": false, "msg": "Could not find the requested service k3s: host"}

PLAY RECAP ********************************************************************************************************************************
rhel.lan                   : ok=4    changed=3    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Sunday 25 February 2024  16:43:50 +1030 (0:00:03.484)       0:00:28.900 *******
===============================================================================
k3s_upgrade : Install new K3s Version --------------------------------------------------------------------------------------------- 13.11s
Gathering Facts -------------------------------------------------------------------------------------------------------------------- 6.35s
k3s_upgrade : Save current K3s service --------------------------------------------------------------------------------------------- 3.60s
k3s_upgrade : Restart K3s service [server] ----------------------------------------------------------------------------------------- 3.48s
k3s_upgrade : Restore K3s service -------------------------------------------------------------------------------------------------- 2.34s

[root@rhel ~]# systemctl restart k3s
Failed to restart k3s.service: Unit k3s.service not found.

[root@rhel ~]# journalctl -u k3s.service --since='5 minutes ago'
Feb 25 16:43:44 rhel.lan systemd[1]: k3s.service: Current command vanished from the unit file, execution of the command list won't be resumed.
Feb 25 16:43:50 rhel.lan systemd[1]: k3s.service: Failed to open /etc/systemd/system/k3s.service: Permission denied
[root@rhel ~]# ls -lZ /etc/systemd/system/k3s.service
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 2787 Feb 25 16:43 /etc/systemd/system/k3s.service

[root@rhel ~]# restorecon /etc/systemd/system/k3s.service

[root@rhel ~]# ls -lZ /etc/systemd/system/k3s.service
-rw-r--r--. 1 root root unconfined_u:object_r:container_unit_file_t:s0 848 Feb 25 16:46 /etc/systemd/system/k3s.service

[root@rhel ~]# systemctl restart k3s

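For reference, the two options above written out as Ansible tasks. This is an added example, not the k3s-ansible role's own tasks, and it assumes the unit path and the label shown in the session above (`/etc/systemd/system/k3s.service`, `container_unit_file_t`) plus a play running as root. The detail that bites here is that `mv` keeps whatever label the file already has, so a file that was created in `/tmp` (`user_tmp_t`) carries that label back into `/etc/systemd/system`, where systemd's policy then denies reading it; renaming inside the same directory never changes the label, while `restorecon` resets it to what the policy expects for that path.

```yaml
# Added example (not the k3s-ansible role): two SELinux-safe ways to park the
# k3s unit during an upgrade. Assumed: root, RHEL-style host, unit path as in the issue.
- name: Option 1 - rename the unit in place (it never leaves /etc/systemd/system)
  block:
    - name: Park the current unit next to the original
      ansible.builtin.command:
        cmd: mv /etc/systemd/system/k3s.service /etc/systemd/system/k3s.service.disabled
        removes: /etc/systemd/system/k3s.service   # skip if already parked (idempotent)

    # ... install the new k3s version here ...

    - name: Put the parked unit back
      ansible.builtin.command:
        cmd: mv /etc/systemd/system/k3s.service.disabled /etc/systemd/system/k3s.service
        removes: /etc/systemd/system/k3s.service.disabled

- name: Option 2 - stash the unit in /tmp, then fix the label on the way back
  block:
    - name: Save a copy under /tmp (the new file gets /tmp's default label, user_tmp_t)
      ansible.builtin.copy:
        src: /etc/systemd/system/k3s.service
        dest: /tmp/k3s.service
        remote_src: true
        mode: "0644"

    # ... install the new k3s version here ...

    - name: Move the saved unit back (mv preserves the user_tmp_t label, which is the bug)
      ansible.builtin.command:
        cmd: mv /tmp/k3s.service /etc/systemd/system/k3s.service
        removes: /tmp/k3s.service

    - name: Reset the SELinux label to what policy expects for this path
      ansible.builtin.command:
        cmd: restorecon -v /etc/systemd/system/k3s.service
      register: restorecon_out
      changed_when: restorecon_out.stdout != ""   # restorecon -v prints only when it relabels

- name: Either option - verify the label before touching the service
  ansible.builtin.command:
    cmd: stat -c %C /etc/systemd/system/k3s.service
  register: unit_ctx
  changed_when: false
  failed_when: "'user_tmp_t' in unit_ctx.stdout"

- name: Reload systemd so it re-reads the now readable unit, then restart
  ansible.builtin.systemd:
    name: k3s
    daemon_reload: true
    state: restarted
```

The `stat -c %C` check is cheap insurance regardless of which option is chosen: it fails the play with a clear message instead of the opaque "Could not find the requested service k3s" that systemd produces once it cannot open the unit file.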
dereknola commented 7 months ago

PR would be appreciated. I think option 1 is easiest, and cleaner than what I was doing with /tmp/ anyways :)