suse-edge / edge-image-builder

Tool for creating and configuring a set of images to automate the deployment of Edge environments
Apache License 2.0

Issues enabling and disabling services with systemd in EIB definition #555

Open fdegir opened 2 months ago

fdegir commented 2 months ago

The snippet below belongs to an EIB ISO definition file used for building an image using EIB 1.1 RC2 and SL Micro 6.0 to provision a system in an automated manner. As can be seen in the snippet, the systemd service rebootmgr is disabled and the rsyncd service is enabled.

  systemd:
    disable:
      - rebootmgr
    enable:
      - rsyncd

The script 14-systemd.sh located under combustion folder in the build directory contains correct systemctl commands for rebootmgr and rsyncd services.

cat combustion/14-systemd.sh
#!/bin/bash
set -euo pipefail

  systemctl disable rebootmgr
  systemctl mask rebootmgr

  systemctl enable rsyncd

However, when the system completes the initial boot, the rebootmgr service stays active/enabled and the rsyncd service stays inactive/disabled, as opposed to what is configured in the EIB ISO definition file.

systemctl status rebootmgr
● rebootmgr.service - Reboot Manager
     Loaded: loaded (/usr/lib/systemd/system/rebootmgr.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-09-06 08:49:38 UTC; 11min ago
       Docs: man:rebootmgrd(8)
             man:rebootmgrctl(1)
   Main PID: 1373 (rebootmgrd)
      Tasks: 1
        CPU: 7ms
     CGroup: /system.slice/rebootmgr.service
             └─1373 /usr/sbin/rebootmgrd --verbose

Sep 06 08:49:38 node1.suse.com systemd[1]: Starting Reboot Manager...
Sep 06 08:49:38 node1.suse.com systemd[1]: Started Reboot Manager.

systemctl status rsyncd
○ rsyncd.service - Start the rsync server daemon
     Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled; preset: disabled)
     Active: inactive (dead)

The reason why the rsyncd service is not started is perhaps that SELinux is preventing it.

systemd[1]: Started Start the rsync server daemon.
systemd[1]: rsyncd.service: Main process exited, code=killed, status=11/SEGV
systemd[1]: rsyncd.service: Failed with result 'signal'.
setroubleshoot[4749]: SELinux is preventing rsyncd from execute access on the file /usr/bin/bash. For complete SELinux messages run: sealert -l c7938ede-5860-4410-922c-a1fc8d9df4e2
setroubleshoot[4749]: SELinux is preventing rsyncd from execute access on the file /usr/bin/bash.

                      *****  Plugin catchall (100. confidence) suggests   **************************

                      If you believe that rsyncd should be allowed execute access on the bash file by default.
                      Then you should report this as a bug.
                      You can generate a local policy module to allow this access.
                      Do
                      allow this access for now by executing:
                      # ausearch -c 'rsyncd' --raw | audit2allow -M my-rsyncd
                      # semodule -X 300 -i my-rsyncd.pp

systemd[1]: setroubleshootd.service: Deactivated successfully.

For rebootmgr, it seems the service gets disabled during the initial boot as configured in the EIB ISO definition file but then it gets started again.

journalctl -u rebootmgr
Sep 06 09:18:49 node1.suse.com systemd[1]: Starting Reboot Manager...
Sep 06 09:18:49 node1.suse.com systemd[1]: Started Reboot Manager.
Sep 06 09:19:17 node1.suse.com systemd[1]: Stopping Reboot Manager...
Sep 06 09:19:17 node1.suse.com systemd[1]: rebootmgr.service: Deactivated successfully.
Sep 06 09:19:17 node1.suse.com systemd[1]: Stopped Reboot Manager.
-- Boot 96e5a3ea98bb422ea9a943ab5a3ad02f --
Sep 06 09:19:34 node1.suse.com systemd[1]: Starting Reboot Manager...
Sep 06 09:19:34 node1.suse.com systemd[1]: Started Reboot Manager.
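
The following is an added example, not code from the issue or from edge-image-builder: a small post-boot check that reads the `systemd:` block of a definition like the one above, compares it with what `systemctl is-enabled` / `systemctl is-active` report on the booted node, and scans journal lines for the two symptoms shown in this report (a setroubleshoot denial naming the unit, and a main process killed by a signal). It assumes the definition uses the `enable:` / `disable:` lists as above, that 14-systemd.sh both disables and masks the `disable:` units (so a correctly applied unit reports `masked`), and that `systemctl` and `journalctl` exist on the node. The sample definition and journal lines embedded in it are constructed from the output quoted in this issue.

```python
"""Post-boot drift check for the `systemd:` section of an EIB definition.

Added example; not edge-image-builder code. Assumptions: the definition
uses `enable:` / `disable:` lists, 14-systemd.sh both disables and masks
the `disable:` units (expected `is-enabled` state: "masked"), and
`systemctl` is available on the booted node for the live query.
"""
import re
import subprocess

# Constructed sample: the systemd section from the definition in the issue.
SAMPLE_DEFINITION = """\
systemd:
  disable:
    - rebootmgr
  enable:
    - rsyncd
"""

# Constructed sample journal lines, modelled on the output in the issue.
SAMPLE_JOURNAL = [
    "systemd[1]: Started Start the rsync server daemon.",
    "systemd[1]: rsyncd.service: Main process exited, code=killed, status=11/SEGV",
    "systemd[1]: rsyncd.service: Failed with result 'signal'.",
    "setroubleshoot[4749]: SELinux is preventing rsyncd from execute access on the file /usr/bin/bash.",
    "systemd[1]: setroubleshootd.service: Deactivated successfully.",
]


def parse_systemd_section(text):
    """Minimal parser for the two-level `systemd:` block (no PyYAML needed)."""
    wanted = {"enable": [], "disable": []}
    in_systemd, current = False, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        item = raw.strip()
        if indent == 0:  # a top-level key; only `systemd:` interests us
            in_systemd, current = (item == "systemd:"), None
        elif in_systemd and item.endswith(":") and item[:-1] in wanted:
            current = item[:-1]
        elif in_systemd and current and item.startswith("- "):
            wanted[current].append(item[2:].strip())
    return wanted


def expected_states(wanted):
    """unit -> (expected `is-enabled` output, expected `is-active` output)."""
    expected = {u: ("enabled", "active") for u in wanted["enable"]}
    expected.update({u: ("masked", "inactive") for u in wanted["disable"]})
    return expected


def find_drift(expected, observed):
    """Return (unit, expected, observed) for every unit whose state differs."""
    drift = []
    for unit, exp in expected.items():
        obs = observed.get(unit, ("unknown", "unknown"))
        if obs != exp:
            drift.append((unit, exp, obs))
    return drift


DENIAL_RE = re.compile(r"SELinux is preventing (\S+) from (\S+) access on the \S+ (\S+)")
CRASH_RE = re.compile(r"(\S+)\.service: Main process exited, code=killed, status=(\d+)/(\w+)")


def selinux_denials(journal_lines, units):
    """setroubleshoot denials whose source command is one of the managed units."""
    hits = []
    for line in journal_lines:
        m = DENIAL_RE.search(line)
        if m and m.group(1) in units:
            hits.append({"unit": m.group(1), "access": m.group(2),
                         "target": m.group(3).rstrip("."), "line": line})
    return hits


def crashed_units(journal_lines):
    """unit -> signal name for services whose main process was killed."""
    crashes = {}
    for line in journal_lines:
        m = CRASH_RE.search(line)
        if m:
            crashes[m.group(1)] = m.group(3)
    return crashes


def query_systemctl(units):
    """Live query of the booted node (not used by the offline sample run)."""
    observed = {}
    for unit in units:
        states = []
        for verb in ("is-enabled", "is-active"):
            r = subprocess.run(["systemctl", verb, unit], capture_output=True, text=True)
            states.append(r.stdout.strip() or "unknown")
        observed[unit] = tuple(states)
    return observed


if __name__ == "__main__":
    # Offline run on the constructed samples. On a node, replace `observed`
    # with query_systemctl(expected) and SAMPLE_JOURNAL with `journalctl -b` lines.
    expected = expected_states(parse_systemd_section(SAMPLE_DEFINITION))
    observed = {"rebootmgr": ("enabled", "active"), "rsyncd": ("disabled", "inactive")}
    for unit, exp, obs in find_drift(expected, observed):
        print(f"DRIFT {unit}: wanted {exp}, got {obs}")
    for hit in selinux_denials(SAMPLE_JOURNAL, expected):
        print(f"SELINUX {hit['unit']}: {hit['access']} denied on {hit['target']}")
    for unit, sig in crashed_units(SAMPLE_JOURNAL).items():
        print(f"CRASH {unit}: killed by {sig}")
```

Run on the constructed samples it reports both units as drifted (rebootmgr enabled/active instead of masked/inactive, rsyncd disabled/inactive instead of enabled/active), one SELinux denial for rsyncd on /usr/bin/bash, and rsyncd killed by SEGV; run against a node where 14-systemd.sh took effect it reports nothing, which makes it a usable first-boot assertion for a provisioning pipeline.
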

jdob commented 1 month ago

@fdegir Can you confirm if this is still an issue? Sounds like there was a discussion about it but I don't want to close it without confirming.

jdob commented 1 month ago

One possible resolution to this would be to have EIB output a warning that, if SELinux is enabled, certain services may or may not be disabled.