Loading...

VONDS ©

Lab 36: Managing Services with systemctl

Back to Lab Index

Inventory the system’s active services and targets, then validate operational control by safely restarting SSH. Disable and hard-block a non-approved service, then apply unit changes correctly using manager reload and re-exec.

services core troubleshooting

Scenario

You are on a production server that runs multiple services. Your team lead asks you to confirm the default boot target, review loaded services, validate SSH health, and remove a non-approved web service from startup. You also need to apply systemd configuration changes correctly after unit edits.

Operator context

This is baseline service-control work. You gather evidence, make controlled changes, and prove the manager and units are in the state you think they are.

Objective

  • Confirm the system’s default boot target.
  • List loaded services and identify key daemons.
  • Inspect and restart the SSH service safely.
  • Disable a service from starting at boot.
  • Mask a service to prevent manual starts.
  • Apply systemd changes via daemon-reload and daemon-reexec.

Concepts

  • Targets are systemd’s boot intent. The default target tells you what the system is designed to boot into.
  • Loaded services are runtime state. Unit files and enablement are configuration state. Do not confuse them.
  • status is your single view for health, unit file location, and recent logs.
  • Disable vs mask: disable removes startup links; mask hard-blocks the unit from starting at all.
  • Reload vs re-exec: daemon-reload re-reads unit files; daemon-reexec re-executes the manager process.

Walkthrough

Step 1 : Confirm the default boot target.
Command 
systemctl get-default

The default target is the intended boot mode. It is the first quick check when you need to understand what the system is supposed to be doing at startup. 

multi-user.target
Step 2 : List loaded service units.
Command 
systemctl list-units --type=service

This is runtime state: what systemd currently has loaded, active, and running. Use it to confirm what is actually on the box right now. 

UNIT                           LOAD   ACTIVE SUB     DESCRIPTION
ssh.service                    loaded active running OpenBSD Secure Shell server
cron.service                   loaded active running Regular background program processing daemon
systemd-journald.service       loaded active running Journal Service
... (truncated)
Step 3 : Inspect SSH service health.
Command 
systemctl status ssh

status shows whether the unit is active, where it is defined, and the most recent log lines. This is where you confirm “healthy” versus “running but degraded.” 

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Fri 2025-07-18 10:22:13 UTC; 3h 22min ago
   Docs: man:sshd(8)
         man:sshd_config(5)
Step 4 : Restart SSH safely.
Safety note

Restarting SSH can disrupt remote access. In a real change window, ensure you have a fallback session or console access before you restart.

Command 
sudo systemctl restart ssh

Restart is a controlled way to prove you can operate the unit. After restart, verify the unit is still active and that your session remains stable. 

# No output on success
Step 5 : Disable a non-approved service at boot.
Command 
sudo systemctl disable apache2

Disabling removes the startup linkage so the unit does not come up on reboot. It does not prevent a manual start by an operator or dependency. 

Removed /etc/systemd/system/multi-user.target.wants/apache2.service.
Step 6 : Mask the unit to hard-block starts.
Command 
sudo systemctl mask apache2

Masking is stronger than disabling. It prevents the unit from being started, even manually, by linking it to /dev/null. 

Created symlink /etc/systemd/system/apache2.service → /dev/null.
Step 7 : Reload unit files after changes.
Command 
sudo systemctl daemon-reload

Use daemon-reload after editing unit files or drop-ins so systemd re-reads definitions. Without this, you can be operating on stale configuration. 

# No output on success
Step 8 : Re-exec the manager when needed.
Command 
sudo systemctl daemon-reexec

daemon-reexec re-executes the systemd manager process itself. Use it when manager-level behavior changes must be picked up without a reboot. 

# No output on success

Common breakpoints

systemctl reports “Unit not found”

The service name may differ by distro. Confirm the unit name with systemctl list-unit-files --type=service | grep -i ssh and retry using the exact unit name.

Restarting SSH breaks your session

This is an operational failure. Use console access or a second session for safety when operating on remote access services. Validate configuration before restart in change windows.

disable succeeds but the service still runs

Disable affects startup, not current runtime. If you need it stopped now, use a stop operation, then confirm state with systemctl status.

mask fails due to dependencies or aliases

Some services are templated or have alias units. Confirm the real unit name, then mask the correct unit file. Use systemctl cat <unit> to see what is being loaded.

daemon-reload did nothing

daemon-reload re-reads unit files, but does not restart services. If you changed unit content, you may still need a controlled restart to apply runtime behavior.

Cleanup checklist

This lab can leave the web service disabled and masked. If this was a controlled exercise, revert those changes so the system returns to its original policy state.

Commands 
systemctl status ssh
systemctl get-default
systemctl list-units --type=service

sudo systemctl unmask apache2
sudo systemctl enable apache2
Success signal

The system target and service inventory look normal, SSH remains healthy, and the web service policy is set to the expected state for your environment.

Reference

  • systemctl get-default : Prints the default boot target (intended boot mode).
  • systemctl list-units --type=service : Lists loaded service units and their runtime state.
    • --type=service : Restricts output to service units.
  • systemctl status <unit> : Shows unit health, recent log lines, and unit file location.
  • systemctl restart <unit> : Restarts a unit immediately (may disrupt active connections).
  • systemctl disable <unit> : Prevents a unit from starting at boot by removing enablement links.
  • systemctl mask <unit> : Hard-blocks a unit from starting by linking it to /dev/null.
  • systemctl unmask <unit> : Removes a mask so the unit can be started again.
  • systemctl enable <unit> : Enables a unit to start at boot by creating target wants links.
  • systemctl daemon-reload : Re-reads unit files after changes to unit definitions or drop-ins.
  • systemctl daemon-reexec : Re-executes the systemd manager process to pick up manager-level changes.
Vonds | Lab 036
Loading...

VONDS ©

Lab 36: Managing Services with systemctl

Back to Lab Index

Inventory the system’s active services and targets, then validate operational control by safely restarting SSH. Disable and hard-block a non-approved service, then apply unit changes correctly using manager reload and re-exec.

services core troubleshooting

Scenario

You are on a production server that runs multiple services. Your team lead asks you to confirm the default boot target, review loaded services, validate SSH health, and remove a non-approved web service from startup. You also need to apply systemd configuration changes correctly after unit edits.

Operator context

This is baseline service-control work. You gather evidence, make controlled changes, and prove the manager and units are in the state you think they are.

Objective

  • Confirm the system’s default boot target.
  • List loaded services and identify key daemons.
  • Inspect and restart the SSH service safely.
  • Disable a service from starting at boot.
  • Mask a service to prevent manual starts.
  • Apply systemd changes via daemon-reload and daemon-reexec.

Concepts

  • Targets are systemd’s boot intent. The default target tells you what the system is designed to boot into.
  • Loaded services are runtime state. Unit files and enablement are configuration state. Do not confuse them.
  • status is your single view for health, unit file location, and recent logs.
  • Disable vs mask: disable removes startup links; mask hard-blocks the unit from starting at all.
  • Reload vs re-exec: daemon-reload re-reads unit files; daemon-reexec re-executes the manager process.

Walkthrough

Step 1 : Confirm the default boot target.
Command 
systemctl get-default

The default target is the intended boot mode. It is the first quick check when you need to understand what the system is supposed to be doing at startup. 

multi-user.target
Step 2 : List loaded service units.
Command 
systemctl list-units --type=service

This is runtime state: what systemd currently has loaded, active, and running. Use it to confirm what is actually on the box right now. 

UNIT                           LOAD   ACTIVE SUB     DESCRIPTION
ssh.service                    loaded active running OpenBSD Secure Shell server
cron.service                   loaded active running Regular background program processing daemon
systemd-journald.service       loaded active running Journal Service
... (truncated)
Step 3 : Inspect SSH service health.
Command 
systemctl status ssh

status shows whether the unit is active, where it is defined, and the most recent log lines. This is where you confirm “healthy” versus “running but degraded.” 

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Fri 2025-07-18 10:22:13 UTC; 3h 22min ago
   Docs: man:sshd(8)
         man:sshd_config(5)
Step 4 : Restart SSH safely.
Safety note

Restarting SSH can disrupt remote access. In a real change window, ensure you have a fallback session or console access before you restart.

Command 
sudo systemctl restart ssh

Restart is a controlled way to prove you can operate the unit. After restart, verify the unit is still active and that your session remains stable. 

# No output on success
Step 5 : Disable a non-approved service at boot.
Command 
sudo systemctl disable apache2

Disabling removes the startup linkage so the unit does not come up on reboot. It does not prevent a manual start by an operator or dependency. 

Removed /etc/systemd/system/multi-user.target.wants/apache2.service.
Step 6 : Mask the unit to hard-block starts.
Command 
sudo systemctl mask apache2

Masking is stronger than disabling. It prevents the unit from being started, even manually, by linking it to /dev/null. 

Created symlink /etc/systemd/system/apache2.service → /dev/null.
Step 7 : Reload unit files after changes.
Command 
sudo systemctl daemon-reload

Use daemon-reload after editing unit files or drop-ins so systemd re-reads definitions. Without this, you can be operating on stale configuration. 

# No output on success
Step 8 : Re-exec the manager when needed.
Command 
sudo systemctl daemon-reexec

daemon-reexec re-executes the systemd manager process itself. Use it when manager-level behavior changes must be picked up without a reboot. 

# No output on success

Common breakpoints

systemctl reports “Unit not found”

The service name may differ by distro. Confirm the unit name with systemctl list-unit-files --type=service | grep -i ssh and retry using the exact unit name.

Restarting SSH breaks your session

This is an operational failure. Use console access or a second session for safety when operating on remote access services. Validate configuration before restart in change windows.

disable succeeds but the service still runs

Disable affects startup, not current runtime. If you need it stopped now, use a stop operation, then confirm state with systemctl status.

mask fails due to dependencies or aliases

Some services are templated or have alias units. Confirm the real unit name, then mask the correct unit file. Use systemctl cat <unit> to see what is being loaded.

daemon-reload did nothing

daemon-reload re-reads unit files, but does not restart services. If you changed unit content, you may still need a controlled restart to apply runtime behavior.

Cleanup checklist

This lab can leave the web service disabled and masked. If this was a controlled exercise, revert those changes so the system returns to its original policy state.

Commands 
systemctl status ssh
systemctl get-default
systemctl list-units --type=service

sudo systemctl unmask apache2
sudo systemctl enable apache2
Success signal

The system target and service inventory look normal, SSH remains healthy, and the web service policy is set to the expected state for your environment.

Reference

  • systemctl get-default : Prints the default boot target (intended boot mode).
  • systemctl list-units --type=service : Lists loaded service units and their runtime state.
    • --type=service : Restricts output to service units.
  • systemctl status <unit> : Shows unit health, recent log lines, and unit file location.
  • systemctl restart <unit> : Restarts a unit immediately (may disrupt active connections).
  • systemctl disable <unit> : Prevents a unit from starting at boot by removing enablement links.
  • systemctl mask <unit> : Hard-blocks a unit from starting by linking it to /dev/null.
  • systemctl unmask <unit> : Removes a mask so the unit can be started again.
  • systemctl enable <unit> : Enables a unit to start at boot by creating target wants links.
  • systemctl daemon-reload : Re-reads unit files after changes to unit definitions or drop-ins.
  • systemctl daemon-reexec : Re-executes the systemd manager process to pick up manager-level changes.