systemctl-mask

Mask a service

$ systemctl mask [service_name]

$ systemctl mask [service_name] --now

systemctl mask [OPTIONS...] UNIT...

UNIT...
    One or more systemd unit names (e.g., apache2.service, network.target). Unit types can be omitted if ambiguity is not present.

--runtime
    Mask the unit only for the current runtime session. The change will not persist across reboots. The symbolic link is created in /run/systemd/system/ instead of /etc/systemd/system/.

--dry-run
    Perform a trial run, showing what changes would be made without actually modifying the system. No actual masking takes place.

--quiet
    Suppress output messages from the command.

The systemctl mask command provides the strongest possible method to prevent a systemd unit from being started, either manually or automatically via dependencies. Unlike systemctl disable, which merely removes auto-start links, mask effectively makes the unit unstartable under any circumstance. It achieves this by creating a symbolic link from the unit file (e.g., /etc/systemd/system/foo.service) to /dev/null. When systemd attempts to load or start a masked unit, it encounters /dev/null and considers the unit unusable. This command is particularly useful for critical system services that should never run, for troubleshooting to isolate problematic services, or to definitively prevent a service from being enabled or started by other means.

If the unit is currently running, systemctl mask will prevent future starts but will not stop the currently active instance.
You must explicitly stop the unit using systemctl stop before masking if you wish for it to cease running immediately.
Masking essential system services can lead to an unbootable or unstable system. Use this command with extreme caution and only when you fully understand the implications.
A masked unit cannot be started or enabled without first being unmasked using systemctl unmask.
Dependencies: If other units depend on a masked unit, those dependent units might fail to start or operate correctly.

The core of the mask operation is the creation of a symbolic link from the unit's configuration file (typically in /etc/systemd/system/ or /run/systemd/system/) to /dev/null. When systemd tries to read the unit file, it effectively reads nothing, leading it to mark the unit as 'masked' and preventing its activation. This design ensures that the unit cannot be loaded or executed by any other means as long as the symlink exists.

Masking a unit takes absolute precedence over other systemctl commands like enable or start. If a unit is masked, attempting to enable or start it will fail with an error, reinforcing its status as definitively disabled. You must first unmask the unit before any other activation commands can succeed.

systemctl is the primary command-line tool for controlling the systemd init system, which replaced traditional SysVinit and Upstart in many modern Linux distributions. The mask functionality was introduced as part of systemd's design to provide a robust and definitive way to manage unit activation, offering a stronger control mechanism than simple disabling. It has been a core feature of systemd since its widespread adoption, enhancing system administrators' ability to manage service lifecycle and system stability.

systemctl unmask(1), systemctl enable(1), systemctl disable(1), systemctl start(1), systemctl stop(1), systemctl status(1)