cr0x.net — Hard Problems. Clean Solutions.
English

Debian 13: “Unit masked” surprises — unmask safely and fix why it got masked (case #47)

December 9, 2025 • February 3, 2026 • Read: 21 min • Views: 10

Was this helpful?

You go to restart a service on Debian 13 and systemd answers with the operational equivalent of a locked door: “Unit is masked.” No restart, no status that makes sense, and your change window is evaporating in real time.

The instinct is to unmask it and move on. Sometimes that’s fine. Sometimes that’s how you accidentally re-enable a service that was intentionally disabled for safety, security, or boot correctness. The point of this write-up is to get you back to green and prevent the next surprise, because “unit masked” is rarely the whole story.

What “masked” actually means (and what it doesn’t)

In systemd terms, a masked unit is a unit that has been deliberately made unstartable. Not “disabled.” Not “stopped.” Unstartable. systemd implements masking by placing a symlink named like the unit file (or its drop-in) that points to /dev/null. That’s a hard veto: no manual start, no dependency start, no accidental activation.

Masking is used for a few legitimate reasons:

  • Stop a problematic service from starting via dependencies or sockets.
  • Keep a legacy service from being auto-pulled in by other units.
  • Prevent an admin from “just trying to start it” in a panic.
  • Override vendor units when the package doesn’t offer a clean knob.

And it’s used for a few illegitimate reasons:

  • Automation scripts use mask as a blunt tool and never clean up.
  • Someone masks a unit during an incident and forgets to document it.
  • A cloud image ships with services masked to avoid boot-time surprises, then you expect those services to work.

Masking is not the same as:

  • Disabled: doesn’t start at boot, but can be started manually (systemctl start works).
  • Static: cannot be enabled (no [Install] section) but can start via dependencies.
  • Failed: started and crashed, or never started due to runtime errors.
  • Not-found: unit file doesn’t exist (or generator didn’t create it).

Masking is a policy decision. Your job is to learn what made that policy decision happen, and whether it should remain in place.

Fast diagnosis playbook (check first/second/third)

First: confirm the unit state and where the masking lives

  • Is it masked at runtime, or via a persistent symlink?
  • Is it masked in the system instance or user instance?
  • Is it the unit itself, or an alias/template/socket that is masked?

Second: find who/what asked for masking

  • Look at package scripts (dpkg logs), config management logs, and shell history where appropriate.
  • Check if a metapackage or preset policy is forcing a state you didn’t expect.
  • Look for drop-ins that conflict with the unit’s activation path.

Third: decide whether unmasking is safe

  • Does starting this service create data loss risk (storage mounts, encryption, replication)?
  • Does it open network listeners you don’t want (e.g., debug daemons)?
  • Will it fight another service (two DHCP clients, two time sync services, two firewalls)?

Only after that do you unmask. “Unmask first, ask later” is how you turn a simple outage into a postmortem.

Practical tasks: commands, outputs, decisions (12+)

These are the exact moves I use in production. Each task includes a command, realistic output, and the decision you make from it.

Task 1: Reproduce the failure and capture the exact error

cr0x@server:~$ sudo systemctl start fstrim.timer
Failed to start fstrim.timer: Unit fstrim.timer is masked.

What it means: systemd refused before even evaluating dependencies. This is policy-level, not runtime-level.

Decision: Don’t “just unmask” yet. Identify where the mask is located and whether it’s intentional.

Task 2: Check status (it tells you how systemd sees it)

cr0x@server:~$ systemctl status fstrim.timer
○ fstrim.timer
     Loaded: masked (Reason: Unit fstrim.timer is masked.)
     Active: inactive (dead)

What it means: “Loaded: masked” confirms the unit definition is overridden to /dev/null (or equivalent mask).

Decision: Next: locate the symlink and determine if it’s system-wide or a transient runtime mask.

Task 3: Find the unit file path (or the fact it’s /dev/null)

cr0x@server:~$ systemctl show -p FragmentPath -p UnitFileState fstrim.timer
FragmentPath=/etc/systemd/system/fstrim.timer
UnitFileState=masked

What it means: The mask is in /etc, not a vendor file in /lib. Someone (human or automation) did this on purpose.

Decision: Inspect the file to confirm it’s a symlink to /dev/null.

Task 4: Verify the mask symlink target

cr0x@server:~$ ls -l /etc/systemd/system/fstrim.timer
lrwxrwxrwx 1 root root 9 Dec 29 03:12 /etc/systemd/system/fstrim.timer -> /dev/null

What it means: Classic mask. No ambiguity.

Decision: Determine who created it and whether you actually want fstrim.timer running on this host class (VMs? SSDs? thin-provisioned SAN?).

Task 5: Check if this is a runtime mask instead (less common, but sneaky)

cr0x@server:~$ systemctl show -p FragmentPath fstrim.timer
FragmentPath=/etc/systemd/system/fstrim.timer

What it means: Not runtime. If it were runtime-masked, you’d often see masking under /run/systemd/system.

Decision: Move to audit trails: dpkg logs, config management, or admin actions.

Task 6: Confirm whether the vendor unit exists (it matters when unmasking)

cr0x@server:~$ systemctl cat fstrim.timer
# /etc/systemd/system/fstrim.timer
# (null)

What it means: systemd is literally loading “nothing” because /dev/null is the unit. You need to know what file should be used instead.

Decision: Check the vendor-provided unit in /lib/systemd/system and whether it’s installed.

Task 7: Locate the vendor unit and its install behavior

cr0x@server:~$ ls -l /lib/systemd/system/fstrim.timer
-rw-r--r-- 1 root root 402 Jan  5 10:02 /lib/systemd/system/fstrim.timer

What it means: The unit exists and can be restored by unmasking (systemd will fall back to vendor unit).

Decision: Before unmasking, evaluate if enabling is required, or only starting manually.

Task 8: Check if the unit is enabled/disabled after unmasking (don’t assume)

cr0x@server:~$ systemctl is-enabled fstrim.timer
masked

What it means: It’s masked, so the enablement state is irrelevant until unmasked.

Decision: Plan: unmask, then decide between enable and start.

Task 9: Unmask safely (unit only, no surprise restarts)

cr0x@server:~$ sudo systemctl unmask fstrim.timer
Removed "/etc/systemd/system/fstrim.timer".

What it means: The symlink was removed. That does not mean it’s enabled or started.

Decision: Reload the daemon if you’re changing unit files in bulk; for simple unmask it’s usually not required, but I still verify state immediately.

Task 10: Verify the unit is now loadable, and see its default state

cr0x@server:~$ systemctl show -p FragmentPath -p UnitFileState fstrim.timer
FragmentPath=/lib/systemd/system/fstrim.timer
UnitFileState=disabled

What it means: Now systemd uses the vendor unit and it’s disabled (won’t start on boot).

Decision: Decide whether you need it enabled. For a timer like fstrim, you almost always do, but check storage and policy first.

Task 11: Enable (for boot persistence) or start (for immediate use)

cr0x@server:~$ sudo systemctl enable --now fstrim.timer
Created symlink '/etc/systemd/system/timers.target.wants/fstrim.timer' → '/lib/systemd/system/fstrim.timer'.

What it means: It will run per schedule and is started now. Timers are a safe-ish class to enable, but verify the behavior.

Decision: Confirm it’s active and check next trigger time.

Task 12: Confirm timer schedule and last/next runs

cr0x@server:~$ systemctl list-timers --all | sed -n '1,6p'
NEXT                        LEFT          LAST                        PASSED       UNIT                         ACTIVATES
Mon 2025-12-30 03:15:00 UTC 2h 11min left Mon 2025-12-29 03:15:01 UTC 21h ago      fstrim.timer                 fstrim.service

What it means: You’re back to a predictable schedule. If “LAST” is empty, it may not have run yet.

Decision: If this timer is expected to fire weekly but your storage team hates DISCARD, stop here and coordinate.

Task 13: Identify whether a related unit is masked instead (socket, path, template)

cr0x@server:~$ systemctl list-unit-files | grep -E '^(ssh|ssh@|ssh\.socket)'
ssh.service                              enabled
ssh.socket                               masked
ssh@.service                             static

What it means: You might be trying to start a service that’s normally triggered by a socket. If the socket is masked, activation never happens.

Decision: Decide whether you want socket activation at all. Unmasking the socket may have security implications (listeners appear).

Task 14: Follow the dependency chain to see who would pull it in

cr0x@server:~$ systemctl list-dependencies --reverse fstrim.service | head
fstrim.service
● multi-user.target

What it means: If reverse dependencies include high-level targets, enabling may change boot behavior.

Decision: If it’s pulled in broadly, ensure it won’t deadlock boot (storage/network ordering issues).

Task 15: Inspect dpkg logs for package scripts that might have masked something

cr0x@server:~$ grep -n "mask" /var/log/dpkg.log | tail -n 5
23341:2025-12-29 03:11:52 status installed util-linux:amd64 2.40.2-1
23342:2025-12-29 03:12:03 configure util-linux:amd64 2.40.2-1 <none>

What it means: dpkg itself doesn’t log masking as “mask”; most masking comes from systemctl calls in maintainer scripts or config management. Absence of evidence isn’t evidence of absence.

Decision: If you suspect a package script, inspect the maintainer scripts on-disk.

Task 16: Check maintainer scripts for unit manipulation (where masking can be hidden)

cr0x@server:~$ dpkg -L util-linux | grep -E '/(postinst|prerm|postrm)$'
/var/lib/dpkg/info/util-linux.postinst
/var/lib/dpkg/info/util-linux.prerm
/var/lib/dpkg/info/util-linux.postrm
cr0x@server:~$ sudo grep -n "systemctl .*mask" /var/lib/dpkg/info/util-linux.postinst

What it means: No explicit masking in that script (in this example). Good to check anyway when a mask appears right after an upgrade.

Decision: If scripts are clean, focus on automation, cloud-init, and human action.

Task 17: Audit who ran systemctl (best-effort)

cr0x@server:~$ sudo journalctl -u systemd-logind --since "2025-12-29" | head -n 6
Dec 29 03:09:18 server systemd-logind[610]: New session 42 of user root.
Dec 29 03:09:18 server systemd-logind[610]: Removed session 41.
Dec 29 03:12:01 server systemd-logind[610]: Session 42 logged out. Waiting for processes to exit.

What it means: This is not a perfect audit trail, but it can correlate sessions with the time the mask symlink appeared (from filesystem timestamps or backup diffs).

Decision: If you need real accountability, deploy auditd rules for /etc/systemd/system changes. Otherwise, treat this as a clue, not proof.

Why units get masked on Debian 13 (real reasons)

“It’s masked” is the symptom. The root causes tend to cluster. If you learn the clusters, you stop being surprised.

1) A human masked it to stop a boot loop or incident

This is common with network services (dhcpcd vs NetworkManager), storage services (multipath, iscsid), and anything that can stall boot (remote-fs.target dependencies). Masking is the nuclear option used at 03:00 when “disable” didn’t stop activation via dependencies.

2) Configuration management used masking as idempotent “off”

Some playbooks treat “masked” as a stricter version of disabled. That’s not wrong. It’s just a bigger commitment than many teams realize. The surprise comes later when a role expects the unit to start and you get a hard refusal.

3) A cloud or appliance image shipped with units masked

Image builders mask services to avoid slow boots, noisy logs, or insecure defaults. Debian-based images in particular may ship with certain timers or services disabled/masked to keep the base image generic. When you later install a package that expects the service to start, you get “masked” and the package maintainer gets blamed for your image policy.

4) The unit is intentionally masked by the vendor to force migration

Sometimes a service is deprecated and masked to stop it being started accidentally. This is less common in Debian than in some vendor distros, but it happens in transitions (e.g., when a service is replaced by a socket-activated version, or when an old daemon is unsafe).

5) You masked the wrong thing (aliases, sockets, templates)

systemd units come in families: .service, .socket, .timer, .path, and templates like foo@.service. Masking one can make the whole feature look dead. I’ve seen people unmask the service but leave the socket masked and then swear systemd is “ignoring” them. It’s not. It’s obeying your earlier decision.

6) A unit is generated, and you masked the generated name

Some units are generated at boot by systemd generators (for example, from fstab entries). If you mask a generated unit name, you can force it off. But if the generator changes the name (or you move from device paths to UUIDs), your mask stops matching and the mount starts again. That’s not systemd being “random”; that’s you pinning policy to an unstable identifier.

One quote I keep taped to the inside of my skull:

Werner Vogels: “Everything fails, all the time.” (paraphrased idea)

Masking is one of the mechanisms we use to make failures predictable. When it’s accidental, it does the opposite.

Unmask safely: the correct sequence and the traps

Here’s the safe posture: treat unmasking like you’d treat enabling a firewall rule or remounting a filesystem. You can do it quickly, but you do it consciously.

Step 1: Identify exactly what is masked

Don’t assume it’s the .service. It might be the timer that should trigger it, the socket that should activate it, or an alias you keep typing out of habit.

Step 2: Identify where the mask is defined

If it’s in /etc/systemd/system, it’s local policy. If it’s in /run/systemd/system, it may be transient. If it’s in /lib/systemd/system (rare for masking), it’s vendor policy.

Step 3: Decide whether you want it enabled long-term

Unmasking only removes the “do not start” policy. It does not enable. Don’t reflexively run enable --now unless you’re sure the unit should run at boot. For a one-off recovery, you may want unmask + start only.

Step 4: Watch for the “starts something else” effect

Unmasking a socket or path unit can immediately change how requests are accepted. Unmasking a timer can cause it to start firing based on persistent timers (missed runs). That’s a feature, but it surprises people.

Short joke #1: systemd masking is like putting a “DO NOT OPEN” sign on a door—then acting shocked when it doesn’t open.

Step 5: If the unit was masked for a reason, fix the reason

Masking is rarely the true fix. It’s the tourniquet. You still need to treat the injury: conflicting daemons, broken config, bad dependencies, or an environment mismatch (containers, chroots, minimal images).

Interesting facts and history that explains today’s behavior

  • Fact 1: systemd masking is implemented primarily via a symlink to /dev/null, which beats almost every other unit source in the load path.
  • Fact 2: Debian’s systemd integration leans heavily on the “vendor preset” mechanism: packages can ship suggested enablement states, but local admins can override.
  • Fact 3: The distinction between disabled and masked is intentional: disabled stops boot activation; masked prevents any activation, including dependencies.
  • Fact 4: systemd’s unit search order prefers /etc/systemd/system over /run over /lib/systemd/system. That’s why local masking in /etc is so decisive.
  • Fact 5: A unit can be “static” and still start automatically via dependencies; many admins first meet “static” when they try to enable something that was never meant to be enabled directly.
  • Fact 6: Timers replaced a lot of old-school cron jobs in modern distros, and some images mask timers to reduce background churn on tiny instances.
  • Fact 7: Socket activation means the .socket can be more important than the .service; masking the socket is effectively masking the feature.
  • Fact 8: In early systemd adoption years, “mask it” became a common workaround to stop SysV-compat services from respawning due to legacy init scripts or dependencies.
  • Fact 9: Masking is reversible without reinstalling packages, which is why it’s used operationally during incidents—fast, deterministic, and blunt.

Three corporate mini-stories from the trenches

Mini-story 1: The outage caused by a wrong assumption

A retail company ran Debian on edge gateways in stores. The gateways used a VPN service with a systemd unit. During a migration, a senior engineer decided “we’ll temporarily disable the legacy VPN unit so the new one can be tested.” They used systemctl mask because it made the unit stop starting immediately, and it also prevented the old service from being pulled in by other units.

The assumption: masking behaves like a stronger disable and will be removed later by the migration role. The reality: the migration role only called disable/enable, never unmask. It didn’t even check for masked state. The playbook was “correct” in the narrow sense, but it was blind to the policy hammer that had been used earlier.

Weeks later, a security patch required restarting the VPN service. The rollout hit the masked units first (because of unlucky ordering). The orchestration system interpreted “failed to start” as a fatal error and stopped mid-flight. Stores went half-upgraded: some gateways had a patched kernel, some did not; some had VPN, some didn’t.

The fix was trivial—unmask and restart. The lesson wasn’t. They added a preflight check: any unit critical to connectivity must be enabled or disabled, never masked, unless the change record explicitly documents it. They also updated the migration role to treat masked as a separate state requiring intentional handling.

Mini-story 2: The optimization that backfired

A media company wanted faster boot times on their Debian 13 render nodes. Someone noticed a handful of units waiting on network-online and remote mounts. The quick “optimization” was to mask services that looked optional: a time sync daemon, a trim timer, and a remote mount helper. Boot got faster. Everyone congratulated themselves and went back to arguing about GPU drivers.

The backfire arrived quietly. The render farm ran long-lived nodes, and without periodic trim, SSD performance degraded slowly. The time sync daemon being masked caused certificates to intermittently fail validation after reboots where the clock drifted far enough. The remote mount helper being masked meant a fallback path kicked in: jobs wrote caches to local disks instead of shared storage.

None of these failures were dramatic. They were the worst kind: sporadic, cross-team, and hard to correlate. The storage team complained about SSD wear, the security team complained about TLS errors, and the compute team complained about “random job slowness.” Masking was the common denominator, but it took a week to notice because “masked” isn’t a failure state—it’s a policy state.

They rolled back the masks, then did the boring work: fix ordering dependencies, reduce network-online usage, and set sane timeouts. Boot stayed reasonably fast, and the fleet stopped accumulating invisible debt.

Mini-story 3: The boring but correct practice that saved the day

A fintech ran Debian 13 for internal services. They had one habit that looked bureaucratic: a daily audit job that compared /etc/systemd/system against a known-good baseline for each server role. It wasn’t fancy; it just flagged unexpected symlinks, especially those pointing to /dev/null.

One morning, the audit lit up: a database backup timer was masked on a handful of hosts. No one had opened an incident. No pager. Just a diff. They investigated before backups were missed long enough to matter.

Root cause: a junior engineer ran a “temporary” cleanup script during a disk-pressure event. The script masked several timers to stop I/O churn, with every intention of unmasking later. They got pulled into another task and forgot. The audit found it the next day, before compliance did.

They unmasked the timer, ran an on-demand backup, and added a runbook: if you mask something as a stopgap, create a ticket that expires and auto-pages if unresolved. The practice was dull. It worked. Dull is underrated in operations.

Common mistakes: symptom → root cause → fix

1) “systemctl enable says unit is masked”

Symptom: Failed to enable unit: Unit file is masked

Root cause: You’re trying to change enablement state while a /dev/null override exists.

Fix: systemctl unmask UNIT, then re-run systemctl enable. Verify FragmentPath moved off /etc and onto /lib or a valid override.

2) “I unmasked the service but it still won’t start”

Symptom: Service unmasked, but activation still fails or never occurs.

Root cause: The trigger unit is masked (socket/timer/path) or the unit is static and only started by dependencies you’re not satisfying.

Fix: Check related units: systemctl list-unit-files | grep NAME. Unmask the trigger (if appropriate) and validate dependencies with list-dependencies.

3) “It’s masked again after reboot”

Symptom: You unmask, but the unit ends up masked later.

Root cause: Automation (Ansible/Puppet/Salt), cloud-init, or a hardening role re-applies the mask.

Fix: Find and remove the policy. Grep your configuration repo for the unit name and for systemctl mask. If you can’t change automation quickly, add a managed override: enforce unmasked state as code.

4) “Package install didn’t start the service”

Symptom: You install a package and expect the service to start; it doesn’t, and later you find it masked.

Root cause: The host image had the unit masked already, or preset policy disabled it, and your package’s postinst respected admin policy.

Fix: Confirm vendor preset with systemctl preset-status (where supported), and check for existing masks in /etc/systemd/system. Decide whether to follow the image policy or override it for this role.

5) “Masking to fix a crash”

Symptom: Someone masked a unit to stop it crashing repeatedly.

Root cause: Masking is being used as a substitute for fixing the crash or misconfiguration.

Fix: Unmask in a controlled window, inspect logs (journalctl -u), fix config, then re-enable. If you must keep it off, prefer disable unless dependency activation is a risk.

6) “Masked mount units and storage weirdness”

Symptom: Storage mounts don’t happen; services fail waiting for filesystems.

Root cause: A mount unit generated from fstab was masked to avoid hangs, but the underlying storage issue was never resolved (DNS, iSCSI, multipath, credentials).

Fix: Fix the underlying storage dependency. Use sane timeouts and nofail where appropriate. Masking mounts is acceptable as a stopgap, not as architecture.

Short joke #2: If your “fix” is masking services, you’re not doing SRE—you’re doing systemd whack-a-mole.

Checklists / step-by-step plan

Checklist A: One-unit recovery (fast, safe)

  1. Capture error: systemctl start UNIT and copy the exact message.
  2. Confirm state: systemctl status UNIT and systemctl is-enabled UNIT.
  3. Locate mask: systemctl show -p FragmentPath UNIT.
  4. Verify symlink: ls -l FRAGMENTPATH and confirm -> /dev/null.
  5. Check vendor unit exists: ls -l /lib/systemd/system/UNIT.
  6. Decide safety: does starting it open ports, mount storage, modify disks, or conflict with another daemon?
  7. Unmask: systemctl unmask UNIT.
  8. Verify FragmentPath moved to a real file.
  9. Start (temporary) or enable –now (persistent), explicitly.
  10. Validate: logs (journalctl -u UNIT -b), health checks, and timers/sockets where relevant.

Checklist B: Fleet-wide prevention

  1. Inventory masks: find symlinks to /dev/null under /etc/systemd/system.
  2. Classify: intentional (documented) vs accidental (unknown origin).
  3. For intentional masks, add a comment in your config management and a ticket reference in your runbook.
  4. For accidental masks, unmask and fix the underlying issue (conflicts, ordering, broken configs).
  5. Add CI checks to prevent new masks in roles unless explicitly approved.
  6. Baseline drift detection: alert on new /etc/systemd/system/*.service -> /dev/null.

Task pack: fleet inventory commands (bonus, still practical)

cr0x@server:~$ sudo find /etc/systemd/system -maxdepth 2 -type l -lname /dev/null -printf '%p -> %l\n' | head
/etc/systemd/system/fstrim.timer -> /dev/null
/etc/systemd/system/ssh.socket -> /dev/null

What it means: These are your masks. Each line is a policy decision somebody made.

Decision: For each, decide: keep (document) or remove (unmask + fix root cause).

FAQ

1) What’s the difference between disable and mask?

disable removes symlinks that start the unit at boot. The unit can still be started manually or as a dependency. mask makes it unstartable in any scenario.

2) Does systemctl unmask start the service?

No. It only removes the veto. You still need start for immediate activation and enable for boot persistence.

3) Why is the masked unit located in /etc/systemd/system?

Because masking is usually a local admin policy. systemd searches /etc first, so local overrides win over vendor defaults.

4) Can a unit be masked in a way that doesn’t show a symlink in /etc?

Yes. It can be masked transiently in /run/systemd/system, or you can be hitting a different unit name (alias/socket/template) than you think.

5) Why did masking happen during an upgrade?

More often than not, it didn’t. Upgrades reveal existing policy because packages change defaults, add timers, or shift activation paths. If you suspect maintainer scripts, inspect /var/lib/dpkg/info/*.postinst for systemctl calls.

6) If I unmask, will Debian “remember” and keep it unmasked through upgrades?

Yes, because the mask was a file in /etc. Once removed, it stays removed—unless automation or a hardening role recreates it.

7) What’s the safest way to test unmasking on a production system?

Unmask without enabling, then start manually and watch logs. For network listeners, confirm sockets/ports before and after. For storage-related services, validate mounts and dependencies before the restart.

8) Can I mask a unit to prevent it being started indirectly?

Yes, that’s a valid use case. If dependency activation is the problem and disable isn’t strong enough, masking is the right tool—just document it and audit for drift.

9) Why does systemctl cat show “(null)”?

Because the unit file is literally /dev/null. systemd is telling you “I loaded nothing, by design.” That’s the mask.

10) How do I avoid masking mounts and then forgetting?

Treat masks as expiring incident mitigations. File a ticket, add an alert on mask symlinks, and fix the real issue (timeouts, ordering, credentials, network readiness).

Conclusion: next steps that stick

When Debian 13 says “Unit is masked,” it’s not being mysterious. It’s being obedient. A mask is a deliberate policy override, implemented in the simplest possible way: a symlink to nowhere.

Do these next:

  1. For the unit that bit you: capture FragmentPath, verify the symlink target, and record where the policy lived.
  2. Unmask only after you decide it’s safe, then choose start vs enable --now intentionally.
  3. Find the author: automation, image policy, or a human incident fix. Remove the surprise at the source.
  4. Fleet hygiene: audit /etc/systemd/system for -> /dev/null symlinks and treat undocumented masks as defects.

If you remember one operational rule: unmasking fixes the symptom; understanding why it got masked fixes the system.

← Previous
Email “Sender address rejected”: authentication and policy fixes
Next →
TGP in Laptops: The Number Brands Love to Bury

Related articles

Ubuntu 24.04: rsyslog vs journald — choose logging without losing important events January 31, 2026 Debian 13: Memory leaks in services — find them with the least disruption (case #43) January 26, 2026 Ubuntu 24.04 servers: Snap vs apt — where Snap quietly causes pain (and what to do) January 24, 2026 Email: Brute force on IMAP/SMTP — lock it down without locking yourself out January 24, 2026 Ubuntu 24.04: Cron Runs Manually but Not on Schedule — PATH/Env Gotchas and Fixes January 21, 2026 Debian 13: Thermal throttling ruins throughput — prove it and fix cooling/power limits January 16, 2026 Debian 13 IRQ storms and weird latency: check irqbalance and fix interrupts January 15, 2026 Ubuntu 24.04: sudo is slow — DNS/hostname fixes that remove the delay (case #66) January 15, 2026 Ubuntu 24.04 systemd unit overrides: fix services cleanly without editing vendor files (case #8) January 13, 2026 Debian 13: Journald ate your disk — cap logs without losing what matters January 8, 2026

Leave a comment