When loading a rendered configuration from a file as a candidate config, systemd requires authentication to stop/start the units managing the containers.
This does not happen when you type/paste in the commands that would produce the rendered configuration.
yzguy@test-R1# run add container image cloudflare/gortr
[edit]
yzguy@test-R1# set container name gortr allow-host-networks
[edit]
yzguy@test-R1# set container name gortr arguments '-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082'
[edit]
yzguy@test-R1# set container name gortr image 'cloudflare/gortr'
[edit]
yzguy@test-R1# set container name gortr port http destination '8082'
[edit]
yzguy@test-R1# set container name gortr port http source '8082'
[edit]
yzguy@test-R1# compare
[]
+ container {
+     name gortr {
+         allow-host-networks { }
+         arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
+         image "cloudflare/gortr"
+         port http {
+             destination "8082"
+             source "8082"
+         }
+     }
+ }
[edit]
yzguy@test-R1# commit
[edit]
yzguy@test-R1# run show container
CONTAINER ID  IMAGE                              COMMAND               CREATED         STATUS             PORTS  NAMES
40c7fabd236e  docker.io/cloudflare/gortr:latest  -cache https://dn...  14 seconds ago  Up 14 seconds ago         gortr
[edit]
It seems perhaps related to polkit (https://lateambichon.com/en/authenticating-for-org-freedesktop-systemd1-manage-units-2/) and to it being done as a non-root/sudo operation.
yzguy@test-R1# load /var/tmp/candidate_running.conf
Loading configuration from '/var/tmp/candidate_running.conf'
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:
 1.  salt minion user,,, (minion)
 2.  RADIUS mapped user at privilege level admin,,, (radius_priv_user)
 3.  vyos
 4.  testuser1
 5.  testuser2
Choose identity to authenticate as (1-5): ^CTraceback (most recent call last):
  File "/usr/libexec/vyos/vyos-load-config.py", line 92, in <module>
    migration.run()
  File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 191, in run
    rev_versions = self.run_migration_scripts(cfg_versions, sys_versions)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 127, in run_migration_scripts
    out = cmd([migrate_script, self._config_file])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 141, in cmd
    decoded, code = popen(
                    ^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 82, in popen
    pipe = p.communicate(input, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 1207, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 2059, in _communicate
    ready = selector.select(timeout)
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/selectors.py", line 415, in select
    fd_event_list = self._selector.poll(timeout)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt
Seems maybe to be related to the container 0-to-1 migration script: https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/container/0-to-1#L38-L47
yzguy@test-R1# /opt/vyatta/etc/config-migrate/migrate/container/0-to-1 /tmp/tmp6uqa5gmw
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:
Seems related to this change: https://vyos.dev/T4870
It seems perhaps that the migration script should detect if the container has a non-overlay FS and then proceed, otherwise continue on. Although, if it is a non-overlay FS, it's still not really a great experience to request authentication when doing a load.
Just as a test, if I add sudo in front of the two systemctl commands, it works fine without the prompt.
diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1 index 9fcf295e8..9f4ce3b64 100755 --- a/src/migration-scripts/container/0-to-1 +++ b/src/migration-scripts/container/0-to-1 @@ -39,7 +39,7 @@ config = ConfigTree(config_file) if config.exists(base): for container in config.list_nodes(base): # Stop any given container first - call(f'systemctl stop vyos-container-{container}.service') + call(f'sudo systemctl stop vyos-container-{container}.service') # Export container image for later re-import to new filesystem. We store # the backup on a real disk as a tmpfs (like /tmp) could probably lack # memory if a host has too many containers stored. @@ -69,7 +69,7 @@ if config.exists(base): call(f'podman image load --quiet --input {image_path}') # Start any given container first - call(f'systemctl start vyos-container-{container}.service') + call(f'sudo systemctl start vyos-container-{container}.service') # Delete temporary container image if os.path.exists(image_path):
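Review bot: prefixing `sudo` to the two `call(...)` lines (the stop in the first hunk, the start in the second) only moves the problem: it assumes whoever runs the migration has passwordless sudo for systemctl in every context, including the automation pipeline the report mentions, and the exit status of `call()` is still discarded, so a stop that fails (or prompts) lets the script fall through to the image export, `podman image load` and the start with the container still running. Consider checking the return value of the stop call and aborting the migration on failure, and, as the report itself suggests, only running the stop/export/import/start sequence when the store actually needs migrating rather than for every node in `config.list_nodes(base)`. Also, the comment above the second changed line, `# Start any given container first`, is a copy of the stop comment and should say that the container is restarted after its image has been re-imported.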
If you let it sit, it will eventually move through each container and finish. However, with the automation pipeline we have, it errors out because it hits a timeout while waiting for the prompt to come back after the configuration is loaded.
Sample configuration for containers
container {
    name gortr {
        allow-host-networks { }
        arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
        image "cloudflare/gortr"
        port http {
            destination "8082"
            source "8082"
        }
    }
}
...
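The two changes the report argues for, skipping the stop/start when the container store is already on the overlay driver and never letting systemctl block on an interactive polkit prompt, as an added example that is not VyOS code and not the project's migration script. It assumes the `vyos-container-<name>.service` unit naming shown in the report, reads the driver from the `store.graphDriverName` field of `podman info --format json`, and uses the real `systemctl --no-ask-password` flag; the `migrate_storage` hook, `recording_runner` and the podman JSON samples are constructed for the example.

```python
#!/usr/bin/env python3
"""Guarded, non-interactive stop/start of container units during a migration.

Added example, not VyOS code. The export/import of the image itself is out of
scope and is passed in as a hook; the point is the guard around it and the
fail-fast invocation of systemctl.
"""
import json
import subprocess
from typing import Callable, List

# A runner takes an argv list and returns a CompletedProcess. Injecting it
# lets the logic be exercised offline without touching systemd.
Runner = Callable[[List[str]], subprocess.CompletedProcess]


def real_runner(cmd: List[str]) -> subprocess.CompletedProcess:
    """Run a command with stdin closed so nothing can wait on a terminal."""
    return subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, text=True)


def storage_driver(podman_info_json: str) -> str:
    """Graph driver name from `podman info --format json` output."""
    return json.loads(podman_info_json)["store"]["graphDriverName"]


def needs_migration(podman_info_json: str) -> bool:
    """True when the store is on a non-overlay driver, the case that needs migrating."""
    return storage_driver(podman_info_json) != "overlay"


def systemctl(action: str, unit: str, run: Runner) -> bool:
    """Invoke systemctl without an interactive polkit/password prompt.

    --no-ask-password turns a missing privilege into an immediate non-zero
    exit instead of a 'Choose identity to authenticate as' prompt that an
    automation pipeline can only time out on.
    """
    result = run(["systemctl", "--no-ask-password", action, unit])
    return result.returncode == 0


def migrate_containers(
    names: List[str],
    podman_info_json: str,
    migrate_storage: Callable[[str], None],  # hypothetical export/import hook
    run: Runner = real_runner,
) -> List[str]:
    """Stop, migrate and restart each container unit; return the units touched.

    Units are left alone when no migration is needed, so loading a config whose
    containers already live on an overlay store never asks for authentication.
    A failed stop aborts before any export instead of being silently ignored.
    """
    if not needs_migration(podman_info_json):
        return []
    touched: List[str] = []
    for name in names:
        unit = f"vyos-container-{name}.service"
        if not systemctl("stop", unit, run):
            raise RuntimeError(f"unable to stop {unit}; aborting migration")
        migrate_storage(name)
        if not systemctl("start", unit, run):
            raise RuntimeError(f"{name} migrated but {unit} failed to start")
        touched.append(unit)
    return touched


# Constructed sample `podman info` output for an offline run.
OVERLAY_INFO = json.dumps({"store": {"graphDriverName": "overlay"}})
VFS_INFO = json.dumps({"store": {"graphDriverName": "vfs"}})


def recording_runner(log: List[List[str]], fail_on: str = "") -> Runner:
    """Fake runner that records each argv and optionally fails one action."""
    def run(cmd: List[str]) -> subprocess.CompletedProcess:
        log.append(cmd)
        rc = 1 if fail_on and fail_on in cmd else 0
        return subprocess.CompletedProcess(cmd, rc)
    return run


if __name__ == "__main__":
    log: List[List[str]] = []
    print(migrate_containers(["gortr"], OVERLAY_INFO, lambda n: None, recording_runner(log)))
    print(migrate_containers(["gortr"], VFS_INFO, lambda n: None, recording_runner(log)))
    print(log)
```

With the overlay sample the function returns an empty list and issues no systemctl command at all, which is the behaviour a plain `load` should have; with the vfs sample it issues exactly one stop and one start per container, and a failing stop raises before the storage hook is called. Running it for real still requires the migration to execute as a user allowed to manage units, but a missing privilege then surfaces as a clear error rather than a hang.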