Page MenuHomeVyOS Platform

Container systemd units require authentication
Closed, ResolvedPublicBUG

Description

When loading a rendered configuration from a file as a candidate config systemd requires authentication to stop/start the units managing the containers.

This does not happen when you type/paste in the commands that would produce the rendered configuration.

yzguy@test-R1# run add container image cloudflare/gortr
[edit]
yzguy@test-R1# set container name gortr allow-host-networks
[edit]
yzguy@test-R1# set container name gortr arguments '-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082'

[edit]
yzguy@test-R1# set container name gortr image 'cloudflare/gortr'
[edit]
yzguy@test-R1# set container name gortr port http destination '8082'
[edit]
yzguy@test-R1# set container name gortr port http source '8082'
[edit]
yzguy@test-R1# compare
[]
+ container {
+     name gortr {
+         allow-host-networks { }
+         arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
+         image "cloudflare/gortr"
+         port http {
+             destination "8082"
+             source "8082"
+         }
+     }
+ }

[edit]
yzguy@test-R1# commit
[edit]
yzguy@test-R1# run show container
CONTAINER ID  IMAGE                              COMMAND               CREATED         STATUS             PORTS       NAMES
40c7fabd236e  docker.io/cloudflare/gortr:latest  -cache https://dn...  14 seconds ago  Up 14 seconds ago              gortr
[edit]

It seems perhaps related to polkit: https://lateambichon.com/en/authenticating-for-org-freedesktop-systemd1-manage-units-2/ and it being done as a non-root/sudo operation.

yzguy@test-R1# load /var/tmp/candidate_running.conf
Loading configuration from '/var/tmp/candidate_running.conf'
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:
 1.  salt minion user,,, (minion)
 2.  RADIUS mapped user at privilege level admin,,, (radius_priv_user)
 3.  vyos
 4.  testuser1
 5.  testuser2
Choose identity to authenticate as (1-5): 
^CTraceback (most recent call last):
  File "/usr/libexec/vyos/vyos-load-config.py", line 92, in <module>
    migration.run()
  File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 191, in run
    rev_versions = self.run_migration_scripts(cfg_versions, sys_versions)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 127, in run_migration_scripts
    out = cmd([migrate_script, self._config_file])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 141, in cmd
    decoded, code = popen(
                    ^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 82, in popen
    pipe = p.communicate(input, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 1207, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 2059, in _communicate
    ready = selector.select(timeout)
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/selectors.py", line 415, in select
    fd_event_list = self._selector.poll(timeout)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt

Seems maybe to be related to the container 0-to-1 migration script: https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/container/0-to-1#L38-L47

yzguy@test-R1# /opt/vyatta/etc/config-migrate/migrate/container/0-to-1 /tmp/tmp6uqa5gmw
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:

Seems related to this change: https://vyos.dev/T4870

Seems perhaps in the migration script it should detect if the container has a non-overlay FS and then proceed, otherwise continue on. Although, if is a non-overlay FS it's still not really a great experience to request authentication when doing load

Just as a test, if I add sudo in front of the two systemctl commands it works fine without the prompt

diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1
index 9fcf295e8..9f4ce3b64 100755
--- a/src/migration-scripts/container/0-to-1
+++ b/src/migration-scripts/container/0-to-1
@@ -39,7 +39,7 @@ config = ConfigTree(config_file)
 if config.exists(base):
     for container in config.list_nodes(base):
         # Stop any given container first
-        call(f'systemctl stop vyos-container-{container}.service')
+        call(f'sudo systemctl stop vyos-container-{container}.service')
         # Export container image for later re-import to new filesystem. We store
         # the backup on a real disk as a tmpfs (like /tmp) could probably lack
         # memory if a host has too many containers stored.
@@ -69,7 +69,7 @@ if config.exists(base):
         call(f'podman image load --quiet --input {image_path}')

         # Start any given container first
-        call(f'systemctl start vyos-container-{container}.service')
+        call(f'sudo systemctl start vyos-container-{container}.service')

         # Delete temporary container image
         if os.path.exists(image_path):

If you let it sit it will eventually move through each container and finish. However with the automation pipeline we have, it errors out because of hitting a timeout as it's waiting for the prompt to come back after the configuration is loaded.

Sample configuration for containers

container {
    name gortr {
        allow-host-networks { }
        arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
        image "cloudflare/gortr"
        port http {
            destination "8082"
            source "8082"
        }
    }
}
...

Details

Version
1.4-rolling-202307161346
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

yzguy updated the task description. (Show Details)
yzguy updated the task description. (Show Details)
yzguy updated the task description. (Show Details)
yzguy updated the task description. (Show Details)

@c-po just added the sudo on a live box to test the changes and I can confirm that fixes it. No auth prompt when doing a load config.
Now I did notice that every time I do a load config it runs that migration script which stops/starts the container which is not ideal.

I suspect because the migration is specifically for migrating from vfs to overlay that we just need to add a check for each container image to see if it's VFS then migrate it, otherwise don't touch it.

c-po claimed this task.