
Unexpected error when restarting a container via a native Podman command
Open, Normal, Public, Bug

Description

The configuration:

set container name suricata allow-host-networks
set container name suricata arguments '-q 1'
set container name suricata capability net-admin
set container name suricata capability sys-admin
set container name suricata capability sys-nice
set container name suricata memory '1024'
set container name suricata image jasonish/suricata:6.0.14
set container name suricata volume ETC source '/config/suricata/etc'
set container name suricata volume ETC destination '/etc/suricata'
set container name suricata volume LOGS source '/config/suricata/logs'
set container name suricata volume LOGS destination '/var/log/suricata'
set container name suricata volume RULES source '/config/suricata/rules'
set container name suricata volume RULES destination '/var/lib/suricata/rules/'

Checking container:

vyos@VyOS-Test01# run sh container
CONTAINER ID  IMAGE                               COMMAND     CREATED        STATUS        PORTS       NAMES
7347697ca3c4  docker.io/jasonish/suricata:6.0.14  -q 1        2 minutes ago  Up 2 minutes              suricata

Executing the podman command:

vyos@VyOS-Test01# sudo podman restart suricata
ERRO[0002] Cleaning up container 7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec: unmounting container 7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec storage: cleaning up container 7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec storage: unmounting container 7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec root filesystem: removing mount point "/usr/lib/live/mount/persistence/container/storage/overlay/d5de3349ae4e7a6453c988bcc437c822509b972f214a26683add88d4eac091e0/merged": directory not empty
Error: crun: executable file `/docker-entrypoint.sh` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found
[edit]
vyos@VyOS-Test01# run sh container
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[edit]

Journal logs:

Aug 23 05:39:55 VyOS-Test01 systemd[1]: Started vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:39:55 VyOS-Test01 vyos-configd[751]: Sending response 1
Aug 23 05:39:55 VyOS-Test01 sudo[3714]: pam_unix(sudo:session): session closed for user root
Aug 23 05:39:55 VyOS-Test01 suricata[3783]: Checking for capability sys_nice: yes
Aug 23 05:39:55 VyOS-Test01 suricata[3783]: Checking for capability net_admin: yes
Aug 23 05:39:55 VyOS-Test01 suricata[3783]: 23/8/2024 -- 05:39:55 - <Notice> - This is Suricata version 6.0.14 RELEASE running in SYSTEM mode
Aug 23 05:39:56 VyOS-Test01 systemd[1]: opt-vyatta-config-tmp-new_config_3300.mount: Deactivated successfully.
Aug 23 05:39:56 VyOS-Test01 suricata[3783]: 23/8/2024 -- 05:39:56 - <Notice> - all 3 packet processing threads, 4 management threads initiali>
Aug 23 05:39:57 VyOS-Test01 sudo[3841]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/bin/mv /tmp/config.boot.3825 /opt/vy>
Aug 23 05:39:57 VyOS-Test01 sudo[3841]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1002)
Aug 23 05:39:57 VyOS-Test01 sudo[3841]: pam_unix(sudo:session): session closed for user root
Aug 23 05:39:57 VyOS-Test01 sudo[3844]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/logrotate -f -s /opt/vyatta/etc>
Aug 23 05:39:57 VyOS-Test01 sudo[3844]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1002)
Aug 23 05:39:57 VyOS-Test01 sudo[3844]: pam_unix(sudo:session): session closed for user root
Aug 23 05:39:57 VyOS-Test01 commit[3848]: Successful change to active configuration by user vyos on /dev/pts/0
Aug 23 05:40:01 VyOS-Test01 CRON[3850]: pam_unix(cron:session): session opened for user smmsp(uid=116) by (uid=0)
Aug 23 05:40:01 VyOS-Test01 CRON[3851]: (smmsp) CMD (test -x /etc/init.d/sendmail && test -x /usr/share/sendmail/sendmail && test -x /usr/lib>
Aug 23 05:40:01 VyOS-Test01 CRON[3850]: pam_unix(cron:session): session closed for user smmsp
Aug 23 05:40:05 VyOS-Test01 sudo[3946]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/libexec/vyos/op_mode/container.py sh>
Aug 23 05:40:05 VyOS-Test01 sudo[3946]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1002)
Aug 23 05:40:05 VyOS-Test01 sudo[3946]: pam_unix(sudo:session): session closed for user root
Aug 23 05:42:33 VyOS-Test01 sudo[4026]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/libexec/vyos/op_mode/container.py sh>
Aug 23 05:42:33 VyOS-Test01 sudo[4026]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1002)
Aug 23 05:42:33 VyOS-Test01 sudo[4026]: pam_unix(sudo:session): session closed for user root
Aug 23 05:44:13 VyOS-Test01 sudo[4042]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/bin/podman restart suricata
Aug 23 05:44:13 VyOS-Test01 sudo[4042]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1002)
Aug 23 05:44:13 VyOS-Test01 podman[4044]: 2024-08-23 05:44:13.632665482 +0000 UTC m=+0.038648547 container restart 7347697ca3c48fd3bc1eebd054>
Aug 23 05:44:13 VyOS-Test01 systemd[1]: tmp-crun.Ci5g0B.mount: Deactivated successfully.
Aug 23 05:44:13 VyOS-Test01 suricata[3783]: 23/8/2024 -- 05:44:13 - <Notice> - Signal Received.  Stopping engine.
Aug 23 05:44:15 VyOS-Test01 suricata[3783]: 23/8/2024 -- 05:44:15 - <Notice> - (RX-NFQ#1) Treated: Pkts 0, Bytes 0, Errors 0
Aug 23 05:44:15 VyOS-Test01 suricata[3783]: 23/8/2024 -- 05:44:15 - <Notice> - (RX-NFQ#1) Verdict: Accepted 0, Dropped 0, Replaced 0
Aug 23 05:44:15 VyOS-Test01 systemd[1]: libpod-7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec.scope: Deactivated successful>
Aug 23 05:44:15 VyOS-Test01 systemd[1]: libpod-7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec.scope: Consumed 2.755s CPU ti>
Aug 23 05:44:15 VyOS-Test01 conmon[3783]: conmon 7347697ca3c48fd3bc1e <nwarn>: Failed to open cgroups file: /sys/fs/cgroup/machine.slice/libp>
Aug 23 05:44:15 VyOS-Test01 podman[4044]: 2024-08-23 05:44:15.330415656 +0000 UTC m=+1.736398751 container stop 7347697ca3c48fd3bc1eebd054504>
Aug 23 05:44:15 VyOS-Test01 conmon[3783]: conmon 7347697ca3c48fd3bc1e <nwarn>: stdio_input read failed Input/output error
Aug 23 05:44:15 VyOS-Test01 podman[4044]: 2024-08-23 05:44:15.34161293 +0000 UTC m=+1.747596025 container died 7347697ca3c48fd3bc1eebd0545040>
Aug 23 05:44:15 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Main process exited, code=killed, status=9/KILL
Aug 23 05:44:15 VyOS-Test01 systemd[1]: tmp-crun.o2fD5w.mount: Deactivated successfully.
Aug 23 05:44:15 VyOS-Test01 systemd[1]: usr-lib-live-mount-persistence-container-storage-overlay-d5de3349ae4e7a6453c988bcc437c822509b972f214a>
Aug 23 05:44:15 VyOS-Test01 systemd[1]: tmp-crun.Sf0Itf.mount: Deactivated successfully.
Aug 23 05:44:15 VyOS-Test01 systemd[1]: Started libpod-7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec.scope - libcrun conta>
Aug 23 05:44:15 VyOS-Test01 systemd[1]: libpod-7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6bbf1af44e6ec.scope: Deactivated successful>
Aug 23 05:44:15 VyOS-Test01 conmon[4059]: conmon 7347697ca3c48fd3bc1e <nwarn>: Failed to get console terminal settings
Aug 23 05:44:15 VyOS-Test01 conmon[4059]: conmon 7347697ca3c48fd3bc1e <nwarn>: runtime stderr: executable file `/docker-entrypoint.sh` not fo>
Aug 23 05:44:15 VyOS-Test01 conmon[4059]: conmon 7347697ca3c48fd3bc1e <error>: Failed to create container: exit status 1
Aug 23 05:44:15 VyOS-Test01 sudo[4042]: pam_unix(sudo:session): session closed for user root
Aug 23 05:44:15 VyOS-Test01 podman[4057]: 2024-08-23 05:44:15.711209293 +0000 UTC m=+0.205431042 container remove 7347697ca3c48fd3bc1eebd0545>
Aug 23 05:44:15 VyOS-Test01 podman[4057]: Error: cleaning up storage: removing container 7347697ca3c48fd3bc1eebd054504036fe51bfeaaf2b581b15e6>
Aug 23 05:44:15 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Control process exited, code=exited, status=125/n/a
Aug 23 05:44:15 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'signal'.
Aug 23 05:44:15 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 1.
Aug 23 05:44:15 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:15 VyOS-Test01 systemd[1]: Starting vyos-container-suricata.service - VyOS Container suricata...
Aug 23 05:44:15 VyOS-Test01 podman[4081]: time="2024-08-23T05:44:15Z" level=warning msg="The input device is not a TTY. The --tty and --inter>
Aug 23 05:44:15 VyOS-Test01 podman[4081]: time="2024-08-23T05:44:15Z" level=warning msg="Unmounting container \"suricata\" while attempting t>
Aug 23 05:44:15 VyOS-Test01 podman[4081]: Error: removing storage for container "suricata": removing mount point "/usr/lib/live/mount/persist>
Aug 23 05:44:16 VyOS-Test01 podman[4081]: 2024-08-23 05:44:15.968156521 +0000 UTC m=+0.058205106 image pull 3981ebe57e30a593c39a761cb5e753614>
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Control process exited, code=exited, status=125/n/a
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 2.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: Starting vyos-container-suricata.service - VyOS Container suricata...
Aug 23 05:44:16 VyOS-Test01 systemd[1]: usr-lib-live-mount-persistence-container-storage-overlay\x2dcontainers-7347697ca3c48fd3bc1eebd0545040>
Aug 23 05:44:16 VyOS-Test01 podman[4100]: time="2024-08-23T05:44:16Z" level=warning msg="The input device is not a TTY. The --tty and --inter>
Aug 23 05:44:16 VyOS-Test01 podman[4100]: time="2024-08-23T05:44:16Z" level=warning msg="Unmounting container \"suricata\" while attempting t>
Aug 23 05:44:16 VyOS-Test01 podman[4100]: Error: removing storage for container "suricata": removing mount point "/usr/lib/live/mount/persist>
Aug 23 05:44:16 VyOS-Test01 podman[4100]: 2024-08-23 05:44:16.468422328 +0000 UTC m=+0.047160950 image pull 3981ebe57e30a593c39a761cb5e753614>
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Control process exited, code=exited, status=125/n/a
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 3.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:16 VyOS-Test01 systemd[1]: Starting vyos-container-suricata.service - VyOS Container suricata...
Aug 23 05:44:16 VyOS-Test01 podman[4119]: time="2024-08-23T05:44:16Z" level=warning msg="The input device is not a TTY. The --tty and --inter>
Aug 23 05:44:16 VyOS-Test01 podman[4119]: time="2024-08-23T05:44:16Z" level=warning msg="Unmounting container \"suricata\" while attempting t>
Aug 23 05:44:16 VyOS-Test01 podman[4119]: Error: removing storage for container "suricata": removing mount point "/usr/lib/live/mount/persist>
Aug 23 05:44:16 VyOS-Test01 podman[4119]: 2024-08-23 05:44:16.948894298 +0000 UTC m=+0.042025846 image pull 3981ebe57e30a593c39a761cb5e753614>
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Control process exited, code=exited, status=125/n/a
Aug 23 05:44:17 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 4.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: Starting vyos-container-suricata.service - VyOS Container suricata...
Aug 23 05:44:17 VyOS-Test01 podman[4138]: time="2024-08-23T05:44:17Z" level=warning msg="The input device is not a TTY. The --tty and --inter>
Aug 23 05:44:17 VyOS-Test01 podman[4138]: 2024-08-23 05:44:17.462338524 +0000 UTC m=+0.039654783 image pull 3981ebe57e30a593c39a761cb5e753614>
Aug 23 05:44:17 VyOS-Test01 podman[4138]: time="2024-08-23T05:44:17Z" level=warning msg="Unmounting container \"suricata\" while attempting t>
Aug 23 05:44:17 VyOS-Test01 podman[4138]: Error: removing storage for container "suricata": removing mount point "/usr/lib/live/mount/persist>
Aug 23 05:44:17 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Control process exited, code=exited, status=125/n/a
Aug 23 05:44:17 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 5.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:17 VyOS-Test01 systemd[1]: Starting vyos-container-suricata.service - VyOS Container suricata...
Aug 23 05:44:17 VyOS-Test01 podman[4157]: time="2024-08-23T05:44:17Z" level=warning msg="The input device is not a TTY. The --tty and --inter>
Aug 23 05:44:17 VyOS-Test01 podman[4157]: time="2024-08-23T05:44:17Z" level=warning msg="Unmounting container \"suricata\" while attempting t>
Aug 23 05:44:18 VyOS-Test01 podman[4157]: Error: removing storage for container "suricata": removing mount point "/usr/lib/live/mount/persist>
Aug 23 05:44:18 VyOS-Test01 podman[4157]: 2024-08-23 05:44:17.971692402 +0000 UTC m=+0.062170116 image pull 3981ebe57e30a593c39a761cb5e753614>
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Control process exited, code=exited, status=125/n/a
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 6.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Start request repeated too quickly.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 05:44:26 VyOS-Test01 sudo[4241]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/libexec/vyos/op_mode/container.py sh>
Aug 23 05:44:26 VyOS-Test01 sudo[4241]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1002)
Aug 23 05:44:26 VyOS-Test01 sudo[4241]: pam_unix(sudo:session): session closed for user root

Also, after the restart, the container commands do successfully load:

vyos@VyOS-Test01:~$ show configuration commands | grep container
vyos@VyOS-Test01:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@VyOS-Test01# load /config/config.boot
Loading configuration from '/config/config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@VyOS-Test01# coma

  Invalid command: [coma]

[edit]
vyos@VyOS-Test01# compare
+ container {
+     name suricata {
+         allow-host-networks
+         arguments "-q 1"
+         capability "net-admin"
+         capability "sys-admin"
+         capability "sys-nice"
+         image "jasonish/suricata:6.0.14"
+         memory "1024"
+         volume ETC {
+             destination "/etc/suricata"
+             source "/config/suricata/etc"
+         }
+         volume LOGS {
+             destination "/var/log/suricata"
+             source "/config/suricata/logs"
+         }
+         volume RULES {
+             destination "/var/lib/suricata/rules/"
+             source "/config/suricata/rules"
+         }
+     }
+ }

[edit]
vyos@VyOS-Test01# commit
[ container ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2024-08-23 05:53:12
Image version:    VyOS 1.4.0
Release train:    sagitta

Built by:         Sentrium S.L.
Built on:         Tue 04 Jun 2024 09:23 UTC
Build UUID:       5e6ae0c4-4d17-4b69-9247-b4ba44a3e3c2
Build commit ID:  35dd8ae6522c78-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-56 4d f4 7a e2 3a 16 69-d8 92 3a 5f 27 86 6f 46
Hardware UUID:    7af44d56-3ae2-6916-d892-3a5f27866f46

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/container.py", line 493, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/container.py", line 466, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: systemctl restart vyos-container-suricata.service
returned:
exit code: 1

noteworthy:
cmd 'systemctl restart vyos-container-suricata.service'
returned (out):

returned (err):
Job for vyos-container-suricata.service failed because the control process exited with error code.
See "systemctl status vyos-container-suricata.service" and "journalctl -xeu vyos-container-suricata.service" for details.

[[container]] failed
Commit failed
[edit]
vyos@VyOS-Test01#
[edit]
vyos@VyOS-Test01#
[edit]
vyos@VyOS-Test01# run sh container
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[edit]

A temporary workaround could be used:

sudo podman rm <CONTAINER NAME>
vyos@VyOS-Test01# sudo podman rm suricata
suricata
[edit]
vyos@VyOS-Test01# compare
+ container {
+     name suricata {
+         allow-host-networks
+         arguments "-q 1"
+         capability "net-admin"
+         capability "sys-admin"
+         capability "sys-nice"
+         image "jasonish/suricata:6.0.14"
+         memory "1024"
+         volume ETC {
+             destination "/etc/suricata"
+             source "/config/suricata/etc"
+         }
+         volume LOGS {
+             destination "/var/log/suricata"
+             source "/config/suricata/logs"
+         }
+         volume RULES {
+             destination "/var/lib/suricata/rules/"
+             source "/config/suricata/rules"
+         }
+     }
+ }

[edit]
vyos@VyOS-Test01# commit
[edit]
vyos@VyOS-Test01# run sh container
CONTAINER ID  IMAGE                               COMMAND     CREATED         STATUS         PORTS       NAMES
9dad3ea7522a  docker.io/jasonish/suricata:6.0.14  -q 1        14 seconds ago  Up 13 seconds              suricata
[edit]
vyos@VyOS-Test01#
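The journal above contains everything needed to catch this condition automatically: the out-of-band `sudo podman restart`, the systemd restart loop, and the storage clean-up error that keeps the unit from recovering. The following is an added example (not VyOS project code and not from the reporter) that runs that detection over journalctl-style lines; the regexes and the Findings/UnitState names are assumptions of this example, and the sample lines are a trimmed, constructed subset of the report's journal.

```python
"""Detection over journal lines for the failure pattern shown in the report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a trimmed subset of the journal from the report
# (hostname, pids and container id as in the report; long lines shortened).
SAMPLE_JOURNAL = """\
Aug 23 05:44:13 VyOS-Test01 sudo[4042]:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/bin/podman restart suricata
Aug 23 05:44:15 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Main process exited, code=killed, status=9/KILL
Aug 23 05:44:15 VyOS-Test01 conmon[4059]: conmon 7347697ca3c48fd3bc1e <nwarn>: runtime stderr: executable file `/docker-entrypoint.sh` not found in $PATH: No such file or directory
Aug 23 05:44:15 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 1.
Aug 23 05:44:15 VyOS-Test01 podman[4081]: Error: removing storage for container "suricata": removing mount point "/usr/lib/live/mount/persistence/container/storage/overlay/d5de3349ae4e7a6453c988bcc437c822509b972f214a26683add88d4eac091e0/merged": directory not empty
Aug 23 05:44:16 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 2.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 6.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Start request repeated too quickly.
Aug 23 05:44:18 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
"""

# Patterns are assumptions of this example, derived from the journal lines above.
RE_SUDO_PODMAN = re.compile(
    r"sudo\[\d+\]:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>/usr/bin/podman\b.*)$")
RE_RESTART_COUNTER = re.compile(
    r"(?P<unit>vyos-container-[\w.-]+\.service): Scheduled restart job, "
    r"restart counter is at (?P<n>\d+)\.")
RE_START_LIMIT = re.compile(
    r"(?P<unit>vyos-container-[\w.-]+\.service): Start request repeated too quickly")
RE_STORAGE_ERROR = re.compile(
    r'Error: removing storage for container "(?P<name>[^"]+)": .*directory not empty')
RE_MISSING_EXEC = re.compile(r"executable file `(?P<path>[^`]+)` not found")


@dataclass
class UnitState:
    unit: str
    max_restart_counter: int = 0
    start_limit_hit: bool = False
    storage_errors: int = 0


@dataclass
class Findings:
    units: Dict[str, UnitState] = field(default_factory=dict)
    sudo_podman: List[Tuple[str, str]] = field(default_factory=list)  # (user, command)
    missing_executables: List[str] = field(default_factory=list)

    def unit(self, name: str) -> UnitState:
        return self.units.setdefault(name, UnitState(name))


def analyse_journal(text: str) -> Findings:
    """Walk journal lines once and collect per-unit and global findings."""
    f = Findings()
    for line in text.splitlines():
        if m := RE_SUDO_PODMAN.search(line):
            f.sudo_podman.append((m["user"], m["cmd"].strip()))
        elif m := RE_RESTART_COUNTER.search(line):
            u = f.unit(m["unit"])
            u.max_restart_counter = max(u.max_restart_counter, int(m["n"]))
        elif m := RE_START_LIMIT.search(line):
            f.unit(m["unit"]).start_limit_hit = True
        elif m := RE_STORAGE_ERROR.search(line):
            # podman names the container; map it back to the VyOS unit name
            f.unit(f"vyos-container-{m['name']}.service").storage_errors += 1
        elif m := RE_MISSING_EXEC.search(line):
            f.missing_executables.append(m["path"])
    return f


def alerts(f: Findings) -> List[str]:
    """Turn findings into alert strings; an empty list means nothing to report."""
    out = []
    for user, cmd in f.sudo_podman:
        out.append(f"out-of-band container management: {user} ran '{cmd}' via sudo")
    for u in f.units.values():
        if u.start_limit_hit:
            out.append(f"{u.unit}: restart loop ({u.max_restart_counter} attempts) hit "
                       "the start limit; the container is DOWN")
        if u.storage_errors:
            out.append(f"{u.unit}: {u.storage_errors} storage clean-up error(s) "
                       "('directory not empty'); a stale container is blocking recovery")
    for path in f.missing_executables:
        out.append(f"runtime could not execute {path} inside the container rootfs")
    return out


if __name__ == "__main__":
    for line in alerts(analyse_journal(SAMPLE_JOURNAL)):
        print(line)
```

The first alert is the one that matters for an IDS container running with host networking and CAP_SYS_ADMIN: the moment someone bypasses the unit, the container's availability is no longer guaranteed, and the "Start request repeated too quickly" alert confirms the monitoring gap rather than a transient restart.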

Details

Difficulty level
Unknown (require assessment)
Version
1.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

It fails because you do it in the wrong way.

wrong:

vyos@VyOS-Test01# sudo podman restart suricata

Correct:

systemctl restart vyos-container-{name}.service

https://github.com/vyos/vyos-1x/blob/5f780ebb7f1799eb9a93218bb83561db509c7e56/src/op_mode/container.py#L105C28-L105C75

Just use 'restart container xxx' from op-mode and it will work. Not all native podman commands will work correctly, as one needs to understand the implementation.

You are right, there is an op-mode command to restart the container:

restart container suricata

But I think there need to be some checks/changes, at least in case someone executes the native Podman command to restart the container.


We cannot check/limit sudo commands without the proper op-mode level, which will disable all sudo commands. Via sudo you can do any destructive action.

If the service is in 'failed' state:

vyos@VyOS-Test01:~$ systemctl status vyos-container-suricata.service
× vyos-container-suricata.service - VyOS Container suricata
     Loaded: loaded (/run/systemd/system/vyos-container-suricata.service; static)
     Active: failed (Result: exit-code) since Fri 2024-08-23 10:32:44 UTC; 43s ago
   Duration: 4min 55.702s
    Process: 2855 ExecStartPre=/bin/rm -f /run/vyos-container-suricata.service.pid /run/vyos-container-suricata.service.cid (code=exited, sta>
    Process: 2856 ExecStart=/usr/bin/podman run --conmon-pidfile /run/vyos-container-suricata.service.pid --cidfile /run/vyos-container-suric>
    Process: 2867 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /run/vyos-container-suricata.service.cid (code=exited, status=0/SUCCE>
    Process: 2873 ExecStopPost=/bin/rm -f /run/vyos-container-suricata.service.cid (code=exited, status=0/SUCCESS)
        CPU: 129ms

Aug 23 10:32:43 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 10:32:43 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 10:32:44 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 6.
Aug 23 10:32:44 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 10:32:44 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Start request repeated too quickly.
Aug 23 10:32:44 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 10:32:44 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
vyos@VyOS-Test01:~$

Commands:
VyOS native:

restart container suricata

Systemd:

sudo systemctl restart vyos-container-suricata.service

Neither works.

vyos@VyOS-Test01:~$ restart container suricata
Job for vyos-container-suricata.service failed because the control process exited with error code.
See "systemctl status vyos-container-suricata.service" and "journalctl -xeu vyos-container-suricata.service" for details.
vyos@VyOS-Test01:~$
vyos@VyOS-Test01:~$ sudo systemctl restart vyos-container-suricata.service
Job for vyos-container-suricata.service failed because the control process exited with error code.
See "systemctl status vyos-container-suricata.service" and "journalctl -xeu vyos-container-suricata.service" for details.
vyos@VyOS-Test01:~$

If the user breaks it by using the command:

sudo podman restart <container>

The status is still the same (failed):

vyos@VyOS-Test01:~$ systemctl status vyos-container-suricata.service
× vyos-container-suricata.service - VyOS Container suricata
     Loaded: loaded (/run/systemd/system/vyos-container-suricata.service; static)
     Active: failed (Result: exit-code) since Fri 2024-08-23 10:35:30 UTC; 5min ago
   Duration: 4min 55.702s
    Process: 3112 ExecStartPre=/bin/rm -f /run/vyos-container-suricata.service.pid /run/vyos-container-suricata.service.cid (code=exited, sta>
    Process: 3113 ExecStart=/usr/bin/podman run --conmon-pidfile /run/vyos-container-suricata.service.pid --cidfile /run/vyos-container-suric>
    Process: 3124 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /run/vyos-container-suricata.service.cid (code=exited, status=0/SUCCE>
    Process: 3130 ExecStopPost=/bin/rm -f /run/vyos-container-suricata.service.cid (code=exited, status=0/SUCCESS)
        CPU: 138ms

Aug 23 10:35:29 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 10:35:29 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.
Aug 23 10:35:30 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Scheduled restart job, restart counter is at 5.
Aug 23 10:35:30 VyOS-Test01 systemd[1]: Stopped vyos-container-suricata.service - VyOS Container suricata.
Aug 23 10:35:30 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Start request repeated too quickly.
Aug 23 10:35:30 VyOS-Test01 systemd[1]: vyos-container-suricata.service: Failed with result 'exit-code'.
Aug 23 10:35:30 VyOS-Test01 systemd[1]: Failed to start vyos-container-suricata.service - VyOS Container suricata.

Deleting the container via the VyOS native command and rebooting the instance did not work.
Without the delete command, just rebooting the instance also did not work.

Only this worked:

  1. Reboot instance
  2. load /config/config.boot
  3. sudo podman rm suricata
  4. commit

Then it works:

vyos@VyOS-Test01#
[edit]
vyos@VyOS-Test01# load /config/config.boot
[edit]
vyos@VyOS-Test01#
[edit]
vyos@VyOS-Test01# compare
+ container {
+     name suricata {
+         allow-host-networks
+         arguments "-q 1"
+         capability "net-admin"
+         capability "sys-admin"
+         capability "sys-nice"
+         image "jasonish/suricata:6.0.14"
+         memory "1024"
+         volume ETC {
+             destination "/etc/suricata"
+             source "/config/suricata/etc"
+         }
+         volume LOGS {
+             destination "/var/log/suricata"
+             source "/config/suricata/logs"
+         }
+         volume RULES {
+             destination "/var/lib/suricata/rules/"
+             source "/config/suricata/rules"
+         }
+     }
+ }

[edit]
vyos@VyOS-Test01# sudo podman rm suricata
suricata
[edit]
vyos@VyOS-Test01# commit
[edit]
vyos@VyOS-Test01# run sh container
CONTAINER ID  IMAGE                               COMMAND     CREATED        STATUS        PORTS       NAMES
5ef25a753739  docker.io/jasonish/suricata:6.0.14  -q 1        3 minutes ago  Up 3 minutes              suricata
[edit]
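The recovery sequence that worked above (remove the stale podman container by name, then commit, which runs `systemctl restart vyos-container-<name>.service`) can be encoded as a consistency check that runs before any restart. The following is an added example, not VyOS project code and not from the thread's participants: it takes the unit state, the `podman ps -a` listing and the unit's cidfile contents as plain data so it can be tested without podman or systemd, classifies the situation, and returns the ordered commands to bring the container back under the unit. The function and field names, the `--format` column layout and the sample listings are assumptions of this example; the status output in the thread shows ExecStopPost removing the .cid file, which is why a missing cidfile is treated as "the unit no longer owns this container".

```python
"""Consistency check before restarting a VyOS-managed container (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `podman ps -a --format '{{.ID}}|{{.Names}}|{{.Status}}'`
# after the broken `podman restart`: the container still exists but is not running.
SAMPLE_PS_FAILED = "7347697ca3c4|suricata|Exited (137) 5 minutes ago\n"
# Constructed sample of the same listing on a healthy system (id as in the thread).
SAMPLE_PS_HEALTHY = "9dad3ea7522a|suricata|Up 13 seconds\n"


@dataclass
class PodmanContainer:
    id: str       # short id as printed by `podman ps`
    name: str
    status: str   # e.g. "Up 3 minutes", "Exited (137) 5 minutes ago", "Created"

    @property
    def running(self) -> bool:
        return self.status.startswith("Up")


def parse_podman_ps(output: str) -> Dict[str, PodmanContainer]:
    """Parse the three-column listing into a dict keyed by container name."""
    containers: Dict[str, PodmanContainer] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        cid, name, status = (part.strip() for part in line.split("|", 2))
        containers[name] = PodmanContainer(cid, name, status)
    return containers


def diagnose(name: str, unit_state: str, containers: Dict[str, PodmanContainer],
             cidfile_id: Optional[str]) -> Tuple[str, List[str]]:
    """Return (condition, ordered commands that bring the container back under the unit).

    unit_state  : the word printed by `systemctl is-active vyos-container-<name>.service`
    cidfile_id  : full container id from /run/vyos-container-<name>.service.cid, or
                  None when the file is absent (ExecStopPost removes it on failure)
    """
    unit = f"vyos-container-{name}.service"
    # Both `restart container <name>` (op-mode) and `commit` (conf_mode) end up here.
    restart = f"systemctl restart {unit}"
    ctr = containers.get(name)

    if ctr is None:
        # Nothing left in storage; the unit can recreate the container from scratch.
        return ("no-container", [restart])

    tracked = cidfile_id is not None and cidfile_id.startswith(ctr.id)
    if unit_state == "active" and tracked:
        return ("healthy", [restart])

    # A container with the unit's name exists but systemd no longer owns it: either
    # the unit is failed/inactive or the id does not match the cidfile. ExecStopPost's
    # `podman rm --ignore -f --cidfile` cannot reach it, so remove it by name first,
    # exactly as the working recovery in the thread did (`-f` only if it is still up).
    rm = f"podman rm -f {name}" if ctr.running else f"podman rm {name}"
    return ("stale-container", [rm, restart])


if __name__ == "__main__":
    # Constructed walk-through of the failed state from the thread.
    condition, plan = diagnose("suricata", "failed", parse_podman_ps(SAMPLE_PS_FAILED), None)
    print(condition)
    for cmd in plan:
        print("  ", cmd)
```

The useful property is that the check never runs anything itself: it produces a plan that a conf_mode script could execute before its existing `systemctl restart`, or that an operator can read as a dry run, so a wrong classification costs nothing more than an unneeded `podman rm` of a container systemd was not tracking anyway.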
c-po triaged this task as Normal priority. Aug 26 2024, 2:34 PM