
Container systemd units require authentication
Closed, Resolved - Public - BUG

Description

When loading a rendered configuration from a file as a candidate config, systemd requires authentication to stop/start the units managing the containers.

This does not happen when you type/paste in the commands that would produce the rendered configuration.

yzguy@test-R1# run add container image cloudflare/gortr
[edit]
yzguy@test-R1# set container name gortr allow-host-networks
[edit]
yzguy@test-R1# set container name gortr arguments '-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082'

[edit]
yzguy@test-R1# set container name gortr image 'cloudflare/gortr'
[edit]
yzguy@test-R1# set container name gortr port http destination '8082'
[edit]
yzguy@test-R1# set container name gortr port http source '8082'
[edit]
yzguy@test-R1# compare
[]
+ container {
+     name gortr {
+         allow-host-networks { }
+         arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
+         image "cloudflare/gortr"
+         port http {
+             destination "8082"
+             source "8082"
+         }
+     }
+ }

[edit]
yzguy@test-R1# commit
[edit]
yzguy@test-R1# run show container
CONTAINER ID  IMAGE                              COMMAND               CREATED         STATUS             PORTS       NAMES
40c7fabd236e  docker.io/cloudflare/gortr:latest  -cache https://dn...  14 seconds ago  Up 14 seconds ago              gortr
[edit]

It seems perhaps related to polkit: https://lateambichon.com/en/authenticating-for-org-freedesktop-systemd1-manage-units-2/ and to its being done as a non-root/sudo operation.

yzguy@test-R1# load /var/tmp/candidate_running.conf
Loading configuration from '/var/tmp/candidate_running.conf'
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:
 1.  salt minion user,,, (minion)
 2.  RADIUS mapped user at privilege level admin,,, (radius_priv_user)
 3.  vyos
 4.  testuser1
 5.  testuser2
Choose identity to authenticate as (1-5): 
^CTraceback (most recent call last):
  File "/usr/libexec/vyos/vyos-load-config.py", line 92, in <module>
    migration.run()
  File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 191, in run
    rev_versions = self.run_migration_scripts(cfg_versions, sys_versions)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 127, in run_migration_scripts
    out = cmd([migrate_script, self._config_file])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 141, in cmd
    decoded, code = popen(
                    ^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 82, in popen
    pipe = p.communicate(input, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 1207, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 2059, in _communicate
    ready = selector.select(timeout)
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/selectors.py", line 415, in select
    fd_event_list = self._selector.poll(timeout)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt

It seems maybe to be related to the container 0-to-1 migration script: https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/container/0-to-1#L38-L47

yzguy@test-R1# /opt/vyatta/etc/config-migrate/migrate/container/0-to-1 /tmp/tmp6uqa5gmw
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:

It seems related to this change: https://vyos.dev/T4870

It seems that perhaps the migration script should detect whether the container has a non-overlay FS and then proceed, and otherwise continue on. Although, if it is a non-overlay FS, it's still not really a great experience to request authentication when doing a load.

Just as a test, if I add sudo in front of the two systemctl commands, it works fine without the prompt:

diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1
index 9fcf295e8..9f4ce3b64 100755
--- a/src/migration-scripts/container/0-to-1
+++ b/src/migration-scripts/container/0-to-1
@@ -39,7 +39,7 @@ config = ConfigTree(config_file)
 if config.exists(base):
     for container in config.list_nodes(base):
         # Stop any given container first
-        call(f'systemctl stop vyos-container-{container}.service')
+        call(f'sudo systemctl stop vyos-container-{container}.service')
         # Export container image for later re-import to new filesystem. We store
         # the backup on a real disk as a tmpfs (like /tmp) could probably lack
         # memory if a host has too many containers stored.
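Review bot: the exit status of the `sudo systemctl stop vyos-container-{container}.service` call is not checked, so when the stop fails (for example because sudo itself cannot run non-interactively) the loop still goes on to export the image while the container is still running against the old store. Check the return code and skip or abort that container on failure, and consider `sudo -n systemctl stop ...` so a missing sudoers entry fails immediately instead of hanging an automated `load` on a password prompt the same way the polkit prompt in the ticket does. Separately, this loop stops every node under `container name` on every run; gating it on whether the container's image still sits on the vfs driver would avoid the stop/start of unaffected containers reported in the comments.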
@@ -69,7 +69,7 @@ if config.exists(base):
         call(f'podman image load --quiet --input {image_path}')

         # Start any given container first
-        call(f'systemctl start vyos-container-{container}.service')
+        call(f'sudo systemctl start vyos-container-{container}.service')

         # Delete temporary container image
         if os.path.exists(image_path):
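Review bot: `podman image load --quiet --input {image_path}` on the line above still runs as the invoking user while `systemctl start` now runs through sudo as root; if the migration runs unprivileged, confirm that the load and the root-owned service resolve to the same podman storage, otherwise the unit is started before the image it needs is visible to it. The start exit status is also not checked, yet the temporary image is deleted right after it; keep the exported image on disk when the start fails so the migration can be retried. Minor: the comment "Start any given container first" is copied from the stop branch and should read "again".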

If you let it sit, it will eventually move through each container and finish. However, with the automation pipeline we have, it errors out because of hitting a timeout, as it's waiting for the prompt to come back after the configuration is loaded.

Sample configuration for containers

container {
    name gortr {
        allow-host-networks { }
        arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
        image "cloudflare/gortr"
        port http {
            destination "8082"
            source "8082"
        }
    }
}
...
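The two changes this report argues for, gating the migration on the container's storage driver and running systemctl with sudo so an unprivileged `load` never lands in a polkit prompt for org.freedesktop.systemd1.manage-units, as an added Python example. It is not part of the ticket or of the VyOS migration script. It assumes that `podman image inspect --format '{{.GraphDriver.Name}}'` reports the driver backing an image, that the invoking user may run `sudo -n systemctl` without a password, and that the switch of the podman store itself (storage.conf) happens elsewhere; only the stop / save / load / start sequence around it is shown, with every exit status checked.

```python
#!/usr/bin/env python3
"""Added example, not VyOS code: migrate a container image off the old vfs
storage driver only when it is actually on vfs, and run systemctl through
sudo so an unprivileged `load` never hits the polkit prompt for
org.freedesktop.systemd1.manage-units.

Assumptions (not stated in the ticket):
  * `podman image inspect --format '{{.GraphDriver.Name}}' IMAGE` prints
    the storage driver backing IMAGE ("vfs" or "overlay").
  * The invoking user may run `sudo -n systemctl ...` without a password.
  * Switching the podman store itself (storage.conf) is done elsewhere;
    only the stop / save / load / start sequence is shown.
"""
import os
import subprocess
from typing import Callable, List, Optional, Tuple

# A runner takes an argv list and returns (exit code, stdout). Real runs use
# run_cmd(); the tests inject a fake so nothing here needs podman or systemd.
Runner = Callable[[List[str]], Tuple[int, str]]


def run_cmd(argv: List[str]) -> Tuple[int, str]:
    """Run argv without a shell and never raise on a non-zero exit."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def privileged(argv: List[str]) -> List[str]:
    """Prefix argv with `sudo -n` unless we already are root.

    -n makes sudo exit non-zero instead of asking for a password, so a
    missing sudoers entry fails fast rather than hanging an automated run.
    """
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        return list(argv)
    return ["sudo", "-n", *argv]


def image_driver(image: str, run: Runner = run_cmd) -> Optional[str]:
    """Return the storage driver backing `image`, or None if inspect fails."""
    code, out = run(["podman", "image", "inspect", "--format",
                     "{{.GraphDriver.Name}}", image])
    if code != 0:
        return None
    return out.strip().lower() or None


def needs_migration(image: str, run: Runner = run_cmd) -> bool:
    """Only images still on the vfs driver need the stop/export/import dance."""
    return image_driver(image, run) == "vfs"


def migration_commands(container: str, image: str,
                       image_path: str) -> List[List[str]]:
    """Ordered commands for one container; the systemctl calls are privileged."""
    unit = f"vyos-container-{container}.service"
    return [
        privileged(["systemctl", "stop", unit]),
        ["podman", "image", "save", "--quiet", "--output", image_path, image],
        ["podman", "image", "load", "--quiet", "--input", image_path],
        privileged(["systemctl", "start", unit]),
    ]


def migrate_container(container: str, image: str, image_path: str,
                      run: Runner = run_cmd) -> str:
    """Migrate one container. Returns 'skipped', 'migrated' or 'failed: ...'.

    Every exit status is checked: a failed stop must not be followed by an
    export, and a failed start must not be followed by deleting the backup.
    """
    if not needs_migration(image, run):
        return "skipped"
    for argv in migration_commands(container, image, image_path):
        code, _ = run(argv)
        if code != 0:
            return f"failed: {' '.join(argv)} (rc={code})"
    # Only now is the exported image safe to remove.
    if os.path.exists(image_path):
        os.remove(image_path)
    return "migrated"


if __name__ == "__main__":
    # Same container as in the ticket; does real work only on a VyOS box.
    print(migrate_container("gortr", "cloudflare/gortr", "/var/tmp/gortr.tar"))
```

With this shape a container already on overlay is reported as "skipped" without its unit ever being touched, which is the behaviour the comment thread asks for, and a run from a non-root shell that lacks the sudoers entry fails on the first command instead of waiting for a prompt that an automation pipeline can never answer.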

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202307161346
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

yzguy updated the task description.

@c-po just added the sudo on a live box to test the changes and I can confirm that fixes it. No auth prompt when doing a load config.
Now I did notice that every time I do a load config, it runs that migration script, which stops/starts the container, which is not ideal.

I suspect that, because the migration is specifically for migrating from vfs to overlay, we just need to add a check for each container image to see if it's VFS and then migrate it, and otherwise don't touch it.

c-po claimed this task.