Page MenuHomeVyOS Platform
Create Task
Maniphest T5909

Container registry with authentication prevents config load (section container) after reboot
Closed, ResolvedPublicBUG
Actions

Description

Let's assume that you have a private Harbor instance with a public project which proxies Dockerhub.
When you have a container configuration like the following everything works fine after a reboot:

vyos@vyos# show container
 name alpine {
     allow-host-networks
     image registry.example.org/dockerhub/library/alpine:latest
     restart always
 }
 registry registry.example.org {
 }

It still works when you add authentication to it:

vyos@vyos# show container
 name alpine {
     allow-host-networks
     image registry.example.org/dockerhub/library/alpine:latest
     restart always
 }
 registry registry.example.org {
	 password "my-password"
	 username "my-username"
 }

But then, after a reboot the configuration is not loaded:

vyos@vyos:~$ configure
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@vyos# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# compare
+ container {
+     name alpine {
+         allow-host-networks
+         image "registry.example.org/dockerhub/library/alpine:latest"
+         restart "always"
+     }
+     registry registry.example.org {
+         authentication {
+             password "my-password"
+             username "my-username"
+         }
+     }
+ }

Details

Difficulty level
Easy (less than an hour)
Version
1.4 rc1
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

adestis created this task.Jan 8 2024, 4:07 PM
Viacheslav added a subscriber: Viacheslav.Jan 8 2024, 4:14 PM

The first thing could be that the container cannot connect to the registry as it happens before static routing (not sure).

vyos@r4# /opt/vyatta/sbin/priority.pl | match "container|static"
450 container
480 protocols/static
481 vrf/name/node.tag/protocols/static
[edit]
vyos@r4#
adestis added a comment.Jan 8 2024, 4:30 PM

I think I found the problem.

The order of what get loaded from the configuration is sub-optimal.
The container part get loaded before the routing part (static, bgp).

I checked the boot log and filtered it for config and router.
(The real registry name I use is replaced with registry.example.org)

vyos@vyos:~$ show log | grep -E "vyos-config|vyos-router"
Jan 08 16:16:50 systemd[1]: Started vyos-configd.service - VyOS configuration daemon.
Jan 08 16:17:01 systemd[1]: Started vyos-router.service - VyOS Router.
Jan 08 16:17:05 vyos-router[1148]: Waiting for NICs to settle down: settled in 0sec..
Jan 08 16:17:12 vyos-router[1148]: Mounting VyOS Config...done.
Jan 08 16:17:17 vyos-configd[769]: Received message: {"type": "init"}
Jan 08 16:17:18 vyos-configd[769]: config session pid is 1592
Jan 08 16:17:18 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/host_name.py"}
Jan 08 16:17:18 vyos-configd[769]: Sending response 1
Jan 08 16:17:18 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/system_console.py"}
Jan 08 16:17:18 vyos-configd[769]: Sending response 1
Jan 08 16:17:18 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/conntrack.py"}
Jan 08 16:17:19 vyos-configd[769]: Sending response 1
Jan 08 16:17:19 vyos-configd[769]: Received message: {"type": "node", "data": "VYOS_TAGNODE_VALUE=lo/usr/libexec/vyos/conf_mode/interfaces-loopback.py"}
Jan 08 16:17:19 vyos-configd[769]: Sending response 1
Jan 08 16:17:19 vyos-configd[769]: Received message: {"type": "node", "data": "VYOS_TAGNODE_VALUE=eth0/usr/libexec/vyos/conf_mode/interfaces-ethernet.py"}
Jan 08 16:17:19 vyos-configd[769]: Sending response 1
Jan 08 16:17:20 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/system-syslog.py"}
Jan 08 16:17:20 vyos-configd[769]: Sending response 1
Jan 08 16:17:21 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/system-login.py"}
Jan 08 16:17:21 vyos-configd[769]: Sending response 8
Jan 08 16:17:23 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/host_name.py"}
Jan 08 16:17:24 vyos-configd[769]: Sending response 1
Jan 08 16:17:24 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/host_name.py"}
Jan 08 16:17:24 vyos-configd[769]: Sending response 1
Jan 08 16:17:24 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/config_mgmt.py"}
Jan 08 16:17:24 vyos-configd[769]: Sending response 8
Jan 08 16:17:25 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/container.py"}
Jan 08 16:17:25 vyos-configd[769]: Error: authenticating creds for "registry.example.org": pinging container
Jan 08 16:17:25 vyos-configd[769]: registry registry.example.org: Get "https://registry.example.org/v2/": dial
Jan 08 16:17:25 vyos-configd[769]: tcp: lookup registry.example.org on 9.9.9.9:53: dial udp 9.9.9.9:53:
Jan 08 16:17:25 vyos-configd[769]: connect: network is unreachable
Jan 08 16:17:25 vyos-configd[769]: Sending response 2
Jan 08 16:17:25 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/protocols_static.py"}
Jan 08 16:17:26 vyos-configd[769]: Sending response 1
Jan 08 16:17:26 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/protocols_bgp.py"}
Jan 08 16:17:27 vyos-configd[769]: Sending response 1
Jan 08 16:17:27 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/ntp.py"}
Jan 08 16:17:28 vyos-configd[769]: Sending response 1
Jan 08 16:17:28 vyos-configd[769]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/ssh.py"}
Jan 08 16:17:29 vyos-configd[769]: Sending response 1
Jan 08 16:17:31 vyos-router[1148]: Starting VyOS router: migrate configure failed!
Jan 08 16:17:31 vyos-config[1154]: Configuration error

So in my opinion either the check must not be made on boot but only on configuration changes.
Or the order must be changed so that container become the last part.

But then there is the problem if your only connectivity is via BGP/OSPF etc.
You need to wait for sessions to establish.

adestis added a comment.Jan 8 2024, 4:47 PM

The same problem (container config does not get loaded) occurs, when DNS is not available for whatever reason.
This must not prevent the current container settings to be online.

pasik added a subscriber: pasik.Jan 8 2024, 5:08 PM
adestis added a comment.Jan 9 2024, 7:48 AM

Viacheslav suggested the following change which worked for me:

sudo nano /opt/vyatta/share/vyatta-cfg/templates/container/node.def

and change priority from 450 to 902

Viacheslav added a comment.Jan 9 2024, 7:52 AM

There could be another bug related T5407
I guess we should not Raise config but use the Warning here https://github.com/vyos/vyos-1x/blob/864524ba86b0a4d57ab64d6e9398c3fd5eb2fce4/src/conf_mode/container.py#L405-L408

adestis added a comment.Jan 9 2024, 7:56 AM

Warning would be much better because it would solve the problem.
When you have the image already loaded and the system was rebooted, the image should still exist and therefore the user/pass is not required (for the moment).

Viacheslav added a project: VyOS 1.5 Circinus.Jan 9 2024, 8:00 AM
Viacheslav changed the task status from Open to In progress.Jan 9 2024, 9:10 AM
Viacheslav claimed this task.

PR https://github.com/vyos/vyos-1x/pull/2775

Viacheslav removed Viacheslav as the assignee of this task.Jan 10 2024, 7:29 AM
Viacheslav triaged this task as High priority.Jan 20 2024, 2:08 PM
syncer changed the task status from In progress to Backport candidate.Feb 2 2024, 1:25 PM
c-po claimed this task.Feb 23 2024, 5:26 PM
c-po changed the task status from Backport candidate to In progress.Feb 23 2024, 8:54 PM
c-po edited projects, added VyOS 1.4 Sagitta (1.4.0); removed VyOS 1.4 Sagitta.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
c-po added a comment.Feb 23 2024, 8:57 PM

https://github.com/vyos/vyos-1x/pull/3044

c-po added a comment.Feb 24 2024, 8:13 AM

PR for VyOS 1.4 https://github.com/vyos/vyos-1x/pull/3045

c-po edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta (1.4.0).Feb 24 2024, 8:15 AM
c-po moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta (1.4.0-epa1) board.
c-po closed this task as Resolved.Feb 24 2024, 9:04 AM
c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta (1.4.0-epa1) board.
adestis added a comment.Feb 27 2024, 12:15 PM

Thank you very much!

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa2); removed VyOS 1.4 Sagitta (1.4.0-epa1).Mar 11 2024, 6:45 PM
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.