Container configurations on VyOS 1.5 prevent containers from starting
Needs reporter action, NormalPublicBUG
Actions

Assigned To

None

Authored By

	sempervictus
	Thu, Apr 11, 9:28 PM

Description

Defining a container in VyOS (seemingly with any set of attributes/images/etc, these are the defaults)

# show container 
 name test {
-    disable
     image hello-world
     network test {
     }
 }
 network test {
     prefix 169.254.3.0/28
 }

produces:

ExecStart=/usr/bin/podman run \
        --conmon-pidfile %t/%n.pid --cidfile %t/%n.cid --cgroups=no-conmon \
        --detach --interactive --tty --replace  --memory 512m --shm-size 64m --memory-swap 0 --restart on-failure --name

in the system service which then cannot start due to

Apr 11 19:50:37 hostname conmon[678861]: conmon fc5ac8e7b18a9113e265 <nwarn>: Failed to get console terminal settings
Apr 11 19:50:37 hostname conmon[678861]: conmon fc5ac8e7b18a9113e265 <nwarn>: runtime stderr: cannot set memory+swap limit less than the memory limit
Apr 11 19:50:37 hostname conmon[678861]: conmon fc5ac8e7b18a9113e265 <error>: Failed to create container: exit status 1
Apr 11 19:50:37 hostname podman[678832]: Error: OCI runtime error: crun: cannot set memory+swap limit less than the memory limit

Getting a container to actually start requires:

Setting the container to disabled in the config
Editing the systemd service definition to remove the --memory-swap piece
Starting the systemd container service from the shell (as enabling in the config will regenerate the weird memory settings)

Suggest simplifying the config generator:

avoid setting default values for memory-related parameters unless the user specifies them explicitly
not rendering those arguments in the systemd service template when they are not set by the user

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Bug (incorrect behavior)

Event Timeline

sempervictus triaged this task as Urgent! priority.Thu, Apr 11, 9:28 PM

sempervictus created this task.

sempervictus created this object in space S1 VyOS Public.

pasik added a subscriber: pasik.Thu, Apr 11, 9:59 PM

Viacheslav changed the subtype of this task from "Task" to "Bug".Fri, Apr 12, 8:37 AM

Did you try another image (not hello-world)?
Tested on VyOS 1.5-rolling-202404140022

alpine

set container network NET01 prefix '10.0.0.0/24'
set container name c1 image docker.io/library/alpine:3.19
set container name c1 network NET01 

vyos@r4# commit
[edit]
vyos@r4# run connect container c1 
/ # 
/ # ping 10.0.0.1  -c 1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=42 time=0.349 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.349/0.349/0.349 ms
/ #

busybox:

set container name c2 image 'docker.io/library/busybox'
set container name c2 network NET01
commit


vyos@r4# run show container 
CONTAINER ID  IMAGE                             COMMAND     CREATED             STATUS             PORTS       NAMES

fdb74e9700e5  docker.io/library/alpine:3.19     /bin/sh     9 minutes ago       Up 9 minutes                   c1
c05806fdb92c  docker.io/library/busybox:latest  sh          About a minute ago  Up About a minute              c2
[edit]
vyos@r4# run connect container c2
/ # 
/ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue qlen 1000
    link/ether 2a:f0:3b:44:1a:28 brd ff:ff:ff:ff:ff:ff
/ #

Check services:

vyos@r4# sudo systemctl status vyos-container-c1.service
● vyos-container-c1.service - VyOS Container c1
     Loaded: loaded (/run/systemd/system/vyos-container-c1.service; static)
     Active: active (running) since Sun 2024-04-14 13:09:23 EEST; 12min ago
   Main PID: 6644 (conmon)
      Tasks: 2 (limit: 18713)
     Memory: 1.6M
        CPU: 182ms
     CGroup: /system.slice/vyos-container-c1.service
             ├─6584 /usr/bin/fuse-overlayfs -o lowerdir=/usr/lib/live/mount/persistence/container/storage/overlay/l/FYXFLSP726ZY6RTZYYUNU4IDEG,upperdir=/usr/lib/live/mount/persistence/container/storage>
             └─6644 /usr/bin/conmon --api-version 1 -c fdb74e9700e5e04edc9386aada2058e2b72c5b185cc784de2b5a6e86a7ed5353 -u fdb74e9700e5e04edc9386aada2058e2b72c5b185cc784de2b5a6e86a7ed5353 -r /usr/bin/c>

Apr 14 13:09:23 r4 systemd[1]: Starting vyos-container-c1.service - VyOS Container c1...
Apr 14 13:09:23 r4 podman[6566]: time="2024-04-14T13:09:23+03:00" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
Apr 14 13:09:23 r4 podman[6566]: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
Apr 14 13:09:23 r4 podman[6566]: 2024-04-14 13:09:23.294912214 +0300 EEST m=+0.052304746 container create fdb74e9700e5e04edc9386aada2058e2b72c5b185cc784de2b5a6e86a7ed5353 (image=docker.io/library/alpin>
Apr 14 13:09:23 r4 podman[6566]: 2024-04-14 13:09:23.271243139 +0300 EEST m=+0.028635671 image pull 05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd docker.io/library/alpine:3.19
Apr 14 13:09:23 r4 podman[6566]: 2024-04-14 13:09:23.428881436 +0300 EEST m=+0.186273958 container init fdb74e9700e5e04edc9386aada2058e2b72c5b185cc784de2b5a6e86a7ed5353 (image=docker.io/library/alpine:>
Apr 14 13:09:23 r4 podman[6566]: 2024-04-14 13:09:23.432443302 +0300 EEST m=+0.189835814 container start fdb74e9700e5e04edc9386aada2058e2b72c5b185cc784de2b5a6e86a7ed5353 (image=docker.io/library/alpine>
Apr 14 13:09:23 r4 podman[6566]: fdb74e9700e5e04edc9386aada2058e2b72c5b185cc784de2b5a6e86a7ed5353
Apr 14 13:09:23 r4 systemd[1]: Started vyos-container-c1.service - VyOS Container c1.
[edit]
vyos@r4# 
[edit]
vyos@r4# 
[edit]
vyos@r4# sudo systemctl status vyos-container-c2.service
● vyos-container-c2.service - VyOS Container c2
     Loaded: loaded (/run/systemd/system/vyos-container-c2.service; static)
     Active: active (running) since Sun 2024-04-14 13:18:08 EEST; 3min 46s ago
    Process: 9165 ExecStartPre=/bin/rm -f /run/vyos-container-c2.service.pid /run/vyos-container-c2.service.cid (code=exited, status=0/SUCCESS)
    Process: 9166 ExecStart=/usr/bin/podman run --conmon-pidfile /run/vyos-container-c2.service.pid --cidfile /run/vyos-container-c2.service.cid --cgroups=no-conmon --detach --interactive --tty --repla>
   Main PID: 9239 (conmon)
      Tasks: 2 (limit: 18713)
     Memory: 1.5M
        CPU: 186ms
     CGroup: /system.slice/vyos-container-c2.service
             ├─9180 /usr/bin/fuse-overlayfs -o lowerdir=/usr/lib/live/mount/persistence/container/storage/overlay/l/36HMXDOWTLN7FRYCFLL3VGTMC6,upperdir=/usr/lib/live/mount/persistence/container/storage>
             └─9239 /usr/bin/conmon --api-version 1 -c c05806fdb92c44b2fc879379f14706938af96f634bab1bf9a24cf7da5f0ab525 -u c05806fdb92c44b2fc879379f14706938af96f634bab1bf9a24cf7da5f0ab525 -r /usr/bin/c>

Apr 14 13:18:08 r4 systemd[1]: Starting vyos-container-c2.service - VyOS Container c2...
Apr 14 13:18:08 r4 podman[9166]: time="2024-04-14T13:18:08+03:00" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
Apr 14 13:18:08 r4 podman[9166]: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
Apr 14 13:18:08 r4 podman[9166]: 2024-04-14 13:18:08.127518196 +0300 EEST m=+0.038924295 container create c05806fdb92c44b2fc879379f14706938af96f634bab1bf9a24cf7da5f0ab525 (image=docker.io/library/busyb>
Apr 14 13:18:08 r4 podman[9166]: 2024-04-14 13:18:08.106864102 +0300 EEST m=+0.018270221 image pull ba5dc23f65d4cc4a4535bce55cf9e63b068eb02946e3422d3587e8ce803b6aab docker.io/library/busybox
Apr 14 13:18:08 r4 podman[9166]: 2024-04-14 13:18:08.256903868 +0300 EEST m=+0.168310027 container init c05806fdb92c44b2fc879379f14706938af96f634bab1bf9a24cf7da5f0ab525 (image=docker.io/library/busybox>
Apr 14 13:18:08 r4 podman[9166]: 2024-04-14 13:18:08.263740214 +0300 EEST m=+0.175146333 container start c05806fdb92c44b2fc879379f14706938af96f634bab1bf9a24cf7da5f0ab525 (image=docker.io/library/busybo>
Apr 14 13:18:08 r4 podman[9166]: c05806fdb92c44b2fc879379f14706938af96f634bab1bf9a24cf7da5f0ab525
Apr 14 13:18:08 r4 systemd[1]: Started vyos-container-c2.service - VyOS Container c2.
[edit]
vyos@r4#

It seems to work fine.

Viacheslav lowered the priority of this task from Urgent! to Normal.Sun, Apr 14, 10:13 AM

@sempervictus Any updates or additional context?

Container configurations on VyOS 1.5 prevent containers from startingNeeds reporter action, NormalPublicBUGActions

Description

Details

Event Timeline

Container configurations on VyOS 1.5 prevent containers from starting
Needs reporter action, NormalPublicBUG
Actions