When loading a rendered configuration from a file as a candidate config, systemd requires authentication to stop/start the units that manage the containers.
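This does not happen when you type or paste in the commands that would produce the same rendered configuration. It appears to be related to polkit (https://lateambichon.com/en/authenticating-for-org-freedesktop-systemd1-manage-units-2/): the prompts in the output below name the polkit action `org.freedesktop.systemd1.manage-units`, which suggests the unit stop/start is being performed as a non-root (non-sudo) operation when the configuration is loaded from a file.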
```
yzguy@test-R1# load /var/tmp/candidate_running.conf
Loading configuration from '/var/tmp/candidate_running.conf'
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-blackbox_exporter.service'.
Multiple identities can be used for authentication:
1. salt minion user,,, (minion)
2. RADIUS mapped user at privilege level admin,,, (radius_priv_user)
3. vyos
4. testuser1
5. testuser2
Choose identity to authenticate as (1-5): ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-frr_exporter.service'.
Multiple identities can be used for authentication:
1. salt minion user,,, (minion)
2. RADIUS mapped user at privilege level admin,,, (radius_priv_user)
3. vyos
4. testuser1
5. testuser2
```
If you let it sit, it eventually moves through each container and finishes. Our automation pipeline, however, errors out: it hits a timeout while waiting for the prompt to come back after the configuration is loaded.
Sample configuration for the containers:
```
container {
name blackbox_exporter {
allow-host-networks { }
cap-add "net-admin"
cap-add "net-raw"
command "--config.file=/config.yml"
image "quay.io/prometheus/blackbox-exporter:v0.24.0"
port http {
destination "9115"
source "9115"
}
restart "on-failure"
volume config {
destination "/config.yml"
source "/config/containers/blackbox_exporter/config.yml"
}
}
name frr_exporter {
allow-host-networks { }
command "--no-collector.bfd --no-collector.ospf --collector.bgp --collector.bgp6"
image "tynany/frr_exporter:v1.2.0"
port http {
destination "9342"
source "9342"
}
restart "on-failure"
volume sockets {
destination "/var/run/frr"
source "/var/run/frr"
}
}
name grafana_agent {
allow-host-networks { }
cap-add "sys-time"
command "--config.file=/etc/agent-config/agent.yaml"
image "grafana/agent:v0.34.3"
restart "on-failure"
volume agent {
destination "/etc/agent"
source "/config/containers/grafana_agent/agent"
}
volume blackbox_exporter_targets {
destination "/etc/agent-config/blackbox_exporter_targets.yaml"
source "/config/containers/grafana_agent/blackbox_exporter_targets.yaml"
}
volume config {
destination "/etc/agent-config/agent.yaml"
source "/config/containers/grafana_agent/agent.yaml"
}
volume proc {
destination "/host/proc"
mode "ro"
propagation "rslave"
source "/proc"
}
volume root {
destination "/host/root"
mode "ro"
propagation "rslave"
source "/"
}
volume sys {
destination "/host/sys"
mode "ro"
propagation "rslave"
source "/sys"
}
}
}
```