When loading a rendered configuration from a file as a candidate config systemd requires authentication to stop/start the units managing the containers.
This does not happen when you type/paste in the commands that would produce the rendered configuration.
```
yzguy@test-R1# run add container image cloudflare/gortr
[edit]
yzguy@test-R1# set container name gortr allow-host-networks
[edit]
yzguy@test-R1# set container name gortr arguments '-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082'
[edit]
yzguy@test-R1# set container name gortr image 'cloudflare/gortr'
[edit]
yzguy@test-R1# set container name gortr port http destination '8082'
[edit]
yzguy@test-R1# set container name gortr port http source '8082'
[edit]
yzguy@test-R1# compare
[]
+ container {
+ name gortr {
+ allow-host-networks { }
+ arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
+ image "cloudflare/gortr"
+ port http {
+ destination "8082"
+ source "8082"
+ }
+ }
+ }
[edit]
yzguy@test-R1# commit
[edit]
yzguy@test-R1# run show container
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
40c7fabd236e docker.io/cloudflare/gortr:latest -cache https://dn... 14 seconds ago Up 14 seconds ago gortr
[edit]
```
It seems perhaps related to polkit: https://lateambichon.com/en/authenticating-for-org-freedesktop-systemd1-manage-units-2/ and it being done as a non-root/sudo operation.
```
yzguy@test-R1# load /var/tmp/candidate_running.conf
Loading configuration from '/var/tmp/candidate_running.conf'
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:
1. salt minion user,,, (minion)
2. RADIUS mapped user at privilege level admin,,, (radius_priv_user)
3. vyos
4. testuser1
5. testuser2
Choose identity to authenticate as (1-5):
^CTraceback (most recent call last):
File "/usr/libexec/vyos/vyos-load-config.py", line 92, in <module>
migration.run()
File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 191, in run
rev_versions = self.run_migration_scripts(cfg_versions, sys_versions)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/migrator.py", line 127, in run_migration_scripts
out = cmd([migrate_script, self._config_file])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 141, in cmd
decoded, code = popen(
^^^^^^
File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 82, in popen
pipe = p.communicate(input, timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/subprocess.py", line 1207, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/subprocess.py", line 2059, in _communicate
ready = selector.select(timeout)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/selectors.py", line 415, in select
fd_event_list = self._selector.poll(timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt
```
Seems maybe to be related to the container 0-to-1 migration script: https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/container/0-to-1#L38-L47
```
yzguy@test-R1# /opt/vyatta/etc/config-migrate/migrate/container/0-to-1 /tmp/tmp6uqa5gmw
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'vyos-container-gortr.service'.
Multiple identities can be used for authentication:
```
Seems related to this change: https://vyos.dev/T4870
Seems perhaps in the migration script it should detect if the container has a non-overlay FS and then proceed, otherwise continue on.
If you let it sit it will eventually move through each container and finish. However with the automation pipeline we have, it errors out because of hitting a timeout as it's waiting for the prompt to come back after the configuration is loaded.
Sample configuration for containers
```
container {
name gortr {
allow-host-networks { }
arguments "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082"
image "cloudflare/gortr"
port http {
destination "8082"
source "8082"
}
}
}
...
```