What does a permissions error mean when adding containers?

When I commit the changes in order to create a container with a static address, it flips out and returns one of those super obvious Python errors — it’s way too easy for me. I mean… yawn and “stuff”. :lying_face: I did the communal thing to do instead, came here to fovve others didn’t even try to solve it, to give somebody else the chance :roll_eyes: :

username@routelogic# commit
[ container ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/container.py", line 671, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 189, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: None systemctl restart vyos-container-dns.service
returned:
exit code: 1

[[container]] failed
Commit failed
[edit]
username@routelogic#

The container itself has no special config:

username@routelogic# show container name dns
-allow-host-networks
 description "technitium dns server"
 image technitium/dns-server
+network dns {
+    address 10.53.53.53
+    mac 02:b3:38:c9:54:78
+}
 restart always
 volume /etc/dns {
     destination /etc/dns
     source /config/sharedvirtualbase/etc/dns
 }
 volume /etc/letsencrypt {
     destination /etc/letsencrypt
     source /config/sharedvirtualbase/etc/letsencrypt
 }
[edit]
username@routelogic#

Does anybody know what that means?

I thought it might be the uid, but:

[edit]
username@routelogic# del container name dns uid
[edit]
username@routelogic# commit
[ container ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/container.py", line 671, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 189, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: None systemctl restart vyos-container-dns.service
returned:
exit code: 1

[[container]] failed
Commit failed
[edit]

No luck. So I stepped it up:

username@routelogic# set container name dns privileged

[edit]
username@routelogic# commit
[ container ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/container.py", line 671, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 189, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: None systemctl restart vyos-container-dns.service
returned:
exit code: 1

[[container]] failed
Commit failed

AFAIU privileged is more or less running the container as root, correct? With that (privileged), shouldn’t it exit in 0 instead of showing the Python riddle of the day?[1]

In other words: work. I think. Not that it matters.

The changes I made to the filesystem are all under /config/sharedvirtualbase, nowhere near the paths mentioned.

However, if I unset the custom network it works; it won’t start because I have two more containers with conflicting ports on the host, but at least VyOS lets me:

username@routelogic# del container name dns privileged
[edit]
username@routelogic# del container name dns network
[edit]
username@routelogic# set container name dns allow-host-networks
[edit]
username@routelogic# commit
[edit]
username@routelogic#

This is all I have on that config, BTW:

username@routelogic# show container network dns
 prefix 10.53.53.0/24
 prefix ::ffff:a35:3500/120
[edit]
username@routelogic#

This is VyOS ver 2025.11.14; I just updated it from ver 2025.07.13, in which this wouldn’t work either.

I also noticed that there are no veth interfaces; I assume it’s because the container isn’t created using container networks. I mention it in case it’s relevant.

To save everybody time I reviewed the docs one more time, and I checked that the issue was reproducible… re-reproducible? IDK. potato=vodka, but it is producible again, easy to replicate on purpose. I don’t speak English[2].

I also verified that the new container actually starts with host networking. It does once I shut down the conflicting protocol+port containers.

Could you tell me where I’m screwing up, please?
Thanks.

I’ll be throwing pasta at the wall in the meantime; hopefully I’ll find something on my own. I’ll make sure to share & close this if I do.


  1. — perhaps write on some verbose log something like: Permissions?! {pompous laugh} You must be poor. — but mainly exit in 0

  2. (hashtag free pass)

What’s the output of sudo cat /run/systemd/system/vyos-container-dns.service?

I did a quick test to reproduce your error, and it’s this that is causing the issue:

prefix ::ffff:a35:3500/120

The config script generates this:

sudo cat /etc/containers/networks/dns.json 
{
  "name": "dns",
  "id": "dd75a9d6fb309c4399fe425cd5f90ff95eba135d6924fb91766ee5d3726b168a",
  "driver": "bridge",
  "network_interface": "pod-dns",
  "subnets": [
    {
      "subnet": "10.53.53.0/24",
      "gateway": "10.53.53.1"
    },
    {
      "subnet": "::ffff:a35:3500/120",
      "gateway": "::ffff:a35:3501"
    }
  ],
  "ipv6_enabled": true,
  "internal": false,
  "dns_enabled": true,
  "ipam_options": {
    "driver": "host-local"
  },
  "options": {
    "mtu": "1500"
  }
}

But it creates this within podman:

sudo podman network inspect dns
[
     {
          "name": "dns",
          "id": "dd75a9d6fb309c4399fe425cd5f90ff95eba135d6924fb91766ee5d3726b168a",
          "driver": "bridge",
          "network_interface": "pod-dns",
          "created": "0001-01-01T00:00:00Z",
          "subnets": [
               {
                    "subnet": "10.53.53.0/24",
                    "gateway": "10.53.53.1"
               },
               {
                    "subnet": "10.53.53.0/24",
                    "gateway": "10.53.53.1"
               }
          ],
          "ipv6_enabled": true,
          "internal": false,
          "dns_enabled": true,
          "options": {
               "mtu": "1500"
          },
          "ipam_options": {
               "driver": "host-local"
          }
     }
]
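The two listings above show the root cause in the data: the config script writes the subnet ::ffff:a35:3500/120 to dns.json, but podman’s inspect output shows that same entry as a second copy of 10.53.53.0/24. That is what an IPv4-mapped IPv6 prefix decodes to (a35:3500 is hex for 10.53.53.0, and /120 minus the 96-bit ::ffff:0:0/96 prefix is /24); Go’s net package, which podman is built on, treats ::ffff:a.b.c.d as the IPv4 address a.b.c.d, so the network ends up with a duplicate subnet. The following is an added example, not code from VyOS or podman: a small Python lint that reads a podman network definition of the shape shown on this page, folds IPv4-mapped prefixes the way podman effectively does, and reports prefixes that collapse onto an existing subnet. The embedded JSON is a constructed sample modelled on the dns.json listing; the function names are my own.

```python
from __future__ import annotations

import ipaddress
import json

# Constructed sample with the same subnets as the dns.json shown in the thread
# (other keys such as "id" and "options" are omitted because they are not
# relevant to the check).
SAMPLE_NETWORK_JSON = json.dumps({
    "name": "dns",
    "driver": "bridge",
    "subnets": [
        {"subnet": "10.53.53.0/24", "gateway": "10.53.53.1"},
        {"subnet": "::ffff:a35:3500/120", "gateway": "::ffff:a35:3501"},
    ],
})


def collapse_ipv4_mapped(subnet: str):
    """Return the subnet as podman effectively interprets it.

    An IPv4-mapped IPv6 prefix (::ffff:a.b.c.d/N with N >= 96) is folded back
    to the embedded IPv4 prefix a.b.c.d/(N-96). Any other prefix, IPv4 or
    native IPv6, is returned unchanged.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    if isinstance(net, ipaddress.IPv6Network):
        # ipv4_mapped is None unless the address lies in ::ffff:0:0/96
        mapped = net.network_address.ipv4_mapped
        if mapped is not None and net.prefixlen >= 96:
            return ipaddress.ip_network(f"{mapped}/{net.prefixlen - 96}", strict=False)
    return net


def check_network(config_json: str) -> list[str]:
    """Lint the "subnets" list of a podman network definition.

    Returns one finding per problem: a prefix that silently changes address
    family when folded, and a prefix that duplicates an earlier subnet once
    folded. An empty list means the definition is clean.
    """
    cfg = json.loads(config_json)
    findings: list[str] = []
    seen: dict = {}  # effective network -> subnet string as written
    for entry in cfg.get("subnets", []):
        raw = entry["subnet"]
        as_written = ipaddress.ip_network(raw, strict=False)
        effective = collapse_ipv4_mapped(raw)
        if effective != as_written:
            findings.append(
                f"{raw} is an IPv4-mapped IPv6 prefix; it collapses to {effective}"
            )
        if effective in seen:
            findings.append(
                f"{raw} duplicates subnet {seen[effective]} (both become {effective})"
            )
        else:
            seen[effective] = raw
    return findings


def sanitized_subnets(config_json: str) -> list[str]:
    """Return the subnet strings with every IPv4-mapped IPv6 prefix dropped.

    This mirrors the fix used in the thread (deleting the ::ffff prefix);
    a native IPv6 prefix, e.g. from a GUA block, would be kept as-is.
    """
    cfg = json.loads(config_json)
    kept = []
    for entry in cfg.get("subnets", []):
        raw = entry["subnet"]
        if collapse_ipv4_mapped(raw) == ipaddress.ip_network(raw, strict=False):
            kept.append(raw)
    return kept


if __name__ == "__main__":
    for line in check_network(SAMPLE_NETWORK_JSON):
        print("finding:", line)
    print("subnets to keep:", sanitized_subnets(SAMPLE_NETWORK_JSON))
```

Run against the real file with `python3 lint_network.py < /etc/containers/networks/dns.json` after swapping `SAMPLE_NETWORK_JSON` for `sys.stdin.read()`; on the definition from this thread it reports that ::ffff:a35:3500/120 collapses to 10.53.53.0/24 and duplicates the first subnet, which is exactly the state the `podman network inspect` output exposes.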

Thanks for answering and sorry for the wait[1]

TL;DR: I should’ve taken addresses from a static GUA block I have, but I wanted to learn a little something new and these embedded IPv4 addresses are super interesting to me. It’s for the best; IPv6 traffic stopped working a few days ago anyway.

: @ ≈20:00

sudo cat /run/systemd/system/vyos-container-dns.service outputs:

username@routelogic# sudo cat /run/systemd/system/vyos-container-dns.service
### Autogenerated by container.py ###
[Unit]
Description=VyOS Container dns

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.cid
ExecStart=/usr/bin/podman run \
        --conmon-pidfile %t/%n.pid --cidfile %t/%n.cid --cgroups=no-conmon \
        --detach --interactive --tty --replace   --cpus 0  --memory 512m --shm-size 64m --memory-swap 0 --restart always --log-driver=journald --name dns      --volume /config/sharedvirtualbase/etc/dns:/etc/dns:rw,rprivate --volume /config/sharedvirtualbase/etc/letsencrypt:/etc/letsencrypt:rw,rprivate       --no-healthcheck --net host  technitium/dns-server
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid
ExecStopPost=/bin/rm -f %t/%n.cid
PIDFile=%t/%n.pid
KillMode=control-group
Type=forking
[edit]

I had left it with host networking so hoping if

However, I did what I thought you implied: # del container network dns prefix ::ffff:a35:3500/120, followed by # run show container, which showed it had been running for six days.

I had forgotten to switch back the networks from host to its own, I did, committed, obliterated my own knuckles waiting anxiously for it and… it exited in zero!

It worked!— It :face_with_symbols_on_mouth: worked!

username@routelogic# run show container
CONTAINER ID  IMAGE                                      COMMAND               CREATED         STATUS         PORTS       NAMES
e95d43d82f90  xxx                                        xxx                   6 days ago      Up 6 days                  xxx
0b8583243dd7  xxx                                        xxx                   6 days ago      Up 6 days                  xxx
37b17ee2b3c1  docker.io/technitium/dns-server:latest     /etc/dns              49 seconds ago  Up 48 seconds              dns

(Worked is a bit of a stretch, but it did exit in 0, that’s huge compared to before)

# run show interfaces now shows a veth0 interface too, it lacks an address, but I’m investigating as I go.

sudo cat /run/systemd/system/vyos-container-dns.service now shows:

### Autogenerated by container.py ###
[Unit]
Description=VyOS Container dns

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.cid
ExecStart=/usr/bin/podman run \
        --conmon-pidfile %t/%n.pid --cidfile %t/%n.cid --cgroups=no-conmon \
        --detach --interactive --tty --replace   --cpus 0  --memory 512m --shm-size 64m --memory-swap 0 --restart always --log-driver=journald --name dns      --volume /config/sharedvirtualbase/etc/dns:/etc/dns:rw,rprivate --volume /config/sharedvirtualbase/etc/letsencrypt:/etc/letsencrypt:rw,rprivate       --no-healthcheck --net dns  --ip 10.53.53.53 --mac-address 02:f6:91:f9:b1:f8  technitium/dns-server
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid
ExecStopPost=/bin/rm -f %t/%n.cid
PIDFile=%t/%n.pid
KillMode=control-group
Type=forking
[edit]

(basically the same minus the network, I think)

: @ ≈21:00

I had forgotten to specify the IP address with the network change. The commit went through again but I didn’t know minor changes don’t seem to restart containers. Finally I saw a 9min uptime immediately after a commit, manually restarted the container[2] and it started echoing back! I can’t thank you enough, in addition to this you helped me solve another issue I had been struggling with regarding addressing.


I even think I’m ready to try bareback again.

Anyway, thank you again! :raising_hands:t3: May the best orals[3] come your way. :person_bowing:t2:

Thanks!

  1. (I had not checked my email in forever and then I forgot this in draft twice! :sweat_smile:)

  2. (Technitium) is an awesome standard-aligned GUI-first DNS everything. It’s Pi-hole + BIND9 + Knot X + PowerDNS X, AD-integrated MS DNS (catalogs, clustering) but still scriptable/dev-friendly all in one. I found it on a Wikipedia reference, I think. Check it out if you haven’t already.

  3. or alternative thanks offering deemed acceptable — Moderators: I mean orals as “oral discourse” of course, I would never suggest otherwise, unless it’s not a reason for banning

That was baremetal, silly autocorrect. :roll_eyes: