Can't run in Docker on Ubuntu Bullseye?

I am getting this error when running in Docker on Ubuntu:

2022/02/15 02:03:19 Linux kernel version: 5.10.0-11-amd64
2022/02/15 02:03:19 'modprobe tun' successful
2022/02/15 02:03:19 /dev/net/tun: Dcrw-rw-rw-
2022/02/15 02:03:19 wgengine.NewUserspaceEngine(tun "tailscale0") error: tstun.New("tailscale0"): operation not permitted

my compose looks like this:

version: '3'
services:
  tailscale:   # service name was not in the pasted file; assumed
    image: tailscale/tailscale
    restart: always
    privileged: true
    command:       # key restored; the pasted file only showed the list item
      - tailscaled
    environment:
      - ROUTES=
      - AUTHKEY=redacted
    volumes:
      - /var/lib:/var/lib
      - /lib/modules:/lib/modules
      - /dev/net/tun:/dev/net/tun
    networks:
      - host

networks:
  host:
    external: true

I see others have had this issue, but I can't find anything that notes a resolution.

I even tried a macvlan to see if that would help; nope, it didn't.
(And just FYI, privileged: true is a superset of cap_add; no additional cap_add entries are needed, and they have been tried.)

The only other case I can find where tstun.New returned EPERM was in an environment where the host did not have netns (Network Namespaces) enabled, which means containers couldn’t make their own network interfaces nor routing tables.
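A container-side preflight script, added here as an example (it is not from this thread or from Tailscale), that checks the three things the EPERM diagnosis above turns on: network-namespace support, the /dev/net/tun device, and CAP_NET_ADMIN in the container's effective capability set. The function and output names are my own.

```shell
#!/bin/sh
# Preflight checks for running tailscaled in a container. Each check prints
# one "name: ok|missing" line and returns 0 (ok) or 1 (missing).

check_netns() {
  # When the kernel is built with CONFIG_NET_NS, every process has a net
  # namespace link here; without it, containers cannot create interfaces.
  if [ -e /proc/self/ns/net ]; then echo "netns: ok"; return 0; fi
  echo "netns: missing"; return 1
}

check_tun_device() {
  # tstun.New opens /dev/net/tun, which must be a character device inside
  # the container (bind-mounted or passed via devices:).
  if [ -c /dev/net/tun ]; then echo "tun-device: ok"; return 0; fi
  echo "tun-device: missing"; return 1
}

# Returns 0 when capability number $1 is set in this process's effective set.
has_cap() {
  capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
  [ -n "$capeff" ] || return 1
  # CapEff is a hex bitmask; shift the requested bit down and test it.
  [ $(( (0x$capeff >> $1) & 1 )) -eq 1 ]
}

check_net_admin() {
  # Creating a tun interface needs CAP_NET_ADMIN, capability number 12.
  if has_cap 12; then echo "cap_net_admin: ok"; return 0; fi
  echo "cap_net_admin: missing"; return 1
}

# Runs all checks, prints a three-line report, returns 1 if any check failed.
tailscale_preflight() {
  rc=0
  check_netns || rc=1
  check_tun_device || rc=1
  check_net_admin || rc=1
  return $rc
}
```

Run it inside the container (for example via `docker run ... tailscale/tailscale /bin/sh`) before starting tailscaled; a "missing" line points at the layer (kernel, device mount, capabilities) that needs fixing.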

Thanks. The only things I can think of that are non-standard on the host compared to standalone Docker:

  1. these are swarm nodes
  2. the hosts are using network manager to manage connections

could either of these cause that?

I tried a couple of things:

sudo docker run -it --rm -v /dev/net/tun:/dev/net/tun -v /var/lib:/var/lib -v /lib/modules:/lib/modules -e ROUTES= -e AUTHKEY=redacted --privileged=true tailscale/tailscale /bin/sh
then I ran tailscaled with no issues (in that there were no errors), but it didn't register with the Tailscale cloud

sudo docker run -it --rm --network host -v /dev/net/tun:/dev/net/tun -v /var/lib:/var/lib -v /lib/modules:/lib/modules -e ROUTES= -e AUTHKEY=redacted --privileged=true tailscale/tailscale /bin/sh
then I ran tailscaled and it errored in the same way as my stack compose did:

device or resource busy

I then removed network manager on one of the swarm nodes, rebooted and repeated the second version above.

I now get much further but never see the node register:

Switching ipn state NoState -> NeedsLogin (WantRunning=false, nm=false)
control: authRoutine: state:new; goal=nil paused=false
control: mapRoutine: state:new
health("overall"): error: state=NeedsLogin, wantRunning=false
wgengine: Reconfig: configuring userspace wireguard config (with 0/0 peers)
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}
dns: Resolvercfg: {Routes:{} Hosts:0 LocalDomains:[]}
dns: OScfg: {Nameservers:[] SearchDomains:[] MatchDomains:[]}
logtail: dialed "" in 71ms
control: HostInfo: {"IPNVersion":"1.20.4-t8e32002cf","BackendLogID":"ae2e3602b675c31f3bf8a32f9a31584bcb20313bac2af81d19894Arch":"amd64","Services":[{"Proto":"peerapi-dns-proxy","Port":1}]}
control: mapRoutine: new map needed while idle.
control: mapRoutine: state:new

I can't get this far when running from swarm / stack and placing on the same node.

For the last one, where the last two lines it prints are:

control: mapRoutine: new map needed while idle.
control: mapRoutine: state:new

It is waiting to be told what to do, for example using tailscale up.


Thanks, my bad, yes realized that after I decoded the instructions.

Tl;dr: I got it running in a single container by switching from network manager back to the classic Linux networking stack. This still wasn't enough to get it running in a swarm. As such I plan to move to a VM, because of this plus giving the container privileged rights in my swarm isn't a security risk I am willing to take.