I see others have had this issue; I can’t find anything that notes a resolution.
I even tried a macvlan to see if that would help; nope, it didn’t.
(And just FYI, privileged:true is a superset of CAP_ADD; no additional CAP_ADD entries are needed, and they have been tried.)
The only other case I can find where tstun.New returned EPERM was in an environment where the host did not have netns (Network Namespaces) enabled, which means containers couldn’t make their own network interfaces nor routing tables.
sudo docker run -it --rm -v /dev/net/tun:/dev/net/tun -v /var/lib:/var/lib -v /lib/modules:/lib/modules -e ROUTES=192.168.1.0/24 -e AUTHKEY=redacted --privileged=true tailscale/tailscale /bin/sh
Then I ran tailscaled with no issues (in that there were no errors), but it didn’t register with the Tailscale cloud.
sudo docker run -it --rm --network host -v /dev/net/tun:/dev/net/tun -v /var/lib:/var/lib -v /lib/modules:/lib/modules -e ROUTES=192.168.1.0/24 -e AUTHKEY=redacted --privileged=true tailscale/tailscale /bin/sh
Then I ran tailscaled and it errored in the same way as my stack compose did.
AKA: device or resource busy
I then removed NetworkManager on one of the swarm nodes, rebooted, and repeated the second version above.
I now get much further but never see the node register…
Thanks, my bad; yes, I realized that after I decoded the instructions.
TL;DR: I got it running in a single container by switching from NetworkManager back to the classic Linux networking stack. This still wasn’t enough to get it running in a swarm. As such, I plan to move to a VM because of this, plus giving the container privileged rights in my swarm isn’t a security risk I am willing to take.
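The thread turns on three prerequisites that are easy to get wrong when tailscaled runs in a container: the /dev/net/tun character device being present, the tun kernel module being available, and the kernel (and the container's capabilities) allowing network namespaces, which the reply above identifies as the other known cause of tstun.New returning EPERM. The preflight script below is an added example written for this thread, not code from the original posts or from Tailscale; the function names, the default paths it inspects, and the use of `unshare -n` as the netns probe are my own choices. Run it inside the container before starting tailscaled so that a missing device, module or namespace support shows up as a named failure rather than as an opaque "device or resource busy" or EPERM later.

```shell
#!/bin/sh
# Added preflight check for running tailscaled in a container (example code,
# not from the thread or from Tailscale). Every path below is a default that
# can be overridden by the first argument, which also keeps the checks testable.

# Is the given path a character device? Defaults to /dev/net/tun, which must be
# passed into the container (e.g. via -v or --device) for tstun.New to open it.
tun_device_ok() {
    [ -c "${1:-/dev/net/tun}" ]
}

# Is the tun driver loaded or built in? /sys/module/tun exists in either case;
# if the driver is a module, the host must have loaded it (modprobe tun).
tun_module_ok() {
    [ -d "${1:-/sys/module/tun}" ]
}

# Can this process create a network namespace? Fails when the kernel was built
# without netns support or the container lacks the capability to unshare.
netns_ok() {
    unshare -n true 2>/dev/null
}

# Run every check, print one line per result, and return non-zero if any failed.
preflight() {
    rc=0
    for check in tun_device_ok tun_module_ok netns_ok; do
        if "$check"; then
            echo "ok    $check"
        else
            echo "FAIL  $check"
            rc=1
        fi
    done
    return $rc
}

# Only run the summary when invoked as `sh preflight.sh --check`, so the file
# can also be sourced to reuse the individual checks.
[ "${1-}" = "--check" ] && preflight
```

The checks are deliberately independent: a FAIL on tun_device_ok points at how the device was mapped into the container, a FAIL on tun_module_ok points at the host kernel, and a FAIL on netns_ok points at the kernel or the container's capability set, which is the distinction the thread needed in order to separate the NetworkManager conflict from a missing-privilege problem.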