Cant run in docker on Ubuntu Bullseye?

1

I am getting this error when running in docker on ubuntu

2022/02/15 02:03:19 Linux kernel version: 5.10.0-11-amd64
2022/02/15 02:03:19 'modprobe tun' successful
2022/02/15 02:03:19 /dev/net/tun: Dcrw-rw-rw-
2022/02/15 02:03:19 wgengine.NewUserspaceEngine(tun "tailscale0") error: tstun.New("tailscale0"): operation not permitted

my compose looks like this:

version: '3'
services:
  tailscale:
    image: tailscale/tailscale
    restart: always
    privileged: true
    command:
      - tailscaled
    environment:
      - ROUTES=192.168.1.0/24
      - AUTHKEY=redacted
    volumes: 
      - /var/lib:/var/lib
      - /lib/modules:/lib/modules
      - /dev/net/tun:/dev/net/tun    
    networks:
      - host

networks:
  host:
    external: true

I see others have had this issue, i can’t find anything that notes a resolution

i even tried a macvlan to see if that would help, nope it didn’t
(and just FYI privileged:true is a superset of CAP_ADD, no additional CAP_ADD are needed and they have been tried)

2

The only other case I can find where tstun.New returned EPERM was in an environment where the host did not have netns (Network Namespaces) enabled, which means containers couldn’t make their own network interfaces nor routing tables.

3

Thanks, Only things i can think are non standard on the host compared to standalone docker:

  1. these are swarm node
  2. the hosts are using network manager to manage connections

could either of these cause that?

4

I tried a couple of things:

sudo docker run -it --rm -v /dev/net/tun:/dev/net/tun -v /var/lib:/var/lib -v /lib/modules:/lib/modules -e ROUTES=192.168.1.0/24 -e AUTHKEY=redacted --privileged=true tailscale/tailscale /bin/sh
then i ran tailscaled with no issues (in that the were no errors) but it didnt register with tailscale cloud

sudo docker run -it --rm --network host -v /dev/net/tun:/dev/net/tun -v /var/lib:/var/lib -v /lib/modules:/lib/modules -e ROUTES=192.168.1.0/24 -e AUTHKEY=redacted --privileged=true tailscale/tailscale /bin/sh
then i ran tailescaled and it errored in the same way as my stack compose did.

aka:
device or resource busy

i then removed network manager on one of the swarm nodes, rebooted and repeated the second version above

i now get much further but never see the node register…

Switching ipn state NoState -> NeedsLogin (WantRunning=false, nm=false)
control: authRoutine: state:new; goal=nil paused=false
control: mapRoutine: state:new
blockEngineUpdates(true)
health("overall"): error: state=NeedsLogin, wantRunning=false
wgengine: Reconfig: configuring userspace wireguard config (with 0/0 peers)
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}
dns: Resolvercfg: {Routes:{} Hosts:0 LocalDomains:[]}
dns: OScfg: {Nameservers:[] SearchDomains:[] MatchDomains:[]}
logtail: dialed "log.tailscale.io:443" in 71ms
control: HostInfo: {"IPNVersion":"1.20.4-t8e32002cf","BackendLogID":"ae2e3602b675c31f3bf8a32f9a31584bcb20313bac2af81d19894Arch":"amd64","Services":[{"Proto":"peerapi-dns-proxy","Port":1}]}
control: mapRoutine: new map needed while idle.
control: mapRoutine: state:new

I cant get this far when running from swarm / stack and placing on the same node.

5

For the last one where the last two lines it prints are:

control: mapRoutine: new map needed while idle.
control: mapRoutine: state:new

It is waiting to be told what to do, for example using tailscale up

1 Like
6

Thanks, my bad, yes realized that after I decoded the instructions.

Tl;dr I got it running in a single container by switching from network manger back to classic linux networking stack. This still wasn’t enough to get it running in a swarm. As such I plan to move to a VM because of this plus giving the container privileged rights in my swarm isn’t a security risk I am willing to take.