Problem running Tailscale in AWS Lambda container

I’m trying to build an AWS Lambda container (based on a couple of my existing Python functions) to use Tailscale, so I can stop exposing my home automation server directly to the Internet. I’m following the instructions here:

Tailscale on AWS Lambda · Tailscale

Only using the more specific public.ecr.aws/lambda/python:3.9 base image. The resulting container builds fine, but when running it to test tailscaled fails to start with the following error:

safesocket.Listen: listen unix /var/run/tailscale/tailscaled.sock: socket: permission denied

unless I run the container with --privileged, which obviously won’t work on Lambda. I was under the impression that this wouldn’t be needed when tailscale was using user-mode networking?

Any thoughts on how can I get this working?

Are you in fact using userspace networking? It sounds like you’re not, and you’d need to pass the --tun=userspace-networking flag to tailscaled.

Unfortunately yes. My bootstrap script is:

#!/bin/sh

mkdir -p /tmp/tailscale
/var/runtime/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
/var/runtime/tailscale up --authkey=${TAILSCALE_AUTHKEY} --hostname=aws-lambda-app --accept-routes
echo Tailscale started
export ALL_PROXY=socks5://localhost:1055/
sleep 1h

Which as you can see has that flag in it. (Leaving it off generates the tun interface error, as expected.) This seems to be referencing an error finding the tailscaled runtime socket, which it seems to lack permission to create, despite being root inside the container.

I learned recently how to use Tailscale on Lambda. It was not intuitive to me that I had to use the local SOCKS5 proxy vs accessing my tailnet directly. Here is a Lambda Extension packaged in a container format that made this easier for me along with some guides on how I used it.