Running into errors with iptables and peerAPI listen

I’m running a Debian Dockerfile on Flyio and getting two errors that have been tough to solve.

  1. peerapi: failed to do peerAPI listen, harmless (netstack available) but error was: listen tcp6 [fd7a:115c:a1e0:efe3::644e:5bc7]:0: bind: cannot assign requested address

I know Flyio supports IPv6, and Debian does as well, so I’m not sure what’s going on here or even really how to debug this.

  2. health("router"): error: setting up filter/ts-input: running [/usr/sbin/iptables -t filter -N ts-input --wait]: exit status 4: iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

I’ve tried nftables and some other variations but could not get this to work (I think iptables actually does use nftables under the hood now though).

The Dockerfile looks like this:

FROM bitnami/minideb:bullseye as tailscale

ENV TSFILE=tailscale_1.36.2_amd64.tgz


RUN install_packages wget ca-certificates

RUN wget${TSFILE} && \
  tar xzf ${TSFILE} --strip-components=1

FROM bitnami/minideb:bullseye

# Maybe missing some package here?
RUN install_packages ca-certificates iptables iproute2

COPY --from=tailscale /app/tailscaled /app/tailscaled
COPY --from=tailscale /app/tailscale /app/tailscale


And the entrypoint looks like this:

# Start tailscaled in the background
/app/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/var/run/tailscale/tailscaled.sock &

# Retry until the node has joined the tailnet
until /app/tailscale up --authkey="${TS_AUTHKEY}" --hostname=fly-app
do
  sleep 0.1
done

I’m also running Caddy with this setup, but I’ve removed those parts from the Dockerfile and entrypoint to keep things relevant to Tailscale.

Any help is much appreciated.