UnRaid / Tailscale / Docker

jeryd · September 11, 2022, 4:08pm

I need some help here. I’m currently using a community tailscale app for unraid, however I can’t figure out how to use the cert command.

I was thinking I would just launch my own docker / tailscale, but for the life of me I can not figure out what the flags should be to get it working. Every time it shows up as “ephemeral” which I don’t want - I need the IP to remain the same over reboots.

Can anyone point me to the “official” flags that should be used to run tailscale in a container? Also, where is the list of flags that could be used?

Jay · September 12, 2022, 6:53pm

Hi Jeryd,

If you want the tailscale identity to persist, You need to map /var/lib/tailscale inside the container to stable storage somewhere on the host. This folder will contain the node key, which Tailscale uses to identify and assign the IP address.

If you run tailscale --help or tailscale up --help you will get a list of the flags available.

Lieven · September 12, 2022, 7:21pm

Hey @jeryd ,

I went with the following in docker-compose:

    tailscale-myservice:
        image: tailscale/tailscale:v1.30
        network_mode: 'service:myservice'
        volumes:
            - ./data/tailscale-gitea:/var/lib/tailscale
            - gitea_keys:/ssl_certificate
        env_file:
            - tailscale-myservice.env
        environment:
            - TS_USERSPACE=true
            - TS_STATE_DIR=/var/lib/tailscale/ # sets state directory env var so that state is persisted
        cpus: 2
        mem_limit: 4096m
        restart: on-failure
        init: true

And then in tailscale-myservice.env you put a key that you generate in the admin panel where you can disable the ‘ephemeral’ flag:

TS_AUTH_KEY=tskey-XXXXXX-YYYYY

That should do the trick.

Note: this method of using a container in parallel with the actual service you want to expose still has some quirks. If you restart the service container you also need to restart the tailscale container in order to re-enable the connectivity to the service from your tailnet. As far as I understand this is due to a limitation on how docker works when you use the ‘service:myservice’ network mode.

Hope this helps,
Lieven.

Lieven · September 12, 2022, 7:26pm

Additionally: when you use the TS_USERSPACE setting and you try to execute a command in the tailscale container e.g. to check the status, then you need to pass the --socket=/tmp/tailscaled.sock parameter to the command so that tailscale knows where to find the tailscaled. It took some time for me to figure that out so I thought I’d share this info too…

Best regards,
Lieven

jeryd · September 13, 2022, 2:19am

Thank you all! I will set this up this weekend.

@Lieven why did you limit the CPUs to 2?

Lieven · September 13, 2022, 6:37am

Hey @jeryd

no specific reason but to restrict the possible amount of system resources that are used by this specific container.

Best regards,
Lieven.

Topic		Replies	Views
Running tailscale cert inside a docker deployment SUPPORT QUESTIONS	0	610	June 8, 2022
Tailscale up --ssh?	2	758	May 10, 2022
Connected but no access to docker services SUPPORT QUESTIONS	0	300	September 25, 2022
Tailscale + Fly + SSL	3	545	June 9, 2023
Connection to pkgs.tailscale.com fails due to a SSL certificate issue SUPPORT QUESTIONS	4	2189	September 13, 2021

UnRaid / Tailscale / Docker

Related Topics