Trying to get Tailscale Docker running ...

pixelwave

I am currently trying to get Tailscale up and running for my TrueNAS SCALE setup.

Truenas Version: TrueNAS-SCALE-22.02-RC.2
App Version: tailscale/tailscale:latest_2201.0.0

Previously I was using a Synology DS918+ with the Tailscale app from their app store. I am trying to get something similar in my current TrueNAS SCALE setup, but since there is no native app / support for Tailscale I am trying to get the Docker version up and running to bring the entire TrueNAS online. So ideally on the same system and not a separate Raspberry Pi / VM or on my router.

When I try to deploy it is stuck and the shell shows:
error: unable to upgrade connection: container not found ("ix-chart")

I am using the official docker "tailscale/tailscale" (https://hub.docker.com/r/tailscale/tailscale) with the following container settings:

Bildschirmfoto 2022-02-21 um 14.11.44.png
Bildschirmfoto 2022-02-21 um 14.11.52.png
Bildschirmfoto 2022-02-21 um 14.11.25.png
 

sretalla

Not sure what you think you'll be getting by mounting any directory other than /dev/tun on the host to /dev/tun in the container... I'm pretty sure it won't be a network connection. Likewise for /var/lib.

Did you tick the host networking option? (not sure it's even there anymore... but I see the container wants --network=host in addition to privileged mode)

You'll also need to specify the auth-key somehow.
 

pixelwave

> Not sure what you think you'll be getting by mounting any directory other than /dev/tun on the host to /dev/tun in the container... I'm pretty sure it won't be a network connection. Likewise for /var/lib.
>
> Did you tick the host networking option? (not sure it's even there anymore... but I see the container wants --network=host in addition to privileged mode)
>
> You'll also need to specify the auth-key somehow.

I am not an expert ... so "/var/lib" and "/dev/net/tun" are not extra volumes the docker needs (like others for example home assistant the config folder etc) but rather it has to be connected to host / system root folders? If yes .. how do I do this?

Host network option I did not find ... I only ticked the privileged option. The rest I left untouched like in this image:

Screenshot 2022-02-21 161505.png


Would this be "host network option"?:

Screenshot 2022-02-21 161529.png
 

Ixian

Container volumes = <path_on_host>:<path_inside_container>

If your container needs access to /dev/net/tun on the host - so it can write to the network stack via tunnel (I'm vastly oversimplifying) - then you need to pair it with the actual directory. In your screenshots you have it backwards - you are mounting the path inside the container. Your host path needs to be /dev/net/tun. If your app, Tailscale, expects that same path then mount it the same in the container too i.e. host path /dev/net/tun and mount path /dev/net/tun.

Host path is exactly that - the path on the host. Mount path is what it looks like inside the running container. Sometimes they will match, depends on the app.
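
The host path / mount path rule above, as an added example that is not part of the thread: a small POSIX shell check that a `<path_on_host>:<path_inside_container>` pair has the right kind of object on the host side, so a container path under /dev is backed by a real device node rather than a folder with the same name. The function names and the "/dev means device node" heuristic are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread: check "<path_on_host>:<path_inside_container>"
# pairs before entering them as host path / mount path.

# Classify the host side of a volume pair.
host_kind() {
    if [ -c "$1" ]; then echo chardev
    elif [ -d "$1" ]; then echo dir
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# check_volume HOST:CONTAINER -> prints a verdict; returns 0 only if the pair is sane.
check_volume() {
    spec=$1
    case $spec in
        /*:/*) ;;
        *) echo "BAD  $spec (want /host/path:/container/path)"; return 2 ;;
    esac
    host=${spec%%:*}    # text before the first colon
    ctr=${spec#*:}      # text after the first colon
    kind=$(host_kind "$host")
    case $ctr in
        /dev/*) want=chardev ;;  # heuristic: a device path needs the host's device node
        *)      want=dir ;;      # state directories such as /var/lib
    esac
    if [ "$kind" = "$want" ]; then
        echo "OK   $spec"
        return 0
    fi
    echo "BAD  $spec (host side is '$kind', expected '$want')"
    return 1
}

# Constructed demo: a folder that is only named like the device, versus the
# real host paths discussed in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/dev/net/tun"
check_volume "$demo/dev/net/tun:/dev/net/tun" || true   # BAD: host side is a directory
check_volume "/dev/net/tun:/dev/net/tun" || true        # OK on a host that has the node
check_volume "/var/lib:/var/lib" || true
rm -rf "$demo"
```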
 

pixelwave

So I created the folder on my local host pool "nvme1/docker/tailscale/dev/net/tun" and mounted it to the container "/dev/net/tun". For the container to write data to.

This is what you also explained with Container volumes = <path_on_host>:<path_inside_container>

But I guess from what I understand ... the host path "/dev/net/tun" is a system path that already exists? How can I mount this to the container? Is it possible using the GUI?
 

Ixian

Yes it exists and yes you can mount it to the container. I don't know if the GUI allows it or not but you can try just putting in the absolute path in host and see what happens.
 

pixelwave

So I put it like this now:

Screenshot 2022-02-21 191829.png


... and the container actually is ACTIVE now.

Screenshot 2022-02-21 192021.png


But Shell outputs the following message:

Screenshot 2022-02-21 192039.png
 

pixelwave

... hm, seems too difficult somehow. If anybody has or finds a step-by-step tutorial on how to set up Tailscale on TrueNAS SCALE ... I would be happy for a link / hint.
 

sretalla

Seems that the container site (https://hub.docker.com/r/tailscale/tailscale) says you should be running a process called tailscaled...

You would set that in the Configure container CMD form field when editing the container.
 

Ixian

> So I put it like this now:
>
> View attachment 53332
>
> ... and the container actually is ACTIVE now.
>
> View attachment 53333
>
> But Shell outputs the following message:
>
> View attachment 53334

1st, you still have what looks like a bad path - Tailscale needs to map to the host's /var/lib directory but you are mounting it in what is likely just an empty directory called /var/lib inside your container's persistent storage. You need to do the same thing there you did with /dev/net/tun and map it to the actual /var/lib directory on the host.

2nd, you also need to add a command to run tailscaled when the container starts. It appears you are using the "launch docker image" button in SCALE to set this up so you would add the command at step 3 (Container Entrypoint) - click the "add" button next to "Configure Container CMD" and type in tailscaled.

You'll also need to use Host networking (configured in step 5) and run the container in privileged mode (step 8, Workload Details, check "Privileged Mode" under "Security Context").
 

pixelwave

> 1st, you still have what looks like a bad path - Tailscale needs to map to the host's /var/lib directory but you are mounting it in what is likely just an empty directory called /var/lib inside your container's persistent storage. You need to do the same thing there you did with /dev/net/tun and map it to the actual /var/lib directory on the host.
>
> 2nd, you also need to add a command to run tailscaled when the container starts. It appears you are using the "launch docker image" button in SCALE to set this up so you would add the command at step 3 (Container Entrypoint) - click the "add" button next to "Configure Container CMD" and type in tailscaled.
>
> You'll also need to use Host networking (configured in step 5) and run the container in privileged mode (step 8, Workload Details, check "Privileged Mode" under "Security Context").

1st ... that I already changed as well in the meantime:

Screenshot 2022-02-21 210751.png


2nd ... as well

Screenshot 2022-02-21 205216.png


... privileged is on:

Screenshot 2022-02-21 210938.png


... what should point 5 (Host networking) look like?
 

pixelwave

When the active container is running and I start the shell with the command "tailscaled", the following message appears:

Screenshot 2022-02-21 213045.png
 

pixelwave

When I try "tailscaled tailscale up" for the login I get this message:

Screenshot 2022-02-21 214942.png
 

Ixian

I'm trying to figure this out for you but I'm stuck on what's wrong with your setup.

I went ahead just now and set up my own tailscale app via SCALE's "Launch Docker Image" button on my test server.

I configured it via the steps I outlined for you above - for step 5 Networking I clicked add next to Configure Add external interface, chose my adapter & dhcp from the drop-down lists, and moved on. I made sure tailscaled was added as a command and privileged mode was set.

And it works:
tailscale.png



I went ahead and set up a tailscale tunnel with my phone and this docker real quick just to make sure.

So this should work - there's something we're missing from your config that isn't correct.
 

pixelwave

> I'm trying to figure this out for you but I'm stuck on what's wrong with your setup.
>
> I went ahead just now and set up my own tailscale app via SCALE's "Launch Docker Image" button on my test server.
>
> I configured it via the steps I outlined for you above - for step 5 Networking I clicked add next to Configure Add external interface, chose my adapter & dhcp from the drop-down lists, and moved on. I made sure tailscaled was added as a command and privileged mode was set.
>
> And it works:
> View attachment 53344
>
> I went ahead and set up a tailscale tunnel with my phone and this docker real quick just to make sure.
>
> So this should work - there's something we're missing from your config that isn't correct.

I also added the network interface like you described:

Screenshot 2022-02-21 223605.png


What does your shell show when you use command "tailscaled tailscale up"?
 

Ixian

You know what, I thought I had it working but it actually wasn't.

Digging into it further it looks like the problem may be permission related - it's not able to access some host capabilities. Not sure what it is yet.
 

pixelwave

Progress!

So I updated to the TrueNAS SCALE release version today: TrueNAS-SCALE-22.02.0 and also rebooted the system.

Now the docker container launches and I get into the shell. I was able to set up and log in (command "tailscale up"), which gave me a URL address where I then connected to Tailscale, and now it is showing in my Tailscale:

Screenshot 2022-02-22 180134.png

Screenshot 2022-02-22 180020.png


The only problem now: due to the network settings of the tailscale container, I guess it has a custom / different IP address than the host TrueNAS system? I cannot access Home Assistant or other docker containers or even the TrueNAS web GUI when I use the tailscale VPN connection on my phone.

How can I fix this now? Do I have to put this in the container settings?

Screenshot 2022-02-22 181250.png


I am a bit scared because could I mess the system up with that and not be able to access web gui of the truenas system anymore?
 

Trexx

A better suggestion would be to put Tailscale on something like a Raspberry Pi and configure Tailscale to allow access to the rest of your network. Then you can jump from the RPi box into your TrueNAS GUI, any of your containers on it, etc.
 

pixelwave

> A better suggestion would be to put Tailscale on something like a Raspberry Pi and configure Tailscale to allow access to the rest of your network. Then you can jump from the RPi box into your TrueNAS GUI, any of your containers on it, etc.

This would be the last resort solution. But as said in the beginning post - I would like to avoid extra computers.
 