cmd/containerboot: PID1 for running tailscaled in a container.

This implements the same functionality as the former run.sh, but in Go and with a little better awareness of tailscaled's lifecycle. Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had where it would unconditionally try to reauth every time if you gave it an authkey, rather than try to use it only if auth is actually needed. This makes it a bit nicer to deploy these containers in automation, since you don't have to run the container once, then go and edit its definition to remove authkeys. Signed-off-by: David Anderson <danderson@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2022-10-25 13:12:54 -07:00
parent 0759d78f12
commit 76904b82e7
8 changed files with 641 additions and 107 deletions
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -41,6 +41,8 @@ spec:
          optional: true
    - name: TS_DEST_IP
      value: "{{TS_DEST_IP}}"
+    - name: TS_AUTH_ONCE
+      value: "true"
    securityContext:
      capabilities:
        add:
--- a/docs/k8s/run.sh
+++ b/docs/k8s/run.sh
@@ -1,93 +0,0 @@
-# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-#! /bin/sh
-
-export PATH=$PATH:/tailscale/bin
-
-TS_AUTH_KEY="${TS_AUTH_KEY:-}"
-TS_ROUTES="${TS_ROUTES:-}"
-TS_DEST_IP="${TS_DEST_IP:-}"
-TS_EXTRA_ARGS="${TS_EXTRA_ARGS:-}"
-TS_USERSPACE="${TS_USERSPACE:-true}"
-TS_STATE_DIR="${TS_STATE_DIR:-}"
-TS_ACCEPT_DNS="${TS_ACCEPT_DNS:-false}"
-TS_KUBE_SECRET="${TS_KUBE_SECRET:-tailscale}"
-TS_SOCKS5_SERVER="${TS_SOCKS5_SERVER:-}"
-TS_OUTBOUND_HTTP_PROXY_LISTEN="${TS_OUTBOUND_HTTP_PROXY_LISTEN:-}"
-TS_TAILSCALED_EXTRA_ARGS="${TS_TAILSCALED_EXTRA_ARGS:-}"
-TS_SOCKET="${TS_SOCKET:-/tmp/tailscaled.sock}"
-
-set -e
-
-TAILSCALED_ARGS="--socket=${TS_SOCKET}"
-
-if [[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]; then
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=kube:${TS_KUBE_SECRET} --statedir=${TS_STATE_DIR:-/tmp}"
-elif [[ ! -z "${TS_STATE_DIR}" ]]; then
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} --statedir=${TS_STATE_DIR}"
-else
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=mem: --statedir=/tmp"
-fi
-
-if [[ "${TS_USERSPACE}" == "true" ]]; then
-  if [[ ! -z "${TS_DEST_IP}" ]]; then
-    echo "IP forwarding is not supported in userspace mode"
-    exit 1
-  fi
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} --tun=userspace-networking"
-else
-  if [[ ! -d /dev/net ]]; then
-    mkdir -p /dev/net
-  fi
-
-  if [[ ! -c /dev/net/tun ]]; then
-    mknod /dev/net/tun c 10 200
-  fi
-fi
-
-if [[ ! -z "${TS_SOCKS5_SERVER}" ]]; then
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} --socks5-server ${TS_SOCKS5_SERVER}"
-fi
-
-if [[ ! -z "${TS_OUTBOUND_HTTP_PROXY_LISTEN}" ]]; then
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} --outbound-http-proxy-listen ${TS_OUTBOUND_HTTP_PROXY_LISTEN}"
-fi
-
-if [[ ! -z "${TS_TAILSCALED_EXTRA_ARGS}" ]]; then
-  TAILSCALED_ARGS="${TAILSCALED_ARGS} ${TS_TAILSCALED_EXTRA_ARGS}"
-fi
-
-handler() {
-  echo "Caught SIGINT/SIGTERM, shutting down tailscaled"
-  kill -s SIGINT $PID
-  wait ${PID}
-}
-
-echo "Starting tailscaled"
-tailscaled ${TAILSCALED_ARGS} &
-PID=$!
-trap handler SIGINT SIGTERM
-
-UP_ARGS="--accept-dns=${TS_ACCEPT_DNS}"
-if [[ ! -z "${TS_ROUTES}" ]]; then
-  UP_ARGS="--advertise-routes=${TS_ROUTES} ${UP_ARGS}"
-fi
-if [[ ! -z "${TS_AUTH_KEY}" ]]; then
-  UP_ARGS="--authkey=${TS_AUTH_KEY} ${UP_ARGS}"
-fi
-if [[ ! -z "${TS_EXTRA_ARGS}" ]]; then
-  UP_ARGS="${UP_ARGS} ${TS_EXTRA_ARGS:-}"
-fi
-
-echo "Running tailscale up"
-tailscale --socket="${TS_SOCKET}" up ${UP_ARGS}
-
-if [[ ! -z "${TS_DEST_IP}" ]]; then
-  echo "Adding iptables rule for DNAT"
-  iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
-fi
-
-echo "Waiting for tailscaled to exit"
-wait ${PID}