tailscale container client

Jon Brookes

2025-01-04

I was interested to see if I could get a tailscale client running in a docker container and log it in to a custom tailnet that is self hosted using headscale. As the container from tailscale defaults to using their own cloud service I initially thought this would not be possible, until I came across a reddit post that discussed this.

Here is my solution, using a lab test docker compose file to see how it works out:

name: TailscaleClient
services:
  ts-authkey-test:
    container_name: ts-authkey-test
    hostname: authkey-test   # same name as the headscale user created later
    environment:
      TS_STATE_DIR: /var/lib/tailscale
    volumes:
      - /var/lib:/var/lib
      - /dev/net/tun:/dev/net/tun
      - ./state:/var/lib/tailscale   # login state persists here across restarts
    cap_add:
      - net_admin
      - sys_module
    # network_mode: host
    privileged: true   # grants every capability, so cap_add above only matters if this line is removed
    image: tailscale/tailscale:v1.78.3
    command: tailscaled

This starts a container with less privilege than you'd get by giving it --network=host --privileged, as suggested in the Dockerfile for the same image. I think that Dockerfile is solving a different problem, namely how to run tailscale on a host without installing it, by way of a privileged container, and that does not match what I wanted for my intended use.

Also, this stack keeps its own state in a directory called state in the current location, so a login made later will persist across restarts.

Bringing the above up with docker compose up, I can see the container start without any errors I need to worry about just now. Next, let's see what it can see, if anything.

docker exec -it ts-authkey-test tailscale status
Logged out.

This is good, as I would not expect to see anything different yet: the container is ready and waiting for further configuration, which I can now give it having obtained a pre-auth key from a headscale server I already have, with

headscale users create authkey-test
headscale preauthkeys create -u authkey-test

This user matches the hostname I put into the docker compose stack earlier, so it can now be used to log the containerised tailscale in to this service, having saved the pre-auth key to AUTHKEY:

docker exec -it ts-authkey-test tailscale up --login-server https://your-headscale-url --authkey $AUTHKEY --accept-routes

Checking the tailscale status now, I can see this host on the tailnet with

docker exec -it ts-authkey-test tailscale status
100.64.0.9      authkey-test         authkey-test linux   -
...

I abbreviate the output to exclude the other hosts on this network, but suffice to say the docker container is logged in.
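The steps above (check status, validate the login-server URL and key, run tailscale up, confirm the host appears) can be scripted so the join is repeatable and fails loudly when something is off. The script below is an added example, not from the original post; it assumes the container name ts-authkey-test and hostname authkey-test from the compose file, and takes the headscale URL and pre-auth key from the HEADSCALE_URL and AUTHKEY environment variables. The sample status lines used in the comments are constructed to match the format shown above.

```shell
#!/bin/sh
# Added example (not from the original post): drive the lab container through
# the same join steps with a check at each stage.
# Assumptions: container ts-authkey-test, hostname authkey-test, and the
# control server URL / pre-auth key supplied as HEADSCALE_URL and AUTHKEY.
set -eu

CONTAINER="${CONTAINER:-ts-authkey-test}"
EXPECTED_HOST="${EXPECTED_HOST:-authkey-test}"

# Run the tailscale CLI inside the container (no -t, so this works from cron/CI).
ts() {
    docker exec "$CONTAINER" tailscale "$@"
}

# Classify `tailscale status` output: logged_out, logged_in, or unknown.
# A logged-in node prints one line per peer starting with a 100.x tailnet address.
status_state() {
    case "$1" in
        "Logged out."*) echo logged_out ;;
        *100.*)         echo logged_in ;;
        *)              echo unknown ;;
    esac
}

# Return the tailnet IP for a hostname from `tailscale status` output, e.g.
# "100.64.0.9      authkey-test         authkey-test linux   -" -> 100.64.0.9
node_ip() {
    printf '%s\n' "$1" | awk -v host="$2" '$2 == host { print $1; exit }'
}

# Refuse to join with a non-https control URL or an empty key, so a typo
# cannot send the pre-auth key over plain http or to the wrong server.
check_login_args() {
    url="$1"
    key="$2"
    case "$url" in
        https://*) ;;
        *) echo "login server must be an https:// URL, got: $url" >&2; return 1 ;;
    esac
    [ -n "$key" ] || { echo "AUTHKEY is empty" >&2; return 1; }
    return 0
}

join_tailnet() {
    check_login_args "$HEADSCALE_URL" "$AUTHKEY"

    # `tailscale status` may exit non-zero while logged out; keep the text anyway.
    state=$(status_state "$(ts status 2>&1 || true)")
    if [ "$state" = logged_in ]; then
        echo "already logged in, nothing to do"
        return 0
    fi

    # The key is visible in the host process list for the duration of this call.
    ts up --login-server "$HEADSCALE_URL" --authkey "$AUTHKEY" --accept-routes

    # Poll until our own hostname shows up with a tailnet address.
    i=0
    while [ "$i" -lt 10 ]; do
        ip=$(node_ip "$(ts status 2>&1 || true)" "$EXPECTED_HOST")
        if [ -n "$ip" ]; then
            echo "joined as $EXPECTED_HOST ($ip)"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "host $EXPECTED_HOST did not appear in tailscale status" >&2
    return 1
}

# Only run the flow when asked, so the helpers can be sourced and reused.
if [ "${1:-}" = "join" ]; then
    join_tailnet
fi
```

Run it as `HEADSCALE_URL=https://your-headscale-url AUTHKEY=... sh join.sh join` after `docker compose up -d`. The https check is deliberately strict; if your lab headscale really is served over plain http, loosen it knowingly rather than by deleting the check.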

There is much that can now be done with this container, and the following video from Tailscale goes into greater detail on how we can sidecar this container with others, making it possible to have a fully containerised infrastructure regardless of where your container services are running.

I would have to conclude that this gives me greater incentive than I had before to use this technology, as it is a step change in the way we can now host our services and create our own networks.

Future possibilities are interesting.