Support custom tailscale socket path #10663
Comments
Will test it out today!
@kevinpollet can confirm that Traefik now refers to the correct socket path. Doesn't fix my issue, unfortunately (for some reason the file is not recognized), but this is an improvement nonetheless. Thanks for the swift work! My issue is specifically in Docker logs:

but then this file does exist:

```
$ ls -alh /volume1/@appdata/Tailscale/tailscaled.sock
srw-rw-rw- 1 tailscale tailscale 0 Apr 16 13:25 /volume1/@appdata/Tailscale/tailscaled.sock
```

weird!
Hey @OverHash,
Hey @emilevauge I do indeed mount the socket inside the container. My
an interesting point I had not noticed before: there is both a

```
$ tailscale
[...]
FLAGS
  --socket string
        path to tailscaled socket (default /var/packages/Tailscale/var/tailscaled.sock)
```

which exists on both my host and (theoretically, on the mounted container):

```
user@host:/volume1/path/to/router$ ls -alh /var/packages/Tailscale/var/tailscaled.sock
srw-rw-rw- 1 tailscale tailscale 0 Apr 16 13:25 /var/packages/Tailscale/var/tailscaled.sock
```

unfortunately I can't figure out how to bash into the traefik docker container, as there is no

Is there some networking I'm missing here? There's no mention of funny networking stuff I would need to do in the docs. I'm guessing this problem may not exist if I ran Tailscale on the same Docker network as Traefik (rather than on the host machine, as I currently do). Not quite sure how to proceed with figuring out this issue. Thanks for your time!
We have exactly the same problem, but more specifically for Kubernetes.
Random thought here... is your Traefik container user either root, or a tailscale operator?
I tried to simplify the problem by moving Tailscale to my

Relevant docker-compose.yml

My

```yaml
version: '3'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: ts-router
    hostname: tailscale
    environment:
      - TS_ACCEPT_DNS=true
      - TS_STATE_DIR=/var/lib/tailscale
    env_file:
      - .env
    # ports are published here because traefik shares this service's
    # network namespace (network_mode: service:tailscale below)
    ports:
      - 81:80
      - 8080:8080
    volumes:
      - ${PWD}/tailscale/state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped
  traefik:
    image: traefik:v3.0.1
    restart: unless-stopped
    # `networks:` and `network_mode:` are mutually exclusive in Compose; since
    # traefik joins the tailscale service's namespace, the `proxy` attachment
    # is left out here (it was present in the posted file and made Compose
    # reject the service definition)
    # networks:
    #   - proxy
    volumes:
      # let traefik subscribe to Docker events
      # (note: `:ro` only makes the socket file read-only; the Docker API behind
      # it still grants full control of the host's containers)
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/config.yml:/config.yml:ro
      - ./data/traefik.yml:/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:BASIC_AUTH_PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=traefik-dashboard.[REDACTED].ts.net"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    depends_on:
      - tailscale
    network_mode: service:tailscale
networks:
  proxy:
    external: true
```

and I then have a

```yaml
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml # empty file here
certificatesResolvers:
  myresolver:
    tailscale: {}
```

when I review the logs of the docker container, I see that the tailscale component has successfully authenticated and is streaming traffic. However, traefik is not happy and does not use Tailscale to acquire the HTTPS cert:

My suspicion is that I have to actually pass through the
Last night, I spent some time looking into Traefik's tailscale certificate provider. It's using a tailscale cert golang library. I don't find it needing the tailscaled socket surprising. Documentation? meh, it's frequently out of date.
I see that even a few months ago users have been having this issue, with reports of the same

I just tried making a volume in my

Regardless, happy to hear another person's input on this matter :)
After reviewing #9772, I managed to get somewhere by using my original configuration I posted in this issue (where my host has tailscale installed, and I am trying to pass it through to the traefik in a Docker container), alongside

```yaml
security_opt:
  - label:disable
```

in the traefik container.

The original issue of that thread persists: you get a

Maintainers, the original response in that thread was to post a new issue on the
Welcome!
What did you expect to see?
Currently Traefik does not support setting a custom socket path to the tailscaled process.
On Unix systems, Traefik will assume that the path is at /var/run/tailscale/tailscaled.sock (see https://github.com/tailscale/tscert/blob/28a91b69a0467442178b62e2cfb9ab272ed3b64c/internal/paths/paths.go#L35-L37).

Some systems don't have the socket path at this location, and so it is necessary to specify a custom path to the socket.

tscert supports using the TS_SOCKET env variable to specify this location, but this does not currently work with traefik v3 / traefik master.