containerboot

command
v1.50.1
Warning

This package is not in the latest version of its module.

Published: Oct 2, 2023 License: BSD-3-Clause Imports: 27 Imported by: 0

Documentation

Overview

The containerboot binary is a wrapper for starting tailscaled in a container. It handles reading the desired mode of operation out of environment variables, bringing up and authenticating Tailscale, and any other Kubernetes-specific side jobs.

As with most container things, configuration is passed through environment variables. All configuration is optional.

  • TS_AUTHKEY: the authkey to use for login.
  • TS_HOSTNAME: the hostname to request for the node.
  • TS_ROUTES: subnet routes to advertise.
  • TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
  • TS_TAILNET_TARGET_IP: proxy all incoming non-Tailscale traffic to the given destination.
  • TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
  • TS_EXTRA_ARGS: extra arguments to 'tailscale login', these are not reset on restart.
  • TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
  • TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
  • TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
  • TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
  • TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
  • TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
  • TS_SOCKET: the path where the tailscaled LocalAPI socket should be created.
  • TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false, forcibly log in every time the container starts. The default until 1.50.0 was false, but that was misleading: until 1.50, containerboot used `tailscale up`, which would ignore an authkey argument if there was already a node key. Effectively, this behaved as though TS_AUTH_ONCE were always true. In 1.50.0 the change was made to use `tailscale login` instead of `up`, and login will reauthenticate every time it is given an authkey. In 1.50.1 the default for TS_AUTH_ONCE was set to true, to match the previously observed behavior.
  • TS_SERVE_CONFIG: if specified, is the file path where the ipn.ServeConfig is located. It will be applied once tailscaled is up and running. If the file contains ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN. It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes, and will be re-applied when it changes.

When running on Kubernetes, containerboot defaults to storing state in the "tailscale" kube secret. To store state on local disk instead, set TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir. The state dir should be persistent storage.

Additionally, if TS_AUTHKEY is not set and the TS_KUBE_SECRET contains an "authkey" field, that key is used as the tailscale authkey.
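The rules above for the state secret, the authkey source, TS_AUTH_ONCE and the TS_SERVE_CONFIG/TS_DEST_IP conflict, worked through as an added Go example that is not containerboot's own code. `Plan`, `Resolve` and the sample values are hypothetical, and parsing TS_AUTH_ONCE with `strconv.ParseBool` is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
)

// Plan is a hypothetical summary type for this example, not a containerboot type.
type Plan struct {
	AuthKeySource string   // "TS_AUTHKEY", "kube-secret" or "none"
	StateSecret   string   // kube secret holding state; "" means none
	LoginAtStart  bool     // whether a login is attempted on this start
	Problems      []string // settings the overview says conflict or are incomplete
}

// Resolve applies the documented rules. secretAuthKey (the state secret has an
// "authkey" field) and loggedIn are facts the caller must determine itself.
func Resolve(env map[string]string, onKube, secretAuthKey, loggedIn bool) Plan {
	p := Plan{AuthKeySource: "none"}
	if onKube {
		p.StateSecret = "tailscale" // documented default on Kubernetes
		if s, ok := env["TS_KUBE_SECRET"]; ok {
			p.StateSecret = s
		}
	}
	if env["TS_AUTHKEY"] != "" {
		p.AuthKeySource = "TS_AUTHKEY" // the environment wins over the secret
	} else if p.StateSecret != "" && secretAuthKey {
		p.AuthKeySource = "kube-secret"
	}
	authOnce := true // default as of 1.50.1
	if v, ok := env["TS_AUTH_ONCE"]; ok {
		if b, err := strconv.ParseBool(v); err != nil { // assumed parsing rule
			p.Problems = append(p.Problems, "TS_AUTH_ONCE is not a boolean: "+v)
		} else {
			authOnce = b
		}
	}
	p.LoginAtStart = !authOnce || !loggedIn
	if env["TS_SERVE_CONFIG"] != "" && env["TS_DEST_IP"] != "" {
		p.Problems = append(p.Problems, "TS_SERVE_CONFIG cannot be combined with TS_DEST_IP")
	}
	if onKube && p.StateSecret == "" && env["TS_STATE_DIR"] == "" {
		p.Problems = append(p.Problems, "TS_KUBE_SECRET is empty but TS_STATE_DIR is not set")
	}
	return p
}
func main() { // constructed sample environment
	env := map[string]string{"TS_AUTH_ONCE": "false", "TS_SERVE_CONFIG": "/etc/serve.json", "TS_DEST_IP": "10.0.0.5"}
	fmt.Printf("%+v\n", Resolve(env, true, true, true))
}
```

Running it against a pod's environment before rollout shows whether a restart will reuse the stored authkey and whether any settings conflict.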
