From 1bc10bcb6efbe5234a69f2130b5e05057c720f0a Mon Sep 17 00:00:00 2001 From: Lumpiasty Date: Tue, 2 Jun 2026 15:54:52 +0200 Subject: [PATCH] include ipnbus so 'tailscale up' waits and prints login URL Without ipnbus, 'tailscale up' fires config at the daemon and returns immediately ('built with ts_omit_ipnbus; not waiting for completion') without printing the auth URL or confirming success. Add it to the allowlist so interactive 'up' behaves normally. --- Dockerfile | 7 +++++++ docs/DESIGN.md | 1 + 2 files changed, 8 insertions(+) diff --git a/Dockerfile b/Dockerfile index 8435cfe..118f35b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -69,6 +69,12 @@ WORKDIR /src/tailscale # trusted unix socket, so PermitRead/PermitWrite are # always false and EVERY CLI call (status, up, set, ...) # returns "access denied" (tailscale/tailscale#17873). +# ipnbus — IPN bus watch. Without it, 'tailscale up' cannot wait +# for completion: it fires config at the daemon and +# returns immediately ("built with ts_omit_ipnbus; not +# waiting for completion") WITHOUT printing the auth URL +# or confirming success. Including it makes interactive +# 'up' behave normally (blocks, prints login URL). # # Everything else remains omitted, including (rationale): # clientupdate — DELIBERATELY removed. The built-in updater would download @@ -111,6 +117,7 @@ RUN mkdir -p /out && \ -e 's/ts_omit_health,\{0,1\}//g' \ -e 's/ts_omit_iptables,\{0,1\}//g' \ -e 's/ts_omit_unixsocketidentity,\{0,1\}//g' \ + -e 's/ts_omit_ipnbus,\{0,1\}//g' \ -e 's/,$//' \ ) && \ echo "Build tags: ${TAGS}" && \ diff --git a/docs/DESIGN.md b/docs/DESIGN.md index b9ce258..7755d40 100644 --- a/docs/DESIGN.md +++ b/docs/DESIGN.md 
@@ -143,6 +143,7 @@ that's a separate build, not just a `--platform` change. | iptables | Linux iptables support for routing rules | | osrouter | Configure kernel network stack and routing tables | | unixsocketidentity | **Required** — without it the localapi denies every CLI call with "access denied" ([tailscale#17873](https://github.com/tailscale/tailscale/issues/17873)) | +| ipnbus | Lets `tailscale up` wait for completion and print the login URL; without it `up` returns immediately without confirming success | ## Features intentionally omitted
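Review bot: The new ipnbus entry in the Dockerfile comment block (hunk `@@ -69,6 +69,12`) records only the usability reason for including the feature and says nothing about the trade-off for an image that omits everything else by default. The clientupdate entry directly below it spells out why that feature stays out; the ipnbus entry should carry the matching statement, namely what the bus watch exposes to local clients of the daemon and why that is acceptable here, so a later reader can tell the inclusion was a considered decision and not only a convenience.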
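Review bot: The added `-e 's/ts_omit_ipnbus,\{0,1\}//g'` expression in the Dockerfile `RUN` hunk (`@@ -111,6 +117,7`) is a silent no-op when the tag is missing from the list being filtered, so the image can fall back to the "not waiting for completion" behaviour without the build failing. The pattern is also unanchored, so it would cut the `ts_omit_ipnbus` prefix out of any longer tag that starts with the same string and leave a fragment behind. Match on tag boundaries (start of string or a comma before, comma or end of string after) and fail the build when an expected tag was not found; at the moment the only signal is the `echo "Build tags: ${TAGS}"` line, which nobody checks in an automated build.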
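Review bot: The ipnbus row added to the table in docs/DESIGN.md (hunk `@@ -143,6 +143,7`) does not say whether the feature is required or a convenience, while the unixsocketidentity row above it is explicitly marked **Required**. State which it is, and include the literal message `built with ts_omit_ipnbus; not waiting for completion` that the Dockerfile comment already quotes, so someone who sees that output from a trimmed build can search the design doc and land on this row.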