This commit is contained in:
@@ -9,10 +9,21 @@
|
|||||||
# Reports pass/fail status back to Gitea, so it shows up as a required check on
|
# Reports pass/fail status back to Gitea, so it shows up as a required check on
|
||||||
# the PR.
|
# the PR.
|
||||||
|
|
||||||
|
# Doc-only changes can't affect the image, so they don't trigger the build.
|
||||||
|
# NOTE: if Gitea is ever configured to REQUIRE this check for merging, a
|
||||||
|
# doc-only PR will have no check at all — exempt such PRs or merge manually.
|
||||||
|
# Renovate PRs always touch the Dockerfile or pipeline files, so the
|
||||||
|
# automerge gate is unaffected by these exclusions.
|
||||||
when:
|
when:
|
||||||
- event: pull_request
|
- event: pull_request
|
||||||
|
path:
|
||||||
|
exclude: &doc_paths
|
||||||
|
- '**/*.md'
|
||||||
|
- 'docs/**'
|
||||||
- event: push
|
- event: push
|
||||||
branch: main
|
branch: main
|
||||||
|
path:
|
||||||
|
exclude: *doc_paths
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Build all arches (no push)
|
- name: Build all arches (no push)
|
||||||
|
|||||||
@@ -13,9 +13,16 @@
|
|||||||
# unchanged, so no tag is created and nothing is released — they ride along
|
# unchanged, so no tag is created and nothing is released — they ride along
|
||||||
# with the next Tailscale bump or manual tag.
|
# with the next Tailscale bump or manual tag.
|
||||||
|
|
||||||
|
# Skipped for doc-only pushes: TAILSCALE_VERSION lives in the Dockerfile, so a
|
||||||
|
# push that doesn't touch non-doc files can never introduce a new version to
|
||||||
|
# tag (the job would just no-op after spinning up OpenBao + git containers).
|
||||||
when:
|
when:
|
||||||
- event: push
|
- event: push
|
||||||
branch: main
|
branch: main
|
||||||
|
path:
|
||||||
|
exclude:
|
||||||
|
- '**/*.md'
|
||||||
|
- 'docs/**'
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Get git token from OpenBao
|
- name: Get git token from OpenBao
|
||||||
|
|||||||
@@ -294,6 +294,22 @@ Only the small, rarely-written state file touches flash; the socket dir is
|
|||||||
tmpfs. The netmap is held in memory only — see
|
tmpfs. The netmap is held in memory only — see
|
||||||
[Why netmap disk-caching is removed](#why-netmap-disk-caching-is-removed).
|
[Why netmap disk-caching is removed](#why-netmap-disk-caching-is-removed).
|
||||||
|
|
||||||
|
### What lives in the state dir
|
||||||
|
|
||||||
|
| File | Purpose | Write frequency |
|
||||||
|
|---|---|---|
|
||||||
|
| `tailscaled.state` | Node identity, auth keys, prefs | On auth / key rotation / prefs change |
|
||||||
|
| `derpmap.cached.json` | Cached DERP relay server list for **bootstrap DNS**: at cold start with broken/unavailable DNS, tailscaled asks DERP servers to resolve the control plane. The binary ships a static DERP list, but it goes stale; this cache keeps the current one. | Once at first auth, then **only when Tailscale's relay infrastructure changes** (a few times a year). `dnsfallback.UpdateCache` has a deep-equal guard and skips the write when the DERP map is unchanged — netmap churn never touches it. |
|
||||||
|
|
||||||
|
`derpmap.cached.json` is intentionally **kept** despite the flash-wear policy:
|
||||||
|
the policy targets *frequent* writes (netmap deltas, logs), not one-shot
|
||||||
|
caches. On a router this cache is genuinely useful — after a power outage the
|
||||||
|
device may boot with WAN up but upstream DNS broken, exactly the case where a
|
||||||
|
fresh DERP list lets the node reach the control plane anyway. With
|
||||||
|
`cachenetmap` omitted, this file and `tailscaled.state` are the only cold-start
|
||||||
|
resilience the node has. (There is no `ts_omit_*` tag for it; it is written
|
||||||
|
only because `--statedir` is set.)
|
||||||
|
|
||||||
## Flash wear protection
|
## Flash wear protection
|
||||||
|
|
||||||
Several measures are in place to avoid wearing out internal flash:
|
Several measures are in place to avoid wearing out internal flash:
|
||||||
|
|||||||
Reference in New Issue
Block a user