enable IP forwarding via entrypoint (fixes IPv6 subnet routes)
tailscaled does not reliably enable IPv6 forwarding inside a container
network namespace ('IPv6 forwarding is disabled'), so advertised IPv6
subnet routes silently fail. Add a tiny entrypoint.sh that sets
net.ipv4.ip_forward and net.ipv6.conf.all.forwarding (writable inside a
RouterOS container netns), then exec's tailscaled. Built in the builder
stage so it stays in the single /usr/local/bin COPY layer.
Verified: privileged run flips v6 forwarding 0->1 and exec's tailscaled
with CMD args intact.
This commit is contained in:
+15
-2
@@ -70,8 +70,21 @@ in a future release stays omitted until deliberately added to the Dockerfile.
|
||||
saves a real ~195 kB of flash (424 kB → 229 kB), not just transfer size.
|
||||
|
||||
The final image is built `FROM scratch` — there is no base distro layer.
|
||||
It contains only the busybox binary + applet symlinks, the CA bundle, and
|
||||
the Tailscale binary.
|
||||
It contains only the busybox binary + applet symlinks, the CA bundle, the
|
||||
Tailscale binary, and a tiny `entrypoint.sh`.
|
||||
|
||||
### Entrypoint: IP forwarding
|
||||
|
||||
`ENTRYPOINT` is a small `entrypoint.sh` that enables IPv4 and IPv6 forwarding
|
||||
(`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding`) in the container's
|
||||
network namespace, then `exec`s `tailscaled` (so the daemon stays PID 1). This
|
||||
is necessary because `tailscaled` does **not** reliably enable IPv6 forwarding
|
||||
itself inside a container netns — it logs "IPv6 forwarding is disabled" and
|
||||
advertised IPv6 subnet routes silently fail. The sysctls are writable from
|
||||
inside a RouterOS container, so the entrypoint sets them directly; no
|
||||
host-side or `/container` configuration is required. The script is created in
|
||||
the builder stage so it ships in the same single `/usr/local/bin` `COPY` layer
|
||||
(preserving the [single-copy property](#avoiding-overlayfs-layer-duplication)).
|
||||
|
||||
### Avoiding overlayfs layer duplication
|
||||
|
||||
|
||||
+8
-1
@@ -95,7 +95,8 @@ The daemon is now running but **not yet authenticated**.
|
||||
|
||||
### 5. Authenticate
|
||||
|
||||
> This image runs `tailscaled` directly and does **not** bundle Tailscale's
|
||||
> This image runs `tailscaled` via a tiny entrypoint (which enables IP
|
||||
forwarding, then `exec`s the daemon) and does **not** bundle Tailscale's
|
||||
`containerboot` wrapper, so the `TS_AUTHKEY` environment variable is **not**
|
||||
read automatically. You authenticate with `tailscale up --authkey=...` after the
|
||||
container starts.
|
||||
@@ -119,6 +120,12 @@ The node now appears in your Tailscale admin console. Approve the advertised
|
||||
routes / exit node there. Because the auth state is written to the persisted
|
||||
`tailscaled.state`, you only do this once — it survives reboots and updates.
|
||||
|
||||
> **IP forwarding** (IPv4 and IPv6) is enabled automatically by the container's
|
||||
> entrypoint, so advertised subnet routes and exit-node traffic work without any
|
||||
> extra `sysctl`/`/container` configuration. (IPv6 forwarding in particular is
|
||||
> not reliably enabled by `tailscaled` itself inside a container network
|
||||
> namespace, so the entrypoint sets it explicitly.)
|
||||
|
||||
### 6. Enable automatic updates
|
||||
|
||||
First, edit the `CONFIG` block at the top of `routeros/update-tailscale.rsc` if
|
||||
|
||||
Reference in New Issue
Block a user