This commit is contained in:
+49
-1
@@ -164,7 +164,7 @@ that's a separate build, not just a `--platform` change.
|
||||
|---|---|
|
||||
| `clientupdate` | **Deliberately removed** — see [Why the built-in updater is removed](#why-the-built-in-updater-is-removed) |
|
||||
| `cachenetmap` | **Deliberately removed** — see [Why netmap disk-caching is removed](#why-netmap-disk-caching-is-removed) |
|
||||
| `logtail` | Would attempt persistent log writes; wear flash |
|
||||
| `logtail` | Would attempt persistent log writes; wear flash. Removing it also removes stderr verbosity filtering — restored by an injected filter, see [Log verbosity filtering](#log-verbosity-filtering) |
|
||||
| `netlog` | Network flow logging; separate concern |
|
||||
| `netstack` + `gro` | Userspace/gVisor networking; router uses kernel TUN |
|
||||
| `ssh` | Access via MikroTik SSH + `tailscale` CLI instead |
|
||||
@@ -226,6 +226,54 @@ the in-memory resilience (the common case) while eliminating per-netmap flash
|
||||
writes. Only `tailscaled.state` (written on auth / key rotation) ever touches
|
||||
flash.
|
||||
|
||||
### Log verbosity filtering
|
||||
|
||||
Upstream `tailscaled` embeds verbosity tags (`[v1]`, `[v2]`, …) inside its log
|
||||
messages and relies on the **logtail** subsystem to act on them: in a stock
|
||||
build, logtail's log policy intercepts everything written via the standard
|
||||
`log` package, parses the tag, and only writes a line to stderr when its level
|
||||
is within `--verbose` (default 0 — non-verbose messages only). The `--verbose`
|
||||
flag is literally wired into logtail (`pol.SetVerbosityLevel(args.verbose)` in
|
||||
`cmd/tailscaled/tailscaled.go`).
|
||||
|
||||
This build omits logtail (`ts_omit_logtail`) to avoid log-upload code and
|
||||
flash writes — but that removed the stderr filtering along with it, as
|
||||
collateral damage. The result: every verbose line went **unfiltered** to
|
||||
stderr and into the RouterOS container log, with the literal `[v1]` tag still
|
||||
in the text. On an active node that means constant spam, several lines per
|
||||
minute:
|
||||
|
||||
```
|
||||
tailscale: ... [v1] Accept: TCP{...:53256 > ...:50000} 391 tcp non-syn
|
||||
tailscale: ... netcheck: [v1] report: udp=true v6=true ... derp=22 ...
|
||||
tailscale: ... wg: [v2] [0GwzF] - Receiving keepalive packet
|
||||
```
|
||||
|
||||
This is a [known](https://github.com/tailscale/tailscale/issues/12158)
|
||||
[long-standing](https://github.com/tailscale/tailscale/issues/1548) complaint
|
||||
even in full builds, and RouterOS logging offers no way to discard matching
|
||||
messages (no drop action, rules are all-match — a regex rule duplicates rather
|
||||
than diverts).
|
||||
|
||||
The fix here: the build injects a ~20-line Go file
|
||||
(`patches/stderr_verbosity_filter.go`, copied into `cmd/tailscaled/` before
|
||||
`go build`) whose `init()` wraps the standard log output and silently drops
|
||||
any line carrying a `[v1]`/`[v2]`/`[v3]` tag. This restores the exact
|
||||
equivalent of logtail's default `StderrLevel=0` behavior without pulling in
|
||||
the upload machinery. Properties:
|
||||
|
||||
- **No upstream sources modified** — it's a new file in the package, so it
|
||||
survives Tailscale version bumps without rebasing (only relies on the
|
||||
daemon using the stdlib `log` package, which is core behavior).
|
||||
- **Build-tagged `//go:build ts_omit_logtail`** — if logtail is ever
|
||||
re-enabled, the file compiles out automatically and logtail's own filtering
|
||||
takes over; the two can never conflict.
|
||||
- **Runtime escape hatch** — setting the `TS_LOG_VERBOSITY=1` environment
|
||||
variable disables the filter (and, conveniently, the same knob is read by
|
||||
upstream as the default `--verbose` level). Verbose logs are one
|
||||
`/container/envs/add` away; no rebuild needed. See
|
||||
[USAGE.md → Logging](USAGE.md#logging).
|
||||
|
||||
## Volume layout
|
||||
|
||||
Two mount points, with different persistence requirements:
|
||||
|
||||
@@ -177,6 +177,40 @@ When this is configured, you can connect to other tailscale machines using
|
||||
`[device name].[tailnet name].ts.net`. You can see and change assigned
|
||||
Tailnet DNS name in Tailscale admin panel under DNS tab.
|
||||
|
||||
## Logging
|
||||
|
||||
The container logs to the RouterOS log (topic `container`) via `logging=yes`.
|
||||
|
||||
Upstream `tailscaled` is notoriously chatty: by default it would emit a line
|
||||
for every accepted connection (`Accept: TCP{...}`), every netcheck report, and
|
||||
every WireGuard handshake/keepalive — several lines per minute on an active
|
||||
node ([tailscale#12158](https://github.com/tailscale/tailscale/issues/12158)).
|
||||
This image filters those verbose (`[v1]`/`[v2]`-tagged) messages out at the
|
||||
source, so only meaningful messages (startup, auth, route changes, warnings,
|
||||
errors) reach the RouterOS log. See
|
||||
[DESIGN.md → Log verbosity filtering](DESIGN.md#log-verbosity-filtering) for
|
||||
how and why.
|
||||
|
||||
To temporarily get the verbose logs back for debugging (e.g. NAT-traversal
|
||||
issues), set the `TS_LOG_VERBOSITY` environment variable and recreate the
|
||||
container with the envlist attached:
|
||||
|
||||
```
|
||||
/container/envs/add list=tailscale_envs name=TS_LOG_VERBOSITY value=1
|
||||
/container/set [find where name=tailscale] envlist=tailscale_envs
|
||||
/container/stop [find where name=tailscale]
|
||||
/container/start [find where name=tailscale]
|
||||
```
|
||||
|
||||
Any value ≥ 1 disables the filter (and raises the daemon's own verbosity by
|
||||
the same amount). Remove the variable and restart to silence it again:
|
||||
|
||||
```
|
||||
/container/envs/remove [find where name=TS_LOG_VERBOSITY]
|
||||
/container/stop [find where name=tailscale]
|
||||
/container/start [find where name=tailscale]
|
||||
```
|
||||
|
||||
## Updating
|
||||
|
||||
You don't normally do anything: when a new release is published, the
|
||||
|
||||
Reference in New Issue
Block a user