Merge pull request 'Don't rebuild image on paths not included in image' (#25) from fix/skip-builds into main

Reviewed-on: #25

.woodpecker/pr-build.yaml

@@ -9,10 +9,24 @@
 # Reports pass/fail status back to Gitea, so it shows up as a required check on
 # the PR.
 
+# Changes that can't affect the image don't trigger the build: docs and the
+# RouterOS-side script (routeros/**: lives on the router, not in the image).
+# NOTE: if Gitea is ever configured to REQUIRE this check for merging, a
+# PR touching only excluded files will have no check at all — exempt such PRs
+# or merge manually. Renovate PRs always touch the Dockerfile or pipeline
+# files, so the automerge gate is unaffected by these exclusions.
 when:
   - event: pull_request
+    path:
+      exclude: &non_image_paths
+        - '**/*.md'
+        - 'docs/**'
+        - 'routeros/**'
+        - 'renovate.json'
   - event: push
     branch: main
+    path:
+      exclude: *non_image_paths
 
 steps:
   - name: Build all arches (no push)

.woodpecker/release-tag.yaml

@@ -13,9 +13,19 @@
 # unchanged, so no tag is created and nothing is released — they ride along
 # with the next Tailscale bump or manual tag.
 
+# Skipped for pushes that can't introduce a new Tailscale version:
+# TAILSCALE_VERSION lives in the Dockerfile, so a push touching only docs or
+# the RouterOS-side script can never produce a new version to tag (the job
+# would just no-op after spinning up OpenBao + git containers).
 when:
   - event: push
     branch: main
+    path:
+      exclude:
+        - '**/*.md'
+        - 'docs/**'
+        - 'routeros/**'
+        - 'renovate.json'
 
 steps:
   - name: Get git token from OpenBao

.woodpecker/renovate.yaml

@@ -46,7 +46,7 @@ steps:
       - bao kv get -mount secret -field GITHUB_COM_TOKEN renovate > /woodpecker/github_com_token
   - name: renovate
     # Renovate's built-in "woodpecker" manager tracks this image automatically.
-    image: renovate/renovate:43.205.3
+    image: renovate/renovate:43.220.0
     environment:
       # --- platform / target ---
       RENOVATE_PLATFORM: gitea
@@ -58,8 +58,12 @@ steps:
       # Use the committed renovate.json; don't open an onboarding PR.
       RENOVATE_ONBOARDING: "false"
       RENOVATE_REQUIRE_CONFIG: "optional"
-      # Git identity for the branches/commits Renovate creates.
+      # Git identity for the branches/commits Renovate creates. MUST match the
-      RENOVATE_GIT_AUTHOR: "Renovate Bot <renovate@localhost>"
+      # bot's Gitea account email: platform actions (automerge merge commits,
+      # "update branch") are attributed to the account email, and Renovate
+      # flags branches containing commits from unrecognized emails as
+      # "edited by someone else" and stops rebasing them.
+      RENOVATE_GIT_AUTHOR: "Renovate Bot <renovate@lumpiasty.xyz>"
       # GitHub token (read-only, no repo access) lets Renovate fetch release
       # notes / changelogs and avoids GitHub API rate limits for the
       # github-releases datasource (tailscale). Optional but recommended.

Dockerfile

@@ -19,10 +19,10 @@
 # =============================================================================
 # Stage 1: Build Tailscale combined binary (cross-compiled, runs natively)
 # =============================================================================
-FROM --platform=$BUILDPLATFORM golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.4-alpine@sha256:7a3e50096189ad57c9f9f865e7e4aa8585ed1585248513dc5cda498e2f41812c AS builder
 
-# renovate: datasource=github-releases depName=tailscale packageName=tailscale/tailscale
+# renovate: datasource=github-releases depName=tailscale packageName=tailscale/tailscale versioning=semver
-ARG TAILSCALE_VERSION=v1.98.3
+ARG TAILSCALE_VERSION=v1.98.5
 
 # Provided automatically by buildx for the target platform.
 ARG TARGETOS
@@ -40,6 +40,23 @@ RUN git clone --depth 1 --branch ${TAILSCALE_VERSION} \
 
 WORKDIR /src/tailscale
 
+# Inject a stderr verbosity filter into the tailscaled package.
+#
+# With logtail compiled out (ts_omit_logtail), tailscaled never installs
+# logpolicy (see `if buildfeatures.HasLogTail` in cmd/tailscaled/tailscaled.go),
+# so log output goes raw to stderr: the [v1]/[v2] verbosity tags embedded in
+# messages are neither parsed nor filtered, and --verbose has NO effect. The
+# result is constant log spam in the RouterOS container log (filter
+# "Accept: TCP" verdicts, "netcheck: [v1] report", "wg: [v2]" handshakes and
+# keepalives) — see tailscale/tailscale#12158 and #1548.
+#
+# The injected file (build-tagged ts_omit_logtail, so it's a no-op if logtail
+# is ever re-enabled) registers a log writer in init() that drops lines
+# carrying a [v1]+ tag, restoring the equivalent of logtail's StderrLevel=0
+# default. Setting TS_LOG_VERBOSITY=1 (or higher) in the container environment
+# disables the filter at runtime for debugging — no rebuild needed.
+COPY patches/stderr_verbosity_filter.go cmd/tailscaled/
+
 # Build a minimal combined binary (tailscale CLI + tailscaled daemon in one file).
 #
 # Tag strategy — ALLOWLIST, not blocklist:
@@ -166,8 +183,7 @@ RUN mkdir -p /out/usrlocalbin && \
 # overlayfs single-copy property). `exec` keeps tailscaled as PID 1.
 RUN printf '%s\n' \
       '#!/bin/sh' \
-      '# Enable IPv4/IPv6 forwarding (best-effort; sysctls are writable inside' \
+      '# Enable IPv4/IPv6 forwarding. Required for advertised subnet routes and' \
-      '# a RouterOS container netns). Required for advertised subnet routes and' \
       '# exit-node functionality.' \
       'for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do' \
       '  if [ -w "$f" ]; then echo 1 > "$f" 2>/dev/null || echo "warn: could not write $f"; fi' \
@@ -197,10 +213,10 @@ RUN printf '%s\n' \
 # This stage runs on the TARGET platform (no --platform override): gcc then
 # produces native target-arch binaries directly. Under buildx this is
 # transparently emulated via binfmt/QEMU for non-native targets.
-FROM alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS busybox
+FROM alpine:3.24.0@sha256:a2d49ea686c2adfe3c992e47dc3b5e7fa6e6b5055609400dc2acaeb241c829f4 AS busybox
 
 # renovate: datasource=docker depName=busybox versioning=docker
-ARG BUSYBOX_VERSION=1.37.0
+ARG BUSYBOX_VERSION=1.38.0
 
 RUN apk add --no-cache build-base linux-headers wget bzip2 perl upx
 

README.md

@@ -70,6 +70,7 @@ ARMv5 (hEX Refresh / hAP ax S) is **not** supported — see
 |---|---|
 | `Dockerfile` | Multi-stage, multi-arch build (cross-compiled Go + custom busybox) |
 | `busybox-applets.config` | Curated busybox applet set |
+| `patches/` | Source files injected into the Tailscale tree at build time (stderr verbosity filter) |
 | `build.sh` | Build all/one arch, optionally export per-arch tarballs |
 | `routeros/update-tailscale.rsc` | RouterOS auto-update script (digest compare + recreate) |
 | `.woodpecker/` | CI: Renovate cron, release tagging, multi-arch publish |

docs/DESIGN.md

@@ -164,7 +164,7 @@ that's a separate build, not just a `--platform` change.
 |---|---|
 | `clientupdate` | **Deliberately removed** — see [Why the built-in updater is removed](#why-the-built-in-updater-is-removed) |
 | `cachenetmap` | **Deliberately removed** — see [Why netmap disk-caching is removed](#why-netmap-disk-caching-is-removed) |
-| `logtail` | Would attempt persistent log writes; wear flash |
+| `logtail` | Would attempt persistent log writes; wear flash. Removing it also removes stderr verbosity filtering — restored by an injected filter, see [Log verbosity filtering](#log-verbosity-filtering) |
 | `netlog` | Network flow logging; separate concern |
 | `netstack` + `gro` | Userspace/gVisor networking; router uses kernel TUN |
 | `ssh` | Access via MikroTik SSH + `tailscale` CLI instead |
@@ -226,6 +226,54 @@ the in-memory resilience (the common case) while eliminating per-netmap flash
 writes. Only `tailscaled.state` (written on auth / key rotation) ever touches
 flash.
 
+### Log verbosity filtering
+
+Upstream `tailscaled` embeds verbosity tags (`[v1]`, `[v2]`, …) inside its log
+messages and relies on the **logtail** subsystem to act on them: in a stock
+build, logtail's log policy intercepts everything written via the standard
+`log` package, parses the tag, and only writes a line to stderr when its level
+is within `--verbose` (default 0 — non-verbose messages only). The `--verbose`
+flag is literally wired into logtail (`pol.SetVerbosityLevel(args.verbose)` in
+`cmd/tailscaled/tailscaled.go`).
+
+This build omits logtail (`ts_omit_logtail`) to avoid log-upload code and
+flash writes — but that removed the stderr filtering along with it, as
+collateral damage. The result: every verbose line went **unfiltered** to
+stderr and into the RouterOS container log, with the literal `[v1]` tag still
+in the text. On an active node that means constant spam, several lines per
+minute:
+
+```
+tailscale: ... [v1] Accept: TCP{...:53256 > ...:50000} 391 tcp non-syn
+tailscale: ... netcheck: [v1] report: udp=true v6=true ... derp=22 ...
+tailscale: ... wg: [v2] [0GwzF] - Receiving keepalive packet
+```
+
+This is a [known](https://github.com/tailscale/tailscale/issues/12158)
+[long-standing](https://github.com/tailscale/tailscale/issues/1548) complaint
+even in full builds, and RouterOS logging offers no way to discard matching
+messages (no drop action, rules are all-match — a regex rule duplicates rather
+than diverts).
+
+The fix here: the build injects a ~20-line Go file
+(`patches/stderr_verbosity_filter.go`, copied into `cmd/tailscaled/` before
+`go build`) whose `init()` wraps the standard log output and silently drops
+any line carrying a `[v1]`/`[v2]`/`[v3]` tag. This restores the exact
+equivalent of logtail's default `StderrLevel=0` behavior without pulling in
+the upload machinery. Properties:
+
+- **No upstream sources modified** — it's a new file in the package, so it
+  survives Tailscale version bumps without rebasing (only relies on the
+  daemon using the stdlib `log` package, which is core behavior).
+- **Build-tagged `//go:build ts_omit_logtail`** — if logtail is ever
+  re-enabled, the file compiles out automatically and logtail's own filtering
+  takes over; the two can never conflict.
+- **Runtime escape hatch** — setting the `TS_LOG_VERBOSITY=1` environment
+  variable disables the filter (and, conveniently, the same knob is read by
+  upstream as the default `--verbose` level). Verbose logs are one
+  `/container/envs/add` away; no rebuild needed. See
+  [USAGE.md → Logging](USAGE.md#logging).
+
 ## Volume layout
 
 Two mount points, with different persistence requirements:
@@ -246,6 +294,22 @@ Only the small, rarely-written state file touches flash; the socket dir is
 tmpfs. The netmap is held in memory only — see
 [Why netmap disk-caching is removed](#why-netmap-disk-caching-is-removed).
 
+### What lives in the state dir
+
+| File | Purpose | Write frequency |
+|---|---|---|
+| `tailscaled.state` | Node identity, auth keys, prefs | On auth / key rotation / prefs change |
+| `derpmap.cached.json` | Cached DERP relay server list for **bootstrap DNS**: at cold start with broken/unavailable DNS, tailscaled asks DERP servers to resolve the control plane. The binary ships a static DERP list, but it goes stale; this cache keeps the current one. | Once at first auth, then **only when Tailscale's relay infrastructure changes** (a few times a year). `dnsfallback.UpdateCache` has a deep-equal guard and skips the write when the DERP map is unchanged — netmap churn never touches it. |
+
+`derpmap.cached.json` is intentionally **kept** despite the flash-wear policy:
+the policy targets *frequent* writes (netmap deltas, logs), not one-shot
+caches. On a router this cache is genuinely useful — after a power outage the
+device may boot with WAN up but upstream DNS broken, exactly the case where a
+fresh DERP list lets the node reach the control plane anyway. With
+`cachenetmap` omitted, this file and `tailscaled.state` are the only cold-start
+resilience the node has. (There is no `ts_omit_*` tag for it; it is written
+only because `--statedir` is set.)
+
 ## Flash wear protection
 
 Several measures are in place to avoid wearing out internal flash:

docs/USAGE.md

@@ -9,7 +9,7 @@ reasoning behind these choices, see [DESIGN.md](DESIGN.md).
 
 ## Deploy on MikroTik (RouterOS)
 
-Verified on RouterOS 7.21.2 (arm64, CRS418). Commands are grouped into
+Verified on RouterOS 7.23 (arm64, CRS418). Commands are grouped into
 copy-paste blocks, defaults should fit most configurations.
 
 > Because the image has no built-in updater (the `clientupdate` feature is
@@ -19,7 +19,9 @@ copy-paste blocks, defaults should fit most configurations.
 
 ### 0. Prerequisites
 
-- RouterOS >7.13 with the **container** package installed.
+- RouterOS >= 7.23 with the **container** package installed
+  (7.23 is needed for container `restart-policy`; the deploy itself works on
+  >= 7.13 if you drop the restart options).
 - Container mode enabled ([documentation](https://manual.mikrotik.com/docs/System%20Information%20and%20Utilities/device-mode/#changing-mode-of-device-mode)):
 
   ```
@@ -80,6 +82,8 @@ just that directory:
     mountlists=tailscale_state \
     logging=yes \
     start-on-boot=yes \
+    restart-policy=on-failure \
+    restart-interval=10s \
     name=tailscale
 ```
 
@@ -120,12 +124,6 @@ The node now appears in your Tailscale admin console. Approve the advertised
 routes / exit node there. Because the auth state is written to the persisted
 `tailscaled.state`, you only do this once — it survives reboots and updates.
 
-> **IP forwarding** (IPv4 and IPv6) is enabled automatically by the container's
-> entrypoint, so advertised subnet routes and exit-node traffic work without any
-> extra `sysctl`/`/container` configuration. (IPv6 forwarding in particular is
-> not reliably enabled by `tailscaled` itself inside a container network
-> namespace, so the entrypoint sets it explicitly.)
-
 ### 6. Enable automatic updates
 
 First, edit the `CONFIG` block at the top of `routeros/update-tailscale.rsc` if
@@ -183,6 +181,40 @@ When this is configured, you can connect to other tailscale machines using
 `[device name].[tailnet name].ts.net`. You can see and change assigned
 Tailnet DNS name in Tailscale admin panel under DNS tab.
 
+## Logging
+
+The container logs to the RouterOS log (topic `container`) via `logging=yes`.
+
+Upstream `tailscaled` is notoriously chatty: by default it would emit a line
+for every accepted connection (`Accept: TCP{...}`), every netcheck report, and
+every WireGuard handshake/keepalive — several lines per minute on an active
+node ([tailscale#12158](https://github.com/tailscale/tailscale/issues/12158)).
+This image filters those verbose (`[v1]`/`[v2]`-tagged) messages out at the
+source, so only meaningful messages (startup, auth, route changes, warnings,
+errors) reach the RouterOS log. See
+[DESIGN.md → Log verbosity filtering](DESIGN.md#log-verbosity-filtering) for
+how and why.
+
+To temporarily get the verbose logs back for debugging (e.g. NAT-traversal
+issues), set the `TS_LOG_VERBOSITY` environment variable and recreate the
+container with the envlist attached:
+
+```
+/container/envs/add list=tailscale_envs name=TS_LOG_VERBOSITY value=1
+/container/set [find where name=tailscale] envlist=tailscale_envs
+/container/stop [find where name=tailscale]
+/container/start [find where name=tailscale]
+```
+
+Any value ≥ 1 disables the filter (and raises the daemon's own verbosity by
+the same amount). Remove the variable and restart to silence it again:
+
+```
+/container/envs/remove [find where name=TS_LOG_VERBOSITY]
+/container/stop [find where name=tailscale]
+/container/start [find where name=tailscale]
+```
+
 ## Updating
 
 You don't normally do anything: when a new release is published, the

patches/stderr_verbosity_filter.go

@@ -0,0 +1,45 @@
+// Copyright (c) mikrotik-tailscale build. Injected at image build time.
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ts_omit_logtail
+
+package main
+
+// When logtail is compiled out (ts_omit_logtail), logpolicy is never
+// installed (see run() in tailscaled.go: `if buildfeatures.HasLogTail`),
+// so log.Printf output goes raw to stderr. Nothing parses the [v1]/[v2]
+// verbosity tags Tailscale embeds in log messages, which means every
+// verbose line (filter "Accept: TCP", "netcheck: [v1] report",
+// "wg: [v2]" handshakes/keepalives) is printed regardless of --verbose.
+//
+// This restores the equivalent of logtail's StderrLevel=0 behavior:
+// drop lines carrying a [v1]+ tag, unless TS_LOG_VERBOSITY is set to
+// 1 or higher (runtime escape hatch for debugging — no rebuild needed).
+
+import (
+	"bytes"
+	"log"
+	"os"
+)
+
+var verboseLogTags = [][]byte{[]byte("[v1] "), []byte("[v2] "), []byte("[v3] ")}
+
+type stderrVerbosityFilter struct{ w *os.File }
+
+func (f stderrVerbosityFilter) Write(p []byte) (int, error) {
+	for _, tag := range verboseLogTags {
+		if bytes.Contains(p, tag) {
+			// Claim success so the log package doesn't complain;
+			// the line is intentionally discarded.
+			return len(p), nil
+		}
+	}
+	return f.w.Write(p)
+}
+
+func init() {
+	if v := os.Getenv("TS_LOG_VERBOSITY"); v != "" && v != "0" {
+		return
+	}
+	log.SetOutput(stderrVerbosityFilter{os.Stderr})
+}

renovate.json

@@ -7,6 +7,17 @@
   ],
   "labels": ["dependencies"],
   "rebaseWhen": "behind-base-branch",
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Update version ARGs annotated with a `# renovate:` comment (the dockerfile manager only handles FROM/image lines, not ARG values).",
+      "managerFilePatterns": ["/(^|/)Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)(?:\\s+packageName=(?<packageName>\\S+))?(?:\\s+versioning=(?<versioning>\\S+))?\\s+ARG \\w+=(?<currentValue>\\S+)"
+      ],
+      "matchStringsStrategy": "any"
+    }
+  ],
   "packageRules": [
     {
       "matchManagers": ["dockerfile"],
@@ -16,9 +27,8 @@
     {
       "matchDatasources": ["github-releases"],
       "matchPackageNames": ["tailscale/tailscale"],
-      "description": "TAILSCALE_VERSION ARG: only stable releases. Tailscale uses EVEN minor versions for stable (v1.98.x); ODD minors (v1.99.x) are unstable, so filter to even minors and ignore pre-releases.",
+      "description": "TAILSCALE_VERSION ARG: only stable releases. Tailscale uses EVEN minor versions for stable (v1.98.x); ODD minors (v1.99.x) are unstable, so filter to even minors and ignore pre-releases. The `v` prefix is kept (no extractVersion) so the ARG value stays v-prefixed to match the git tags cloned in the Dockerfile.",
-      "extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$",
+      "allowedVersions": "/^v\\d+\\.\\d*[02468]\\.\\d+$/",
-      "allowedVersions": "/^\\d+\\.\\d*[02468]\\.\\d+$/",
       "ignoreUnstable": true
     },
     {
@@ -30,8 +40,15 @@
     },
     {
       "matchManagers": ["dockerfile"],
-      "matchPackageNames": ["golang", "alpine", "busybox"],
+      "matchPackageNames": ["golang", "alpine"],
-      "description": "Automerge PATCH-only bumps of build components (Go/Alpine/busybox) once the PR build passes; review minor/major manually.",
+      "description": "Automerge PATCH-only bumps of build components (Go/Alpine) once the PR build passes; review minor/major manually.",
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["busybox"],
+      "description": "busybox ARG (custom manager): automerge PATCH bumps once the PR build passes; review minor/major manually.",
       "matchUpdateTypes": ["patch"],
       "automerge": true
     },

routeros/update-tailscale.rsc

@@ -3,8 +3,9 @@
 # =============================================================================
 # Checks the Gitea registry for a new :stable image and, only if the published
 # image actually changed, recreates the container. Designed for RouterOS 7.x
-# (tested target: 7.21.2, arm64). Requires RouterOS >= 7.13 for the :deserialize
+# (tested target: 7.23, arm64). Requires RouterOS >= 7.23 for the container
-# command used to parse the registry token JSON.
+# restart-policy properties (and >= 7.13 for the :deserialize command used to
+# parse the registry token JSON).
 #
 # HOW IT DECIDES "something changed":
 #   It fetches the manifest digest of the :stable tag from the registry and
@@ -59,6 +60,12 @@
 :local cInterface "veth-tailscale"
 :local cLogging   yes
 :local cStartOnBoot yes
+# Restart the container automatically if tailscaled crashes (tailscaled is
+# PID 1; if it dies the container stops). on-failure restarts only on abnormal
+# exit (a manual /container/stop stays stopped); 10s is a gentle backoff.
+# Requires RouterOS >= 7.23.
+:local cRestartPolicy "on-failure"
+:local cRestartInterval "10s"
 # ----------------------------------------------------------------------------
 
 :log info "$scriptName: checking for image updates"
@@ -174,6 +181,8 @@
     mountlists=$cMountList \
     logging=$cLogging \
     start-on-boot=$cStartOnBoot \
+    restart-policy=$cRestartPolicy \
+    restart-interval=$cRestartInterval \
     name=$cName
 } do={
   :log error "$scriptName: container add failed: $e"