chore(deps): update renovate/renovate docker tag to v43.207.4

.woodpecker/renovate.yaml

@@ -46,7 +46,7 @@ steps:
       - bao kv get -mount secret -field GITHUB_COM_TOKEN renovate > /woodpecker/github_com_token
   - name: renovate
     # Renovate's built-in "woodpecker" manager tracks this image automatically.
-    image: renovate/renovate:43.205.3
+    image: renovate/renovate:43.207.4
     environment:
       # --- platform / target ---
       RENOVATE_PLATFORM: gitea

Dockerfile

@@ -69,12 +69,6 @@ WORKDIR /src/tailscale
 #                         trusted unix socket, so PermitRead/PermitWrite are
 #                         always false and EVERY CLI call (status, up, set, ...)
 #                         returns "access denied" (tailscale/tailscale#17873).
-#   ipnbus              — IPN bus watch. Without it, 'tailscale up' cannot wait
-#                         for completion: it fires config at the daemon and
-#                         returns immediately ("built with ts_omit_ipnbus; not
-#                         waiting for completion") WITHOUT printing the auth URL
-#                         or confirming success. Including it makes interactive
-#                         'up' behave normally (blocks, prints login URL).
 #
 # Everything else remains omitted, including (rationale):
 #   clientupdate  — DELIBERATELY removed. The built-in updater would download
@@ -117,7 +111,6 @@ RUN mkdir -p /out && \
           -e 's/ts_omit_health,\{0,1\}//g' \
           -e 's/ts_omit_iptables,\{0,1\}//g' \
           -e 's/ts_omit_unixsocketidentity,\{0,1\}//g' \
-          -e 's/ts_omit_ipnbus,\{0,1\}//g' \
           -e 's/,$//' \
     ) && \
     echo "Build tags: ${TAGS}" && \
@@ -157,24 +150,6 @@ RUN mkdir -p /out/usrlocalbin && \
     ln -s /usr/local/bin/tailscale.combined /out/usrlocalbin/tailscale && \
     ln -s /usr/local/bin/tailscale.combined /out/usrlocalbin/tailscaled
 
-# Entrypoint wrapper: enable IP forwarding inside the container's network
-# namespace, then exec tailscaled. tailscaled does NOT reliably enable IPv6
-# forwarding itself in a container netns ("IPv6 forwarding is disabled" warning),
-# which silently breaks advertised IPv6 subnet routes. The sysctls ARE writable
-# from inside a RouterOS container, so we set both here. Written in the builder
-# stage so it ships in the same single /usr/local/bin COPY layer (preserves the
-# overlayfs single-copy property). `exec` keeps tailscaled as PID 1.
-RUN printf '%s\n' \
-      '#!/bin/sh' \
-      '# Enable IPv4/IPv6 forwarding. Required for advertised subnet routes and' \
-      '# exit-node functionality.' \
-      'for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do' \
-      '  if [ -w "$f" ]; then echo 1 > "$f" 2>/dev/null || echo "warn: could not write $f"; fi' \
-      'done' \
-      'exec /usr/local/bin/tailscaled "$@"' \
-      > /out/usrlocalbin/entrypoint.sh && \
-    chmod +x /out/usrlocalbin/entrypoint.sh
-
 # =============================================================================
 # Stage 2: Custom minimal busybox
 # =============================================================================
@@ -292,9 +267,7 @@ ENV PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 # -----------------------------------------------------------------------------
 VOLUME ["/var/lib/tailscale"]
 
-# entrypoint.sh enables IP forwarding (incl. IPv6) in the container netns, then
+ENTRYPOINT ["/usr/local/bin/tailscaled"]
-# exec's tailscaled with the CMD flags below as its arguments.
-ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 
 # Default flags:
 #   --no-logs-no-support  disables logtail uploads (logtail binary code is

docs/DESIGN.md

@@ -70,21 +70,8 @@ in a future release stays omitted until deliberately added to the Dockerfile.
   saves a real ~195 kB of flash (424 kB → 229 kB), not just transfer size.
 
 The final image is built `FROM scratch` — there is no base distro layer.
-It contains only the busybox binary + applet symlinks, the CA bundle, the
+It contains only the busybox binary + applet symlinks, the CA bundle, and
-Tailscale binary, and a tiny `entrypoint.sh`.
+the Tailscale binary.
-
-### Entrypoint: IP forwarding
-
-`ENTRYPOINT` is a small `entrypoint.sh` that enables IPv4 and IPv6 forwarding
-(`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding`) in the container's
-network namespace, then `exec`s `tailscaled` (so the daemon stays PID 1). This
-is necessary because `tailscaled` does **not** reliably enable IPv6 forwarding
-itself inside a container netns — it logs "IPv6 forwarding is disabled" and
-advertised IPv6 subnet routes silently fail. The sysctls are writable from
-inside a RouterOS container, so the entrypoint sets them directly; no
-host-side or `/container` configuration is required. The script is created in
-the builder stage so it ships in the same single `/usr/local/bin` `COPY` layer
-(preserving the [single-copy property](#avoiding-overlayfs-layer-duplication)).
 
 ### Avoiding overlayfs layer duplication
 
@@ -156,7 +143,6 @@ that's a separate build, not just a `--platform` change.
 | iptables | Linux iptables support for routing rules |
 | osrouter | Configure kernel network stack and routing tables |
 | unixsocketidentity | **Required** — without it the localapi denies every CLI call with "access denied" ([tailscale#17873](https://github.com/tailscale/tailscale/issues/17873)) |
-| ipnbus | Lets `tailscale up` wait for completion and print the login URL; without it `up` returns immediately without confirming success |
 
 ## Features intentionally omitted
 

docs/USAGE.md

@@ -95,8 +95,7 @@ The daemon is now running but **not yet authenticated**.
 
 ### 5. Authenticate
 
-> This image runs `tailscaled` via a tiny entrypoint (which enables IP
+> This image runs `tailscaled` directly and does **not** bundle Tailscale's
-forwarding, then `exec`s the daemon) and does **not** bundle Tailscale's
 `containerboot` wrapper, so the `TS_AUTHKEY` environment variable is **not**
 read automatically. You authenticate with `tailscale up --authkey=...` after the
 container starts.