Can't Ping Tailscale Machines From Docker #7382
Comments
Because /dev/net/tun is available:
There isn't a reason to use Cases where
Adding |
I just tried this out. I'm still getting the same behavior. Here is my docker-compose now:

```yaml
tailscale:
  image: tailscale/tailscale
  container_name: tailscale
  restart: always
  privileged: true
  command: /bin/sh -c "tailscaled"
  cap_add:
    - NET_ADMIN
    - SYS_ADMIN
    - NET_RAW
  environment:
    - TS_AUTHKEY=${TAILSCALE_AUTH_KEY}
    - TS_ROUTES=192.168.50.0/24
  volumes:
    - /etc/docker/tailscale:/var/lib/tailscale
    - /dev/net/tun:/dev/net/tun
```

When running tailscale up, I get this warning:
My /etc/sysctl.d/99-tailscale.conf contains only two lines:
My /etc/sysctl.conf is much larger but does have the following lines uncommented:
ufw appears to be inactive:
firewalld is not installed:
I notice that this change no longer shows routes when executing
I can see in tailscale admin portal that my linux host is up and running 1.36.2 and my android connection is also up running 1.36.1. I also see the accepted subnet routes ephemeral flag and expiry disabled. |
At this point a bugreport would be best, so we can look at the configuration of the tailnet and what it reports. Immediately after |
Ok, here are the bugreports. Docker container: BUG-5904a47322fd35a5404973b6f033d4f6f17d5e7ec072d3bd52d717ea7ca7657a-20230227181435Z-9d7d6058e8349c44
Android device: BUG-f349d36777b462ac621e2d53952e7b73df791b27f0d1fb831a8787501d19a3bd-20230227181604Z-07a087fb0dc032c1
|
@NathanMagnus something appears to be wrong in the routing table, there are no ACL evaluations about ICMP around the time of the bugreport. Even if the ping fails, the packet should trigger ACL evaluations when it tries to egress the node. It is like the ping is being sent to a different network interface. @nunofgs your issue is different. Near the BUG line:
I'd suggest setting TS_USERSPACE=false and seeing if it complains about what is wrong when it starts up. |
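A pre-flight check script for the container, added here as an example (not code from the issue or from Tailscale): it verifies the items this thread keeps circling back to, the tun device, the forwarding sysctls, the POSTROUTING MASQUERADE rule, and whether a peer's tailnet address actually routes out tailscale0 rather than another interface, which is the symptom described above. The route and sysctl text it is tested against below is constructed sample output.

```sh
#!/bin/sh
# Added example, not from the issue thread. The checks are pure functions over
# command output so they can be exercised offline with constructed text;
# run_live_checks wires them to the real commands inside the container.

# Print the egress device named in `ip route get <addr>` output.
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if the route reply goes out the Tailscale tunnel interface.
# Any other device (eth0, docker0) means the packet never reaches tailscaled.
check_tailnet_route() {
  [ "$(route_dev "$1")" = "tailscale0" ]
}

# Succeed if KEY is set to 1 in "key = value" text (sysctl or sysctl.conf style).
sysctl_enabled() {
  printf '%s\n' "$2" | tr -d ' \t' | grep -Fx "$1=1" >/dev/null
}

# Succeed if iptables-save output contains a POSTROUTING MASQUERADE rule.
nat_masquerade_present() {
  printf '%s\n' "$1" | grep -F -- '-A POSTROUTING' | grep -F -- '-j MASQUERADE' >/dev/null
}

# Live checks; the argument is a peer's tailnet address (100.x.y.z).
run_live_checks() {
  peer=$1
  [ -c /dev/net/tun ] && echo "ok: /dev/net/tun" || echo "FAIL: /dev/net/tun missing"
  for k in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    sysctl_enabled "$k" "$(sysctl "$k" 2>/dev/null)" && echo "ok: $k=1" || echo "FAIL: $k is not 1"
  done
  nat_masquerade_present "$(iptables-save -t nat 2>/dev/null)" \
    && echo "ok: MASQUERADE rule present" || echo "FAIL: no POSTROUTING MASQUERADE rule"
  r=$(ip route get "$peer" 2>/dev/null)
  check_tailnet_route "$r" && echo "ok: $peer egresses via tailscale0" \
    || echo "FAIL: $peer egresses via '$(route_dev "$r")'; no tailscale0 usually means userspace mode (TS_USERSPACE)"
}

if [ -n "${1:-}" ]; then run_live_checks "$1"; fi
```

Run it inside the container as `sh check.sh 100.x.y.z` with a real peer address; each FAIL line points at one of the settings discussed in this thread.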
@DentonGentry That is strange. Pinging google works as expected both within and outside of the container. Here is another bugreport generated from this line: BUG-5904a47322fd35a5404973b6f033d4f6f17d5e7ec072d3bd52d717ea7ca7657a-20230306154717Z-8d9b8cab24221578 I'm not really sure what other debugging steps I can take here. A brief history, I have been running everything containerized for quite some time. However I recently needed to update because the ubuntu machine was running tailscale 1.9.0 and my android client could no longer connect to it successfully. Since then, nothing has been working. |
After some experimenting including the recommendations above, I have gotten to the point where pinging from the tailscale container provides the following in logs:
My current docker-compose is:

```yaml
tailscale:
  image: tailscale/tailscale
  container_name: tailscale
  restart: always
  privileged: true
  command: /var/lib/tailscale/startup.sh
  cap_add:
    - NET_ADMIN
    - SYS_ADMIN
    - NET_RAW
  environment:
    - TS_USERSPACE=false
    - TS_AUTHKEY=${TAILSCALE_AUTH_KEY}
    - TS_ROUTES=[local subnet]/24
    - TS_EXTRA_ARGS=--accept-routes
    - TS_SOCKET=/var/run/tailscale/tailscaled.sock
  volumes:
    - /etc/docker/tailscale:/var/lib/tailscale
    - /dev/net/tun:/dev/net/tun
```

and startup.sh:

```sh
#!/bin/sh
echo "Executing Startup Script"
sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -A POSTROUTING -j MASQUERADE
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
echo "starting tailscaled"
tailscaled --statedir=/tmp &
echo "sleeping"
sleep 10s
echo "starting tailscale"
tailscale up --reset --auth-key=[auth key] --accept-routes --advertise-routes=[local subnet]/24
wait $!
```

Here is a new |
We do now see ICMP ACL evaluations:
The 100.112.x.y node no longer exists, no way to check what it was reporting at the time. |
Sorry for the slow response. Last month was very busy. I am now testing on two Ubuntu machines. Both machines are using the same docker-compose (with different env variables for auth key and different TS_ROUTES):
Startup.sh:

```sh
#!/bin/sh
echo "Executing Startup Script"
sleep 10s
#wget -O - https://tailscale.com/install.sh | /bin/sh
echo "adding routing stuff"
sysctl -w net.ipv4.conf.all.route_localnet=1
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
cat /etc/sysctl.conf
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
echo "starting tailscaled"
tailscaled --statedir=/tmp &
echo "sleeping"
sleep 10s
echo "starting tailscale"
tailscale up --reset --auth-key=tskey-auth-AUTHKEY --accept-routes --advertise-routes=192.168.XX.XX/24 --advertise-tags=tag:MachineAorB --hostname=MachineAorB
wait $!
```

Command from Machine A:

```sh
echo "Tailscale ping name through container"; \
sudo docker exec tailscale tailscale ping -c 2 MachineB; \
echo "Ping ip no container"; \
sudo ping -c 2 100.126.BB.BB; \
echo "Ping name through container"; \
sudo docker exec tailscale ping -c 2 MachineB; \
echo "Ping ip through container"; \
sudo docker exec tailscale ping -c 2 100.126.BB.BB; \
echo "Tailscale bug report"; \
sudo docker exec tailscale tailscale bugreport
```

BUG-5904a47322fd35a5404973b6f033d4f6f17d5e7ec072d3bd52d717ea7ca7657a-20230429182437Z-77bafedeafab704e

Command from Machine B:

```sh
echo "Tailscale ping name through container"; \
sudo docker exec tailscale tailscale ping -c 2 MachineA; \
echo "Ping ip no container"; \
sudo ping -c 2 100.94.AA.AA; \
echo "Ping name through container"; \
sudo docker exec tailscale ping -c 2 MachineA; \
echo "Ping ip through container"; \
sudo docker exec tailscale ping -c 2 100.94.AA.AA; \
echo "Tailscale bug report"; \
sudo docker exec tailscale tailscale bugreport
```

BUG-3d03e3f9b6a7d6f112c400de694198fe23a5066de76a68f23389454f911d6f61-20230429182445Z-12bc2d7af7bec190

I'll try to leave these containers running for as long as I can. |
Around the time of BUG-5904a47322fd35a5404973b6f033d4f6f17d5e7ec072d3bd52d717ea7ca7657a-20230429182437Z-77bafedeafab704e:
Around the time of BUG-3d03e3f9b6a7d6f112c400de694198fe23a5066de76a68f23389454f911d6f61-20230429182445Z-12bc2d7af7bec190
So they are just saying that Disco Ping didn't respond. |
@DentonGentry I'm not quite sure what that means for me. What do I need to look into in my end? |
I am also experiencing the same problem. Inside the docker exec shell, I can ping through both the TS virtual IP and the advertised subnet IP. However, on the host Debian machine, I couldn't ping either of them. Here is my docker-compose file below.
|
The Debian host machine has Tailscale installed? |
Same issue here, I can't ping from the container to my other devices in the network... this is my startup script:
#!/bin/sh
|
My issue has gone away since I originally filed this bug. Only action I took was to use a newer version. |
What is the issue?
I have Tailscale running on an Android phone and as a docker container on Ubuntu 22.04.2. I am trying to set tailscale up in subnet routing mode from the Ubuntu machine, but this is not working. I also cannot ping any of the other machines on the tailnet.
Steps to reproduce
I am using the Android app on the android phone.
On my Ubuntu machine, I am using this docker-compose file:
After the docker container is up, I am running:

```sh
sudo docker exec tailscale tailscale up --auth-key=tskey-auth-AUTHKEY --advertise-routes=192.168.50.0/24 --hostname=hostName --accept-routes
```
After this point, running
But a regular ping times out:
Additionally
Are there any recent changes that introduced the issue?
No response
OS
Linux, Android
OS version
Ubuntu 22.04.2
Tailscale version
No response
Other software
No response
Bug report
Docker container: BUG-5904a47322fd35a5404973b6f033d4f6f17d5e7ec072d3bd52d717ea7ca7657a-20230227181435Z-9d7d6058e8349c44
Android device: BUG-f349d36777b462ac621e2d53952e7b73df791b27f0d1fb831a8787501d19a3bd-20230227181604Z-07a087fb0dc032c1