[HN Gopher] The Tailscale Universal Docker Mod
___________________________________________________________________
The Tailscale Universal Docker Mod
Author : notamy
Score : 127 points
Date : 2023-10-08 16:51 UTC (6 hours ago)
(HTM) web link (tailscale.dev)
(TXT) w3m dump (tailscale.dev)
| tornato7 wrote:
| I wonder if this will fix the issue of appending -n to new
| ephemeral servers that join the network. For example, if you have
| a service wiki-1 and that container/instance gets restarted, it
| then appears on your tailnet as wiki-1 making users unable to
| access it at wiki/
|
| Their official solution is to run a logout command before
| shutting down but that's not always possible.
| upon_drumhead wrote:
| While this is super cool, it's not Universal. It requires usage
| of containers based upon LinuxServer.io containers.
| wutwutwat wrote:
| How does the base image make them not universal?
| upon_drumhead wrote:
| Not every container is based on the LinuxServer.io stack. I
| can't take any arbitrary container and use the docker mod and
| have it work.
|
| I have over 25 containers running on my home server and not a
| single one of them is based on a LinuxServer.io image. This
| "universal" mod would work with 0 of them.
| bigmattystyles wrote:
| Would you list them? I'm always looking for cool new
| containers for my homelab
| upon_drumhead wrote:
| Wireguard + GUI: https://github.com/wg-easy/wg-easy
|
| Managing all those household docs:
| https://docs.paperless-ngx.com
|
| Backups of mail accounts: https://www.offlineimap.org
|
| Cloud storage for phones: http://nextcloud.com
|
| Mirroring podcasts locally:
| https://github.com/akhilrex/podgrab
|
| Managing dynamic service dns via plugins:
| https://coredns.io
|
| My own matrix instance: https://matrix-org.github.io/dendrite/
|
| Backups: https://restic.net
|
| Media Management: https://jellyfin.org
|
| Relay only tor help: https://www.torproject.org
|
| S3 compatible storage:
| https://github.com/seaweedfs/seaweedfs
|
| Git + CI: https://about.gitlab.com
|
| Managing SSL and container proxying: https://traefik.io
|
| Mirror the docker registry locally:
| https://github.com/docker-library/docs/tree/master/registry
|
| Samba support for the windows hosts:
| https://github.com/ServerContainers/samba
|
| HTTP/S Proxy with support for modifying results:
| http://www.privoxy.org
|
| Database: https://www.postgresql.org
|
| Datastore: https://redis.io
|
| and a bunch of support software. Paperless has Tika and
| Gotenberg as deps for example.
| vineyardmike wrote:
| This is really cool, I didn't even know Docker mods existed.
| That's the best kind of cool.
|
| I wonder if the internals will be open sourced? I assume it's a
| pretty "simple" go tcp proxy that listens on the tailnet instead
| of an open port. I had been thinking about writing one for our
| services at work, so maybe we can use this, but I'd prefer to
| build the binary directly into our containers.
| figmert wrote:
| Docker doesn't do mods. As the article says, this is possible
| due to s6 and s6-overlay, which is included with linuxserver.io
| docker images, combined with a set of setup scripts that set it
| all up. This does prevent your containers from being immutable.
|
| All the code for LSIO images is available on their GitHub.
| asmor wrote:
| It's likely just `tailscale serve https / <upstream>`.
|
| https://github.com/tailscale/tailscale/blob/main/ipn/serve.g...
|
| And they also support direct embedding:
|
| https://tailscale.dev/blog/embedded-funnel
|
| I think this is built on the wireguard-go + gvisor mashup, that
| allows you to do this with just Wireguard:
|
| https://github.com/WireGuard/wireguard-go/tree/master/tun/ne...
|
| One of my favorite applications of this is this little tool
| that turns Wireguard VPNs into SOCKS5 proxies (which you can
| selectively enable in your browser)
|
| https://github.com/octeep/wireproxy
| debarshri wrote:
| This is really cool. Networking in general is full of quirks
| and what people think is full of "magic".
|
| Full disclosure, I am founder of Adaptive [1]. We use a
| similar technique to the one with VPN exposed as SOCKS5 proxy
| but for accessing internal infrastructure resources.
|
| [1] https://adaptive.live/
| gonzo wrote:
| Article is six months old
| AgentK20 wrote:
| And yet some of us are just finding out about this feature now.
| crypt1d wrote:
| I am really impressed by what the tailscale folks have been
| building. I use their product suite regularly and have nothing
| but good things to say about it. I will be tinkering with this
| mod as well starting next week ;)
|
| keep it up guys!
| FloatArtifact wrote:
| All we need now is something for kubernetes
| conradludgate wrote:
| https://tailscale.com/kb/1236/kubernetes-operator
|
| It's actually even easier to use. Add `tailscale.com/expose:
| "true"` to a kubernetes service annotations and it will be
| added to the tailnet automatically
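Added example, not from the comment above or from Tailscale's own docs: a Kubernetes Service carrying the annotation conradludgate mentions, so the operator (linked above) registers it on the tailnet. The namespace, Service name, selector and ports are assumed values chosen for illustration.

```yaml
# Added example (not from the original comment): a Service exposed to the
# tailnet via the Tailscale Kubernetes operator. Namespace, name, selector
# and port numbers are assumed values for illustration.
apiVersion: v1
kind: Service
metadata:
  name: wiki
  namespace: apps
  annotations:
    # the operator watches for this annotation (it goes under annotations,
    # not labels) and registers the Service as a node on the tailnet
    tailscale.com/expose: "true"
spec:
  selector:
    app: wiki
  ports:
    - name: http
      port: 80
      targetPort: 8080
  # type stays ClusterIP: nothing is published on a NodePort or a cloud
  # load balancer, so the only route in from outside the cluster is the
  # tailnet node the operator creates, and tailnet ACLs decide who may reach it
```

Who can actually connect is then governed by the tailnet's ACL policy rather than by anything in the cluster, which is worth checking before treating the Service as "internal".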
| skippyboxedhero wrote:
| I have never been sure what the security implications are but I
| just set ports to the tailscale address, and everything is
| accessible.
|
| So if the local tailscale address is 1.2.3.4, I do:
|
| ports:
|   - 1.2.3.4:8080:8080
|
| This doesn't actually add applications to the tailnet as in the
| OP, but it works.
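Added example, not from the comment above: the same port binding written as a docker-compose service, with the weak form beside the address-bound form, since the security implication the commenter is unsure about is exactly the difference between the two. The image name and the tailnet address 100.64.0.5 are constructed placeholders (Tailscale hands out addresses from the 100.64.0.0/10 range; substitute the host's real one).

```yaml
# Added example (not from the original comment). Publishes a container port
# on the host's Tailscale address only. "ghcr.io/example/wiki" and
# 100.64.0.5 are constructed placeholders, not values from the thread.
services:
  wiki:
    image: ghcr.io/example/wiki:latest
    ports:
      # weak: a bare "8080:8080" means 0.0.0.0:8080, i.e. listening on every
      # host interface, and Docker's own iptables rules bypass host firewalls
      # such as ufw, so this is reachable from the LAN / internet as well
      # - "8080:8080"

      # address-bound: only traffic arriving on the tailscale0 interface can
      # reach the port, so clients must already be on the tailnet
      - "100.64.0.5:8080:8080"
    restart: unless-stopped
```

One caveat a practitioner should expect: the bind only succeeds if the Tailscale address is already present on the host when the container starts, so on boot the container must start after tailscaled has brought tailscale0 up (or be left to restart until it does).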
| johng wrote:
| This is really cool.
| asmor wrote:
| I would disagree that containers aren't supposed to run more than
| one process. It's just discouraged because a lot of people aren't
| well versed in the pitfalls of being PID 1. Fedora's toolbox is a
| great counter-example, as is systemd now being able to boot up as
| your PID 1 in some container distros without much modification.
| Sayrus wrote:
| To be fair, even for running a single process the pitfalls are
| real. I've been seeing Tini[1] a lot for these situations.
|
| I just read in the README that Tini is included by Docker since
| 1.13 if using --init flag.
|
| [1] https://github.com/krallin/tini
| eclipsetheworld wrote:
| I just love that this blog post includes an AI-generated image
| with the caption of course being the name of the model and the
| given prompt.
| MrPowerGamerBR wrote:
| For those who want to run Tailscale on their Docker containers,
| but don't want to switch to images based off linuxserver.io, you
| can still run Tailscale as a sidecar container, and use
| "network_mode: service:tailscale"
|
| I do that for my containers and it is incredibly useful for cross-
| container communication, especially for containers that are
| hosted in different dedicated servers.
|
| https://mrpowergamerbr.com/us/blog/2023-03-20-untangling-you...
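Added example, not from the comment above or from the linked blog post: the sidecar pattern written out as a docker-compose file, with the application joining the Tailscale container's network namespace via network_mode: service:tailscale. The service names, the hostname "wiki", the image name, the state-directory path and the choice of kernel (TUN) mode are assumptions; the TS_AUTHKEY, TS_STATE_DIR, TS_HOSTNAME and TS_USERSPACE environment variables are ones the official tailscale/tailscale image reads.

```yaml
# Added example (not from the original comment or the linked post). The
# tailscale service owns the network namespace; the wiki service is attached
# to it and is therefore reachable only as a node on the tailnet.
# Service/image names, hostname and the state path are assumed values.
services:
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      # pre-auth key supplied from the host environment, never written into
      # the compose file; rotate it like any other credential
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_HOSTNAME=wiki               # name the node will have on the tailnet
      # persist the node identity: a restart then re-uses the same node
      # instead of registering a fresh one (the "wiki-1" problem raised above)
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false             # kernel WireGuard via /dev/net/tun (assumption)
    volumes:
      - ./tailscale-state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN                      # needed to create the tun interface and routes
    restart: unless-stopped

  wiki:
    image: ghcr.io/example/wiki:latest # placeholder image
    init: true                         # tini as PID 1 (the --init flag mentioned earlier in the thread)
    network_mode: service:tailscale    # share the sidecar's network namespace
    depends_on:
      - tailscale
    # deliberately no "ports:" here: compose rejects port publishing together
    # with network_mode: service:, and the app should only be reached via the
    # tailnet node (and the tailnet ACLs), not via a host port
    restart: unless-stopped
```

Because the two containers share one namespace, the application simply listens on its usual port and appears at wiki:<port> on the tailnet; for container-to-container traffic across servers, each side runs its own sidecar and addresses the other by its tailnet hostname.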
| rcarmo wrote:
| This seems a lot cleaner than injecting new binaries into
| existing images or depending on linuxserver.io images.
___________________________________________________________________
(page generated 2023-10-08 23:00 UTC)