Solved Can't start tailscale in jail environment

I have been running security/tailscale in a jail environment for some time without a problem. Recently I seem to have encountered the following problem:

Code:
root@tailscalejail:~ # tailscale up
failed to connect to local tailscaled process (is it running?); got: Failed to connect to local Tailscale daemon for /localapi/v0/status; not running? Error: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory

These are the services running under the same jail:

Code:
root@tailscalejail:~ # service -e
/etc/rc.d/cleanvar
/etc/rc.d/ip6addrctl
/etc/rc.d/netif
/usr/local/etc/rc.d/tailscaled
/etc/rc.d/motd
/etc/rc.d/newsyslog
/etc/rc.d/os-release
/etc/rc.d/virecover
/etc/rc.d/cleartmp
/etc/rc.d/syslogd
/etc/rc.d/cron


Running security/tailscale outside the jail doesn't seem to be a problem. Is anyone running tailscale in a jail environment? Any suggestions on how to fix the above?

This is a vnet jail running under 13.3-RELEASE-p2
 
This worked for me ...

Create the file /etc/devfs.rules ...

Code:
[devfsrules_jail_network=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add include $devfsrules_jail_vnet
add path 'bpf*' unhide
add path 'tun*' unhide

This permits the jail to create tun devices, which is needed for tailscale. The "bpf" line I added to make iftop work. I have not tested whether tailscale would work without that line.

Restart devfs ...

# service devfs restart

Edit the file /etc/jail.conf and add the following line to your jail definition ...

Code:
yourjail {
    . . .
    devfs_ruleset = "20";
    . . .
}

Restart your jail ...

# service jail restart yourjail
 
Thanks. It worked!

I'm using sysutils/bastille to manage all my jails, so I had to tweak your solution a bit. For anyone facing a similar issue, simply create a new rule in the existing /etc/devfs.rules without touching the default bastille rule:

Code:
# Set by bastille
[bastille_vnet=13]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add include $devfsrules_jail_vnet
add path 'bpf*' unhide

# Add new rule to allow tun device for tailscale jail
[bastille_vnet=14]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add include $devfsrules_jail_vnet
add path 'bpf*' unhide
add path 'tun*' unhide

Then add the appropriate rule in /usr/local/etc/bastille/jails/tailscailjail/jail.conf

Code:
devfs_ruleset = 14

Thanks! This helped a lot, as I was stuck.
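
A check for which device nodes a given ruleset number exposes to a jail, useful for confirming that only the tailscale jail gets `tun*` and for spotting rulesets that also expose `bpf*`. This is an added example, not part of any post above; the function names are hypothetical and the sample rules are constructed from the two rulesets quoted in the thread.

```shell
#!/bin/sh
# Added example: report which device patterns a devfs ruleset unhides directly.
# "add include" lines are not expanded; only explicit "add path ... unhide".

# unhidden_paths FILE RULESET_NUMBER -> one pattern per line
unhidden_paths() {
    awk -v want="$2" -v q="'" '
        /^[ \t]*#/ { next }                     # skip comment lines
        /^\[.*=[0-9]+\]/ {                      # [name=number] section header
            num = $0
            sub(/^.*=/, "", num); sub(/\].*$/, "", num)
            active = (num == want)
            next
        }
        active && $1 == "add" && $2 == "path" && $4 == "unhide" {
            gsub(q, "", $3)                     # drop the quotes around the pattern
            print $3
        }
    ' "$1"
}

# ruleset_unhides FILE RULESET_NUMBER PATTERN -> exit 0 if PATTERN is unhidden
ruleset_unhides() {
    unhidden_paths "$1" "$2" | grep -Fqx -- "$3"
}

# Constructed sample mirroring the rulesets quoted in the thread.
sample_rules() {
    cat <<'EOF'
# Set by bastille
[bastille_vnet=13]
add include $devfsrules_jail_vnet
add path 'bpf*' unhide

# Ruleset for the tailscale jail
[bastille_vnet=14]
add include $devfsrules_jail_vnet
add path 'bpf*' unhide
add path 'tun*' unhide
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
RULES=${1:-}
if [ -z "$RULES" ]; then RULES=$(mktemp); sample_rules > "$RULES"; fi
for n in 13 14; do
    printf 'ruleset %s unhides: %s\n' "$n" "$(unhidden_paths "$RULES" "$n" | tr '\n' ' ')"
done
```

Pass the path to /etc/devfs.rules as the first argument to audit the real file; adjust the ruleset numbers in the loop to the ones your jails use.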
 