Running Tailscaled using Docker (compose) on an Ubuntu server. Have the --ssh setting. When attempting to SSH to this machine, SSH connects to the docker container itself and not the host machine. I'm guessing somebody has figured this out or maybe it's not possible.
It did not go well. I successfully added Tailscale to a Checkmk container but was not happy that Tailscale stored state in ${PWD}/... so I edited the file to change that to /var/lib/... and restarted the container. It did not come up. I stopped it, moved ${PWD}/... to /var/lib. Still not coming up, and the logs indicated an expired key. I generated a new key but was unable to stop the container. I had run docker compose interactively and it just hung. I restarted the docker service but it did not come back up. I rebooted the host (my local file server running Debian bookworm) and the docker service still did not come up. Systemd logs indicate restarting too fast, and also list a segment violation. 😥 Now I'm trying to debug a dockerd killer. :-/ Not good at this point.
Got docker back up by manually editing the container config files to restart:none and manually starting one at a time, starting with checkmk+tailscale. After much fiddling, got it to run with the desired hostname. Other tailnet hosts cannot reach it, but host names inside the container are not resolved, actually a step back from where I started. 😕
I have an Unraid server and want to use Tailscale on 2 different accounts. How do I do this with a docker compose setup or on my Unraid server? I tried what GPT-4 suggested; it did not work. I mean, it kinda worked, but on every reboot of my Unraid server it got me a new machine name.
I'm having a heck of a time trying to get the serve and funnel configuration (/config/mealie.json in this example) to work in a Portainer stack. Apparently relative directories don't work in docker-compose within Portainer and even configuring another Dockerfile to copy the file from the image to the container doesn't want to work. Does anybody know a way around this or at least understand what I'm talking about? 😅
Does the /config directory exist, and does it have the correct ownership? I never use Portainer to spin up my containers, however I use it to view logs and other things.
@danr2513 I ended up getting it to work by creating an external volume and putting the file there manually. There must be a better, more automated way, but this did the trick for now!
I see this as an awesome tool to run game servers, now if I can only figure it out... I can't get past the point of getting the test nginx web page to pull. I have to keep learning I suppose. Thanks
@Tailscale This is epic, I now have it configured for Pterodactyl and tested Minecraft, which was always difficult for me to host due to the TCP requirement (and my CGNAT). I did have to enable subnet routing but once I did that all was good! Best bit of homelab hobbyist software there is!
I don’t understand the Compose yaml at @6:45. If you don’t define it, TS_USERSPACE will default to true, and not need the /dev/net/tun and net_admin/sys_module capabilities. So either remove those lines and run in userspace, or leave them in and also add TS_USERSPACE=false. The combination as shown seems self-contradictory.
Thanks for pointing this out! You are quite right and we have updated the linked code samples accordingly!
The presenter is a gifted communicator and teacher. Incredibly clear, thanks!
True. Just the right amount of geek-speak, no ums and ahs. I so wish I could do that...
Came to learn about tailscale and ended up finding the best 7 mins on docker networking I've seen. 10/10.
Tailscale has genuinely changed the way my business works. Thanks so much for sharing so many useful ways to innovate and break the traditional and insecure ways of connecting things.
Let's run the whole Internet through one private company. What could possibly go wrong?! Sorry I mean two companies.. tailscale and cloudflare.
@urzaaaaa Is there any similar alternative? Possibly open source?
I wish projects like Netbird were more user friendly/documented for people who are new to networking. I'm reluctantly using Tailscale right now because it "just works" for people who don't have all of the expertise needed to run more open wireguard mesh solutions.
@urzaaaaa That's pretty melodramatic lol
@urzaaaaa Use headscale then if that's your concern.
I met Alex at DevOps Days Chicago and he’s been blowing my mind since. Thanks Alex!
I can't tell you how much I've been waiting for this video! You mentioned it recently in one of the podcasts and as I'm still not quite getting to grips with Docker and Tailscale I've been eagerly awaiting it. 😅
I set up my SearXNG container with Tailscale by following your video. For an added bit of anonymity I set it to use a VPS as an exit node by adding --exit-node=*.*.*.* to the TS_EXTRA_ARGS= section in the compose file. Thanks for making these great videos.
Brilliant stuff. The command line is scary, and docker just seems a headache, but I'm sure I could learn it if I tried. With tailscale, I've set up an old laptop with an external HDD, then use it as a personal cloud storage when I'm away from the house and have access to several TB if I want my files anywhere. Then I've also set up jellyfin with tailscale for a media server for family on a refurbished office PC for £60 off ebay - so it's a family netflix. This is a very powerful tool, and the more you can simplify it and offer alternatives to the command line and messy config files (because this stuff is just not intuitive), the more value it has for me personally.
In any case, thanks for simplifying this stuff. Much appreciated
Thanks, Tailscale, for your outstanding efforts! Your dedication to providing high-quality content is truly appreciated. Keep up the great work!
Great tutorial, love the way you explain things!
Glad it was helpful!
Fantastic video series Alex! Short, to the point and easily understandable information. Keep it up!
Future video suggestion: deep dive into ACLs and OPNsense interface firewall correlation? Having a hard time getting only the right nodes to access my admin stuff on LAN.
Alex you glorious bastid!
What a lovely comment. Thanks! 😊
Amazing content! Thank you for the time and effort you and the rest of the Tailscale team put into this.
I've been looking for a suitable self-hosting start point and this tutorial has answered a heap of "where do i begin?" questions. Thanks !
just getting started with Tailscale and Docker, thanks for the great intro! Long live self hosting! 🔥
Your explanation skills are outstanding!
I wish this video had existed years ago...Covers everything I wanted!
Just wanted to follow up: I combined this (up to the tailscale serve section) to link up an internal NAS inside my house with a server in my office (different network), and then, using a VPS with a static IP running Docker and a Tailscale sidecar, created a reverse proxy using nginx; because it is natively connected to the office server, it can reverse proxy back to it. So neat for exposing internal services externally in a controlled way - got to love TS for simplifying it all!
Completely off topic here - I had no idea about sudo !! => You are a goldmine Alex!
Same here 🎉
Thanks Alex. I was looking for a way to connect all my Docker containers to Tailscale (some of my devices were already connected). Before I worked with macvlan, but now I will try out this solution.
Without tailscale you access the containers using the deviceIP:port. Is there a way to still do this while also using tailscale? E.g. if I'm on the local network. Accessing the containers is a lot slower on my Raspberry Pi 5 via tailscale vs when I access them directly. I want to only use tailscale when I am outside of the house. Cheers
Thanks, Alex! You're a teacher from God :) You saved sooo much time for me. Huge thanks!
Great tutorial! A tutorial with Tailscale running on Proxmox would be nice.
Hello! Could you do a deep dive into how ACLs work for beginners please? I know there is a really in depth article y'all have but I do much better learning when I can see it be done. Thank you!
Video on ACLs would be great!
ARE YOU KIDDING ME?
I came to this because it might solve a problem I've been having with accessing multiple docker container services from within my home network (AND my [possibly remote] laptop), and I'm sure it will.
But the thing that blew me away was "nsenter" (around 21 minutes in). I can't count the number of times I've physically added networking tools to a container so that I could diagnose network problems. I never knew there was a way to do it from the Linux host itself!
This section was a lot of fun to put together!
In the video and in the blog post, you don't say that you have to allow the node to have the "funnel" option. But you have it in the ACL provided. Great work BTW
A good follow up video would be a nice, detailed work up of the ACL settings.
Tailscale is seriously cool. SDNs are so neat; Tailscale isn't necessarily one, but it's in that realm.
Great instructional vid!!! Question: How would you set up a docker-compose.yml when you have an app and a db in the same docker-compose.yml? Could you provide a few examples please with more than one app where the app depends on the db...
I use Tailscale and Nomad, both running on Raspberry Pi 4B based edge devices distributed around the world, to collect data on the carbon footprint of the production process in different places, with centralized collection, processing, analysis and presentation.
This is awesome! Thank you! But now I have another problem: My containers can't reach the www, but I need my containers to have access to the www while they're still only reachable via tailscale from outside. How can I do this now?
If I have a service that uses 'networks: - networkname' to connect to other services in the same compose file, I can't use network_mode to connect it to the tailscale image since network_mode can't be used when networks is being used. Is it possible to add tailscale also to the same network to have the service available on my tailscale network?
Good point. I don't understand why docker uses incompatible 'networks' and 'network_mode' options, but I can't see why you can't just make all of your services use the tailscale network.
@DerekBroughton I have the same question as above. My consideration is that this way ports of certain applications would be exposed to the outside through the tailscale sidecar that would otherwise not be exposed. Like for example a MySQL server that should only be exposed for applications inside the stack, but now would get exposed to everybody through tailscale.
Hello, got a small question, could it be possible to serve bitwarden over tailscale docker? I am not sure if we can use this approach to expose different services over different Tailscale nodes?
Maybe it's just me, but I can't find the ACL json file that you mentioned would be available in the links provided? The tagging option wasn't immediately enabled for me because that section of the Access Controls wasn't yet configured or uncommented. But fortunately there was a helpful link to the ACLs, right next to the greyed out tag button, which made that super intuitive. 👍
Great video, one question though: does this process have to be done for every compose yml I create?
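The two concerns raised in this thread and in the earlier TS_USERSPACE comment (run the sidecar consistently in either userspace or kernel mode, and do not let the sidecar expose a database that should stay internal) can be handled in one compose file. The following is an added example written for this page, not the video's or Tailscale's own sample; the image names, the app port, the `backend` network, the volume names and the `DB_HOST` variable are placeholders, and it assumes an auth key supplied through the `TS_AUTHKEY` environment variable.

```yaml
# Added example (not from the video or Tailscale's published samples).
# Assumptions: the tailscale/tailscale image, an auth key in TS_AUTHKEY,
# and an app image that listens on 8080 and reads its database host from
# DB_HOST. Image names, ports, network and volume names are placeholders.
services:
  ts-app:
    image: tailscale/tailscale:latest
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_HOSTNAME=app
      - TS_STATE_DIR=/var/lib/tailscale
      # Userspace mode is the image default; stating it explicitly avoids the
      # contradiction of userspace networking plus kernel capabilities.
      - TS_USERSPACE=true
    # Kernel-mode alternative (higher throughput, more privilege): set
    #   - TS_USERSPACE=false
    # and add
    #   cap_add: [NET_ADMIN, SYS_MODULE]
    #   devices: ["/dev/net/tun:/dev/net/tun"]
    # Use one mode or the other, never userspace mode plus the capabilities.
    volumes:
      - ts-app-state:/var/lib/tailscale
    networks:
      - backend   # the sidecar, not the app, joins the bridge network
    restart: unless-stopped

  app:
    image: example/app:latest        # placeholder
    network_mode: service:ts-app     # app shares ts-app's network namespace
    environment:
      - DB_HOST=db   # resolved over the 'backend' network of the shared namespace
    depends_on:
      - ts-app
      - db

  db:
    image: mysql:8
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
    networks:
      - backend   # own namespace: 3306 is reachable on the bridge, not on the tailnet
    volumes:
      - db-data:/var/lib/mysql

networks:
  backend:

volumes:
  ts-app-state:
  db-data:
```

Only `app` shares the sidecar's network namespace, so the node's tailnet address serves the app's port and nothing else; `db` listens in its own namespace and is reachable only over the `backend` bridge, which is what the MySQL concern above asks for. In userspace mode the app can accept tailnet connections but cannot initiate connections to other tailnet nodes without the SOCKS5/HTTP proxy tailscaled offers; if that or higher throughput is needed, switch to the kernel-mode settings in the comments rather than stacking the capabilities on top of userspace mode.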
I Love Tailscale ❤.
Thx. It will be super helpful if you could do a similar topic on docker swarm as well
If you've already got nginx proxy manager up and running and lots of containers on the same Docker virtual network, can you just add Tailnet to the NPM container and then grant LAN access to enable access to the other containers in the same Docker network?
You did a great job explaining it Alex, but honestly, it makes me want to pull out my hair almost as much as setting up a reverse proxy with TLS does. However, because I'm now on CGNAT all that NGINX work is out of the window and this looks like a feasible replacement. It would be great to get more videos diving into more details.
Let's try and keep your hair intact. What details would you like us to go over?
@Tailscale too late I'm afraid. However, after working through the blog post I managed to expose the container to the tailnet and to the www. That feature is incredible honestly. Would be great to see more instruction for example on how to apply funnel to a Windows based game server if I only want to expose access to the streaming application but not to the entire machine. Also, I can imagine why you are limiting the possible tailnet URLs to a few autogenerated ones, but it would be great to be able to name one myself ;)
Great video! 🙂
Is there any how-to on configuring an exit node with public static IPv4/IPv6 addresses as a Funnel replacement with custom domains including TLS certificates?
I cannot get serve to work. I have mounted the config directory but the command tailscale serve status states No serve config. The json file is in the config directory. What can be wrong?
Hey there, can you lend me a hand? I'm trying to figure out where I'm going wrong. I'm attempting to set up authkeys with a VSCode container from LinuxServer. Also, I need to get a Cloudflare reverse proxy going and expose port 8443.
How do I set all this up with the end goal of getting the Tailscale VSCode addon working and exposed on Cloudflare?
Great Video - as always.
I am currently struggling with getting direct access to my tailscale clients - single NAT on one side (home router with a valid, public IPv4 address).
However all connections to this container are routed via DERP.
This is annoying especially when doing high bandwidth tasks.
Can you maybe give a tutorial on how to get direct connections and how to optimize routing?
I’d encourage you to open a ticket with our excellent support teams to work through your specific situation.
Hi Alex, thanks for the video. This is my first step figuring out why my Docker image can no longer resolve hosts. It's been working for months now with `docker run` command options that provides the proper entries in /etc/resolv.conf but within the last few days, a Docker or Tailscale update broke something. (/etc/resolv.conf is still correct but the container cannot reach 100.100.100.100 or the named DNS server. It can reach other hosts on the local LAN by IP address but not name. 😥) Edit: upgrade from 1.68.0 => 1.68.1 seems to have fixed the issue.
I am getting: Container ts-oauth-test Starting "Error response from daemon: Bind mount failed: '/ts-oauth-test/state' does not exist". Any ideas?
Finally got my media-server working reasonably well using Traefik, and now I'm going to have to ditch it all 🙂 Auto discovery of ports via labels, like Traefik, would be nice, though
Great video, but how do I add Tailscale to five of my docker containers? Some say use docker networks and others creating side cars to the container. I would really appreciate a video about adding tailscale to multiple existing containers.
We'd suggest one sidecar per service.
The part exposing in app via serve and funnel is similar to caddy?
I have a 'No serve config' error, no matter what I do. What am I doing wrong?
Appreciate the great instruction. However, I'm always flummoxed. I can't get the ephemeral tag to disappear off the machine. I used this volume from your guide: tailscale-data-webserver2:/var/lib/tailscale and when doing ls, no state showed up. So I changed it to ${PWD}/tailscale-data-webserver2/state:/var/lib/tailscale per the video, and the state showed up. Using Portainer, I stopped the ts-webserver2 and the nginx and deleted the state or whatev. Restarted with a docker compose up -d. Perhaps my issue is I'm using a browser to access the login.tailscale page to generate keys and look at the machine status, which still shows ephemeral, rather than a local console? I'm not clear on that. Thanks again.
Sorry, it just took a few hours for it to disappear. Now to figure out how to connect up to home assistant.
This is great! But is there a way I can use my own domain name? Without using Caddy.
I think I've got everything set up! Thanks for the tutorial. I'm a bit confused that this enables funnel for the node in the dashboard even though it's set to false in the json file. Is this the expected outcome?
Getting the same. Did you find anything?
I'm a bit confused about how to expose other containers that are using a different docker compose file.
Do I just provide the network_mode used by the original compose file with the tailscale instance?
Or do all my services have to be moved to a single compose file that uses tailscale?
And how would multiple TS-CONFIG files work for different services?
You can reference specific containers elsewhere in other compose files. Use their service name I think. Dependency mapping (depends_on) becomes a bit trickier that way though. -Alex
@Tailscale If you had an example of it working, that would be awesome!
I just tried extending the file using extend:
But it didn't work
userspace tailscaled was a game changer for my workload. I don't need massive throughput but I don't want to run a privileged container if I can avoid it.
The feature I'd like to see most is reserved IP keys: Almost like elastic IPs in AWS EC2, but for my tailnet. I generate an auth key for an ephemeral node that's always going to get a predetermined IP on my tailnet. I also want keys to last longer than 90 days, maybe with the prerequisite that the node be manually approved by an admin? This means I can use preauthorized keys to spin up infrastructure with deterministic IPs on my tailnet.
This is a really interesting question. Might I ask one back? Why does the IP matter if magicdns allows you to refer to the node deterministically too?
@Tailscale MagicDNS doesn't always work
We want an explanation translated into Arabic. We want a detailed explanation translated into Arabic of the steps for using the application, from installation until connecting to the other device and controlling it.
Would this have support for things like udp ports leading to game server containers?
Just watched this and wonder if I misunderstood an effect of the namespace network merge. If I connect a django container and a postgres container to the same tailscale container, will django be able to connect to postgres using localhost rather than the database's container name? If yes then tailscale simplifies things even more.
Or is there a reason why we can't/shouldn't connect multiple containers?
No reason I can think of. Although docker networks give you a lot of this too without the inter container dependency.
How do you turn on exit node specifically on this docker?
I'd like to know this too!
Using the OAuth method, if two containers try to use the same port 80, how do I resolve that?
Hi! An amazing video. I just want to know how I can access my host via this setup, as if Tailscale were installed on it. Currently, whenever I am moving between machines, I have to do this manual setup. Instead, since the rest of my ecosystem is managed via docker compose, I am looking to just spin this up there too and then SSH normally into my host machine.
You'd likely want to install Tailscale natively on the host itself, as well as in any containers, for the smoothest experience.
I had just one doubt. Is there a way to funnel multiple web services by adding a subdomain for each, within one Tailscale container? More like how we can do with nginx.
Not as of today. You'd need a reverse proxy to do that.
Tailscale is the best. How do you guys feel about headscale? I've considered trying it but I haven't taken the plunge yet.
We have a page for that!
tailscale.com/opensource
I did ask this on the reddit thread but I'll ask it here too in case you don't see it. Are there any issues doing this with podman? Or is it only with Docker?
I should imagine so, using the Podman-specific syntax as outlined in the link below. Note that I didn't test this.
-Alex
docs.podman.io/en/latest/markdown/podman-run.1.html#network-mode-net
Thanks! @Tailscale
I have been trying to do this for a month using macvlan with no luck, thanks. Do you have to do this for every container?
For now at least, one Tailscale sidecar per service, yup.
Maybe you can create an external Docker network and use this network for all the services you want to use with Tailscale. Then, in the config file, use the service's container name as its IP. Maybe that will work.
How are the containers supposed to communicate between each other?
I don't think this would work on platforms that only support non-root or user-only docker containers. A lot of PaaS don't support compose or allow you to set the docker run args.
At 17:50 I get "curl: (6) Could not resolve host: ts-oauth". Didn't work in browser either.
Running tailscaled using Docker (compose) on an Ubuntu server. Have the --ssh setting. When attempting to SSH to this machine, SSH connects to the Docker container itself and not the host machine. I'm guessing somebody has figured this out, or maybe it's not possible.
It did not go well. I successfully added Tailscale to a Checkmk container but was not happy that Tailscale stored state in $(PWD)/... so I edited the file to change that to /var/lib/... and restarted the container. It did not come up. I stopped it, moved $(PWD)/... to /var/lib. Still not coming up, and the logs indicated an expired key. I generated a new key but was unable to stop the container. I had run docker compose interactively and it just hung. I restarted the docker service but it did not come back up. I rebooted the host (my local file server running Debian bookworm) and the docker service still did not come up. Systemd logs indicate restarting too fast, and also list a segment violation. 😥 Now I'm trying to debug a dockerd killer. :-/
Not good at this point.
And there are 1200+ lines in the journalctl logs.
Got Docker back up by manually editing the container config files to restart:none and manually starting one at a time, starting with checkmk+tailscale. After much fiddling, got it to run with the desired hostname. Other tailnet hosts cannot reach it, but host names inside the container are not resolved; actually a step back from where I started. 😕
Is it possible to get help doing this on my NAS? : )
Make a video on adding devices to a subnet and connecting it to your Tailscale network.
I have an Unraid server and want to use Tailscale on 2 different accounts. How do I do this with a docker compose setup or on my Unraid server?
I tried what GPT-4 suggested; it did not work. I mean, it kinda worked, but on every reboot of my Unraid server it got me a new machine name.
What was he piping through to get the colors in the output of docker inspect?
jq
@Tailscale Great! Thanks :)
I would love to work at Tailscale. Currently all their SWE jobs are taken.
I'm having a heck of a time trying to get the serve and funnel configuration (/config/mealie.json in this example) to work in a Portainer stack. Apparently relative directories don't work in docker-compose within Portainer and even configuring another Dockerfile to copy the file from the image to the container doesn't want to work. Does anybody know a way around this or at least understand what I'm talking about? 😅
Does the /config directory exist, and does it have the correct ownership? I never use Portainer to spin up my containers; however, I use it to view logs and other things.
@danr2513 I ended up getting it to work by creating an external volume and putting the file there manually. There must be a better, more automated way, but this did the trick for now!
Ha I've even started reading tailscale docs with your accent
I love Tailscale and love what it can do, but I'm not smart enough to config this stuff lol
No ssh to the container?
he could have ssh'ed to the container, but as he showed via 'docker exec', the container doesn't have the diagnostic tools installed.
I see this as an awesome tool to run game servers, now if I can only figure it out... I can't get past the point of getting the test nginx web page to pull. I have to keep learning, I suppose. Thanks
See our recent Factorio video!
@Tailscale Absolute legend! ...will be on that later today.
@Tailscale This is epic. I now have it configured for Pterodactyl and tested Minecraft, which was always difficult for me to host due to the TCP requirement (and my CGNAT). I did have to enable subnet routing, but once I did that all was good! Best bit of homelab hobbyist software there is!
Anyone got this working on a Synology NAS?
So I basically have to destroy my containers' networks to change the network mode for everything.
Why bother? Just create a Docker swarm and connect your local to the server in the cloud. Easy peasy.