markpash / tailscale-sidecar

A TCP proxy used to expose services onto a tailscale network without root. Ideal for container environments.
MIT License

tsnet: open tsstate/tailscaled.state: permission denied #9

Open 4310V343k opened 2 years ago

4310V343k commented 2 years ago

For some reason tsnet can't create files in the default state folder: tsnet: open tsstate/tailscaled.state.tmp1170394514: permission denied. It still panics with both named volumes and a local binding. However, if you try to use the home folder for the state (TS_SIDECAR_STATEDIR: . and - tsstate:/home/nonroot), it works nicely.

A part of the docker-compose.yml

  sidecar:
    image: "ghcr.io/markpash/tailscale-sidecar"
    environment:
      TS_AUTHKEY: tskey-ke9WLg5CNTRL-jdE98Dyg8KiRrrBjnzLQZR
      TS_SIDECAR_NAME: proxima-main
    volumes:
      - ./bindings.json:/etc/ts-sidecar/bindings.json
      # both these don't work
      #- tsstate:/home/nonroot/tsstate
      #- ./state:/home/nonroot/tsstate
Logs

tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) tun device
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) OS network configurator
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) DNS configurator
tgs-sidecar-1 | 2022/09/30 15:48:28 dns: using dns.noopManager
tgs-sidecar-1 | 2022/09/30 15:48:28 link state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.2/16]} v4=true v6=false}
tgs-sidecar-1 | 2022/09/30 15:48:28 magicsock: disco key = d:86b7c08b46a052b2
tgs-sidecar-1 | 2022/09/30 15:48:28 Creating wireguard device...
tgs-sidecar-1 | 2022/09/30 15:48:28 Bringing wireguard device up...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] UDP bind has been updated
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Interface state was Down, requested Up, now Up
tgs-sidecar-1 | 2022/09/30 15:48:28 Bringing router up...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] warning: fakeRouter.Up: not implemented.
tgs-sidecar-1 | 2022/09/30 15:48:28 Clearing router settings...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming v4 - started
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] warning: fakeRouter.Set: not implemented.
tgs-sidecar-1 | 2022/09/30 15:48:28 Starting link monitor...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming v6 - started
tgs-sidecar-1 | 2022/09/30 15:48:28 Engine created.
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming receiveDERP - started
tgs-sidecar-1 | 2022/09/30 15:48:28 tsnet: open tsstate/tailscaled.state.tmp23198575: permission denied
tgs-sidecar-1 exited with code 0
chrisanderton commented 1 year ago

Seeing the same when using a volume. If I mount it over /home/nonroot it has no permission issues, but mounted on any other path it shows permission denied. I'm assuming it's because the process runs as user ID 65532 and there is no way to change ownership/access permissions of the mounted volume.

chrisanderton commented 1 year ago

After a bit of digging:

Bind mounts use the permissions of the host: the sidecar is running non-root (user 65xxx), so it cannot create/change the permissions.

Volume mounts default to root-owned with 755 permissions: as above, the sidecar is non-root, so it cannot do the necessary.

I see other images including some Unix tools, so you could tweak permissions on entrypoint; I'm sure there's a more elegant solution.
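One way to work around the ownership problem described in the thread, as an added example that is not part of the original issue and not the project's own configuration: give the named volume to the sidecar's uid from a short-lived root init service, then start the sidecar only after that step has succeeded. It assumes that the sidecar runs as uid/gid 65532 (the value the comment above attributes to it; check the image's USER before relying on it), that the default state directory is tsstate relative to /home/nonroot (which is why the reporter's mount at /home/nonroot/tsstate is the right target), and that your Compose implementation supports depends_on with condition: service_completed_successfully (Docker Compose v2 does). The busybox image and the service name sidecar-state-init are illustrative choices.

```yaml
services:
  # Runs once as root, fixes ownership of the named volume, then exits.
  # 65532 is the uid/gid the thread attributes to the sidecar's nonroot user (assumption).
  sidecar-state-init:
    image: busybox:stable
    user: "0:0"
    volumes:
      - tsstate:/state
    # 700 rather than 777: only the sidecar's uid needs to read the node key in tailscaled.state.
    command: ["sh", "-c", "chown 65532:65532 /state && chmod 700 /state"]

  sidecar:
    image: "ghcr.io/markpash/tailscale-sidecar"
    depends_on:
      sidecar-state-init:
        condition: service_completed_successfully
    environment:
      # Read the auth key from .env or the shell instead of committing it in the compose file.
      TS_AUTHKEY: ${TS_AUTHKEY}
      TS_SIDECAR_NAME: proxima-main
    volumes:
      - ./bindings.json:/etc/ts-sidecar/bindings.json:ro
      # Mount at the default state location so TS_SIDECAR_STATEDIR does not need to be set.
      - tsstate:/home/nonroot/tsstate

volumes:
  tsstate:
```

For a host bind mount instead of a named volume, the equivalent is to create the directory on the host with the right owner and mode before the first start (for example install -d -o 65532 -g 65532 -m 700 ./state, run as root) and mount ./state:/home/nonroot/tsstate; the container still cannot chown a bind mount for the same reason the thread gives. In either case the state directory ends up holding the node's private key, so keep the mode at 700 and avoid the widely copied chmod 777 shortcut.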