This repository has been archived by the owner on Oct 7, 2023. It is now read-only.

tsnet: open tsstate/tailscaled.state: permission denied #9

Open

4310V343k opened this issue Sep 30, 2022 · 2 comments

@4310V343k

For some reason tsnet can't create files in the default state folder: tsnet: open tsstate/tailscaled.state.tmp1170394514: permission denied
It still panics with both named volumes and a local binding
However, if you try to use the home folder for the state (TS_SIDECAR_STATEDIR: . & - tsstate:/home/nonroot), it works nicely

A part of the docker-compose.yml

  sidecar:
    image: "ghcr.io/markpash/tailscale-sidecar"
    environment:
      TS_AUTHKEY: tskey-ke9WLg5CNTRL-jdE98Dyg8KiRrrBjnzLQZR
      TS_SIDECAR_NAME: proxima-main
    volumes:
      - ./bindings.json:/etc/ts-sidecar/bindings.json
      # both these don't work
      #- tsstate:/home/nonroot/tsstate
      #- ./state:/home/nonroot/tsstate

Logs

tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) tun device
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) OS network configurator
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) DNS configurator
tgs-sidecar-1 | 2022/09/30 15:48:28 dns: using dns.noopManager
tgs-sidecar-1 | 2022/09/30 15:48:28 link state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.2/16]} v4=true v6=false}
tgs-sidecar-1 | 2022/09/30 15:48:28 magicsock: disco key = d:86b7c08b46a052b2
tgs-sidecar-1 | 2022/09/30 15:48:28 Creating wireguard device...
tgs-sidecar-1 | 2022/09/30 15:48:28 Bringing wireguard device up...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] UDP bind has been updated
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Interface state was Down, requested Up, now Up
tgs-sidecar-1 | 2022/09/30 15:48:28 Bringing router up...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] warning: fakeRouter.Up: not implemented.
tgs-sidecar-1 | 2022/09/30 15:48:28 Clearing router settings...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming v4 - started
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] warning: fakeRouter.Set: not implemented.
tgs-sidecar-1 | 2022/09/30 15:48:28 Starting link monitor...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming v6 - started
tgs-sidecar-1 | 2022/09/30 15:48:28 Engine created.
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming receiveDERP - started
tgs-sidecar-1 | 2022/09/30 15:48:28 tsnet: open tsstate/tailscaled.state.tmp23198575: permission denied
tgs-sidecar-1 exited with code 0

@chrisanderton

Seeing the same when using a volume. If I mount it over /home/nonroot it has no permission issues, but mounted on any other path it shows permission denied. I'm assuming it's because the process runs as user ID 65532 and there is no way to change ownership/access permissions of the mounted volume.

@chrisanderton

After a bit of digging -

Bind mounts use the permissions of the host: the sidecar is running non-root (user 65xxx) so cannot create/change the permissions

Volume mounts default as root owned and 755 permissions: as above sidecar is non-root so cannot do the necessary

I see other images including some unix tools so you could tweak permissions on entrypoint, I'm sure there's a more elegant solution...
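As an added example (not part of this thread or of the tailscale-sidecar project), here is the kind of entrypoint-side check the comment above alludes to, in POSIX sh. `check_state_dir` verifies that the state directory exists (creating it if possible) and that the current UID can actually create and remove files in it, which is what tsnet needs since it writes `tailscaled.state` through a temp file plus rename; on failure it prints the owner and mode so the "root-owned 755 volume" case is visible at once rather than as a bare "permission denied". `prepare_state_dir` is the root-side fix for images whose entrypoint starts as root and drops privileges afterwards: it hands the directory to the non-root UID (65532 is the UID reported in the thread, used here as an assumed default). The function names and the `STATE_DIR`/`TS_UID` variable names are assumptions, not anything the sidecar defines.

```shell
#!/bin/sh
# Added example: preflight check for a tsnet state directory mounted into a
# non-root container. Not part of tailscale-sidecar; helper names are assumed.

# Return 0 if the directory exists (creating it if needed) and the current
# UID can create and delete files in it; otherwise print a diagnostic and
# return 1. tsnet writes tailscaled.state via a temp file plus rename, so it
# needs write and search permission on the directory, not just on the file.
check_state_dir() {
  dir="$1"
  uid="$(id -u)"
  if [ -e "$dir" ] && [ ! -d "$dir" ]; then
    echo "state path $dir exists but is not a directory" >&2
    return 1
  fi
  if [ ! -d "$dir" ]; then
    if ! mkdir -p "$dir" 2>/dev/null; then
      echo "uid $uid cannot create $dir (parent: $(ls -ld "$(dirname "$dir")"))" >&2
      return 1
    fi
  fi
  # Probe with a real file, since [ -w ] answers "yes" for root regardless of mode.
  probe="$dir/.write-probe.$$"
  if ! ( : > "$probe" ) 2>/dev/null; then
    echo "uid $uid cannot write to $dir: $(ls -ld "$dir")" >&2
    return 1
  fi
  rm -f "$probe"
  return 0
}

# Root-side fix for images whose entrypoint starts as root and then drops
# privileges: hand the mounted directory to the non-root UID before tsnet
# runs. Does nothing when not root. A bind mount keeps the host's ownership,
# so for bind mounts the host must do the equivalent (chown 65532 ./state).
prepare_state_dir() {
  dir="$1"
  target_uid="${2:-65532}"   # UID reported in the thread; assumed default
  mkdir -p "$dir" || return 1
  if [ "$(id -u)" -eq 0 ]; then
    chown "$target_uid" "$dir" || return 1
    chmod 700 "$dir" || return 1   # the state file holds node keys; keep it private
  fi
  return 0
}

# Usage in an entrypoint (STATE_DIR and TS_UID are assumed variable names):
#   prepare_state_dir "${STATE_DIR:-/home/nonroot/tsstate}" "${TS_UID:-65532}"
#   check_state_dir "${STATE_DIR:-/home/nonroot/tsstate}" || exit 1
```

Running `check_state_dir` as the same UID the sidecar uses (65532) is what makes the check meaningful; as root it passes on any directory, which is exactly the gap `prepare_state_dir` closes before privileges are dropped.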
