# How to have a container running in Dagger access a tailscale network?
Using the Python SDK, but of course this is broadly applicable for all SDKs
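```python
import dagger
from dagger import Secret


# The original snippet was a function body; this wrapper name is illustrative.
async def curl_over_tailscale(client: dagger.Client):
    # Wrap the auth key (placeholder value) in a Dagger secret instead of a plain env variable.
    auth_key_secret: Secret = client.set_secret("tailscaleAuthkey", "tskey-auth-mysupersecretkey")

    # Sidecar: tailscaled in userspace-networking mode, with the SOCKS5 and HTTP proxy on port 1055.
    tailscale = (
        client.container()
        .from_("tailscale/tailscale:stable")
        .with_secret_variable(name="TAILSCALE_AUTHKEY", secret=auth_key_secret)
        .with_exec(["/bin/sh", "-c", "tailscaled --tun=userspace-networking --socks5-server=0.0.0.0:1055 --outbound-http-proxy-listen=0.0.0.0:1055 & tailscale up --authkey $TAILSCALE_AUTHKEY &"])
        .with_exposed_port(1055)
    )

    # Client container: reaches the tailnet through the sidecar's proxy via ALL_PROXY.
    http = (
        client.container()
        .from_("alpine:3.17")
        .with_exec(["apk", "add", "curl"])
        .with_service_binding("tailscale", tailscale)
        .with_env_variable("ALL_PROXY", "socks5://tailscale:1055/")
        # Each argv element must be its own list item, or the exec fails.
        .with_exec(["curl", "https://my.url.only.accessible.on.tailscale.network.com"])
    )
    return await http.sync()
```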
This uses the userspace networking architecture here: https://tailscale.com/kb/1112/userspace-networking/#socks5-vs-http
@shrewd sequoia since you're posting in help I assume this isn't working?
Nope it works fine, I just added a Q/A for other people
Oh, that's neat then! 👏
I'm wondering about using this for pulling an image in local docker engine from a dagger container running a registry. That would simplify https://docs.dagger.io/252029/load-images-local-docker-engine 🤔
cc @solemn kayak @covert jetty
Seems like it could work. Only difference there between that and my example that I can think of is that in my example the DNS entry is a public DNS server
(that resolves to an internal AWS DNS/IP)
Note that our architecture as outlined in this example does not exactly map 1:1 with the link I provided in the site. In the architecture they provide on the example, tailscaled and ./app run in the same container. In our example, we spin up tailscaled in a separate container. I think this is a better design and more daggery anyway than having them run in the same container, plus I'm not sure running a service in the same container as your app like that is even supported in Dagger
Super cool! Thanks for this example @shrewd sequoia. I have an older demo that uses Tailscale in GitHub Actions to connect to my Vault server. https://github.com/kpenfound/hello-nomad/blob/main/.github/workflows/test.yml#L11-L14 This seems like a much better Dagger integration
One other thing to note, and this is also noted in the tailscale docs page I linked, whatever you are using needs to support some env variable like ALL_PROXY. Most Unix utilities apparently support this