
Matthew Scharley

Installing Tailscale on immutable Linux distros

Recently I've been testing OpenSUSE Kalpa, one of the recent batch of immutable operating systems. One of the first things I wanted to set up was Tailscale so that the laptop could connect back into my home network. For anyone unfamiliar, Tailscale is a really cool product for doing mesh VPNs.

The following instructions should work on any system with distrobox available, but it's especially useful for Kalpa and other immutable operating systems.

There are no official instructions for getting things going with distrobox, but thankfully it takes basically no effort.

Installing Tailscale

First, you need to create a new root distrobox with init system support:

distrobox create --root --name tailscale --image registry.opensuse.org/opensuse/tumbleweed:latest --init --additional-packages "systemd"
distrobox enter --root tailscale

Since this is a root distrobox, you'll be asked for a password for access to the distrobox. Once you're fully inside the distrobox, follow the normal installation instructions.

sudo rpm --import https://pkgs.tailscale.com/stable/opensuse/tumbleweed/repo.gpg
sudo zypper ar -g -r https://pkgs.tailscale.com/stable/opensuse/tumbleweed/tailscale.repo
sudo zypper ref
sudo zypper in tailscale
sudo systemctl enable --now tailscaled
# Expose the binaries to the host system
distrobox-export --bin /bin/tailscale --sudo

Now you can drop back out of the distrobox container and use tailscale as normal, e.g. tailscale up to log in and get set up.

Clean up some distrobox inconveniences

There are a few things we can do from here to smooth over some inconveniences introduced by distrobox.

Sudo requires two different passwords

When you try to use tailscale from the host machine, you will be asked to provide two different passwords - the first is for running sudo to get into the root distrobox container, the second is to elevate permissions inside the container to run tailscale itself.

We can simplify things. As long as you follow the instructions above and create a dedicated root distrobox for tailscale, then there is a reasonable assumption that if you can get inside the distrobox container then you should be allowed to run tailscale without any further authentication needed.

# You must be inside the tailscale container
echo "$USER ALL=(root) NOPASSWD:/bin/tailscale" | sudo tee /etc/sudoers.d/tailscale

This allows sudo inside the container to run only tailscale without a password, which skips the check inside the container, but you will still need sudo on the host machine in order to make any changes.
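
A more defensive way to install the same rule, as an added example rather than code from the original post: it rejects a user name that could change the meaning of the rule, checks the candidate file with visudo before it goes live, and installs it root-owned with mode 0440. The function names are hypothetical, and it assumes mktemp, visudo and install are available inside the container.

```shell
#!/bin/sh
# Added example (not from the original post). Run inside the tailscale distrobox.
# Function names are illustrative.

# Print the sudoers rule for one user. $USER is caller-controlled, so refuse
# anything other than a plain account name before it reaches a root-owned file.
tailscale_sudoers_rule() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*)
            echo "refusing unsafe user name: '$1'" >&2
            return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD:/bin/tailscale\n' "$1"
}

# Write the rule to a temp file, syntax-check it, then install it as 0440.
install_tailscale_sudoers() {
    user=$1
    dest=${2:-/etc/sudoers.d/tailscale}
    tmp=$(mktemp) || return 1
    if ! tailscale_sudoers_rule "$user" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # -c is check-only mode, -f points visudo at the candidate file.
    if ! sudo visudo -cf "$tmp" >/dev/null; then
        echo "sudoers syntax check failed; nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # install sets owner and mode in one step, so the file is never
    # present in /etc/sudoers.d with loose permissions.
    sudo install -o root -g root -m 0440 "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: install_tailscale_sudoers "$USER"
```

The first sudo call inside the container still asks for a password, since the rule is not in place yet.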

Caveats

Anywhere you see sudo tailscale in the documentation, you can just use tailscale instead. Distrobox will install the binary stub into your local user account and deal with sudo for you. If you try to use sudo yourself, then it's likely that it won't be able to find the stub since it's installed into your home folder.

This setup will not start on boot, but will start when the distrobox starts. If you want it to start on boot you should be able to start the distrobox at login using a systemd service.
