[systemd-devel] Setting up a VPN daemon as a Portable Service

Thu Oct 6 19:08:26 UTC 2022

Afaik Portable services run in an isolated root and dont have access to the
hosts rootfs.  You'd have go include iptables and all its dependencies in
the portable services directory. If you don't want to do that you'd have to
use BindReadOnlyPaths= to give the service access to the required host
paths or you'd have to use a system extension.

That's probably why they advice running as a system extension.

I think there are mechanisms for setting up system extensions on startup
but I'm not familiar enough with the details. Maybe someone else in the
list knows.

On Thu, 6 Oct 2022, 20:21 Duncan Gibson, <legowerewolf at gmail.com> wrote:

> Hi, everyone.
>
> The high-level overview: I'm trying to install Tailscale
> <https://tailscale.com/> as a portable service on my Steam Deck.
>
> Tailscale is a point-to-point VPN service, essentially a wrapper around
> Wireguard that helps with network setup and management. The Steam Deck is
> Valve's handheld PC running SteamOS 3, which is derived from Arch. It uses
> an A/B partition system for system files, meaning you can't install a
> service the normal way.
>
> There *is* a guide to do this <https://tailscale.com/blog/steam-deck/>,
> posted on their own blog, but it uses system extensions which aren't good
> for services that you want to run on startup. Indeed, following that guide
> puts me in a state where I have to manually start the daemon every time I
> reboot my Deck, even with the service enabled.
>
> Let's move on to how I've started to do this.
>
> Tailscale is available through most package managers, but they also
> publish static binaries with systemd unit files
> <https://pkgs.tailscale.com/stable/#static>.
>
> This script grabs that binary, extracts it, and moves it into a portable
> service directory structure.
>
> # download and extract Tailscale
> tarball="$(curl -s 'https://pkgs.tailscale.com/stable/?mode=json' | jq -r
> .Tarballs.amd64)"
> version="$(echo ${tarball} | cut -d_ -f2)"
> tar_dir="$(echo ${tarball} | cut -d. -f1-3)"
> curl -s "https://pkgs.tailscale.com/stable/${tarball}" -o tailscale.tgz
> tar xzf tailscale.tgz
> test -d $tar_dir
>
> # Set up our target directory structure
> mkdir -p
> tailscaled/{usr/{bin,sbin,lib/systemd/system},etc,proc,sys,dev,run,/var/tmp}
>
> # Copy tailscale-distributed files to the right place
> cp -rf $tar_dir/tailscaled tailscaled/usr/sbin/tailscaled
> cp -rf $tar_dir/systemd/tailscaled.service
> tailscaled/usr/lib/systemd/system/tailscaled.service
>
> # Write service os-release file
> source /etc/os-release
> cp -rf /etc/os-release tailscaled/etc/os-release
>
> Not automated yet is patching the provided unit file - you need to remove
> the EnvironmentFile line and "--port $PORT $FLAGS" options, and add
> [Exec]
> Environment="PATH=/usr/bin"
>
> Attach the portable service: sudo portablectl attach ./tailscaled
> --profile=trusted
> and try starting it: sudo systemctl start tailscaled
>
> It fails, leaving this in the logs:
>
> logtail started
> Program starting: v1.30.2-t24c524c78-gc399ae6fa, Go 1.19.1-tsb13188dd36:
> []string{"/usr/sbin/tailscaled",
> "--state=/var/lib/tailscale/tailscaled.state",
> "--socket=/run/tailscale/tailscaled.sock"}
> LogID: 0f59ed267a2b19cc28aac9ee7119914000ca478234af8d56893a025ae72cc647
> logpolicy: using $STATE_DIRECTORY, "/var/lib/tailscale"
> wgengine.NewUserspaceEngine(tun "tailscale0") ...
> wgengine.NewUserspaceEngine(tun "tailscale0") error: creating router:
> could not get iptables version: fork/exec /usr/bin/iptables: no such file
> or directory flushing log.
> logger closing down
> createEngine: creating router: could not get iptables version: fork/exec
> /usr/bin/iptables: no such file or directory
>
> iptables is, in fact, at /usr/bin/iptables, so what am I missing? Before I
> added the Environment line, I was getting errors that iptables wasn't on
> the PATH, so I suspect that now tailscaled can *see* iptables, but
> systemd isn't letting tailscaled run it.
>
> Thanks for having a look at this.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20221006/eb10839c/attachment.htm>