Coder Docker Compose with Tailscale HTTPS
I'm running into some difficulty. I'm able to access coder via https and can get to the deployment dashboard, which displays an unhealthy state with the errors below. Am I missing something or otherwise doing anything else wrong, or is there something else going on?
Access URL:
EACS03: get healthz endpoint: Get "https://astro.monkey-byzantine.ts.net:8443/healthz": context deadline exceeded
DERP Coder Embedded Relay:
connect to derp: derphttp.Client.Connect connect to https://astro.monkey-byzantine.ts.net:8443/derp: dial of astro.monkey-byzantine.ts.net: dial tcp 100.96.202.84:8443: i/o timeout
connect to derp: derphttp.Client.Connect connect to https://astro.monkey-byzantine.ts.net:8443/derp: context deadline exceeded: dial of astro.monkey-byzantine.ts.net: dial tcp 100.96.202.84:8443: i/o timeout
connect to derp: derphttp.Client.Connect connect to https://astro.monkey-byzantine.ts.net:8443/derp: context deadline exceeded: dial of astro.monkey-byzantine.ts.net: dial tcp 100.96.202.84:8443: i/o timeout
connect to derp: derphttp.Client.Connect connect to https://astro.monkey-byzantine.ts.net:8443/derp: context deadline exceeded: dial of astro.monkey-byzantine.ts.net: dial tcp: lookup astro.monkey-byzantine.ts.net: i/o timeout
connect to derp: derphttp.Client.Connect connect to https://astro.monkey-byzantine.ts.net:8443/derp: context deadline exceeded: dial of astro.monkey-byzantine.ts.net: dial tcp: lookup astro.monkey-byzantine.ts.net: i/o timeout
couldn't connect after 5 tries, last error: couldn't connect after 5 tries, last error: derphttp.Client.Connect connect to https://astro.monkey-byzantine.ts.net:8443/derp: context deadline exceeded: dial of astro.monkey-byzantine.ts.net: dial tcp: lookup astro.monkey-byzantine.ts.net: i/o timeout
Websocket:
EWS01: websocket dial: failed to WebSocket dial: failed to send handshake request: Get "https://astro.monkey-byzantine.ts.net:8443/api/v2/debug/ws": context deadline exceeded
What are you creating this issue for?
Docker Compose: (couldn't send it all at once)
Looks like this ends up working with the following config instead:
Maybe there's a way to sidecar Tailscale into the mix but this is probably the most efficient solution
this works, but a better option would be to switch the DNS or set network_mode to service:tailscale-<name>, like https://tailscale.com/kb/1282/docker#code-examples
or try to change the DNS via https://docs.docker.com/reference/compose-file/services/#dns, the network_mode: host is not ideal in terms of security :-)
For what it’s worth, I later found that even with my nuclear option of network_mode host, while the health check would pass in the dashboard, I still couldn’t spin up workspaces properly. Still not sure what’s happening there
that's probably a different issue to be honest
oh wait so you have your ts.net domain as your access URL?
Yeah astro being the hostname
ah yeah so you'll need the tailscale sidecar
or set a public domain in the access URL
🤔
coder-1 | error: connect to postgres: connect to postgres: unable to connect after 11 tries; last error: dial tcp 127.0.0.1:5432: connect: connection refused
try changing 127.0.0.1 to database?
postgresql://coder:${POSTGRES_PASSWORD}@database/coder?sslmode=disable
yeah unfortunately no luck there either..
[warn] ping postgres: retrying error="dial tcp: lookup database on 127.0.0.11:53: server misbehaving"
Does this happen after you restart the container? How did you run this docker-compose?
I usually do it with
docker compose down -v && docker compose up -d
since you're running it behind tailscale, you gotta check with the tailscale container what your database hostname is
not really familiar with tailscale in a container, I did use tailscale on the host once, it does assign hostnames to machines in the network
if you run tailscale in a container I guess you can use the cli to check the network list
https://tailscale.com/kb/1080/cli#status
I don't think the database itself is given a hostname from Tailscale
In the sense that, if I pop a shell into my tailscale container and run tailscale status, I'm going to see that tailscale container (tailscale-coder) and the rest of my tailnet, but not the coder or database containers.
oh yeah my bad, nvm that, looks like database is the correct hostname tho, since you got server misbehaving this time
I'd say double check your port, I'm running postgres 16 and it defaults to 5432
if that didn't work, idk man, out of ideas, networking sucks
Yeah.. I also noticed the :53 in that error message and I'm not sure where it's getting that...
yup, tailscale usually hides a lot of it, but god networking really does suck 😂
can you check the postgres logs to see what port it's running on?
then maybe add :xyz after database:
something like that
It's definitely running on 5432, and doesn't look like explicitly specifying the port there does anything
at least with regards to this error message
so instead of 127.0.0.11:53, it's misbehaving on 127.0.0.11:5432?
no it still says 127.0.0.11:53
wait so:
and with
it still looks up at 127.0.0.11:53?
I was able to force change my port to 53:
yes (which is weird) but:
if i swap out database to be 127.0.0.1 again...
i get further, but then when i go to the url (tailscale-coder.monkey-byzantine.ts.net:8443), i get an https error on my browser, i proceed, and then i think i get redirected back to my host (astro.monkey-byzantine.ts.net:8443), which i think is from the access url
so then i changed the access url to be tailscale-coder.monkey-byzantine.ts.net:8443, but that doesn't respond whatsoever for some reason?
the connection string with port should work, if coder is still trying port 53 you can try to add env PGPORT=53, and run with
docker compose up -d --force-recreate
to see what happens
when CODER_ACCESS_URL was still https://astro.monkey-byzantine.ts.net:8443, it would at least redirect me as a response (and then die)
but now as https://tailscale-coder.monkey-byzantine.ts.net:8443 it wont reply whatsoever
but coder can at least talk to postgres now with the connection url
but tbh this whole tailscale sidecar solution seems just atrocious
this nonsense with the oauth, and i wouldn't even know where to begin with how to create https certs for this with a tailscale sidecar, the certs that it is referencing are for the host, not the container. tailscale would generate certs for tailscale-coder.monkey-byzantine.ts.net
Why not try using tailscale as a proxy, instead of having it on the same network as coder? Changing the access url and it then working with the db sounds impossible, it shouldn't be related
Unless there was some health check issue.. check logs man
I could be missing something but it's not clear to me how I would be using Tailscale as a proxy
what is the purpose of you using tailscale? isn't it to connect to other machines that are connected to your tailscale instance?
so instead of network_mode:, you create a network for tailscale and attach it to coder (e.g. networks: - tailscale), this way you won't mess with docker dns
then you can set up the tailscale subnet separately in the tailscale container
i use tailscale for pretty much everything
in this case all im really trying to accomplish is hosting coder with docker and being able to access it from tailscale with https
technically the docker compose doesn't have to know anything about tailscale and i can hit it but it'll just redirect me to one of coder's proxies which isn't ideal
and i can't just throw the tailscale stuff in the access url because that blows up
ye, so you may have to look at tailscale subnet in this case
because access url with port is a bit unsettling lol
back when I was using hamachi to connect things, putting my virt net ip:port into access url mess stuff up lol
haha i also remember the hamachi days
at some point trying to fix it, I just gave up and used "http://virt-ip:port"
many extensions don't like that tho
but ye, try to use networks: to attach to tailscale and set up a tailscale subnet, if you don't want to put tailscale stuff in the access url
idk how tailscale subnets would work in this case
i used to use those as like a catch-all way for me to reach things on my lan that didn't have tailscale installed
i don't know how you would do something like that with Docker.. like are you talking about doing it from the host or within a container
my reverse proxy, traefik:
my coder compose:

that's my setup
well something like that, but instead of traefik you switch to the tailscale container?
and then just do the subnet how you usually do it, since the coder container doesn't have tailscale installed you have a dedicated tailscale container to run the subnet
hey @Konstantine trying to catch up -- is your issue fixed?
just unsure at this point as to whether or not there’s any way to be accessing coder via my tailnet without a sidecar
otherwise that’s it
in your setup i don't think so no
since you depend on the tailscale DNS name
got it—thanks
@Konstantine closing this since i think it should be good but don't hesitate to follow up!
@Phorcys closed the thread.