Tailscale Docker image

Tailscale has a published Docker image that Tailscale manages and builds from source. It’s available in Docker Hub and GitHub Packages.

Pull image

To pull the image, run:

docker pull tailscale/tailscale:latest

or

docker pull ghcr.io/tailscale/tailscale:latest

The current version of the Makefile required for the examples in this doc is in the tailscale repo.

Supported tags

Containers are tagged based on the Tailscale versioning scheme.

  • Use stable or latest to get the latest stable version.
    • v1.20.1, v1.20 to get a specific stable version.
  • Use unstable to get the latest unstable version.
    • unstable-v1.33.159, unstable-v1.33 to get a specific unstable version.

Parameters

You can set additional parameters for use with the image. All configuration is optional.

TS_ACCEPT_DNS

Accept DNS configuration from the admin console. Not accepted by default.

TS_AUTH_ONCE

Attempt to log in only if not already logged in. False by default, to forcibly log in every time the container starts.

TS_AUTHKEY

An auth key used to authenticate the container. This is equivalent to what you’d pass to tailscale login --authkey=.

TS_DEST_IP

Proxy all incoming Tailscale traffic to the specified destination IP.

TS_KUBE_SECRET

If running in Kubernetes, the Kubernetes secret name where Tailscale state is stored. The default is tailscale.

If TS_AUTHKEY is not set, and TS_KUBE_SECRET contains a secret with an authkey field, that key is used as a Tailscale auth key.

TS_HOSTNAME

Use the specified hostname for the node. This is equivalent to tailscale set --hostname=.

TS_OUTBOUND_HTTP_PROXY_LISTEN

Set an address and port for the HTTP proxy. This will be passed to tailscaled --outbound-http-proxy-listen=. For example, to set the SOCKS5 proxy to port 1055, this is :1055, which is equivalent to tailscaled --outbound-http-proxy-listen=:1055.

TS_ROUTES

Accept subnet routes that other nodes advertise. Linux devices default to not accepting routes. This is equivalent to tailscale set --accept-routes=.

TS_SOCKET

Unix socket path used by the Tailscale binary, where the tailscaled LocalAPI socket is created. The default is /var/run/tailscale/tailscaled.sock. This is equivalent to tailscaled tailscale --socket=.

TS_SOCKS5_SERVER

Set an address and port for the SOCKS5 proxy. This will be passed to tailscaled --socks5-server=. For example, to set the SOCKS5 proxy to port 1055, this is :1055, which is equivalent to tailscaled --socks5-server=:1055.

TS_STATE_DIR

Directory where the state of tailscaled is stored. This needs to persist across container restarts. This will be passed to tailscaled --statedir=.

When running on Kubernetes, state is stored by default in the Kubernetes secret with name:tailscale. To store state on local disk instead, set TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir.

TS_USERSPACE

Enable userspace networking, instead of kernel networking. Enabled by default. This is equivalent to tailscaled --tun=userspace-networking.

Extra arguments

TS_EXTRA_ARGS

Any other flags to pass in to the Tailscale CLI in a tailscale set command.

TS_TAILSCALED_EXTRA_ARGS

Any other flags to pass in to tailscaled.

Last updated

On This Page

Related Pages