Enhancement: allow container to work with tailscale plugin in Unraid 7

[rwagner3]

What features would you like to see added?

With Unraid 7's release, we can add tailscale serve to specific containers. This is working for most of my containers but not with your LibreChat container, which I gathered from the Unraid CA.

More details

Name = LibreChat
Repo = ghcr.io/danny-avila/librechat-dev:latest
Privileged = Off
Use Tailscale = On
TS Hostname = librechat

The rest are defaults other than my API keys and the like. When I apply it, docker run fires up the container, but the logs show tailscale not getting ran, because it runs into an error:

# docker logs LibreChat -f
=======================

Executing Unraid Docker Hook for Tailscale

ERROR: No root privileges!
ERROR: Unraid Docker Hook script throw an error!
       Starting container without Tailscale!

Starting container...

and it goes on and the container starts just no tailscale because "No root privs". I retried with privileged = On, but encountered the same error. Discussing this on another forum, someone suggested that the USER instruction in the Dockerfile (See here) is the problem here. In order to bypass this, you'd need to rebuild the container without that instruction.

In case it is helpful to reproduce the issue, here is what my docker run output looks like:

Command execution
docker run
  -d
  --name='LibreChat'
  --entrypoint='/opt/unraid/tailscale'
  --net='bridge'
  --cpuset-cpus='1,2,7,8'
  --pids-limit 2048
  -e TZ="America/New_York"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="xxxx"
  -e HOST_CONTAINERNAME="LibreChat"
  -e 'CREDS_KEY'='xxxx'
  -e 'CREDS_IV'='xxxx'
  -e 'MONGO_URI'='mongodb://x.x.x.x:x/librechat'
  -e 'JWT_SECRET'='xxxx'
  -e 'JWT_REFRESH_SECRET'='xxxx'
  -e 'EMAIL_FROM'=''
  -e 'EMAIL_SERVICE'=''
  -e 'EMAIL_USERNAME'=''
  -e 'EMAIL_PASSWORD'=''
  -e 'OPENAI_API_KEY'='sk-librechat-xxxx'
  -e 'ALLOW_EMAIL_LOGIN'='true'
  -e 'ALLOW_REGISTRATION'='true'
  -e 'ALLOW_SOCIAL_LOGIN'='false'
  -e 'ALLOW_SOCIAL_REGISTRATION'='false'
  -e 'DOMAIN_CLIENT'='x.x.x.x'
  -e 'DOMAIN_SERVER'='x.x.x.x'
  -e 'DEBUG_LOGGING'='False'
  -e 'UID'='1000'
  -e 'GID'='1000'
  -e 'ANTHROPIC_API_KEY'='sk-ant-apixxxx'
  -e 'OPENAI_MODELS'='chatgpt-4o-latest,gpt-4o,o1,o1-mini'
  -e 'GOOGLE_MODELS'='gemini-2.0-flash-exp'
  -e 'DALLE_API_KEY'=''
  -e 'TITLE_CONVO'='True'
  -e 'OPENAI_TITLE_MODEL'='gpt-4o'
  -e 'OPENAI_SUMMARIZE'=''
  -e 'GOOGLE_API_KEY'=''
  -e 'GOOGLE_CSE_ID'=''
  -e 'OPENID_CLIENT_ID'=''
  -e 'OPENID_CLIENT_SECRET'=''
  -e 'OPENID_ISSUER'=''
  -e 'OPENID_SESSION_SECRET'=''
  -e 'OPENID_SCOPE'=''
  -e 'OPENID_CALLBACK_URL'=''
  -e 'OPENID_BUTTON_LABEL'=''
  -e 'OPENID_IMAGE_URL'=''
  -e 'SESSION_EXPIRY'=''
  -e 'REFRESH_TOKEN_EXPIRY'=''
  -e 'EMAIL_ENCRYPTION'=''
  -e 'EMAIL_PORT'=''
  -e 'EMAIL_HOST'=''
  -e 'ENDPOINTS'=''
  -e 'PROXY'=''
  -e 'AZURE_API_KEY'=''
  -e 'BINGAI_TOKEN'=''
  -e 'CHATGPT_REVERSE_PROXY'=''
  -e 'GOOGLE_KEY'='xxxx'
  -e 'OPENROUTER_API_KEY'=''
  -e 'PLUGIN_MODELS'=''
  -e 'MEILI_MASTER_KEY'=''
  -e 'MEILI_HOST'=''
  -e 'CHECK_BALANCE'=''
  -e TAILSCALE_HOSTNAME='librechat'
  -e TAILSCALE_ALLOW_LAN_ACCESS='false'
  -e TAILSCALE_USE_SSH='false'
  -e TAILSCALE_USERSPACE_NETWORKING='false'
  -e TAILSCALE_SERVE_PORT='3080'
  -e ORG_ENTRYPOINT="docker-entrypoint.sh"
  -e ORG_CMD="npm run backend"
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='http://[IP]:[PORT:3080]/'
  -l net.unraid.docker.icon='https://github.com/ds-sebastian/unraid-templates/blob/main/icons/LibreChat.png?raw=true'
  -l net.unraid.docker.tailscale.webui='https://[hostname][magicdns]/'
  -l net.unraid.docker.tailscale.hostname='librechat'
  -p '3080:3080/tcp'
  -v '/usr/local/share/docker/tailscale_container_hook':'/opt/unraid/tailscale'
  --cap-add=NET_ADMIN
  --device='/dev/net/tun' 'ghcr.io/danny-avila/librechat-dev:latest'

12ca969a5e8da53301f7888d4c3569b6f1c76c21dd700387eb1d43d0808a7441

The command finished successfully!

Please let me know if I can provide anything further.

Which components are impacted by your request?

No response

Pictures

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Thank you for the detailed report regarding Tailscale integration with the LibreChat container.

The current Dockerfile runs the application as a non-root user (node) as a security best practice to limit potential vulnerabilities if the container were to be compromised. This is especially important for applications handling API keys and user data.

Is building the image yourself not an option? You could modify the Dockerfile locally to test the necessary changes for Tailscale support. If you do try this, it would be very helpful if you could share your working configuration - this would help us validate the exact changes needed for proper Tailscale integration.

If building locally isn't feasible, I could consider adding a separate "-tailscale" tagged image that includes the necessary modifications while maintaining the current secure default image. This would allow users to choose between the standard secure configuration and a Tailscale-compatible version.

Please let me know if you're able to test a modified build, or if you'd prefer to wait for an official Tailscale-compatible image. Your feedback would be valuable in determining the best path forward.

[rwagner3]

Hello! I'll work on building this image myself and letting you know how that goes. Give me a few days and I'll get back to you. Thanks for the quick reply.

[rwagner3]

I cloned, edited the Dockerfile, only commenting out the USER line.

LibreChat/Dockerfile

Line 11 in 24beda3

USER node

root@Tower:/mnt/datacache/temp# git clone https://github.com/danny-avila/LibreChat.git
Cloning into 'LibreChat'...
remote: Enumerating objects: 36714, done.
remote: Counting objects: 100% (6606/6606), done.
remote: Compressing objects: 100% (1026/1026), done.
remote: Total 36714 (delta 6071), reused 5580 (delta 5580), pack-reused 30108 (from 3)
Receiving objects: 100% (36714/36714), 50.54 MiB | 53.30 MiB/s, done.
Resolving deltas: 100% (26581/26581), done.
root@Tower:/mnt/datacache/temp# cd LibreChat
root@Tower:/mnt/datacache/temp/LibreChat# vim Dockerfile
root@Tower:/mnt/datacache/temp/LibreChat# vi Dockerfile
reading Dockerfile

wrote Dockerfile, 41 lines, 1129 chars
root@Tower:/mnt/datacache/temp/LibreChat# docker build -t librechat-test .
[+] Building 98.8s (12/12) FINISHED                                                          docker:default
 => [internal] load build definition from Dockerfile                                                   0.2s
 => => transferring dockerfile: 1.17kB                                                                 0.0s
 => [internal] load metadata for docker.io/library/node:20-alpine                                      0.9s
 => [internal] load .dockerignore                                                                      0.1s
 => => transferring context: 248B                                                                      0.0s
 => [1/7] FROM docker.io/library/node:20-alpine@sha256:24fb6aa7020d9a20b00d6da6d1714187c45ed00d1eb4ad  0.4s
 => => resolve docker.io/library/node:20-alpine@sha256:24fb6aa7020d9a20b00d6da6d1714187c45ed00d1eb4ad  0.0s
 => => sha256:70ad5a57af6a37edbab480a0abcd9159740bc457d4d483f1b8847f76cdc47984 6.18kB / 6.18kB         0.0s
 => => sha256:24fb6aa7020d9a20b00d6da6d1714187c45ed00d1eb4adb01395843c338b9372 7.67kB / 7.67kB         0.0s
 => => sha256:796789f15b456fb7a2245190e89f6648ae71145b3e45c84a7bf55aa50d86ff01 1.72kB / 1.72kB         0.0s
 => [internal] load build context                                                                      0.3s
 => => transferring context: 11.84MB                                                                   0.1s
 => [2/7] RUN apk --no-cache add curl                                                                  1.7s
 => [3/7] RUN mkdir -p /app && chown node:node /app                                                    0.3s
 => [4/7] WORKDIR /app                                                                                 0.1s
 => [5/7] COPY --chown=node:node . .                                                                   0.3s
 => [6/7] RUN     touch .env ;     mkdir -p /app/client/public/images /app/api/logs ;     npm config  84.7s
 => [7/7] RUN mkdir -p /app/client/public/images /app/api/logs                                         0.4s
 => exporting to image                                                                                 9.5s
 => => exporting layers                                                                                9.4s
 => => writing image sha256:3324476a6695a23ca0066689adfd934f99d65b0fa152073812df83f7744b565a           0.0s
 => => naming to docker.io/library/librechat-test                                                      0.0s

I then changed thru the Unraid docker interface for LibreChat, and changed the repo to point to the image I built, librechat-test:latest. This ran into the issue where tailscale wants a persistent state.

# docker logs LibreChat
=======================

Executing Unraid Docker Hook for Tailscale

Detecting Package Manager...
Detected Alpine Package Keeper!
Installing packages...
Please wait...
Packages installed!
Tailscale not found, downloading...
Please wait...
/tmp/tailscale/tail 100%[===================>]  28.57M  73.3MB/s    in 0.4s
Download from Tailscale version 1.78.1 successful!
Installation Done!
ERROR: Couldn't detect persistent Docker directory for .tailscale_state!
       Please enable Tailscale Advanced Settings in the Docker template and set the Tailscale State Directory manually!

I added the state dir as /var/lib/tailscale and applied it.

# docker logs LibreChat -f
=======================

Executing Unraid Docker Hook for Tailscale

Detecting Package Manager...
Detected Alpine Package Keeper!
Installing packages...
Please wait...
Packages installed!
Tailscale not found, downloading...
Please wait...
/tmp/tailscale/tail 100%[===================>]  28.57M  88.5MB/s    in 0.3s
Download from Tailscale version 1.78.1 successful!
Installation Done!
Settings Tailscale state dir to: /var/lib/tailscale
Setting host name to "librechat"
Starting tailscaled with log file location: /var/log/tailscaled
Starting tailscale

To authenticate, visit:

        https://login.tailscale.com/a/8fcd57f01ed38

Success.
WARNING: Tailscale Key will expire in 179 days.
         Navigate to https://login.tailscale.com/admin/machines and 'Disable Key Expiry' for librechat
See: https://tailscale.com/kb/1028/key-expiry
Enabling Serve! See https://tailscale.com/kb/1312/serve
Available within your tailnet:

https://librechat.X.ts.net/
|-- proxy http://localhost:3080

Serve started and running in the background.
Generating Tailscale certs! This can take some time, please wait...
Done!
Starting container...

=======================


> [email protected] backend
> cross-env NODE_ENV=production node api/server/index.js

2025-01-13 17:34:12 info: [Optional] Redis not initialized. Note: Redis support is experimental.
2025-01-13 17:34:13 info: Connected to MongoDB
2025-01-13 17:34:13 error: Config file YAML format is invalid: ENOENT: no such file or directory, open '/app/librechat.yaml'
2025-01-13 17:34:13 warn: RAG API is either not running or not reachable at undefined, you may experience errors with file uploads.
2025-01-13 17:34:13 info: No changes needed for 'USER' role permissions
2025-01-13 17:34:13 info: No changes needed for 'ADMIN' role permissions
2025-01-13 17:34:13 info: Server listening at http://librechat:3080

I confirmed that librechat registered and shows connected within my tailnet.

However, now when I attempt to go to this application on https://librechat.X.ts.net I'm getting a 502 error in the browser.

When I check the tailscale logs within the container, it appears that it is sending traffic for this service to [::1]:3080 and not my IPv4 IP address.

# docker exec -it LibreChat sh
/app # tail -n20 /var/log/tailscaled
2025/01/13 22:33:53 listening on 100.x.x.x:443
2025/01/13 22:33:53 listening on [fd7a:115c:a1e0::cc01:1201]:443
2025/01/13 22:33:54 cert("librechat.X.ts.net"): registered ACME account.
2025/01/13 22:33:54 cert("librechat.X.ts.net"): starting SetDNS call...
2025/01/13 22:34:09 cert("librechat.X.ts.net"): did SetDNS
2025/01/13 22:34:10 cert("librechat.X.ts.net"): requesting cert...
2025/01/13 22:34:11 cert("librechat.X.ts.net"): got cert
2025/01/13 22:37:28 wgengine: idle peer [s3heI] now active, reconfiguring WireGuard
2025/01/13 22:37:28 wgengine: Reconfig: configuring userspace WireGuard config (with 1/14 peers)
2025/01/13 22:37:28 magicsock: disco: node [s3heI] d:f8831090e61680f9 now using 192.168.4.113:41641 mtu=1360 tx=213277f59123
2025/01/13 22:37:28 http: proxy error: dial tcp [::1]:3080: connect: connection refused
2025/01/13 22:37:30 http: proxy error: dial tcp [::1]:3080: connect: connection refused
2025/01/13 22:39:27 Received error: PollNetMap: unexpected EOF
2025/01/13 22:39:28 control: controlhttp: forcing port 443 dial due to recent noise dial
2025/01/13 22:39:28 control: controlhttp: forcing port 443 dial due to recent noise dial
2025/01/13 22:39:28 control: controlhttp: forcing port 443 dial due to recent noise dial
2025/01/13 22:39:28 control: controlhttp: forcing port 443 dial due to recent noise dial
2025/01/13 22:39:28 control: netmap: got new dial plan from control
2025/01/13 22:40:48 http: proxy error: dial tcp [::1]:3080: connect: connection refused
2025/01/13 22:40:49 http: proxy error: dial tcp [::1]:3080: connect: connection refused

Those connection refused happen when I attempt to connect in the browser.

However, when I'm inside this container, it is listening on an IPv4 IP.

# docker exec -it LibreChat sh
/app # netstat -tuln | grep 3080
tcp        0      0 100.x.x.x:3080        0.0.0.0:*               LISTEN
/app # tailscale serve status
https://librechat.X.ts.net (tailnet only)
|-- / proxy http://localhost:3080

I'm not sure how to proceed at this point, as I'm not sure what is telling it to send to ::1

[danny-avila]

You can change the HOST env var, see if that helps