ipn/ipnlocal: skip TKA bootstrap request if Tailnet Lock is unavailable

alexwlchan · alexwlchan · commit d47c697748ec · 2025-10-24T15:29:07.000+01:00
If you run tailscaled without passing a `--statedir`, Tailnet Lock is unavailable -- we don't have a folder to store the AUMs in. This causes a lot of unnecessary requests to bootstrap TKA, because every time the node receives a NetMap with some TKA state, it tries to bootstrap, fetches the bootstrap TKA state from the control plane, then fails with the error: TKA sync error: bootstrap: network-lock is not supported in this configuration, try setting --statedir We can't prevent the error, but we can skip the control plane request that immediately gets dropped on the floor. In local testing, a new node joining a tailnet caused *three* control plane requests which were unused. Updates tailscale/corp#19441 Signed-off-by: Alex Chan <alexc@tailscale.com>
diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go
@@ -288,6 +288,10 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 		return nil
 	}
 
+	if err := b.CanSupportNetworkLock(); err != nil {
+		return err
+	}
+
 	isEnabled := b.tka != nil
 	wantEnabled := nm.TKAEnabled
 

Original file line number	Diff line number	Diff line change
`@@ -288,6 +288,10 @@ func (b LocalBackend) tkaSyncIfNeeded(nm netmap.NetworkMap, prefs ipn.PrefsVie`
`288`	`288`	`return nil`
`289`	`289`	`}`
`290`	`290`
	`291`	`+ if err := b.CanSupportNetworkLock(); err != nil {`
	`292`	`+ return err`
	`293`	`+ }`
	`294`	`+`
`291`	`295`	`isEnabled := b.tka != nil`
`292`	`296`	`wantEnabled := nm.TKAEnabled`
`293`	`297`