test,.github/workflows: add a test and CI action

Exercise the configuration and see if tailscaled is started.
Various improvements to UX included as necessary for debugging and
implementing the test.

Updates #10

Author: raggi

.github/workflows/test.yaml

@@ -0,0 +1,22 @@
+name: Test Devcontainer Feature
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test-feature:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Dev Container CLI
+        run: |
+          npm install -g @devcontainers/cli
+
+      - name: Run tests
+        run: |
+          npx @devcontainers/cli features test

README.md

@@ -9,7 +9,6 @@ To get started, add the following [feature](https://docs.github.com/en/codespace
 to your `devcontainer.json`:
 
 ```json
-"runArgs": ["--device=/dev/net/tun"],
 "features": {
   "ghcr.io/tailscale/codespace/tailscale": {
     "version": "latest"

src/tailscale/devcontainer-feature.json

@@ -6,7 +6,7 @@
   "documentationURL": "https://tailscale.com/kb/1160/github-codespaces/",
   "licenseURL": "https://github.com/tailscale/codespace/blob/main/LICENSE",
   "entrypoint": "/usr/local/sbin/tailscaled-entrypoint",
-  "capAdd": ["NET_ADMIN", "NET_RAW"],
+  "capAdd": ["NET_ADMIN", "NET_RAW", "MKNOD"],
   "options": {
     "version": {
       "type": "string",

src/tailscale/install.sh

@@ -3,7 +3,7 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-set -euo pipefail
+set -xeuo pipefail
 
 platform=$(uname -m)
 if [ "$platform" = "x86_64" ]; then
@@ -15,14 +15,41 @@ else
     exit 1
 fi
 
+CURL_INSTALL_ATTEMPTED=""
+install_curl() {
+  CURL_INSTALL_ATTEMPTED=1
+
+  if type apt-get > /dev/null 2>/dev/null; then
+    apt-get update
+    # install recommends left on so we get ca-certificates.
+    apt-get -y install curl
+  elif type microdnf > /dev/null 2>/dev/null; then
+    microdnf makecache
+    microdnf -y install --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 curl
+  elif type dnf > /dev/null 2>/dev/null; then
+    dnf check-update
+    dnf -y install --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 curl
+  elif type yum > /dev/null 2>/dev/null; then
+    yum -y install --noplugins --setopt=install_weak_deps=0 curl
+  else
+    2> echo "Unknown platform, can not automate curl install. curl is required to download tailscale"
+    return 1
+  fi
+}
+
 download() {
   if command -v curl &> /dev/null; then
-    curl -fsSL "$1"
+    curl -fsSL "$@"
   elif command -v wget &> /dev/null; then
-    wget -qO - "$1"
+    wget -qO - "$@"
   else
-    echo "Must install curl or wget to download $1" 1&>2
-    return 1
+    if [[ -z "$CURL_INSTALL_ATTEMPTED" ]]; then
+      install_curl >&2
+      download "$@"
+    else
+      echo "Must install curl or wget to download $1" >&2
+      return 1
+    fi
   fi
 }
 

src/tailscale/tailscaled-entrypoint.sh

@@ -3,31 +3,73 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-set -euxo pipefail
+check_userspace() {
+  if [[ ! -c /dev/net/tun ]]; then
+    >&2 cat - <<-EOF
+Error: /dev/net/tun is missing and could not be created!
+
+taiilscaled will fail to start.
+
+You can start tailscaled manually in userspace mode, see:
+  https://tailscale.com/kb/1112/userspace-networking
+EOF
+  fi
+}
 
 # Note: It is not recommended that users copy this setting into other
 # environments, the feature is in test and will be formally released in the
 # future, debug flags may later be recycled for other purposes leading to
 # unexpected behavior.
 export TS_DEBUG_FIREWALL_MODE=auto
+TAILSCALED_PID=""
+TAILSCALED_SOCK=/var/run/tailscale/tailscaled.sock
+TAILSCALED_LOG=/var/log/tailscaled.log
 if [[ "$(id -u)" -eq 0 ]]; then
-  mkdir -p /workspaces/.tailscale || true
-  2>/dev/null >/dev/null \
+  if [[ ! -c /dev/net/tun ]]; then
+    mkdir -p /dev/net
+    mknod /dev/net/tun c 10 200
+  fi
+  check_userspace
+  mkdir -p /workspaces/.tailscale /var/log
+  touch $TAILSCALED_LOG
+  >$TAILSCALED_LOG 2>&1 \
     /usr/local/sbin/tailscaled \
     --statedir=/workspaces/.tailscale/ \
-    --socket=/var/run/tailscale/tailscaled.sock \
+    --socket=$TAILSCALED_SOCK \
     --port=41641 &
+  TAILSCALED_PID=$!
 elif command -v sudo > /dev/null; then
-  sudo --non-interactive mkdir -p /workspaces/.tailscale
-  2>/dev/null >/dev/null \
+  if [[ ! -c /dev/net/tun ]]; then
+    sudo --non-interactive mkdir -p /dev/net
+    sudo --non-interactive mknod /dev/net/tun c 10 200
+  fi
+  check_userspace
+  sudo --non-interactive mkdir -p /workspaces/.tailscale /var/log
+  sudo --non-interactive touch $TAILSCALED_LOG
+  >$TAILSCALED_LOG 2>&1 \
     sudo --non-interactive "TS_DEBUG_FIREWALL_MODE=$TS_DEBUG_FIREWALL_MODE" \
     /usr/local/sbin/tailscaled \
     --statedir=/workspaces/.tailscale/ \
-    --socket=/var/run/tailscale/tailscaled.sock \
+    --socket=$TAILSCALED_SOCK \
     --port=41641 &
+  TAILSCALED_PID=$!
 else
   >&2 echo "tailscaled could not start as root."
 fi
 unset TS_DEBUG_FIREWALL_MODE
 
+if [[ -n "$TAILSCALED_PID" ]]; then
+  count=100
+  while ((count--)); do
+    [[ -f $TAILSCALED_SOCK ]] && break
+    sleep 0.01
+
+    if ! kill -0 "$TAILSCALED_PID"; then
+      >&2 echo "ERROR: tailscaled exited during startup, logs follow:"
+      >&2 cat $TAILSCALED_LOG
+      break
+    fi
+  done
+fi
+
 exec "$@"

test/tailscale/test.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright (c) 2025 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+set -e
+
+tailscale version --daemon