Small Tailscale Builds

Table of Contents

• Overview
  • Motivation
• Tailscale Self-Update: How does it work?
• Do it yourself
  • Costs
  • Notifications
  • Fork
  • Re-create
  • Required Settings

Overview

(Temporary) Project URL: github.com/lwbt/ts_build_test

💡	This might be a good introduction to GitHub Actions. The entire functionality here is just one GitHub Actions Workflow file. Read mode about it here.

Motivation

Provide automated builds of Tailscale as described in KB: Small Tailscale for embedded devices.

• Building a combined binary of tailscale and tailscaled

• Using the build option --extra-small

• Compressing the binary with UPX

Tailscale Self-Update: How does it work?

⚠️	Self-Update does not work with these builds. Your can run the updater script with yes (yes | script) for updates.

On official builds you can use tailscale update to do a self-update, or even better Tailscale can do it for you with auto-updates.

Another popular program that uses self-updates is Syncthing, and it looks not too complicated: Update → URL.

Tailscale: runUpdate → Update → NewUpdater → Arguments.PkgsAddr → pkgs.tailscale.com. I think the updates are signed and will be verified, however I was able to modify the URL and create binaries with (broken) modified URLs.

At the moment, I’m not sure if self-updates can be implemented without touching more than just the URL in the code base. It would be nice to have, but doing such kinds of patches opens the door to do other sketchy things.

• Original URL pattern: pkgs.tailscale.com/stable/?v=1.76.6#static → pkgs.tailscale.com/stable/tailscale_1.76.6_arm64.tgz

• Custom URL pattern: github.com/lwbt/ts_build_test/releases/tag/v1.76.6 → github.com/lwbt/ts_build_test/releases/download/v1.76.6/tailscaled-linux-arm64

ℹ️

Just a quick test with sed sed -i 's|https://pkgs.tailscale.com|https://github.com/lwbt/ts_build_test/releases/download|' "clientupdate/clientupdate.go" --- a/clientupdate/clientupdate.go +++ b/clientupdate/clientupdate.go @@ -91,7 +91,7 @@ type Arguments struct { // update is aborted. Confirm func(newVer string) bool // PkgsAddr is the address of the pkgs server to fetch updates from. - // Defaults to "https://pkgs.tailscale.com". + // Defaults to "https://github.com/lwbt/ts_build_test/releases/download". PkgsAddr string // ForAutoUpdate should be true when Updater is created in auto-update // context. When true, NewUpdater returns an error if it cannot be used for @@ -161,7 +161,7 @@ func NewUpdater(args Arguments) (*Updater, error) { } } if up.Arguments.PkgsAddr == "" { - up.Arguments.PkgsAddr = "https://pkgs.tailscale.com" + up.Arguments.PkgsAddr = "https://github.com/lwbt/ts_build_test/releases/download" } return &up, nil } @@ -494,7 +494,7 @@ func updateDebianAptSourcesList(dstTrack string) (rewrote bool, err error) { } func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []byte, err error) { - trackURLPrefix := []byte("https://pkgs.tailscale.com/" + dstTrack + "/") + trackURLPrefix := []byte("https://github.com/lwbt/ts_build_test/releases/download/" + dstTrack + "/") var buf bytes.Buffer var changes int bs := bufio.NewScanner(bytes.NewReader(was)) @@ -602,7 +602,7 @@ func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) { } urlRe := regexp.MustCompile(`^(baseurl|gpgkey)=https://pkgs\.tailscale\.com/(un)?stable/`) - urlReplacement := fmt.Sprintf("$1=https://pkgs.tailscale.com/%s/", dstTrack) + urlReplacement := fmt.Sprintf("$1=https://github.com/lwbt/ts_build_test/releases/download/%s/", dstTrack) s := bufio.NewScanner(bytes.NewReader(was)) newContent := bytes.NewBuffer(make([]byte, 0, len(was))) @@ -1183,7 +1183,7 @@ type trackPackages struct { } func latestPackages(track string) (*trackPackages, error) { - url := fmt.Sprintf("https://pkgs.tailscale.com/%s/?mode=json&os=%s", track, runtime.GOOS) + url := fmt.Sprintf("https://github.com/lwbt/ts_build_test/releases/download/%s/?mode=json&os=%s", track, runtime.GOOS) res, err := http.Get(url) if err != nil { return nil, fmt.Errorf("fetching latest tailscale version: %w", err)

Do it yourself

Costs

• Billing Summary — Pipeline minutes and packages

• Spending Limits — By default it should have a spending limit of 0, so you will not get billed but the functionalities will stop working when exceeding a limit. I have to figure out by myself how much on an impact this has, a I currently interpret it, I won’t hit the monthly pipeline minutes limit and outgoing data transfer for public packages seems to be free?

Pipeline consumption:

• You can run the check every hour which takes about 30 seconds

• If a build is created it will take about a total of 7 minutes, 2 minutes per architecture, and you will be "billed" 7 minutes, which means you will have 7 minutes left to use this month

Notifications

If you clone the repository and run the workflow on your account, you will receive email from GitHub when a new release was created. You will also see that, while the cron definition says run every hour at 00 Minutes, that a runner will sometimes start and complete a few minutes later.

Fork

TODO

Re-create

Here are the basic individual steps if you don’t want to fork:

# Login to GitHub (necessary on the first run)
gh auth login -h github.com -p HTTPS -w

# Create a new repo on GitHub
REPO="ts_build_test"
gh repo create ${REPO} --private

# Verify that the new repo exists
gh repo list

# TODO
# Do a git clone of the new repo here? GH already gives you the URL.

# Create folder structure for workflows
mkdir -pv .github/workflows

# TODO
# Do a git push of the new repo here?

Required Settings

Setting → Actions → General → Workflow permissions → "Read and write permissions" (default: "Read repository contents and packages permissions")

OWNER="lwbt"
REPO="ts_build_test"
gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/${OWNER}/${REPO}/actions/permissions/workflow \
  -f default_workflow_permissions='write'

Set default workflow permissions for a repository