
DNS not working

Open VictorioBerra opened this issue 1 year ago • 10 comments

name: Deploy to VM

on:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - '*'

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:

      - uses: actions/checkout@master

      - uses: actions/setup-node@v4
        with: 
          node-version: 20

      - name: Build
        run: |
          npm ci
          npm run generate

      - name: Tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:ci
          version: 1.66.4

      - name: netmap
        run: |
          tailscale status
          ping -c 4 ${{ secrets.HOST }}

      - name: copy file via ssh
        uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          source: '.output/public/*'
          target: '/home/dockeruser/abc/pb_public/'
          overwrite: true
          strip_components: 2

The tailscale status and ping -c 4 ${{ secrets.HOST }} all work great. HOST is one of the node machine names.

appleboy/scp-action@master gives me:

2024/06/02 20:59:42 error copy file to dest: ***, error message: dial tcp: lookup *** on 1111.222.333.444:53: no such host

I have solved this with an action to get and set the IP to output variables:

      - name: netmap
        id: tailscale-netmap
        run: |
          ip=$(tailscale status | grep '${{ secrets.HOST }}' | awk '{print $1}')
          echo "LINODE_IP=$ip" >> "$GITHUB_OUTPUT"

      - name: copy file via ssh
        uses: appleboy/[email protected]
        with:
          host: ${{ steps.tailscale-netmap.outputs.LINODE_IP }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          source: '.output/public//${{ github.sha }}'
          target: '/home/dockeruser/failreactor/'
          overwrite: true
          strip_components: 2

This is obviously super lame. What am I doing wrong?

VictorioBerra avatar Jun 02 '24 22:06 VictorioBerra
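
A stricter form of the lookup step in the post above, as an added example that is not part of the original thread: it matches the machine name exactly in the second column of `tailscale status` output instead of by substring, and emits an address only when exactly one peer matches and the address lies in the Tailscale range 100.64.0.0/10. The function name `resolve_tailnet_ip` and the sample status lines are constructed for illustration, and the host is assumed to reach the script through the step's `env:` block rather than being interpolated into it.

```shell
#!/bin/sh
# resolve_tailnet_ip HOST: read `tailscale status` output on stdin and print
# the IPv4 address of the peer whose machine name is exactly HOST.
# Returns non-zero on no match, on more than one match, or when the address
# is outside 100.64.0.0/10.
resolve_tailnet_ip() {
    awk -v host="$1" '
        # Column 1 is the peer address, column 2 the machine name.
        $2 == host { n++; ip = $1 }
        END {
            if (n != 1) exit 1
            if (split(ip, o, ".") != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            # 100.64.0.0/10 covers 100.64.0.0 through 100.127.255.255.
            if (o[1] + 0 != 100 || o[2] + 0 < 64 || o[2] + 0 > 127) exit 1
            print ip
        }'
}

# Constructed sample of `tailscale status` output (not from a real tailnet).
# A substring grep for "web" would return two lines here.
SAMPLE_STATUS='100.101.102.103 runner       tagged-devices linux -
100.64.0.7      web          tagged-devices linux -
100.64.0.8      web-staging  tagged-devices linux -
192.0.2.10      rogue        tagged-devices linux -'

# In a workflow step, with HOST supplied through env:
#   ip=$(tailscale status | resolve_tailnet_ip "$HOST") || exit 1
#   echo "HOST_IP=$ip" >> "$GITHUB_OUTPUT"
if ip=$(printf '%s\n' "$SAMPLE_STATUS" | resolve_tailnet_ip web); then
    echo "web -> $ip"
fi
```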

@VictorioBerra Did you find a better workaround? I just hit this on a project using split dns with internal domains, although I'm using internal devices that don't have tailscale installed but their routes are being broadcasted.

tyvsmith avatar Aug 03 '24 21:08 tyvsmith

@tyvsmith I did not. I am still using the above solution. I believe this needs to be fixed properly by the tailscale action.

VictorioBerra avatar Aug 03 '24 21:08 VictorioBerra

@VictorioBerra I wonder if it's an issue with appleboy/scp-action and appleboy/ssh-action. I saw some logs from that action resolving to unexpected IPs instead of internal ones, but other standard command line commands run fine and resolve the host like I'd expect.

I ended up with this version based on yours since I need ipv4 hosts without tailscale installed.

    - name: netmap
      id: tailscale-netmap
      run: |
        ip=$(ping -4 -c 1 '${{ env.HOST }}' | grep -oP '(?<=\().*?(?=\))' | head -n 1)
        echo "HOST_IP=$ip" >> "$GITHUB_OUTPUT"

tyvsmith avatar Aug 03 '24 22:08 tyvsmith

@tyvsmith that is a good point, I did not troubleshoot that angle. How are your hosts available on your network without tailscale installed?

VictorioBerra avatar Aug 03 '24 22:08 VictorioBerra

@VictorioBerra I have the Tailscale client serving a vlan route with other machines, override the domain with split dns in tailscale admin pointing to the local dns server, and can access by local ip or local hostname using a secret ssh key.

tyvsmith avatar Aug 03 '24 22:08 tyvsmith

I had the same issue today, but figured out that using the long DNS name of the machine worked for some reason. So instead of ssh -o StrictHostKeyChecking=no <username>@<machine> "echo 123"

Then this worked ssh -o StrictHostKeyChecking=no <username>@<machine>.<tailnet-id>.ts.net "echo 123"

Just in case someone else has a Docker issue: Specifically, I had an issue in the Docker context using SSH. To fix my issue, I had to use the long DNS name with the tailnet name. Then, because I could not figure out how to pass StrictHostKeyChecking=no to ssh through docker, I had to add the host to the known_hosts file.

      - name: Add SSH key to known_hosts
        run: |
          mkdir -p ~/.ssh
          ssh-keyscan -H ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts

      - name: Ensure ssh works and docker is installed
        run: |
          ssh ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} "docker --version"

      - name: "Deploy container"
        run: |
          docker context create docker-host --docker "host=ssh://${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}"
          docker --context docker-host compose up --build -d
          docker context rm docker-host || true

PatrickMatthiesen avatar Aug 20 '25 15:08 PatrickMatthiesen
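
`ssh-keyscan` records whatever key is presented at scan time, so this added example (not part of the original thread) appends a scanned line to known_hosts only when its key type and key equal a value pinned in advance, for instance one stored as a repository secret. The function name `pin_known_host`, the host name and the key strings are constructed placeholders; only fields 2 and 3 are compared, so it also works with the hashed host names that `ssh-keyscan -H` writes.

```shell
#!/bin/sh
# pin_known_host PINNED FILE: read ssh-keyscan output on stdin and append to
# FILE only the line whose "keytype base64key" equals PINNED.
# Returns non-zero, writing nothing, if no scanned key matches.
pin_known_host() {
    pinned=$1
    file=$2
    match=$(awk -v want="$pinned" '
        /^#/ { next }                       # skip banner comment lines
        ($2 " " $3) == want { print; exit } # first matching line only
    ') || return 1
    [ -n "$match" ] || return 1
    printf '%s\n' "$match" >> "$file"
}

# Constructed values for illustration; none of these is a real key.
PINNED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPINNEDKEY000000000000000'
SCAN_OK='host.example.ts.net ssh-rsa AAAAB3NzaC1yc2EXAMPLERSAKEY
host.example.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPINNEDKEY000000000000000'
SCAN_SPOOFED='host.example.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOTHERKEY0000000000000000'

# In a workflow step, with SSH_HOST and SSH_HOST_KEY supplied through env:
#   mkdir -p ~/.ssh
#   ssh-keyscan "$SSH_HOST" | pin_known_host "$SSH_HOST_KEY" ~/.ssh/known_hosts
if printf '%s\n' "$SCAN_OK" | pin_known_host "$PINNED_KEY" /dev/null; then
    echo "scanned key matches the pinned key"
fi
```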

> @VictorioBerra Did you find a better workaround? I just hit this on a project using split dns with internal domains, although I'm using internal devices that don't have tailscale installed but their routes are being broadcasted.

Hey @VictorioBerra @tyvsmith we're running the exact same setup and running into the same issue. Did you manage to figure out a workaround?

jurasmj avatar Nov 20 '25 16:11 jurasmj

My issue was having the exit node enabled or I didn't have that flag to allow lan set but in short it was all fixed related to running the tailscale command. No tinkering needed outside of the tailscale command

VictorioBerra avatar Nov 20 '25 17:11 VictorioBerra
