
Commit be96098

platform: tailnet join must not accept DNS
Tailscale's --accept-dns=true rewrites /etc/resolv.conf to point only at 100.100.100.100 (MagicDNS). k3s hands that file to pods via the kubelet, and the pod subnet cannot route to Tailscale's in-kernel resolver — every DNS query inside a pod times out (symptom: Flux source-controller logging 'dial tcp: lookup github.com: i/o timeout').

Fix by dropping --accept-dns to false in bootstrap-tailnet.sh. Tailnet hosts are still reachable on their 100.64.* addresses and via `tailscale status`, we just don't inherit MagicDNS at resolv.conf level.

If you previously joined with accept-dns enabled, fix the running node with: `sudo tailscale set --accept-dns=false`
1 parent 0401e9f commit be96098
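A check for the failure mode the commit describes, added here as an example and not part of the repository's bootstrap script: it reads a resolv.conf and reports whether every nameserver is 100.100.100.100, which is exactly what a pod inheriting the file would be left with. The sample files are constructed, and POSIX sh plus awk are assumed.

```shell
#!/usr/bin/env sh
# Added example (not the repository's bootstrap-tailnet.sh): detect a node whose
# resolv.conf names only Tailscale's MagicDNS address, the state that makes every
# pod DNS lookup time out once k3s hands the file to pods.
# Assumes POSIX sh and awk; the resolv.conf path is the only input.

MAGICDNS_IP=100.100.100.100

# Print nameserver addresses from a resolv.conf, one per line; comment lines
# and other directives (search, options) are skipped.
resolv_nameservers() {
  awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Succeed (exit 0) only in the broken state: one or more nameservers and all of
# them equal to MagicDNS. A file with no nameservers or a mixed list is not flagged.
resolv_only_magicdns() {
  awk -v ip="$MAGICDNS_IP" '
    $1 == "nameserver" && $2 != "" { total++; if ($2 != ip) others++ }
    END { if (total > 0 && others == 0) exit 0; exit 1 }' "$1"
}

# One-line verdict per file, with the remediation from the commit message.
audit_resolv() {
  if resolv_only_magicdns "$1"; then
    echo "BROKEN: $1 lists only $MAGICDNS_IP; pods inheriting it will time out on DNS"
    echo "        fix: sudo tailscale set --accept-dns=false"
    return 1
  fi
  echo "OK: $1 is not MagicDNS-only"
}

# Constructed sample files standing in for /etc/resolv.conf on two nodes:
# one joined with --accept-dns=true, one left with the distro's resolver.
SAMPLE_DIR=$(mktemp -d)
printf 'nameserver 100.100.100.100\nsearch example.ts.net\n' > "$SAMPLE_DIR/accept-dns-true.conf"
printf '# generated by the distro\nnameserver 10.0.0.53\n' > "$SAMPLE_DIR/healthy.conf"

audit_resolv "$SAMPLE_DIR/accept-dns-true.conf" || true
audit_resolv "$SAMPLE_DIR/healthy.conf"
```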

1 file changed: +6 -1 lines

platform/scripts/bootstrap/bootstrap-tailnet.sh

Lines changed: 6 additions & 1 deletion
@@ -50,10 +50,15 @@ printf '%s\n' "${TS_AUTH_KEY}" |
5050
"${ssh_args[@]}" "${ssh_target}" '
5151
read -r TS_AUTH_KEY
5252
sudo systemctl enable --now tailscaled >/dev/null
53+
# accept-dns=false: otherwise MagicDNS overwrites /etc/resolv.conf with
54+
# 100.100.100.100 only, which k3s then passes to pods — and the pod
55+
# subnet cannot reach the Tailscale kernel resolver, so every pod DNS
56+
# lookup times out. We keep tailnet hostnames resolvable on the host
57+
# via `tailscale status` / explicit `100.64.*.*` use instead.
5358
sudo env TS_AUTH_KEY="${TS_AUTH_KEY}" tailscale up \
5459
--auth-key="${TS_AUTH_KEY}" \
5560
--hostname="'"${NODE_NAME}"'" \
56-
--accept-dns=true
61+
--accept-dns=false
5762
'
5863

5964
"${ssh_args[@]}" "${ssh_target}" "tailscale status"
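Review bot: the added comment overstates what survives the flag flip: "We keep tailnet hostnames resolvable on the host via `tailscale status`" is not accurate, because with --accept-dns=false nothing on the host resolves MagicDNS names; `tailscale status` only lists peers with their 100.64.* addresses, which is how the commit message itself describes it. Suggest rewording those two comment lines to match, e.g. `# Peers stay reachable on their 100.64.* addresses (see tailscale status);` and `# MagicDNS names are simply not resolvable on the host.` It is also worth saying in the comment that nodes joined before this change keep the old preference until someone runs the `sudo tailscale set --accept-dns=false` from the commit message, since nothing in this script does that for them.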
