diff --git a/content/posts/taking-taildrive-testdrive/davfs-suid.png b/content/posts/taking-taildrive-testdrive/davfs-suid.png new file mode 100644 index 0000000..71a658e Binary files /dev/null and b/content/posts/taking-taildrive-testdrive/davfs-suid.png differ diff --git a/content/posts/taking-taildrive-testdrive/index.md b/content/posts/taking-taildrive-testdrive/index.md index eaea137..d78d0c1 100644 --- a/content/posts/taking-taildrive-testdrive/index.md +++ b/content/posts/taking-taildrive-testdrive/index.md @@ -1,18 +1,17 @@ --- title: "Taking Taildrive for a Testdrive" -date: 2024-07-28 +date: "2024-07-29T21:32:12Z" # lastmod: 2024-07-28 -draft: true -description: "This is a new post about..." +description: "A quick exploration of Taildrive, Tailscale's new(ish) feature to easily share directories with other machines on your tailnet without having to juggle authentication or network connectivity." featured: false toc: true reply: true -categories: Tips # Backstage, ChromeOS, Code, Self-Hosting, VMware +categories: Tips tags: - linux - tailscale --- -My little [homelab](/homelab) is perhaps a bit different from most in that I don't have any dedicated storage setup. This can sometimes make sharing files between systems a little bit tricky. I've used workarounds like [Tailscale Serve](/tailscale-ssh-serve-funnel/#tailscale-serve) for sharing files over HTTP or simply `scp`ing files around as needed, but none of those solutions are really very elegant. +My little [homelab](/homelab) is bit different from many others in that I don't have a SAN/NAS or other dedicated storage setup. This can sometimes make sharing files between systems a little bit tricky. I've used workarounds like [Tailscale Serve](/tailscale-ssh-serve-funnel/#tailscale-serve) for sharing files over HTTP or simply `scp`ing files around as needed, but none of those solutions are really very elegant. Last week, Tailscale announced [a new integration](https://tailscale.com/blog/controld) with [ControlD](https://controld.com/) to add advanced DNS filtering and security. While I was getting that set up on my tailnet, I stumbled across an option I hadn't previously noticed in the Tailscale CLI: the `tailscale drive` command: @@ -36,10 +35,10 @@ That sounded kind of neat - especially once I found the corresponding [Taildrive Oh yeah. That will be a huge simplification for how I share files within my tailnet. -I've finally had a chance to get this implemented and am pretty pleased with the results so far. Here's how I did it. +I've now had a chance to get this implemented on my tailnet and thought I'd share some notes on how I did it. ### ACL Changes -My Tailscale policy relies heavily on [ACL tags](https://tailscale.com/kb/1068/acl-tags) to manage access between systems, and especially for server nodes which don't typically have a user logging on to them directly. I don't necessarily want every system to be able to export a file share so I decided to control that capability with a new `tag:share` flag. Before I can use that tag, though, I need to [add it to the ACL](https://tailscale.com/kb/1068/acl-tags#define-a-tag): +My Tailscale policy relies heavily on [ACL tags](https://tailscale.com/kb/1068/acl-tags) to manage access between systems, especially for "headless" server systems which don't typically have users logged in to them. I don't necessarily want every system to be able to export a file share so I decided to control that capability with a new `tag:share` flag. Before I could use that tag, though, I had to [add it to the ACL](https://tailscale.com/kb/1068/acl-tags#define-a-tag): ```json { @@ -53,7 +52,7 @@ My Tailscale policy relies heavily on [ACL tags](https://tailscale.com/kb/1068/a } ``` -Next I needed to add the appropriate [node attributes](https://tailscale.com/kb/1337/acl-syntax#nodeattrs) to enable Taildrive: +Next I needed to add the appropriate [node attributes](https://tailscale.com/kb/1337/acl-syntax#nodeattrs) to enable Taildrive sharing on devices with that tag and Taildrive access for all other systems: ```json { @@ -105,6 +104,8 @@ And I created a pair of [Grants](https://tailscale.com/kb/1324/acl-grants) to gi } ``` +That will let me create/manage files from the devices I regularly work on, and easily retrieve them as needed on the others. + Then I just used the Tailscale admin portal to add the new `tag:share` tag to my existing `files` node: ![The files node tagged with `tag:internal`, `tag:salt-minion`, and `tag:share`](files-tags.png) @@ -116,7 +117,7 @@ After making the required ACL changes, actually publishing the share was very st tailscale drive share # [tl! .cmd] ``` -I (somewhat-confusingly) wanted to share a share named `share`, found at `/home/john/share`... so I used this to export it: +I (somewhat-confusingly) wanted to share a share named `share`, found at `/home/john/share` (I *might* be bad at naming things) so I used this to export it: ```shell tailscale drive share share /home/john/share # [tl! .cmd] @@ -132,24 +133,20 @@ share /home/john/share john ``` ### Mounting the Share -In order to mount the share from the Debian environment on my Chromebook, I first needed to install the `davfs2` package to add support for mounting WebDAV shares: +In order to mount the share from the Debian [Linux development environment on my Chromebook](https://support.google.com/chromebook/answer/9145439), I first needed to install the `davfs2` package to add support for mounting WebDAV shares: ```shell sudo apt update # [tl! .cmd:1] sudo apt install davfs2 ``` -I then added my user to the `davfs2` group so that I could mount WebDAV shares without needing `sudo` access: +During the install of `davfs2`, I got prompted for whether or not I want to allow unprivileged users to mount WebDAV resources. I was in a hurry and just selected the default `` response... before I realized that was probably a mistake (at least for this particular use case). -```shell -sudo usermod -aG davfs2 $USER # [tl! .cmd] -``` +So I ran `sudo dpkg-reconfigure davfs2` to try again and this time made sure to select ``: -And used `newgrp` to activate that membership without needing to log out and back in again: +![Should unprivileged users be allowed to mount WebDAV resources?](davfs-suid.png) -```shell -newgrp davfs2 # [tl! .cmd] -``` +That should ensure that the share gets mounted with appropriate privileges (otherwise, all the files would be owned by `root` and that could pose some additional challenges). I also created a folder inside my home directory to use as a mountpoint: @@ -160,15 +157,15 @@ mkdir ~/taildrive # [tl! .cmd] I knew from the [Taildrive docs](https://tailscale.com/kb/1369/taildrive) that the WebDAV server would be running at `http://100.100.100.100:8080` and the share would be available at `///`, so I added the following to my `/etc/fstab`: ```txt - http://100.100.100.100:8080/example.com/files/share /home/john/taildrive/ davfs user,rw,noauto 0 0 +http://100.100.100.100:8080/example.com/files/share /home/john/taildrive/ davfs user,rw,noauto 0 0 ``` Then I ran `sudo systemctl daemon-reload` to make sure the system knew about the changes to the fstab. -And to avoid being prompted for (unnecessary) credentials when attempting to mount the taildrive, I added this to the bottom of `~/.davfs2/secrets`: +Taildrive's WebDAV implementation doesn't require any additional authentication (that's handled automatically by Tailscale), but `davfs2` doesn't know that. So to keep it from prompting unnecessarily for credentials when attempting to mount the taildrive, I added this to the bottom of `~/.davfs2/secrets`, with empty strings taking the place of the username and password: ```txt -/home/john/taildrive john "" +/home/john/taildrive "" "" ``` After that, I could mount the share like so: @@ -189,4 +186,8 @@ drwxr-xr-x - john 16 Feb 2023 notes .rw-r--r-- 18 john 10 Jan 2023 status ``` -Neat, right? \ No newline at end of file +Neat, right? + +I'd like to eventually get this set up so that [AutoFS](https://help.ubuntu.com/community/Autofs) can handle mounting the Taildrive WebDAV share on the fly. I know that [won't work within the containerized Linux environment on my Chromebook](https://www.chromium.org/chromium-os/developer-library/guides/containers/containers-and-vms/#can-i-mount-filesystems) but I think it *should* be possible on an actual Linux system. My initial efforts were unsuccessful though; I'll update this post if I figure it out. + +In the meantime, though, this will be a more convenient way for me to share files between my Tailscale-connected systems.