If someone else hits the same or a similar issue, our workaround is to let Tailscale start last and to add a fixed delay before starting it. This seems to work consistently.
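tailscale:
  image: tailscale-image
  # Tailscale must start late so it can fix iptables after balena has booted;
  # the 30 s sleep is the ordering workaround described above.
  #
  # Exec-form command with a literal block scalar: the script is passed to
  # `sh -c` as one argument without going through compose's shell-splitting
  # of a double-quoted string, so the quoting inside it is plain shell.
  # NOTE(review): vanilla docker-compose interpolates `$VAR` from the host
  # environment at parse time (escape as `$$VAR` there); on balena these are
  # read by the container shell at runtime — confirm if this file is reused
  # outside balena.
  command:
    - sh
    - -c
    - |
      sleep 30
      # Quoted so an unset/empty key is an explicit empty-string test rather
      # than relying on `[ -z ]` with no operand happening to return true.
      if [ -z "$TAILSCALE_KEY" ]; then
        echo 'Set TAILSCALE_KEY to activate.'
        sleep infinity
      else
        # tailscale up needs a running tailscaled, so it is issued from a
        # background subshell after a further 10 s while tailscaled holds
        # the foreground (and therefore the container's restart semantics).
        # The auth key is visible on the command line while `tailscale up`
        # runs; prefer a one-off (non-reusable) key for that reason.
        (sleep 10 && tailscale up --accept-routes --advertise-routes="$TAILSCALE_SUBNETS" --authkey="$TAILSCALE_KEY" --hostname="$BALENA_DEVICE_NAME_AT_INIT") &
        tailscaled --state /data/tailscaled.state
      fi
  restart: always
  network_mode: host
  # The hope is that balena makes its network changes after all services have
  # started, including this one, and the 30 s delay means Tailscale's rules
  # are applied last consistently.
  depends_on:
    - everyOtherContainer
  # privileged already grants every capability, so cap_add below is redundant.
  # NET_ADMIN plus the tun device is usually enough for tailscaled — TODO confirm
  # on balena before dropping privileged.
  privileged: true
  cap_add:
    - NET_ADMIN
  volumes:
    - 'data-volume:/data'
  devices:
    - /dev/net/tun:/dev/net/tun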