Overview
This guide provides a detailed configuration for running Livebook in a Docker container while using Tailscale as the identity provider. Livebook is an interactive notebook platform that allows users to write and execute Elixir code, and Tailscale enables secure access to the Livebook instance over a private network.
Prerequisites
Before proceeding, ensure you have the following:
- Docker installed on your machine.
- A Tailscale account and the Tailscale CLI installed in your Docker image or on your host.
- Basic knowledge of Docker commands and networking.
Step-by-Step Configuration
1. Create Docker Volumes
Create persistent volumes for Livebook data and configuration to ensure that your work is saved across container restarts.
docker volume create livebook-data
docker volume create livebook-config
2. Run Tailscale in a Docker Container
You need to run Tailscale in a container to establish a connection with your Tailscale network. Use the following command:
docker run -d --name tailscaled \
--privileged \
--cap-add NET_ADMIN \
--cap-add NET_RAW \
-v /dev/net/tun:/dev/net/tun \
-v /var/lib/tailscale:/var/lib/tailscale \
-e TS_AUTHKEY="your_auth_key" \
tailscale/tailscale:latest
Replace "your_auth_key" with a valid Tailscale auth key. This command sets up Tailscale with necessary permissions and state persistence.
3. Run Livebook with Tailscale Integration
Next, run Livebook in a separate container, ensuring it uses the Tailscale socket for authentication:
#!/bin/bash
exec docker run \
--rm \
--name "livebook" \
--hostname "livebook" \
-e LIVEBOOK_IP="$(tailscale ip -4)" \
-e LIVEBOOK_PORT=8855 \
-e LIVEBOOK_IFRAME_PORT=8856 \
-e LIVEBOOK_IDENTITY_PROVIDER=tailscale:/var/run/tailscale/tailscaled.sock \
-e LIVEBOOK_TOKEN_ENABLED=false \
-v livebook-data:/data \
-v livebook-config:/home/livebook/.local/share/livebook \
-v /run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock \
-v /usr/bin/tailscale:/usr/bin/tailscale:ro \
--net host \
--pull always \
ghcr.io/livebook-dev/livebook:edge
Explanation of Parameters
- --rm: Automatically remove the container when it exits.
- --name "livebook": Assigns a name to the container for easier management.
- --hostname "livebook": Sets the hostname inside the container.
- -e LIVEBOOK_IP="$(tailscale ip -4)": Sets the Livebook IP to your Tailscale IP address.
- -e LIVEBOOK_PORT=8855: Specifies the port for Livebook.
- -e LIVEBOOK_IFRAME_PORT=8856: Specifies the port for iframe access.
- -e LIVEBOOK_IDENTITY_PROVIDER=tailscale:/var/run/tailscale/tailscaled.sock: Configures Tailscale as the identity provider using its socket.
- -e LIVEBOOK_TOKEN_ENABLED=false: Disables token-based authentication.
- -v livebook-data:/data: Mounts persistent storage for Livebook data.
- -v livebook-config:/home/livebook/.local/share/livebook: Mounts persistent storage for Livebook configuration files.
- --net host: Uses the host network stack, allowing direct access to network interfaces.
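Because the step 3 script disables token authentication and uses the host network stack, it is worth confirming beforehand that `tailscale ip -4` returns a tailnet address and that the socket it bind-mounts from /run/tailscale/tailscaled.sock exists on the host. The script below is an added example, not part of the original guide or of the Livebook or Tailscale projects; the function names `is_tailnet_ipv4` and `preflight`, the `--check` argument and the file name `preflight.sh` are assumptions, and it relies on Tailscale assigning IPv4 addresses from 100.64.0.0/10.

```shell
#!/bin/sh
# Added example (not from the guide): preflight checks for the step 3 script.
# Function names and the --check argument are hypothetical.

# Succeeds only if $1 is a dotted-quad IPv4 address inside 100.64.0.0/10
# (100.64.0.0 - 100.127.255.255), the range Tailscale assigns IPv4 addresses from.
is_tailnet_ipv4() {
  case "$1" in
    '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into $1..$4 (function-local positionals)
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# preflight IP SOCKET: returns 0 when it is safe to start Livebook, otherwise
# 2 (no address), 3 (address outside the tailnet) or 4 (socket missing).
preflight() {
  pf_ip=$1; pf_sock=$2
  if [ -z "$pf_ip" ]; then
    echo "no Tailscale IPv4 address; LIVEBOOK_IP would be empty" >&2; return 2
  fi
  if ! is_tailnet_ipv4 "$pf_ip"; then
    echo "$pf_ip is outside 100.64.0.0/10; Livebook would not be bound to the tailnet" >&2
    return 3
  fi
  if [ ! -S "$pf_sock" ]; then
    echo "$pf_sock is not a Unix socket; the identity provider cannot reach tailscaled" >&2
    return 4
  fi
  return 0
}

# Live check against this host, only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight "$(tailscale ip -4 2>/dev/null | head -n 1)" /run/tailscale/tailscaled.sock \
    && echo "preflight ok: safe to run the Livebook container"
fi
```

Run it with `--check` on the Docker host before the step 3 script, and start Livebook only if it exits with status 0.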
4. Accessing Livebook
Once both containers are running, you can access Livebook by navigating to http://<Tailscale_IP>:8855 in your web browser. Replace <Tailscale_IP> with your actual Tailscale IP address.
5. Security Considerations
Ensure that your Tailscale auth key has appropriate permissions and consider rotating it periodically for enhanced security. Additionally, keep your Docker images updated to benefit from security patches.
Conclusion
By following this guide, you can successfully run Livebook in a Docker container with Tailscale as your identity provider. This setup allows you to securely access your Livebook instance from anywhere while maintaining control over who can access it through Tailscale’s authentication mechanisms.