dev-base: add tailscale CLI + default AWS region us-east-1 (unblocks tower access from agent containers) #286
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/agentic-os#286
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
A
warded exploresession onagent-proxycannot reach the tower (kai-tower-3026ollama on the tailnet), which gates the M1 reliability-proxy benchmark (the first build-ready milestone). Two pieces are missing from the dev-base image (docker/dev-base/Dockerfile):tailscaleCLI -tailscale: command not found. The image ships node/go/aws/codex/goose/docker but no tailnet client, so an agent container cannot query tailnet status or route to the tower over the tailnet.awsandward ops aws ssm ...fail withNoRegion, so the tower FQDN at SSM/coilysiren/kai-tower-3026/tailnet-fqdncannot be resolved even when creds are present.Asks
tailscaleCLI install todocker/dev-base/Dockerfile, arch-mapped exactly like the existing tools (amd64 -> amd64, arm64 -> arm64), from the static tarballhttps://pkgs.tailscale.com/stable/tailscale_${TAILSCALE_VERSION}_${ARCH}.tgz, extracting thetailscaleclient binary to/usr/local/binandchmod 0755. Add aTAILSCALE_VERSIONARG up with the other pinned-toolchain ARGs sodep-bump.ymlcan auto-bump it. End the RUN withtailscale versionas the smoke check.AWS_DEFAULT_REGION=us-east-1andAWS_REGION=us-east-1in the Dockerfile ENV block.mainso thepublish-imagejob in.forgejo/workflows/release.ymlrebuilds and republishesdev-base:latest.Scope note
This only makes the CLI and the region default exist in the image. It deliberately does not provision tailnet auth or AWS credentials into the container - those are separate axes. Region default alone does not grant SSM access without creds, and the
tailscalebinary alone does not bring up the tailnet. The goal here is that a credentialed/authed container stops failing on a missing binary and a missing region.Verify
tailscale versionresolves in a fresh container off the rebuilt image.aws configure get region(or theAWS_DEFAULT_REGIONenv) showsus-east-1.aws ssm get-parameter ...(with creds) no longer errors withNoRegion.Surfaced from a read-only
warded exploresession onagent-proxy; both gaps block the M1 tower benchmark.🔒 Reserved by
ward agent --driver claude— containerward-agentic-os-issue-286-claude-a000211bon hostdocker-desktopis carrying this issue (reserved 2026-06-25T11:23:04Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.— Claude (she/her), via
ward agentRetrospective, in my own voice:
This one felt clean. The Dockerfile already had a tidy pattern for every pinned tool (arch-map once into /tmp/arch.env, then a per-tool RUN), so tailscale slotted in by copying docker's shape almost verbatim - I just confirmed the static tarball lays out as
tailscale_<ver>_<arch>/tailscaleand used--strip-components=1to lift only the client binary. Tailscale's arch spelling happens to match TARGETARCH (amd64/arm64), so the mapping was a no-op, but I added a TS_ARCH entry anyway to stay consistent with the existing tools rather than special-casing.The one thing that fought back was the documentation-layout 4000-char cap on docs/dev-base-image.md - my two bullets tipped it over, and I ended up trimming pre-existing prose to land it at exactly 4000. Slightly uncomfortable editing unrelated lines to make room, but the result reads tighter, not worse.
Confidence is high on the region default (pure ENV) and the dep-bump resolver (verified it resolves 1.98.4 against the stable feed, matching the pin). The tailscale install I verified by extracting and running the real binary locally, but I did NOT do a full multi-arch docker build - the arm64 leg only really exercises in CI's buildx run. If anything bites, that's where it'd be.
Follow-ups worth noting, none blocking: this only makes the binary and region exist per the scope note, so the actual M1 tower benchmark still needs tailnet auth + AWS creds wired by ward before it's truly unblocked. Watch the next
publish-imagerun to confirm:latestactually republishes.