Force reauthentication when tailscale explicitly complains about login server change

[lmagyar]

Proposed Changes

Solution for "login server change" and "we must add --force-reauth to tailscale up" issue:

• wait only in the Starting state, and move on in each other state (in effect this means we move on in NoState (after a restart after an unsuccessful login)
• if TS complains about login server option change (by capturing stderr), then, and only then add the --force-reauth flag, and do a tailscale up again

Positive side-effects:

• it's automatic
• if the logic fails, it fails on the "not adding the flag" side (if we try to figure out when add this flag, it can fail into both direction)
  • eg. if user configures a wrong login server, restart, app can't start up even after adding the force reauth flag (trivial), user edits login server back to original value, restart, and TS starts up fine with the original url without forcing reauth (logical, that was the last working config), if we would have been trying to figure out whether add this flag, we would have failed on the "add unnecessarily" side
• it won't force accidentally a reauth eg. on key expiration

Related Issues

fixes #643 #546

Summary by CodeRabbit

• Bug Fixes
  • Improved startup reliability with more robust readiness detection before proceeding.
  • Enhanced error handling during startup to capture failures and provide clearer failure reporting.
  • Added automatic retry for a specific reauthentication-required scenario, with a logged warning.
  • Continued post-startup checks to ensure the service reaches a running state.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a2ae37e0-1f22-414f-85b5-b238d60197f2

📥 Commits

Reviewing files that changed from the base of the PR and between 92d2ede and 415a344.

📒 Files selected for processing (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run

🚧 Files skipped from review as they are similar to previous changes (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run

---

Walkthrough

Wait for additional backend states (including a transient NoState), run /opt/tailscale up while capturing stderr, detect the specific can't change --login-server without --force-reauth error, retry tailscale up with --force-reauth on that case, otherwise preserve previous exit behavior; post-up wait for Running unchanged.

Changes

Cohort / File(s)

Summary

Tailscale startup script tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run

Broadened pre-up readiness loop to allow BackendState values NoState, Stopped, NeedsLogin, NeedsMachineAuth, or Running (with NoState requiring a 30s persistence). Capture stderr from the first /opt/tailscale up attempt; if stderr contains can't change --login-server without --force-reauth, append --force-reauth and retry; otherwise keep existing failure exit path. Post-up wait for BackendState == "Running" unchanged.

Sequence Diagram(s)

sequenceDiagram
  participant S6 as s6 startup script
  participant TSd as tailscaled
  participant CLI as /opt/tailscale
  participant Backend as Tailscale backend

  S6->>TSd: poll BackendState until in {NoState (30s), Stopped, NeedsLogin, NeedsMachineAuth, Running}
  S6->>CLI: run `/opt/tailscale up` with options
  CLI-->>S6: stdout + stderr (stderr captured)
  alt stderr contains "can't change --login-server without --force-reauth"
    S6->>S6: add `--force-reauth` to options
    S6->>CLI: retry `/opt/tailscale up --force-reauth`
    CLI-->>S6: stdout/stderr (success or fail)
  else other failure
    CLI-->>S6: error (script exits)
  end
  S6->>Backend: wait until BackendState == "Running"

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

bugfix

Suggested reviewers

• frenck

Poem

🐇 I sniffed the logs, a tiny clue,
A flag was missing, so I flew.
I nudged a retry, gave login light,
Now Tailscale wakes and hops at night. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main change: detecting login server change errors and automatically applying force reauthentication.
Linked Issues check	✅ Passed	The implementation fully addresses issue #643 by automatically detecting login-server change errors and applying --force-reauth without manual intervention.
Out of Scope Changes check	✅ Passed	All changes focus on startup readiness logic and error recovery related to login-server changes, staying within the scope of fixing the identified issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lmagyar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[lmagyar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run`:
- Around line 103-105: The readiness loop conflates socket existence with
successful backend-state probes; modify the loop so it first waits for
bashio::fs.socket_exists "/var/run/tailscale/tailscaled.sock" to be true, then
separately poll /opt/tailscale status --json --peers=false --self=false and pipe
to jq '.BackendState == "Starting"' retrying on probe failures, and only exit
the loop when a probe succeeds and returns false (i.e., BackendState !=
"Starting"); ensure transient failures from the status/jq pipeline do not cause
the loop to break and delay proceeding to the next step (e.g., the tailscale up
invocation) until a successful non-Starting state is observed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b4c3705-be06-4a14-b8ff-969930621b79

📥 Commits

Reviewing files that changed from the base of the PR and between 5dc0988 and 16b2219.

📒 Files selected for processing (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run