Starting Twingate service in Docker web service

1

I’m trying to figure out how my Docker app can get the Twingate service started since I need to run with sudo:

sudo twingate start

There’s also a couple additions in my compose.yaml file necessary to set the device (which I know is ignored by render):

devices:
    - /dev/net/tun:/dev/net/tun
cap_add:
    - NET_ADMIN

I don’t see support for this if using a render.yaml blueprint, and I can’t run this in my Dockerfile CMD since it doesn’t seem I’m able to use privileged commands.

Is there a workaround for this? I’d planned on having this run in a private service, but I’m using a web service now for testing.

1 Like
2

Hi Pljspahn,

Have you tried deploying it using the image directly: https://docs.render.com/deploy-an-image, you should be able to use twingate/connector:latest

Regards,

Matt

3

That’s not the client. That’s a connector, which is a different component.

I do see someone has a client image so I’ll take a look at that and see how they’re doing it.

My image is not only twingate. It’s an application that I previously would only host on-prem because it uses an ODBC connection to a server on our network and was behind a VPN.

E: The other image I see for twingate client still needs compose.yaml to add the tunnel device - I don’t see anything in render.yaml that would provide the same feature unless I’m missing something.

4

Hi Pljspahn,

Ahh sorry, my mistake. Yes, if you can deploy the client as an image, that would probably be the simplest approach

Regards,

Matt

5

Maybe you missed my edit, but here is an example of the compose.yaml that the client uses.

The tunnel device needs to be added here but since render ignores compose.yaml, I don’t see a way around this.

version: "3"
  services:
    twingate_client:
      image: rifqisah/twingate_client:latest
      container_name: twingate_client
      stdin_open: true
      tty: true
      devices:
      - /dev/net/tun
      cap_add:
      - NET_ADMIN
      network_mode: host
      volumes:
      - ./service.key.json:/twingate/service.key.json:ro
6

Hi Pljspahn,

Some of this may not be possible to replicate on Render since we do not offer privileged access to the containers. However, it looks like the important part is mounting the volume with a key

volumes: - ./service.key.json:/twingate/service.key.json:ro

You should be able to replicate this functionality by uploading that file as a secret file Render, then use a COPY command in your Dockerfile to copy it to the image. See https://docs.render.com/docker-secrets#building-images-with-secrets-locally for more information on this.

Regards,

Matt

7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.