ipn/localapi: define a cert dir for Synology DSM6

Fixes #4060

Change-Id: I5f145d4f56f6edb14825268e858d419c55918673
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

ipn/localapi/cert.go

@@ -29,6 +29,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -37,6 +38,7 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/types/logger"
+	"tailscale.com/version/distro"
 )
 
 // Process-wide cache. (A new *Handler is created per connection,
@@ -53,6 +55,13 @@ var (
 
 func (h *Handler) certDir() (string, error) {
 	d := h.b.TailscaleVarRoot()
+
+	// As a workaround for Synology DSM6 not having a "var" directory, use the
+	// app's "etc" directory (on a small partition) to hold certs at least.
+	// See https://github.com/tailscale/tailscale/issues/4060#issuecomment-1186592251
+	if d == "" && runtime.GOOS == "linux" && distro.Get() == distro.Synology && distro.DSMVersion() == 6 {
+		d = "/var/packages/Tailscale/etc" // base; we append "certs" below
+	}
 	if d == "" {
 		return "", errors.New("no TailscaleVarRoot")
 	}

version/distro/distro.go

@@ -8,6 +8,7 @@ package distro
 import (
 	"os"
 	"runtime"
+	"strconv"
 	"sync/atomic"
 )
 
@@ -94,3 +95,17 @@ func freebsdDistro() Distro {
 	}
 	return ""
 }
+
+// DSMVersion reports the Synology DSM major version.
+//
+// If not Synology, it reports 0.
+func DSMVersion() int {
+	if runtime.GOOS != "linux" {
+		return 0
+	}
+	if Get() != Synology {
+		return 0
+	}
+	v, _ := strconv.Atoi(os.Getenv("SYNOPKG_DSM_VERSION_MAJOR"))
+	return v
+}

wgengine/router/router_linux.go

@@ -182,11 +182,7 @@ func useAmbientCaps() bool {
 	if distro.Get() != distro.Synology {
 		return false
 	}
-	v, err := strconv.Atoi(os.Getenv("SYNOPKG_DSM_VERSION_MAJOR"))
+	return distro.DSMVersion() >= 7
-	if err != nil {
-		return false
-	}
-	return v >= 7
 }
 
 var forceIPCommand = envknob.Bool("TS_DEBUG_USE_IP_COMMAND")