tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Lytvynov	c679aaba32	cmd/tailscaled,ipn: show a health warning when state store fails to open (#17883 ) With the introduction of node sealing, store.New fails in some cases due to the TPM device being reset or unavailable. Currently it results in tailscaled crashing at startup, which is not obvious to the user until they check the logs. Instead of crashing tailscaled at startup, start with an in-memory store with a health warning about state initialization and a link to (future) docs on what to do. When this health message is set, also block any login attempts to avoid masking the problem with an ephemeral node registration. Updates #15830 Updates #17654 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 weeks ago
Andrew Lytvynov	de8ed203e0	go.mod: bump golang.org/x/crypto (#18011 ) Pick up fixes for https://pkg.go.dev/vuln/GO-2025-4134 Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 weeks ago
Harry Harpham	ac74d28190	ipn/ipnlocal: add validations when setting serve config (#17950 ) These validations were previously performed in the CLI frontend. There are two motivations for moving these to the local backend: 1. The backend controls synchronization around the relevant state, so only the backend can guarantee many of these validations. 2. Doing these validations in the back-end avoids the need to repeat them across every frontend (e.g. the CLI and tsnet). Updates tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com>	2 weeks ago
David Bond	42a5262016	cmd/k8s-operator: add multi replica support for recorders (#17864 ) This commit adds the `spec.replicas` field to the `Recorder` custom resource that allows for a highly available deployment of `tsrecorder` within a kubernetes cluster. Many changes were required here as the code hard-coded the assumption of a single replica. This has required a few loops, similar to what we do for the `Connector` resource to create auth and state secrets. It was also required to add a check to remove dangling state and auth secrets should the recorder be scaled down. Updates: https://github.com/tailscale/tailscale/issues/17965 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 weeks ago
Jonathan Nobels	682172ca2d	net/netns: remove spammy logs for interface binding caps fixes tailscale/tailscale#17990 The logging for the netns caps is spammy. Log only on changes to the values and don't log Darwin specific stuff on non Darwin clients. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 weeks ago
Brad Fitzpatrick	7d19813618	net/batching: fix import formatting From #17842 Updates #cleanup Change-Id: Ie041b50659361b50558d5ec1f557688d09935f7c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
David Bond	86a849860e	cmd/k8s-operator: use stable image for k8s-nameserver (#17985 ) This commit modifies the kubernetes operator to use the "stable" version of `k8s-nameserver` by default. Updates: https://github.com/tailscale/corp/issues/19028 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 weeks ago
KevinLiang10	a0d059d74c	cmd/tailscale/cli: allow remote target as service destination (#17607 ) This commit enables user to set service backend to remote destinations, that can be a partial URL or a full URL. The commit also prevents user to set remote destinations on linux system when socket mark is not working. For user on any version of mac extension they can't serve a service either. The socket mark usability is determined by a new local api. Fixes tailscale/corp#24783 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	2 weeks ago
License Updater	12c598de28	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	2 weeks ago
Alex Chan	976bf24f5e	ipn/ipnlocal: remove the always-true CanSupportNetworkLock() Now that we support using an in-memory backend for TKA state (#17946), this function always returns `nil` – we can always support Network Lock. We don't need it any more. Plus, clean up a couple of errant TODOs from that PR. Updates tailscale/corp#33599 Change-Id: Ief93bb9adebb82b9ad1b3e406d1ae9d2fa234877 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
Brad Fitzpatrick	6ac4356bce	util/eventbus: simplify some reflect in Bus.pump Updates #cleanup Change-Id: Ib7b497e22c6cdd80578c69cf728d45754e6f909e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Alex Chan	336df56f85	cmd/tailscale/cli: remove Latin abbreviations from CLI help text Our style guide recommends avoiding Latin abbreviations in technical documentation, which includes the CLI help text. This is causing linter issues for the docs site, because this help text is copied into the docs. See http://go/style-guide/kb/language-and-grammar/abbreviations#latin-abbreviations Updates #cleanup Change-Id: I980c28d996466f0503aaaa65127685f4af608039 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
Alex Chan	aeda3e8183	ipn/ipnlocal: reduce profileManager boilerplate in network-lock tests Updates tailscale/corp#33537 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
Raj Singh	62d64c05e1	cmd/k8s-operator: fix type comparison in apiserver proxy template (#17981 ) ArgoCD sends boolean values but the template expects strings, causing "incompatible types for comparison" errors. Wrap values with toString so both work. Fixes #17158 Signed-off-by: Raj Singh <raj@tailscale.com>	2 weeks ago
Alex Chan	e1dd9222d4	ipn/ipnlocal, tka: compact TKA state after every sync Previously a TKA compaction would only run when a node starts, which means a long-running node could use unbounded storage as it accumulates ever-increasing amounts of TKA state. This patch changes TKA so it runs a compaction after every sync. Updates https://github.com/tailscale/corp/issues/33537 Change-Id: I91df887ea0c5a5b00cb6caced85aeffa2a4b24ee Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
David Bond	38ccdbe35c	cmd/k8s-operator: default to stable image (#17848 ) This commit modifies the helm/static manifest configuration for the k8s-operator to prefer the stable image tag. This avoids making those using static manifests seeing unstable behaviour by default if they do not manually make the change. This is managed for us when using helm but not when generating the static manifests. Updates https://github.com/tailscale/tailscale/issues/10655 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 weeks ago
Brad Fitzpatrick	408336a089	feature/featuretags: add CacheNetMap feature tag for upcoming work (trying to get in smaller obvious chunks ahead of later PRs to make them smaller) Updates #17925 Change-Id: I184002001055790484e4792af8ffe2a9a2465b2e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Brad Fitzpatrick	5b0c57f497	tailcfg: add some omitzero, adjust some omitempty to omitzero Updates tailscale/corp#25406 Change-Id: I7832dbe3dce3774bcc831e3111feb75bcc9e021d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Joe Tsai	3b865d7c33	cmd/netlogfmt: support resolving IP addresses to synonymous labels (#17955 ) We now embed node information into network flow logs. By default, netlogfmt still prints out using Tailscale IP addresses. Support a "--resolve-addrs=TYPE" flag that can be used to specify resolving IP addresses as node IDs, hostnames, users, or tags. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 weeks ago
James Tucker	c09c95ef67	types/key,wgengine/magicsock,control/controlclient,ipn: add debug disco key rotation Adds the ability to rotate discovery keys on running clients, needed for testing upcoming disco key distribution changes. Introduces key.DiscoKey, an atomic container for a disco private key, public key, and the public key's ShortString, replacing the prior separate atomic fields. magicsock.Conn has a new RotateDiscoKey method, and access to this is provided via localapi and a CLI debug command. Note that this implementation is primarily for testing as it stands, and regular use should likely introduce an additional mechanism that allows the old key to be used for some time, to provide a seamless key rotation rather than one that invalidates all sessions. Updates tailscale/corp#34037 Signed-off-by: James Tucker <james@tailscale.com>	2 weeks ago
Fran Bull	da508c504d	appc: add ippool type As part of the conn25 work we will want to be able to keep track of a pool of IP Addresses and know which have been used and which have not. Fixes tailscale/corp#34247 Signed-off-by: Fran Bull <fran@tailscale.com>	2 weeks ago
Alex Chan	d0daa5a398	tka: marshal AUMHash totext even if Tailnet Lock is omitted We use `tka.AUMHash` in `netmap.NetworkMap`, and we serialise it as JSON in the `/debug/netmap` C2N endpoint. If the binary omits Tailnet Lock support, the debug endpoint returns an error because it's unable to marshal the AUMHash. This patch adds a sentinel value so this marshalling works, and we can use the debug endpoint. Updates https://github.com/tailscale/tailscale/issues/17115 Signed-off-by: Alex Chan <alexc@tailscale.com> Change-Id: I51ec1491a74e9b9f49d1766abd89681049e09ce4	2 weeks ago
Anton Tolchanov	04a9d25a54	tka: mark young AUMs as active even if the chain is long Existing compaction logic seems to have had an assumption that markActiveChain would cover a longer part of the chain than markYoungAUMs. This prevented long, but fresh, chains, from being compacted correctly. Updates tailscale/corp#33537 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 weeks ago
Brad Fitzpatrick	bd29b189fe	types/netmap,*: remove some redundant fields from NetMap Updates #12639 Change-Id: Ia50b15529bd1c002cdd2c937cdfbe69c06fa2dc8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Brad Fitzpatrick	2a6cbb70d9	.github/workflows: make go_generate check detect new files Updates #17957 Change-Id: I904fd5b544ac3090b58c678c4726e7ace41a52dd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Brad Fitzpatrick	4e2f2d1088	feature/buildfeatures: re-run go generate `6a73c0bdf5` added a feature tag but didn't re-run go generate on ./feature/buildfeatures. Updates #9192 Change-Id: I7819450453e6b34c60cad29d2273e3e118291643 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Alex Chan	af7c26aa05	cmd/vet/jsontags: fix a typo in an error message Updates #17945 Change-Id: I8987271420feb190f5e4d85caff305c8d4e84aae Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
Alex Chan	85373ef822	tka: move RemoveAll() to CompactableChonk I added a RemoveAll() method on tka.Chonk in #17946, but it's only used in the node to purge local AUMs. We don't need it in the SQLite storage, which currently implements tka.Chonk, so move it to CompactableChonk instead. Also add some automated tests, as a safety net. Updates tailscale/corp#33599 Change-Id: I54de9ccf1d6a3d29b36a94eccb0ebd235acd4ebc Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
Alex Chan	c2e474e729	all: rename variables with lowercase-l/uppercase-I See http://go/no-ell Signed-off-by: Alex Chan <alexc@tailscale.com> Updates #cleanup Change-Id: I8c976b51ce7a60f06315048b1920516129cc1d5d	2 weeks ago
James 'zofrex' Sanderson	9048ea25db	ipn/localapi: log calls to localapi (#17880 ) Updates tailscale/corp#34238 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	2 weeks ago
James 'zofrex' Sanderson	a2e9dfacde	cmd/tailscale/cli: warn if a simple up would change prefs (#17877 ) Updates tailscale/corp#21570 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	2 weeks ago
Joe Tsai	4860c460f5	wgengine/netlog: strip dot suffix from node name (#17954 ) The REST API does not return a node name with a trailing dot, while the internal node name reported in the netmap does have one. In order to be consistent with the API, strip the dot when recording node information. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 weeks ago
James Tucker	41662f5128	ssh/tailssh: fix incubator tests on macOS arm64 Perform a path check first before attempting exec of `true`. Try /usr/bin/true first, as that is now and increasingly so, the more common and more portable path. Fixes tests on macOS arm64 where exec was returning a different kind of path error than previously checked. Updates #16569 Signed-off-by: James Tucker <james@tailscale.com>	2 weeks ago
Andrew Lytvynov	26f9b50247	feature/tpm: disable dictionary attack protection on sealing key (#17952 ) DA protection is not super helpful because we don't set an authorization password on the key. But if authorization fails for other reasons (like TPM being reset), we will eventually cause DA lockout with tailscaled trying to load the key. DA lockout then leads to (1) issues for other processes using the TPM and (2) the underlying authorization error being masked in logs. Updates #17654 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 weeks ago
Brad Fitzpatrick	f1cddc6ecf	ipn{,/local},cmd/tailscale: add "sync" flag and pref to disable control map poll For manual (human) testing, this lets the user disable control plane map polls with "tailscale set --sync=false" (which survives restarts) and "tailscale set --sync" to restore. A high severity health warning is shown while this is active. Updates #12639 Updates #17945 Change-Id: I83668fa5de3b5e5e25444df0815ec2a859153a6d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Brad Fitzpatrick	165a24744e	tka: fix typo in comment Let's fix all the typos, which lets the code be more readable, lest we confuse our readers. Updates #cleanup Change-Id: I4954601b0592b1fda40269009647bb517a4457be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Alex Chan	1723cb83ed	ipn/ipnlocal: use an in-memory TKA store if FS is unavailable This requires making the internals of LocalBackend a bit more generic, and implementing the `tka.CompactableChonk` interface for `tka.Mem`. Signed-off-by: Alex Chan <alexc@tailscale.com> Updates https://github.com/tailscale/corp/issues/33599	2 weeks ago
Andrew Lytvynov	d01081683c	go.mod: bump golang.org/x/crypto (#17907 ) Pick up a fix for https://pkg.go.dev/vuln/GO-2025-4116 (even though we're not affected). Updates #cleanup Change-Id: I9f2571b17c1f14db58ece8a5a34785805217d9dd Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 weeks ago
Alex Chan	200383dce5	various: add more missing apostrophes in comments Updates #cleanup Change-Id: I79a0fda9783064a226ee9bcee2c1148212f6df7b Signed-off-by: Alex Chan <alexc@tailscale.com>	2 weeks ago
Brad Fitzpatrick	1e95bfa184	ipn: fix typo in comment Updates #cleanup Change-Id: Iec66518abd656c64943a58eb6d92f342e627a613 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Brad Fitzpatrick	a5b2f18567	control/controlclient: remove some public API, move to Options & test-only Includes adding StartPaused, which will be used in a future change to enable netmap caching testing. Updates #12639 Change-Id: Iec39915d33b8d75e9b8315b281b1af2f5d13a44a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Alex Chan	139c395d7d	cmd/tailscale/cli: stabilise the output of `tailscale lock log --json` This patch changes the behaviour of `tailscale lock log --json` to make it more useful for users. It also introduces versioning of our JSON output. ## Changes to `tailscale lock log --json` Previously this command would print the hash and base64-encoded bytes of each AUM, and users would need their own CBOR decoder to interpret it in a useful way: ```json [ { "Hash": [ 80, 136, 151, … ], "Change": "checkpoint", "Raw": "pAEFAvYFpQH2AopYIAkPN+8V3cJpkoC5ZY2+RI2Bcg2q5G7tRAQQd67W3YpnWCDPOo4KGeQBd8hdGsjoEQpSXyiPdlm+NXAlJ5dS1qEbFlggylNJDQM5ZQ2ULNsXxg2ZBFkPl/D93I1M56/rowU+UIlYIPZ/SxT9EA2Idy9kaCbsFzjX/s3Ms7584wWGbWd/f/QAWCBHYZzYiAPpQ+NXN+1Wn2fopQYk4yl7kNQcMXUKNAdt1lggcfjcuVACOH0J9pRNvYZQFOkbiBmLOW1hPKJsbC1D1GdYIKrJ38XMgpVMuTuBxM4YwoLmrK/RgXQw1uVEL3cywl3QWCA0FilVVv8uys8BNhS62cfNvCew1Pw5wIgSe3Prv8d8pFggQrwIt6ldYtyFPQcC5V18qrCnt7VpThACaz5RYzpx7RNYIKskOA7UoNiVtMkOrV2QoXv6EvDpbO26a01lVeh8UCeEA4KjAQECAQNYIORIdNHqSOzz1trIygnP5w3JWK2DtlY5NDIBbD7SKcjWowEBAgEDWCD27LpxiZNiA19k0QZhOWmJRvBdK2mz+dHu7rf0iGTPFwQb69Gt42fKNn0FGwRUiav/k6dDF4GiAVgg5Eh00epI7PPW2sjKCc/nDclYrYO2Vjk0MgFsPtIpyNYCWEDzIAooc+m45ay5PB/OB4AA9Fdki4KJq9Ll+PF6IJHYlOVhpTbc3E0KF7ODu1WURd0f7PXnW72dr89CSfGxIHAF" } ] ``` Now we print the AUM in an expanded form that can be easily read by scripts, although we include the raw bytes for verification and auditing. ```json { "SchemaVersion": "1", "Messages": [ { "Hash": "KCEJPRKNSXJG2TPH3EHQRLJNLIIK2DV53FUNPADWA7BZJWBDRXZQ", "AUM": { "MessageKind": "checkpoint", "PrevAUMHash": null, "Key": null, "KeyID": null, "State": { … }, "Votes": null, "Meta": null, "Signatures": [ { "KeyID": "tlpub:e44874d1ea48ecf3d6dac8ca09cfe70dc958ad83b656393432016c3ed229c8d6", "Signature": "8yAKKHPpuOWsuTwfzgeAAPRXZIuCiavS5fjxeiCR2JTlYaU23NxNChezg7tVlEXdH+z151u9na/PQknxsSBwBQ==" } ] }, "Raw": "pAEFAvYFpQH2AopYIAkPN-8V3cJpkoC5ZY2-RI2Bcg2q5G7tRAQQd67W3YpnWCDPOo4KGeQBd8hdGsjoEQpSXyiPdlm-NXAlJ5dS1qEbFlggylNJDQM5ZQ2ULNsXxg2ZBFkPl_D93I1M56_rowU-UIlYIPZ_SxT9EA2Idy9kaCbsFzjX_s3Ms7584wWGbWd_f_QAWCBHYZzYiAPpQ-NXN-1Wn2fopQYk4yl7kNQcMXUKNAdt1lggcfjcuVACOH0J9pRNvYZQFOkbiBmLOW1hPKJsbC1D1GdYIKrJ38XMgpVMuTuBxM4YwoLmrK_RgXQw1uVEL3cywl3QWCA0FilVVv8uys8BNhS62cfNvCew1Pw5wIgSe3Prv8d8pFggQrwIt6ldYtyFPQcC5V18qrCnt7VpThACaz5RYzpx7RNYIKskOA7UoNiVtMkOrV2QoXv6EvDpbO26a01lVeh8UCeEA4KjAQECAQNYIORIdNHqSOzz1trIygnP5w3JWK2DtlY5NDIBbD7SKcjWowEBAgEDWCD27LpxiZNiA19k0QZhOWmJRvBdK2mz-dHu7rf0iGTPFwQb69Gt42fKNn0FGwRUiav_k6dDF4GiAVgg5Eh00epI7PPW2sjKCc_nDclYrYO2Vjk0MgFsPtIpyNYCWEDzIAooc-m45ay5PB_OB4AA9Fdki4KJq9Ll-PF6IJHYlOVhpTbc3E0KF7ODu1WURd0f7PXnW72dr89CSfGxIHAF" } ] } ``` This output was previously marked as unstable, and it wasn't very useful, so changing it should be fine. ## Versioning our JSON output This patch introduces a way to version our JSON output on the CLI, so we can make backwards-incompatible changes in future without breaking existing scripts or integrations. You can run this command in two ways: ``` tailscale lock log --json tailscale lock log --json=1 ``` Passing an explicit version number allows you to pick a specific JSON schema. If we ever want to change the schema, we increment the version number and users must opt-in to the new output. A bare `--json` flag will always return schema version 1, for compatibility with existing scripts. Updates https://github.com/tailscale/tailscale/issues/17613 Updates https://github.com/tailscale/corp/issues/23258 Signed-off-by: Alex Chan <alexc@tailscale.com> Change-Id: I897f78521cc1a81651f5476228c0882d7b723606	2 weeks ago
Brad Fitzpatrick	99b06eac49	syncs: add Mutex/RWMutex alias/wrappers for future mutex debugging Updates #17852 Change-Id: I477340fb8e40686870e981ade11cd61597c34a20 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Andrew Dunham	3a41c0c585	ipn/ipnlocal: add PROXY protocol support to Funnel/Serve This adds the --proxy-protocol flag to 'tailscale serve' and 'tailscale funnel', which tells the Tailscale client to prepend a PROXY protocol[1] header when making connections to the proxied-to backend. I've verified that this works with our existing funnel servers without additional work, since they pass along source address information via PeerAPI already. Updates #7747 [1]: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt Change-Id: I647c24d319375c1b33e995555a541b7615d2d203 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 weeks ago
Brad Fitzpatrick	653d0738f9	types/netmap: remove PrivateKey from NetworkMap It's an unnecessary nuisance having it. We go out of our way to redact it in so many places when we don't even need it there anyway. Updates #12639 Change-Id: I5fc72e19e9cf36caeb42cf80ba430873f67167c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Brad Fitzpatrick	98aadbaf54	util/cache: remove unused code Updates #cleanup Change-Id: I9be7029c5d2a7d6297125d0147e93205a7c68989 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Brad Fitzpatrick	4e01e8a66e	wgengine/netlog: fix send to closed channel in test Fixes #17922 Change-Id: I2cd600b0ecda389079f2004985ac9a25ffbbfdd1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Avery Palmer	8aa46a3956	util/clientmetric: fix regression causing Metric.v to be uninitialised m.v was uninitialised when Tailscale built with ts_omit_logtail Fixes #17918 Signed-off-by: Avery Palmer <quagsirus@catpowered.net>	3 weeks ago
Xinyu Kuo	8444659ed8	cmd/tailscale/cli: fix panic in netcheck with mismatched DERP region IDs Fixes #17564 Signed-off-by: Xinyu Kuo <gxylong@126.com>	3 weeks ago
Jordan Whited	e1f0ad7a05	net/udprelay: implement Server.SetStaticAddrPorts (#17909 ) Only used in tests for now. Updates tailscale/corp#31489 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 weeks ago

1 2 3 4 5 ...

9970 Commits (main) All Branches Search

9970 Commits (main)

All Branches