1729 Commits (release-branch/1.64)

Author	SHA1	Message	Date
James Tucker	8fa3026614	tsweb: switch to fastuuid for request ID generation ... Request ID generation appears prominently in some services cumulative allocation rate, and while this does not eradicate this issue (the API still makes UUID objects), it does improve the overhead of this API and reduce the amount of garbage that it produces. Updates tailscale/corp#18266 Updates tailscale/corp#19054 Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
James Tucker	db760d0bac	cmd/tailscaled: move cleanup to an implicit action during startup ... This removes a potentially increased boot delay for certain boot topologies where they block on ExecStartPre that may have socket activation dependencies on other system services (such as systemd-resolved and NetworkManager). Also rename cleanup to clean up in affected/immediately nearby places per code review commentary. Fixes #11599 Signed-off-by: James Tucker <james@tailscale.com>	2 months ago
Paul Scott	da4e92bf01	cmd/tailscale/cli: prefix all --help usages with "tailscale ...", some tidying ... Also capitalises the start of all ShortHelp, allows subcommands to be hidden with a "HIDDEN: " prefix in their ShortHelp, and adds a TS_DUMP_HELP envknob to look at all --help messages together. Fixes #11664 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Percy Wegmann	9da135dd64	cmd/tailscale/cli: moved share.go to drive.go ... Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	1e0ebc6c6d	cmd/tailscale/cli: rename share command to drive ... Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	231e44e742	Revert "cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11017)" (#11669) ... Temporarily reverting this PR to avoid releasing half finished featue. This reverts commit 9e2f58f846. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Brad Fitzpatrick	e6983baa73	cmd/tailscale/cli: fix macOS crash reading envknob in init (#11667) ... And add a test. Regression from a5e1f7d703 Fixes tailscale/corp#19036 Change-Id: If90984049af0a4820c96e1f77ddf2fce8cb3043f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Chloé Vulquin	0f3a292ebd	cli/configure: respect $KUBECONFIG (#11604) ... cmd/tailscale/cli: respect $KUBECONFIG * `$KUBECONFIG` is a `$PATH`-like: it defines a *list*. `tailscale config kubeconfig` works like the rest of the ecosystem so that if $KUBECONFIG is set it will write to the first existant file in the list, if none exist then the final entry in the list. * if `$KUBECONFIG` is an empty string, the old logic takes over. Notes: * The logic for file detection is inlined based on what `kind` does. Technically it's a race condition, since the file could be removed/added in between the processing steps, but the fallout shouldn't be too bad. https://github.com/kubernetes-sigs/kind/blob/v0.23.0-alpha/pkg/cluster/internal/kubeconfig/internal/kubeconfig/paths.go * The sandboxed (App Store) variant relies on a specific temporary entitlement to access the ~/.kube/config file. The entitlement is only granted to specific files, and so is not applicable to paths supplied by the user at runtime. While there may be other ways to achieve this access to arbitrary kubeconfig files, it's out of scope for now. Updates #11645 Signed-off-by: Chloé Vulquin <code@toast.bunkerlabs.net>	2 months ago
Brad Fitzpatrick	c71e8db058	cmd/tailscale/cli: stop spamming os.Stdout/os.Stderr in tests ... After: bradfitz@book1pro tailscale.com % ./tool/go test -c ./cmd/tailscale/cli bradfitz@book1pro tailscale.com % ./cli.test bradfitz@book1pro tailscale.com % Before: bradfitz@book1pro tailscale.com % ./tool/go test -c ./cmd/tailscale/cli bradfitz@book1pro tailscale.com % ./cli.test Warning: funnel=on for foo.test.ts.net:443, but no serve config run: `tailscale serve --help` to see how to configure handlers Warning: funnel=on for foo.test.ts.net:443, but no serve config run: `tailscale serve --help` to see how to configure handlers USAGE funnel <serve-port> {on|off} funnel status [--json] Funnel allows you to publish a 'tailscale serve' server publicly, open to the entire internet. Turning off Funnel only turns off serving to the internet. It does not affect serving to your tailnet. SUBCOMMANDS status show current serve/funnel status error: path must be absolute error: invalid TCP source "localhost:5432": missing port in address error: invalid TCP source "tcp://somehost:5432" must be one of: localhost or 127.0.0.1 tcp://somehost:5432error: invalid TCP source "tcp://somehost:0" must be one of: localhost or 127.0.0.1 tcp://somehost:0error: invalid TCP source "tcp://somehost:65536" must be one of: localhost or 127.0.0.1 tcp://somehost:65536error: path must be absolute error: cannot serve web; already serving TCP You don't have permission to enable this feature. This also moves the color handling up to a generic spot so it's not just one subcommand doing it itself. See https://github.com/tailscale/tailscale/issues/11626#issuecomment-2041795129 Fixes #11643 Updates #11626 Change-Id: I3a49e659dcbce491f4a2cb784be20bab53f72303 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b0fbd85592	net/tsdial: partially fix "tailscale nc" (UserDial) on macOS ... At least in the case of dialing a Tailscale IP. Updates #4529 Change-Id: I9fd667d088a14aec4a56e23aabc2b1ffddafa3fe Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node ... This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Maisem Ali	3f4c5daa15	wgengine/netstack: remove SubnetRouterWrapper ... It was used when we only supported subnet routers on linux and would nil out the SubnetRoutes slice as no other router worked with it, but now we support subnet routers on ~all platforms. The field it was setting to nil is now only used for network logging and nowhere else, so keep the field but drop the SubnetRouterWrapper as it's not useful. Updates #cleanup Change-Id: Id03f9b6ec33e47ad643e7b66e07911945f25db79 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Brad Fitzpatrick	ac2522092d	cmd/tailscale/cli: make exit-node list not random ... The output was changing randomly per run, due to range over a map. Then some misc style tweaks I noticed while debugging. Fixes #11629 Change-Id: I67aef0e68566994e5744d4828002f6eb70810ee1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Will Morrison	306bacc669	cmd/tailscale/cli: Add CLI command to update certs on Synology devices. ... Fixes #4674 Signed-off-by: Will Morrison <william.barr.morrison@gmail.com>	2 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625) ... This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597) ... This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590) ... This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 months ago
Brad Fitzpatrick	1c259100b0	cmd/{derper,derpprobe}: add --version flag ... Fixes #11582 Change-Id: If99fc1ab6b89d624fbb07bd104dd882d2c7b50b4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	ec87e219ae	logtail: delete unused code from old way to configure zstd ... Updates #cleanup Change-Id: I666ecf08ea67e461adf2a3f4daa9d1753b2dc1e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Irbe Krumina	9b5176c4d9	cmd/k8s-operator: fix failing tests (#11541) ... Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	9e2f58f846	cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11017) ... * cmd/k8s-nameserver,k8s-operator: add a nameserver that can resolve ts.net DNS names in cluster. Adds a simple nameserver that can respond to A record queries for ts.net DNS names. It can respond to queries from in-memory records, populated from a ConfigMap mounted at /config. It dynamically updates its records as the ConfigMap contents changes. It will respond with NXDOMAIN to queries for any other record types (AAAA to be implemented in the future). It can respond to queries over UDP or TCP. It runs a miekg/dns DNS server with a single registered handler for ts.net domain names. Queries for other domain names will be refused. The intended use of this is: 1) to allow non-tailnet cluster workloads to talk to HTTPS tailnet services exposed via Tailscale operator egress over HTTPS 2) to allow non-tailnet cluster workloads to talk to workloads in the same cluster that have been exposed to tailnet over their MagicDNS names but on their cluster IPs. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com> * cmd/k8s-operator/deploy/crds,k8s-operator: add DNSConfig CustomResource Definition DNSConfig CRD can be used to configure the operator to deploy kube nameserver (./cmd/k8s-nameserver) to cluster. Signed-off-by: Irbe Krumina <irbe@tailscale.com> * cmd/k8s-operator,k8s-operator: optionally reconcile nameserver resources Adds a new reconciler that reconciles DNSConfig resources. If a DNSConfig is deployed to cluster, the reconciler creates kube nameserver resources. This reconciler is only responsible for creating nameserver resources and not for populating nameserver's records. Signed-off-by: Irbe Krumina <irbe@tailscale.com> * cmd/{k8s-operator,k8s-nameserver}: generate DNSConfig CRD for charts, append to static manifests Signed-off-by: Irbe Krumina <irbe@tailscale.com> --------- Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Andrea Gottardo	008676f76e	cmd/serve: update warning for sandboxed macOS builds (#11530)	2 months ago
Percy Wegmann	66e4d843c1	ipn/localapi: add support for multipart POST to file-put ... This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Andrew Lytvynov	5d41259a63	cmd/tailscale/cli: remove Beta tag from tailscale update (#11529) ... Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Irbe Krumina	4cbef20569	cmd/k8s-operator: redact auth key from debug logs (#11523) ... Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Chris Milson-Tokunaga	b6dfd7443a	Change type of installCRDs (#11478) ... Including the double quotes (`"`) around the value made it appear like the helm chart should expect a string value for `installCRDs`. Signed-off-by: Chris Milson-Tokunaga <chris.w.milson@gmail.com>	2 months ago
Percy Wegmann	8b8b315258	net/tstun: use gaissmai/bart instead of tempfork/device ... This implementation uses less memory than tempfork/device, which helps avoid OOM conditions in the iOS VPN extension when switching to a Tailnet with ExitNode routing enabled. Updates tailscale/corp#18514 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] ... First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Joe Tsai	85febda86d	all: use zstdframe where sensible (#11491) ... Use the zstdframe package where sensible instead of plumbing around our own zstd.Encoder just for stateless operations. This causes logtail to have a dependency on zstd, but that's arguably okay since zstd support is implicit to the protocol between a client and the logging service. Also, virtually every caller to logger.NewLogger was manually setting up a zstd.Encoder anyways, meaning that zstd was functionally always a dependency. Updates #cleanup Updates tailscale/corp#18514 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Irbe Krumina	b0c3e6f6c5	cmd/k8s-operator,ipn/conf.go: fix --accept-routes for proxies (#11453) ... Fix a bug where all proxies got configured with --accept-routes set to true. The bug was introduced in https://github.com/tailscale/tailscale/pull/11238. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Mario Minardi	d2ccfa4edd	cmd/tailscale,ipn/ipnlocal: enable web client over quad 100 by default (#11419) ... Enable the web client over 100.100.100.100 by default. Accepting traffic from [tailnet IP]:5252 still requires setting the `webclient` user pref. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 months ago
Andrea Gottardo	08ebac9acb	version,cli,safesocket: detect non-sandboxed macOS GUI (#11369) ... Updates ENG-2848 We can safely disable the App Sandbox for our macsys GUI, allowing us to use `tailscale ssh` and do a few other things that we've wanted to do for a while. This PR: - allows Tailscale SSH to be used from the macsys GUI binary when called from a CLI - tweaks the detection of client variants in prop.go, with new functions `IsMacSys()`, `IsMacSysApp()` and `IsMacAppSandboxEnabled()` Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Irbe Krumina	ea55f96310	cmd/tailscale/cli: fix configuring partially empty kubeconfig (#11417) ... When a user deletes the last cluster/user/context from their kubeconfig via 'kubectl delete-[cluster|user|context] command, kubectx sets the relevant field in kubeconfig to 'null'. This was breaking our conversion logic that was assuming that the field is either non-existant or is an array. Updates tailscale/corp#18320 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Anton Tolchanov	f12d2557f9	prober: add a DERP bandwidth probe ... Updates tailscale/corp#17912 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Percy Wegmann	e496451928	ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares ... - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	6c160e6321	ipn,tailfs: tie TailFS share configuration to user profile ... Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	16ae0f65c0	cmd/viewer: import views when generating byteSliceField ... Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Andrew Dunham	34176432d6	cmd/derper, types/logger: move log filter to shared package ... So we can use it in trunkd to quiet down the logs there. Updates #5563 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie3177dc33f5ad103db832aab5a3e0e4f128f973f	3 months ago
Sonia Appasamy	c58c59ee54	{ipn,cmd/tailscale/cli}: move ServeConfig mutation logic to ipn/serve ... Moving logic that manipulates a ServeConfig into recievers on the ServeConfig in the ipn package. This is setup work to allow the web client and cli to both utilize these shared functions to edit the serve config. Any logic specific to flag parsing or validation is left untouched in the cli command. The web client will similarly manage its validation of user's requested changes. If validation logic becomes similar-enough, we can make a serve util for shared functionality, which likely does not make sense in ipn. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Sonia Appasamy	65c3c690cf	{ipn/serve,cmd/tailscale/cli}: move some shared funcs to ipn ... In preparation for changes to allow configuration of serve/funnel from the web client, this commit moves some functionality that will be shared between the CLI and web client to the ipn package's serve.go file, where some other util funcs are already defined. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Percy Wegmann	e324a5660f	ipn: include full tailfs shares in ipn notifications ... This allows the Mac application to regain access to restricted folders after restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	69f4b4595a	wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine ... This adds a method to wgengine.Engine and plumbed down into magicsock to add a way to get a type-safe Tailscale-safe wrapper around a wireguard-go device.Peer that only exposes methods that are safe for Tailscale to use internally. It also removes HandshakeAttempts from PeerStatusLite that was just added as it wasn't needed yet and is now accessible ala cart as needed from the Peer type accessor. None of this is used yet. Updates #7617 Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Irbe Krumina	95dcc1745b	cmd/k8s-operator: reconcile tailscale Ingresses when their backend Services change. (#11255) ... This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator. Updates tailscale/tailscale#11251 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>	3 months ago
Irbe Krumina	303125d96d	cmd/k8s-operator: configure all proxies with declarative config (#11238) ... Containerboot container created for operator's ingress and egress proxies are now always configured by passing a configfile to tailscaled (tailscaled --config <configfile-path>. It does not run 'tailscale set' or 'tailscale up'. Upgrading existing setups to this version as well as downgrading existing setups at this version works. Updates tailscale/tailscale#10869 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	45d27fafd6	cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (#11246) ... Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale/tailscale#11023 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Anton Tolchanov	8cc5c51888	health: warn about reverse path filtering and exit nodes ... When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs. Example in `tailscale status`: ``` - not connected to home DERP region 22 - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Example in the logs: ``` 2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Nick Khyl	7ef1fb113d	cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed ... Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes #11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Percy Wegmann	50fb8b9123	tailfs: replace webdavfs with reverse proxies ... Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead ... Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	0c5e65eb3f	cmd/derper: apply TCP keepalive and timeout to TLS as well ... I missed a case in the earlier patch, and so we're still sending 15s TCP keepalive for TLS connections, now adjusted there too. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago