tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	d5a40c01ab	cmd/k8s-operator/generate: skip tests if no network or Helm is down Updates helm/helm#31434 Change-Id: I5eb20e97ff543f883d5646c9324f50f54180851d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Harry Harpham	74f1d8bd87	cmd/tailscale/cli: unhide serve get-config and serve set-config (#17598 ) Fixes tailscale/corp#33152 Signed-off-by: Harry Harpham <harry@tailscale.com>	1 month ago
Fernando Serboncini	da90e3d8f2	cmd/k8s-operator: rename 'l' variables (#17700 ) Single letter 'l' variables can eventually become confusing when they're rendered in some fonts that make them similar to 1 or I. Updates #cleanup Signed-off-by: Fernando Serboncini <fserb@tailscale.com>	1 month ago
Joe Tsai	9ac8105fda	cmd/jsontags: add static analyzer for incompatible `json` struct tags (#17670 ) This migrates an internal tool to open source so that we can run it on the tailscale.com module as well. This PR does not yet set up a CI to run this analyzer. Updates tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 month ago
Joe Tsai	fcb614a53e	cmd/jsonimports: add static analyzer for consistent "json" imports (#17669 ) This migrates an internal tool to open source so that we can run it on the tailscale.com module as well. We add the "util/safediff" also as a dependency of the tool. This PR does not yet set up a CI to run this analyzer. Updates tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 month ago
Gesa Stupperich	d2e4a20f26	ipn/ipnlocal/serve: error when PeerCaps serialisation fails Also consolidates variable and header naming and amends the CLI behavior * multiple app-caps have to be specified as comma-separated list * simple regex-based validation of app capability names is carried out during flag parsing Signed-off-by: Gesa Stupperich <gesa@tailscale.com>	1 month ago
Gesa Stupperich	d6fa899eba	ipn/ipnlocal/serve: remove grant header truncation logic Given that we filter based on the usercaps argument now, truncation should not be necessary anymore. Updates tailscale/corp/#28372 Signed-off-by: Gesa Stupperich <gesa@tailscale.com>	1 month ago
Gesa Stupperich	576aacd459	ipn/ipnlocal/serve: add grant headers Updates tailscale/corp/#28372 Signed-off-by: Gesa Stupperich <gesa@tailscale.com>	1 month ago
srwareham	f4e2720821	cmd/tailscale/cli: move JetKVM scripts to /userdata/init.d for persistence (#17610 ) Updates #16524 Updates jetkvm/rv1106-system#34 Signed-off-by: srwareham <ebriouscoding@gmail.com>	1 month ago
Claus Lensbøl	7418583e47	health: compare warnable codes to avoid errors on release branch (#17637 ) This compares the warnings we actually care about and skips the unstable warnings and the changes with no warnings. Fixes #17635 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	1 month ago
Harry Harpham	675b1c6d54	cmd/tailscale/cli: error when advertising a Service from an untagged node (#17577 ) Service hosts must be tagged nodes, meaning it is only valid to advertise a Service from a machine which has at least one ACL tag. Fixes tailscale/corp#33197 Signed-off-by: Harry Harpham <harry@tailscale.com>	1 month ago
Alex Chan	c961d58091	cmd/tailscale: improve the error message for `lock log` with no lock Previously, running `tailscale lock log` in a tailnet without Tailnet Lock enabled would return a potentially confusing error: $ tailscale lock log 2025/10/20 11:07:09 failed to connect to local Tailscale service; is Tailscale running? It would return this error even if Tailscale was running. This patch fixes the error to be: $ tailscale lock log Tailnet Lock is not enabled Fixes #17586 Signed-off-by: Alex Chan <alexc@tailscale.com>	1 month ago
Max Coulombe	6a73c0bdf5	cmd/tailscale/cli,feature: add support for identity federation (#17529 ) Add new arguments to `tailscale up` so authkeys can be generated dynamically via identity federation. Updates #9192 Signed-off-by: mcoulombe <max@tailscale.com>	2 months ago
David Bond	9083ef1ac4	cmd/k8s-operator: allow pod tolerations on nameservers (#17260 ) This commit modifies the `DNSConfig` custom resource to allow specifying [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) on the nameserver pods. This will allow users to dictate where their nameserver pods are located within their clusters. Fixes: https://github.com/tailscale/tailscale/issues/17092 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 months ago
Alex Chan	0ce88aa343	all: use a consistent capitalisation for "Tailnet Lock" Updates https://github.com/tailscale/corp/issues/13108 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Joe Tsai	e804b64358	wgengine/netlog: merge connstats into package (#17557 ) Merge the connstats package into the netlog package and unexport all of its declarations. Remove the buildfeatures.HasConnStats and use HasNetLog instead. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Joe Tsai	e75f13bd93	net/connstats: prepare to remove package (#17554 ) The connstats package was an unnecessary layer of indirection. It was seperated out of wgengine/netlog so that net/tstun and wgengine/magicsock wouldn't need a depenedency on the concrete implementation of network flow logging. Instead, we simply register a callback for counting connections. This PR does the bare minimum work to prepare tstun and magicsock to only care about that callback. A future PR will delete connstats and merge it into netlog. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Jordan Whited	743e5ac696	cmd/tailscale: surface relay-server-port set flag (#17528 ) Fixes tailscale/corp#31186 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Patrick O'Doherty	e45557afc0	types/persist: add AttestationKey (#17281 ) Extend Persist with AttestationKey to record a hardware-backed attestation key for the node's identity. Add a flag to tailscaled to allow users to control the use of hardware-backed keys to bind node identity to individual machines. Updates tailscale/corp#31269 Change-Id: Idcf40d730a448d85f07f1bebf387f086d4c58be3 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	2 months ago
Naman Sood	f157f3288d	cmd/tailscale/cli,ipn/conffile: add declarative config mode for Services (#17435 ) This commit adds the subcommands `get-config` and `set-config` to Serve, which can be used to read the current Tailscale Services configuration in a standard syntax and provide a configuration to declaratively apply with that same syntax. Both commands must be provided with either `--service=svc:service` for one service, or `--all` for all services. When writing a config, `--set-config --all` will overwrite all existing Services configuration, and `--set-config --service=svc:service` will overwrite all configuration for that particular Service. Incremental changes are not supported. Fixes tailscale/corp#30983. cmd/tailscale/cli: hide serve "get-config"/"set-config" commands for now tailscale/corp#33152 tracks unhiding them when docs exist. Signed-off-by: Naman Sood <mail@nsood.in>	2 months ago
Anton Tolchanov	072e6a39f4	tsweb/varz: add support for ShardedInt metrics Fixes tailscale/corp#33236 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 months ago
Jordan Whited	e2233b7942	feature/relayserver: init server at config time instead of request time (#17484 ) The lazy init led to confusion and a belief that was something was wrong. It's reasonable to expect the daemon to listen on the port at the time it's configured. Updates tailscale/corp#33094 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Alex Chan	b7fe1cea9f	cmd/tailscale/cli: only print authURLs and device approval URLs once This patch fixes several issues related to printing login and device approval URLs, especially when `tailscale up` is interrupted: 1. Only print a login URL that will cause `tailscale up` to complete. Don't print expired URLs or URLs from previous login attempts. 2. Print the device approval URL if you run `tailscale up` after previously completing a login, but before approving the device. 3. Use the correct control URL for device approval if you run a bare `tailscale up` after previously completing a login, but before approving the device. 4. Don't print the device approval URL more than once (or at least, not consecutively). Updates tailscale/corp#31476 Updates #17361 ## How these fixes work This patch went through a lot of trial and error, and there may still be bugs! These notes capture the different scenarios and considerations as we wrote it, which are also captured by integration tests. 1. We were getting stale login URLs from the initial IPN state notification. When the IPN watcher was moved to before Start() in `c011369`, we mistakenly continued to request the initial state. This is only necessary if you start watching after you call Start(), because you may have missed some notifications. By getting the initial state before calling Start(), we'd get a stale login URL. If you clicked that URL, you could complete the login in the control server (if it wasn't expired), but your instance of `tailscale up` would hang, because it's listening for login updates from a different login URL. In this patch, we no longer request the initial state, and so we don't print a stale URL. 2. Once you skip the initial state from IPN, the following sequence: * Run `tailscale up` * Log into a tailnet with device approval * ^C after the device approval URL is printed, but without approving * Run `tailscale up` again means that nothing would ever be printed. `tailscale up` would send tailscaled the pref `WantRunning: true`, but that was already the case so nothing changes. You never get any IPN notifications, and in particular you never get a state change to `NeedsMachineAuth`. This means we'd never print the device approval URL. In this patch, we add a hard-coded rule that if you're doing a simple up (which won't trigger any other IPN notifications) and you start in the `NeedsMachineAuth` state, we print the device approval message without waiting for an IPN notification. 3. Consider the following sequence: * Run `tailscale up --login-server=<custom server>` * Log into a tailnet with device approval * ^C after the device approval URL is printed, but without approving * Run `tailscale up` again We'd print the device approval URL for the default control server, rather than the real control server, because we were using the `prefs` from the CLI arguments (which are all the defaults) rather than the `curPrefs` (which contain the custom login server). In this patch, we use the `prefs` if the user has specified any settings (and other code will ensure this is a complete set of settings) or `curPrefs` if it's a simple `tailscale up`. 4. Consider the following sequence: you've logged in, but not completed device approval, and you run `down` and `up` in quick succession. * `up`: sees state=NeedsMachineAuth * `up`: sends `{wantRunning: true}`, prints out the device approval URL * `down`: changes state to Stopped * `up`: changes state to Starting * tailscaled: changes state to NeedsMachineAuth * `up`: gets an IPN notification with the state change, and prints a second device approval URL Either URL works, but this is annoying for the user. In this patch, we track whether the last printed URL was the device approval URL, and if so, we skip printing it a second time. Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Brad Fitzpatrick	9a72513fa4	go.toolchain.rev: bump Go to 1.25.2 Updates tailscale/go#135 Change-Id: I89cfb49b998b2fd0264f8d5f4a61af839cd06626 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Tom Meadows	cd2a3425cb	cmd/tsrecorder: adds sending api level logging to tsrecorder (#16960 ) Updates #17141 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	2 months ago
Tom Proctor	98a0ccc18a	cmd/tailscaled: default state encryption off for incompatible args (#17480 ) Since #17376, containerboot crashes on startup in k8s because state encryption is enabled by default without first checking that it's compatible with the selected state store. Make sure we only default state encryption to enabled if it's not going to immediately clash with other bits of tailscaled config. Updates tailscale/corp#32909 Change-Id: I76c586772750d6da188cc97b647c6e0c1a8734f0 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 months ago
Brad Fitzpatrick	232b928974	feature/linkspeed: move cosmetic tstun netlink code out to modular feature Part of making all netlink monitoring code optional. Updates #17311 (how I got started down this path) Updates #12614 Change-Id: Ic80d8a7a44dc261c4b8678b3c2241c3b3778370d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	316afe7d02	util/checkchange: stop using deephash everywhere Saves 45 KB from the min build, no longer pulling in deephash or util/hashx, both with unsafe code. It can actually be more efficient to not use deephash, as you don't have to walk all bytes of all fields recursively to answer that two things are not equal. Instead, you can just return false at the first difference you see. And then with views (as we use ~everywhere nowadays), the cloning the old value isn't expensive, as it's just a pointer under the hood. Updates #12614 Change-Id: I7b08616b8a09b3ade454bb5e0ac5672086fe8aec Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	28b1b4c3c1	cmd/tailscaled: guard some flag work with buildfeatures checks Updates #12614 Change-Id: Iec6f15d33a6500e7b0b7e8f5c098f7c00334460f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	059f53e67a	feature/condlite/expvar: add expvar stub package when metrics not needed Saves ~53 KB from the min build. Updates #12614 Change-Id: I73f9544a9feea06027c6ebdd222d712ada851299 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	d816454a88	feature/featuretags: make usermetrics modular Saves ~102 KB from the min build. Updates #12614 Change-Id: Ie1d4f439321267b9f98046593cb289ee3c4d6249 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	525f9921fe	cmd/testwrapper/flakytest: use t.Attr annotation on flaky tests Updates #17460 Change-Id: I7381e9a6dd73514c73deb6b863749eef1a87efdc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	541a4ed5b4	all: use buildfeatures consts in a few more places Saves ~25 KB. Updates #12614 Change-Id: I7b976e57819a0d2692824d779c8cc98033df0d30 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	6820ec5bbb	wgengine: stop importing flowtrack when unused Updates #12614 Change-Id: I42b5c4d623d356af4bee5bbdabaaf0f6822f2bf4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	3c7e351671	net/connstats: make it modular (omittable) Saves only 12 KB, but notably removes some deps on packages that future changes can then eliminate entirely. Updates #12614 Change-Id: Ibf830d3ee08f621d0a2011b1d4cd175427ef50df Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	2e381557b8	feature/c2n: move answerC2N code + deps out of control/controlclient c2n was already a conditional feature, but it didn't have a feature/c2n directory before (rather, it was using consts + DCE). This adds it, and moves some code, which removes the httprec dependency. Also, remove some unnecessary code from our httprec fork. Updates #12614 Change-Id: I2fbe538e09794c517038e35a694a363312c426a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	223ced84b5	feature/ace: make ACE modular Updates #12614 Change-Id: Iaee75d8831c4ba5c9705d7877bb78044424c6da1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	447cbdd1d0	health: make it omittable Saves 86 KB. And stop depending on expvar and usermetrics when disabled, in prep to removing all the expvar/metrics/tsweb stuff. Updates #12614 Change-Id: I35d2479ddd1d39b615bab32b1fa940ae8cbf9b11 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	f42be719de	all: use buildfeature constants in a few more places Saves 21 KB. Updates #12614 Change-Id: I0cd3e735937b0f5c0fcc9f09a24476b1c4ac9a15 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Tom Meadows	8d4ea55cc1	cmd/k8s-proxy: switching to using ipn/store/kubestore (#17402 ) kubestore init function has now been moved to a more explicit path of ipn/store/kubestore meaning we can now avoid the generic import of feature/condregister. Updates #12614 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	2 months ago
M. J. Fromberger	127a967207	appc,: publish events for route updates and storage (#17392 ) Add and wire up event publishers for these two event types in the AppConnector. Nothing currently subscribes to them, so this is harmless. Subscribers for these events will be added in a near-future commit. As part of this, move the appc.RouteInfo type to the types/appctype package. It does not contain any package-specific details from appc. Beside it, add appctype.RouteUpdate to carry route update event state, likewise not specific to appc. Update all usage of the appc. types throughout to use appctype.* instead, and update depaware files to reflect these changes. Add a Close method to the AppConnector to make sure the client gets cleaned up when the connector is dropped (we re-create connectors). Update the unit tests in the appc package to also check the events published alongside calls to the RouteAdvertiser. For now the tests still rely on the RouteAdvertiser for correctness; this is OK for now as the two methods are always performed together. In the near future, we need to rework the tests so not require that, but that will require building some more test fixtures that we can handle separately. Updates #15160 Updates #17192 Change-Id: I184670ba2fb920e0d2cb2be7c6816259bca77afe Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	2 months ago
Brad Fitzpatrick	1d93bdce20	control/controlclient: remove x/net/http2, use net/http Saves 352 KB, removing one of our two HTTP/2 implementations linked into the binary. Fixes #17305 Updates #15015 Change-Id: I53a04b1f2687dca73c8541949465038b69aa6ade Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	c45f8813b4	feature/featuretags, all: add build features, use existing ones in more places Saves 270 KB. Updates #12614 Change-Id: I4c3fe06d32c49edb3a4bb0758a8617d83f291cf5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Tom Proctor	aa5b2ce83b	cmd/k8s-operator: add .gitignore for generated chart CRDs (#17406 ) Add a .gitignore for the chart version of the CRDs that we never commit, because the static manifest CRD files are the canonical version. This makes it easier to deploy the CRDs via the helm chart in a way that reflects the production workflow without making the git checkout "dirty". Given that the chart CRDs are ignored, we can also now safely generate them for the kube-generate-all Makefile target without being a nuisance to the state of the git checkout. Added a slightly more robust repo root detection to the generation logic to make sure the command works from the context of both the Makefile and the image builder command we run for releases in corp. Updates tailscale/corp#32085 Change-Id: Id44a4707c183bfaf95a160911ec7a42ffb1a1287 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 months ago
Andrew Lytvynov	cca70ddbfc	cmd/tailscaled: default --encrypt-state to true if TPM is available (#17376 ) Whenever running on a platform that has a TPM (and tailscaled can access it), default to encrypting the state. The user can still explicitly set this flag to disable encryption. Updates https://github.com/tailscale/corp/issues/32909 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Brad Fitzpatrick	78af49dd1a	control/ts2021: rename from internal/noiseconn in prep for controlclient split A following change will split out the controlclient.NoiseClient type out, away from the rest of the controlclient package which is relatively dependency heavy. A question was where to move it, and whether to make a new (a fifth!) package in the ts2021 dependency chain. @creachadair and I brainstormed and decided to merge internal/noiseconn and controlclient.NoiseClient into one package, with names ts2021.Conn and ts2021.Client. For ease of reviewing the subsequent PR, this is the first step that just renames the internal/noiseconn package to control/ts2021. Updates #17305 Change-Id: Ib5ea162dc1d336c1d805bdd9548d1702dd6e1468 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	801aac59db	Makefile, cmd/*/depaware.txt: split out vendor packages explicitly depaware was merging golang.org/x/foo and std's vendor/golang.org/x/foo packages (which could both be in the binary!), leading to confusing output, especially when I was working on eliminating duplicate packages imported under different names. This makes the depaware output longer and grosser, but doesn't hide reality from us. Updates #17305 Change-Id: I21cc3418014e127f6c1a81caf4e84213ce84ab57 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claus Lensbøl	ce752b8a88	net/netmon: remove usage of direct callbacks from netmon (#17292 ) The callback itself is not removed as it is used in other repos, making it simpler for those to slowly transition to the eventbus. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	2 months ago
Brad Fitzpatrick	05a4c8e839	tsnet: remove AuthenticatedAPITransport (API-over-noise) support It never launched and I've lost hope of it launching and it's in my way now, so I guess it's time to say goodbye. Updates tailscale/corp#4383 Updates #17305 Change-Id: I2eb551d49f2fb062979cc307f284df4b3dfa5956 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	c2f37c891c	all: use Go 1.20's errors.Join instead of our multierr package Updates #7123 Change-Id: Ie9be6814831f661ad5636afcd51d063a0d7a907d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago

1 2 3 4 5 ...

2502 Commits (05d2dcaf49ab0dbbc6fd726e851c7c5bc2139dfa)