tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	11ece02f52	net/{interfaces,netmon}: remove "interesting", EqualFiltered API This removes a lot of API from net/interfaces (including all the filter types, EqualFiltered, active Tailscale interface func, etc) and moves the "major" change detection to net/netmon which knows more about the world and the previous/new states. Updates #9040 Change-Id: I7fe66a23039c6347ae5458745b709e7ebdcce245 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	6dfa403e6b	cmd/tailscaled: default to userspace-networking on plan9 No tun support yet. Updates #5794 Change-Id: Ibd8db67594d4c65b47e352ae2af2ab3d2712dfad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Sonia Appasamy	7aea219a0f	client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775	9 months ago
Brad Fitzpatrick	6b882a1511	control/controlclient: clean up a few little things De-pointer a *time.Time type, move it after the mutex which guard is, rename two test-only methods with our conventional "ForTest" suffix. Updates #cleanup Change-Id: I4f4d1acd9c2de33d9c3cb6465d7349ed051aa9f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	3bce9632d9	derp/derphttp: fix data race and crash in proxy dial error path Named result meant error paths assigned that variable to nil. But a goroutine was concurrently using that variable. Don't use a named result for that first parameter. Then then return paths don't overwrite it. Fixes #9129 Change-Id: Ie57f99d40ca8110085097780686d9bd620aaf160 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Val	8ba07aac85	ipn/iplocale: remove unused argument to shouldUseOneCGNATRoute Remove an unused argument to shouldUseOneCGNATRoute. Updates #cleanup Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Brad Fitzpatrick	55bb7314f2	control/controlclient: replace a status func with Observer interface For now the method has only one interface (the same as the func it's replacing) but it will grow, eventually with the goal to remove the controlclient.Status type for most purposes. Updates #1909 Change-Id: I715c8bf95e3f5943055a94e76af98d988558a2f2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	a64593d7ef	types/logger: fix test failure I missed earlier I didn't see the race builder fail on CI earlier in `590c693b9`. This fixes the test. Updates #greenci Change-Id: I9f271bfadfc29b010226b55bf6647f35f03730b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	590c693b96	types/logger: add AsJSON Printing out JSON representation things in log output is pretty common. Updates #cleanup Change-Id: Ife2d2e321a18e6e1185efa8b699a23061ac5e5a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	a79b1d23b8	control/controlclient: convert PeersChanged nodes to patches internally So even if the server doesn't support sending patches (neither the Tailscale control server nor Headscale yet do), this makes the client convert a changed node to its diff so the diffs can be processed individually in a follow-up change. This lets us make progress on #1909 without adding a dependency on finishing the server-side part, and also means other control servers will get the same upcoming optimizations. And add some clientmetrics while here. Updates #1909 Change-Id: I9533bcb8bba5227e17389f0b10dff71f33ee54ec Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrew Lytvynov	67e48d9285	clientupdate: use SPKsVersion instead of Version (#9118 ) Top-level Version in pkgs response is not always in sync with SPK versions, especially on unstable track. It's very confusing when the confirmation prompt asks you "update to 1.49.x?" and you end up updating to 1.49.y. Instead, grab the SPK-specific version field. Updates #cleanup. Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Andrew Lytvynov	8d2eaa1956	clientupdate: download SPK and MSI packages with distsign (#9115 ) Reimplement `downloadURLToFile` using `distsign.Download` and move all of the progress reporting logic over there. Updates #6995 Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Maisem Ali	0c6fe94cf4	cmd/k8s-operator: add matching family addresses to status This was added in `3451b89e5f`, but resulted in the v6 Tailscale address being added to status when when the forwarding only happened on the v4 address. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	f92e6a1be8	cmd/k8s-operator: update RBAC to allow creating events The new ingress reconcile raises events on failure, but I forgot to add the updated permission. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Joe Tsai	fcbb2bf348	net/memnet: export the network name (#9111 ) This makes it more maintainable for other code to statically depend on the exact value of this string. It also makes it easier to identify what code might depend on this string by looking up references to this constant. Updates tailscale/corp#13777 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Chris Palmer	346dc5f37e	ipn/ipnlocal: move C2NUpdateResponse to c2ntypes.go (#9112 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	9 months ago
Will Norris	d74c771fda	client/web: always use new web client; remove old client This uses the new react-based web client for all builds, not just with the --dev flag. If the web client assets have not been built, the client will serve a message that Tailscale was built without the web client, and link to build instructions. Because we will include the web client in all of our builds, this should only be seen by developers or users building from source. (And eventually this will be replaced by attempting to download needed assets as runtime.) We do now checkin the build/index.html file, which serves the error message when assets are unavailable. This will also eventually be used to trigger in CI when new assets should be built and uploaded to a well-known location. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Will Norris	be5bd1e619	client/web: skip authorization checks for static assets Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Andrew Lytvynov	18d9c92342	release/dist/cli: add verify-package-signature command (#9110 ) Helper command to verify package signatures, mainly for debugging. Also fix a copy-paste mistake in error message in distsign. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Andrew Dunham	c86a610eb3	cmd/tailscale, net/portmapper: add --log-http option to "debug portmap" This option allows logging the raw HTTP requests and responses that the portmapper Client makes when using UPnP. This can be extremely helpful when debugging strange UPnP issues with users' devices, and might allow us to avoid having to instruct users to perform a packet capture. Updates #8992 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2c3cf6930b09717028deaff31738484cc9b008e4	9 months ago
Mike Beaumont	3451b89e5f	cmd/k8s-operator: put Tailscale IPs in Service ingress status Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	9 months ago
Mike Beaumont	ce4bf41dcf	cmd/k8s-operator: support being the default loadbalancer controller Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	9 months ago
Brad Fitzpatrick	4af22f3785	util/deephash: add IncludeFields, ExcludeFields HasherForType Options Updates tailscale/corp#6198 Change-Id: Iafc18c5b947522cf07a42a56f35c0319cc7b1c94 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	e7d1538a2d	types/views: add SliceEqual, like std slices.Equal Updates tailscale/corp#6198 Change-Id: I38614a4552c9fa933036aa493c7cdb57c7ffe2d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
David Anderson	b407fdef70	flake.nix: use Go 1.21 to build tailscale, for real this time The previous change just switched the Go version used in the dev environment (for use with e.g. direnv), not the version used for the distribution build. Oops. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	9 months ago
David Anderson	fe91160775	flake.nix: use Go 1.21 to build tailscale flake Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	9 months ago
Flakes Updater	e80ba4ce79	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	9 months ago
Maisem Ali	9430481926	cmd/containerboot: account for k8s secret reflection in fsnotify On k8s the serve-config secret mount is symlinked so checking against the Name makes us miss the events. Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Andrew Lytvynov	ce5909dafc	release/dist: remove extra Close on a signed file (#9094 ) We pass the file as an io.Reader to http.Post under the hood as request body. Post, helpfully, detects that the body is an io.Closer and closes it. So when we try to explicitly close it again, we get "file already closed" error. The Close there is not load-bearing, we have a defer for it anyway. Remove the explicit close and error check. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Sonia Appasamy	4828e4c2db	client/web: move api handler into web.go Also uses `http.HandlerFunc` to pass the handler into `csrfProtect` so we can get rid of the extraneous `api` struct. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Dave Anderson	7b18ed293b	tsweb: check for key-based debug access before XFF check (#9093 ) Fly apps all set X-Forwarded-For, which breaks debug access even with a preshared key otherwise. Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>	9 months ago
Aaron Klotz	6b6a8cf843	util/osdiag: add query for Windows page file configuration and status It's very common for OOM crashes on Windows to be caused by lack of page file space (the NT kernel does not overcommit). Since Windows automatically manages page file space by default, unless the machine is out of disk space, this is typically caused by manual page file configurations that are too small. This patch obtains the current page file size, the amount of free page file space, and also determines whether the page file is automatically or manually managed. Fixes #9090 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	9 months ago
Denton Gentry	535db01b3f	scripts/installer: add Kaisen, Garuda, Fedora-Asahi. Fixes https://github.com/tailscale/tailscale/issues/8648 Fixes https://github.com/tailscale/tailscale/issues/8737 Fixes https://github.com/tailscale/tailscale/issues/9087 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	9 months ago
Maisem Ali	c8dea67cbf	cmd/k8s-operator: add support for Ingress resources Previously, the operator would only monitor Services and create a Tailscale StatefulSet which acted as a L3 proxy which proxied traffic inbound to the Tailscale IP onto the services ClusterIP. This extends that functionality to also monitor Ingress resources where the `ingressClassName=tailscale` and similarly creates a Tailscale StatefulSet, acting as a L7 proxy instead. Users can override the desired hostname by setting: ``` - tls hosts: - "foo" ``` Hostnames specified under `rules` are ignored as we only create a single host. This is emitted as an event for users to see. Fixes #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	320f77bd24	cmd/containerboot: add support for setting ServeConfig This watches the provided path for a JSON encoded ipn.ServeConfig. Everytime the file changes, or the nodes FQDN changes it reapplies the ServeConfig. At boot time, it nils out any previous ServeConfig just like tsnet does. As the ServeConfig requires pre-existing knowledge of the nodes FQDN to do SNI matching, it introduces a special `${TS_CERT_DOMAIN}` value in the JSON file which is replaced with the known CertDomain before it is applied. Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	12ac672542	cmd/k8s-operator: handle changes to services w/o teardown Previously users would have to unexpose/expose the service in order to change Hostname/TargetIP. This now applies those changes by causing a StatefulSet rollout now that `a61a9ab087` is in. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Denton Gentry	24d41e4ae7	cmd/sniproxy: add port forwarding and prometheus metrics 1. Add TCP port forwarding. For example: ./sniproxy -forwards=tcp/22/github.com will forward SSH to github. % ssh -i ~/.ssh/id_ecdsa.pem -T git@github.com Hi GitHubUser! You've successfully authenticated, but GitHub does not provide shell access. % ssh -i ~/.ssh/id_ecdsa.pem -T git@100.65.x.y Hi GitHubUser! You've successfully authenticated, but GitHub does not provide shell access. 2. Additionally export clientmetrics as prometheus metrics for local scraping over the tailnet: http://sniproxy-hostname:8080/debug/varz Updates https://github.com/tailscale/tailscale/issues/1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	9 months ago
Brad Fitzpatrick	98a5116434	all: adjust some build tags for plan9 I'm not saying it works, but it compiles. Updates #5794 Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrew Lytvynov	de9ba1c621	clientupdate/distsign/roots: add temporary dev root key (#9080 ) Adding a root key that signs the current signing key on pkgs.tailscale.com. This key is here purely for development and should be replaced before 1.50 release. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Sonia Appasamy	f3077c6ab5	client/web: add self node cache Adds a cached self node to the web client Server struct, which will be used from the web client api to verify that request came from the node's own machine (i.e. came from the web client frontend). We'll be using when we switch the web client api over to acting as a proxy to the localapi, to protect against DNS rebinding attacks. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Andrew Lytvynov	3b7ebeba2e	clientupdate: remove Arch support (#9081 ) An Arch Linux maintainer asked us to not implement "tailscale update" on Arch-based distros: https://github.com/tailscale/tailscale/issues/6995#issuecomment-1687080106 Return an error to the user if they try to run "tailscale update". Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Andrew Lytvynov	b42c4e2da1	cmd/dist,release/dist: add distsign signing hooks (#9070 ) Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Will Norris	dc8287ab3b	client/web: enforce full path for CGI platforms Synology and QNAP both run the web client as a CGI script. The old web client didn't care too much about requests paths, since there was only a single GET and POST handler. The new client serves assets on different paths, so now we need to care. First, enforce that the CGI script is always accessed from its full path, including a trailing slash (e.g. /cgi-bin/tailscale/index.cgi/). Then, strip that prefix off before passing the request along to the main serve handler. This allows for properly serving both static files and the API handler in a CGI environment. Also add a CGIPath option to allow other CGI environments to specify a custom path. Finally, update vite and one "api/data" call to no longer assume that we are always serving at the root path of "/". Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Will Norris	0c3d343ea3	client/web: invert auth logic for synology and qnap Add separate server methods for synology and qnap, and enforce authentication and authorization checks before calling into the actual serving handlers. This allows us to remove all of the auth logic from those handlers, since all requests will already be authenticated by that point. Also simplify the Synology token redirect handler by using fetch. Remove the SynologyUser from nodeData, since it was never used in the frontend anyway. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Will Norris	05486f0f8e	client/web: move synology and qnap logic into separate files This commit doesn't change any of the logic, but just organizes the code a little to prepare for future changes. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Maisem Ali	ff7f4b4224	cmd/testwrapper: fix off-by-one error in maxAttempts check It was checking if `>= maxAttempts` which meant that the third attempt would never run. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	a61a9ab087	cmd/containerboot: reapply known args on restart Previously we would not reapply changes to TS_HOSTNAME etc when then the container restarted and TS_AUTH_ONCE was enabled. This splits those into two steps login and set, allowing us to only rerun the set step on restarts. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Andrew Lytvynov	d45af7c66f	release/dist/cli: add sign-key and verify-key-signature commands (#9041 ) Now we have all the commands to generate the key hierarchy and verify that signing keys were signed correctly: ``` $ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root wrote private key to root-priv.pem wrote public key to root-pub.pem $ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing wrote private key to signing-priv.pem wrote public key to signing-pub.pem $ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem wrote signature to signature.bin $ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin signature ok ``` Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	9 months ago
Sonia Appasamy	349c05d38d	client/web: refresh on tab focus Refresh node data when user switches to the web client browser tab. This helps clean up the auth flow where they're sent to another tab to authenticate then return to the original tab, where the data should be refreshed to pick up the login updates. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago

1 2 3 4 5 ...

6174 Commits (11ece02f5246dee65418bb87c702f230ba2163f0) All Branches Search

6174 Commits (11ece02f5246dee65418bb87c702f230ba2163f0)

All Branches