tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	f47a5fe52b	vnet: reduce some log spam Updates #13038 Change-Id: I76038a90dfde10a82063988a5b54190074d4b5c5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	f8d23b3582	tstest/integration/nat: stream daemon logs directly Updates #13038 Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5da5706149c082c27d74c8b894bf53dd9b259e84	3 months ago
Brad Fitzpatrick	6798f8ea88	tstest/natlab/vnet: add port mapping Updates #13038 Change-Id: Iaf274d250398973790873534b236d5cbb34fbe0e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	12764e9db4	natlab: add NodeAgentClient This adds a new NodeAgentClient type that can be used to invoke the LocalAPI using the LocalClient instead of handcrafted URLs. However, there are certain cases where it does make sense for the node agent to provide more functionality than whats possible with just the LocalClient, as such it also exposes a http.Client to make requests directly. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 months ago
Brad Fitzpatrick	1016aa045f	hostinfo: add hostinfo.IsNATLabGuestVM And don't make guests under vnet/natlab upload to logcatcher, as there won't be a valid cert anyway. Updates #13038 Change-Id: Ie1ce0139788036b8ecc1804549a9b5d326c5fef5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	8594292aa4	vnet: add control/derps to test, stateful firewall Updates #13038 Change-Id: Icd65b34c5f03498b5a7109785bb44692bce8911a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Jordan Whited	20691894f5	cmd/stunstamp: refactor to support multiple protocols (#13063 ) 'stun' has been removed from metric names and replaced with a protocol label. This refactor is preparation work for HTTPS & ICMP support. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Andrew Lytvynov	c0c4791ce7	cmd/gitops-pusher: ignore previous etag if local acls match control (#13068 ) In a situation when manual edits are made on the admin panel, around the GitOps process, the pusher will be stuck if `--fail-on-manual-edits` is set, as expected. To recover from this, there are 2 options: 1. revert the admin panel changes to get back in sync with the code 2. check in the manual edits to code The former will work well, since previous and local ETags will match control ETag again. The latter will still fail, since local and control ETags match, but previous does not. For this situation, check the local ETag against control first and ignore previous when things are already in sync. Updates https://github.com/tailscale/corp/issues/22177 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Andrew Lytvynov	ad038f4046	cmd/gitops-pusher: add --fail-on-manual-edits flag (#13066 ) For cases where users want to be extra careful about not overwriting manual changes, add a flag to hard-fail. This is only useful if the etag cache is persistent or otherwise reliable. This flag should not be used in ephemeral CI workers that won't persist the cache. Updates https://github.com/tailscale/corp/issues/22177 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Naman Sood	f79183dac7	cmd/tsidp: add funnel support (#12591 ) * cmd/tsidp: add funnel support Updates #10263. Signed-off-by: Naman Sood <mail@nsood.in> * look past funnel-ingress-node to see who we're authenticating Signed-off-by: Naman Sood <mail@nsood.in> * fix comment typo Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback, support Basic auth for /token Turns out you need to support Basic auth if you do client ID/secret according to OAuth. Signed-off-by: Naman Sood <mail@nsood.in> * fix typos Signed-off-by: Naman Sood <mail@nsood.in> * review fixes Signed-off-by: Naman Sood <mail@nsood.in> * remove debugging log Signed-off-by: Naman Sood <mail@nsood.in> * add comments, fix header Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	3 months ago
Brad Fitzpatrick	1ed958fe23	tstest/natlab/vnet: add start of virtual network-based NAT Lab Updates #13038 Change-Id: I3c74120d73149c1329288621f6474bbbcaa7e1a6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	6ca078c46e	cmd/derper: move 204 handler from package main to derphttp Updates #13038 Change-Id: I28a8284dbe49371cae0e9098205c7c5f17225b40 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Anton Tolchanov	b3fc345aba	cmd/derpprobe: use a status page from the prober library Updates tailscale/corp#20583 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Anton Tolchanov	0fd73746dd	cmd/tailscale/cli: fix `revoke-keys` command name in CLI output During review of #8644 the `recover-compromised-key` command was renamed to `revoke-key`, but the old name remained in some messages printed by the command. Fixes tailscale/corp#19446 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Jordan Whited	f0230ce0b5	go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GRO for Linux (#12921 ) This commit implements TCP GRO for packets being written to gVisor on Linux. Windows support will follow later. The wireguard-go dependency is updated in order to make use of newly exported IP checksum functions. gVisor is updated in order to make use of newly exported stack.PacketBuffer GRO logic. TCP throughput towards gVisor, i.e. TUN write direction, is dramatically improved as a result of this commit. Benchmarks show substantial improvement, sometimes as high as 2x. High bandwidth-delay product paths remain receive window limited, bottlenecked by gVisor's default TCP receive socket buffer size. This will be addressed in a follow-on commit. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. There is roughly ~13us of round trip latency between them. The first result is from commit `57856fc` without TCP GRO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 4.77 GBytes 4.10 Gbits/sec 20 sender [ 5] 0.00-10.00 sec 4.77 GBytes 4.10 Gbits/sec receiver The second result is from this commit with TCP GRO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 10.6 GBytes 9.14 Gbits/sec 20 sender [ 5] 0.00-10.00 sec 10.6 GBytes 9.14 Gbits/sec receiver Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	7bc2ddaedc	go.mod,net/tstun,wgengine/netstack: implement gVisor TCP GSO for Linux (#12869 ) This commit implements TCP GSO for packets being read from gVisor on Linux. Windows support will follow later. The wireguard-go dependency is updated in order to make use of newly exported GSO logic from its tun package. A new gVisor stack.LinkEndpoint implementation has been established (linkEndpoint) that is loosely modeled after its predecessor (channel.Endpoint). This new implementation supports GSO of monster TCP segments up to 64K in size, whereas channel.Endpoint only supports up to 32K. linkEndpoint will also be required for GRO, which will be implemented in a follow-on commit. TCP throughput from gVisor, i.e. TUN read direction, is dramatically improved as a result of this commit. Benchmarks show substantial improvement through a wide range of RTT and loss conditions, sometimes as high as 5x. The iperf3 results below demonstrate the effect of this commit between two Linux computers with i5-12400 CPUs. There is roughly ~13us of round trip latency between them. The first result is from commit `57856fc` without TCP GSO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 2.51 GBytes 2.15 Gbits/sec 154 sender [ 5] 0.00-10.00 sec 2.49 GBytes 2.14 Gbits/sec receiver The second result is from this commit with TCP GSO. Starting Test: protocol: TCP, 1 streams, 131072 byte blocks - - - - - - - - - - - - - - - - - - - - - - - - - Test Complete. Summary Results: [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 12.6 GBytes 10.8 Gbits/sec 6 sender [ 5] 0.00-10.00 sec 12.6 GBytes 10.8 Gbits/sec receiver Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jonathan Nobels	8a8ecac6a7	net/dns, cmd/tailscaled: plumb system health tracker into dns cleanup (#12969 ) fixes tailscale#12968 The dns manager cleanup func was getting passed a nil health tracker, which will panic. Fixed to pass it the system health tracker. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	3 months ago
Andrew Dunham	35a8fca379	cmd/tailscale/cli: release portmap after netcheck Updates #12954 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic14f037b48a79b1263b140c6699579b466d89310	3 months ago
Irbe Krumina	a21bf100f3	cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality (#12945 ) cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality Refactor SSH session recording functionality (mostly the bits related to Kubernetes API server proxy 'kubectl exec' session recording): - move the session recording bits used by both Tailscale SSH and the Kubernetes API server proxy into a shared sessionrecording package, to avoid having the operator to import ssh/tailssh - move the Kubernetes API server proxy session recording functionality into a k8s-operator/sessionrecording package, add some abstractions in preparation for adding support for a second streaming protocol (WebSockets) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	c5623e0471	go.{mod,sum},tstest/tools,k8s-operator,cmd/k8s-operator: autogenerate CRD API docs (#12884 ) Re-instates the functionality that generates CRD API docs, but using a different library as the one we were using earlier seemed to have some issues with its Git history. Also regenerates the docs (make kube-generate-all). Updates tailscale/tailscale#12859 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Andrea Gottardo	90be06bd5b	health: introduce captive-portal-detected Warnable (#12707 ) Updates tailscale/tailscale#1634 This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting. ipn/ipnlocal: fix captive portal loop shutdown Change-Id: I7cafdbce68463a16260091bcec1741501a070c95 net/captivedetection: fix mutex misuse ipn/ipnlocal: ensure that we don't fail to start the timer Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Nick Khyl	20562a4fb9	cmd/viewer, types/views, util/codegen: add viewer support for custom container types This adds support for container-like types such as Container[T] that don't explicitly specify a view type for T. Instead, a package implementing a container type should also implement and export a ContainerView[T, V] type and a ContainerViewOf(*Container[T]) ContainerView[T, V] function, which returns a view for the specified container, inferring the element view type V from the element type T. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Andrew Lytvynov	e7bf6e716b	cmd/tailscale: add --min-validity flag to the cert command (#12822 ) Some users run "tailscale cert" in a cron job to renew their certificates on disk. The time until the next cron job run may be long enough for the old cert to expire with our default heristics. Add a `--min-validity` flag which ensures that the returned cert is valid for at least the provided duration (unless it's longer than the cert lifetime set by Let's Encrypt). Updates #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Lee Briggs	32ce18716b	Add extra environment variables in deployment template (#12858 ) Fixes #12857 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>	3 months ago
Irbe Krumina	0f57b9340b	cmd/k8s-operator,tstest,go.{mod,sum}: remove fybrik.io/crdoc dependency (#12862 ) Remove fybrik.io/crdoc dependency as it is causing issues for folks attempting to vendor tailscale using GOPROXY=direct. This means that the CRD API docs in ./k8s-operator/api.md will no longer be generated- I am going to look at replacing it with another tool in a follow-up. Updates tailscale/tailscale#12859 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	2742153f84	cmd/k8s-operator: add a metric to track the amount of ProxyClass resources (#12833 ) Updates tailscale/tailscale#10709 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Adrian Dewhurst	0834712c91	ipn: allow FQDN in exit node selection To match the format of exit node suggestions and ensure that the result is not ambiguous, relax exit node CLI selection to permit using a FQDN including the trailing dot. Updates #12618 Change-Id: I04b9b36d2743154aa42f2789149b2733f8555d3f Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	3 months ago
Nick Khyl	fd0acc4faf	cmd/cloner, cmd/viewer: add _test prefix for files generated with the test build tag Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Linus Brogan	9609b26541	cmd/tailscale: resolve taildrive share paths Fixes #12258. Signed-off-by: Linus Brogan <git@linusbrogan.com>	3 months ago
Nick Khyl	fc28c8e7f3	cmd/cloner, cmd/viewer, util/codegen: add support for generic types and interfaces This adds support for generic types and interfaces to our cloner and viewer codegens. It updates these packages to determine whether to make shallow or deep copies based on the type parameter constraints. Additionally, if a template parameter or an interface type has View() and Clone() methods, we'll use them for getters and the cloner of the owning structure. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 months ago
Brad Fitzpatrick	c6af5bbfe8	all: add test for package comments, fix, add comments as needed Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Irbe Krumina	986d60a094	cmd/k8s-operator: add metrics for attempted/uploaded session recordings (#12765 ) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Irbe Krumina	6a982faa7d	cmd/k8s-operator: send container name to session recorder (#12763 ) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Nick Khyl	726d5d507d	cmd/k8s-operator: update depaware.txt This fixes an issue caused by the merge order of `2b638f550d` and `8bd442ba8c`. Updates #Cleanup Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 months ago
Maisem Ali	2238ca8a05	go.mod: bump bart Updates #bart Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Nick Khyl	8bd442ba8c	util/winutil/gp, net/dns: add package for Group Policy API This adds a package with GP-related functions and types to be used in the future PRs. It also updates nrptRuleDatabase to use the new package instead of its own gpNotificationWatcher implementation. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 months ago
Andrew Lytvynov	b8af91403d	clientupdate: return true for CanAutoUpdate for macsys (#12746 ) While `clientupdate.Updater` won't be able to apply updates on macsys, we use `clientupdate.CanAutoUpdate` to gate the EditPrefs endpoint in localAPI. We should allow the GUI client to set AutoUpdate.Apply on macsys for it to properly get reported to the control plane. This also allows the tailnet-wide default for auto-updates to propagate to macsys clients. Updates https://github.com/tailscale/corp/issues/21339 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
Nick Khyl	e21d8768f9	types/opt: add generic Value[T any] for optional values of any types Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 months ago
Irbe Krumina	ba517ab388	cmd/k8s-operator,ssh/tailssh,tsnet: optionally record 'kubectl exec' sessions via Kubernetes operator's API server proxy (#12274 ) cmd/k8s-operator,ssh/tailssh,tsnet: optionally record kubectl exec sessions The Kubernetes operator's API server proxy, when it receives a request for 'kubectl exec' session now reads 'RecorderAddrs', 'EnforceRecorder' fields from tailcfg.KubernetesCapRule. If 'RecorderAddrs' is set to one or more addresses (of a tsrecorder instance(s)), it attempts to connect to those and sends the session contents to the recorder before forwarding the request to the kube API server. If connection cannot be established or fails midway, it is only allowed if 'EnforceRecorder' is not true (fail open). Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Maisem Ali	2b638f550d	cmd/k8s-operator: add depaware.txt Updates #12742 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Tom Proctor	01a7726cf7	cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577 ) cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies Don't skip installing egress forwarding rules for IPv6 (as long as the host supports IPv6), and set headless services `ipFamilyPolicy` to `PreferDualStack` to optionally enable both IP families when possible. Note that even with `PreferDualStack` set, testing a dual-stack GKE cluster with the default DNS setup of kube-dns did not correctly set both A and AAAA records for the headless service, and instead only did so when switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work simultaneously in a dual-stack cluster, we require headless services to return both A and AAAA records. If the host doesn't support IPv6 but the FQDN specified only has IPv6 addresses available, containerboot will exit with error code 1 and an error message because there is no viable egress route. Fixes #12215 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Charlotte Brandhorst-Satzkorn	42f01afe26	cmd/tailscale/cli: exit node filter should display all exit node options (#12699 ) This change expands the `exit-node list -filter` command to display all location based exit nodes for the filtered country. This allows users to switch to alternative servers when our recommended exit node is not working as intended. This change also makes the country filter matching case insensitive, e.g. both USA and usa will work. Updates #12698 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 months ago
Jordan Whited	ddf94a7b39	cmd/stunstamp: fix handling of invalid DERP map resp (#12679 ) Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
James Tucker	b565a9faa7	cmd/xdpderper: add autodetection for default interface name This makes deployment easier in hetrogenous environments. Updates ENG-4274 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Josh McKinney	18939df0a7	fix: broken tests for localhost Signed-off-by: Josh McKinney <joshka@users.noreply.github.com>	4 months ago
Brad Fitzpatrick	210264f942	cmd/derper: clarify that derper and tailscaled need to be in sync Fixes #12617 Change-Id: Ifc87b7d9cf699635087afb57febd01fb9a6d11b7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	6b801a8e9e	cmd/derper: link to various derper docs in more places In hopes it'll be found more. Updates tailscale/corp#20844 Change-Id: Ic92ee9908f45b88f8770de285f838333f9467465 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
James Tucker	46fda6bf4c	cmd/derper: add some DERP diagnostics pointers A few other minor language updates. Updates tailscale/corp#20844 Change-Id: Idba85941baa0e2714688cc8a4ec3e242e7d1a362 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Adrian Dewhurst	a6b13e6972	cmd/tailscale/cli: correct command emitted by exit node suggestion The exit node suggestion CLI command was written with the assumption that it's possible to provide a stableid on the command line, but this is incorrect. Instead, it will now emit the name of the exit node. Fixes #12618 Change-Id: Id7277f395b5fca090a99b0d13bfee7b215bc9802 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	4 months ago
Jordan Whited	94415e8029	cmd/stunstamp: remove sqlite DB and API (#12604 ) stunstamp now sends data to Prometheus via remote write, and Prometheus can serve the same data. Retaining and cleaning up old data in sqlite leads to long probing pauses, and it's not worth investing more effort to optimize the schema and/or concurrency model. Updates tailscale/corp#20344 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago

1 2 3 4 5 ...

1898 Commits (194ff6ee3deb02efe5cd10e8bae81076b33b5a05)