Commit Graph

1220 Commits (1a30b2d73f9ac0d1ecd7620574d80e6a38e9f0a9)

Author SHA1 Message Date
Mihai Parparita 73d33e3f20 cmd/tsconnect: use empty string as the default state store key
Makes the Wasm client more similar to the others, and allows the default
profile to be correctly picked up when restarting the client in dev
mode (where we persist the state in sessionStorage).

Also update README to reflect that Go wasm changes can be picked up
with just a reload (as of #5383)

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2 years ago
Maisem Ali 4441609d8f safesocket: remove the now unused WindowsLocalPort
Also drop the port param from safesocket.Listen. #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2 years ago
David Anderson e51cf1b09d cmd/k8s-operator: use unstable tailscale image as well
We need a post-1.36 tailscale image to handle custom hostnames correctly.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 0dc9cbc9ab cmd/k8s-operator: use the unstable operator image
There is no stable release yet, and for alpha we want people on the
unstable build while we iterate.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Will Norris 947c14793a all: update tools that manage copyright headers
Update all code generation tools, and those that check for license
headers to use the new standard header.

Also update copyright statement in LICENSE file.

Fixes #6865

Signed-off-by: Will Norris <will@tailscale.com>
2 years ago
Will Norris 71029cea2d all: update copyright and license headers
This updates all source files to use a new standard header for copyright
and license declaration.  Notably, copyright no longer includes a date,
and we now use the standard SPDX-License-Identifier header.

This commit was done almost entirely mechanically with perl, and then
some minimal manual fixes.

Updates #6865

Signed-off-by: Will Norris <will@tailscale.com>
2 years ago
Brad Fitzpatrick a1b4ab34e6 util/httpm: add new package for prettier HTTP method constants
See package doc.

Change-Id: Ibbfc8e1f98294217c56f3a9452bd93ffa3103572
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Denton Gentry 7439bc7ba6 cmd/sync-containers: add github.Keychain
Running sync-containers in a GitHub workflow will be
simpler if we check github.Keychain, which uses the
GITHUB_TOKEN if present.

Updates https://github.com/tailscale/corp/issues/8461

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2 years ago
David Anderson 9bd6a2fb8d cmd/k8s-operator: support setting a custom hostname.
Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Xe Iaso 038d25bd04
cmd/nginx-auth: update Expected-Tailnet documentation (#6055)
Signed-off-by: Xe Iaso <xe@tailscale.com>
2 years ago
phirework 2d29f77b24
cmd/tailscale/cli: fix TUNmode display on synology web page (#7064)
Fixes #7059

Signed-off-by: Jenny Zhang <jz@tailscale.com>

Signed-off-by: Jenny Zhang <jz@tailscale.com>
2 years ago
Vince Prignano 30380403d0 cmd/k8s-operator: remove use of InjectClient (deprecated)
The dependency injection functionality has been deprecated a while back
and it'll be removed in the 0.15 release of Controller Runtime. This
changeset sets the Client after creating the Manager, instead of using
InjectClient.

Signed-off-by: Vince Prignano <vince@prigna.com>
2 years ago
Anton Tolchanov e8b695626e cmd/mkpkg: allow specifying recommended dependencies
Updates #3151

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2 years ago
Brad Fitzpatrick c8db70fd73 cmd/tailscale/cli: add debug set-expire command for testing
Updates tailscale/corp#8811
Updates tailscale/corp#8613

Change-Id: I1c87806ca3ccc5c43e7ddbd6b4d521f73f7d29f1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 06fff461dc ipn/ipnstate: add PeerStatus.KeyExpiry for tailscale status --json
Fixes #6712

Change-Id: I817cd5342fac8a956fcefda2d63158fa488f3395
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Andrew Dunham b74db24149 tstest/integration: mark all integration tests as flaky
Updates #7036

Change-Id: I3aec5ad680078199ba984bf8afc20b2f2eb37257
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2 years ago
Brad Fitzpatrick fd92fbd69e cmd/tailscale/cli: only give systemctl hint on systemd systems
Per recent user confusion on a QNAP issue.

Change-Id: Ibda00013df793fb831f4088b40be8a04dfad17c2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick ba5aa2c486 version, cmd/tailscale: add version.Meta, tailscale version --json
Add `tailscale version --json` JSON output mode. This will be used
later for a double-opt-in (per node consent like Tailscale SSH +
control config) to let admins do remote upgrades via `tailscale
update` via a c2n call, which would then need to verify the
cmd/tailscale found on disk for running tailscale update corresponds
to the running tailscaled, refusing if anything looks amiss.

Plus JSON output modes are just nice to have, rather than parsing
unstable/fragile/obscure text formats.

Updates #6995
Updates #6907

Change-Id: I7821ab7fbea4612f4b9b7bdc1be1ad1095aca71b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 5ca22a0068 cmd/tailscale/cli: make 'tailscale update' support Debian/Ubuntu apt
Updates #6995

Change-Id: I3355435db583755e0fc73d76347f6423b8939dfb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 6793685bba go.mod: bump AWS SDK past a breaking API change of theirs
They changed a type in their SDK which meant others using the AWS APIs
in their Go programs (with newer AWS modules in their caller go.mod)
and then depending on Tailscale (for e.g. tsnet) then couldn't compile
ipn/store/awsstore.

Thanks to @thisisaaronland for bringing this up.

Fixes #7019

Change-Id: I8d2919183dabd6045a96120bb52940a9bb27193b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
shayne 73399f784b
cmd/tailscale/cli: use mock impl of LocalClient for serve cmd (#6422)
Create an interface and mock implementation of tailscale.LocalClient for
serve command tests.

Updates #6304
Closes #6372

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
2 years ago
Brad Fitzpatrick c129bf1da1 cmd/tailscale/cli: un-alpha login+switch in ShortUsage docs
Change-Id: I580d4417cf03833dfa8f6a295fb416faa667c477
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 71a7b8581d cmd/tailscale/cli: make "update" work on Windows
Updates #6995

Co-authored-by: Aaron Klotz <aaron@tailscale.com>
Change-Id: I16622f43156a70b6fbc8205239fd489d7378d57b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Andrew Dunham aea251d42a cmd/testwrapper: move from corp; mark magicsock test as flaky
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ibab5860f5797b3db151d3c27855333e43a9088a4
2 years ago
Tom DNetto ee6d18e35f cmd/tailscale/cli: implement --json for lock status and lock log cmds
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Brad Fitzpatrick b657187a69 cmd/tailscale, logtail: add 'tailscale debug daemon-logs' logtail mechanism
Fixes #6836

Change-Id: Ia6eb39ff8972e1aa149aeeb63844a97497c2cf04
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick d9144c73a8 cmd/tailscale: add start of "tailscale update" command
Goal: one way for users to update Tailscale, downgrade, switch tracks,
regardless of platform (Windows, most Linux distros, macOS, Synology).

This is a start.

Updates #755, etc

Change-Id: I23466da1ba41b45f0029ca79a17f5796c2eedd92
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
phirework f011a0923a
cmd/tailscale/cli: style synology outgoing access info (#6959)
Follow-up to #6957.

Updates #4015

Signed-off-by: Jenny Zhang <jz@tailscale.com>
2 years ago
Brad Fitzpatrick 5eded58924 cmd/tailscale/cli: make web show/link Synology outgoing connection mode/docs
Fixes #4015

Change-Id: I8230bb0cc3d621b6fa02ab2462cea104fa1e9cf9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 61dfbc0a6e cmd/tailscale/cli: plumb TUN mode into tailscale web template
UI works remains, but data is there now.

Updates #4015

Change-Id: Ib91e94718b655ad60a63596e59468f3b3b102306
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
salman 8a1201ac42 cmd/tailscale: correct order for -terminate-tls flag in serve tcp usage
The -terminate-tls flag is for the tcp subsubcommand, not the serve
subcommand like the usage example suggests.

Signed-off-by: salman <salman@tailscale.com>
2 years ago
Denton Gentry 22ebb25e83 cmd/tailscale: disable HTTPS verification for QNAP auth.
QNAP's "Force HTTPS" mode redirects even localhost HTTP to
HTTPS, but uses a self-signed certificate which fails
verification. We accommodate this by disabling checking
of the cert.

Fixes https://github.com/tailscale/tailscale/issues/6903

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2 years ago
Brad Fitzpatrick 1116602d4c ssh/tailssh: add OpenBSD support for Tailscale SSH
And bump go.mod for https://github.com/u-root/u-root/pull/2593

Change-Id: I36ec94c5b2b76d671cb739f1e9a1a43ca1d9d1b1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
David Anderson 39efba528f cmd/containerboot: use TS_AUTHKEY as the parameter for auth keys
We still accept the previous TS_AUTH_KEY for backwards compatibility, but the documented option name is the spelling we use everywhere else.

Updates #6321

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Brad Fitzpatrick 69c0b7e712 ipn/ipnlocal: add c2n handler to flush logtail for support debugging
Updates tailscale/corp#8564

Change-Id: I0c619d4007069f90cffd319fba66bd034d63e84d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Tom DNetto 673b3d8dbd net/dns,userspace: remove unused DNS paths, normalize query limit on iOS
With a42a594bb3, iOS uses netstack and
hence there are no longer any platforms which use the legacy MagicDNS path. As such, we remove it.

We also normalize the limit for max in-flight DNS queries on iOS (it was 64, now its 256 as per other platforms).
It was 64 for the sake of being cautious about memory, but now we have 50Mb (iOS-15 and greater) instead of 15Mb
so we have the spare headroom.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Tom DNetto 907f85cd67 cmd/tailscale,tka: make KeyID return an error instead of panicking
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Tom DNetto 8724aa254f cmd/tailscale,tka: implement compat for TKA messages, minor UX tweaks
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
David Anderson 91e64ca74f cmd/tailscale/cli: redact private key in debug netmap output by default
This makes `tailscale debug watch-ipn` safe to use for troubleshooting
user issues, in addition to local debugging during development.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Denton Gentry 467ace7d0c cmd/tailscale: use localhost for QNAP authLogin.cgi
When the user clicks on the Tailscale app in the QNAP App Center,
we do a GET from /cgi-bin/authLogin.cgi to look up their SID.

If the user clicked "secure login" on the QNAP login page to use
HTTPS, then our access to authLogin.cgi will also use HTTPS
but the certiciate is self-signed. Our GET fails with:
    Get "https://10.1.10.41/cgi-bin/authLogin.cgi?sid=abcd0123":
    x509: cannot validate certificate for 10.1.10.41 because it
    doesn't contain any IP SANs
or similar errors.

Instead, access QNAP authentication via http://localhost:8080/
as documented in
https://download.qnap.com/dev/API_QNAP_QTS_Authentication.pdf

Fixes https://github.com/tailscale/tailscale-qpkg/issues/62

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2 years ago
Brad Fitzpatrick aad6830df0 util/codegen, all: use latest year, not time.Now, in generated files
Updates #6865

Change-Id: I6b86c646968ebbd4553cf37df5e5612fbf5c5f7d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
David Anderson 7bfb9999ee cmd/printdep: support printing the toolchain SRI hash.
Updates #6845.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Brad Fitzpatrick 3599364312 cmd/nardump: Go tool to build Nix NARs and compute their hashes.
Updates #6845.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Claire Wang a45c9f982a wgengine/netstack: change netstack API to require LocalBackend
The macOS client was forgetting to call netstack.Impl.SetLocalBackend.
Change the API so that it can't be started without one, eliminating this
class of bug. Then update all the callers.

Updates #6764

Change-Id: I2b3a4f31fdfd9fdbbbbfe25a42db0c505373562f
Signed-off-by: Claire Wang <claire@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
andig 14e8afe444 go.mod, etc: bump gvisor
Fixes #6554

Change-Id: Ia04ae37a47b67fa57091c9bfe1d45a1842589aa8
Signed-off-by: andig <cpuidle@gmx.de>
2 years ago
Brad Fitzpatrick 8aac77aa19 cmd/tailscale: fix "up" warning about netfilter-mode on Synology
Fixes #6811

Change-Id: Ia43723e6ebedc9b01729897cec271c462b16e9ae
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
David Anderson a1ded4c166 cmd/sync-containers: add a dry-run option.
Updates tailscale/corp#8461

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson e5fe205c31 cmd/sync-containers: program to sync tags between container registries.
Updates tailscale/corp#8461

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Brad Fitzpatrick a06217a8bd cmd/tailscale/cli: hide Windows named pipe default name in flag help
It's long & distracting for how low value it is.

Fixes #6766

Change-Id: I51364f25c0088d9e63deb9f692ba44031f12251b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Jordan Whited 914d115f65
go.mod: bump tailscale/wireguard-go for big-endian fix (#6785)
Signed-off-by: Jordan Whited <jordan@tailscale.com>
2 years ago
David Anderson af3127711a cmd/containerboot: allow disabling secret storage in k8s.
In some configurations, user explicitly do not want to store
tailscale state in k8s secrets, because doing that leads to
some annoying permission issues with sidecar containers.
With this change, TS_KUBE_SECRET="" and TS_STATE_DIR=/foo
will force storage to file when running in kubernetes.

Fixes #6704.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Brad Fitzpatrick c02ccf6424 go.mod: bump dhcp dep to remove another endian package from our tree
To pull in insomniacslk/dhcp#484 to pull in u-root/uio#8

Updates golang/go#57237

Change-Id: I1e56656e0dc9ec0b870f799fe3bc18b3caac1ee4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
David Anderson 8171eb600c cmd/k8s-operator: move the operator into its own namespace.
The operator creates a fair bit of internal cluster state to manage proxying,
dumping it all in the default namespace is handy for development but rude
for production.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 3a5fc233aa cmd/k8s-operator: use oauth credentials for API access.
This automates both the operator's initial login, and
provisioning/deprovisioning of proxies.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson a7ab3429b6 cmd/k8s-operator: refactor reconcile loop, un-plumbing reconcile.Result.
We used to need to do timed requeues in a few places in the reconcile logic,
and the easiest way to do that was to plumb reconcile.Result return values
around. But now we're purely event-driven, so the only thing we care about
is whether or not an error occurred.

Incidentally also fix a very minor bug where headless services would get
completely ignored, rather than reconciled into the correct state. This
shouldn't matter in practice because you can't transition from a headful
to a headless service without a deletion, but for consistency let's avoid
having a path that takes no definite action if a service of interest does
exist.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Denton Gentry da53b1347b cmd/gitops-pusher: support alternate api-server URLs
Fixes https://github.com/tailscale/coral/issues/90

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2 years ago
David Anderson 835a73cc1f cmd/k8s-operator: remove unnecessary timed requeue.
Previously, we had to do blind timed requeues while waiting for
the tailscale hostname, because we looked up the hostname through
the API. But now the proxy container image writes back its hostname
to the k8s secret, so we get an event-triggered reconcile automatically
when the time is right.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson d857fd00b3 cmd/k8s-operator: sprinkle debug logging throughout.
As is convention in the k8s world, use zap for structured logging. For
development, OPERATOR_LOGGING=dev switches to a more human-readable output
than JSON.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 8ccd707218 cmd/k8s-operator: remove times requeues in proxy deletion path.
Our reconcile loop gets triggered again when the StatefulSet object
finally disappears (in addition to when its deletion starts, as indicated
by DeletionTimestamp != 0). So, we don't need to queue additional
reconciliations to proceed with the remainder of the cleanup, that
happens organically.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 9c77205ba1 cmd/k8s-operator: add more tests for "normal" paths.
Tests cover configuring a proxy through an annotation rather than a
LoadBalancerClass, and converting between those two modes at runtime.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson c902190e67 cmd/k8s-operator: factor out some of the larger expected test outputs.
For other test cases, the operator is going to produce similar generated
objects in several codepaths, and those objects are large. Move them out
to helpers so that the main test code stays a bit more intelligible.

The top-level Service that we start and end with remains in the main test
body, because its shape at the start and end is one of the main things that
varies a lot between test cases.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 8dbb3b8bbe cmd/k8s-operator: remove unused structs. Cleanup missed in #6718.
Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 53a9cc76c7 cmd/k8s-operator: rename main.go -> operator.go.
Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson bc8f5a7734 cmd/k8s-operator: add a basic unit test.
The test verifies one of the successful reconcile paths, where
a client requests an exposed service via a LoadBalancer class.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson 3b7ae39a06 cmd/k8s-operator: use the client's authkey method to create auth keys.
Also introduces an intermediary interface for the tailscale client, in
preparation for operator tests that fake out the Tailscale API interaction.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Brad Fitzpatrick ca08e316af util/endian: delete package; use updated josharian/native instead
See josharian/native#3

Updates golang/go#57237

Change-Id: I238c04c6654e5b9e7d9cfb81a7bbc5e1043a84a2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
David Anderson b2d4abf25a cmd/k8s-operator: add a kubernetes operator.
This was initially developed in a separate repo, but for build/release
reasons and because go module management limits the damage of importing
k8s things now, moving it into this repo.

At time of commit, the operator enables exposing services over tailscale,
with the 'tailscale' loadBalancerClass. It also currently requires an
unreleased feature to access the Tailscale API, so is not usable yet.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Aaron Klotz 53e2010b8a cmd/tailscaled: change Windows implementation to shut down subprocess via closing its stdin
We've been doing a hard kill of the subprocess, which is only safe as long as
both the cli and gui are not running and the subprocess has had the opportunity
to clean up DNS settings etc. If unattended mode is turned on, this is definitely
unsafe.

I changed babysitProc to close the subprocess's stdin to make it shut down, and
then I plumbed a cancel function into the stdin reader on the subprocess side.

Fixes https://github.com/tailscale/corp/issues/5621

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2 years ago
shayne 9d335aabb2
cmd/tailscale/cli: [ssh] fix typo in help text (#6694)
arugments => arguments

Signed-off-by: shayne <79330+shayne@users.noreply.github.com>
2 years ago
Jordan Whited ea5ee6f87c
all: update golang.zx2c4.com/wireguard to github.com/tailscale/wireguard-go (#6692)
This is temporary while we work to upstream performance work in
https://github.com/WireGuard/wireguard-go/pull/64. A replace directive
is less ideal as it breaks dependent code without duplication of the
directive.

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2 years ago
Walter Poupore 383e203fd2
cmd/tailscale/cli: update lock status help strings (#6675)
Signed-off-by: Walter Poupore <walterp@tailscale.com>

Signed-off-by: Walter Poupore <walterp@tailscale.com>
2 years ago
Jordan Whited 76389d8baf
net/tstun, wgengine/magicsock: enable vectorized I/O on Linux (#6663)
This commit updates the wireguard-go dependency and implements the
necessary changes to the tun.Device and conn.Bind implementations to
support passing vectors of packets in tailscaled. This significantly
improves throughput performance on Linux.

Updates #414

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Signed-off-by: James Tucker <james@tailscale.com>
Co-authored-by: James Tucker <james@tailscale.com>
2 years ago
James Tucker 389238fe4a cmd/tailscale/cli: add workaround for improper named socket quoting in ssh command
This avoids the issue in the common case where the socket path is the
default path, avoiding the immediate need for a Windows shell quote
implementation.

Updates #6639

Signed-off-by: James Tucker <james@tailscale.com>
2 years ago
Tom DNetto e27f4f022e cmd/tailscale/cli: add progress to tailscale file cp
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
shayne 98114bf608
cmd/tailscale/cli, ipn/localapi: add funnel status to status command (#6402)
Fixes #6400

open up GETs for localapi serve-config to allow read-only access to
ServeConfig

`tailscale status` will include "Funnel on" status when Funnel is
configured. Prints nothing if Funnel is not running.

Example:

 $ tailscale status
 <nodes redacted>

 # Funnel on:
 #     - https://node-name.corp.ts.net
 #     - https://node-name.corp.ts.net:8443
 #     - tcp://node-name.corp.ts.net:10000

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
2 years ago
David Anderson 1b65630e83 cmd/containerboot: switch to IPN bus monitoring instead of polling.
We still have to shell out to `tailscale up` because the container image's
API includes "arbitrary flags to tailscale up", unfortunately. But this
should still speed up startup a little, and also enables k8s-bound containers
to update their device information as new netmap updates come in.

Fixes #6657

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Tom DNetto 55e0512a05 ipn/ipnlocal,cmd/tailscale: minor improvements to lock modify command
* Do not print the status at the end of a successful operation
 * Ensure the key of the current node is actually trusted to make these changes

Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Aaron Klotz 98f21354c6 cmd/tailscaled: add a special command to tailscaled's Windows service for removing WinTun
WinTun is installed lazily by tailscaled while it is running as LocalSystem.
Based upon what we're seeing in bug reports and support requests, removing
WinTun as a lesser user may fail under certain Windows versions, even when that
user is an Administrator.

By adding a user-defined command code to tailscaled, we can ask the service to
do the removal on our behalf while it is still running as LocalSystem.

* The uninstall code is basically the same as it is in corp;
* The command code will be sent as a service control request and is protected by
  the SERVICE_USER_DEFINED_CONTROL access right, which requires Administrator.

I'll be adding follow-up patches in corp to engage this functionality.

Updates https://github.com/tailscale/tailscale/issues/6433

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2 years ago
David Anderson 367228ef82 cmd/containerboot: gracefully degrade if missing patch permissions in k8s.
Fixes #6629.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Andrew Dunham a887ca7efe ipn/ipnlocal: improve redactErr to handle more cases
This handles the case where the inner *os.PathError is wrapped in
another error type, and additionally will redact errors of type
*os.LinkError. Finally, add tests to verify that redaction works.

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ie83424ff6c85cdb29fb48b641330c495107aab7c
2 years ago
David Anderson e36c27bcd1 cmd/containerboot: check that k8s secret permissions are correct.
Updates #6629.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson e79a1eb24a cmd/containerboot: refactor tests to have more explicit phases.
In preparation for making startup more complex with IPN bus watches.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson e04aaa7575 cmd/containerboot: split tailscaled bringup and auth phases.
In preparation for reworking auth to use IPN bus watch.

Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
David Anderson a469ec8ff6 cmd/containerboot: fix some lint.
Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago
Anton Tolchanov 5ff946a9e6 cmd/containerboot: fix TS_STATE_DIR environment variable
It's supposed to set `--statedir` rather than `--state` file.

Fixes #6634.

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2 years ago
Brad Fitzpatrick 1598cd0361 net/tsaddr: remove ContainsFunc helpers (they're now in x/exp/slices)
x/exp/slices now has ContainsFunc (golang/go#53983) so we can delete
our versions.

Change-Id: I5157a403bfc1b30e243bf31c8b611da25e995078
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Mihai Parparita cb525a1aad cmd/tailscaled: fix typo in netstack variable name
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2 years ago
Maisem Ali 96cad35870 cmd/tailscaled: rename variables to be more descriptive
renamed from `useNetstack` to `onlyNetstack` which is 1 letter more but
more descriptive because we always have netstack enabled and `useNetstack`
doesn't convey what it is supposed to be used for. e.g. we always use
netstack for Tailscale SSH.

Also renamed shouldWrapNetstack to handleSubnetsInNetstack as it was only used
to configure subnet routing via netstack.

Updates tailscale/corp#8020

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2 years ago
Mihai Parparita 5b8323509f cmd/tailscale/cli: use "account" instead of "profile" in user-visible text
Matches the UI clients

Updates #713

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2 years ago
Maya Kaczorowski d5b4d2e276
cmd/tailscale/cli: improve tailnet lock help (#6583)
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>

Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2 years ago
Walter Poupore 74b47eaad6
cmd/tailscale/cli: Fix 'tailscale switch' error message (#6585)
Updates #713.

Signed-off-by: Walter Poupore <walterp@tailscale.com>

Signed-off-by: Walter Poupore <walterp@tailscale.com>
2 years ago
Maisem Ali a5a3188b7e cmd/tailscale/cli: unhide login and switch subcommands
Updates #713

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2 years ago
Maya Kaczorowski a1084047ce
cmd/tailscale/cli: capitalize Get (#6586)
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>

Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2 years ago
Tom DNetto 74c1f632f6 types/key,cmd/tailscale/cli: support tlpub prefix for tailnet-lock keys
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Brad Fitzpatrick 8dd1418774 ipn{,/ipnlocal}: add ipn.NotifyInitial* flags to WatchIPNBus
To simplify clients getting the initial state when they subscribe.

Change-Id: I2490a5ab2411253717c74265a46a98012b80db82
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Brad Fitzpatrick 197a4f1ae8 types/ptr: move all the ptrTo funcs to one new package's ptr.To
Change-Id: Ia0b820ffe7aa72897515f19bd415204b6fe743c7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Tom DNetto 9a80b8fb10 cmd/tailscale,ipn: surface TKA-filtered peers in lock status command
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Tom DNetto 731be07777 cmd/tailscale/cli: show rotation key when suggesting lock sign command
Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago
Brad Fitzpatrick f710d1cb20 cmd/tailscale/cli: add set --unattended on Windows
Fixes #6567

Change-Id: I8cb57196c601466401f8602eb50456e7cf7c31ef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago
Denton Gentry a200a23f97 Revert "cmd/tailscale: access QNAP via localhost"
When running `tailscale web` as a standalone process,
it was necessary to send auth requests to QTS using
localhost to avoid hitting the proxy recursively.

However running `tailscale web` as a process means it is
consuming RAM all the time even when it isn't actively
doing anything.

After switching back to the `tailscale web` CGI mode, we
don't need to specifically use localhost for QNAP auth.

This reverts commit e0cadc5496.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2 years ago