Commit Graph

10056 Commits (1a79abf5fb0358242e77e8dedfd699a4d7e4e6c5)

Author SHA1 Message Date
Nick O'Neill 1a79abf5fb
VERSION.txt: this is v1.95.0 (#18414)
Signed-off-by: Nick O'Neill <nick@tailscale.com>
12 hours ago
Simon Law 5aeee1d8a5
.github/workflows: double the timeout for golangci-lint (#18404)
Recently, the golangci-lint workflow has been taking longer and longer
to complete, causing it to timeout after the default of 5 minutes.

    Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: context deadline exceeded
    Timeout exceeded: try increasing it by passing --timeout option

Although PR #18398 enabled the Go module cache, bootstrapping with a
cold cache still takes too long.

This PR doubles the default 5 minute timeout for golangci-lint to 10
minutes so that golangci-lint can finish downloading all of its
dependencies.

Note that this doesn’t affect the 5 minute timeout configured in
.golangci.yml, since running golangci-lint on your local instance
should still be plenty fast.

Fixes #18366

Signed-off-by: Simon Law <sfllaw@tailscale.com>
14 hours ago
Tom Meadows c3b7f24051
ipn,ipn/local: always accept routes for Tailscale Services (cgnat range) (#18173)
Updates #18198

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Co-authored-by: James Tucker <raggi@tailscale.com>
16 hours ago
Mario Minardi e9d82767e5 cmd/containerboot: allow for automatic ID token generation
Allow for optionally specifying an audience for containerboot. This is
passed to tailscale up to allow for containerboot to use automatic ID
token generation for authentication.

Updates https://github.com/tailscale/corp/issues/34430

Signed-off-by: Mario Minardi <mario@tailscale.com>
17 hours ago
Mario Minardi 02af7c963c tsnet: allow for automatic ID token generation
Allow for optionally specifying an audience for tsnet. This is passed
to the underlying identity federation logic to allow for tsnet auth to
use automatic ID token generation for authentication.

Updates https://github.com/tailscale/corp/issues/33316

Signed-off-by: Mario Minardi <mario@tailscale.com>
18 hours ago
Irbe Krumina 28f163542c
.github/actions/go-cache: build cigocacher using remote path, fall back to ./tool/go (#18409)
If local tailscale/tailscale checkout is not available,
pull cigocacher remotely.
Fall back to ./tool/go if no other Go installation
is present.

Updates tailscale/corp#32493

Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
19 hours ago
Danni Popova 6a6aa805d6
cmd,feature: add identity token auto generation for workload identity (#18373)
Adds the ability to detect what provider the client is running on and tries to fetch the ID token to use with Workload Identity.

Updates https://github.com/tailscale/corp/issues/33316

Signed-off-by: Danni Popova <danni@tailscale.com>
19 hours ago
Anton Tolchanov 58042e2de3 metrics: add a NewSet and Set.NewLabelMap helpers
Updates tailscale/corp#31174

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2 days ago
Anton Tolchanov 17b0c7bfb3 metrics: add a NewLabelMap helper to create and register label maps
Updates tailscale/corp#31174

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2 days ago
Simon Law 76fb09c6bd
.github/workflows: fix timeouts by caching packages for golangci-lint (#18398)
Recently, the golangci-lint workflow has been taking longer and longer
to complete, causing it to timeout after the default of 5 minutes.

    Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: context deadline exceeded
    Timeout exceeded: try increasing it by passing --timeout option

This PR upgrades actions/setup-go to version 6, the latest, and
enables caching for Go modules and build outputs. This should speed up
linting because most packages won’t have to be downloaded over and
over again.

Fixes #18366

Signed-off-by: Simon Law <sfllaw@tailscale.com>
2 days ago
Irbe Krumina 8c17d871b3
ipn/store/kubestore: don't load write replica certs in memory (#18395)
Fixes a bug where, for kube HA proxies, TLS certs for the replica
responsible for cert issuance were loaded in memory on startup,
although the in-memory store was not updated after renewal (to
avoid failing re-issuance for re-created Ingresses).
Now the 'write' replica always reads certs from the kube Secret.

Updates tailscale/tailscale#18394

Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
2 days ago
Harry Harpham 87e108e10c docs: add instructions on referencing pull requests in commit messages
Updates #cleanup
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham 78c8d14254 tsnet: use errors.Join and idiomatic field order
Updates #18376 (follow up on feedback)
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Raj Singh aadc4f2ef4
wgengine/magicsock: add home DERP region usermetric (#18062)
Expose the node's home DERP region ID as a Prometheus gauge via the
usermetrics endpoint.

Fixes #18061

Signed-off-by: Raj Singh <raj@tailscale.com>
6 days ago
Patrick O'Doherty 5db95ec376
go.mod: bump github.com/containerd/containerd@v1.7.29 (#18374)
Updates #cleanup

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
6 days ago
Harry Harpham 3c1be083a4 tsnet: ensure funnel listener cleans up after itself when closed
Previously the funnel listener would leave artifacts in the serve
config. This caused weird out-of-sync effects like the admin panel
showing that funnel was enabled for a node, but the node rejecting
packets because the listener was closed.

This change resolves these synchronization issues by ensuring that
funnel listeners clean up the serve config when closed.

See also:
e109cf9fdd

Updates #cleanup
Signed-off-by: Harry Harpham <harry@tailscale.com>
6 days ago
Harry Harpham f9762064cf tsnet: reset serve config only once
Prior to this change, we were resetting the tsnet's serve config every
time tsnet.Server.Up was run. This is important to do on startup, to
prevent messy interactions with stale configuration when the code has
changed.

However, Up is frequently run as a just-in-case step (for example, by
Server.ListenTLS/ListenFunnel and possibly by consumers of tsnet). When
the serve config is reset on each of these calls to Up, this creates
situations in which the serve config disappears unexpectedly. The
solution is to reset the serve config only on the first call to Up.

Fixes #8800
Updates tailscale/corp#27200
Signed-off-by: Harry Harpham <harry@tailscale.com>
6 days ago
Jordan Whited 5f34f14e14 net/udprelay: apply netns Control func to server socket(s)
To prevent peer relay servers from sending packets *over* Tailscale.

Updates tailscale/corp#35651

Signed-off-by: Jordan Whited <jordan@tailscale.com>
6 days ago
Mario Minardi 4c37141ab7 cmd,internal,feature: add workload identity support to gitops pusher
Add support for authenticating the gitops-pusher using workload identity
federation.

Updates https://github.com/tailscale/corp/issues/34172

Signed-off-by: Mario Minardi <mario@tailscale.com>
7 days ago
Simon Law 3e45e5b420
feature/featuretags: make QR codes modular (#18358)
QR codes are used by `tailscale up --qr` to provide an easy way to
open a web-page without transcribing a difficult URI. However, there’s
no need for this feature if the client will never be called
interactively. So this PR adds the `ts_omit_qrcodes` build tag.

Updates #18182

Signed-off-by: Simon Law <sfllaw@tailscale.com>
7 days ago
Andrew Dunham 6aac87a84c net/portmapper, go.mod: unfork our goupnp dependency
Updates #7436

Signed-off-by: Andrew Dunham <andrew@tailscale.com>
7 days ago
Tom Proctor 5019dc8eb2
go.mod: bump mkctr dep (#18365)
Brings in tailscale/mkctr#29.

Updates tailscale/corp#32085

Change-Id: I90160ed1cdc47118ac8fd0712d63a7b590e739d3

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
7 days ago
Tom Proctor 5be02ee6f8 cmd/k8s-operator/e2e,go.mod: remove client v2 dependency
It's not worth adding the v2 client just for these e2e tests. Remove
that dependency for now to keep a clear separation, but we should revive
the v2 client version if we ever decide to take that dependency for the
tailscale/tailscale repo as a whole.

Updates tailscale/corp#32085

Change-Id: Ic51ce233d5f14ce2d25f31a6c4bb9cf545057dd0
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
7 days ago
Tom Proctor 73cb3b491e
cmd/k8s-operator/e2e: run self-contained e2e tests with devcontrol (#17415)
* cmd/k8s-operator/e2e: run self-contained e2e tests with devcontrol

Adds orchestration for more of the e2e testing setup requirements to
make it easier to run them in CI, but also run them locally in a way
that's consistent with CI. Requires running devcontrol, but otherwise
supports creating all the scaffolding required to exercise the operator
and proxies.

Updates tailscale/corp#32085

Change-Id: Ia7bff38af3801fd141ad17452aa5a68b7e724ca6
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>

* cmd/k8s-operator/e2e: being more specific on tmp dir cleanup

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

---------

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>
7 days ago
Simon Law 522a6e385e
cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles (#18182)
Raw Linux consoles support UTF-8, but we cannot assume that all UTF-8
characters are available. The default Fixed and Terminus fonts don’t
contain half-block characters (`▀` and `▄`), but do contain the
full-block character (`█`).

Sometimes, Linux doesn’t have a framebuffer, so it falls back to VGA.
When this happens, the full-block character could be anywhere in
extended ASCII block, because we don’t know which code page is active.

This PR introduces `--qr-format=auto` which tries to heuristically
detect when Tailscale is printing to a raw Linux console, whether
UTF-8 is enabled, and which block characters have been mapped in the
console font.

If Unicode characters are unavailable, the new `--qr-format=ascii`
formatter uses `#` characters instead of full-block characters.

Fixes #12935

Signed-off-by: Simon Law <sfllaw@tailscale.com>
1 week ago
Raj Singh e66531041b
cmd/containerboot: add OAuth and WIF auth support (#18311)
Fixes tailscale/corp#34430

Signed-off-by: Raj Singh <raj@tailscale.com>
1 week ago
Andrew Lytvynov 6c67deff38
cmd/distsign: add CLI for verifying package signatures (#18239)
Updates #35374

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 week ago
Naman Sood 480ee9fec0
ipn,cmd/tailscale/cli: set correct SNI name for TLS-terminated TCP Services (#17752)
Fixes #17749.

Signed-off-by: Naman Sood <mail@nsood.in>
1 week ago
Alex Valiushko 4c3cf8bb11
wgengine/magicsock: extract IMDS utilities into a standalone package (#18334)
Moves magicsock.cloudInfo into util/cloudinfo with minimal changes.

Updates #17796

Change-Id: I83f32473b9180074d5cdbf00fa31e5b3f579f189

Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
1 week ago
Mario Minardi a662c541ab .github/workflows: bump create-pull-request to 8.0.0
Bump peter-evans/create-pull-request to 8.0.0 to ensure compatibility
with actions/checkout 6.x.

Updates #cleanup

Signed-off-by: Mario Minardi <mario@tailscale.com>
1 week ago
dependabot[bot] 9a6282b515 .github: Bump actions/checkout from 4.2.2 to 5.0.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](11bd71901b...08c6903cd8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
1 week ago
Harry Harpham 7de1b0b330
cmd/tailscale/cli: remove Services-specific subcommands from funnel (#18225)
The funnel command is sort of an alias for the serve command. This means
that the subcommands added to serve to support Services appear as
subcommands for funnel as well, despite having no meaning for funnel.
This change removes all such Services-specific subcommands from funnel.

Fixes tailscale/corp#34167

Signed-off-by: Harry Harpham <harry@tailscale.com>
1 week ago
Irbe Krumina 8ea90ba80d
cmd/tailscaled,ipn/{ipnlocal,store/kubestore}: don't create attestation keys for stores that are not bound to a node (#18322)
Ensure that hardware attestation keys are not added to tailscaled
state stores that are Kubernetes Secrets or AWS SSM as those Tailscale
devices should be able to be recreated on different nodes, for example,
when moving Pods between nodes.

Updates tailscale/tailscale#18302

Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
1 week ago
Andrew Lytvynov 68617bb82e
cmd/tailscaled: disable state encryption / attestation by default (#18336)
TPM-based features have been incredibly painful due to the heterogeneous
devices in the wild, and many situations in which the TPM "changes" (is
reset or replaced). All of this leads to a lot of customer issues.

We hoped to iron out all the kinks and get all users to benefit from
state encryption and hardware attestation without manually opting in,
but the long tail of kinks is just too long.

This change disables TPM-based features on Windows and Linux by default.
Node state should get auto-decrypted on update, and old attestation keys
will be removed.

There's also tailscaled-on-macOS, but it won't have a TPM or Keychain
bindings anyway.

Updates #18302
Updates #15830

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 week ago
Andrew Lytvynov 2e77b75e96
ipn/ipnlocal: don't fail profile unmarshal due to attestation keys (#18335)
Soft-fail on initial unmarshal and try again, ignoring the
AttestationKey. This helps in cases where something about the
attestation key storage (usually a TPM) is messed up. The old key will
be lost, but at least the node can start again.

Updates #18302
Updates #15830

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 week ago
James Tucker 39a61888b8 ssh/tailssh: send audit messages on SSH login (Linux)
Send LOGIN audit messages to the kernel audit subsystem on Linux
when users successfully authenticate to Tailscale SSH. This provides
administrators with audit trail integration via auditd or journald,
recording details about both the Tailscale user (whois) and the
mapped local user account.

The implementation uses raw netlink sockets to send AUDIT_USER_LOGIN
messages to the kernel audit subsystem. It requires CAP_AUDIT_WRITE
capability, which is checked at runtime. If the capability is not
present, audit logging is silently skipped.

Audit messages are sent to the kernel (pid 0) and consumed by either
auditd (written to /var/log/audit/audit.log) or journald (available
via journalctl _TRANSPORT=audit), depending on system configuration.

Note: This may result in duplicate messages on a system where
auditd/journald audit logs are enabled and the system has and supports
`login -h`. Sadly Linux login code paths are still an inconsistent wild
west so we accept the potential duplication rather than trying to avoid
it.

Fixes #18332

Signed-off-by: James Tucker <james@tailscale.com>
1 week ago
Vince Liem b7081522e7
scripts/installer.sh: add ultramarine to supported OS list
1 week ago
Raj Singh d451cd54a7
cmd/derper: add --acme-email flag for GCP cert mode (#18278)
GCP Certificate Manager requires an email contact on ACME accounts.
Add --acme-email flag that is required for --certmode=gcp and
optional for --certmode=letsencrypt.

Fixes #18277

Signed-off-by: Raj Singh <raj@tailscale.com>
3 weeks ago
Nick Khyl 2917ea8d0e ipn/ipnauth, safesocket: defer named pipe client's token retrieval until ipnserver needs it
An error returned by net.Listener.Accept() causes the owning http.Server to shut down.
With the deprecation of net.Error.Temporary(), there's no way for the http.Server to test
whether the returned error is temporary / retryable or not (see golang/go#66252).

Because of that, errors returned by (*safesocket.winIOPipeListener).Accept() cause the LocalAPI
server (aka ipnserver.Server) to shut down, and tailscaled process to exit.

While this might be acceptable in the case of non-recoverable errors, such as programmer errors,
we shouldn't shut down the entire tailscaled process for client- or connection-specific errors,
such as when we couldn't obtain the client's access token because the client attempts to connect
at the Anonymous impersonation level. Instead, the LocalAPI server should gracefully handle
these errors by denying access and returning a 401 Unauthorized to the client.

In tailscale/tscert#15, we fixed a known bug where Caddy and other apps using tscert would attempt
to connect at the Anonymous impersonation level and fail. However, we should also fix this on the tailscaled
side to prevent a potential DoS, where a local app could deliberately open the Tailscale LocalAPI named pipe
at the Anonymous impersonation level and cause tailscaled to exit.

In this PR, we defer token retrieval until (*WindowsClientConn).Token() is called and propagate the returned token
or error via ipnauth.GetConnIdentity() to ipnserver, which handles it the same way as other ipnauth-related errors.

Fixes #18212
Fixes tailscale/tscert#13

Signed-off-by: Nick Khyl <nickk@tailscale.com>
3 weeks ago
Alex Chan 9c3a420e15 cmd/tailscale/cli: document why there's no --force-reauth on login
Change-Id: Ied799fefbbb4612c7ba57b8369a418b7704eebf8
Updates #18273
Signed-off-by: Alex Chan <alexc@tailscale.com>
3 weeks ago
Alex Valiushko ee59470270
net/udprelay: remove tailscaled_peer_relay_endpoints_total (#18254)
This gauge will be reworked to include endpoint state in future.

Updates tailscale/corp#30820

Change-Id: I66f349d89422b46eec4ecbaf1a99ad656c7301f9

Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
4 weeks ago
Irbe Krumina 90b4358113
cmd/k8s-operator,ipn/ipnlocal: allow opting out of ACME order replace extension (#18252)
In dynamically changing environments where ACME account keys and certs
are stored separately, it can happen that the account key would get
deleted (and recreated) between issuances. If that is the case,
we currently fail renewals and the only way to recover is for users
to delete certs.
This adds a config knob to allow opting out of the replaces extension
and utilizes it in the Kubernetes operator where there are known
user workflows that could end up with this edge case.

Updates #18251

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
4 weeks ago
Alex Valiushko c40f352103
net/udprelay: expose peer relay metrics (#18218)
Adding both user and client metrics for peer relay forwarded bytes and
packets, and the total endpoints gauge.

User metrics:
tailscaled_peer_relay_forwarded_packets_total{transport_in, transport_out}
tailscaled_peer_relay_forwarded_bytes_total{transport_in, transport_out}
tailscaled_peer_relay_endpoints_total{}

Where the transport labels can be of "udp4" or "udp6".

Client metrics:
udprelay_forwarded_(packets|bytes)_udp(4|6)_udp(4|6)
udprelay_endpoints

RELNOTE: Expose tailscaled metrics for peer relay.

Updates tailscale/corp#30820

Change-Id: I1a905d15bdc5ee84e28017e0b93210e2d9660259

Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
4 weeks ago
Tom Proctor bb3529fcd4
cmd/containerboot: support egress to Tailscale Service FQDNs (#17493)
Adds support for targeting FQDNs that are a Tailscale Service. Uses the
same method of searching for Services as the tailscale configure
kubeconfig command. This fixes using the tailscale.com/tailnet-fqdn
annotation for Kubernetes Service when the specified FQDN is a Tailscale
Service.

Fixes #16534

Change-Id: I422795de76dc83ae30e7e757bc4fbd8eec21cc64

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Signed-off-by: Becky Pauley <becky@tailscale.com>
4 weeks ago
Tom Proctor eed5e95e27 docs: use -x for cherry-picks
Updates #cleanup

Change-Id: I5222e23b716b342d7c6d113fc539d2021024348e
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
4 weeks ago
Irbe Krumina b73fb467e4
ipn/ipnlocal: log cert renewal failures (#18246)
Updates #cleanup

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
4 weeks ago
Brendan Creane e4847fa77b
go.toolchain.rev: update to Go 1.25.5 (#18123)
Updates #18122

Signed-off-by: Brendan Creane <bcreane@gmail.com>
4 weeks ago
Andrew Lytvynov ce7e1dea45
types/persist: omit Persist.AttestationKey based on IsZero (#18241)
IsZero is required by the interface, so we should use that before trying
to serialize the key.

Updates #35412

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
4 weeks ago
Tom Meadows b21cba0921
cmd/k8s-operator: fixes helm template for oauth secret volume mount (#18230)
Fixes #18228

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
4 weeks ago
Andrew Dunham 323604b76c net/dns/resolver: log source IP of forwarded queries
When the TS_DEBUG_DNS_FORWARD_SEND envknob is turned on, also log the
source IP:port of the query that tailscaled is forwarding.

Updates tailscale/corp#35374

Signed-off-by: Andrew Dunham <andrew@tailscale.com>
4 weeks ago