tailscale

Commit Graph

Author	SHA1	Message	Date
dependabot[bot]	23b528bb79	Merge `6d9d93bfc4` into `5db95ec376`	3 days ago
Patrick O'Doherty	5db95ec376	go.mod: bump github.com/containerd/containerd@v1.7.29 (#18374 ) Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	3 days ago
Harry Harpham	3c1be083a4	tsnet: ensure funnel listener cleans up after itself when closed Previously the funnel listener would leave artifacts in the serve config. This caused weird out-of-sync effects like the admin panel showing that funnel was enabled for a node, but the node rejecting packets because the listener was closed. This change resolves these synchronization issues by ensuring that funnel listeners clean up the serve config when closed. See also: `e109cf9fdd` Updates #cleanup Signed-off-by: Harry Harpham <harry@tailscale.com>	3 days ago
Harry Harpham	f9762064cf	tsnet: reset serve config only once Prior to this change, we were resetting the tsnet's serve config every time tsnet.Server.Up was run. This is important to do on startup, to prevent messy interactions with stale configuration when the code has changed. However, Up is frequently run as a just-in-case step (for example, by Server.ListenTLS/ListenFunnel and possibly by consumers of tsnet). When the serve config is reset on each of these calls to Up, this creates situations in which the serve config disappears unexpectedly. The solution is to reset the serve config only on the first call to Up. Fixes #8800 Updates tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com>	3 days ago
Jordan Whited	5f34f14e14	net/udprelay: apply netns Control func to server socket(s) To prevent peer relay servers from sending packets over Tailscale. Updates tailscale/corp#35651 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 days ago
Mario Minardi	4c37141ab7	cmd,internal,feature: add workload idenity support to gitops pusher Add support for authenticating the gitops-pusher using workload identity federation. Updates https://github.com/tailscale/corp/issues/34172 Signed-off-by: Mario Minardi <mario@tailscale.com>	4 days ago
Simon Law	3e45e5b420	feature/featuretags: make QR codes modular (#18358 ) QR codes are used by `tailscale up --qr` to provide an easy way to open a web-page without transcribing a difficult URI. However, there’s no need for this feature if the client will never be called interactively. So this PR adds the `ts_omit_qrcodes` build tag. Updates #18182 Signed-off-by: Simon Law <sfllaw@tailscale.com>	4 days ago
Andrew Dunham	6aac87a84c	net/portmapper, go.mod: unfork our goupnp dependency Updates #7436 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	4 days ago
Tom Proctor	5019dc8eb2	go.mod: bump mkctr dep (#18365 ) Brings in tailscale/mkctr#29. Updates tailscale/corp#32085 Change-Id: I90160ed1cdc47118ac8fd0712d63a7b590e739d3 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 days ago
Tom Proctor	5be02ee6f8	cmd/k8s-operator/e2e,go.mod: remove client v2 dependency It's not worth adding the v2 client just for these e2e tests. Remove that dependency for now to keep a clear separation, but we should revive the v2 client version if we ever decide to take that dependency for the tailscale/tailscale repo as a whole. Updates tailscale/corp#32085 Change-Id: Ic51ce233d5f14ce2d25f31a6c4bb9cf545057dd0 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 days ago
Tom Proctor	73cb3b491e	cmd/k8s-operator/e2e: run self-contained e2e tests with devcontrol (#17415 ) * cmd/k8s-operator/e2e: run self-contained e2e tests with devcontrol Adds orchestration for more of the e2e testing setup requirements to make it easier to run them in CI, but also run them locally in a way that's consistent with CI. Requires running devcontrol, but otherwise supports creating all the scaffolding required to exercise the operator and proxies. Updates tailscale/corp#32085 Change-Id: Ia7bff38af3801fd141ad17452aa5a68b7e724ca6 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> * cmd/k8s-operator/e2e: being more specific on tmp dir cleanup Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>	4 days ago
Simon Law	522a6e385e	cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles (#18182 ) Raw Linux consoles support UTF-8, but we cannot assume that all UTF-8 characters are available. The default Fixed and Terminus fonts don’t contain half-block characters (`▀` and `▄`), but do contain the full-block character (`█`). Sometimes, Linux doesn’t have a framebuffer, so it falls back to VGA. When this happens, the full-block character could be anywhere in extended ASCII block, because we don’t know which code page is active. This PR introduces `--qr-format=auto` which tries to heuristically detect when Tailscale is printing to a raw Linux console, whether UTF-8 is enabled, and which block characters have been mapped in the console font. If Unicode characters are unavailable, the new `--qr-format=ascii` formatter uses `#` characters instead of full-block characters. Fixes #12935 Signed-off-by: Simon Law <sfllaw@tailscale.com>	4 days ago
Raj Singh	e66531041b	cmd/containerboot: add OAuth and WIF auth support (#18311 ) Fixes tailscale/corp#34430 Signed-off-by: Raj Singh <raj@tailscale.com>	5 days ago
Andrew Lytvynov	6c67deff38	cmd/distsign: add CLI for verifying package signatures (#18239 ) Updates #35374 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 days ago
Naman Sood	480ee9fec0	ipn,cmd/tailscale/cli: set correct SNI name for TLS-terminated TCP Services (#17752 ) Fixes #17749. Signed-off-by: Naman Sood <mail@nsood.in>	5 days ago
Alex Valiushko	4c3cf8bb11	wgengine/magicsock: extract IMDS utilities into a standalone package (#18334 ) Moves magicksock.cloudInfo into util/cloudinfo with minimal changes. Updates #17796 Change-Id: I83f32473b9180074d5cdbf00fa31e5b3f579f189 Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>	5 days ago
Mario Minardi	a662c541ab	.github/workflows: bump create-pull-request to 8.0.0 Bump peter-evans/create-pull-request to 8.0.0 to ensure compatibility with actions/checkout 6.x. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	6 days ago
dependabot[bot]	9a6282b515	.github: Bump actions/checkout from 4.2.2 to 5.0.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`11bd71901b...08c6903cd8`) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	6 days ago
Harry Harpham	7de1b0b330	cmd/tailscale/cli: remove Services-specific subcommands from funnel (#18225 ) The funnel command is sort of an alias for the serve command. This means that the subcommands added to serve to support Services appear as subcommands for funnel as well, despite having no meaning for funnel. This change removes all such Services-specific subcommands from funnel. Fixes tailscale/corp#34167 Signed-off-by: Harry Harpham <harry@tailscale.com>	6 days ago
Irbe Krumina	8ea90ba80d	cmd/tailscaled,ipn/{ipnlocal,store/kubestore}: don't create attestation keys for stores that are not bound to a node (#18322 ) Ensure that hardware attestation keys are not added to tailscaled state stores that are Kubernetes Secrets or AWS SSM as those Tailscale devices should be able to be recreated on different nodes, for example, when moving Pods between nodes. Updates tailscale/tailscale#18302 Signed-off-by: Irbe Krumina <irbekrm@gmail.com>	6 days ago
Andrew Lytvynov	68617bb82e	cmd/tailscaled: disable state encryption / attestation by default (#18336 ) TPM-based features have been incredibly painful due to the heterogeneous devices in the wild, and many situations in which the TPM "changes" (is reset or replaced). All of this leads to a lot of customer issues. We hoped to iron out all the kinks and get all users to benefit from state encryption and hardware attestation without manually opting in, but the long tail of kinks is just too long. This change disables TPM-based features on Windows and Linux by default. Node state should get auto-decrypted on update, and old attestation keys will be removed. There's also tailscaled-on-macOS, but it won't have a TPM or Keychain bindings anyway. Updates #18302 Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 days ago
Andrew Lytvynov	2e77b75e96	ipn/ipnlocal: don't fail profile unmarshal due to attestation keys (#18335 ) Soft-fail on initial unmarshal and try again, ignoring the AttestationKey. This helps in cases where something about the attestation key storage (usually a TPM) is messed up. The old key will be lost, but at least the node can start again. Updates #18302 Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 days ago
James Tucker	39a61888b8	ssh/tailssh: send audit messages on SSH login (Linux) Send LOGIN audit messages to the kernel audit subsystem on Linux when users successfully authenticate to Tailscale SSH. This provides administrators with audit trail integration via auditd or journald, recording details about both the Tailscale user (whois) and the mapped local user account. The implementation uses raw netlink sockets to send AUDIT_USER_LOGIN messages to the kernel audit subsystem. It requires CAP_AUDIT_WRITE capability, which is checked at runtime. If the capability is not present, audit logging is silently skipped. Audit messages are sent to the kernel (pid 0) and consumed by either auditd (written to /var/log/audit/audit.log) or journald (available via journalctl _TRANSPORT=audit), depending on system configuration. Note: This may result in duplicate messages on a system where auditd/journald audit logs are enabled and the system has and supports `login -h`. Sadly Linux login code paths are still an inconsistent wild west so we accept the potential duplication rather than trying to avoid it. Fixes #18332 Signed-off-by: James Tucker <james@tailscale.com>	6 days ago
Vince Liem	b7081522e7	scripts/installer.sh: add ultramarine to supported OS list	7 days ago
Raj Singh	d451cd54a7	cmd/derper: add --acme-email flag for GCP cert mode (#18278 ) GCP Certificate Manager requires an email contact on ACME accounts. Add --acme-email flag that is required for --certmode=gcp and optional for --certmode=letsencrypt. Fixes #18277 Signed-off-by: Raj Singh <raj@tailscale.com>	3 weeks ago
Nick Khyl	2917ea8d0e	ipn/ipnauth, safesocket: defer named pipe client's token retrieval until ipnserver needs it An error returned by net.Listener.Accept() causes the owning http.Server to shut down. With the deprecation of net.Error.Temporary(), there's no way for the http.Server to test whether the returned error is temporary / retryable or not (see golang/go#66252). Because of that, errors returned by (safesocket.winIOPipeListener).Accept() cause the LocalAPI server (aka ipnserver.Server) to shut down, and tailscaled process to exit. While this might be acceptable in the case of non-recoverable errors, such as programmer errors, we shouldn't shut down the entire tailscaled process for client- or connection-specific errors, such as when we couldn't obtain the client's access token because the client attempts to connect at the Anonymous impersonation level. Instead, the LocalAPI server should gracefully handle these errors by denying access and returning a 401 Unauthorized to the client. In tailscale/tscert#15, we fixed a known bug where Caddy and other apps using tscert would attempt to connect at the Anonymous impersonation level and fail. However, we should also fix this on the tailscaled side to prevent a potential DoS, where a local app could deliberately open the Tailscale LocalAPI named pipe at the Anonymous impersonation level and cause tailscaled to exit. In this PR, we defer token retrieval until (WindowsClientConn).Token() is called and propagate the returned token or error via ipnauth.GetConnIdentity() to ipnserver, which handles it the same way as other ipnauth-related errors. Fixes #18212 Fixes tailscale/tscert#13 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 weeks ago
Alex Chan	9c3a420e15	cmd/tailscale/cli: document why there's no --force-reauth on login Change-Id: Ied799fefbbb4612c7ba57b8369a418b7704eebf8 Updates #18273 Signed-off-by: Alex Chan <alexc@tailscale.com>	3 weeks ago
Alex Valiushko	ee59470270	net/udprelay: remove tailscaled_peer_relay_endpoints_total (#18254 ) This gauge will be reworked to include endpoint state in future. Updates tailscale/corp#30820 Change-Id: I66f349d89422b46eec4ecbaf1a99ad656c7301f9 Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>	3 weeks ago
Irbe Krumina	90b4358113	cmd/k8s-operator,ipn/ipnlocal: allow opting out of ACME order replace extension (#18252 ) In dynamically changing environments where ACME account keys and certs are stored separately, it can happen that the account key would get deleted (and recreated) between issuances. If that is the case, we currently fail renewals and the only way to recover is for users to delete certs. This adds a config knob to allow opting out of the replaces extension and utilizes it in the Kubernetes operator where there are known user workflows that could end up with this edge case. Updates #18251 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Alex Valiushko	c40f352103	net/udprelay: expose peer relay metrics (#18218 ) Adding both user and client metrics for peer relay forwarded bytes and packets, and the total endpoints gauge. User metrics: tailscaled_peer_relay_forwarded_packets_total{transport_in, transport_out} tailscaled_peer_relay_forwarded_bytes_total{transport_in, transport_out} tailscaled_peer_relay_endpoints_total{} Where the transport labels can be of "udp4" or "udp6". Client metrics: udprelay_forwarded_(packets\|bytes)_udp(4\|6)_udp(4\|6) udprelay_endpoints RELNOTE: Expose tailscaled metrics for peer relay. Updates tailscale/corp#30820 Change-Id: I1a905d15bdc5ee84e28017e0b93210e2d9660259 Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>	3 weeks ago
Tom Proctor	bb3529fcd4	cmd/containerboot: support egress to Tailscale Service FQDNs (#17493 ) Adds support for targeting FQDNs that are a Tailscale Service. Uses the same method of searching for Services as the tailscale configure kubeconfig command. This fixes using the tailscale.com/tailnet-fqdn annotation for Kubernetes Service when the specified FQDN is a Tailscale Service. Fixes #16534 Change-Id: I422795de76dc83ae30e7e757bc4fbd8eec21cc64 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: Becky Pauley <becky@tailscale.com>	4 weeks ago
Tom Proctor	eed5e95e27	docs: use -x for cherry-picks Updates #cleanup Change-Id: I5222e23b716b342d7c6d113fc539d2021024348e Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 weeks ago
Irbe Krumina	b73fb467e4	ipn/ipnlocal: log cert renewal failures (#18246 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Brendan Creane	e4847fa77b	go.toolchain.rev: update to Go 1.25.5 (#18123 ) Updates #18122 Signed-off-by: Brendan Creane <bcreane@gmail.com>	4 weeks ago
Andrew Lytvynov	ce7e1dea45	types/persist: omit Persist.AttestationKey based on IsZero (#18241 ) IsZero is required by the interface, so we should use that before trying to serialize the key. Updates #35412 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 weeks ago
Tom Meadows	b21cba0921	cmd/k8s-operator: fixes helm template for oauth secret volume mount (#18230 ) Fixes #18228 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	4 weeks ago
Andrew Dunham	323604b76c	net/dns/resolver: log source IP of forwarded queries When the TS_DEBUG_DNS_FORWARD_SEND envknob is turned on, also log the source IP:port of the query that tailscaled is forwarding. Updates tailscale/corp#35374 Signed-off-by: Andrew Dunham <andrew@tailscale.com>	4 weeks ago
Jonathan Nobels	3e89068792	net/netmon, wgengine/userspace: purge ChangeDelta.Major and address TODOs (#17823 ) updates tailscale/corp#33891 Addresses several older the TODO's in netmon. This removes the Major flag precomputes the ChangeDelta state, rather than making consumers of ChangeDeltas sort that out themselves. We're also seeing a lot of ChangeDelta's being flagged as "Major" when they are not interesting, triggering rebinds in wgengine that are not needed. This cleans that up and adds a host of additional tests. The dependencies are cleaned, notably removing dependency on netmon itself for calculating what is interesting, and what is not. This includes letting individual platforms set a bespoke global "IsInterestingInterface" function. This is only used on Darwin. RebindRequired now roughly follows how "Major" was historically calculated but includes some additional checks for various uninteresting events such as changes in interface addresses that shouldn't trigger a rebind. This significantly reduces thrashing (by roughly half on Darwin clients which switching between nics). The individual values that we roll into RebindRequired are also exposed so that components consuming netmap.ChangeDelta can ask more targeted questions. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	4 weeks ago
Will Norris	0fd1670a59	client/local: add method to set gauge metric to a value The existing client metric methods only support incrementing (or decrementing) a delta value. This new method allows setting the metric to a specific value. Updates tailscale/corp#35327 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	4 weeks ago
stratself	f174ecb6fd	words: 33 tails and 26 scales (#18213 ) Updates #words Signed-off-by: stratself <126093083+stratself@users.noreply.github.com>	4 weeks ago
Jordan Whited	a663639bea	net/udprelay: replace map+sync.Mutex with sync.Map for VNI lookup This commit also introduces a sync.Mutex for guarding mutatable fields on serverEndpoint, now that it is no longer guarded by the sync.Mutex in Server. These changes reduce lock contention and by effect increase aggregate throughput under high flow count load. A benchmark on Linux with AWS c8gn instances showed a ~30% increase in aggregate throughput (37Gb/s vs 28Gb/s) for 12 tailscaled flows. Updates tailscale/corp#35264 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 weeks ago
Will Norris	951d711054	client/systray: add missing deferred unlock for httpCache mutex Updates #cleanup Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	4 weeks ago
Tom Proctor	d0d993f5d6	.github,cmd/cigocacher: add flags --version --stats --cigocached-host Add flags: * --cigocached-host to support alternative host resolution in other environments, like the corp repo. * --stats to reduce the amount of bash script we need. * --version to support a caching tool/cigocacher script that will download from GitHub releases. Updates tailscale/corp#10808 Change-Id: Ib2447bc5f79058669a70f2c49cef6aedd7afc049 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 weeks ago
Tom Meadows	d7a5624841	cmd/k8s-operator: fix statefulset template yaml indentation (#18194 ) Fixes #17000 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	4 weeks ago
Irbe Krumina	cb5fa35f57	.github/workfkows,Dockerfile,Dockerfile.base: add a test for base image (#18180 ) Test that the base image builds and has the right iptables binary linked. Updates #17854 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
James 'zofrex' Sanderson	3ef9787379	tsweb: add Unwrap to loggingResponseWriter for ResponseController (#18195 ) The new http.ResponseController type added in Go 1.20: https://go.dev/doc/go1.20#http_responsecontroller requires ResponseWriters that are wrapping the original passed to ServeHTTP to implement an Unwrap method: https://pkg.go.dev/net/http#NewResponseController With this in place, it is possible to call methods such as Flush and SetReadDeadline on a loggingResponseWriter without needing to implement them there ourselves. Updates tailscale/corp#34763 Updates tailscale/corp#34813 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	1 month ago
Raj Singh	65182f2119	ipn/ipnlocal: add ProxyProtocol support to VIP service TCP handler (#18175 ) tcpHandlerForVIPService was missing ProxyProtocol support that tcpHandlerForServe already had. Extract the shared logic into forwardTCPWithProxyProtocol helper and use it in both handlers. Fixes #18172 Signed-off-by: Raj Singh <raj@tailscale.com>	1 month ago
Joe Tsai	9613b4eecc	logtail: add metrics (#18184 ) Add metrics about logtail uploading and underlying buffer. Add metrics to the in-memory buffer implementation. Updates tailscale/corp#21363 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 month ago
Brad Fitzpatrick	0df4631308	ipn/ipnlocal: avoid ResetAndStop panic Updates #18187 Change-Id: If7375efb7df0452a5e85b742fc4c4eecbbd62717 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Simon Law	6ace3995f0	portlist: skip tests on Linux 6.14.x with /proc/net/tcp bug (#18185 ) PR #18033 skipped tests for the versions of Linux 6.6 and 6.12 that had a regression in /proc/net/tcp that causes seek operations to fail with “illegal seek”. This PR skips tests for Linux 6.14.0, which is the default Ubuntu kernel, that also contains this regression. Updates #16966 Signed-off-by: Simon Law <sfllaw@tailscale.com>	1 month ago

1 2 3 4 5 ...

10044 Commits (23b528bb79cd7619c030208ff0928af9a3d8d273) All Branches Search

10044 Commits (23b528bb79cd7619c030208ff0928af9a3d8d273)

All Branches