tailscale

Commit Graph

Author	SHA1	Message	Date
Irbe Krumina	6953dbcd8f	cmd/k8s-operator,ipn/conf.go: fix --accept-routes for proxies (#11454 ) Fix a bug where all proxies got configured with --accept-routes set to true. The bug was introduced in https://github.com/tailscale/tailscale/pull/11238. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Anton Tolchanov	f12d2557f9	prober: add a DERP bandwidth probe Updates tailscale/corp#17912 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Percy Wegmann	e496451928	ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	6c160e6321	ipn,tailfs: tie TailFS share configuration to user profile Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	16ae0f65c0	cmd/viewer: import views when generating byteSliceField Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Andrew Dunham	34176432d6	cmd/derper, types/logger: move log filter to shared package So we can use it in trunkd to quiet down the logs there. Updates #5563 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie3177dc33f5ad103db832aab5a3e0e4f128f973f	3 months ago
Sonia Appasamy	c58c59ee54	{ipn,cmd/tailscale/cli}: move ServeConfig mutation logic to ipn/serve Moving logic that manipulates a ServeConfig into recievers on the ServeConfig in the ipn package. This is setup work to allow the web client and cli to both utilize these shared functions to edit the serve config. Any logic specific to flag parsing or validation is left untouched in the cli command. The web client will similarly manage its validation of user's requested changes. If validation logic becomes similar-enough, we can make a serve util for shared functionality, which likely does not make sense in ipn. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Sonia Appasamy	65c3c690cf	{ipn/serve,cmd/tailscale/cli}: move some shared funcs to ipn In preparation for changes to allow configuration of serve/funnel from the web client, this commit moves some functionality that will be shared between the CLI and web client to the ipn package's serve.go file, where some other util funcs are already defined. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	3 months ago
Percy Wegmann	e324a5660f	ipn: include full tailfs shares in ipn notifications This allows the Mac application to regain access to restricted folders after restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	69f4b4595a	wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine This adds a method to wgengine.Engine and plumbed down into magicsock to add a way to get a type-safe Tailscale-safe wrapper around a wireguard-go device.Peer that only exposes methods that are safe for Tailscale to use internally. It also removes HandshakeAttempts from PeerStatusLite that was just added as it wasn't needed yet and is now accessible ala cart as needed from the Peer type accessor. None of this is used yet. Updates #7617 Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Irbe Krumina	95dcc1745b	cmd/k8s-operator: reconcile tailscale Ingresses when their backend Services change. (#11255 ) This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator. Updates tailscale/tailscale#11251 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>	3 months ago
Irbe Krumina	303125d96d	cmd/k8s-operator: configure all proxies with declarative config (#11238 ) Containerboot container created for operator's ingress and egress proxies are now always configured by passing a configfile to tailscaled (tailscaled --config <configfile-path>. It does not run 'tailscale set' or 'tailscale up'. Upgrading existing setups to this version as well as downgrading existing setups at this version works. Updates tailscale/tailscale#10869 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	45d27fafd6	cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (#11246 ) Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale/tailscale#11023 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Anton Tolchanov	8cc5c51888	health: warn about reverse path filtering and exit nodes When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs. Example in `tailscale status`: ``` - not connected to home DERP region 22 - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Example in the logs: ``` 2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	3 months ago
Nick Khyl	7ef1fb113d	cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes #11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 months ago
Percy Wegmann	50fb8b9123	tailfs: replace webdavfs with reverse proxies Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	e1bd7488d0	all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
James Tucker	0c5e65eb3f	cmd/derper: apply TCP keepalive and timeout to TLS as well I missed a case in the earlier patch, and so we're still sending 15s TCP keepalive for TLS connections, now adjusted there too. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Andrea Gottardo	c8c999d7a9	cli/debug: rename DERP debug mode (#11220 ) Renames a debug flag in the CLI. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	3 months ago
Percy Wegmann	15b2c674bf	cmd/tailscale: add node attribute instructions to share command help This adds details on how to configure node attributes to allow sharing and accessing shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
James Tucker	edbad6d274	cmd/derper: add user timeout and reduce TCP keepalive The derper sends an in-protocol keepalive every 60-65s, so frequent TCP keepalives are unnecessary. In this tuning TCP keepalives should never occur for a DERP client connection, as they will send an L7 keepalive often enough to always reset the TCP keepalive timer. If however a connection does not receive an ACK promptly it will now be shutdown, which happens sooner than it would with a normal TCP keepalive tuning. This re-tuning reduces the frequency of network traffic from derp to client, reducing battery cost. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Brad Fitzpatrick	10d130b845	cmd/derper, derp, tailcfg: add admission controller URL option So derpers can check an external URL for whether to permit access to a certain public key. Updates tailscale/corp#17693 Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Paul Scott	7708ab68c0	cmd/tailscale/cli: pass "-o 'CanonicalizeHostname no'" to ssh Fixes #10348 Signed-off-by: Paul Scott <paul@tailscale.com>	3 months ago
Percy Wegmann	91a1019ee2	cmd/testwrapper: apply results of all unit tests to coverage for all packages This allows coverage from tests that hit multiple packages at once to be reflected in all those packages' coverage. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Will Norris	6b582cb8b6	cmd/tailscale: support clickable IPv6 web client addresses Instead of constructing the `ip:port` string ourselves, use netip.AddrPortFrom which handles IPv6 correctly. Updates #11164 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Will Norris	24487815e1	cmd/tailscale: make web client URL clickable Updates #11151 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Andrew Dunham	52f16b5d10	doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check Updates #11137 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8	4 months ago
Brad Fitzpatrick	61a1644c2a	go.mod, all: move away from inet.af domain seized by Taliban Updates inetaf/tcpproxy#39 Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Irbe Krumina	5bd19fd3e3	cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074 ) * cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Percy Wegmann	d0ef3a25df	cmd/tailscale: hide share subcommand Fixes #1115 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	55b372a79f	tailscaled: revert to using pointers for subcommands As part of #10631, we stopped using function pointers for subcommands, preventing us from registering platform-specific installSystemDaemon and uninstallSystemDaemon subcommands. Fixes #11099 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	87154a2f88	tailfs: fix startup issues on windows Starts TailFS for Windows too, initializes shares on startup. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
James Tucker	24bac27632	util/rands: add Shuffle and Perm functions with on-stack RNG state The new math/rand/v2 package includes an m-local global random number generator that can not be reseeded by the user, which is suitable for most uses without the RNG pools we have in a number of areas of the code base. The new API still does not have an allocation-free way of performing a seeded operations, due to the long term compiler bug around interface parameter escapes, and the Source interface. This change introduces the two APIs that math/rand/v2 can not yet replace efficiently: seeded Perm() and Shuffle() operations. This implementation chooses to use the PCG random source from math/rand/v2, as with sufficient compiler optimization, this source should boil down to only two on-stack registers for random state under ideal conditions. Updates #17243 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Jenny Zhang	c446451bfa	cmd/gitops-pusher: only use OAuth creds if non-empty string `os.LookupEnv` may return true if the variable is present in the environment but an empty string. We should only attempt to set OAuth Config if thsoe values are non-empty. Updates gitops-acl-action#33 Signed-off-by: Jenny Zhang <jz@tailscale.com>	4 months ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Joe Tsai	94a4f701c2	all: use reflect.TypeFor now available in Go 1.22 (#11078 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Charlotte Brandhorst-Satzkorn	0f042b9814	cmd/tailscale/cli: fix exit node status output (#11076 ) This change fixes the format of tailscale status output when location based exit nodes are present. Fixes #11065 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	4 months ago
Sonia Appasamy	1217f655c0	cmd/dist: update logs for synology builds Update logs for synology builds to more clearly callout which variant is being built. The two existing variants are: 1. Sideloaded (can be manual installed on a device by anyone) 2. Package center distribution (by the tailscale team) Updates #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	4 months ago
Will Norris	128c99d4ae	client/web: add new readonly mode The new read-only mode is only accessible when running `tailscale web` by passing a new `-readonly` flag. This new mode is identical to the existing login mode with two exceptions: - the management client in tailscaled is not started (though if it is already running, it is left alone) - the client does not prompt the user to login or switch to the management client. Instead, a message is shown instructing the user to use other means to manage the device. Updates #10979 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Irbe Krumina	a6cc2fdc3e	cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (#11036 ) * cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy. If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s). In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true and the node is Kubernetes operator ingress proxy configured via Ingress, make sure that traffic from within the cluster can be proxied to the ingress target. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Andrew Lytvynov	db3776d5bf	go.toolchain.rev: bump to Go 1.22.0 (#11055 ) Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
Chris Palmer	a633a30711	cmd/hello: link to the Hello KB article (#11022 ) Fixes https://github.com/tailscale/corp/issues/17104 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	4 months ago
Chris Palmer	9744ad47e3	cmd/hello: avoid deprecated apis (#10957 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	4 months ago
Will Norris	13f8a669d5	cmd/gitops-pusher: fix logic for checking credentials gitops-pusher supports authenticating with an API key or OAuth credentials (added in #7393). You shouldn't ever use both of those together, so we error if both are set. In tailscale/gitops-acl-action#24, OAuth support is being added to the GitHub action. In that environment, both the TS_API_KEY and OAuth variables will be set, even if they are empty values. This causes an error in gitops-pusher which expects only one to be set. Update gitops-pusher to check that only one set of environment variables are non-empty, rather than just checking if they are set. Updates #7393 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Andrew Lytvynov	fbfc3b7e51	cmd/tailscale/cli: run Watch with NotifyNoPrivateKeys (#10950 ) When running as non-root non-operator user, you get this error: ``` $ tailscale serve 8080 Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root. ``` It should fail, but the error message is confusing. With this fix: ``` $ tailscale serve 8080 sending serve config: Access denied: serve config denied Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root. ``` Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
Irbe Krumina	370ec6b46b	cmd/k8s-operator: don't proceed with Ingress that has no valid backends (#10919 ) Do not provision resources for a tailscale Ingress that has no valid backends. Updates tailscale/tailscale#10910 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
James Tucker	7e3bcd297e	go.mod,wgengine/netstack: bump gvisor Updates #8043 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
James Tucker	457102d070	go.mod: bump most deps for start of cycle Plan9 CI is disabled. 3p dependencies do not build for the target. Contributor enthusiasm appears to have ceased again, and no usage has been made. Skipped gvisor, nfpm, and k8s. Updates #5794 Updates #8043 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago

1 2 3 4 5 ...

1697 Commits (2827330c6adacd9a67940621b5f05b589527c550)