tailscale

Commit Graph

Author	SHA1	Message	Date
Will Norris	9b537f7c97	ipn: remove the preview-webclient node capability Now that 1.54 has released, and the new web client will be included in 1.56, we can remove the need for the node capability. This means that all 1.55 unstable builds, and then eventually the 1.56 build, will work without setting the node capability. The web client still requires the "webclient" user pref, so this does NOT mean that the web client will be on by default for all devices. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Will Norris	303a1e86f5	cmd/tailscale: expose --webclient for all builds This removes the dev/unstable build check for the --webclient flag on `tailscale set`, so that it will be included in the next major stable release (1.56) Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Andrew Dunham	e33bc64cff	net/dnsfallback: add singleflight to recursive resolver This prevents running more than one recursive resolution for the same hostname in parallel, which can use excessive amounts of CPU when called in a tight loop. Additionally, add tests that hit the network (when run with a flag) to test the lookup behaviour. Updates tailscale/corp#15261 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I39351e1d2a8782dd4c52cb04b3bd982eb651c81e	7 months ago
Sonia Appasamy	bb31912ea5	cmd/cli: remove --webclient flag from up Causing issues building a stable release. Getting rid of the flag for now because it was only available in unstable, can still be turned on through localapi. A #cleanup Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Andrew Lytvynov	c3f1bd4c0a	clientupdate: fix auto-update on Windows over RDP (#10242 ) `winutil.WTSGetActiveConsoleSessionId` only works for physical desktop logins and does not return the session ID for RDP logins. We need to `windows.WTSEnumerateSessions` and find the active session. Fixes https://github.com/tailscale/corp/issues/15772 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Tom DNetto	90a0aafdca	cmd/tailscale: warn if app-connector is enabled without ip forwarding Fixes: ENG-2446 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Naman Sood	e57fd9cda4	ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188 ) * ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * depaware Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	8 months ago
Andrew Lytvynov	55cd5c575b	ipn/localapi: only perform local-admin check in serveServeConfig (#10163 ) On unix systems, the check involves executing sudo, which is slow. Instead of doing it for every incoming request, move the logic into localapi serveServeConfig handler and do it as needed. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Andrew Lytvynov	1fc1077052	ssh/tailssh,util: extract new osuser package from ssh code (#10170 ) This package is a wrapper for os/user that handles non-cgo builds, gokrazy and user shells. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Will Norris	fdbe511c41	cmd/tailscale: add -webclient flag to up and set Initially, only expose this flag on dev and unstable builds. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	942d720a16	cli/web: don't block startup on status req If the status request to check for the preview node cap fails, continue with starting up the legacy client. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	7e81c83e64	cmd/tailscale: respect existing web client pref After running `tailscale web`, only disable the user pref if it was not already previously set. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	0ecfc1d5c3	client/web: fill devMode from an env var Avoids the need to pipe a web client dev flag through the tailscaled command. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	191e2ce719	client/web: add ServerMode to web.Server Adds a new Mode to the web server, indicating the specific scenario the constructed server is intended to be run in. Also starts filling this from the cli/web and ipn/ipnlocal callers. From cli/web this gets filled conditionally based on whether the preview web client node cap is set. If not set, the existing "legacy" client is served. If set, both a login/lobby and full management client are started (in "login" and "manage" modes respectively). Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
James Tucker	f27b2cf569	appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc The design changed during integration and testing, resulting in the earlier implementation growing in the appc package to be intended now only for the sniproxy implementation. That code is moved to it's final location, and the current App Connector code is now renamed. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Aaron Klotz	47019ce1f1	cmd/tailscaled: pre-load wintun.dll using a fully-qualified path In corp PR #14970 I updated the installer to set a security mitigation that always forces system32 to the front of the Windows dynamic linker's search path. Unfortunately there are other products out there that, partying like it's 1995, drop their own, older version of wintun.dll into system32. Since we look there first, we end up loading that old version. We can fix this by preloading wintun using a fully-qualified path. When wintun-go then loads wintun, the dynamic linker will hand it the module that was previously loaded by us. Fixes #10023, #10025, #10052 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Irbe Krumina	af49bcaa52	cmd/k8s-operator: set different app type for operator with proxy (#10081 ) Updates tailscale/tailscale#9222 plain k8s-operator should have hostinfo.App set to 'k8s-operator', operator with proxy should have it set to 'k8s-operator-proxy'. In proxy mode, we were setting the type after it had already been set to 'k8s-operator' Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
James Tucker	6ad54fed00	appc,ipn/ipnlocal: add App Connector domain configuration from mapcap The AppConnector is now configured by the mapcap from the control plane. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	b48b7d82d0	appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs An EmbeddedAppConnector is added that when configured observes DNS responses from the PeerAPI. If a response is found matching a configured domain, routes are advertised when necessary. The wiring from a configuration in the netmap capmap is not yet done, so while the connector can be enabled, no domains can yet be added. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
David Anderson	37863205ec	cmd/k8s-operator: strip credentials from client config in noauth mode Updates tailscale/corp#15526 Signed-off-by: David Anderson <danderson@tailscale.com>	8 months ago
Rhea Ghosh	970eb5e784	cmd/k8s-operator: sanitize connection headers (#10063 ) Fixes tailscale/corp#15526 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
James Tucker	ca4c940a4d	ipn: introduce app connector advertisement preference and flags Introduce a preference structure to store the setting for app connector advertisement. Introduce the associated flags: tailscale up --advertise-connector{=true,=false} tailscale set --advertise-connector{=true,=false} ``` % tailscale set --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale set --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true % tailscale up --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale up --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true ``` Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Irbe Krumina	c2b87fcb46	cmd/k8s-operator/deploy/chart,.github/workflows: use helm chart API v2 (#10055 ) API v1 is compatible with helm v2 and v2 is not. However, helm v2 (the Tiller deployment mechanism) was deprecated in 2020 and no-one should be using it anymore. This PR also adds a CI lint test for helm chart Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Brad Fitzpatrick	3d7fb6c21d	derp/derphttp: fix race in mesh watcher The derphttp client automatically reconnects upon failure. RunWatchConnectionLoop called derphttp.Client.WatchConnectionChanges once, but that wrapper method called the underlying derp.Client.WatchConnectionChanges exactly once on derphttp.Client's currently active connection. If there's a failure, we need to re-subscribe upon all reconnections. This removes the derphttp.Client.WatchConnectionChanges method, which was basically impossible to use correctly, and changes it to be a boolean field on derphttp.Client alongside MeshKey and IsProber. Then it moves the call to the underlying derp.Client.WatchConnectionChanges to derphttp's client connection code, so it's resubscribed on any reconnect. Some paranoia is then added to make sure people hold the API right, not calling derphttp.Client.RunWatchConnectionLoop on an already-started Client without having set the bool to true. (But still auto-setting it to true if that's the first method that's been called on that derphttp.Client, as is commonly the case, and prevents existing code from breaking) Fixes tailscale/corp#9916 Supercedes tailscale/tailscale#9719 Co-authored-by: Val <valerie@tailscale.com> Co-authored-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Brad Fitzpatrick <brad@danga.com>	8 months ago
Tom DNetto	a7c80c332a	cmd/sniproxy: implement support for control configuration, multiple addresses * Implement missing tests for sniproxy * Wire sniproxy to new appc package * Add support to tsnet for routing subnet router traffic into netstack, so it can be handled Updates: https://github.com/tailscale/corp/issues/15038 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	ed1b935238	cmd/k8s-operator: allow to install operator via helm (#9920 ) Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	9107b5eadf	cmd/tailscale/cli: use status before doing interactive feature query We were inconsistent whether we checked if the feature was already enabled which we could do cheaply using the locally available status. We would do the checks fine if we were turning on funnel, but not serve. This moves the cap checks down into enableFeatureInteractive so that are always run. Updates #9984 Co-authored-by: Tyler Smalley <tyler@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Tyler Smalley	131518eed1	cmd/tailscale/cli: improve error when bg serve config is present (#9961 ) We prevent shodow configs when starting a foreground when a background serve config already exists for the serve type and port. This PR improves the messaging to let the user know how to remove the previous config. Updates #8489 ENG-2314 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Tyler Smalley	1873bc471b	cmd/tailscale/cli: remove http flag for funnel command (#9955 ) The `--http` flag can not be used with Funnel, so we should remove it to remove confusion. Updates #8489 ENG-2316 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Marwan Sulaiman	5f3cdaf283	cmd/tailscale/cli: chage port flags to uint for serve and funnel This PR changes the -https, -http, -tcp, and -tls-terminated-tcp flags from string to int and also updates the validation to ensure they fit the uint16 size as the flag library does not have a Uint16Var method. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Marwan Sulaiman	a7e4cebb90	cmd/tailscale/cli: refactor TestServeDevConfigMutations The TestServeDevConfigMutations test has 63 steps that all run under the same scope. This tests breaks them out into isolated subtests that can be run independently. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrew Lytvynov	21b6d373b0	cmd/tailscale/cli: unhide auto-update flags and mark update as Beta (#9954 ) Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Marwan Sulaiman	f5a7551382	cmd/tailscale: fix help message for serve funnel We currently print out "run tailscale serve --help" when the subcmd might be funnel. This PR ensures the right subcmd is passed. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrew Lytvynov	d3bc575f35	cmd/tailscale/cli: set Sparkle auto-update on macsys (#9952 ) On `tailscale set --auto-update`, set the Sparkle plist option for it. Also make macsys report not supporting auto-updates over c2n, since they will be triggered by Sparkle locally. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Tyler Smalley	269a498c1e	cmd/tailscale/cli: serve --set-path should not force background mode (#9905 ) A few people have run into issues with understanding why `--set-path` started in background mode, and/or why they couldn't use a path in foreground mode. This change allows `--set-path` to be used in either case (foreground or background). updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Tyler Smalley	35d7b3aa27	cmd/tailscale/cli: updates help and background messaging (#9929 ) * Fixes issue with template string not being provided in help text * Updates background information to provide full URL, including path, to make it clear the source and destination * Restores some tests * Removes AllowFunnel in ServeConfig if no proxy exists for that port. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Marwan Sulaiman	c53ee37912	cmd/tailscale: add set-raw to the new serve funnel commands This PR adds the same set-raw from the old flow into the new one so that users can continue to use it when transitioning into the new flow. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Marwan Sulaiman	f232d4554a	cmd/tailscale: translate old serve commands to new ones This PR fixes the isLegacyInvocation to better catch serve and funnel legacy commands. In addition, it now also returns a string that translates the old command into the new one so that users can have an easier transition story. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Marwan Sulaiman	60e768fd14	cmd/tailscale: allow serve\|funnel off to delete an entire port This PR allows you to do "tailscale serve -bg -https:4545 off" and it will delete all handlers under it. It will also prompt you for a y/n in case you wanted to delete a single port. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Irbe Krumina	e9956419f6	cmd/k8s-operator: allow cleanup of cluster resources for deleted devices (#9917 ) Users should delete proxies by deleting or modifying the k8s cluster resources that they used to tell the operator to create they proxy. With this flow, the tailscale operator will delete the associated device from the control. However, in some cases users might have already deleted the device from the control manually. Updates tailscale/tailscale#9773 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Tyler Smalley	d9081d6ba2	cmd/tailscale/cli: update serve/funnel CLI help text (#9895 ) updates #8489 ENG-2308 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Adrian Dewhurst	5347e6a292	control/controlclient: support certstore without cgo We no longer build Windows releases with cgo enabled, which automatically turned off certstore support. Rather than re-enabling cgo, we updated our fork of the certstore package to no longer require cgo. This updates the package, cleans up how the feature is configured, and removes the cgo build tag requirement. Fixes tailscale/corp#14797 Fixes tailscale/coral#118 Change-Id: Iaea34340761c0431d759370532c16a48c0913374 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Andrew Lytvynov	70f9c8a6ed	clientupdate: change Mac App Store support (#9891 ) In the sandboxed app from the app store, we cannot check `/Library/Preferences/com.apple.commerce.plist` or run `softwareupdate`. We can at most print a helpful message and open the app store page. Also, reenable macsys update function to mark it as supporting c2n updates. macsys support in `tailscale update` was fixed. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Joe Tsai	469b7cabad	cmd/tailscale: improve taildrop progress printer on Linux (#9878 ) The progress printer was buggy where it would not print correctly and some of the truncation logic was faulty. The progress printer now prints something like: go1.21.3.linux-amd64.tar.gz 21.53MiB 13.83MiB/s 33.88% ETA 00:00:03 where it shows * the number of bytes transferred so far * the rate of bytes transferred (using a 1-second half-life for an exponentially weighted average) * the progress made as a percentage * the estimated time (as calculated from the rate of bytes transferred) Other changes: * It now correctly prints the progress for very small files * It prints at a faster rate (4Hz instead of 1Hz) * It uses IEC units for byte quantities (to avoid ambiguities of "kb" being kilobits or kilobytes) Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Tyler Smalley	7a3ae39025	cmd/tailscale/cli: [serve/funnel] support omitting scheme for TCP (#9856 ) The `serve` command for TCP has always required the scheme of the target to be specified. However, when it's omitted the error message reported is misleading ``` error: failed to apply TCP serve: invalid TCP target "localhost:5900": missing port in address ``` Since we know the target is TCP, we shouldn't require it to be specified. This aligns with the changes for HTTP proxies in https://github.com/tailscale/tailscale/issues/8489 closes #9855 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Tyler Smalley	35376d52d4	cmd/tailscale/cli: [serve/funnel] provide correct command for disabling (#9859 ) The `off` subcommand removes a serve/funnel for the corresponding type and port. Previously, we were not providing this which would result in an error if someone was using something than the default https=443. closes #9858 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Brad Fitzpatrick	cf27761265	cmd/tsconnect/wasm: add missing tstun.Wrapper.Start call It's required as of the recent `5297bd2cff`. Updates #7894 Updates #9394 (sure would be nice) Change-Id: Id6672408dd8a6c82dba71022c8763e589d789fcd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Andrew Lytvynov	33bb2bbfe9	tailcfg,cmd/tailscale: add UrgentSecurityUpdate flag to ClientVersion (#9848 ) This flag is used in clients to surface urgent updates more prominently. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	cac290da87	cmd/k8s-operator: users can configure firewall mode for kube operator proxies (#9769 ) * cmd/k8s-operator: users can configure operator to set firewall mode for proxies Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service. Updates tailscale/tailscale#9310 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Tyler Smalley	ddb2a6eb8d	cmd/tailscale: promote new serve/funnel CLI to be default (#9833 ) The change is being kept to a minimum to make a revert easy if necessary. After the release, we will go back for a final cleanup. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Maisem Ali	f53c3be07c	cmd/k8s-operator: use our own container image instead of busybox We already have sysctl in the `tailscale/tailscale` image, just use that. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Brad Fitzpatrick	4dec0c6eb9	tstest, tstest/integration, github/workflows: shard integration tests Over four jobs for now. Updates #cleanup Change-Id: Ic2b1a739a454916893945a3f9efc480d6fcbd70b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Maisem Ali	e6ab7d3c14	cmd/testwrapper: parse args better Previously we were just smushing together args and not trying to parse the values at all. This resulted in the args to testwrapper being limited and confusing. This makes it so that testwrapper parses flags in the exact format as `go test` command and passes them down in the provided order. It uses tesing.Init to register flags that `go test` understands, however those are not the only flags understood by `go test` (such as `-exec`) so we register these separately. Updates tailscale/corp#14975 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	4899c2c1f4	cmd/containerboot: revert to using tailscale up This partially reverts commits `a61a9ab087` and `7538f38671` and fully reverts `4823a7e591`. The goal of that commit was to reapply known config whenever the container restarts. However, that already happens when TS_AUTH_ONCE was false (the default back then). So we only had to selectively reapply the config if TS_AUTH_ONCE is true, this does exactly that. This is a little sad that we have to revert to `tailscale up`, but it fixes the backwards incompatibility problem. Updates tailscale/tailscale#9539 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Brad Fitzpatrick	18bd98d35b	cmd/tailscaled,*: add start of configuration file support Updates #1412 Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Rhea Ghosh	71271e41d6	ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798 ) This change: * adds a partial files peerAPI endpoint to get a list of partial files * adds a helper function to extract the basename of a file * updates the peer put peerAPI endpoint * updates the file put localapi endpoint to allow resume functionality Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Brad Fitzpatrick	c363b9055d	tstest/integration: add tests for tun mode (requiring root) Updates #7894 Change-Id: Iff0b07b21ae28c712dd665b12918fa28d6f601d0 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Maisem Ali	5297bd2cff	cmd/tailscaled,net/tstun: fix data race on start-up in TUN mode Fixes #7894 Change-Id: Ice3f8019405714dd69d02bc07694f3872bb598b8 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	1294b89792	cmd/k8s-operator: allow setting same host value for tls and ingress rules We were too strict and required the user not specify the host field at all in the ingress rules, but that degrades compatibility with existing helm charts. Relax the constraint so that rule.Host can either be empty, or match the tls.Host[0] value exactly. Fixes #9548 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	2d4f808a4c	cmd/containerboot: fix time based serveConfig watcher This broke in a last minute refactor and seems to have never worked. Fixes #9686 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	96f01a73b1	tailcfg: import ProtoPortRange for local use Imported type and parsing, with minor modifications. Updates tailscale/corp#15043 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Maisem Ali	1cb9e33a95	cmd/k8s-operator: update env var in manifest to APISERVER_PROXY Replace the deprecated var with the one in docs to avoid confusion. Introduced in `335a5aaf9a`. Updates #8317 Fixes #9764 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	c1ef55249a	types/ipproto: import and test string parsing for ipproto IPProto has been being converted to and from string formats in multiple locations with variations in behavior. TextMarshaller and JSONMarshaller implementations are now added, along with defined accepted and preferred formats to centralize the logic into a single cross compatible implementation. Updates tailscale/corp#15043 Fixes tailscale/corp#15141 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Maisem Ali	9d96e05267	net/packet: split off checksum munging into different pkg The current structure meant that we were embedding netstack in the tailscale CLI and in the GUIs. This removes that by isolating the checksum munging to a different pkg which is only called from `net/tstun`. Fixes #9756 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	fbfee6a8c0	cmd/containerboot: use linuxfw.NetfilterRunner This migrates containerboot to reuse the NetfilterRunner used by tailscaled instead of manipulating iptables rule itself. This has the added advantage of now working with nftables and we can potentially drop the `iptables` command from the container image in the future. Updates #9310 Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Sonia Appasamy	7a0de2997e	client/web: remove unused context param from NewServer Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Andrew Lytvynov	677d486830	clientupdate: abort if current version is newer than latest (#9733 ) This is only relevant for unstable releases and local builds. When local version is newer than upstream, abort release. Also, re-add missing newlines in output that were missed in https://github.com/tailscale/tailscale/pull/9694. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Brad Fitzpatrick	6b1ed732df	go.mod: bump x/net to 0.17 for CVE-2023-39325 https://go.googlesource.com/net/+/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd Updates tailscale/corp#15165 Change-Id: Ia8b5e16b1acfe1b2400d321034b41370396f70e2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Kristoffer Dalby	7f540042d5	ipn/ipnlocal: use syspolicy to determine collection of posture data Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	9eedf86563	posture: add get serial support for Windows/Linux This commit adds support for getting serial numbers from SMBIOS on Windows/Linux (and BSD) using go-smbios. Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	9593cd3871	posture: add get serial stub for all platforms Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	623926a25d	cmd/tailscale: add --posture-checking flag to set Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Simon Leonhardt	553f657248	sniproxy allows configuration of hostname Signed-off-by: Simon Leonhardt <simon@controlzee.com>	9 months ago
Brad Fitzpatrick	6f36f8842c	cmd/tailscale, magicsock: add debug command to flip DERP homes For testing netmap patchification server-side. Updates #1909 Change-Id: Ib1d784bd97b8d4a31e48374b4567404aae5280cc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrew Lytvynov	e6aa7b815d	clientupdate,cmd/tailscale/cli: use cli.Stdout/Stderr (#9694 ) In case cli.Stdout/Stderr get overriden, all CLI output should use them instead of os.Stdout/Stderr. Update the `update` command to follow this pattern. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Andrew Lytvynov	3ee756757b	cmd/tailscale/cli: add update notification to "up" (#9644 ) Add available update message in "tailscale up" output. Also update the message in "tailscale status" to match and mention auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Rhea Ghosh	dc1c7cbe3e	taildrop: initial commit of taildrop functionality refactoring (#9676 ) Over time all taildrop functionality will be contained in the taildrop package. This will include end to end unit tests. This is simply the first smallest piece to move over. There is no functionality change in this commit. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com> Co-authored-by: Joseph Tsai <joetsai@tailscale.com>	9 months ago
Brad Fitzpatrick	93c6e1d53b	tstest/deptest: add check that x/exp/{maps,slices} imported as xfoo Updates #cleanup Change-Id: I4cbb5e477c739deddf7a46b66f286c9fdb106279 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrew Dunham	286c6ce27c	net/dns/resolver: race UDP and TCP queries (#9544 ) Instead of just falling back to making a TCP query to an upstream DNS server when the UDP query returns a truncated query, also start a TCP query in parallel with the UDP query after a given race timeout. This ensures that if the upstream DNS server does not reply over UDP (or if the response packet is blocked, or there's an error), we can still make queries if the server replies to TCP queries. This also adds a new package, util/race, to contain the logic required for racing two different functions and returning the first non-error answer. Updates tailscale/corp#14809 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4311702016c1093b1beaa31b135da1def6d86316	9 months ago
Val	73e53dcd1c	cmd/tailscale,ipn/ipnlocal: print debug component names Make the 'tailscale debug component-logs' command print the component names for which extra logging can be turned on, for easier discoverability of debug functions. Updates #cleanup Co-authored-by: Paul Scott <paul@tailscale.com> Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Tom DNetto	656a77ab4e	net/packet: implement methods for rewriting v6 addresses Implements the ability for the address-rewriting code to support rewriting IPv6 addresses. Specifically, UpdateSrcAddr & UpdateDstAddr. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates https://github.com/tailscale/corp/issues/11202	9 months ago
Brad Fitzpatrick	d2ea9bb1eb	cmd/cloner: fix typo in test type's name s/SliceContianer/SliceContainer/g Updates #9604 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
James Tucker	ab810f1f6d	cmd/cloner: add regression test for slice nil/empty semantics We had a misstep with the semantics when applying an optimization that showed up in the roll into corp. This test ensures that case and related cases must be retained. Updates #9410 Updates #9601 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Claire Wang	a56e58c244	util/syspolicy: add read boolean setting (#9592 )	9 months ago
James Tucker	324f0d5f80	cmd/cloner,*: revert: optimize nillable slice cloner This reverts commit `ee90cd02fd`. The outcome is not identical for empty slices. Cloner really needs tests! Updates #9601 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
James Tucker	ee90cd02fd	cmd/cloner,*: optimize nillable slice cloner A wild @josharian appears with a good suggestion for a refactor, thanks Josh! Updates #9410 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
James Tucker	0c8c374a41	go.mod: bump all dependencies except go-billy go-billy is held back at v5.4.1 in order to avoid a newly introduced subdependency that is not compatible with plan9. Updates #8043 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
James Tucker	87bc831730	go.mod,cmd/tsconnect: bump esbuild Updates #8043 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Maisem Ali	d71184d674	cmd/containerboot: only wipeout serve config when TS_SERVE_CONFIG is set Fixes #9558 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Denton Gentry	4823a7e591	cmd/containerboot: set TS_AUTH_ONCE default to true. 1.50.0 switched containerboot from using `tailscale up` to `tailscale login`. A side-effect is that a re-usable authkey is now re-applied on every boot by `tailscale login`, where `tailscale up` would ignore an authkey if already authenticated. Though this looks like it is changing the default, in reality it is setting the default to match what 1.48 and all prior releases actually implemented. Fixes https://github.com/tailscale/tailscale/issues/9539 Fixes https://github.com/tailscale/corp/issues/14953 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	9 months ago
Brad Fitzpatrick	856d32b4a9	cmd/testwrapper: include flake URL in JSON metadata Updates tailscale/corp#14975 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrea Barisani	b5b4298325	go.mod,*: bump gvisor Updates #9253 Signed-off-by: Andrea Barisani <andrea@inversepath.com> Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Brad Fitzpatrick	2c92f94e2a	cmd/testwrapper: output machine-readable JSON on test flakes For parsing by other tools. Updates tailscale/corp#14975 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Maisem Ali	354455e8be	ipn: use NodeCapMap in CheckFunnel These were missed when adding NodeCapMap and resulted in tsnet binaries not being able to turn on funnel. Fixes #9566 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago

1 2 3 4 5 ...

1624 Commits (29e98e18f84c96e66314a695cf0a0bff778bdabb)