Commit Graph

780 Commits (31094d557bdd592cdb08042535b2fc94889be7f3)

Author SHA1 Message Date
Maisem Ali 695f8a1d7e ssh/tailssh: add support for sftp
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
3 years ago
Brad Fitzpatrick 53588f632d Revert "wgengine/router,util/kmod: load & log xt_mark"
This reverts commit 8d6793fd70.

Reason: breaks Android build (cgo/pthreads addition)

We can try again next cycle.

Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
James Tucker 8d6793fd70 wgengine/router,util/kmod: load & log xt_mark
Attempt to load the xt_mark kernel module when it is not present. If the
load fails, log error information.

It may be tempting to promote this failure to an error once it has been
in use for some time, so as to avoid reaching an error with the iptables
invocation, however, there are conditions under which the two stages may
disagree - this change adds more useful breadcrumbs.

Example new output from tailscaled running under my WSL2:

```
router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2
```

Background:

There are two places to lookup modules, one is `/proc/modules` "old",
the other is `/sys/module/` "new".

There was query_modules(2) in linux <2.6, alas, it is gone.

In a docker container in the default configuration, you would get
/proc/modules and /sys/module/ both populated. lsmod may work file,
modprobe will fail with EPERM at `finit_module()` for an unpriviliged
container.

In a priviliged container the load may *succeed*, if some conditions are
met. This condition should be avoided, but the code landing in this
change does not attempt to avoid this scenario as it is both difficult
to detect, and has a very uncertain impact.

In an nspawn container `/proc/modules` is populated, but `/sys/module`
does not exist. Modern `lsmod` versions will fail to gather most module
information, without sysfs being populated with module information.

In WSL2 modules are likely missing, as the in-use kernel typically is
not provided by the distribution filesystem, and WSL does not mount in a
module filesystem of its own. Notably the WSL2 kernel supports iptables
marks without listing the xt_mark module in /sys/module, and
/proc/modules is empty.

On a recent kernel, we can ask the capabilities system about SYS_MODULE,
that will help to disambiguate between the non-privileged container case
and just being root. On older kernels these calls may fail.

Update #4329

Signed-off-by: James Tucker <james@tailscale.com>
3 years ago
Brad Fitzpatrick d413850bd7 cmd/tailscale: add "debug via" subcommand to do CIDR math for via ranges
$ tailscale debug via 0xb 10.2.0.0/16
fd7a:115c:a1e0:b1a:0🅱️a02:0/112
$ tailscale debug via fd7a:115c:a1e0:b1a:0🅱️a02:0/112
site 11 (0xb), 10.2.0.0/16

Previously: 3ae701f0eb

This adds a little debug tool to do CIDR math to make converting between
those ranges easier for now.

Updates #3616

Change-Id: I98302e95d17765bfaced3ecbb71cbd43e84bff46
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Xe Iaso fc2f628d4c
cmd/nginx-auth: maintainer scripts and tailnet checking (#4460)
* cmd/nginx-auth: add maintainer scripts

Signed-off-by: Xe <xe@tailscale.com>

* cmd/nginx-auth: add Expected-Tailnet header and documentation

Signed-off-by: Xe <xe@tailscale.com>
3 years ago
Blake Mizerany 33fa43252e cmd/proxy-to-grafana: prevent premature termination
This commit changes proxy-to-grafana to report errors while polling for
tailscaled status instead of terminating at the first sign of an error.
This allows tailscale some time to come up before the proxy decides to
give up.

Signed-off-by: Blake Mizerany <blake.mizerany@gmail.com>
3 years ago
Maisem Ali 945879fa38 cmd/tailscale: [ssh] enable StrictHostKeyChecking mode
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
3 years ago
Brad Fitzpatrick 8f5e5bff1e cmd/tailscale, etc: make "tailscale up --ssh" fail fast when unavailable
Fail on unsupported platforms (must be Linux or macOS tailscaled with
WIP env) or when disabled by admin (with TS_DISABLE_SSH_SERVER=1)

Updates #3802

Change-Id: I5ba191ed0d8ba4ddabe9b8fc1c6a0ead8754b286
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick f0e2272e04 cmd/tailscale: unhide 'up --ssh' behind WIP env var
Updates #3802

Change-Id: I99c550c2e4450640b0ee6ab060f178dde1360553
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 8ee044ea4a ssh/tailssh: make the SSH server a singleton, register with LocalBackend
Remove the weird netstack -> tailssh dependency and instead have tailssh
register itself with ipnlocal when linked.

This makes tailssh.server a singleton, so we can have a global map of
all sessions.

Updates #3802

Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
phirework 83c734a6e0
net/dns, util/publicdns: extract public DNS mapping into own package (#4405)
This extracts DOH mapping of known public DNS providers in
forwarder.go into its own package, to be consumed by other repos

Signed-off-by: Jenny Zhang <jz@tailscale.com>
3 years ago
James Tucker 8de7f9bff7 tailscaled: no longer tune gcpercent
Usage of userspace-networking is increasing, and the aggressive GC
tuning causes a significant reduction in performance in that mode.

Signed-off-by: James Tucker <james@tailscale.com>
3 years ago
Xe Iaso 4f1d6c53cb
cmd/nginx-auth: create new Tailscale NGINX auth service (#4400)
This conforms to the NGINX subrequest result authentication protocol[1]
using the NGINX module `ngx_http_auth_request_module`. This is based on
the example that @peterkeen provided on Twitter[2], but with several
changes to make things more tightly locked down:

* This listens over a UNIX socket instead of a TCP socket to prevent
  leakage to the network
* This uses systemd socket activation so that systemd owns the socket
  and can then lock down the service to the bare minimum required to do
  its job without having to worry about dropping permissions
* This provides additional information in HTTP response headers that can
  be useful for integrating with various services
* This has a script to automagically create debian and redhat packages
  for easier distribution

This will be written about on the Tailscale blog. There is more
information in README.md.

[1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
[2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go

Signed-off-by: Xe Iaso <xe@tailscale.com>
3 years ago
Maisem Ali c87ed52ad4 cmd/tailscale: add id-token subcommand
RELNOTE=Initial support for getting OIDC ID Tokens

Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>
3 years ago
Brad Fitzpatrick 3ae701f0eb net/tsaddr, wgengine/netstack: add IPv6 range that forwards to site-relative IPv4
This defines a new magic IPv6 prefix, fd7a:115c:a1e0:b1a::/64, a
subset of our existing /48, where the final 32 bits are an IPv4
address, and the middle 32 bits are a user-chosen "site ID". (which
must currently be 0000:00xx; the top 3 bytes must be zero for now)

e.g., I can say my home LAN's "site ID" is "0000:00bb" and then
advertise its 10.2.0.0/16 IPv4 range via IPv6, like:

    tailscale up --advertise-routes=fd7a:115c:a1e0:b1a::bb:10.2.0.0/112

(112 being /128 minuse the /96 v6 prefix length)

Then people in my tailnet can:

     $ curl '[fd7a:115c:a1e0:b1a::bb:10.2.0.230]'
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ....

Updates #3616, etc

RELNOTE=initial support for TS IPv6 addresses to route v4 "via" specific nodes

Change-Id: I9b49b6ad10410a24b5866b9fbc69d3cae1f600ef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
David Eger f992749b98 cmd/tailscale: Add file get --loop flag.
To "automatically receive taildrop files to my Downloads directory,"
user currently has to run 'tailscale file get' in a loop.  Make
it easy to do this without shell.

Updates: #2312

Signed-off-by: David Eger <david.eger@gmail.com>
3 years ago
Xiaochao Dong (@damnever) 7d97800d52 cmd/tailscale: make web mode preserve URL scheme in Synology redirect
Signed-off-by: Xiaochao Dong (@damnever) <the.xcdong@gmail.com>
3 years ago
James Tucker 2550acfd9d
go.mod: bump netstack for clone reset fix (#4379)
In tracking down issue #4144 and reading through the netstack code in
detail, I discovered that the packet buf Clone path did not reset the
packetbuf it was getting from the sync.Pool. The fix was sent upstream
https://github.com/google/gvisor/pull/7385, and this bump pulls that in.
At this time there is no known path that this fixes, however at the time
of upstream submission this reset at least one field that could lead to
incorrect packet routing if exercised, a situation that could therefore
lead to an information leak.

Signed-off-by: James Tucker <james@tailscale.com>
3 years ago
James Tucker c6ac29bcc4
wgengine/netstack: disable refsvfs2 leak tracking (#4378)
In addition an envknob (TS_DEBUG_NETSTACK_LEAK_MODE) now provides access
to set leak tracking to more useful values.

Fixes #4309

Signed-off-by: James Tucker <james@tailscale.com>
3 years ago
Xe Iaso 55161b3d92
cmd/mkpkg: use package flag (#4373)
Also removes getopt

Signed-off-by: Xe <xe@tailscale.com>
3 years ago
Xe Iaso be861797b4
cmd/mkpkg: add name argument (#4372)
* shell.nix: rename goimports to gotools

Signed-off-by: Xe <xe@tailscale.com>

* cmd/mkpkg: allow specifying description and name in flag args

Signed-off-by: Xe <xe@tailscale.com>
3 years ago
oliverpool 0b273e1857 cmd/tailscale: drop special exit code 125 for gokrazy
No needed since gokrazy doesn't restart successful processes anymore: https://github.com/gokrazy/gokrazy/pull/127

Signed-off-by: Olivier Charvin <git@olivier.pfad.fr>
3 years ago
Brad Fitzpatrick 5a44f9f5b5 tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh
While we rearrange/upstream things.

gliderlabs/ssh is forked into tempfork from our prior fork
at be8b7add40

x/crypto/ssh OTOH is forked at
https://github.com/tailscale/golang-x-crypto because it was gnarlier
to vendor with various internal packages, etc.
Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d).

Updates #3802

Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 753f1bfad4 cmd/tailscale: write fewer known_hosts, resolve ssh host to FQDN early
Updates #3802

Change-Id: Ic44fa2e6661a9c046e725c04fa6b8213d3d4d2b2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick df93158aac cmd/tailscale: generate known_hosts file for 'tailscale ssh'
Updates #3802

Change-Id: I7a0052392f000ee44fc8e719f6666756aab91f3d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 8294915780 cmd/tailscale/cli: add start of 'ssh' subcommand
Updates #3802

Change-Id: Iabc07c00c7e4f43944cfe7daec8d2b66ac002289
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 06fcf3b225 cmd/tailscale: make status --peers=false work earlier + in JSON mode
And return an error if you use non-flag arguments.

Change-Id: I0dd6c357eb5cabd0f17020f21ba86406aea21681
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 5df12b9059 client/tailscale, cmd/tailscale, localapi: add 'tailscale nc' (actually)
Adds missing file from fc12cbfcd3.

GitHub was having issues earlier and it was all green because the
checks never actually ran, but the DCO non-Actions check at least did,
so "green" and I merged, not realizing it hadn't really run anything.

Updates #3802

Change-Id: I29f605eebe5336f1f3ca28ebb78b092dd99d9fd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick fc12cbfcd3 client/tailscale, cmd/tailscale, localapi: add 'tailscale nc'
This adds a "tailscale nc" command that acts a bit like "nc", but
dials out via tailscaled via localapi.

This is a step towards a "tailscale ssh", as we'll use "tailscale nc"
as a ProxyCommand for in some cases (notably in userspace mode).

But this is also just useful for debugging & scripting.

Updates #3802

RELNOTE=tailscale nc

Change-Id: Ia5c37af2d51dd0259d5833d80264d3ad5f68446a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Josh Bleecher Snyder 77b4fe0afa all: remove "no 1.18 support" failures
We have worked around the issue in DERP,
so the vanilla Go 1.18 toolchain now works.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick 98984c1a9a cmd/proxy-to-grafana: fix package doc code snippet
Markdown isn't supported.

Change-Id: I8d9bb92260c164dc277afbce624f64fc2faf5125
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Nick O'Neill 5fa502b5dc
cmd/proxy-to-grafana: use grafana's authproxy to log in tailnet users (#4208)
Signed-off-by: Nick O'Neill <nick@tailscale.com>
3 years ago
Brad Fitzpatrick f2041c9088 all: use strings.Cut even more
Change-Id: I943ce72c6f339589235bddbe10d07799c4e37979
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Aaron Klotz 6e91f872af net/tshttpproxy: ensure we pass the correct flags to WinHttpOpen on Win7 and Win8.0
The best flag to use on Win7 and Win8.0 is deprecated in Win8.1, so we resolve
the flag depending on OS version info.

Fixes https://github.com/tailscale/tailscale/issues/4201

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
3 years ago
Brad Fitzpatrick 1db46919ab cmd/tailscaled: make build fail nicely on older Go versions
Due to a bug in Go (golang/go#51778), cmd/go doesn't warn about your
Go version being older than the go.mod's declared Go version in that
case that package loading fails before the build starts, such as when
you use packages that are only in the current version of Go, like our
use of net/netip.

This change works around that Go bug by adding build tags and a
pre-Go1.18-only file that will cause Go 1.17 and earlier to fail like:

    $ ~/sdk/go1.17/bin/go install ./cmd/tailscaled
    # tailscale.com/cmd/tailscaled
    ./required_version.go:11:2: undefined: you_need_Go_1_18_to_compile_Tailscale
    note: module requires Go 1.18

Change-Id: I39f5820de646703e19dde448dd86a7022252f75c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Josh Bleecher Snyder 0868329936 all: use any instead of interface{}
My favorite part of generics.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Josh Bleecher Snyder 997b19545b syncs: use TryLock and TryRLock instead of unsafe
The docs say:

Note that while correct uses of TryLock do exist, they are rare,
and use of TryLock is often a sign of a deeper problem in a particular use of mutexes.

Rare code! Or bad code! Who can tell!

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick ead16b24ec cmd/tailscaled: fail early with nice error on macOS with go1.18
Due to golang/go#51759

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Denton Gentry d8953bf2ba cmd/derpprobe: don't alert for smaller failures.
There is a Cosmic Background level of DERP Unreachability,
with individual nodes or regions becoming unreachable briefly
and returning a short time later. This is due to hosting provider
outages or just the Internet sloshing about.

Returning a 500 error pages a human. Being awoken at 3am for
a transient error is annoying.

For relatively small levels of badness don't page a human,
just post to Slack. If the outage impacts a significant fraction
of the DERP fleet, then page a human.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
3 years ago
Josh Bleecher Snyder 8c2cb4b431 go.mod: update to latest certstore
It includes a fix to allow us to use Go 1.18.
We can now remove our Tailscale-only build tags.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick 1f22507c06 version: use Go 1.18's git stamping as default implementation
No more manual version bumps!

Fixes #81

Change-Id: I3a9e544a7248f0b83bcbacbaabbc4dabc435e62d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Josh Bleecher Snyder 26021b07ec control/controlclient: only build certstore-related code with the Tailscale Go toolchain
The certstore code is impacted by golang/go#51726.
The Tailscale Go toolchain fork contains a temporary workaround,
so it can compile it. Once the upstream toolchain can compile certstore,
presumably in Go 1.18.1, we can revert this change.

Note that depaware runs with the upstream toolchain.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Josh Bleecher Snyder 1b57b0380d wgengine/magicsock: remove final alloc from ReceiveFrom
And now that we don't have to play escape analysis and inlining games,
simplify the code.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Josh Bleecher Snyder 71b535fc94 go.mod: require Go 1.18
Also, update depaware for Go 1.18's dependency tree.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
David Eger 5be42c0af1 cmd/tailscale: add file get options for dealing with existing files
A new flag --conflict=(skip|overwrite|rename) lets users specify
what to do when receiving files that match a same-named file in
the target directory.

Updates #3548

Signed-off-by: David Eger <david.eger@gmail.com>
3 years ago
Maisem Ali da6ce27416 go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh
Updates #4146

Signed-off-by: Maisem Ali <maisem@tailscale.com>
3 years ago
Brad Fitzpatrick ba1adf6c24 ssh/tailssh: make pty termios options match OpenSSH
Still not sure the exact rules of how/when/who's supposed to set
these, but this works for now on making them match. Baby steps.
Will research more and adjust later.

Updates #4146 (but not enough to fix it, something's still wrong)
Updates #3802

Change-Id: I496d8cd7e31d45fe9ede88fc8894f35dc096de67
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Aaron Klotz f8a4df66de cmd/tailscale/cli, ipn: move exit node IP parsing and validation from cli into prefs.
We need to be able to provide the ability for the GUI clients to resolve and set
the exit node IP from an untrusted string, thus enabling the ability to specify
that information via enterprise policy.

This patch moves the relevant code out of the handler for `tailscale up`,
into a method on `Prefs` that may then be called by GUI clients.

We also update tests accordingly.

Updates https://github.com/tailscale/corp/issues/4239

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
3 years ago
Joonas Kuorilehto c1b3500a05 cmd/tailscale: allow use of flags in gokrazy
Enable use of command line arguments with tailscale cli on gokrazy. Before
this change using arguments like "up" would cause tailscale cli to be
repeatedly restarted by gokrazy process supervisor.

We never want to have gokrazy restart tailscale cli, even if user would
manually start the process.

Expected usage is that user creates files:

flags/tailscale.com/cmd/tailscale/flags.txt:

    up

flags/tailscale.com/cmd/tailscaled/flags.txt:

    --statedir=/perm/tailscaled/
    --tun=userspace-networking

Then tailscale prints URL for user to log in with browser.

Alternatively it should be possible to use up with auth key to allow
unattended gokrazy installs.

Signed-off-by: Joonas Kuorilehto <joneskoo@derbian.fi>
3 years ago
Maisem Ali 06c147d848 ssh/tailssh: create login sessions for new connections
Signed-off-by: Maisem Ali <maisem@tailscale.com>
3 years ago