tailscale

Commit Graph

Author	SHA1	Message	Date
Claire Wang	35872e86d2	ipnlocal, magicsock: store last suggested exit node id in local backend (#11959 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Andrew Dunham	e9505e5432	ipn/ipnlocal: plumb health.Tracker into profileManager constructor Setting the field after-the-fact wasn't working because we could migrate prefs on creation, which would set health status for auto updates. Updates #11986 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I41d79ebd61d64829a3a9e70586ce56f62d24ccfd	2 months ago
Maisem Ali	a49ed2e145	derp,ipn/ipnlocal: stop calling rand.Seed It's deprecated and using it gets us the old slow behavior according to https://go.dev/blog/randv2. > Having eliminated repeatability of the global output stream, Go 1.20 > was also able to make the global generator scale better in programs > that don’t call rand.Seed, replacing the Go 1 generator with a very > cheap per-thread wyrand generator already used inside the Go > runtime. This removed the global mutex and made the top-level > functions scale much better. Programs that do call rand.Seed fall > back to the mutex-protected Go 1 generator. Updates #7123 Change-Id: Ia5452e66bd16b5457d4b1c290a59294545e13291 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Brad Fitzpatrick	96712e10a7	health, ipn/ipnlocal: move more health warning code into health.Tracker In prep for making health warnings rich objects with metadata rather than a bunch of strings, start moving it all into the same place. We'll still ultimately need the stringified form for the CLI and LocalAPI for compatibility but we'll next convert all these warnings into Warnables that have severity levels and such, and legacy stringification will just be something each Warnable thing can do. Updates #4136 Change-Id: I83e189435daae3664135ed53c98627c66e9e53da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	fe009c134e	ipn/ipnlocal: reset the dialPlan only when the URL is unchanged Also, reset it in a few more places (e.g. logout, new blank profiles, etc.) to avoid a few more cases where a pre-existing dialPlan can cause a new Headscale server take 10+ seconds to connect. Updates #11938 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I3095173a5a3d9720507afe4452548491e9e45a3e	2 months ago
Shaw Drastin	1fe073098c	Reset dial plan when switching profile (#11933 ) When switching profile, the server URL can change (e.g. because of switching to a self-hosted headscale instance). If it is not reset here, dial plans returned by old server (e.g. tailscale control server) will be used to connect to new server (e.g. self-hosted headscale server), and the register request will be blocked by it until timeout, leading to very slow profile switches. Updates #11938 11938 Signed-off-by: Shaw Drastin <showier.drastic0a@icloud.com>	2 months ago
Andrew Lytvynov	7ba8f03936	ipn/ipnlocal: fix TestOnTailnetDefaultAutoUpdate on unsupported platforms (#11921 ) Fixes #11894 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Fran Bull	6a0fbacc28	appc: setting AdvertiseRoutes explicitly discards app connector routes This fixes bugs where after using the cli to set AdvertiseRoutes users were finding that they had to restart tailscaled before the app connector would advertise previously learned routes again. And seems more in line with user expectations. Fixes #11006 Signed-off-by: Fran Bull <fran@tailscale.com>	2 months ago
Fran Bull	1bd1b387b2	appc: add flag shouldStoreRoutes and controlknob for it When an app connector is reconfigured and domains to route are removed, we would like to no longer advertise routes that were discovered for those domains. In order to do this we plan to store which routes were discovered for which domains. Add a controlknob so that we can enable/disable the new behavior. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	2 months ago
Fran Bull	79836e7bfd	appc: add RouteInfo struct and persist it to StateStore Lays the groundwork for the ability to persist app connectors discovered routes, which will allow us to stop advertising routes for a domain if the app connector no longer monitors that domain. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	2 months ago
Irbe Krumina	1452faf510	cmd/containerboot,kube,ipn/store/kubestore: allow interactive login on kube, check Secret create perms, allow empty state Secret (#11326 ) cmd/containerboot,kube,ipn/store/kubestore: allow interactive login and empty state Secrets, check perms * Allow users to pre-create empty state Secrets * Add a fake internal kube client, test functionality that has dependencies on kube client operations. * Fix an issue where interactive login was not allowed in an edge case where state Secret does not exist * Make the CheckSecretPermissions method report whether we have permissions to create/patch a Secret if it's determined that these operations will be needed Updates tailscale/tailscale#11170 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Brad Fitzpatrick	b9adbe2002	net/{interfaces,netmon}, all: merge net/interfaces package into net/netmon In prep for most of the package funcs in net/interfaces to become methods in a long-lived netmon.Monitor that can cache things. (Many of the funcs are very heavy to call regularly, whereas the long-lived netmon.Monitor can subscribe to things from the OS and remember answers to questions it's asked regularly later) Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: Ie4e8dedb70136af2d611b990b865a822cd1797e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	6b95219e3a	net/netmon, add: add netmon.State type alias of interfaces.State ... in prep for merging the net/interfaces package into net/netmon. This is a no-op change that updates a bunch of the API signatures ahead of a future change to actually move things (and remove the type alias) Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I477613388f09389214db0d77ccf24a65bff2199c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	3672f29a4e	net/netns, net/dns/resolver, etc: make netmon required in most places The goal is to move more network state accessors to netmon.Monitor where they can be cheaper/cached. But first (this change and others) we need to make sure the one netmon.Monitor is plumbed everywhere. Some notable bits: * tsdial.NewDialer is added, taking a now-required netmon * because a tsdial.Dialer always has a netmon, anything taking both a Dialer and a NetMon is now redundant; take only the Dialer and get the NetMon from that if/when needed. * netmon.NewStatic is added, primarily for tests Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I877f9cb87618c4eb037cee098241d18da9c01691 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	4f73a26ea5	ipn/ipnlocal: skip TestOnTailnetDefaultAutoUpdate on macOS for now While it's broken. Updates #11894 Change-Id: I24698707ffe405471a14ab2683aea7e836531da8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Jonathan Nobels	71e9258ad9	ipn/ipnlocal: fix null dereference for early suggested exit node queries (#11885 ) Fixes tailscale/corp#19558 A request for the suggested exit nodes that occurs too early in the VPN lifecycle would result in a null deref of the netmap and/or the netcheck report. This checks both and errors out. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Brad Fitzpatrick	745931415c	health, all: remove health.Global, finish plumbing health.Tracker Updates #11874 Updates #4136 Change-Id: I414470f71d90be9889d44c3afd53956d9f26cd61 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	a4a282cd49	control/controlclient: plumb health.Tracker Updates #11874 Updates #4136 Change-Id: Ia941153bd83523f0c8b56852010f5231d774d91a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	6d69fc137f	ipn/{ipnlocal,localapi},wgengine{,/magicsock}: plumb health.Tracker Down to 25 health.Global users. After this remains controlclient & net/dns & wgengine/router. Updates #11874 Updates #4136 Change-Id: I6dd1856e3d9bf523bdd44b60fb3b8f7501d5dc0d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	723c775dbb	tsd, ipnlocal, etc: add tsd.System.HealthTracker, start some plumbing This adds a health.Tracker to tsd.System, accessible via a new tsd.System.HealthTracker method. In the future, that new method will return a tsd.System-specific HealthTracker, so multiple tsnet.Servers in the same process are isolated. For now, though, it just always returns the temporary health.Global value. That permits incremental plumbing over a number of changes. When the second to last health.Global reference is gone, then the tsd.System.HealthTracker implementation can return a private Tracker. The primary plumbing this does is adding it to LocalBackend and its dozen and change health calls. A few misc other callers are also plumbed. Subsequent changes will flesh out other parts of the tree (magicsock, controlclient, etc). Updates #11874 Updates #4136 Change-Id: Id51e73cfc8a39110425b6dc19d18b3975eac75ce Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	5b32264033	health: break Warnable into a global and per-Tracker value halves Previously it was both metadata about the class of warnable item as well as the value. Now it's only metadata and the value is per-Tracker. Updates #11874 Updates #4136 Change-Id: Ia1ed1b6c95d34bc5aae36cffdb04279e6ba77015 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	ebc552d2e0	health: add Tracker type, in prep for removing global variables This moves most of the health package global variables to a new `health.Tracker` type. But then rather than plumbing the Tracker in tsd.System everywhere, this only goes halfway and makes one new global Tracker (`health.Global`) that all the existing callers now use. A future change will eliminate that global. Updates #11874 Updates #4136 Change-Id: I6ee27e0b2e35f68cb38fecdb3b2dc4c3f2e09d68 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Percy Wegmann	955ad12489	ipn/ipnlocal: only show Taildrive peers to which ACLs grant us access This improves convenience and security. * Convenience - no need to see nodes that can't share anything with you. * Security - malicious nodes can't expose shares to peers that aren't allowed to access their shares. Updates tailscale/corp#19432 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Anton Tolchanov	31e6bdbc82	ipn/ipnlocal: always stop the engine on auth when key has expired If seamless key renewal is enabled, we typically do not stop the engine (deconfigure networking). However, if the node key has expired there is no point in keeping the connection up, and it might actually prevent key renewal if auth relies on endpoints routed via app connectors. Fixes tailscale/corp#5800 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 months ago
Andrea Gottardo	1d3e77f373	util/syspolicy: add ReadStringArray interface (#11857 ) Fixes tailscale/corp#19459 This PR adds the ability for users of the syspolicy handler to read string arrays from the MDM solution configured on the system. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Joe Tsai	63b3c82587	ipn/local: log OS-specific diagnostic information as JSON (#11700 ) There is an undocumented 16KiB limit for text log messages. However, the limit for JSON messages is 256KiB. Even worse, logging JSON as text results in significant overhead since each double quote needs to be escaped. Instead, use logger.Logf.JSON to explicitly log the info as JSON. We also modify osdiag to return the information as structured data rather than implicitly have the package log on our behalf. This gives more control to the caller on how to log. Updates #7802 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Andrew Lytvynov	06502b9048	ipn/ipnlocal: reset auto-updates if unsupported on profile load (#11838 ) Prior to `1613b18f82 (diff-314ba0d799f70c8998940903efb541e511f352b39a9eeeae8d475c921d66c2ac)`, nodes could set AutoUpdate.Apply=true on unsupported platforms via `EditPrefs`. Specifically, this affects tailnets where default auto-updates are on. Fix up those invalid prefs on profile reload, as a migration. Updates #11544 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Andrew Lytvynov	b743b85dad	ipn/ipnlocal,ssh/tailssh: reject c2n /update if SSH conns are active (#11820 ) Since we already track active SSH connections, it's not hard to proactively reject updates until those finish. We attempt to do the same on the control side, but the detection latency for new connections is in the minutes, which is not fast enough for common short sessions. Handle a `force=true` query parameter to override this behavior, so that control can still trigger an update on a server where some long-running abandoned SSH session is open. Updates https://github.com/tailscale/corp/issues/18556 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Andrew Lytvynov	bff527622d	ipn/ipnlocal,clientupdate: disallow auto-updates in containers (#11814 ) Containers are typically immutable and should be updated as a whole (and not individual packages within). Deny enablement of auto-updates in containers. Also, add the missing check in EditPrefs in LocalAPI, to catch cases like tailnet default auto-updates getting enabled for nodes that don't support it. Updates #11544 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Percy Wegmann	d16c1293e9	ipn/ipnlocal: remove origin and referer headers from Taildrive requests peerapi does not want these, but rclone includes them. Removing them allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	94c0403104	ipn/ipnlocal: strip origin and referer headers from Taildrive requests peerapi does not want these, but rclone includes them. Stripping them out allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Andrew Lytvynov	22bd506129	ipn/ipnlocal: hold the mutex when in onTailnetDefaultAutoUpdate (#11786 ) Turns out, profileManager is not safe for concurrent use and I missed all the locking infrastructure in LocalBackend, oops. I was not able to reproduce the race even with `go test -count 100`, but this seems like an obvious fix. Fixes #11773 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Brad Fitzpatrick	21a0fe1b9b	ipn/store: omit AWS & Kubernetes support on 'small' Linux GOARCHes This removes AWS and Kubernetes support from Linux binaries by default on GOARCH values where people don't typically run on AWS or use Kubernetes, such as 32-bit mips CPUs. It primarily focuses on optimizing for the static binaries we distribute. But for people building it themselves, they can set ts_kube or ts_aws (the opposite of ts_omit_kube or ts_omit_aws) to force it back on. Makes tailscaled binary ~2.3MB (~7%) smaller. Updates #7272, #10627 etc Change-Id: I42a8775119ce006fa321462cb2d28bc985d1c146 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Jonathan Nobels	7e2b4268d6	ipn/{localapi, ipnlocal}: forget the prior exit node when localAPI is used to zero the ExitNodeID (#11681 ) Updates tailscale/corp#18724 When localAPI clients directly set ExitNodeID to "", the expected behaviour is that the prior exit node also gets zero'd - effectively setting the UI state back to 'no exit node was ever selected' The IntenalExitNodePrior has been changed to be a non-opaque type, as it is read by the UI to render the users last selected exit node, and must be concrete. Future-us can either break this, or deprecate it and replace it with something more interesting. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	3 months ago
Brad Fitzpatrick	3c1e2bba5b	ipn/ipnlocal: remove outdated iOS hacky workaround in Start We haven't needed this hack for quite some time Andrea says. Updates #11649 Change-Id: Ie854b7edd0a01e92495669daa466c7c0d57e7438 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	dd6c76ea24	ipn: remove unused Options.LegacyMigrationPrefs I'm on a mission to simplify LocalBackend.Start and its locking and deflake some tests. I noticed this hasn't been used since March 2023 when it was removed from the Windows client in corp 66be796d33c. So, delete. Updates #11649 Change-Id: I40f2cb75fb3f43baf23558007655f65a8ec5e1b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	7ec0dc3834	ipn/ipnlocal: make StartLoginInteractive take (yet unused) context In prep for future fix to undermentioned issue. Updates tailscale/tailscale#7036 Change-Id: Ide114db917dcba43719482ffded6a9a54630d99e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Claire Wang	9171b217ba	cmd/tailscale, ipn/ipnlocal: add suggest exit node CLI option (#11407 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	3 months ago
Brad Fitzpatrick	b9aa7421d6	ipn/ipnlocal: remove some dead code (legacyBackend methods) from LocalBackend Nothing used it. Updates #11649 Change-Id: Ic1c331d947974cd7d4738ff3aafe9c498853689e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	bad3159b62	ipn/ipnlocal: delete useless SetControlClientGetterForTesting use Updates #11649 Change-Id: I56c069b9c97bd3e30ff87ec6655ec57e1698427c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	8186cd0349	ipn/ipnlocal: delete redundant TestStatusWithoutPeers We have tstest/integration nowadays. And this test was one of the lone holdouts using the to-be-nuked SetControlClientGetterForTesting. Updates #11649 Change-Id: Icf8a6a2e9b8ae1ac534754afa898c00dc0b7623b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	68043a17c2	ipn/ipnlocal: centralize assignments to cc + ccAuto in new method cc vs ccAuto is a mess. It needs to go. But this is a baby step towards getting there. Updates #11649 Change-Id: I34f33934844e580bd823a7d8f2b945cf26c87b3b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	970b1e21d0	ipn/ipnlocal: inline assertClientLocked into its now sole caller Updates #11649 Change-Id: I8e2a5e59125a0cad5c0a8c9ed8930585f1735d03 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	170c618483	ipn/ipnlocal: remove dead code now that Android uses LocalAPI instead The new Android app and its libtailscale don't use this anymore; it uses LocalAPI like other clients now. Updates #11649 Change-Id: Ic9f42b41e0e0280b82294329093dc6c275f41d50 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
kari-ts	1cd51f95c7	ipnlocal: enable allow LAN for android (#11709 ) Updates tailscale/corp#18984 Updates tailscale/corp#18202	3 months ago
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	aa084a29c6	ipn/ipnlocal: name the unlockOnce type, plumb more, add Unlock method This names the func() that Once-unlocked LocalBackend.mu. It does so both for docs and because it can then have a method: Unlock, for the few points that need to explicitly unlock early (the cause of all this mess). This makes those ugly points easy to find, and also can then make them stricter, panicking if the mutex is already unlocked. So a normal call to the func just once-releases the mutex, returning false if it's already done, but the Unlock method is the strict one. Then this uses it more, so most the b.mu.Unlock calls remaining are simple cases and usually defers. Updates #11649 Change-Id: Ia070db66c54a55e59d2f76fdc26316abf0dd4627 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	5e7c0b025c	ipn/ipnlocal: add some "lockedOnEntry" helpers + guardrails, fix bug A number of methods in LocalBackend (with suffixed "LockedOnEntry") require b.mu be held but unlock it on the way out. That's asymmetric and atypical and error prone. This adds a helper method to LocalBackend that locks the mutex and returns a sync.OnceFunc that unlocks the mutex. Then we pass around that unlocker func down the chain to make it explicit (and somewhat type check the passing of ownership) but also let the caller defer unlock it, in the case of errors/panics that happen before the callee gets around to calling the unlock. This revealed a latent bug in LocalBackend.DeleteProfile which double unlocked the mutex. Updates #11649 Change-Id: I002f77567973bd77b8906bfa4ec9a2049b89836a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	38377c37b5	ipn/localapi: sort localapi handler map keys Updates #cleanup Change-Id: I750ed8d033954f1f8786fb35dd16895bb1c5af8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago

1 2 3 4 5 ...

1405 Commits (35872e86d29a4a46d20d2b7cbd4927ee83fedac4)