tailscale

Commit Graph

Author	SHA1	Message	Date
Mihai Parparita	4722f7e322	all: move network monitoring from wgengine/monitor to net/netmon We're using it in more and more places, and it's not really specific to our use of Wireguard (and does more just link/interface monitoring). Also removes the separate interface we had for it in sockstats -- it's a small enough package (we already pull in all of its dependencies via other paths) that it's not worth the extra complexity. Updates #7621 Updates #7850 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	f85dc6f97c	ci: add more lints (#7909 ) This is a follow-up to #7905 that adds two more linters and fixes the corresponding findings. As per the previous PR, this only flags things that are "obviously" wrong, and fixes the issues found. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8739bdb7bc4f75666a7385a7a26d56ec13741b7c	1 year ago
Maisem Ali	c3ef6fb4ee	ipn/ipnlocal: handle masquerade addresses in PeerAPI Without this, the peer fails to do anything over the PeerAPI if it has a masquerade address. ``` Apr 19 13:58:15 hydrogen tailscaled[6696]: peerapi: invalid request from <ip>:58334: 100.64.0.1/32 not found in self addresses ``` Updates #8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Mihai Parparita	d0906cda97	net/sockstats: expose debug info Exposes some internal state of the sockstats package via the C2N and PeerAPI endpoints, so that it can be used for debugging. For now this includes the estimated radio on percentage and a second-by-second view of the times the radio was active. Also fixes another off-by-one error in the radio on percentage that was leading to >100% values (if n seconds have passed since we started to monitor, there may be n + 1 possible seconds where the radio could have been on). Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	280255acae	various: add golangci-lint, fix issues (#7905 ) This adds an initial and intentionally minimal configuration for golang-ci, fixes the issues reported, and adds a GitHub Action to check new pull requests against this linter configuration. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8f38fbc315836a19a094d0d3e986758b9313f163	1 year ago
Mihai Parparita	9a655a1d58	net/dnsfallback: more explicitly pass through logf function Redoes the approach from #5550 and #7539 to explicitly pass in the logf function, instead of having global state that can be overridden. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
James Tucker	8dec1a8724	.github/workflows: reenable Windows CI, disable broken tests We accidentally switched to ./tool/go in `4022796484` which resulted in no longer running Windows builds, as this is attempting to run a bash script. I was unable to quickly fix the various tests that have regressed, so instead I've added skips referencing #7876, which we need to back and fix. Updates #7262 Updates #7876 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Mihai Parparita	cef0a474f8	ipn/ipnlocal: check that sockstatLogger is available in c2n endpoint Otherwise there may be a panic if it's nil (and the control side of the c2n call will just time out). Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	03b2c44a21	ipn/ipnlocal: more explicitly say if sockstats are not available Makes it more apparent in the PeerAPI endpoint that the client was not built with the appropriate toolchain or build tags. Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Brad Fitzpatrick	2c0bda6e2e	ssh/tailssh: make Tailscale SSH work on gokrazy Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
shayne	ba4e58f429	cmd/tailscale/cli: do not allow turning Funnel on while shields-up (#7770 )	1 year ago
Will Norris	5a3da3cd7f	ipn: add sockstat logger to stable builds This makes the sockstat logger available on all builds, but only enables it by default for unstable. For stable builds, the logger must be explicitly enabled via C2N component logger. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Aaron Klotz	90fd04cbde	ipn/ipnlocal, util/winutil/policy: modify Windows profile migration to load legacy prefs from within tailscaled I realized that a lot of the problems that we're seeing around migration and LocalBackend state can be avoided if we drive Windows pref migration entirely from within tailscaled. By doing it this way, tailscaled can automatically perform the migration as soon as the connection with the client frontend is established. Since tailscaled is already running as LocalSystem, it already has access to the user's local AppData directory. The profile manager already knows which user is connected, so we simply need to resolve the user's prefs file and read it from there. Of course, to properly migrate this information we need to also check system policies. I moved a bunch of policy resolution code out of the GUI and into a new package in util/winutil/policy. Updates #7626 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Mihai Parparita	e3cb8cc88d	ipn/ipnlocal: automatically upload sockstats logs when the period ends Avoids needing a separate c2n call to get the logs uploaded. Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	3b39ca9017	ipn/ipnlocal: update comment in SetComponentDebugLogging Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8c36a62079dce77fc81b9cdfb5fe723b007218ba	1 year ago
Maisem Ali	e0d291ab8a	ipn/store: add support for stores to hook into a custom dialer For stores like k8s secrets we need to dial out to the k8s API as though Tailscale wasn't running. The issue currently only manifests when you try to use an exit node while running inside a k8s cluster and are trying to use Kubernetes secrets as the backing store. This doesn't address cmd/containerboot, which I'll do in a follow up. Updates #7695 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	1 year ago
Will Norris	7c99210e68	log: allow toggling sockstat logs via c2n component logging Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
shayne	3177ccabe5	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	7908b6d616	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Maisem Ali	9e81db50f6	ipn/ipnlocal: use atomicfile.WriteFile in certFileStore Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ec90522a53	ipn/ipnlocal: also store ACME keys in the certStore We were not storing the ACME keys in the state store, they would always be stored on disk. Updates #7588 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	f13b8bf0cf	log: use logtail to log and upload sockstat logs Switch to using logtail for logging sockstat logs. Always log locally (on supported platforms), but disable automatic uploading. Change existing c2n sockstats request to trigger upload to log server and return log ID. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Mihai Parparita	97b6d3e917	sockstats: remove per-interface stats from Get They're not needed for the sockstats logger, and they're somewhat expensive to return (since they involve the creation of a map per label). We now have a separate GetInterfaces() method that returns them instead (which we can still use in the PeerAPI debug endpoint). If changing sockstatlog to sample at 10,000 Hz (instead of the default of 10Hz), the CPU usage would go up to 59% on a iPhone XS. Removing the per-interface stats drops it to 20% (a no-op implementation of Get that returns a fixed value is 16%). Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Will Norris	6ef2105a8e	log/sockstatlog: only start once; don't copy ticker Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	09e0ccf4c2	ipn: add c2n endpoint for sockstats logs Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	a1d9f65354	ipn,log: add logger for sockstat deltas Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Melanie Warrick <warrick@tailscale.com>	1 year ago
Mihai Parparita	b64d78d58f	sockstats: refactor validation to be opt-in Followup to #7499 to make validation a separate function ( GetWithValidation vs. Get). This way callers that don't need it don't pay the cost of a syscall per active TCP socket. Also clears the conn on close, so that we don't double-count the stats. Also more consistently uses Go doc comments for the exported API of the sockstats package. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Maisem Ali	1e72de6b72	ipn/ipnlocal: remove WIP restriction for Tailscale SSH on macOS It kinda works fine now on macOS with the recent fixes in `0582829` and `5787989d`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	3471fbf8dc	cmd/tailscale: surface node-key for locked out tailnet-lock peers Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Maisem Ali	b797f773c7	ipn/ipnlocal: add support for funnel in tsnet Previously the part that handled Funnel connections was not aware of any listeners that tsnet.Servers might have had open so it would check against the ServeConfig and fail. Adding a ServeConfig for a TCP proxy was also not suitable in this scenario as that would mean creating two different listeners and have one forward to the other, which really meant that you could not have funnel and tailnet-only listeners on the same port. This also introduces the ipn.FunnelConn as a way for users to identify whether the call is coming over funnel or not. Currently it only holds the underlying conn and the target as presented in the "Tailscale-Ingress-Target" header. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	ce99474317	all: implement preauth-key support with tailnet lock Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Mihai Parparita	f4f8ed98d9	sockstats: add validation for TCP socket stats We can use the TCP_CONNECTION_INFO getsockopt() on Darwin to get OS-collected tx/rx bytes for TCP sockets. Since this API is not available for UDP sockets (or on Linux/Android), we can't rely on it for actual stats gathering. However, we can use it to validate the stats that we collect ourselves using read/write hooks, so that we can be more confident in them. We do need additional hooks from the Go standard library (added in tailscale/go#59) to be able to collect them. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	be107f92d3	wgengine/magicsock: track per-endpoint changes in ringbuffer This change adds a ringbuffer to each magicsock endpoint that keeps a fixed set of "changes"–debug information about what updates have been made to that endpoint. Additionally, this adds a LocalAPI endpoint and associated "debug peer-status" CLI subcommand to fetch the set of changes for a given IP or hostname. Updates tailscale/corp#9364 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I34f726a71bddd0dfa36ec05ebafffb24f6e0516a	1 year ago
Mihai Parparita	6ac6ddbb47	sockstats: switch label to enum Makes it cheaper/simpler to persist values, and encourages reuse of labels as opposed to generating an arbitrary number. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	df2561f6a2	ipn/ipnlocal: stop netmap expiry timer when resetting control client This prevents a panic where we synthesize a new netmap in setClientStatus after we've shut down and nil'd out the controlclient, since that function expects to be called while connected to control. Fixes #7392 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib631eb90f34f6afa008d69bbb386f70da145e102	1 year ago
Maisem Ali	1a30b2d73f	all: use tstest.Replace more Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	a9c17dbf93	ipn/ipnlocal: reject unmasked routes Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic804efd24f5f536de1f2c910de3a24372d48d54d	1 year ago
Tom DNetto	88c7d19d54	tka: compact TKA storage on startup Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	e2d652ec4d	ipn,cmd/tailscale: implement resigning nodes on tka key removal Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Mihai Parparita	9cb332f0e2	sockstats: instrument networking code paths Uses the hooks added by tailscale/go#45 to instrument the reads and writes on the major code paths that do network I/O in the client. The convention is to use "<package>.<type>:<label>" as the annotation for the responsible code path. Enabled on iOS, macOS and Android only, since mobile platforms are the ones we're most interested in, and we are less sensitive to any throughput degradation due to the per-I/O callback overhead (macOS is also enabled for ease of testing during development). For now just exposed as counters on a /v0/sockstats PeerAPI endpoint. We also keep track of the current interface so that we can break out the stats by interface. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Joe Tsai	0d19f5d421	all: replace logtail.{Public,Private}ID with logid.{Public,Private}ID (#7404 ) The log ID types were moved to a separate package so that code that only depend on log ID types do not need to link in the logic for the logtail client itself. Not all code need the logtail client. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Mihai Parparita	780c56e119	ipn/ipnlocal: add delegated interface information to /interfaces PeerAPI handler Exposes the delegated interface data added by #7248 in the debug endpoint. I would have found it useful when working on that PR, and it may be handy in the future as well. Also makes the interfaces table slightly easier to parse by adding borders to it. To make then nicer-looking, the CSP was relaxed to allow inline styles. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
David Anderson	8b2ae47c31	version: unexport all vars, turn Short/Long into funcs The other formerly exported values aren't used outside the package, so just unexport them. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Mihai Parparita	fa932fefe7	net/interfaces: redo how we get the default interface on macOS and iOS With #6566 we added an external mechanism for getting the default interface, and used it on macOS and iOS (see tailscale/corp#8201). The goal was to be able to get the default physical interface even when using an exit node (in which case the routing table would say that the Tailscale utun* interface is the default). However, the external mechanism turns out to be unreliable in some cases, e.g. when multiple cellular interfaces are present/toggled (I have occasionally gotten my phone into a state where it reports the pdp_ip1 interface as the default, even though it can't actually route traffic). It was observed that `ifconfig -v` on macOS reports an "effective interface" for the Tailscale utn* interface, which seems promising. By examining the ifconfig source code, it turns out that this is done via a SIOCGIFDELEGATE ioctl syscall. Though this is a private API, it appears to have been around for a long time (e.g. it's in the 10.13 xnu release at https://opensource.apple.com/source/xnu/xnu-4570.41.2/bsd/net/if_types.h.auto.html) and thus is unlikely to go away. We can thus use this ioctl if the routing table says that a utun* interface is the default, and go back to the simpler mechanism that we had before #6566. Updates #7184 Updates #7188 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	7d204d89c2	ipn/ipnlocal: fix passthrough of formatting arguments in PeerAPI doctor output Followup to #7235, we were not treating the formatting arguments as variadic. This worked OK for single values, but stopped working when we started passing multiple values (noticed while trying out #7244). Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	6799ef838f	ipn/ipnlocal: add PeerAPI endpoint for doctor output Useful when debugging issues (e.g. to see the full routing table), and easier to refer to the output via a browser than trying to read it from the logs generated by `bugreport --diagnose`. Behind a canDebug() check, similar to the /magicsock and /interfaces endpoints. Updates #7184 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	62f4df3257	net/interfaces, net/netns: add node attributes to control default interface getting and binding With #6566 we started to more aggressively bind to the default interface on Darwin. We are seeing some reports of the wrong cellular interface being chosen on iOS. To help with the investigation, this adds to knobs to control the behavior changes: - CapabilityDebugDisableAlternateDefaultRouteInterface disables the alternate function that we use to get the default interface on macOS and iOS (implemented in tailscale/corp#8201). We still log what it would have returned so we can see if it gets things wrong. - CapabilityDebugDisableBindConnToInterface is a bigger hammer that disables binding of connections to the default interface altogether. Updates #7184 Updates #7188 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago

1 2 3 4 5 ...

604 Commits (4722f7e32283c383f397076799959e246103f02a)