tailscale

Commit Graph

Author	SHA1	Message	Date
Shayne Sweeney	47ebe6f956	VERSION.txt: this is v1.38.3 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	c750186830	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	d7bbd4fe03	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
shayne	ac0c0b081d	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Maisem Ali	068ed7dbfa	ipn/ipnlocal: use atomicfile.WriteFile in certFileStore Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `9e81db50f6`)	1 year ago
Maisem Ali	26bf7c4dbe	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `8a11f76a0d`)	1 year ago
Maisem Ali	d47b74e461	ipn/ipnlocal: also store ACME keys in the certStore We were not storing the ACME keys in the state store, they would always be stored on disk. Updates #7588 Signed-off-by: Maisem Ali <maisem@tailscale.com> (cherry picked from commit `ec90522a53`)	1 year ago
Denton Gentry	3db61d07ca	VERSION.txt: this is v1.38.2 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Mihai Parparita	817aa282c2	net/sockstats: export cellular-only clientmetrics Followup to #7518 to also export client metrics when the active interface is cellular. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com> (cherry picked from commit `d2dec13392`)	1 year ago
Andrew Dunham	d00c046b72	ssh/tailssh: fix privilege dropping on FreeBSD; add tests On FreeBSD and Darwin, changing a process's supplementary groups with setgroups(2) will also change the egid of the process, setting it to the first entry in the provided list. This is distinct from the behaviour on other platforms (and possibly a violation of the POSIX standard). Because of this, on FreeBSD with no TTY, our incubator code would previously not change the process's gid, because it would read the newly-changed egid, compare it against the expected egid, and since they matched, not change the gid. Because we didn't use the 'login' program on FreeBSD without a TTY, this would propagate to a child process. This could be observed by running "id -p" in two contexts. The expected output, and the output returned when running from a SSH shell, is: andrew@freebsd:~ $ id -p uid andrew groups andrew However, when run via "ssh andrew@freebsd id -p", the output would be: $ ssh andrew@freebsd id -p login root uid andrew rgid wheel groups andrew (this could also be observed via "id -g -r" to print just the gid) We fix this by pulling the details of privilege dropping out into their own function and prepending the expected gid to the start of the list on Darwin and FreeBSD. Finally, we add some tests that run a child process, drop privileges, and assert that the final UID/GID/additional groups are what we expect. More information can be found in the following article: https://www.usenix.org/system/files/login/articles/325-tsafrir.pdf Updates #7616 Alternative to #7609 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0e6513c31b121108b50fe561c89e5816d84a45b9 (cherry picked from commit `ccace1f7df`)	1 year ago
Tom DNetto	aad01c81b1	cmd/tailscale/cli: move tskey-wrap functionality under lock sign Signed-off-by: Tom DNetto <tom@tailscale.com> (cherry picked from commit `60cd4ac08d`)	1 year ago
Denton Gentry	fd558e2e68	net/interfaces: also allow link-local for AzureAppServices. In May 2021, Azure App Services used 172.16.x.x addresses: ``` 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 02:42:ac:10:01:03 brd ff:ff:ff:ff:ff:ff inet 172.16.1.3/24 brd 172.16.1.255 scope global eth0 valid_lft forever preferred_lft forever ``` Now it uses link-local: ``` 2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 8a:30:1f:50:1d:23 brd ff:ff:ff:ff:ff:ff inet 169.254.129.3/24 brd 169.254.129.255 scope global eth0 valid_lft forever preferred_lft forever ``` This is reasonable for them to choose to do, it just broke the handling in net/interfaces. This PR proposes to: 1. Always allow link-local in LocalAddresses() if we have no better address available. 2. Continue to make isUsableV4() conditional on an environment we know requires it. I don't love the idea of having to discover these environments one by one, but I don't understand the consequences of making isUsableV4() return true unconditionally. It makes isUsableV4() essentially always return true and perform no function. Fixes https://github.com/tailscale/tailscale/issues/7603 Signed-off-by: Denton Gentry <dgentry@tailscale.com> (cherry picked from commit `ebc630c6c0`)	1 year ago
Denton Gentry	3eeff9e7f7	VERSION.txt: this is v1.38.1 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
David Anderson	6c0e6a5f4e	version/mkversion: don't break on tagged go.mod entries I thought our versioning scheme would make go.mod include a commit hash even on stable builds. I was wrong. Fortunately, the rest of this code wants anything that 'git rev-parse' understands (to convert it into a full git hash), and tags qualify. Signed-off-by: David Anderson <danderson@tailscale.com> (cherry picked from commit `9ebab961c9`)	1 year ago
Denton Gentry	10d462d321	VERSION.txt: this is v1.38.0 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
License Updater	51b0169b10	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 year ago
Maisem Ali	b4d3e2928b	tsnet: avoid deadlock on close tsnet.Server.Close was calling listener.Close with the server mutex held, but the listener close method tries to grab that mutex, resulting in a deadlock. Co-authored-by: David Crawshaw <crawshaw@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
shayne	2b892ad6e7	cmd/tailscale/cli: [serve] rework commands based on feedback (#6521 ) ``` $ tailscale serve https:<port> <mount-point> <source> [off] $ tailscale serve tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve status [--json] $ tailscale funnel <serve-port> {on\|off} $ tailscale funnel status [--json] ``` Fixes: #6674 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Will Norris	6ef2105a8e	log/sockstatlog: only start once; don't copy ticker Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Maisem Ali	8c4adde083	log/sockstatlog: also shutdown the poll goroutine Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	c87782ba9d	cmd/k8s-operator: drop trailing dot in tagged node name Also update tailcfg docs. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	09e0ccf4c2	ipn: add c2n endpoint for sockstats logs Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	a1d9f65354	ipn,log: add logger for sockstat deltas Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Melanie Warrick <warrick@tailscale.com>	1 year ago
Maisem Ali	5e8a80b845	all: replace /kb/ links with /s/ equivalents Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	558735bc63	cmd/k8s-operator: require HTTPS to be enabled for AuthProxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	489e27f085	cmd/k8s-operator: make auth proxy pass tags as Impersonate-Group We were not handling tags at all, pass them through as Impersonate-Group headers. And use the FQDN for tagged nodes as Impersonate-User. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	56526ff57f	tailcfg: bump capver for 1.38 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	09aed46d44	cmd/tailscale/cli: update docs and unhide configure Also call out Alpha. Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	223713d4a1	tailcfg,all: add and use Node.IsTagged() Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	83fa17d26c	various: pass logger.Logf through to more places Updates #7537 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id89acab70ea678c8c7ff0f44792d54c7223337c6	1 year ago
Maisem Ali	958c89470b	tsnet: add CertDomains helper (#7533 ) Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
shayne	e109cf9fdd	tsnet/tsnet: clear ipn.ServeConfig on Up for tsnet apps (#7534 ) We persist the ServeConfig, even for tsnet apps. It's quite possible for the ServeConfig to be out of step with the code. Example: If you run `ListenFunnel` then later turn it off, the ServeConfig will still show it enabled, the admin console will show it enabled, but the packet handler will reject the packets. Workaround by clearing the ServeConfig in `tsnet.Up` Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Maisem Ali	3ff44b2307	ipn: add Funnel port check from nodeAttr Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ccdd534e81	tsnet: add ListenFunnel This lets a tsnet binary share a server out over Tailscale Funnel. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Denton Gentry	047b324933	scripts/installer: add PureOS and Amazon Linux Next Fixes https://github.com/tailscale/tailscale/issues/7410 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Andrew Dunham	f0d6228c52	ipn/localapi: flesh out the 'debug derp' checks Updates #6526 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic18d9ff288b9c7b8d5ab1bd77dd59693cd776cc4	1 year ago
License Updater	920de86cee	licenses: update android licenses Signed-off-by: License Updater <noreply@tailscale.com>	1 year ago
Mihai Parparita	b64d78d58f	sockstats: refactor validation to be opt-in Followup to #7499 to make validation a separate function ( GetWithValidation vs. Get). This way callers that don't need it don't pay the cost of a syscall per active TCP socket. Also clears the conn on close, so that we don't double-count the stats. Also more consistently uses Go doc comments for the exported API of the sockstats package. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	ea81bffdeb	sockstats: export as client metrics Though not fine-grained enough to be useful for detailed analysis, we might as well export that we gather as client metrics too, since we have an upload/analysis pipeline for them. clientmetric.Metric.Add is an atomic add, so it's pretty cheap to also do per-packet. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Maisem Ali	1e72de6b72	ipn/ipnlocal: remove WIP restriction for Tailscale SSH on macOS It kinda works fine now on macOS with the recent fixes in `0582829` and `5787989d`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	92fc243755	cmd/tailscale: annotate tailnet-lock keys which wrap pre-auth keys Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	3471fbf8dc	cmd/tailscale: surface node-key for locked out tailnet-lock peers Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Maisem Ali	b797f773c7	ipn/ipnlocal: add support for funnel in tsnet Previously the part that handled Funnel connections was not aware of any listeners that tsnet.Servers might have had open so it would check against the ServeConfig and fail. Adding a ServeConfig for a TCP proxy was also not suitable in this scenario as that would mean creating two different listeners and have one forward to the other, which really meant that you could not have funnel and tailnet-only listeners on the same port. This also introduces the ipn.FunnelConn as a way for users to identify whether the call is coming over funnel or not. Currently it only holds the underlying conn and the target as presented in the "Tailscale-Ingress-Target" header. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Joe Tsai	dad78f31f3	syncs: add WaitGroup wrapper (#7481 ) The addition of WaitGroup.Go in the standard library has been repeatedly proposed and rejected. See golang/go#18022, golang/go#23538, and golang/go#39863 In summary, the argument for WaitGroup.Go is that it avoids bugs like: go func() { wg.Add(1) defer wg.Done() ... }() where the increment happens after execution (not before) and also (to a lesser degree) because: wg.Go(func() { ... }) is shorter and more readble. The argument against WaitGroup.Go is that the provided function takes no arguments and so inputs and outputs must closed over by the provided function. The most common race bug for goroutines is that the caller forgot to capture the loop iteration variable, so this pattern may make it easier to be accidentally racy. However, that is changing with golang/go#57969. In my experience the probability of race bugs due to the former still outwighs the latter, but I have no concrete evidence to prove it. The existence of errgroup.Group.Go and frequent utility of the method at least proves that this is a workable pattern and the possibility of accidental races do not appear to manifest as frequently as feared. A reason not to use errgroup.Group everywhere is that there are many situations where it doesn't make sense for the goroutine to return an error since the error is handled in a different mechanism (e.g., logged and ignored, formatted and printed to the frontend, etc.). While you can use errgroup.Group by always returning nil, the fact that you can return nil makes it easy to accidentally return an error when nothing is checking the return of group.Wait. This is not a hypothetical problem, but something that has bitten us in usages that was only using errgroup.Group without intending to use the error reporting part of it. Thus, add a (yet another) variant of WaitGroup here that is identical to sync.WaitGroup, but with an extra method. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Maisem Ali	be027a9899	control/controlclient: improve handling of concurrent lite map requests This reverts commit `6eca47b16c` and fixes forward. Previously the first ever streaming MapRequest that a client sent would also set ReadOnly to true as it didn't have any endpoints and expected/relied on the map poll to restart as soon as it got endpoints. However with `48f6c1eba4`, we would no longer restart MapRequests as frequently as we used to, so control would only ever get the first streaming MapRequest which had ReadOnly=true. Control would treat this as an uninteresting request and would not send it any further netmaps, while the client would happily stay in the map poll forever while litemap updates happened in parallel. This makes it so that we never set `ReadOnly=true` when we are doing a streaming MapRequest. This is no longer necessary either as most endpoint discovery happens over disco anyway. Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Joe Tsai	87b4bbb94f	tstime/rate: add Value (#7491 ) Add Value, which measures the rate at which an event occurs, exponentially weighted towards recent activity. It is guaranteed to occupy O(1) memory, operate in O(1) runtime, and is safe for concurrent use. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Mihai Parparita	4c2f67a1d0	net/sockstat: fix per-interface statistics not always being available withSockStats may be called before setLinkMonitor, in which case we don't have a populated knownInterfaces map. Since we pre-populate the per-interface counters at creation time, we would end up with an empty map. To mitigate this, we do an on-demand request for the list of interfaces. This would most often happen with the logtail instrumentation, since we initialize it very early on. Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Maisem Ali	e69682678f	ssh/tailssh: use context.WithCancelCause It was using a custom implmentation of the context.WithCancelCause, replace usage with stdlib. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Mihai Parparita	a2be1aabfa	logtail: remove unncessary response read Effectively reverts #249, since the server side was fixed (with #251?) to send a 200 OK/content-length 0 response. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Tom DNetto	ce99474317	all: implement preauth-key support with tailnet lock Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago

1 2 3 4 5 ...

5478 Commits (47ebe6f9560c5d20199ff7f78574fd830a60b842) All Branches Search

5478 Commits (47ebe6f9560c5d20199ff7f78574fd830a60b842)

All Branches