tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	e1bbe1bf45	derp: document the RunWatchConnectionLoop callback gotchas Updates #13566 Change-Id: I497b5adc57f8b1b97dbc3f74c0dc67140caad436 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Brad Fitzpatrick	6f7e7a30e3	tool/gocross: make gocross-wrapper.sh keep multiple Go toolchains around So it doesn't delete and re-pull when switching between branches. Updates tailscale/corp#17686 Change-Id: Iffb989781db42fcd673c5f03dbd0ce95972ede0f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Mario Minardi	43f4131d7a	{release,version}: add DSM7.2 specific synology builds (#13405 ) Add separate builds for DSM7.2 for synology so that we can encode separate versioning information in the INFO file to distinguish between the two. Fixes https://github.com/tailscale/corp/issues/22908 Signed-off-by: Mario Minardi <mario@tailscale.com>	4 weeks ago
Andrea Gottardo	8a6f48b455	cli: add `tailscale dns query` (#13368 ) Updates tailscale/tailscale#13326 Adds a CLI subcommand to perform DNS queries using the internal DNS forwarder and observe its internals (namely, which upstream resolvers are being used). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 weeks ago
dependabot[bot]	a98f75b783	.github: Bump tibdex/github-app-token from 1.8.0 to 2.1.0 (#9529 ) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 2.1.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](`b62528385c...3beb63f4bd`) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Mario Minardi <mario@tailscale.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	4 weeks ago
Mario Minardi	05d82fb0d8	.github: pin re-actors/alls-green to latest 1.x (#13558 ) Pin re-actors/alls-green usage to latest 1.x. This was previously pointing to `@release/v2` which pulls in the latest changes from this branch as they are released, with the potential to break our workflows if a breaking change or malicious version on this stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	04bbef0e8b	.github: update and pin actions/upload-artifact to latest 4.x (#13556 ) Update and pin actions/upload-artifact usage to latest 4.x. These were previously pointing to @3 which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the @3 stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	a8bd0cb9c2	.github: update and pin actions/cache to latest 4.x (#13555 ) Update and pin actions/cache usage to latest 4.x. These were previously pointing to `@3` which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@3` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v3 and v4 is that v4 requires Node 20 which should be a non-issue where this is run. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	a3f7e72321	.github: use and pin slackapi/slack-github-action to latest 1.x (#13554 ) Use slackapi/slack-github-action across the board and pin to latest 1.x. Previously we were referencing the 1.27.0 tag directly which is vulnerable to someone replacing that version tag with malicious code. Replace usage of ruby/action-slack with slackapi/slack-github-action as the latter is the officially supported action from slack. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	22e98cf95e	.github: pin codeql actions to latest 3.x (#13552 ) Pin codeql actions usage to latest 3.x. These were previously pointing to `@2` which pulls in the latest v2 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@2` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v2 and v3 is that v3 requires Node 20 which is a non-issue as we are running this on ubuntu latest. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	2c1bbfb902	.github: pin actions/setup-go usage to latest 5.x (#13553 ) Pin actions/checkout usage to latest 5.x. These were previously pointing to `@4` which pulls in the latest v4 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@4` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v4 and v5 is that v5 requires Node 20 which should be a non-issue where it is used. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	07991dec83	.github: pin actions/checkout to latest v3 or v4 as appropriate (#13551 ) Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These were previously pointing to `@4` or `@3` which pull in the latest versions at these tags as they are released, with the potential to break our workflows if a breaking change or malicious version for either of these streams are released. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Mario Minardi	8d508712c9	tailcfg: add AcceptEnv field to SSHRule (#13523 ) Add an `AcceptEnv` field to `SSHRule`. This will contain the collection of environment variable names / patterns that are specified in the `acceptEnv` block for the SSH rule within the policy file. This will be used in the tailscale client to filter out unacceptable environment variables. Updates: https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Joe Tsai	dc86d3589c	types/views: add SliceView.All iterator (#13536 ) And convert a all relevant usages. Updates #12912 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 month ago
Brad Fitzpatrick	3e9ca6c64b	go.toolchain.rev: bump oss, test toolchain matches go.toolchain.rev Update go.toolchain.rev for https://github.com/tailscale/go/pull/104 and add a test that, when using the tailscale_go build tag, we use the right Go toolchain. We'll crank up the strictness in later commits. Updates #13527 Change-Id: Ifb09a844858be2beb144a420e4e9dbdc5c03ae3a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Tom Proctor	d0a56a8870	cmd/containerboot: split main.go (#13517 ) containerboot's main.go had grown to well over 1000 lines with lots of disparate bits of functionality. This commit is pure copy- paste to group related functionality outside of the main function into its own set of files. Everything is still in the main package to keep the diff incremental and reviewable. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 month ago
James Tucker	af5a845a87	net/dns/resolver: fix dns-sd NXDOMAIN responses from quad-100 mdnsResponder at least as of macOS Sequoia does not find NXDOMAIN responses to these dns-sd PTR queries acceptable unless they include the question section in the response. This was found debugging #13511, once we turned on additional diagnostic reporting from mdnsResponder we witnessed: ``` Received unacceptable 12-byte response from 100.100.100.100 over UDP via utun6/27 -- id: 0x7F41 (32577), flags: 0x8183 (R/Query, RD, RA, NXDomain), counts: 0/0/0/0, ``` If the response includes a question section, the resposnes are acceptable, e.g.: ``` Received acceptable 59-byte response from 8.8.8.8 over UDP via en0/17 -- id: 0x2E55 (11861), flags: 0x8183 (R/Query, RD, RA, NXDomain), counts: 1/0/0/0, ``` This may be contributing to an issue under diagnosis in #13511 wherein some combination of conditions results in mdnsResponder no longer answering DNS queries correctly to applications on the system for extended periods of time (multiple minutes), while dig against quad-100 provides correct responses for those same domains. If additional debug logging is enabled in mdnsResponder we see it reporting: ``` Penalizing server 100.100.100.100 for 60 seconds ``` It is also possible that the reason that macOS & iOS never "stopped spamming" these queries is that they have never been replied to with acceptable responses. It is not clear if this special case handling of dns-sd PTR queries was ever beneficial, and given this evidence may have always been harmful. If we subsequently observe that the queries settle down now that they have acceptable responses, we should remove these special cases - making upstream queries very occasionally isn't a lot of battery, so we should be better off having to maintain less special cases and avoid bugs of this class. Updates #2442 Updates #3025 Updates #3363 Updates #3594 Updates #13511 Signed-off-by: James Tucker <james@tailscale.com>	1 month ago
Andrea Gottardo	3a467b66b6	go/toolchain: use ed9dc37b2b000f376a3e819cbb159e2c17a2dac6 (#13507 ) Updates tailscale/tailscale#13452 Bump the Go toolchain to the latest to pick up changes required to not crash on Android 9/10. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 month ago
M. J. Fromberger	5f89c93274	safeweb: add a ListenAndServe method to the Server type (#13498 ) Updates #13497 Change-Id: I398e9fa58ad0b9dc799ea280c9c7a32150150ee4 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	1 month ago
Jordan Whited	951884b077	net/netcheck,wgengine/magicsock: plumb OnlyTCP443 controlknob through netcheck (#13491 ) Updates tailscale/corp#17879 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Fran Bull	8b962f23d1	cmd/natc: fix nil pointer Fixes #13495 Signed-off-by: Fran Bull <fran@tailscale.com>	1 month ago
Jordan Whited	5f4a4c6744	wgengine/magicsock: fix sendUDPStd docs (#13490 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Jordan Whited	4084c6186d	wgengine/magicsock: add side-effect-free function for netcheck UDP sends (#13487 ) Updates #13484 Updates tailscale/corp#17879 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Brad Fitzpatrick	8012bb4216	derp: refactor DERP server's peer-gone watch mechanism In prep for upcoming flow tracking & mutex contention optimization changes, this change refactors (subjectively simplifying) how the DERP Server accounts for which peers have written to which other peers, to be able to send PeerGoneReasonDisconnected messages to writes to uncache their DRPO (DERP Return Path Optimization) routes. Notably, this removes the Server.sentTo field which was guarded by Server.mu and checked on all packet sends. Instead, the accounting is moved to each sclient's sendLoop goroutine and now only needs to acquire Server.mu for newly seen senders, the first time a peer sends a packet to that sclient. This change reduces the number of reasons to acquire Server.mu per-packet from two to one. Removing the last one is the subject of an upcoming change. Updates #3560 Updates #150 Change-Id: Id226216d6629d61254b6bfd532887534ac38586c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
License Updater	7f1c193a83	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 month ago
Andrew Dunham	f572286bf9	gokrazy, various: use point versions of Go and update Nix deps This un-breaks vim-go (which doesn't understand "go 1.23") and allows the natlab tests to work in a Nix shell (by adding the "qemu-img" and "mkfs.ext4" binaries to the shell). These binaries are available even on macOS, as I'm testing on my M1 Max. Updates #13038 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I99f8521b5de93ea47dc33b099d5b243ffc1303da	1 month ago
Andrew Dunham	40833a7524	wgengine/magicsock: disable raw disco by default; add envknob to enable Updates #13140 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ica85b2ac8ac7eab4ec5413b212f004aecc453279	1 month ago
Mario Minardi	124ff3b034	{api.md,publicapi}: remove old API docs (#13468 ) Now that we have our API docs hosted at https://tailscale.com/api we can remove the previous (and now outdated) markdown based docs. The top level api.md has been left with the only content being the redirect to the new docs. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Jordan Whited	afec2d41b4	wgengine/magicsock: remove redundant deadline from netcheck report call (#13395 ) netcheck.Client.GetReport() applies its own deadlines. This 2s deadline was causing GetReport() to never fall back to HTTPS/ICMP measurements as it was shorter than netcheck.stunProbeTimeout, leaving no time for fallbacks. Updates #13394 Updates #6187 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Mario Minardi	93f61aa4cc	tailcfg: add node attr for SSH environment variables (#13450 ) Add a node attr for enabling SSH environment variable handling logic. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 month ago
Brad Fitzpatrick	aa15a63651	derp: add new concurrent server benchmark In prep for reducing mutex contention on Server.mu. Updates #3560 Change-Id: Ie95e7c6dc9f4b64b6f79b3b2338f8cd86c688d98 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
kari-ts	3bee38d50f	VERSION.txt: this is v1.75.0 (#13454 ) Signed-off-by: kari-ts <kari@tailscale.com>	1 month ago
Brad Fitzpatrick	cec779e771	util/slicesx: add FirstElementEqual and LastElementEqual And update a few callers as examples of motivation. (there are a couple others, but these are the ones where it's prettier) Updates #cleanup Change-Id: Ic8c5cb7af0a59c6e790a599136b591ebe16d38eb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	910462a8e0	derp: unify server's clientSet interface into concrete type `73280595a8` for #2751 added a "clientSet" interface to distinguish the two cases of a client being singly connected (the common case) vs tolerating multiple connections from the client at once. At the time (three years ago) it was kinda an experiment and we didn't know whether it'd stop the reconnect floods we saw from certain clients. It did. So this promotes it to a be first-class thing a bit, removing the interface. The old tests from `73280595a` were invaluable in ensuring correctness while writing this change (they failed a bunch). But the real motivation for this change is that it'll permit a future optimization to add flow tracking for stats & performance where we don't contend on Server.mu for each packet sent via DERP. Instead, each client can track its active flows and hold on to a *clientSet and ask the clientSet per packet what the active client is via one atomic load rather than a mutex. And if the atomic load returns nil, we'll know we need to ask the server to see if they died and reconnected and got a new clientSet. But that's all coming later. Updates #3560 Change-Id: I9ccda3e5381226563b5ec171ceeacf5c210e1faf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Maisem Ali	f2713b663e	.github: enable fuzz testing again (go1.23) Updates #12912 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 month ago
Maisem Ali	4d6a8224d5	util/linuxfw: fall back to nftables when iptables not found When the desired netfilter mode was unset, we would always try to use the `iptables` binary. In such cases if iptables was not found, tailscaled would just crash as seen in #13440. To work around this, in those cases check if the `iptables` binary even exists and if it doesn't fall back to the nftables implementation. Verified that it works on stock Ubuntu 24.04. Updates #5621 Updates #8555 Updates #8762 Fixes #13440 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 month ago
Tom Proctor	98f4dd9857	cmd/k8s-operator,k8s-operator,kube: Add TSRecorder CRD + controller (#13299 ) cmd/k8s-operator,k8s-operator,kube: Add TSRecorder CRD + controller Deploys tsrecorder images to the operator's cluster. S3 storage is configured via environment variables from a k8s Secret. Currently only supports a single tsrecorder replica, but I've tried to take early steps towards supporting multiple replicas by e.g. having a separate secret for auth and state storage. Example CR: ```yaml apiVersion: tailscale.com/v1alpha1 kind: Recorder metadata: name: rec spec: enableUI: true ``` Updates #13298 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 month ago
Brad Fitzpatrick	9f9470fc10	ipnlocal,proxymap,wgengine/netstack: add optional WhoIs/proxymap debug Updates tailscale/corp#20600 Change-Id: I2bb17af0f40603ada1ba4cecc087443e00f9392a Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Fran Bull	7d16af8d95	cmd/natc: fix nil pointer Fixes #13432 Signed-off-by: Fran Bull <fran@tailscale.com>	1 month ago
dependabot[bot]	436a0784a2	build(deps): bump ws from 8.14.2 to 8.17.1 in /client/web (#12524 ) Bumps [ws](https://github.com/websockets/ws) from 8.14.2 to 8.17.1. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](https://github.com/websockets/ws/compare/8.14.2...8.17.1) --- updated-dependencies: - dependency-name: ws dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	1 month ago
dependabot[bot]	71b550c73c	.github: Bump peter-evans/create-pull-request from 5.0.1 to 7.0.1 (#13419 ) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 7.0.1. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`284f54f989...8867c4aba1`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	1 month ago
Jordan Whited	a228d77f86	cmd/stunstamp: add protocol context to timeout logs (#13422 ) We started out with a single protocol & port, now it's many. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Andrew Dunham	0970615b1b	ipn/ipnlocal: don't program system DNS when node key is expired (#13370 ) This mimics having Tailscale in the 'Stopped' state by programming an empty DNS configuration when the current node key is expired. Updates tailscale/support-escalations#55 Change-Id: I68ff4665761fb621ed57ebf879263c2f4b911610 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 month ago
Brad Fitzpatrick	0a2e5afb26	tsnet: remove old package doc experimental warning It was scaring people. It's been pretty stable for quite some time now and we're unlikely to change the API and break people at this point. We might, but have been trying not to. Fixes tailscale/corp#22933 Change-Id: I0c3c79b57ccac979693c62ba320643a940ac947e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Irbe Krumina	209567e7a0	kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: rename packages (#13418 ) Rename kube/{types,client,api} -> kube/{kubetypes,kubeclient,kubeapi} so that we don't need to rename the package on each import to convey that it's kubernetes specific. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	d6dfb7f242	kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: split out kube types (#13417 ) Further split kube package into kube/{client,api,types}. This is so that consumers who only need constants/static types don't have to import the client and api bits. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	ecd64f6ed9	cmd/k8s-operator,kube: set app name for Kubernetes Operator proxies (#13410 ) Updates tailscale/corp#22920 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Nick Khyl	4dfde7bffc	net/dns: disable DNS registration for Tailscale interface on Windows We already disable dynamic updates by setting DisableDynamicUpdate to 1 for the Tailscale interface. However, this does not prevent non-dynamic DNS registration from happening when `ipconfig /registerdns` runs and in similar scenarios. Notably, dns/windowsManager.SetDNS runs `ipconfig /registerdns`, triggering DNS registration for all interfaces that do not explicitly disable it. In this PR, we update dns/windowsManager.disableDynamicUpdates to also set RegistrationEnabled to 0. Fixes #13411 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Irbe Krumina	2b0d0ddf5d	sessionrecording,ssh/tailssh,k8s-operator: log connected recorder address (#13382 ) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Patrick O'Doherty	7ce9c1944a	go.toolchain.rev: update to 1.23.1 (#13408 ) Update Go toolchain to 1.23.1. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	2 months ago

1 2 3 4 5 ...

8209 Commits (4ad3f01225745294474f1ae0de33e5a86824a744) All Branches Search

8209 Commits (4ad3f01225745294474f1ae0de33e5a86824a744)

All Branches