tailscale

Commit Graph

Author	SHA1	Message	Date
Adrian Dewhurst	5347e6a292	control/controlclient: support certstore without cgo We no longer build Windows releases with cgo enabled, which automatically turned off certstore support. Rather than re-enabling cgo, we updated our fork of the certstore package to no longer require cgo. This updates the package, cleans up how the feature is configured, and removes the cgo build tag requirement. Fixes tailscale/corp#14797 Fixes tailscale/coral#118 Change-Id: Iaea34340761c0431d759370532c16a48c0913374 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Sonia Appasamy	68da15516f	ipn/localapi,client/web: clean up auth error handling This commit makes two changes to the web client auth flow error handling: 1. Properly passes back the error code from the noise request from the localapi. Previously we were using io.Copy, which was always setting a 200 response status code. 2. Clean up web client browser sessions on any /wait endpoint error. This avoids the user getting in a stuck state if something goes wrong with their auth path. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	70f9c8a6ed	clientupdate: change Mac App Store support (#9891 ) In the sandboxed app from the app store, we cannot check `/Library/Preferences/com.apple.commerce.plist` or run `softwareupdate`. We can at most print a helpful message and open the app store page. Also, reenable macsys update function to mark it as supporting c2n updates. macsys support in `tailscale update` was fixed. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	eced054796	ipn/ipnlocal: close connections for removed proxy transports (#9884 ) Ensure that when a userspace proxy config is reloaded, connections for any removed proxies are safely closed Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Sonia Appasamy	1df2d14c8f	client/web: use auth ID in browser sessions Stores ID from tailcfg.WebClientAuthResponse in browser session data, and uses ID to hit control server /wait endpoint. No longer need the control url cached, so removed that from Server. Also added optional timeNow field, initially to manage time from tests. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Joe Tsai	6ada33db77	taildrop: fix theoretical race condition in fileDeleter.Init (#9876 ) It is possible that upon a cold-start, we enqueue a partial file for deletion that is resumed shortly after startup. If the file transfer happens to last longer than deleteDelay, we will delete the partial file, which is unfortunate. The client spent a long time uploading a file, only for it to be accidentally deleted. It's a very rare race, but also a frustrating one if it happens to manifest. Fix the code to only delete partial files that do not have an active puts against it. We also fix a minor bug in ResumeReader where we read b[:blockSize] instead of b[:cs.Size]. The former is the fixed size of 64KiB, while the latter is usually 64KiB, but may be less for the last block. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Andrew Lytvynov	25b6974219	ipn/ipnlocal: send ClientVersion to Apple frontends (#9887 ) Apple frontends will now understand this Notify field and handle it. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Sonia Appasamy	b4247fabec	tailcfg: add ID field to WebClientAuthResponse Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Tom DNetto	7e933a8816	appctype: move to types/appctype Having a types package at the top level was almost certainly unintentional. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: https://github.com/tailscale/corp/issues/15038	8 months ago
Tom DNetto	02908a2d8d	appc: implement app connector Server type This change refactors & moves the bulk of the app connector logic from ./cmd/sniproxy. A future change will delete the delta in sniproxy and wire it to this type. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: https://github.com/tailscale/corp/issues/15038	8 months ago
Joe Tsai	469b7cabad	cmd/tailscale: improve taildrop progress printer on Linux (#9878 ) The progress printer was buggy where it would not print correctly and some of the truncation logic was faulty. The progress printer now prints something like: go1.21.3.linux-amd64.tar.gz 21.53MiB 13.83MiB/s 33.88% ETA 00:00:03 where it shows * the number of bytes transferred so far * the rate of bytes transferred (using a 1-second half-life for an exponentially weighted average) * the progress made as a percentage * the estimated time (as calculated from the rate of bytes transferred) Other changes: * It now correctly prints the progress for very small files * It prints at a faster rate (4Hz instead of 1Hz) * It uses IEC units for byte quantities (to avoid ambiguities of "kb" being kilobits or kilobytes) Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Tyler Smalley	7a3ae39025	cmd/tailscale/cli: [serve/funnel] support omitting scheme for TCP (#9856 ) The `serve` command for TCP has always required the scheme of the target to be specified. However, when it's omitted the error message reported is misleading ``` error: failed to apply TCP serve: invalid TCP target "localhost:5900": missing port in address ``` Since we know the target is TCP, we shouldn't require it to be specified. This aligns with the changes for HTTP proxies in https://github.com/tailscale/tailscale/issues/8489 closes #9855 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Tyler Smalley	35376d52d4	cmd/tailscale/cli: [serve/funnel] provide correct command for disabling (#9859 ) The `off` subcommand removes a serve/funnel for the corresponding type and port. Previously, we were not providing this which would result in an error if someone was using something than the default https=443. closes #9858 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Irbe Krumina	f09cb45f9d	ipn/ipnlocal: initiate proxy transport once (#9883 ) Initiates http/h2c transport for userspace proxy backend lazily and at most once. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Sonia Appasamy	73bbf941f8	client/web: hook up auth flow Connects serveTailscaleAuth to the localapi webclient endpoint and pipes auth URLs and session cookies back to the browser to redirect users from the frontend. All behind debug flags for now. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	09b5bb3e55	ipn/ipnlocal: proxy gRPC requests over h2c if needed. (#9847 ) Updates userspace proxy to detect plaintext grpc requests using the preconfigured host prefix and request's content type header and ensure that these will be proxied over h2c. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Jordan Whited	891d964bd4	wgengine/magicsock: simplify tryEnableUDPOffload() (#9872 ) Don't assume Linux lacks UDP_GRO support if it lacks UDP_SEGMENT support. This mirrors a similar change in wireguard/wireguard-go@177caa7 for consistency sake. We haven't found any issues here, just being overly paranoid. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Joe Tsai	d603d18956	taildrop: fix TestResume (#9874 ) Previously, the test simply relied on: defer close() to cleanup file handles. This works fine on Unix-based systems, but not on Windows, which dislikes deleting files where an open file handle continues to exist. Fix the test by explicitly closing the file handle after we are done with the resource. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Brad Fitzpatrick	cf27761265	cmd/tsconnect/wasm: add missing tstun.Wrapper.Start call It's required as of the recent `5297bd2cff`. Updates #7894 Updates #9394 (sure would be nice) Change-Id: Id6672408dd8a6c82dba71022c8763e589d789fcd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Joe Tsai	cb00eac850	taildrop: disable TestResume (#9873 ) This test is currently failing on Windows. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Joe Tsai	674beabc73	syncs: add Map.LoadFunc (#9869 ) The LoadFunc loads a value and calls a user-provided function. The utility of this method is to ensure that the map lock is held while executing user-provided logic. This allows us to solve TOCTOU bugs that would be nearly imposible to the solve without this API. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
James Tucker	afb72ecd73	.github/workflows: update golangci-lint Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Sonia Appasamy	851536044a	client/web: add tests for authorizeRequest Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Maisem Ali	c3a8e63100	util/linuxfw: add additional nftable detection logic We were previously using the netlink API to see if there are chains/rules that already exist. This works fine in environments where there is either full nftable support or no support at all. However, we have identified certain environments which have partial nftable support and the only feasible way of detecting such an environment is to try to create some of the chains that we need. This adds a check to create a dummy postrouting chain which is immediately deleted. The goal of the check is to ensure we are able to use nftables and that it won't error out later. This check is only done in the path where we detected that the system has no preexisting nftable rules. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	b47cf04624	util/linuxfw: fix broken tests These tests were broken at HEAD. CI currently does not run these as root, will figure out how to do that in a followup. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Joe Tsai	a8fbe284b2	taildrop: fix theoretical race condition (#9866 ) WaitGroup.Wait should not be concurrently called WaitGroup.Add. In other words, we should not start new goroutines after shutodwn is called. Thus, add a conditional to check that shutdown has not been called before starting off a new waitAndDelete goroutine. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
License Updater	756a4c43b6	licenses: update win/apple licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	8 months ago
Joe Tsai	3f27087e9d	taildrop: switch hashing to be streaming based (#9861 ) While the previous logic was correct, it did not perform well. Resuming is a dance between the client and server, where 1. the client requests hashes for a partial file, 2. the server then computes those hashes, 3. the client computes hashes locally and compares them. 4. goto 1 while the partial file still has data While step 2 is running, the client is sitting idle. While step 3 is running, the server is sitting idle. By streaming over the block hash immediately after the server computes it, the client can start checking the hash, while the server works on the next hash (in a pipelined manner). This performs dramatically better and also uses less memory as we don't need to hold a list of hashes, but only need to handle one hash at a time. There are two detriments to this approach: * The HTTP API relies on a JSON stream, which is not a standard REST-like pattern. However, since we implement both client and server, this is fine. * While the stream is on-going, we hold an open file handle on the server side while the file is being hashed. On really slow streams, this could hold a file open forever. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Joe Tsai	7971333603	ipn: fix localapi and peerapi protocol for taildrop resume (#9860 ) Minor fixes: * The branch for listing or hashing partial files was inverted. * The host for peerapi call needs to be real (rather than bogus). * Handle remote peers that don't support resuming. * Make resume failures non-fatal (since we can still continue). This was tested locally, end-to-end system test is future work. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Andrew Lytvynov	77127a2494	clientupdate: fix background install for linux tarballs (#9852 ) Two bug fixes: 1. when tailscale update is executed as root, `os.UserCacheDir` may return an error because `$XDG_CACHE_HOME` and `$HOME` are not set; fallback to `os.TempDir` in those cases 2. on some weird distros (like my EndeavourOS), `/usr/sbin` is just a symlink to `/usr/bin`; when we resolve `tailscale` binary path from `tailscaled`, allow `tailscaled` to be in either directory Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Sonia Appasamy	c27870e160	client/web: refactor authorizeRequest Moves request authorization back into Server.serve to be run at the start of any request. Fixes Synology unstable track bug where client would get stuck unable to auth due to not rendering the Synology redirect auth html on index.html load. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Joe Tsai	c2a551469c	taildrop: implement asynchronous file deletion (#9844 ) File resumption requires keeping partial files around for some time, but we must still eventually delete them if never resumed. Thus, we implement asynchronous file deletion, which could spawn a background goroutine to delete the files. We also use the same mechanism for deleting files on Windows, where a file can't be deleted if there is still an open file handle. We can enqueue those with the asynchronous file deleter as well. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Andrew Lytvynov	33bb2bbfe9	tailcfg,cmd/tailscale: add UrgentSecurityUpdate flag to ClientVersion (#9848 ) This flag is used in clients to surface urgent updates more prominently. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	cac290da87	cmd/k8s-operator: users can configure firewall mode for kube operator proxies (#9769 ) * cmd/k8s-operator: users can configure operator to set firewall mode for proxies Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service. Updates tailscale/tailscale#9310 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Tyler Smalley	ddb2a6eb8d	cmd/tailscale: promote new serve/funnel CLI to be default (#9833 ) The change is being kept to a minimum to make a revert easy if necessary. After the release, we will go back for a final cleanup. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Maisem Ali	f53c3be07c	cmd/k8s-operator: use our own container image instead of busybox We already have sysctl in the `tailscale/tailscale` image, just use that. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Brad Fitzpatrick	1fc3573446	ipn/{conffile,ipnlocal}: start booting tailscaled from a config file w/ auth key Updates #1412 Change-Id: Icd880035a31df59797b8379f4af19da5c4c453e2 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	6ca8650c7b	tstest/tstest: add t.Parallel that can be disabled by TS_SERIAL_TESTS=true Updates #9841 Change-Id: I1b8f4d6e34ac8540e3b0455a7c79bd400e2721b7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	4dec0c6eb9	tstest, tstest/integration, github/workflows: shard integration tests Over four jobs for now. Updates #cleanup Change-Id: Ic2b1a739a454916893945a3f9efc480d6fcbd70b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Maisem Ali	e6ab7d3c14	cmd/testwrapper: parse args better Previously we were just smushing together args and not trying to parse the values at all. This resulted in the args to testwrapper being limited and confusing. This makes it so that testwrapper parses flags in the exact format as `go test` command and passes them down in the provided order. It uses tesing.Init to register flags that `go test` understands, however those are not the only flags understood by `go test` (such as `-exec`) so we register these separately. Updates tailscale/corp#14975 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Rhea Ghosh	9d3c6bf52e	ipn/ipnlocal/peerapi: refactoring taildrop to just one endpoint (#9832 ) Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Maisem Ali	4899c2c1f4	cmd/containerboot: revert to using tailscale up This partially reverts commits `a61a9ab087` and `7538f38671` and fully reverts `4823a7e591`. The goal of that commit was to reapply known config whenever the container restarts. However, that already happens when TS_AUTH_ONCE was false (the default back then). So we only had to selectively reapply the config if TS_AUTH_ONCE is true, this does exactly that. This is a little sad that we have to revert to `tailscale up`, but it fixes the backwards incompatibility problem. Updates tailscale/tailscale#9539 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Andrew Lytvynov	b949e208bb	ipn/ipnlocal: fix AllowsUpdate disable after enable (#9827 ) The old code would always retain value `true` if it was set once, even if you then change `prefs.AutoUpdate.Apply` to `false`. Instead of using the previous value, use the default (envknob) value to OR with. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Brad Fitzpatrick	18bd98d35b	cmd/tailscaled,*: add start of configuration file support Updates #1412 Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Rhea Ghosh	71271e41d6	ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798 ) This change: * adds a partial files peerAPI endpoint to get a list of partial files * adds a helper function to extract the basename of a file * updates the peer put peerAPI endpoint * updates the file put localapi endpoint to allow resume functionality Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Brad Fitzpatrick	95faefd1f6	net/dnsfallback: disable recursive resolver for now It seems to be implicated in a CPU consumption bug that's not yet understood. Disable it until we understand. Updates tailscale/corp#15261 Change-Id: Ia6d0c310da6464dda79a70fc3c18be0782812d3f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Andrew Lytvynov	8a5b02133d	clientupdate: return ErrUnsupported for macSys clients (#9793 ) The Sparkle-based update is not quite working yet. Make `NewUpdater` return `ErrUnsupported` for it to avoid the proliferation of exceptions up the stack. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Flakes Updater	51078b6486	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	8 months ago
Brad Fitzpatrick	7fd6cc3caa	go.mod: bump alexbrainman/sspi For https://github.com/alexbrainman/sspi/pull/13 Fixes #9131 (hopefully) Change-Id: I27bb00bbf5e03850f65f18c45f15c4441cc54b23 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Sonia Appasamy	feabb34ea0	ipn/localapi: add debug-web-client endpoint Debug endpoint for the web client's auth flow to talk back to the control server. Restricted behind a feature flag on control. We will either be removing this debug endpoint, or renaming it before launching the web client updates. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago

1 2 3 4 5 ...

6563 Commits (5347e6a292506ea35ab3988f7bb5d56f614cd9db) All Branches Search

6563 Commits (5347e6a292506ea35ab3988f7bb5d56f614cd9db)

All Branches