tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	585248ec5d	net/dnscache: fix case where Resolver could return zero IP with single IPv6 address The controlhttp dialer with a ControlDialPlan IPv6 entry was hitting a case where the dnscache Resolver was returning an netip.Addr zero value, where it should've been returning the IPv6 address. We then tried to dial "invalid IP:80", which would immediately fail, at least locally. Mostly this was causing spammy logs when debugging other stuff. Updates tailscale/corp#32534 Change-Id: If8b9a20f10c1a6aa8a662c324151d987fe9bd2f8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `1b6bc37f28`)	3 months ago
Brad Fitzpatrick	a5e69bcb97	ipn/ipnauth: don't crash on OpenBSD trying to log username of unknown peer We never implemented the peercred package on OpenBSD (and I just tried again and failed), but we've always documented that the creds pointer can be nil for operating systems where we can't map the unix socket back to its UID. On those platforms, we set the default unix socket permissions such that only the admin can open it anyway and we don't have a read-only vs read-write distinction. OpenBSD was always in that camp, where any access to Tailscale's unix socket meant full access. But during some refactoring, we broke OpenBSD in that we started assuming during one logging path (during login) that Creds was non-nil when looking up an ipnauth.Actor's username, which wasn't relevant (it was called from a function "maybeUsernameOf" anyway, which threw away errors). Verified on an OpenBSD VM. We don't have any OpenBSD integration tests yet. Fixes #17209 Updates #17221 (cherry picked from commit `8ec07b5f7f`, without the one semantic change, limiting it to just the safest part of the fix) Change-Id: I473c5903dfaa645694bcc75e7f5d484f3dd6044d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Will Hannah	912a84eadc	VERSION.txt: this is v1.88.2 Signed-off-by: Will Hannah <willh@tailscale.com>	4 months ago
David Bond	5a56942b43	k8s-operator: reset service status before append (#17120 ) (#17137 ) This commit fixes an issue within the service reconciler where we end up in a constant reconciliation loop. When reconciling, the loadbalancer status is appended to but not reset between each reconciliation, leading to an ever growing slice of duplicate statuses. Fixes https://github.com/tailscale/tailscale/issues/17105 Fixes https://github.com/tailscale/tailscale/issues/17107 (cherry picked from commit `782c16c513`) Signed-off-by: David Bond <davidsbond93@gmail.com>	4 months ago
Will Hannah	0d95d67a80	VERSION.txt: this is v1.88.1 Signed-off-by: Will Hannah <willh@tailscale.com>	4 months ago
Will Hannah	8431e98ed5	VERSION.txt: this is v1.88.0 Signed-off-by: Will Hannah <willh@tailscale.com>	4 months ago
Jordan Whited	fb9d9ba86e	wgengine/magicsock: add TS_DEBUG_NEVER_DIRECT_UDP debug knob (#17094 ) Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	32bfd72752	tstest/integration/testcontrol: propagate CapVer (#17093 ) To support integration testing of client features that rely on it, e.g. peer relay. Updates tailscale/corp#30903 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	6feb6f3c75	wgengine/magicsock: add relayManager event logs (#17091 ) These are gated behind magicsock component debug logging. Updates tailscale/corp#30818 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Tom Proctor	1ec3d20d10	cmd/k8s-operator: simplify scope of e2e tests (#17076 ) Removes ACL edits from e2e tests in favour of trying to simplify the tests and separate the actual test logic from the environment setup logic as much as possible. Also aims to fit in with the requirements that will generally be filled anyway for most devs working on the operator; in particular using tags that fit in with our documentation. Updates tailscale/corp#32085 Change-Id: I7659246e39ec0b7bcc4ec0a00c6310f25fe6fac2 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Jordan Whited	2d9d869d3d	wgengine/magicsock: fix debug disco printing of alloc resp disco keys (#17087 ) Updates tailscale/corp#30818 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	09bfee2e06	disco: add missing message types to MessageSummary (#17081 ) Updates tailscale/corp#30818 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
nikiUppal-TS	88d7db33da	cmd/tailscale: use tailnet display name on cli (#17079 ) Updates cli to use tailnet display name Updates tailscale/corp#32108 Signed-off-by: nikiUppal-TS <nikita@tailscale.com>	4 months ago
Nick O'Neill	77250a301a	ipn/ipnlocal, types: plumb tailnet display name cap through to network profile (#17045 ) Updates tailscale/corp#30456 Signed-off-by: Nick O'Neill <nick@tailscale.com>	4 months ago
Brad Fitzpatrick	f1ded84454	cmd/tailscaled: add disabled debug file to force reflect for binary size experiments This adds a file that's not compiled by default that exists just to make it easier to do binary size checks, probing what a binary would be like if it included reflect methods (as used by html/template, etc). As an example, once tailscaled uses reflect.Type.MethodByName(non-const-string) anywhere, the build jumps up by 14.5 MB: $ GOOS=linux GOARCH=amd64 ./tool/go build -tags=ts_include_cli,ts_omit_webclient,ts_omit_systray,ts_omit_debugeventbus -o before ./cmd/tailscaled $ GOOS=linux GOARCH=amd64 ./tool/go build -tags=ts_include_cli,ts_omit_webclient,ts_omit_systray,ts_omit_debugeventbus,ts_debug_forcereflect -o after ./cmd/tailscaled $ ls -l before after -rwxr-xr-x@ 1 bradfitz staff 41011861 Sep 9 07:28 before -rwxr-xr-x@ 1 bradfitz staff 55610948 Sep 9 07:29 after This is particularly pronounced with large deps like the AWS SDK. If you compare using ts_omit_aws: -rwxr-xr-x@ 1 bradfitz staff 38284771 Sep 9 07:40 no-aws-no-reflect -rwxr-xr-x@ 1 bradfitz staff 45546491 Sep 9 07:41 no-aws-with-reflect That means adding AWS to a non-reflect binary adds 2.7 MB but adding AWS to a reflect binary adds 10 MB. Updates #17063 Updates #12614 Change-Id: I18e9b77c9cf33565ce5bba65ac5584fa9433f7fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Alex Chan	f4ae81e015	tsnet: remove APIClient() which is deprecated and now unused (#17073 ) Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com>	4 months ago
Brad Fitzpatrick	3e4b0c1516	cmd/tailscale, ipn/ipnlocal: add ts_omit_webclient Fixes #17063 Updates #12614 Change-Id: I0a189f6a4d1c4558351e3195839867725774fa96 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	ffc82ad820	util/eventbus: add ts_omit_debugeventbus Updates #17063 Change-Id: Ibc98dd2088f82c829effa71f72f3e2a5abda5038 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	6f9f190f4d	go.toolchain.rev: bump to Go 1.25.1 Updates #17064 Change-Id: Ibbca837e0921fe9f82fc931dde8bb51b017e4e48 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
License Updater	2da52dce7a	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	4 months ago
Alex Chan	71cb6d4cbd	cmd/tailscale/cli, derp: use client/local instead of deprecated client/tailscale (#17061 ) * cmd/tailscale/cli: use client/local instead of deprecated client/tailscale Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com> * derp: use client/local instead of deprecated client/tailscale Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com> --------- Signed-off-by: Alex Chan <alexc@tailscale.com>	4 months ago
Brad Fitzpatrick	1cb855fb36	util/expvarx: deflake TestSafeFuncHappyPath with synctest I probably could've deflaked this without synctest, but might as well use it now that Go 1.25 has it. Fixes #15348 Change-Id: I81c9253fcb7eada079f3e943ab5f1e29ba8e8e31 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Alex Chan	14adf5b717	utils/expvarx, tstest/integration: mark two tests as known flaky (#17052 ) * utils/expvarx: mark TestSafeFuncHappyPath as known flaky Updates #15348 Signed-off-by: Alex Chan <alexc@tailscale.com> * tstest/integration: mark TestCollectPanic as known flaky Updates #15865 Signed-off-by: Alex Chan <alexc@tailscale.com> --------- Signed-off-by: Alex Chan <alexc@tailscale.com>	4 months ago
Alex Chan	ff8900583c	cmd/tailscale/cli: fix the spelling of "routes" (#17039 ) Updates #cleanup Signed-off-by: Alex Chan <alexc@tailscale.com>	4 months ago
Anton Tolchanov	ed6aa50bd5	prober: include current probe results in run-probe text response It was a bit confusing that provided history did not include the current probe results. Updates tailscale/corp#20583 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	4 months ago
James Tucker	a29545e9cc	wgengine/magicsock: log the peer failing disco writes are intended for Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Mike O'Driscoll	23297da10d	cmd/tailscale/cli: add new line for set --webclient (#17043 ) Fixes #17042 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	4 months ago
James Sanderson	046b8830c7	ipn/ipnlocal: add state change test for key expiry Updates tailscale/corp#31478 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	4 months ago
Brad Fitzpatrick	46369f06af	util/syspolicy/policyclient: always use no-op policyclient in tests by default We should never use the real syspolicy implementation in tests by default. (the machine's configuration shouldn't affect tests) You either specify a test policy, or you get a no-op one. Updates #16998 Change-Id: I3350d392aad11573a5ad7caab919bb3bbaecb225 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	b034f7cca9	ipn/ipnlocal, util/syspolicy: convert last RegisterWellKnownSettingsForTest caller, remove Updates #16998 Change-Id: I735d75129a97a929092e9075107e41cdade18944 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
David Bond	624cdd2961	cmd/containerboot: do not reset state on non-existant secret (#17021 ) This commit modifies containerboot's state reset process to handle the state secret not existing. During other parts of the boot process we gracefully handle the state secret not being created yet, but missed that check within `resetContainerbootState` Fixes https://github.com/tailscale/tailscale/issues/16804 Signed-off-by: David Bond <davidsbond93@gmail.com>	4 months ago
Brad Fitzpatrick	d8ac539bf9	util/syspolicy: remove handler, other dead code Fixes #17022 Change-Id: I6a0f6488ae3ea75c5844dfcba68e1e8024e930be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
David Bond	04f00339b6	cmd/k8s-operator: update connector example (#17020 ) This commit modifies the connector example to use the new hostname prefix and replicas fields Signed-off-by: David Bond <davidsbond93@gmail.com>	4 months ago
Jonathan Nobels	a2f2ac6ba1	ipn/local: fix deadlock in initial suggested exit node query (#17025 ) updates tailscale/corp#26369 b.mu is locked here. We need to use suggestExitNodeLocked. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	4 months ago
Craig Hesling	2b9d055101	drive: fix StatCache mishandling of paths with spaces Fix "file not found" errors when WebDAV clients access files/dirs inside directories with spaces. The issue occurred because StatCache was mixing URL-escaped and unescaped paths, causing cache key mismatches. Specifically, StatCache.set() parsed WebDAV responses containing URL-escaped paths (ex. "Dir%20Space/file1.txt") and stored them alongside unescaped cache keys (ex. "Dir Space/file1.txt"). This mismatch prevented StatCache.get() from correctly determining whether a child file existed. See https://github.com/tailscale/tailscale/issues/13632#issuecomment-3243522449 for the full explanation of the issue. The decision to keep all paths references unescaped inside the StatCache is consistent with net/http.Request.URL.Path and rewrite.go (sole consumer) Update unit test to detect this directory space mishandling. Fixes tailscale#13632 Signed-off-by: Craig Hesling <craig@hesling.com>	4 months ago
Brad Fitzpatrick	0f3598b467	util/syspolicy: delete some unused code in handler.go There's a TODO to delete all of handler.go, but part of it's still used in another repo. But this deletes some. Updates #17022 Change-Id: Ic5a8a5a694ca258440307436731cd92b45ee2d21 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Alex Chan	c9f214e503	ipn: warn about self as the exit node if backend is running (#17018 ) Before: $ tailscale ip -4 1.2.3.4 $ tailscale set --exit-node=1.2.3.4 no node found in netmap with IP 1.2.3.4 After: $ tailscale set --exit-node=1.2.3.4 cannot use 1.2.3.4 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node? The new error message already existed in the code, but would only be triggered if the backend wasn't running -- which means, in practice, it would almost never be triggered. The old error message is technically true, but could be confusing if you don't know the distinction between "netmap" and "tailnet" -- it could sound like the exit node isn't part of your tailnet. A node is never in its own netmap, but it is part of your tailnet. This error confused me when I was doing some local dev work, and it's confused customers before (e.g. #7513). Using the more specific error message should reduce confusion. Updates #7513 Updates https://github.com/tailscale/corp/issues/23596 Signed-off-by: Alex Chan <alexc@tailscale.com>	4 months ago
Brad Fitzpatrick	d06d9007a6	ipn/ipnlocal: convert more tests to use policytest, de-global-ify Now that we have policytest and the policyclient.Client interface, we can de-global-ify many of the tests, letting them run concurrently with each other, and just removing global variable complexity. This does ~half of the LocalBackend ones. Updates #16998 Change-Id: Iece754e1ef4e49744ccd967fa83629d0dca6f66a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	21f21bd2a2	util/syspolicy: finish adding ts_omit_syspolicy build tags, tests Fixes #16998 Updates #12614 Change-Id: Idf2b1657898111df4be31f356091b2376d0d7f0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	24b8a57b1e	util/syspolicy/policytest: move policy test helper to its own package Updates #16998 Updates #12614 Change-Id: I9fd27d653ebee547951705dc5597481e85b60747 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	2b3e533048	util/syspolicy: finish plumbing policyclient, add feature/syspolicy, move global impl This is step 4 of making syspolicy a build-time feature. This adds a policyclient.Get() accessor to return the correct implementation to use: either the real one, or the no-op one. (A third type, a static one for testing, also exists, so in general a policyclient.Client should be plumbed around and not always fetched via policyclient.Get whenever possible, especially if tests need to use alternate syspolicy) Updates #16998 Updates #12614 Change-Id: Iaf19670744a596d5918acfa744f5db4564272978 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
M. J. Fromberger	9e9bf13063	ipn/ipnlocal: revert some locking changes ahead of release branch cut (#17011 )	4 months ago
Brad Fitzpatrick	0d23490e1a	ipn/ipnlocal: simplify a test with a new simpler syspolicy client test type Less indirection. Updates #16998 Updates #12614 Change-Id: I5a3a3c3f3b195486b2731ec002d2532337b3d211 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	1ca4ae598a	ipn/ipnlocal: use policyclient.Client always, stop using global syspolicy funcs Step 4 of N. See earlier commits in the series (via the issue) for the plan. This adds the missing methods to policyclient.Client and then uses it everywhere in ipn/ipnlocal and locks it in with a new dep test. Still plenty of users of the global syspolicy elsewhere in the tree, but this is a lot of them. Updates #16998 Updates #12614 Change-Id: I25b136539ae1eedbcba80124de842970db0ca314 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Brad Fitzpatrick	2434bc69fc	util/syspolicy/{setting,ptype}: move PreferenceOption and Visibility to new leaf package Step 3 in the series. See earlier `cc532efc20` and `d05e6dc09e`. This step moves some types into a new leaf "ptype" package out of the big "settings" package. The policyclient.Client will later get new methods to return those things (as well as Duration and Uint64, which weren't done at the time of the earlier prototype). Updates #16998 Updates #12614 Change-Id: I4d72d8079de3b5351ed602eaa72863372bd474a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Percy Wegmann	42a215e12a	cmd/tailscale/cli: prompt for y/n when attempting risky action Previously, when attempting a risky action, the CLI printed a 5 second countdown saying "Continuing in 5 seconds...". When the countdown finished, the CLI aborted rather than continuing. To avoid confusion, but also avoid accidentally continuing if someone (or an automated process) fails to manually abort within the countdown, we now explicitly prompt for a y/n response on whether or not to continue. Updates #15445 Co-authored-by: Kot C <kot@kot.pink> Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
License Updater	dbc54addd0	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	4 months ago
nikiUppal-TS	0f5d3969ca	tailcfg: add tailnet display name field (#16907 ) Updates the NodeCapabilities to contain Tailnet Display Name Updates tailscale/corp#30462 Signed-off-by: nikiUppal-TS <nikita@tailscale.com>	4 months ago
Brad Fitzpatrick	61d3693e61	cmd/tailscale/cli: add a debug command to force a risky action For testing risky action flows. Updates #15445 Change-Id: Id81e54678a1fe5ccedb5dd9c6542ff48c162b349 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
David Bond	12ad630128	cmd/k8s-operator: allow specifying replicas for connectors (#16721 ) This commit adds a `replicas` field to the `Connector` custom resource that allows users to specify the number of desired replicas deployed for their connectors. This allows users to deploy exit nodes, subnet routers and app connectors in a highly available fashion. Fixes #14020 Signed-off-by: David Bond <davidsbond93@gmail.com>	4 months ago

1 2 3 4 5 ...

9508 Commits (585248ec5db129a15f9f615c6b3eaf5efe5d31a7) All Branches Search

9508 Commits (585248ec5db129a15f9f615c6b3eaf5efe5d31a7)

All Branches