tailscale

Commit Graph

Author	SHA1	Message	Date
Sonia Appasamy	18280ebf7d	client/web: hook up data fetching to fill --dev React UI Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	f101a75dce	cmd/tailscale/cli: fix comment accuracy All exit nodes are shown under this subcommand. Updates tailscale/corp#13025 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Brad Fitzpatrick	6c791f7d60	derp: include src IPs in mesh watch messages Updates tailscale/corp#13945 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	95d776bd8c	wgengine/magicsock: only cache N most recent endpoints per-Addr If a node is flapping or otherwise generating lots of STUN endpoints, we can end up caching a ton of useless values and sending them to peers. Instead, let's apply a fixed per-Addr limit of endpoints that we cache, so that we're only sending peers up to the N most recent. Updates tailscale/corp#13890 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8079a05b44220c46da55016c0e5fc96dd2135ef8	1 year ago
Sonia Appasamy	1a64166073	cli/serve: add interactive flow for enabling HTTPS certs When trying to use serve with https, send users through https cert provisioning enablement before editing the ServeConfig. Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Sonia Appasamy	0052830c64	cli/serve: funnel interactive enablement flow tweaks 1. Add metrics to funnel flow. 2. Stop blocking users from turning off funnels when no longer in their node capabilities. 3. Rename LocalClient.IncrementMetric to IncrementCounter to better callout its usage is only for counter clientmetrics. Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Brad Fitzpatrick	a1b8d703d6	tstime/mono: remove unsafe This removes the unsafe/linkname and only uses the standard library. It's a bit slower, for now, but https://go.dev/cl/518336 should get us back. On darwin/arm64, without https://go.dev/cl/518336 pkg: tailscale.com/tstime/mono │ before │ after │ │ sec/op │ sec/op vs base │ MonoNow-8 16.20n ± 0% 19.75n ± 0% +21.92% (p=0.000 n=10) TimeNow-8 39.46n ± 0% 39.40n ± 0% -0.16% (p=0.002 n=10) geomean 25.28n 27.89n +10.33% And with it, MonoNow-8 16.34n ± 1% 16.93n ± 0% +3.67% (p=0.001 n=10) TimeNow-8 39.55n ± 15% 38.46n ± 1% -2.76% (p=0.000 n=10) geomean 25.42n 25.52n +0.41% Updates #8839 Updates tailscale/go#70 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
James Tucker	de8e55fda6	net/netcheck,wgengine/magicsock: reduce coupling between netcheck and magicsock Netcheck no longer performs I/O itself, instead it makes requests via SendPacket and expects users to route reply traffic to ReceiveSTUNPacket. Netcheck gains a Standalone function that stands up sockets and goroutines to implement I/O when used in a standalone fashion. Magicsock now unconditionally routes STUN traffic to the netcheck.Client that it hosts, and plumbs the send packet sink. The CLI is updated to make use of the Standalone mode. Fixes #8723 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Brad Fitzpatrick	92fc9a01fa	cmd/tailscale: add debug commands to break connections For testing reconnects. Updates tailscale/corp#5761 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Sonia Appasamy	16bc9350e3	client/web: add barebones vite dev setup Currently just serving a "Hello world" page when running the web cli in --dev mode. Updates tailscale/corp#13775 Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Andrew Lytvynov	215480a022	cmd/tailscale/cli,clientupdate: extract new clientupdate package (#8827 ) Extract the self-update logic from cmd/tailscale/cli into a standalone package that could be used from tailscaled later. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Sonia Appasamy	53c722924b	tool/{node,yarn}: update node and yarn tools Syncing these up with what we've got in corp. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Sonia Appasamy	2bc98abbd9	client/web: add web client Server struct Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Sonia Appasamy	7815fbe17a	tailscale/cli: add interactive flow for enabling Funnel Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Will Norris	f9066ac1f4	client/web: extract web client from cli package move the tailscale web client out of the cmd/tailscale/cli package, into a new client/web package. The remaining cli/web.go file is still responsible for parsing CLI flags and such, and then calls into client/web. This will allow the web client to be hooked into from other contexts (for example, from a tsnet server), and provide a dedicated space to add more functionality to this client. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Will Norris	69f1324c9e	cmd/tailscale: refactor shared utility methods Refactor two shared functions used by the tailscale cli, calcAdvertiseRoutes and licensesURL. These are used by the web client as well as other tailscale subcommands. The web client is being moved out of the cli package, so move these two functions to new locations. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Brad Fitzpatrick	66f27c4beb	all: require Go 1.21 Updates #8419 Change-Id: I809b6a4d59d92a2ab6ec587ccbb9053376bf02c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	682fd72f7b	util/testenv: add new package to hold InTest Removes duplicated code. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	6aaf1d48df	types/persist: drop duplicated Persist.LoginName It was duplicated from Persist.UserProfile.LoginName, drop it. Updates #7726 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
salman aljammaz	25a7204bb4	wgengine,ipn,cmd/tailscale: add size option to ping (#8739 ) This adds the capability to pad disco ping message payloads to reach a specified size. It also plumbs it through to the tailscale ping -size flag. Disco pings used for actual endpoint discovery do not use this yet. Updates #311. Signed-off-by: salman <salman@tailscale.com> Co-authored-by: Val <valerie@tailscale.com>	1 year ago
Claire Wang	a17c45fd6e	control: use tstime instead of time (#8595 ) Updates #8587 Signed-off-by: Claire Wang <claire@tailscale.com>	1 year ago
Andrew Lytvynov	371e1ebf07	cmd/dist,release/dist: expose RPM signing hook (#8789 ) Plumb a signing callback function to `unixpkgs.rpmTarget` to allow signing RPMs. This callback is optional and RPMs will build unsigned if not set, just as before. Updates https://github.com/tailscale/tailscale/issues/1882 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Andrew Lytvynov	eb6883bb5a	go.mod: upgrade nfpm to v2 (#8786 ) Upgrade the nfpm package to the latest version to pick up `24a43c5ad7`. The upgrade is from v0 to v2, so there was some breakage to fix. Generated packages should have the same contents as before. Updates https://github.com/tailscale/tailscale/issues/1882 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Aaron Klotz	37925b3e7a	go.mod, cmd/tailscaled, ipn/localapi, util/osdiag, util/winutil, util/winutil/authenticode: add Windows module list to OS-specific logs that are written upon bugreport * We update wingoes to pick up new version information functionality (See pe/version.go in the https://github.com/dblohm7/wingoes repo); * We move the existing LogSupportInfo code (including necessary syscall stubs) out of util/winutil into a new package, util/osdiag, and implement the public LogSupportInfo function may be implemented for other platforms as needed; * We add a new reason argument to LogSupportInfo and wire that into localapi's bugreport implementation; * We add module information to the Windows implementation of LogSupportInfo when reason indicates a bugreport. We enumerate all loaded modules in our process, and for each one we gather debug, authenticode signature, and version information. Fixes #7802 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Sonia Appasamy	301e59f398	tailcfg,ipn/localapi,client/tailscale: add QueryFeature endpoint Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Andrew Lytvynov	f57cc19ba2	cmd/tailscale/cli: add latest version output to "tailscale version" (#8700 ) Add optional `--upstream` flag to `tailscale version` to fetch the latest upstream release version from `pkgs.tailscale.com`. This is useful to diagnose `tailscale update` behavior or write other tooling. Example output: $ tailscale version --upstream --json { "majorMinorPatch": "1.47.35", "short": "1.47.35", "long": "1.47.35-t6afffece8", "unstableBranch": true, "gitCommit": "6afffece8a32509aa7a4dc2972415ec58d8316de", "cap": 66, "upstream": "1.45.61" } Fixes #8669 RELNOTE=adds "tailscale version --upstream" Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Tom DNetto	767e839db5	all: implement lock revoke-keys command The revoke-keys command allows nodes with tailnet lock keys to collaborate to erase the use of a compromised key, and remove trust in it. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-1848	1 year ago
Aaron Klotz	7adf15f90e	cmd/tailscale/cli, util/winutil/authenticode: flesh out authenticode support Previously, tailscale upgrade was doing the bare minimum for checking authenticode signatures via `WinVerifyTrustEx`. This is fine, but we can do better: * WinVerifyTrustEx verifies that the binary's signature is valid, but it doesn't determine whose signature is valid; tailscale upgrade should also ensure that the binary is actually signed by us. * I added the ability to check the signatures of MSI files. * In future PRs I will be adding diagnostic logging that lists details about every module (ie, DLL) loaded into our process. As part of that metadata, I want to be able to extract information about who signed the binaries. This code is modelled on some C++ I wrote for Firefox back in the day. See https://searchfox.org/mozilla-central/rev/27e4816536c891d85d63695025f2549fd7976392/toolkit/xre/dllservices/mozglue/Authenticode.cpp for reference. Fixes #8284 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Denton Gentry	ec9213a627	cmd/sniproxy: add client metrics Count number of sessions, number of DNS queries answered successfully and in error, and number of http->https redirects. Updates #1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Andrew Lytvynov	eef15b4ffc	cmd/dist,release/dist: sign release tarballs with an ECDSA key (#8759 ) Pass an optional PEM-encoded ECDSA key to `cmd/dist` to sign all built tarballs. The signature is stored next to the tarball with a `.sig` extension. Tested this with an `openssl`-generated key pair and verified the resulting signature. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
David Anderson	52212f4323	all: update exp/slices and fix call sites slices.SortFunc suffered a late-in-cycle API breakage. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Claire Wang	90a7d3066c	derp: use tstime (#8634 ) Updates #8587 Signed-off-by: Claire Wang <claire@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	35bdbeda9f	cli: introduce exit-node subcommand to list and filter exit nodes This change introduces a new subcommand, `exit-node`, along with a subsubcommand of `list` and a `--filter` flag. Exit nodes without location data will continue to be displayed when `status` is used. Exit nodes with location data will only be displayed behind `exit-node list`, and in status if they are the active exit node. The `filter` flag can be used to filter exit nodes with location data by country. Exit nodes with Location.Priority data will have only the highest priority option for each country and city listed. For countries with multiple cities, a <Country> <Any> option will be displayed, indicating the highest priority node within that country. Updates tailscale/corp#13025 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Andrew Lytvynov	9edb848505	cmd/tailscale/cli: implement update on FreeBSD (#8710 ) Implement `tailscale update` on FreeBSD. This is much simpler than other platforms because `pkg rquery` lets us get the version in their repos without any extra parsing. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Maisem Ali	1ecc16da5f	tailcfg,ipn/ipnlocal,wgengine: add values to PeerCapabilities Define PeerCapabilty and PeerCapMap as the new way of sending down inter-peer capability information. Previously, this was unstructured and you could only send down strings which got too limiting for certain usecases. Instead add the ability to send down raw JSON messages that are opaque to Tailscale but provide the applications to define them however they wish. Also update accessors to use the new values. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Lytvynov	306deea03a	cmd/tailscale/cli,version/distro: update support for Alpine (#8701 ) Similar to Arch support, use the latest version info from the official `apk` repo and don't offer explicit track or version switching. Add detection for Alpine Linux in version/distro along the way. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Andrew Lytvynov	894b237a70	cmd/tailscale/cli: implement update for dnf/yum-based distros (#8678 ) This is the Fedora family of distros, including CentOS, RHEL and others. Tested in `fedora:latest` and `centos:7` containers. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Brad Fitzpatrick	88cc0ad9f7	util/linuxfw: remove yet-unused code to fix linux/arm64 crash The util/linuxfw/iptables.go had a bunch of code that wasn't yet used (in prep for future work) but because of its imports, ended up initializing code deep within gvisor that panicked on init on arm64 systems not using 4KB pages. This deletes the unused code to delete the imports and remove the panic. We can then cherry-pick this back to the branch and restore it later in a different way. A new test makes sure we don't regress in the future by depending on the panicking package in question. Fixes #8658 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	7560435eb5	tstest/deptest: add test-only package to unify negative dep tests Updates #8658 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Chris Palmer	32d486e2bf	cmd/tailscale/cli: ensure custom UsageFunc is always set (#8665 ) Updates #6995 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	1 year ago
Chris Palmer	3c53bedbbf	cmd/tailscale/cli: limit Darwin-only option to Darwin (#8657 )	1 year ago
Andrew Lytvynov	efd6d90dd7	cmd/tailscale/cli: implement update for arch-based distros (#8655 ) Arch version of tailscale is not maintained by us, but is generally up-to-date with our releases. Therefore "tailscale update" is just a thin wrapper around "pacman -Sy tailscale" with different flags. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Chris Palmer	3f6b0d8c84	cmd/tailscale/cli: make `tailscale update` query `softwareupdate` (#8641 ) * cmd/tailscale/cli: make `tailscale update` query `softwareupdate` Even on macOS when Tailscale was installed via the App Store, we can check for and even install new versions if people ask explicitly. Also, warn if App Store AutoUpdate is not turned on. Updates #6995	1 year ago
Jenny Zhang	9ab70212f4	cmd/gitops-pusher: re-use existing types from acl package This changes the ACLTestError type to reuse the existing/identical types from the ACL implementation, to avoid issues in the future if the two types fall out of sync. Updates #8645 Signed-off-by: Jenny Zhang <jz@tailscale.com>	1 year ago
Tom DNetto	abcb7ec1ce	cmd/tailscale: warn if node is locked out on bringup Updates https://github.com/tailscale/corp/issues/12718 Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Will Norris	f8b0caa8c2	serve: fix hostname for custom http ports When using a custom http port like 8080, this was resulting in a constructed hostname of `host.tailnet.ts.net:8080.tailnet.ts.net` when looking up the serve handler. Instead, strip off the port before adding the MagicDNS suffix. Also use the actual hostname in `serve status` rather than the literal string "host". Fixes #8635 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Andrew Lytvynov	7a82fd8dbe	ipn/ipnlocal: add optional support for ACME Renewal Info (ARI) (#8599 )	1 year ago
Denton Gentry	4f95b6966b	cmd/tailscale: remove TS_EXPERIMENT_OAUTH_AUTHKEY guardrail We've had support for OAuth client keys in `--authkey=...` for several releases, and we're using it in https://github.com/tailscale/github-action Remove the TS_EXPERIMENT_* guardrail, it is fully supported now. Fixes https://github.com/tailscale/tailscale/issues/8403 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Andrew Lytvynov	96d7af3469	cmd/derper,tsweb: consistently add HTTP security headers (#8579 ) Add a few helper functions in tsweb to add common security headers to handlers. Use those functions for all non-tailscaled-facing endpoints in derper. Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Maisem Ali	8cda647a0f	cmd/testwrapper: handle build failures `go test -json` outputs invalid JSON when a build fails. Handle that case by reseting the json.Decode and continuing to read. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	60ab8089ff	logpolicy, various: allow overriding log function This allows sending logs from the "logpolicy" package (and associated callees) to something other than the log package. The behaviour for tailscaled remains the same, passing in log.Printf Updates #8249 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie1d43b75fa7281933d9225bffd388462c08a5f31	1 year ago
Andrew Dunham	a7648a6723	net/dnsfallback: run recursive resolver and compare results When performing a fallback DNS query, run the recursive resolver in a separate goroutine and compare the results returned by the recursive resolver with the results we get from "regular" bootstrap DNS. This will allow us to gather data about whether the recursive DNS resolver works better, worse, or about the same as "regular" bootstrap DNS. Updates #5853 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ifa0b0cc9eeb0dccd6f7a3d91675fe44b3b34bd48	1 year ago
Maisem Ali	1ca5dcce15	cmd/testwrapper: stream output results Previously it would wait for all tests to run before printing anything, instead stream the results over a channel so that they can be emitted immediately. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	2e4e7d6b9d	cmd/testwrapper: output packages tested Previously it would only print the failures without providing more information on which package the failures from. This commit makes it so that it prints out the package information as well as the attempt numbers. ``` ➜ tailscale.com git:(main) ✗ go run ./cmd/testwrapper ./cmd/... ok tailscale.com/cmd/derper ok tailscale.com/cmd/k8s-operator ok tailscale.com/cmd/tailscale/cli ok tailscale.com/cmd/tailscaled === RUN TestFlakeRun flakytest.go:38: flakytest: issue tracking this flaky test: https://github.com/tailscale/tailscale/issues/0 flakytest_test.go:41: First run in testwrapper, failing so that test is retried. This is expected. --- FAIL: TestFlakeRun (0.00s) FAIL tailscale.com/cmd/testwrapper/flakytest Attempt #2: Retrying flaky tests: ok tailscale.com/cmd/testwrapper/flakytest ``` Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	2e19790f61	types/views: add JSON marshal/unmarshal and AsMap to Map This allows cloning a Map as well as marshaling the Map as JSON. Updates tailscale/corp#12754 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	12a2221db2	cmd/testwrapper/flakytest: clearly describe why TestFlakeRun fails Fixes #8474 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	97ee0bc685	cmd/tailscale: improve error message when signing without a tailnet lock key Updates #8568 Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Andrew Dunham	ab310a7f60	derp: use new net/tcpinfo package Updates #8413 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8bf8046517195a6d42cabb32d6ec7f1f79cef860	1 year ago
KevinLiang10	243ce6ccc1	util/linuxfw: decoupling IPTables logic from linux router This change is introducing new netfilterRunner interface and moving iptables manipulation to a lower leveled iptables runner. For #391 Signed-off-by: KevinLiang10 <kevinliang@tailscale.com>	1 year ago
Tom DNetto	1377618dbc	tsnet: expose field to configure Wireguard port Signed-off-by: Tom DNetto <tom@tailscale.com> Updates #1748	1 year ago
Maisem Ali	8e840489ed	cmd/testwrapper: only retry flaky failed tests Redo the testwrapper to track and only retry flaky tests instead of retrying the entire pkg. It also fails early if a non-flaky test fails. This also makes it so that the go test caches are used. Fixes #7975 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
phirework	fbacc0bd39	go.toolchain: switch to tailscale.go1.21 (#8415 ) Updates #8419 Signed-off-by: Jenny Zhang <jz@tailscale.com>	1 year ago
shayne	6697690b55	{cmd/tailscale/cli,ipn}: add http support to tailscale serve (#8358 ) Updates #8357 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Graham Christensen	4dda949760	tailscale ping: note that `-c` can take 0 for infinity Signed-off-by: Graham Christensen <graham@grahamc.com>	1 year ago
Brad Fitzpatrick	67e912824a	all: adjust some build tags for wasi A start. Updates #8320 Change-Id: I64057f977be51ba63ce635c56d67de7ecec415d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	eefee6f149	all: use cmpx.Or where it made sense I left a few out where writing it explicitly was better for various reasons. Updates #8296 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Aaron Klotz	2aa8299c37	cmd/tailscaled, util/winutil: log our registry keys during tailscaled startup In order to improve our ability to understand the state of policies and registry settings when troubleshooting, we enumerate all values in all subkeys. x/sys/windows does not already offer this, so we need to call RegEnumValue directly. For now we're just logging this during startup, however in a future PR I plan to also trigger this code during a bugreport. I also want to log more than just registry. Fixes #8141 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Vince Prignano	1a691ec5b2	cmd/k8s-operator: update controller-runtime to v0.15 Fixes #8170 Signed-off-by: Vince Prignano <vince@prigna.com>	2 years ago
David Anderson	32e0ba5e68	release/dist/synology: build synology packages with cmd/dist Updates #8217 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Gabriel Martinez	03e848e3b5	cmd/k8s-operator: add support for priorityClassName Updates #8155 Signed-off-by: Gabriel Martinez <gabrielmartinez@sisti.pt>	2 years ago
Derek Kaser	7c88eeba86	cmd/tailscale: allow Tailscale to work with Unraid web interface (#8062 ) Updates tailscale/tailscale#8026 Signed-off-by: Derek Kaser <derek.kaser@gmail.com>	2 years ago
Sonia Appasamy	f0ee03dfaf	cmd/tailscale/cli: [serve] add reset flag Usage: `tailscale serve reset` Fixes #8139 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 years ago
Brad Fitzpatrick	4664318be2	client/tailscale: revert CreateKey API change, add Client.CreateKeyWithExpiry The client/tailscale is a stable-ish API we try not to break. Revert the Client.CreateKey method as it was and add a new CreateKeyWithExpiry method to do the new thing. And document the expiry field and enforce that the time.Duration can't be between in range greater than 0 and less than a second. Updates #7143 Updates #8124 (reverts it, effectively) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
shayne	678bb92bb8	cmd/tailscale/cli: [up] fix CreateKey missing argument (#8124 ) Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Matt Brown	9b6e48658f	client: allow the expiry time to be specified for new keys Adds a parameter for create key that allows a number of seconds (less than 90) to be specified for new keys. Fixes https://github.com/tailscale/tailscale/issues/7965 Signed-off-by: Matthew Brown <matthew@bargrove.com>	2 years ago
Maisem Ali	85215ed58a	cmd/k8s-operator: handle NotFound secrets getSingleObject can return `nil, nil`, getDeviceInfo was not handling that case which resulted in panics. Fixes #7303 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Joe Tsai	84c99fe0d9	logtail: be less aggressive about re-uploads (#8117 ) The retry logic was pathological in the following ways: * If we restarted the logging service, any pending uploads would be placed in a retry-loop where it depended on backoff.Backoff, which was too aggresive. It would retry failures within milliseconds, taking at least 10 retries to hit a delay of 1 second. * In the event where a logstream was rate limited, the aggressive retry logic would severely exacerbate the problem since each retry would also log an error message. It is by chance that the rate of log error spam does not happen to exceed the rate limit itself. We modify the retry logic in the following ways: * We now respect the "Retry-After" header sent by the logging service. * Lacking a "Retry-After" header, we retry after a hard-coded period of 30 to 60 seconds. This avoids the thundering-herd effect when all nodes try reconnecting to the logging service at the same time after a restart. * We do not treat a status 400 as having been uploaded. This is simply not the behavior of the logging service. Updates #tailscale/corp#11213 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	cb2fd5be92	cmd/tsconnect: fix forgotten API change for wasm Fix regression from `6e967446e4` Updates #8036 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	4f454f4122	util/codegen: support embedded fields I noticed cmd/{cloner,viewer} didn't support structs with embedded fields while working on a change in another repo. This adds support. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Craig Rodrigues	827abbeeaa	cmd/k8s-operator: print version in startup logs Fixes: #7813 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	2 years ago
Chenyang Gao	b9fb8ac702	fix sys.Set(router) issue will crash the daemon in some OSs Signed-off-by: Chenyang Gao <gps949@outlook.com> in commit `6e96744`, the tsd system type has been added. Which will cause the daemon will crash on some OSs (Windows, darwin and so on). The root cause is that on those OSs, handleSubnetsInNetstack() will return true and set the conf.Router with a wrapper. Later in NewUserspaceEngine() it will do subsystem set and found that early set router mismatch to current value, then panic.	2 years ago
Brad Fitzpatrick	6e967446e4	tsd: add package with System type to unify subsystem init, discovery This is part of an effort to clean up tailscaled initialization between tailscaled, tailscaled Windows service, tsnet, and the mac GUI. Updates #8036 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Derek Kaser	0d7303b798	various: add detection and Taildrop for Unraid Updates tailscale/tailscale#8025 Signed-off-by: Derek Kaser <derek.kaser@gmail.com>	2 years ago
Brad Fitzpatrick	9e9ea6e974	go.mod: bump all deps possible that don't break the build This holds back gvisor, kubernetes, goreleaser, and esbuild, which all had breaking API changes. Updates #8043 Updates #7381 Updates #8042 (updates u-root which adds deps) Change-Id: I889759bea057cd3963037d41f608c99eb7466a5b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Charlotte Brandhorst-Satzkorn	ddb4040aa0	wgengine/magicsock: add address selection for wireguard only endpoints (#7979 ) This change introduces address selection for wireguard only endpoints. If a endpoint has not been used before, an address is randomly selected to be used based on information we know about, such as if they are able to use IPv4 or IPv6. When an address is initially selected, we also initiate a new ICMP ping to the endpoints addresses to determine which endpoint offers the best latency. This information is then used to update which endpoint we should be using based on the best possible route. If the latency is the same for a IPv4 and an IPv6 address, IPv6 will be used. Updates #7826 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Denton Gentry	a82f275619	cmd/sniproxy: Set App name in tsnet hostinfo Updates #1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Kyle Carberry	d78b334964	cmd/derper: disable http2 DERP doesn't support HTTP/2. If an HTTP/2 proxy was placed in front of a DERP server requests would fail because the connection would be initialized with HTTP/2, which the DERP client doesn't support. Signed-off-by: Kyle Carberry <kyle@carberry.com>	2 years ago
Charlotte Brandhorst-Satzkorn	161d1d281a	net/ping,netcheck: add v6 pinging capabilities to pinger (#7971 ) This change adds a v6conn to the pinger to enable sending pings to v6 addrs. Updates #7826 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	2 years ago
Maisem Ali	a8f10c23b2	cmd/tailscale/cli: [up] reuse --advertise-tags for OAuth key generation We need to always specify tags when creating an AuthKey from an OAuth key. Check for that, and reuse the `--advertise-tags` param. Updates #7982 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	b2b5379348	cmd/tailscale/cli: [up] change oauth authkey format Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	13de36303d	cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
shayne	018a382729	cmd/tailscale/cli: [serve] fix MinGW path conversion (#7964 ) Fixes #7963 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Mihai Parparita	7330aa593e	all: avoid repeated default interface lookups On some platforms (notably macOS and iOS) we look up the default interface to bind outgoing connections to. This is both duplicated work and results in logspam when the default interface is not available (i.e. when a phone has no connectivity, we log an error and thus cause more things that we will try to upload and fail). Fixed by passing around a netmon.Monitor to more places, so that we can use its cached interface state. Fixes #7850 Updates #7621 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	4722f7e322	all: move network monitoring from wgengine/monitor to net/netmon We're using it in more and more places, and it's not really specific to our use of Wireguard (and does more just link/interface monitoring). Also removes the separate interface we had for it in sockstats -- it's a small enough package (we already pull in all of its dependencies via other paths) that it's not worth the extra complexity. Updates #7621 Updates #7850 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Andrew Dunham	f85dc6f97c	ci: add more lints (#7909 ) This is a follow-up to #7905 that adds two more linters and fixes the corresponding findings. As per the previous PR, this only flags things that are "obviously" wrong, and fixes the issues found. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8739bdb7bc4f75666a7385a7a26d56ec13741b7c	2 years ago
Andrew Dunham	280255acae	various: add golangci-lint, fix issues (#7905 ) This adds an initial and intentionally minimal configuration for golang-ci, fixes the issues reported, and adds a GitHub Action to check new pull requests against this linter configuration. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8f38fbc315836a19a094d0d3e986758b9313f163	2 years ago
Mihai Parparita	9a655a1d58	net/dnsfallback: more explicitly pass through logf function Redoes the approach from #5550 and #7539 to explicitly pass in the logf function, instead of having global state that can be overridden. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Andrew Dunham	228d0c6aea	net/netcheck: use dnscache.Resolver when resolving DERP IPs This also adds a bunch of tests for this function to ensure that we're returning the proper IP(s) in all cases. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0d9d57170dbab5f2bf07abdf78ecd17e0e635399	2 years ago
Anton Tolchanov	8546ff98fb	tsweb: move varz handler(s) into separate modules This splits Prometheus metric handlers exposed by tsweb into two modules: - `varz.Handler` exposes Prometheus metrics generated by our expvar converter; - `promvarz.Handler` combines our expvar-converted metrics and native Prometheus metrics. By default, tsweb will use the promvarz handler, however users can keep using only the expvar converter. Specifically, `tailscaled` now uses `varz.Handler` explicitly, which avoids a dependency on the (heavyweight) Prometheus client. Updates https://github.com/tailscale/corp/issues/10205 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Anton Tolchanov	c153e6ae2f	prober: migrate to Prometheus metric library This provides an example of using native Prometheus metrics with tsweb. Prober library seems to be the only user of PrometheusVar, so I am removing support for it in tsweb. Updates https://github.com/tailscale/corp/issues/10205 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Anton Tolchanov	11e6247d2a	tsweb: expose native Prometheus metrics in /debug/varz The handler will expose built-in process and Go metrics by default, which currently duplicate some of the expvar-proxied metrics (`goroutines` vs `go_goroutines`, `memstats` vs `go_memstats`), but as long as their names are different, Prometheus server will just scrape both. This will change /debug/varz behaviour for most tsweb binaries, but notably not for control, which configures a `tsweb.VarzHandler` [explicitly](`a5b5d5167f/cmd/tailcontrol/tailcontrol.go (L779)`) Updates https://github.com/tailscale/corp/issues/10205 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Tom DNetto	6a627e5a33	net, wgengine/capture: encode NAT addresses in pcap stream Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
phirework	c0e0a5458f	cmd/tailscale: show reauth etc. links even if no login name (#7803 ) Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
shayne	81fd00a6b7	cmd/tailscale/cli: [serve] add support for proxy paths (#7800 )	2 years ago
valscale	7bfb7744b7	derp,magicsock: add debug envknobs for HTTP and derp server name (#7744 ) Make developing derp easier by: 1. Creating an envknob telling clients to use HTTP to connect to derp servers, so devs don't have to acquire a valid TLS cert. 2. Creating an envknob telling clients which derp server to connect to, so devs don't have to edit the ACLs in the admin console to add a custom DERP map. 3. Explaining how the -dev and -a command lines args to derper interact. To use this: 1. Run derper with -dev. 2. Run tailscaled with TS_DEBUG_USE_DERP_HTTP=1 and TS_DEBUG_USE_DERP_ADDR=localhost This will result in the client connecting to derp via HTTP on port 3340. Fixes #7700 Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Aaron Klotz	90fd04cbde	ipn/ipnlocal, util/winutil/policy: modify Windows profile migration to load legacy prefs from within tailscaled I realized that a lot of the problems that we're seeing around migration and LocalBackend state can be avoided if we drive Windows pref migration entirely from within tailscaled. By doing it this way, tailscaled can automatically perform the migration as soon as the connection with the client frontend is established. Since tailscaled is already running as LocalSystem, it already has access to the user's local AppData directory. The profile manager already knows which user is connected, so we simply need to resolve the user's prefs file and read it from there. Of course, to properly migrate this information we need to also check system policies. I moved a bunch of policy resolution code out of the GUI and into a new package in util/winutil/policy. Updates #7626 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Andrew Dunham	8d3acc9235	util/sysresources, magicsock: scale DERP buffer based on system memory This adds the util/sysresources package, which currently only contains a function to return the total memory size of the current system. Then, we modify magicsock to scale the number of buffered DERP messages based on the system's available memory, ensuring that we never use a value lower than the previous constant of 32. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib763c877de4d0d4ee88869078e7d512f6a3a148d	2 years ago
shayne	59879e5770	cmd/tailscale/cli: make serve and funnel visible in list (#7737 )	2 years ago
Mihai Parparita	02582083d5	cmd/tsconnect: allow root directory to be passed in #7339 changed the root directory logic to find the ancestor of the cwd with a go.mod file. This works when running the the binary from this repo directly, but breaks when we're a dependency in another repo. Allow the directory to be passed in via a -rootdir flag (the repo that depends on it can then use `go list -m -f '{{.Dir}}' tailscale.com` or similar to pass in the value). Updates tailscale/corp#10165 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Andrew Dunham	38e4d303a2	net/tshttpproxy: don't proxy through ourselves When running a SOCKS or HTTP proxy, configure the tshttpproxy package to drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment variables. Fixes #7407 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6cd7cad7a609c639780484bad521c7514841764b	2 years ago
Maisem Ali	985535aebc	net/tstun,wgengine/*: add support for NAT to routes This adds support to make exit nodes and subnet routers work when in scenarios where NAT is required. It also updates the NATConfig to be generated from a `wgcfg.Config` as that handles merging prefs with the netmap, so it has the required information about whether an exit node is already configured and whether routes are accepted. Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	2 years ago
James Tucker	a31e43f760	go.mod: bump gvisor to 20230320 for dispatcher locking Upstream improved code around an issue showing up in CI, where sometimes shutdown will race on endpoint.dispatcher being nil'd, causing a panic down stack of injectInbound. The upstream patch makes some usage more safe, but it does not itself fix the local issue. See panic in https://github.com/tailscale/tailscale/actions/runs/4548299564/jobs/8019187385#step:7:843 See fix in google/gvisor@13d7bf69d8 Updates #7715 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Anton Tolchanov	2a933c1903	cmd/tailscale: extend hostname validation (#7678 ) In addition to checking the total hostname length, validate characters used in each DNS label and label length. Updates https://github.com/tailscale/corp/issues/10012 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
shayne	43f7ec48ca	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
valscale	74eb99aed1	derp, derphttp, magicsock: send new unknown peer frame when destination is unknown (#7552 ) * wgengine/magicsock: add envknob to send CallMeMaybe to non-existent peer For testing older client version responses to the PeerGone packet format change. Updates #4326 Signed-off-by: Val <valerie@tailscale.com> * derp: remove dead sclient struct member replaceLimiter Leftover from an previous solution to the duplicate client problem. Updates #2751 Signed-off-by: Val <valerie@tailscale.com> * derp, derp/derphttp, wgengine/magicsock: add new PeerGone message type Not Here Extend the PeerGone message type by adding a reason byte. Send a PeerGone "Not Here" message when an endpoint sends a disco message to a peer that this server has no record of. Fixes #4326 Signed-off-by: Val <valerie@tailscale.com> --------- Signed-off-by: Val <valerie@tailscale.com>	2 years ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	df89b7de10	cmd/k8s-operator: disable HTTP/2 for the auth proxy Kubernetes uses SPDY/3.1 which is incompatible with HTTP/2, disable it in the transport and server. Fixes #7645 Fixes #7646 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Tom DNetto	60cd4ac08d	cmd/tailscale/cli: move tskey-wrap functionality under lock sign Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Mihai Parparita	e1fb687104	cmd/tailscale/cli: fix inconsistency between serve text and example command Use the same local port number in both, and be more precise about what is being forwarded Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Anton Tolchanov	50d211d1a4	cmd/derpprobe: allow running all probes at the same time This allows disabling spread mode, which is helpful if you are manually running derpprobe in `--once` mode against a small number of DERP machines. Updates https://github.com/tailscale/corp/issues/9916 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
James 'zofrex' Sanderson	9534783758	tailscale/cmd: Warn for up --force-reauth over SSH without accepting the risk (#7575 ) Fixes #6377 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	2 years ago
shayne	2b892ad6e7	cmd/tailscale/cli: [serve] rework commands based on feedback (#6521 ) ``` $ tailscale serve https:<port> <mount-point> <source> [off] $ tailscale serve tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off] $ tailscale serve status [--json] $ tailscale funnel <serve-port> {on\|off} $ tailscale funnel status [--json] ``` Fixes: #6674 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Maisem Ali	c87782ba9d	cmd/k8s-operator: drop trailing dot in tagged node name Also update tailcfg docs. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Will Norris	a1d9f65354	ipn,log: add logger for sockstat deltas Signed-off-by: Will Norris <will@tailscale.com> Co-authored-by: Melanie Warrick <warrick@tailscale.com>	2 years ago
Maisem Ali	5e8a80b845	all: replace /kb/ links with /s/ equivalents Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	558735bc63	cmd/k8s-operator: require HTTPS to be enabled for AuthProxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	489e27f085	cmd/k8s-operator: make auth proxy pass tags as Impersonate-Group We were not handling tags at all, pass them through as Impersonate-Group headers. And use the FQDN for tagged nodes as Impersonate-User. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	09aed46d44	cmd/tailscale/cli: update docs and unhide configure Also call out Alpha. Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	223713d4a1	tailcfg,all: add and use Node.IsTagged() Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	3ff44b2307	ipn: add Funnel port check from nodeAttr Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	ccdd534e81	tsnet: add ListenFunnel This lets a tsnet binary share a server out over Tailscale Funnel. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Tom DNetto	92fc243755	cmd/tailscale: annotate tailnet-lock keys which wrap pre-auth keys Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	3471fbf8dc	cmd/tailscale: surface node-key for locked out tailnet-lock peers Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Maisem Ali	be027a9899	control/controlclient: improve handling of concurrent lite map requests This reverts commit `6eca47b16c` and fixes forward. Previously the first ever streaming MapRequest that a client sent would also set ReadOnly to true as it didn't have any endpoints and expected/relied on the map poll to restart as soon as it got endpoints. However with `48f6c1eba4`, we would no longer restart MapRequests as frequently as we used to, so control would only ever get the first streaming MapRequest which had ReadOnly=true. Control would treat this as an uninteresting request and would not send it any further netmaps, while the client would happily stay in the map poll forever while litemap updates happened in parallel. This makes it so that we never set `ReadOnly=true` when we are doing a streaming MapRequest. This is no longer necessary either as most endpoint discovery happens over disco anyway. Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	ce99474317	all: implement preauth-key support with tailnet lock Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Andrew Dunham	be107f92d3	wgengine/magicsock: track per-endpoint changes in ringbuffer This change adds a ringbuffer to each magicsock endpoint that keeps a fixed set of "changes"–debug information about what updates have been made to that endpoint. Additionally, this adds a LocalAPI endpoint and associated "debug peer-status" CLI subcommand to fetch the set of changes for a given IP or hostname. Updates tailscale/corp#9364 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I34f726a71bddd0dfa36ec05ebafffb24f6e0516a	2 years ago
shayne	f7a7957a11	sniproxy: add promote-https (#7487 ) Adds support for an HTTP server that promotes all requests to HTTPS. The flag is `-promote-https` and defaults to true. Updates #1748	2 years ago
Denton Gentry	b46c5ae82a	cmd/sniproxy: draw the rest of the DNS owl. Add a DNS server which always responds as its own IP addresses. Additionally add a tsnet TailscaleIPs() function to return the IP addresses, both IPv4 and IPv6. Updates https://github.com/tailscale/tailscale/issues/1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Tom DNetto	2263d9c44b	cmd/tsconnect: pop CTA to make everything work with tailnet lock Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	0f4359116e	tsnet: add UDP support to Server.Listen No ListenPacket support yet, but Listen with a udp network type fit easier into netstack's model to start. Then added an example of using it to cmd/sniproxy with a little udp :53 handler. No tests in tsnet yet because we don't have support for dialing over UDP in tsnet yet. When that's done, a new test can test both sides. Updates #5871 Updates #1748 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	1a30b2d73f	all: use tstest.Replace more Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	b9ebf7cf14	tstest: add method to Replace values for tests We have many function pointers that we replace for the duration of test and restore it on test completion, add method to do that. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Dunham	73fa7dd7af	util/slicesx: add package for generic slice functions, use Now that we're using rand.Shuffle in a few locations, create a generic shuffle function and use it instead. While we're at it, move the interleaveSlices function to the same package for use. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0b00920e5b3eea846b6cedc30bd34d978a049fd3	2 years ago
Tom DNetto	e2d652ec4d	ipn,cmd/tailscale: implement resigning nodes on tka key removal Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Andrew Dunham	3f8e8b04fd	cmd/tailscale, cmd/tailscaled: move portmapper debugging into tailscale CLI The debug flag on tailscaled isn't available in the macOS App Store build, since we don't have a tailscaled binary; move it to the 'tailscale debug' CLI that is available on all platforms instead, accessed over LocalAPI. Updates #7377 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I47bffe4461e036fab577c2e51e173f4003592ff7	2 years ago
Mihai Parparita	3e71e0ef68	net/sockstats: remove explicit dependency on wgengine/monitor Followup to #7177 to avoid adding extra dependencies to the CLI. We instead declare an interface for the link monitor. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
shayne	d92ef4c215	cmd/derper: randomize IPs on refreshBootstrapDNS (#7440 ) This is to address a possible DNS failure on startup. Before this change IPv6 addresses would be listed first, and the client dialer would fail for hosts without IPv6 connectivity.	2 years ago
Brad Fitzpatrick	1410682fb6	cmd/sniproxy: add start of a tsnet-based SNI proxy $ curl https://canhazip.com/ 170.173.0.21 $ curl --resolve canhazip.com:443:100.85.165.81 https://canhazip.com/ 34.223.127.151 Updates #1748 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	e1530cdfcc	cmd/containerboot,kube: consolidate the two kube clients We had two implemenetations of the kube client, merge them. containerboot was also using a raw http.Transport, this also has the side effect of making it use a http.Client Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Denton Gentry	51288221ce	cmd/tailscale: use request Schema+Host for QNAP authLogin.cgi QNAP allows users to set the port number for the management WebUI, which includes authLogin.cgi. If they do, then connecting to localhost:8080 fails. https://github.com/tailscale/tailscale-qpkg/issues/74#issuecomment-1407486911 Fixes https://github.com/tailscale/tailscale/issues/7108 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Aaron Klotz	f18beaa1e4	cmd/mkmanifest, cmd/tailscale, cmd/tailscaled: remove Windows arm32 resources from OSS Given recent changes in corp, I originally thought we could remove all of the syso files, but then I realized that we still need them so that binaries built purely from OSS (without going through corp) will still receive a manifest. We can remove the arm32 one though, since we don't support 32-bit ARM on Windows. Updates https://github.com/tailscale/corp/issues/9576 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Sonia Appasamy	7985f5243a	cmd/k8s-operator: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates the k8s operator to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 years ago
Sonia Appasamy	bb7033174c	cmd/tsconnect: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates tsconnect to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 years ago
Mihai Parparita	9cb332f0e2	sockstats: instrument networking code paths Uses the hooks added by tailscale/go#45 to instrument the reads and writes on the major code paths that do network I/O in the client. The convention is to use "<package>.<type>:<label>" as the annotation for the responsible code path. Enabled on iOS, macOS and Android only, since mobile platforms are the ones we're most interested in, and we are less sensitive to any throughput degradation due to the per-I/O callback overhead (macOS is also enabled for ease of testing during development). For now just exposed as counters on a /v0/sockstats PeerAPI endpoint. We also keep track of the current interface so that we can break out the stats by interface. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Sonia Appasamy	0c1510739c	cmd/tailscale/cli: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates the linux cli to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	2 years ago
Joe Tsai	0d19f5d421	all: replace logtail.{Public,Private}ID with logid.{Public,Private}ID (#7404 ) The log ID types were moved to a separate package so that code that only depend on log ID types do not need to link in the logic for the logtail client itself. Not all code need the logtail client. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Vladimir Pouzanov	e3211ff88b	Add support for OAuth tokens #7394 (#7393 ) Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>	2 years ago
Maisem Ali	49c206fe1e	tailcfg,hostinfo: add App field to identify tsnet uses This allows us to differentiate between the various tsnet apps that we have like `golinks` and `k8s-operator`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Denton Gentry	bf7573c9ee	cmd/nginx-auth: build for arm64 Fixes https://github.com/tailscale/tailscale/issues/6978 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Jordan Whited	d4122c9f0a	cmd/tailscale/cli: fix TestUpdatePrefs over Tailscale SSH (#7374 ) Fixes #7373 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
David Anderson	587eb32a83	release/dist: add forgotten license headers Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	cf74ee49ee	release/dist/cli: factor out the CLI boilerplace from cmd/dist Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	fc4b25d9fd	release: open-source release build logic for unix packages Updates tailscale/corp#9221 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Maisem Ali	06a10125fc	cmd/k8s-operator: set hostinfo.Package This allows identifying the operator. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
David Anderson	0b8f89c79c	cmd/tsconnect: find the build dir independently of -trimpath trimmed builds don't have absolute path information in executable metadata, which leads the runtime.Caller approach failing mysteriously in yarn with complaints about relative package paths. So, instead of using embedded package metadata to find paths, expect that we're being invoked within the tailscale repo, and locate the tsconnect directory that way. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	1dadbbb72a	version/mkversion: open-source version generation logic In preparation for moving more of the release building here too. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Maisem Ali	d811c5a7f0	cmd/tailscale/cli: handle home dir correctly on macOS for kubeconfig This ensures that we put the kubeconfig in the correct directory from within the macOS Sandbox when paired with tailscale/corp@3035ef7 Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	c01c84ea8e	cmd/tailscale/cli: add "configure kubeconfig" subcommand It takes in a node hostname and configures the local kubeconfig file to point to that. Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	181a3da513	cmd/tailscale/cli: add a hidden configure subcommand Also make `tailscale configure-host` an alias to `tailscale configure synology` Updates #7220 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Jenny Zhang	fe5558094c	cmd/tailscale/cli: add logout and debug info to web Fixes #7238 Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
David Anderson	bd81d520ab	cmd/printdep: print correct toolchain URL In the switch to static toolchains, we removed a legacy oddity from the toolchain URL structure, but forgot to update printdep. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	70a2929a12	version: make all exported funcs compile-time constant or lazy Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	8b2ae47c31	version: unexport all vars, turn Short/Long into funcs The other formerly exported values aren't used outside the package, so just unexport them. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Denton Gentry	5bca44d572	cmd/sync-containers: update latest and stable tags Fixes https://github.com/tailscale/tailscale/issues/7251 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Mihai Parparita	fa932fefe7	net/interfaces: redo how we get the default interface on macOS and iOS With #6566 we added an external mechanism for getting the default interface, and used it on macOS and iOS (see tailscale/corp#8201). The goal was to be able to get the default physical interface even when using an exit node (in which case the routing table would say that the Tailscale utun* interface is the default). However, the external mechanism turns out to be unreliable in some cases, e.g. when multiple cellular interfaces are present/toggled (I have occasionally gotten my phone into a state where it reports the pdp_ip1 interface as the default, even though it can't actually route traffic). It was observed that `ifconfig -v` on macOS reports an "effective interface" for the Tailscale utn* interface, which seems promising. By examining the ifconfig source code, it turns out that this is done via a SIOCGIFDELEGATE ioctl syscall. Though this is a private API, it appears to have been around for a long time (e.g. it's in the 10.13 xnu release at https://opensource.apple.com/source/xnu/xnu-4570.41.2/bsd/net/if_types.h.auto.html) and thus is unlikely to go away. We can thus use this ioctl if the routing table says that a utun* interface is the default, and go back to the simpler mechanism that we had before #6566. Updates #7184 Updates #7188 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Will Norris	6ef834a6b7	get-authkey: require tags to be specified Tailnet-owned auth keys (which all OAuth-created keys are) must include tags, since there is no user to own the registered devices. Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Maisem Ali	05adf22383	cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Tom DNetto	99b9d7a621	all: implement pcap streaming for datapath debugging Updates: tailscale/corp#8470 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Denton Gentry	4daba23cd4	cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Maisem Ali	6bae55e351	ipn/ipnlocal: add support to store certs in k8s secrets Fixes #5676 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
David Anderson	02a2dcfc86	go.toolchain.rev: use new statically built toolchain Also removes the toolchain builds from flake.nix. For now the flake build uses upstream Go 1.20, a followup change will switch it back to our custom toolchain. Updates tailscale/corp#9005 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	03645f0c27	net/{netns,netstat}: use new x/sys/cpu.IsBigEndian See golang/go#57237 Change-Id: If47ab6de7c1610998a5808e945c4177c561eab45 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	2755f3843c	health, net/tlsdial: add healthcheck for self-signed cert When we make a connection to a server, we previously would verify with the system roots, and then fall back to verifying with our baked-in Let's Encrypt root if the system root cert verification failed. We now explicitly check for, and log a health error on, self-signed certificates. Additionally, we now always verify against our baked-in Let's Encrypt root certificate and log an error if that isn't successful. We don't consider this a health failure, since if we ever change our server certificate issuer in the future older non-updated versions of Tailscale will no longer be healthy despite being able to connect. Updates #3198 Change-Id: I00be5ceb8afee544ee795e3c7a2815476abc4abf Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Brad Fitzpatrick	b1248442c3	all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork Updates #7123 Updates #5309 Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Will Norris	51e1ab5560	fixup! util/vizerror: add new package for visible errors Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Brad Fitzpatrick	ca45fe2d46	cmd/tailscale/cli: delete ActLikeCLI It's since been rewritten in Swift. #cleanup Change-Id: I0860d681e8728697804ce565f63c5613b8b1088c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Mihai Parparita	0039993359	cmd/tsconnect: update to xterm.js 5.1 It includes xtermjs/xterm.js#4216, which improves handling of some escape sequences. Unfortunately it's not enough to fix the issue with `ponysay`, but it does not hurt to be up to date. Updates #6090 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Anton Tolchanov	100d8e909e	cmd/derpprobe: migrate to the prober framework `prober.DERP` was created in #5988 based on derpprobe. Having used it instead of derpprobe for a few months, I think we have enough confidence that it works and can now migrate derpprobe to use the prober framework and get rid of code duplication. A few notable changes in behaviour: - results of STUN probes over IPv4 and IPv6 are now reported separately; - TLS probing now includes OCSP verification; - probe names in the output have changed; - ability to send Slack notification from the prober has been removed. Instead, the prober now exports metrics in Expvar (/debug/vars) and Prometheus (/debug/varz) formats. Fixes https://github.com/tailscale/corp/issues/8497 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Brad Fitzpatrick	01e736e1d5	go.toolchain.rev: update to Go 1.20rc3 Updates #7123 Change-Id: Ibdf53530251c120e7e20c24abcf4a05f2ff7ac97 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	04b57a371e	ipn/ipnlocal: drop not required StateKey parameter This is #cleanup now that #7121 is merged. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Mihai Parparita	73d33e3f20	cmd/tsconnect: use empty string as the default state store key Makes the Wasm client more similar to the others, and allows the default profile to be correctly picked up when restarting the client in dev mode (where we persist the state in sessionStorage). Also update README to reflect that Go wasm changes can be picked up with just a reload (as of #5383) Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Maisem Ali	4441609d8f	safesocket: remove the now unused WindowsLocalPort Also drop the port param from safesocket.Listen. #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
David Anderson	e51cf1b09d	cmd/k8s-operator: use unstable tailscale image as well We need a post-1.36 tailscale image to handle custom hostnames correctly. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	0dc9cbc9ab	cmd/k8s-operator: use the unstable operator image There is no stable release yet, and for alpha we want people on the unstable build while we iterate. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Will Norris	947c14793a	all: update tools that manage copyright headers Update all code generation tools, and those that check for license headers to use the new standard header. Also update copyright statement in LICENSE file. Fixes #6865 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Brad Fitzpatrick	a1b4ab34e6	util/httpm: add new package for prettier HTTP method constants See package doc. Change-Id: Ibbfc8e1f98294217c56f3a9452bd93ffa3103572 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Denton Gentry	7439bc7ba6	cmd/sync-containers: add github.Keychain Running sync-containers in a GitHub workflow will be simpler if we check github.Keychain, which uses the GITHUB_TOKEN if present. Updates https://github.com/tailscale/corp/issues/8461 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
David Anderson	9bd6a2fb8d	cmd/k8s-operator: support setting a custom hostname. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Xe Iaso	038d25bd04	cmd/nginx-auth: update Expected-Tailnet documentation (#6055 ) Signed-off-by: Xe Iaso <xe@tailscale.com>	2 years ago
phirework	2d29f77b24	cmd/tailscale/cli: fix TUNmode display on synology web page (#7064 ) Fixes #7059 Signed-off-by: Jenny Zhang <jz@tailscale.com> Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
Vince Prignano	30380403d0	cmd/k8s-operator: remove use of InjectClient (deprecated) The dependency injection functionality has been deprecated a while back and it'll be removed in the 0.15 release of Controller Runtime. This changeset sets the Client after creating the Manager, instead of using InjectClient. Signed-off-by: Vince Prignano <vince@prigna.com>	2 years ago
Anton Tolchanov	e8b695626e	cmd/mkpkg: allow specifying recommended dependencies Updates #3151 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Brad Fitzpatrick	c8db70fd73	cmd/tailscale/cli: add debug set-expire command for testing Updates tailscale/corp#8811 Updates tailscale/corp#8613 Change-Id: I1c87806ca3ccc5c43e7ddbd6b4d521f73f7d29f1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	06fff461dc	ipn/ipnstate: add PeerStatus.KeyExpiry for tailscale status --json Fixes #6712 Change-Id: I817cd5342fac8a956fcefda2d63158fa488f3395 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	b74db24149	tstest/integration: mark all integration tests as flaky Updates #7036 Change-Id: I3aec5ad680078199ba984bf8afc20b2f2eb37257 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Brad Fitzpatrick	fd92fbd69e	cmd/tailscale/cli: only give systemctl hint on systemd systems Per recent user confusion on a QNAP issue. Change-Id: Ibda00013df793fb831f4088b40be8a04dfad17c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	ba5aa2c486	version, cmd/tailscale: add version.Meta, tailscale version --json Add `tailscale version --json` JSON output mode. This will be used later for a double-opt-in (per node consent like Tailscale SSH + control config) to let admins do remote upgrades via `tailscale update` via a c2n call, which would then need to verify the cmd/tailscale found on disk for running tailscale update corresponds to the running tailscaled, refusing if anything looks amiss. Plus JSON output modes are just nice to have, rather than parsing unstable/fragile/obscure text formats. Updates #6995 Updates #6907 Change-Id: I7821ab7fbea4612f4b9b7bdc1be1ad1095aca71b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	5ca22a0068	cmd/tailscale/cli: make 'tailscale update' support Debian/Ubuntu apt Updates #6995 Change-Id: I3355435db583755e0fc73d76347f6423b8939dfb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6793685bba	go.mod: bump AWS SDK past a breaking API change of theirs They changed a type in their SDK which meant others using the AWS APIs in their Go programs (with newer AWS modules in their caller go.mod) and then depending on Tailscale (for e.g. tsnet) then couldn't compile ipn/store/awsstore. Thanks to @thisisaaronland for bringing this up. Fixes #7019 Change-Id: I8d2919183dabd6045a96120bb52940a9bb27193b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
shayne	73399f784b	cmd/tailscale/cli: use mock impl of LocalClient for serve cmd (#6422 ) Create an interface and mock implementation of tailscale.LocalClient for serve command tests. Updates #6304 Closes #6372 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Brad Fitzpatrick	c129bf1da1	cmd/tailscale/cli: un-alpha login+switch in ShortUsage docs Change-Id: I580d4417cf03833dfa8f6a295fb416faa667c477 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	71a7b8581d	cmd/tailscale/cli: make "update" work on Windows Updates #6995 Co-authored-by: Aaron Klotz <aaron@tailscale.com> Change-Id: I16622f43156a70b6fbc8205239fd489d7378d57b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	aea251d42a	cmd/testwrapper: move from corp; mark magicsock test as flaky Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibab5860f5797b3db151d3c27855333e43a9088a4	2 years ago
Tom DNetto	ee6d18e35f	cmd/tailscale/cli: implement --json for lock status and lock log cmds Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	b657187a69	cmd/tailscale, logtail: add 'tailscale debug daemon-logs' logtail mechanism Fixes #6836 Change-Id: Ia6eb39ff8972e1aa149aeeb63844a97497c2cf04 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	d9144c73a8	cmd/tailscale: add start of "tailscale update" command Goal: one way for users to update Tailscale, downgrade, switch tracks, regardless of platform (Windows, most Linux distros, macOS, Synology). This is a start. Updates #755, etc Change-Id: I23466da1ba41b45f0029ca79a17f5796c2eedd92 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
phirework	f011a0923a	cmd/tailscale/cli: style synology outgoing access info (#6959 ) Follow-up to #6957. Updates #4015 Signed-off-by: Jenny Zhang <jz@tailscale.com>	2 years ago
Brad Fitzpatrick	5eded58924	cmd/tailscale/cli: make web show/link Synology outgoing connection mode/docs Fixes #4015 Change-Id: I8230bb0cc3d621b6fa02ab2462cea104fa1e9cf9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	61dfbc0a6e	cmd/tailscale/cli: plumb TUN mode into tailscale web template UI works remains, but data is there now. Updates #4015 Change-Id: Ib91e94718b655ad60a63596e59468f3b3b102306 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
salman	8a1201ac42	cmd/tailscale: correct order for -terminate-tls flag in serve tcp usage The -terminate-tls flag is for the tcp subsubcommand, not the serve subcommand like the usage example suggests. Signed-off-by: salman <salman@tailscale.com>	2 years ago
Denton Gentry	22ebb25e83	cmd/tailscale: disable HTTPS verification for QNAP auth. QNAP's "Force HTTPS" mode redirects even localhost HTTP to HTTPS, but uses a self-signed certificate which fails verification. We accommodate this by disabling checking of the cert. Fixes https://github.com/tailscale/tailscale/issues/6903 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Brad Fitzpatrick	1116602d4c	ssh/tailssh: add OpenBSD support for Tailscale SSH And bump go.mod for https://github.com/u-root/u-root/pull/2593 Change-Id: I36ec94c5b2b76d671cb739f1e9a1a43ca1d9d1b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	39efba528f	cmd/containerboot: use TS_AUTHKEY as the parameter for auth keys We still accept the previous TS_AUTH_KEY for backwards compatibility, but the documented option name is the spelling we use everywhere else. Updates #6321 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	69c0b7e712	ipn/ipnlocal: add c2n handler to flush logtail for support debugging Updates tailscale/corp#8564 Change-Id: I0c619d4007069f90cffd319fba66bd034d63e84d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	673b3d8dbd	net/dns,userspace: remove unused DNS paths, normalize query limit on iOS With `a42a594bb3`, iOS uses netstack and hence there are no longer any platforms which use the legacy MagicDNS path. As such, we remove it. We also normalize the limit for max in-flight DNS queries on iOS (it was 64, now its 256 as per other platforms). It was 64 for the sake of being cautious about memory, but now we have 50Mb (iOS-15 and greater) instead of 15Mb so we have the spare headroom. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	907f85cd67	cmd/tailscale,tka: make KeyID return an error instead of panicking Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	8724aa254f	cmd/tailscale,tka: implement compat for TKA messages, minor UX tweaks Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
David Anderson	91e64ca74f	cmd/tailscale/cli: redact private key in debug netmap output by default This makes `tailscale debug watch-ipn` safe to use for troubleshooting user issues, in addition to local debugging during development. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Denton Gentry	467ace7d0c	cmd/tailscale: use localhost for QNAP authLogin.cgi When the user clicks on the Tailscale app in the QNAP App Center, we do a GET from /cgi-bin/authLogin.cgi to look up their SID. If the user clicked "secure login" on the QNAP login page to use HTTPS, then our access to authLogin.cgi will also use HTTPS but the certiciate is self-signed. Our GET fails with: Get "https://10.1.10.41/cgi-bin/authLogin.cgi?sid=abcd0123": x509: cannot validate certificate for 10.1.10.41 because it doesn't contain any IP SANs or similar errors. Instead, access QNAP authentication via http://localhost:8080/ as documented in https://download.qnap.com/dev/API_QNAP_QTS_Authentication.pdf Fixes https://github.com/tailscale/tailscale-qpkg/issues/62 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Brad Fitzpatrick	aad6830df0	util/codegen, all: use latest year, not time.Now, in generated files Updates #6865 Change-Id: I6b86c646968ebbd4553cf37df5e5612fbf5c5f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	7bfb9999ee	cmd/printdep: support printing the toolchain SRI hash. Updates #6845. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	3599364312	cmd/nardump: Go tool to build Nix NARs and compute their hashes. Updates #6845. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Claire Wang	a45c9f982a	wgengine/netstack: change netstack API to require LocalBackend The macOS client was forgetting to call netstack.Impl.SetLocalBackend. Change the API so that it can't be started without one, eliminating this class of bug. Then update all the callers. Updates #6764 Change-Id: I2b3a4f31fdfd9fdbbbbfe25a42db0c505373562f Signed-off-by: Claire Wang <claire@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
andig	14e8afe444	go.mod, etc: bump gvisor Fixes #6554 Change-Id: Ia04ae37a47b67fa57091c9bfe1d45a1842589aa8 Signed-off-by: andig <cpuidle@gmx.de>	2 years ago
Brad Fitzpatrick	8aac77aa19	cmd/tailscale: fix "up" warning about netfilter-mode on Synology Fixes #6811 Change-Id: Ia43723e6ebedc9b01729897cec271c462b16e9ae Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	a1ded4c166	cmd/sync-containers: add a dry-run option. Updates tailscale/corp#8461 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	e5fe205c31	cmd/sync-containers: program to sync tags between container registries. Updates tailscale/corp#8461 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	a06217a8bd	cmd/tailscale/cli: hide Windows named pipe default name in flag help It's long & distracting for how low value it is. Fixes #6766 Change-Id: I51364f25c0088d9e63deb9f692ba44031f12251b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Jordan Whited	914d115f65	go.mod: bump tailscale/wireguard-go for big-endian fix (#6785 ) Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 years ago
David Anderson	af3127711a	cmd/containerboot: allow disabling secret storage in k8s. In some configurations, user explicitly do not want to store tailscale state in k8s secrets, because doing that leads to some annoying permission issues with sidecar containers. With this change, TS_KUBE_SECRET="" and TS_STATE_DIR=/foo will force storage to file when running in kubernetes. Fixes #6704. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	c02ccf6424	go.mod: bump dhcp dep to remove another endian package from our tree To pull in insomniacslk/dhcp#484 to pull in u-root/uio#8 Updates golang/go#57237 Change-Id: I1e56656e0dc9ec0b870f799fe3bc18b3caac1ee4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
David Anderson	8171eb600c	cmd/k8s-operator: move the operator into its own namespace. The operator creates a fair bit of internal cluster state to manage proxying, dumping it all in the default namespace is handy for development but rude for production. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	3a5fc233aa	cmd/k8s-operator: use oauth credentials for API access. This automates both the operator's initial login, and provisioning/deprovisioning of proxies. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	a7ab3429b6	cmd/k8s-operator: refactor reconcile loop, un-plumbing reconcile.Result. We used to need to do timed requeues in a few places in the reconcile logic, and the easiest way to do that was to plumb reconcile.Result return values around. But now we're purely event-driven, so the only thing we care about is whether or not an error occurred. Incidentally also fix a very minor bug where headless services would get completely ignored, rather than reconciled into the correct state. This shouldn't matter in practice because you can't transition from a headful to a headless service without a deletion, but for consistency let's avoid having a path that takes no definite action if a service of interest does exist. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Denton Gentry	da53b1347b	cmd/gitops-pusher: support alternate api-server URLs Fixes https://github.com/tailscale/coral/issues/90 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
David Anderson	835a73cc1f	cmd/k8s-operator: remove unnecessary timed requeue. Previously, we had to do blind timed requeues while waiting for the tailscale hostname, because we looked up the hostname through the API. But now the proxy container image writes back its hostname to the k8s secret, so we get an event-triggered reconcile automatically when the time is right. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	d857fd00b3	cmd/k8s-operator: sprinkle debug logging throughout. As is convention in the k8s world, use zap for structured logging. For development, OPERATOR_LOGGING=dev switches to a more human-readable output than JSON. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago

... 3 4 5 6 7 ...

1562 Commits (5de865046657c028e3f20903c208c4fc09edadeb)