tailscale

Commit Graph

Author	SHA1	Message	Date
Anton Tolchanov	53c4892841	ipn/ipnserver: propagate http.Serve error This ensures that we capture error returned by `Serve` and exit with a non-zero exit code if it happens. Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
David Anderson	8171eb600c	cmd/k8s-operator: move the operator into its own namespace. The operator creates a fair bit of internal cluster state to manage proxying, dumping it all in the default namespace is handy for development but rude for production. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Brad Fitzpatrick	56f7da0cfd	ssh/tailssh: set default Tailscale SSH $PATH for non-interactive commands Fixes #5285 Co-authored-by: Andrew Dunham <andrew@tailscale.com> Change-Id: Ic7e967bf6a53b056cac5f21dd39565d9c31563af Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Joe Tsai	350aab05e5	util/multierr: optimize New for nil cases (#6750 ) Consider the following pattern: err1 := foo() err2 := bar() err3 := baz() return multierr.New(err1, err2, err3) If err1, err2, and err3 are all nil, then multierr.New should not allocate. Thus, modify the logic of New to count the number of distinct error values and allocate the exactly needed slice. This also speeds up non-empty error situation since repeatedly growing with append is slow. Performance: name old time/op new time/op delta Empty-24 41.8ns ± 2% 6.4ns ± 1% -84.73% (p=0.000 n=10+10) NonEmpty-24 120ns ± 3% 69ns ± 1% -42.01% (p=0.000 n=9+10) name old alloc/op new alloc/op delta Empty-24 64.0B ± 0% 0.0B -100.00% (p=0.000 n=10+10) NonEmpty-24 168B ± 0% 88B ± 0% -47.62% (p=0.000 n=10+10) name old allocs/op new allocs/op delta Empty-24 1.00 ± 0% 0.00 -100.00% (p=0.000 n=10+10) NonEmpty-24 3.00 ± 0% 2.00 ± 0% -33.33% (p=0.000 n=10+10) Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Jordan Whited	55b24009f7	net/tstun: don't return early from a partial tun.Read() (#6745 ) Fixes #6730 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
David Anderson	3a5fc233aa	cmd/k8s-operator: use oauth credentials for API access. This automates both the operator's initial login, and provisioning/deprovisioning of proxies. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	a7ab3429b6	cmd/k8s-operator: refactor reconcile loop, un-plumbing reconcile.Result. We used to need to do timed requeues in a few places in the reconcile logic, and the easiest way to do that was to plumb reconcile.Result return values around. But now we're purely event-driven, so the only thing we care about is whether or not an error occurred. Incidentally also fix a very minor bug where headless services would get completely ignored, rather than reconciled into the correct state. This shouldn't matter in practice because you can't transition from a headful to a headless service without a deletion, but for consistency let's avoid having a path that takes no definite action if a service of interest does exist. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Denton Gentry	da53b1347b	cmd/gitops-pusher: support alternate api-server URLs Fixes https://github.com/tailscale/coral/issues/90 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
David Anderson	835a73cc1f	cmd/k8s-operator: remove unnecessary timed requeue. Previously, we had to do blind timed requeues while waiting for the tailscale hostname, because we looked up the hostname through the API. But now the proxy container image writes back its hostname to the k8s secret, so we get an event-triggered reconcile automatically when the time is right. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	d857fd00b3	cmd/k8s-operator: sprinkle debug logging throughout. As is convention in the k8s world, use zap for structured logging. For development, OPERATOR_LOGGING=dev switches to a more human-readable output than JSON. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	8ccd707218	cmd/k8s-operator: remove times requeues in proxy deletion path. Our reconcile loop gets triggered again when the StatefulSet object finally disappears (in addition to when its deletion starts, as indicated by DeletionTimestamp != 0). So, we don't need to queue additional reconciliations to proceed with the remainder of the cleanup, that happens organically. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	c0fcab01ac	client/tailscale: fix request object for key creation. The request takes key capabilities as an argument, but wrapped in a parent object. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Andrew Dunham	3f4d51c588	net/dns: don't send on closed channel when message too large Previously, if a DNS-over-TCP message was received while there were existing queries in-flight, and it was over the size limit, we'd close the 'responses' channel. This would cause those in-flight queries to send on the closed channel and panic. Instead, don't close the channel at all and rely on s.ctx being canceled, which will ensure that in-flight queries don't hang. Fixes #6725 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8267728ac37ed7ae38ddd09ce2633a5824320097	1 year ago
Brad Fitzpatrick	44be59c15a	wgengine/magicsock: fix panic in wireguard-go rate limiting path Fixes #6686 Change-Id: I1055a87141b07261afed8e36c963a69f3be26088 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	0d47cd2284	wgengine/monitor: fix panic due to race on Windows It's possible for the 'somethingChanged' callback to be registered and then trigger before the ctx field is assigned; move the assignment earlier so this can't happen. Change-Id: Ia7ee8b937299014a083ab40adf31a8b3e0db4ec5 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 year ago
David Anderson	d81a2b2ce2	Makefile: add a target for doing dev builds of the k8s operator. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	9c77205ba1	cmd/k8s-operator: add more tests for "normal" paths. Tests cover configuring a proxy through an annotation rather than a LoadBalancerClass, and converting between those two modes at runtime. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	c902190e67	cmd/k8s-operator: factor out some of the larger expected test outputs. For other test cases, the operator is going to produce similar generated objects in several codepaths, and those objects are large. Move them out to helpers so that the main test code stays a bit more intelligible. The top-level Service that we start and end with remains in the main test body, because its shape at the start and end is one of the main things that varies a lot between test cases. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	8dbb3b8bbe	cmd/k8s-operator: remove unused structs. Cleanup missed in #6718 . Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	53a9cc76c7	cmd/k8s-operator: rename main.go -> operator.go. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	bc8f5a7734	cmd/k8s-operator: add a basic unit test. The test verifies one of the successful reconcile paths, where a client requests an exposed service via a LoadBalancer class. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	3b7ae39a06	cmd/k8s-operator: use the client's authkey method to create auth keys. Also introduces an intermediary interface for the tailscale client, in preparation for operator tests that fake out the Tailscale API interaction. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Brad Fitzpatrick	ca08e316af	util/endian: delete package; use updated josharian/native instead See josharian/native#3 Updates golang/go#57237 Change-Id: I238c04c6654e5b9e7d9cfb81a7bbc5e1043a84a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Joe Tsai	bd2995c14b	ipn/ipnlocal: simplify redactErr (#6716 ) Use multierr.Range to iterate through an error tree instead of multiple invocations of errors.As. This scales better as we add more Go error types to the switch. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Joe Tsai	c47578b528	util/multierr: add Range (#6643 ) Errors in Go are no longer viewed as a linear chain, but a tree. See golang/go#53435. Add a Range function that iterates through an error in a pre-order, depth-first order. This matches the iteration order of errors.As in Go 1.20. This adds the logic (but currently commented out) for having Error implement the multi-error version of Unwrap in Go 1.20. It is commented out currently since it causes "go vet" to complain about having the "wrong" signature. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Dave Anderson	041a0e3c27	client/tailscale: add APIs for auth key management. (#6715 ) client/tailscale: add APIs for key management. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	b2d4abf25a	cmd/k8s-operator: add a kubernetes operator. This was initially developed in a separate repo, but for build/release reasons and because go module management limits the damage of importing k8s things now, moving it into this repo. At time of commit, the operator enables exposing services over tailscale, with the 'tailscale' loadBalancerClass. It also currently requires an unreleased feature to access the Tailscale API, so is not usable yet. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Mihai Parparita	47002d93a3	ipn/ipnlocal: add a few metrics for PeerAPI and LocalAPI Mainly motivated by wanting to know how much Taildrop is used, but also useful when tracking down how many invalid requests are generated. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Aaron Klotz	53e2010b8a	cmd/tailscaled: change Windows implementation to shut down subprocess via closing its stdin We've been doing a hard kill of the subprocess, which is only safe as long as both the cli and gui are not running and the subprocess has had the opportunity to clean up DNS settings etc. If unattended mode is turned on, this is definitely unsafe. I changed babysitProc to close the subprocess's stdin to make it shut down, and then I plumbed a cancel function into the stdin reader on the subprocess side. Fixes https://github.com/tailscale/corp/issues/5621 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
缘生	9c67395334	feat(build): add support on Loongnix-Server (loong64) (#6233 ) Makefile, .github/workflow: add tests, targets for GOARCH=loong64 (Loongnix) Signed-off-by: ysicing <i@ysicing.me>	1 year ago
Brad Fitzpatrick	7b65b7f85c	go.mod: bump tailscale/wireguard-go for loong64 Updates tailscale/tailscale#6233 Change-Id: I5ba1826e79be51c03b19f2b31d73024410be4970 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	5a523fdc7f	go.mod: update deps to add support for GOARCH=loong64 Updates tailscale/tailscale#6233 Change-Id: Ibbc8e42607342e4ab4fc0b365ed628d82b56864d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
shayne	9d335aabb2	cmd/tailscale/cli: [ssh] fix typo in help text (#6694 ) arugments => arguments Signed-off-by: shayne <79330+shayne@users.noreply.github.com>	1 year ago
License Updater	ab4992e10d	licenses: update win/apple licenses Signed-off-by: License Updater <noreply@tailscale.com>	1 year ago
Jordan Whited	ea5ee6f87c	all: update golang.zx2c4.com/wireguard to github.com/tailscale/wireguard-go (#6692 ) This is temporary while we work to upstream performance work in https://github.com/WireGuard/wireguard-go/pull/64. A replace directive is less ideal as it breaks dependent code without duplication of the directive. Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Andrew Dunham	b63094431b	wgengine/router: fix tests on systems with older Busybox 'ip' binary Adjust the expected system output by removing the unsupported mask component including and after the slash in expected output like: fwmask 0xabc/0xdef This package's tests now pass in an Alpine container when the 'go' and 'iptables' packages are installed (and run as privileged so /dev/net/tun exists). Fixes #5928 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id1a3896282bfa36b64afaec7a47205e63ad88542	1 year ago
Maisem Ali	eb1adf629f	net/tstun: reuse buffered packet from pool We would call parsedPacketPool.Get() for all packets received in Read/Write. This was wasteful and not necessary, fetch a single *packet.Parsed for all packets. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Walter Poupore	383e203fd2	cmd/tailscale/cli: update lock status help strings (#6675 ) Signed-off-by: Walter Poupore <walterp@tailscale.com> Signed-off-by: Walter Poupore <walterp@tailscale.com>	1 year ago
Jordan Whited	76389d8baf	net/tstun, wgengine/magicsock: enable vectorized I/O on Linux (#6663 ) This commit updates the wireguard-go dependency and implements the necessary changes to the tun.Device and conn.Bind implementations to support passing vectors of packets in tailscaled. This significantly improves throughput performance on Linux. Updates #414 Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com>	1 year ago
James Tucker	389238fe4a	cmd/tailscale/cli: add workaround for improper named socket quoting in ssh command This avoids the issue in the common case where the socket path is the default path, avoiding the immediate need for a Windows shell quote implementation. Updates #6639 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Mihai Parparita	bdc45b9066	wgengine/magicsock: fix panic when rebinding fails We would replace the existing real implementation of nettype.PacketConn with a blockForeverConn, but that violates the contract of atomic.Value (where the type cannot change). Fix by switching to a pointer value (atomic.Pointer[nettype.PacketConn]). A longstanding issue, but became more prevalent when we started binding connections to interfaces on macOS and iOS (#6566), which could lead to the bind call failing if the interface was no longer available. Fixes #6641 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Tom DNetto	e27f4f022e	cmd/tailscale/cli: add progress to tailscale file cp Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Xe Iaso	d1a5757639	tsnet: add HTTP client method to tsnet.Server (#6669 ) This allows tsnet services to make requests to other services in the tailnet with the tsnet service identity instead of the identity of the host machine. This also enables tsnet services to make requests to other tailnet services without having to have the host machine join the tailnet. Signed-off-by: Xe Iaso <xe@tailscale.com> Signed-off-by: Xe Iaso <xe@tailscale.com>	1 year ago
salman	2d271f3bd1	ipn/ipnlocal: disallow exit nodes from using exit nodes Nodes which have both -advertise-exit-node and -exit-node in prefs should continue have them until the next invocation of `tailscale up`. Updates #3569. Signed-off-by: salman <salman@tailscale.com>	1 year ago
License Updater	5f68763cb2	licenses: update win/apple licenses Signed-off-by: License Updater <noreply@tailscale.com>	1 year ago
shayne	98114bf608	cmd/tailscale/cli, ipn/localapi: add funnel status to status command (#6402 ) Fixes #6400 open up GETs for localapi serve-config to allow read-only access to ServeConfig `tailscale status` will include "Funnel on" status when Funnel is configured. Prints nothing if Funnel is not running. Example: $ tailscale status <nodes redacted> # Funnel on: # - https://node-name.corp.ts.net # - https://node-name.corp.ts.net:8443 # - tcp://node-name.corp.ts.net:10000 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
David Anderson	1b65630e83	cmd/containerboot: switch to IPN bus monitoring instead of polling. We still have to shell out to `tailscale up` because the container image's API includes "arbitrary flags to tailscale up", unfortunately. But this should still speed up startup a little, and also enables k8s-bound containers to update their device information as new netmap updates come in. Fixes #6657 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Tom DNetto	55e0512a05	ipn/ipnlocal,cmd/tailscale: minor improvements to lock modify command * Do not print the status at the end of a successful operation * Ensure the key of the current node is actually trusted to make these changes Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Aaron Klotz	98f21354c6	cmd/tailscaled: add a special command to tailscaled's Windows service for removing WinTun WinTun is installed lazily by tailscaled while it is running as LocalSystem. Based upon what we're seeing in bug reports and support requests, removing WinTun as a lesser user may fail under certain Windows versions, even when that user is an Administrator. By adding a user-defined command code to tailscaled, we can ask the service to do the removal on our behalf while it is still running as LocalSystem. * The uninstall code is basically the same as it is in corp; * The command code will be sent as a service control request and is protected by the SERVICE_USER_DEFINED_CONTROL access right, which requires Administrator. I'll be adding follow-up patches in corp to engage this functionality. Updates https://github.com/tailscale/tailscale/issues/6433 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
David Anderson	367228ef82	cmd/containerboot: gracefully degrade if missing patch permissions in k8s. Fixes #6629. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago

... 2 3 4 5 6 ...

5199 Commits (71029cea2ddf82007b80f465b256d027eab0f02d) All Branches Search

5199 Commits (71029cea2ddf82007b80f465b256d027eab0f02d)

All Branches