tailscale

Commit Graph

Author	SHA1	Message	Date
Percy Wegmann	817badf9ca	ipn/ipnlocal: reuse transport across Taildrive remotes This prevents us from opening a new connection on each HTTP request. Updates #11967 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	2cf764e998	drive: actually cache results on statcache Updates #11967 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	406293682c	cmd/k8s-operator: cleanup runReconciler signature (#11993 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Claire Wang	35872e86d2	ipnlocal, magicsock: store last suggested exit node id in local backend (#11959 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	b62cfc430a	tstest/integration/testcontrol: fix data race Noticed in earlier GitHub actions failure. Fixes #11994 Change-Id: Iba8d753caaa3dacbe2da9171d96c5f99b12e62d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	e9505e5432	ipn/ipnlocal: plumb health.Tracker into profileManager constructor Setting the field after-the-fact wasn't working because we could migrate prefs on creation, which would set health status for auto updates. Updates #11986 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I41d79ebd61d64829a3a9e70586ce56f62d24ccfd	2 months ago
Brad Fitzpatrick	e42c4396cf	net/netcheck: don't spam on ICMP socket permission denied errors While debugging a failing test in airplane mode on macOS, I noticed netcheck logspam about ICMP socket creation permission denied errors. Apparently macOS just can't do those, or at least not in airplane mode. Not worth spamming about. Updates #cleanup Change-Id: I302620cfd3c8eabb25202d7eef040c01bd8a843c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	15fc6cd966	derp/derphttp: fix netcheck HTTPS probes The netcheck client, when no UDP is available, probes distance using HTTPS. Several problems: * It probes using /derp/latency-check. * But cmd/derper serves the handler at /derp/probe * Despite the difference, it work by accident until `c8f4dfc8c0` which made netcheck's probe require a 2xx status code. * in tests, we only use derphttp.Handler, so the cmd/derper-installed mux routes aren't preesnt, so there's no probe. That breaks tests in airplane mode. netcheck.Client then reports "unexpected HTTP status 426" (Upgrade Required) This makes derp handle both /derp/probe and /derp/latency-check equivalently, and in both cmd/derper and derphttp.Handler standalone modes. I notice this when wgengine/magicsock TestActiveDiscovery was failing in airplane mode (no wifi). It still doesn't pass, but it gets further. Fixes #11989 Change-Id: I45213d4bd137e0f29aac8bd4a9ac92091065113f	2 months ago
Brad Fitzpatrick	1fe0983f2d	cmd/derper,tstest/nettest: skip network-needing test in airplane mode Not buying wifi on a short flight is a good way to find tests that require network. Whoops. Updates #cleanup Change-Id: Ibe678e9c755d27269ad7206413ffe9971f07d298 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	46f3feae96	ssh/tailssh: plumb health.Tracker in test In prep for it being required in more places. Updates #11874 Change-Id: Ib743205fc2a6c6ff3d2c4ed3a2b28cac79156539 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	4fa6cbec27	ssh/tailssh: use ptr.To in test Updates #cleanup Change-Id: Ic98ba1b63c8205084b30f59f0ca343788edea5b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	ee3bd4dbda	derp/derphttp, net/netcheck: plumb netmon.Monitor to derp netcheck client Fixes #11981 Change-Id: I0e15a09f93aefb3cfddbc12d463c1c08b83e09fd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Percy Wegmann	a03cb866b4	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	745fb31bd4	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	07e783c7be	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	3349e86c0a	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	0c11fd978b	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	9d22ec0ba2	drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Irbe Krumina	cd633a7252	cmd/k8s-operator/deploy,k8s-operator: document that metrics are unstable (#11979 ) Updates#11292 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Andrew Dunham	f97d0ac994	net/dns/resolver: add better error wrapping To aid in debugging exactly what's going wrong, instead of the not-particularly-useful "dns udp query: context deadline exceeded" error that we currently get. Updates #3786 Updates #10768 Updates #11620 (etc.) Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I76334bf0681a8a2c72c90700f636c4174931432c	2 months ago
Claire Wang	e0287a4b33	wgengine: add exit destination logging enable for wgengine logger (#11952 ) Updates tailscale/corp#18625 Co-authored-by: Kevin Liang <kevinliang@tailscale.com> Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Irbe Krumina	19b31ac9a6	cmd/{k8s-operator,k8s-nameserver},k8s-operator: update nameserver config with records for ingress/egress proxies (#11019 ) cmd/k8s-operator: optionally update dnsrecords Configmap with DNS records for proxies. This commit adds functionality to automatically populate DNS records for the in-cluster ts.net nameserver to allow cluster workloads to resolve MagicDNS names associated with operator's proxies. The records are created as follows: * For tailscale Ingress proxies there will be a record mapping the MagicDNS name of the Ingress device and each proxy Pod's IP address. * For cluster egress proxies, configured via tailscale.com/tailnet-fqdn annotation, there will be a record for each proxy Pod, mapping the MagicDNS name of the exposed tailnet workload to the proxy Pod's IP. No records will be created for any other proxy types. Records will only be created if users have configured the operator to deploy an in-cluster ts.net nameserver by applying tailscale.com/v1alpha1.DNSConfig. It is user's responsibility to add the ts.net nameserver as a stub nameserver for ts.net DNS names. https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns#upstream_nameservers See also https://github.com/tailscale/tailscale/pull/11017 Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Maisem Ali	a49ed2e145	derp,ipn/ipnlocal: stop calling rand.Seed It's deprecated and using it gets us the old slow behavior according to https://go.dev/blog/randv2. > Having eliminated repeatability of the global output stream, Go 1.20 > was also able to make the global generator scale better in programs > that don’t call rand.Seed, replacing the Go 1 generator with a very > cheap per-thread wyrand generator already used inside the Go > runtime. This removed the global mutex and made the top-level > functions scale much better. Programs that do call rand.Seed fall > back to the mutex-protected Go 1 generator. Updates #7123 Change-Id: Ia5452e66bd16b5457d4b1c290a59294545e13291 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 months ago
Brad Fitzpatrick	96712e10a7	health, ipn/ipnlocal: move more health warning code into health.Tracker In prep for making health warnings rich objects with metadata rather than a bunch of strings, start moving it all into the same place. We'll still ultimately need the stringified form for the CLI and LocalAPI for compatibility but we'll next convert all these warnings into Warnables that have severity levels and such, and legacy stringification will just be something each Warnable thing can do. Updates #4136 Change-Id: I83e189435daae3664135ed53c98627c66e9e53da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	be663c84c1	net/tstun: rename natConfig to peerConfig So that we can use this for additional, non-NAT configuration without it being confusing. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1658d59c9824217917a94ee76d2d08f0a682986f	2 months ago
Andrew Dunham	10497acc95	net/tstun: refactor natConfig to not be per-family This was a holdover from the older, pre-BART days and is no longer necessary. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I71b892bab1898077767b9ff51cef33d59c08faf8	2 months ago
Andrew Lytvynov	13e1355546	scripts/installer.sh: remove unnecessary escaping in grep (#11950 ) Updates #11263 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Percy Wegmann	843afe7c53	ssh/tailssh: add integration test Updates tailscale/corp#11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Jonathan Nobels	45b9aa0d83	net/netmon: remove spammy log statements (#11953 ) Updates tailscale/corp#18960 Tests in corp called us using the wrong logging calls. Removed. This is logged downstream anyway. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Paul Scott	4c08410011	cmd/tailscale/cli: set localClient.UseSocketOnly during flag parsing This configures localClient correctly during flag parsing, so that the --socket option is effective when generating tab-completion results. For example, the following would not connect to the system Tailscale for tab-completion results: tailscale --socket=/tmp/tailscaled.socket switch <TAB> Updates #3793 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Paul Scott	ba34943133	cmd/tailscale/cli/ffcomplete: omit and clean completion results Updates #3793 Signed-off-by: Paul Scott <paul@tailscale.com>	2 months ago
Jonathan Nobels	fa1303d632	net/netmon: swap to swift-derived defaultRoute on macos (#11936 ) Updates tailscale/corp#18960 iOS uses Apple's NetworkMonitor to track the default interface and there's no reason we shouldn't also use this on macOS, for the same reasons noted in the comments for why this change was made on iOS. This eliminates the need to load and parse the routing table when querying the defaultRouter() in almost all cases. A slight modification here (on both platforms) to fallback to the default BSD logic in the unhappy-path rather than making assumptions that may not hold. If netmon is eventually parsing AF_ROUTE and able to give a consistently correct answer for the default interface index, we can fall back to that and eliminate the Swift dependency. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Gabe Gorelick	de85610be0	cmd/k8s-operator/deploy/chart: allow users to configure additional labels for the operator's Pod via Helm chart values. cmd/k8s-operator/deploy/chart: allow users to configure additional labels for the operator's Pod via Helm chart values. Fixes #11947 Signed-off-by: Gabe Gorelick <gabe@hightouch.io>	2 months ago
Percy Wegmann	2648d475d7	drive: don't allow DELETE on read-only shares Fixes tailscale/corp#19646 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Brad Fitzpatrick	7455e027e9	util/slicesx: add AppendMatching We had this in a different repo, but moving it here, as this a more fitting package. Updates #cleanup Change-Id: I5fb9b10e465932aeef5841c67deba4d77d473d57 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrew Dunham	fe009c134e	ipn/ipnlocal: reset the dialPlan only when the URL is unchanged Also, reset it in a few more places (e.g. logout, new blank profiles, etc.) to avoid a few more cases where a pre-existing dialPlan can cause a new Headscale server take 10+ seconds to connect. Updates #11938 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I3095173a5a3d9720507afe4452548491e9e45a3e	2 months ago
Brad Fitzpatrick	c47f9303b0	types/views: use slices.Contains{,Func} Updates #8419 Change-Id: Ib1a9cb3fb425284b7e02684072a4e7a35975f35c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Joe Tsai	5db80cf2d8	syncs: fix AtomicValue for interface kinds (#11943 ) If AtomicValue[T] is used with a T that is an interface kind, then Store may panic if different concret types are ever stored. Fix this by always wrapping in a concrete type. Technically, this is only needed if T is an interface kind, but there is no harm in doing it also for non-interface kinds. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Irbe Krumina	44aa809cb0	cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11919 ) * cmd/k8s-nameserver,k8s-operator: add a nameserver that can resolve ts.net DNS names in cluster. Adds a simple nameserver that can respond to A record queries for ts.net DNS names. It can respond to queries from in-memory records, populated from a ConfigMap mounted at /config. It dynamically updates its records as the ConfigMap contents changes. It will respond with NXDOMAIN to queries for any other record types (AAAA to be implemented in the future). It can respond to queries over UDP or TCP. It runs a miekg/dns DNS server with a single registered handler for ts.net domain names. Queries for other domain names will be refused. The intended use of this is: 1) to allow non-tailnet cluster workloads to talk to HTTPS tailnet services exposed via Tailscale operator egress over HTTPS 2) to allow non-tailnet cluster workloads to talk to workloads in the same cluster that have been exposed to tailnet over their MagicDNS names but on their cluster IPs. DNSConfig CRD can be used to configure the operator to deploy kube nameserver (./cmd/k8s-nameserver) to cluster. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Shaw Drastin	1fe073098c	Reset dial plan when switching profile (#11933 ) When switching profile, the server URL can change (e.g. because of switching to a self-hosted headscale instance). If it is not reset here, dial plans returned by old server (e.g. tailscale control server) will be used to connect to new server (e.g. self-hosted headscale server), and the register request will be blocked by it until timeout, leading to very slow profile switches. Updates #11938 11938 Signed-off-by: Shaw Drastin <showier.drastic0a@icloud.com>	2 months ago
Jordan Whited	a47ce618bd	net/tstun: implement env var for disabling UDP GRO on Linux (#11924 ) Certain device drivers (e.g. vxlan, geneve) do not properly handle coalesced UDP packets later in the stack, resulting in packet loss. Updates #11026 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Mario Minardi	ec04c677c0	api.md: add documentation for new split DNS endpoints (#11922 ) Add documentation for GET/PATCH/PUT `api/v2/tailnet/<ID>/dns/split-dns`. These endpoints allow for reading, partially updating, and replacing the split DNS settings for a given tailnet. Updates https://github.com/tailscale/corp/issues/19483 Signed-off-by: Mario Minardi <mario@tailscale.com>	2 months ago
Andrew Lytvynov	7ba8f03936	ipn/ipnlocal: fix TestOnTailnetDefaultAutoUpdate on unsupported platforms (#11921 ) Fixes #11894 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Irbe Krumina	7d9c3f9897	cmd/k8s-operator/deploy/manifests: check if IPv6 module is loaded before using it (#11867 ) Before attempting to enable IPv6 forwarding in the proxy init container check if the relevant module is found, else the container crashes on hosts that don't have it. Updates#11860 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Andrew Lytvynov	d02f1be46a	scripts/installer.sh: enable Alpine community repo if needed (#11837 ) The tailscale package is in the community Alpine repo. Check if it's commented out in `/etc/apk/repositories` and run `setup-apkrepos -c -1` if it's not. Fixes #11263 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Claire Wang	5254f6de06	tailcfg: add suggest exit node UI node attribute (#11918 ) Add node attribute to determine whether or not to show suggested exit node in UI. Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Andrew Lytvynov	ce5c80d0fe	clientupdate: exec systemctl instead of using dbus to restart (#11923 ) Shell out to "systemctl", which lets us drop an extra dependency. Updates https://github.com/tailscale/corp/issues/18935 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Fran Bull	6a0fbacc28	appc: setting AdvertiseRoutes explicitly discards app connector routes This fixes bugs where after using the cli to set AdvertiseRoutes users were finding that they had to restart tailscaled before the app connector would advertise previously learned routes again. And seems more in line with user expectations. Fixes #11006 Signed-off-by: Fran Bull <fran@tailscale.com>	2 months ago
Fran Bull	c27dc1ca31	appc: unadvertise routes when reconfiguring app connector If the controlknob to persist app connector routes is enabled, when reconfiguring an app connector unadvertise routes that are no longer relevant. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	2 months ago
Fran Bull	fea2e73bc1	appc: write discovered domains to StateStore If the controlknob is on. This will allow us to remove discovered routes associated with a particular domain. Updates #11008 Signed-off-by: Fran Bull <fran@tailscale.com>	2 months ago

1 2 3 4 5 ...

7541 Commits (817badf9ca95e081626d034911c772ce2070955f) All Branches Search

7541 Commits (817badf9ca95e081626d034911c772ce2070955f)

All Branches