Commit Graph

1611 Commits (8c2fcef453eeaec16203c6cfe724c1d686a509ef)

Author SHA1 Message Date
Sonia Appasamy 0ecfc1d5c3 client/web: fill devMode from an env var
Avoids the need to pipe a web client dev flag through the tailscaled
command.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Sonia Appasamy 191e2ce719 client/web: add ServerMode to web.Server
Adds a new Mode to the web server, indicating the specific
scenario the constructed server is intended to be run in. Also
starts filling this from the cli/web and ipn/ipnlocal callers.

From cli/web this gets filled conditionally based on whether the
preview web client node cap is set. If not set, the existing
"legacy" client is served. If set, both a login/lobby and full
management client are started (in "login" and "manage" modes
respectively).

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
James Tucker f27b2cf569 appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc
The design changed during integration and testing, resulting in the
earlier implementation growing in the appc package to be intended now
only for the sniproxy implementation. That code is moved to it's final
location, and the current App Connector code is now renamed.

Updates tailscale/corp#15437

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Aaron Klotz 47019ce1f1 cmd/tailscaled: pre-load wintun.dll using a fully-qualified path
In corp PR #14970 I updated the installer to set a security mitigation that
always forces system32 to the front of the Windows dynamic linker's search
path.

Unfortunately there are other products out there that, partying like it's
1995, drop their own, older version of wintun.dll into system32. Since we
look there first, we end up loading that old version.

We can fix this by preloading wintun using a fully-qualified path. When
wintun-go then loads wintun, the dynamic linker will hand it the module
that was previously loaded by us.

Fixes #10023, #10025, #10052

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
1 year ago
Irbe Krumina af49bcaa52
cmd/k8s-operator: set different app type for operator with proxy (#10081)
Updates tailscale/tailscale#9222

plain k8s-operator should have hostinfo.App set to 'k8s-operator', operator with proxy should have it set to 'k8s-operator-proxy'. In proxy mode, we were setting the type after it had already been set to 'k8s-operator'

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
James Tucker 6ad54fed00 appc,ipn/ipnlocal: add App Connector domain configuration from mapcap
The AppConnector is now configured by the mapcap from the control plane.

Updates tailscale/corp#15437

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
James Tucker b48b7d82d0 appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs
An EmbeddedAppConnector is added that when configured observes DNS
responses from the PeerAPI. If a response is found matching a configured
domain, routes are advertised when necessary.

The wiring from a configuration in the netmap capmap is not yet done, so
while the connector can be enabled, no domains can yet be added.

Updates tailscale/corp#15437

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
David Anderson 37863205ec cmd/k8s-operator: strip credentials from client config in noauth mode
Updates tailscale/corp#15526

Signed-off-by: David Anderson <danderson@tailscale.com>
1 year ago
Rhea Ghosh 970eb5e784
cmd/k8s-operator: sanitize connection headers (#10063)
Fixes tailscale/corp#15526

Signed-off-by: Rhea Ghosh <rhea@tailscale.com>
1 year ago
James Tucker ca4c940a4d ipn: introduce app connector advertisement preference and flags
Introduce a preference structure to store the setting for app connector
advertisement.

Introduce the associated flags:

  tailscale up --advertise-connector{=true,=false}
  tailscale set --advertise-connector{=true,=false}

```
% tailscale set --advertise-connector=false
% tailscale debug prefs | jq .AppConnector.Advertise
false
% tailscale set --advertise-connector=true
% tailscale debug prefs | jq .AppConnector.Advertise
true
% tailscale up --advertise-connector=false
% tailscale debug prefs | jq .AppConnector.Advertise
false
% tailscale up --advertise-connector=true
% tailscale debug prefs | jq .AppConnector.Advertise
true
```

Updates tailscale/corp#15437

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Irbe Krumina c2b87fcb46
cmd/k8s-operator/deploy/chart,.github/workflows: use helm chart API v2 (#10055)
API v1 is compatible with helm v2 and v2 is not.
However, helm v2 (the Tiller deployment mechanism) was deprecated in 2020
and no-one should be using it anymore.
This PR also adds a CI lint test for helm chart

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Will Norris 66c7af3dd3 ipn: replace web client debug flag with node capability
Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Brad Fitzpatrick 3d7fb6c21d derp/derphttp: fix race in mesh watcher
The derphttp client automatically reconnects upon failure.

RunWatchConnectionLoop called derphttp.Client.WatchConnectionChanges
once, but that wrapper method called the underlying
derp.Client.WatchConnectionChanges exactly once on derphttp.Client's
currently active connection. If there's a failure, we need to re-subscribe
upon all reconnections.

This removes the derphttp.Client.WatchConnectionChanges method, which
was basically impossible to use correctly, and changes it to be a
boolean field on derphttp.Client alongside MeshKey and IsProber. Then
it moves the call to the underlying derp.Client.WatchConnectionChanges
to derphttp's client connection code, so it's resubscribed on any
reconnect.

Some paranoia is then added to make sure people hold the API right,
not calling derphttp.Client.RunWatchConnectionLoop on an
already-started Client without having set the bool to true. (But still
auto-setting it to true if that's the first method that's been called
on that derphttp.Client, as is commonly the case, and prevents
existing code from breaking)

Fixes tailscale/corp#9916
Supercedes tailscale/tailscale#9719

Co-authored-by: Val <valerie@tailscale.com>
Co-authored-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Anton Tolchanov <anton@tailscale.com>
Signed-off-by: Brad Fitzpatrick <brad@danga.com>
1 year ago
Tom DNetto a7c80c332a cmd/sniproxy: implement support for control configuration, multiple addresses
* Implement missing tests for sniproxy
 * Wire sniproxy to new appc package
 * Add support to tsnet for routing subnet router traffic into netstack, so it can be handled

Updates: https://github.com/tailscale/corp/issues/15038
Signed-off-by: Tom DNetto <tom@tailscale.com>
1 year ago
Will Norris 28ad910840 ipn: add user pref for running web client
This is not currently exposed as a user-settable preference through
`tailscale up` or `tailscale set`.  Instead, the preference is set when
turning the web client on and off via localapi. In a subsequent commit,
the pref will be used to automatically start the web client on startup
when appropriate.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Sonia Appasamy 89953b015b ipn/ipnlocal,client/web: add web client to tailscaled
Allows for serving the web interface from tailscaled, with the
ability to start and stop the server via localapi endpoints
(/web/start and /web/stop).

This will be used to run the new full management web client,
which will only be accessible over Tailscale (with an extra auth
check step over noise) from the daemon. This switch also allows
us to run the web interface as a long-lived service in environments
where the CLI version is restricted to CGI, allowing us to manage
certain auth state in memory.

ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for
ios builds to satisfy ios restriction from adding "text/template"
and "html/template" dependencies.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Irbe Krumina ed1b935238
cmd/k8s-operator: allow to install operator via helm (#9920)
Initial helm manifests.

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali 9107b5eadf cmd/tailscale/cli: use status before doing interactive feature query
We were inconsistent whether we checked if the feature was already
enabled which we could do cheaply using the locally available status.
We would do the checks fine if we were turning on funnel, but not serve.

This moves the cap checks down into enableFeatureInteractive so that
are always run.

Updates #9984

Co-authored-by: Tyler Smalley <tyler@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Aaron Klotz 95671b71a6 ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.

The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.

This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).

Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.

I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.

Updates https://github.com/tailscale/tailscale/issues/755

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
1 year ago
Tyler Smalley 131518eed1
cmd/tailscale/cli: improve error when bg serve config is present (#9961)
We prevent shodow configs when starting a foreground when a background serve config already exists for the serve type and port. This PR improves the messaging to let the user know how to remove the previous config.

Updates #8489
ENG-2314

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Tyler Smalley 1873bc471b
cmd/tailscale/cli: remove http flag for funnel command (#9955)
The `--http` flag can not be used with Funnel, so we should remove it to remove confusion.

Updates #8489
ENG-2316

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Marwan Sulaiman 5f3cdaf283 cmd/tailscale/cli: chage port flags to uint for serve and funnel
This PR changes the -https, -http, -tcp, and -tls-terminated-tcp
flags from string to int and also updates the validation to ensure
they fit the uint16 size as the flag library does not have a Uint16Var
method.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Marwan Sulaiman a7e4cebb90 cmd/tailscale/cli: refactor TestServeDevConfigMutations
The TestServeDevConfigMutations test has 63 steps that all run
under the same scope. This tests breaks them out into isolated
subtests that can be run independently.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Andrew Lytvynov 21b6d373b0
cmd/tailscale/cli: unhide auto-update flags and mark update as Beta (#9954)
Updates #755

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Marwan Sulaiman f5a7551382 cmd/tailscale: fix help message for serve funnel
We currently print out "run tailscale serve --help" when the subcmd
might be funnel. This PR ensures the right subcmd is passed.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Andrew Lytvynov d3bc575f35
cmd/tailscale/cli: set Sparkle auto-update on macsys (#9952)
On `tailscale set --auto-update`, set the Sparkle plist option for it.
Also make macsys report not supporting auto-updates over c2n, since they
will be triggered by Sparkle locally.

Updates #755

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Tyler Smalley 269a498c1e
cmd/tailscale/cli: serve --set-path should not force background mode (#9905)
A few people have run into issues with understanding why `--set-path` started in background mode, and/or why they couldn't use a path in foreground mode. This change allows `--set-path` to be used in either case (foreground or background).

updates #8489

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Andrew Lytvynov 593c086866
clientupdate: distinguish when auto-updates are possible (#9896)
clientupdate.Updater will have a non-nil Update func in a few cases
where it doesn't actually perform an update:
* on Arch-like distros, where it prints instructions on how to update
* on macOS app store version, where it opens the app store page

Add a new clientupdate.Arguments field to cause NewUpdater to fail when
we hit one of these cases. This results in c2n updates being "not
supported" and `tailscale set --auto-update` returning an error.

Updates #755

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Tyler Smalley 35d7b3aa27
cmd/tailscale/cli: updates help and background messaging (#9929)
* Fixes issue with template string not being provided in help text
* Updates background information to provide full URL, including path, to make it clear the source and destination
* Restores some tests
* Removes AllowFunnel in ServeConfig if no proxy exists for that port.

updates #8489

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Marwan Sulaiman c53ee37912 cmd/tailscale: add set-raw to the new serve funnel commands
This PR adds the same set-raw from the old flow into the new one
so that users can continue to use it when transitioning into the new
flow.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Marwan Sulaiman f232d4554a cmd/tailscale: translate old serve commands to new ones
This PR fixes the isLegacyInvocation to better catch serve and
funnel legacy commands. In addition, it now also returns a string
that translates the old command into the new one so that users
can have an easier transition story.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Marwan Sulaiman 60e768fd14 cmd/tailscale: allow serve|funnel off to delete an entire port
This PR allows you to do "tailscale serve -bg -https:4545 off" and it
will delete all handlers under it. It will also prompt you for a y/n in case
you wanted to delete a single port.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Irbe Krumina e9956419f6
cmd/k8s-operator: allow cleanup of cluster resources for deleted devices (#9917)
Users should delete proxies by deleting or modifying the k8s cluster resources
that they used to tell the operator to create they proxy. With this flow,
the tailscale operator will delete the associated device from the control.
However, in some cases users might have already deleted the device from the control manually.

Updates tailscale/tailscale#9773

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Tyler Smalley d9081d6ba2
cmd/tailscale/cli: update serve/funnel CLI help text (#9895)
updates #8489
ENG-2308

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Adrian Dewhurst 5347e6a292 control/controlclient: support certstore without cgo
We no longer build Windows releases with cgo enabled, which
automatically turned off certstore support. Rather than re-enabling cgo,
we updated our fork of the certstore package to no longer require cgo.
This updates the package, cleans up how the feature is configured, and
removes the cgo build tag requirement.

Fixes tailscale/corp#14797
Fixes tailscale/coral#118

Change-Id: Iaea34340761c0431d759370532c16a48c0913374
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
1 year ago
Andrew Lytvynov 70f9c8a6ed
clientupdate: change Mac App Store support (#9891)
In the sandboxed app from the app store, we cannot check
`/Library/Preferences/com.apple.commerce.plist` or run `softwareupdate`.
We can at most print a helpful message and open the app store page.

Also, reenable macsys update function to mark it as supporting c2n
updates. macsys support in `tailscale update` was fixed.

Updates #755

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Joe Tsai 469b7cabad
cmd/tailscale: improve taildrop progress printer on Linux (#9878)
The progress printer was buggy where it would not print correctly
and some of the truncation logic was faulty.

The progress printer now prints something like:

	go1.21.3.linux-amd64.tar.gz               21.53MiB      13.83MiB/s     33.88%    ETA 00:00:03

where it shows
* the number of bytes transferred so far
* the rate of bytes transferred
  (using a 1-second half-life for an exponentially weighted average)
* the progress made as a percentage
* the estimated time
  (as calculated from the rate of bytes transferred)

Other changes:
* It now correctly prints the progress for very small files
* It prints at a faster rate (4Hz instead of 1Hz)
* It uses IEC units for byte quantities
  (to avoid ambiguities of "kb" being kilobits or kilobytes)

Updates tailscale/corp#14772

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
1 year ago
Tyler Smalley 7a3ae39025
cmd/tailscale/cli: [serve/funnel] support omitting scheme for TCP (#9856)
The `serve` command for TCP  has always required the scheme of the target to be specified. However, when it's omitted the error message reported is misleading

```
error: failed to apply TCP serve: invalid TCP target "localhost:5900": missing port in address
```

Since we know the target is TCP, we shouldn't require it to be specified. This aligns with the changes for HTTP proxies in https://github.com/tailscale/tailscale/issues/8489

closes #9855

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Tyler Smalley 35376d52d4
cmd/tailscale/cli: [serve/funnel] provide correct command for disabling (#9859)
The `off` subcommand removes a serve/funnel for the corresponding type and port. Previously, we were not providing this which would result in an error if someone was using something than the default https=443.

closes #9858

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Brad Fitzpatrick cf27761265 cmd/tsconnect/wasm: add missing tstun.Wrapper.Start call
It's required as of the recent 5297bd2cff.

Updates #7894
Updates #9394 (sure would be nice)

Change-Id: Id6672408dd8a6c82dba71022c8763e589d789fcd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Andrew Lytvynov 33bb2bbfe9
tailcfg,cmd/tailscale: add UrgentSecurityUpdate flag to ClientVersion (#9848)
This flag is used in clients to surface urgent updates more prominently.

Updates #755

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Irbe Krumina cac290da87
cmd/k8s-operator: users can configure firewall mode for kube operator proxies (#9769)
* cmd/k8s-operator: users can configure operator to set firewall mode for proxies

Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode

Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service.

Updates tailscale/tailscale#9310

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Tyler Smalley ddb2a6eb8d
cmd/tailscale: promote new serve/funnel CLI to be default (#9833)
The change is being kept to a minimum to make a revert easy if necessary. After the release, we will go back for a final cleanup.

updates #8489

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Maisem Ali f53c3be07c cmd/k8s-operator: use our own container image instead of busybox
We already have sysctl in the `tailscale/tailscale` image, just use that.

Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Brad Fitzpatrick 4dec0c6eb9 tstest, tstest/integration, github/workflows: shard integration tests
Over four jobs for now.

Updates #cleanup

Change-Id: Ic2b1a739a454916893945a3f9efc480d6fcbd70b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Maisem Ali e6ab7d3c14 cmd/testwrapper: parse args better
Previously we were just smushing together args and not trying
to parse the values at all. This resulted in the args to testwrapper
being limited and confusing.

This makes it so that testwrapper parses flags in the exact format as `go test`
command and passes them down in the provided order. It uses tesing.Init to
register flags that `go test` understands, however those are not the only
flags understood by `go test` (such as `-exec`) so we register these separately.

Updates tailscale/corp#14975

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali 4899c2c1f4 cmd/containerboot: revert to using tailscale up
This partially reverts commits a61a9ab087
and 7538f38671 and fully reverts
4823a7e591.

The goal of that commit was to reapply known config whenever the
container restarts. However, that already happens when TS_AUTH_ONCE was
false (the default back then). So we only had to selectively reapply the
config if TS_AUTH_ONCE is true, this does exactly that.

This is a little sad that we have to revert to `tailscale up`, but it
fixes the backwards incompatibility problem.

Updates tailscale/tailscale#9539

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Brad Fitzpatrick 18bd98d35b cmd/tailscaled,*: add start of configuration file support
Updates #1412

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Rhea Ghosh 71271e41d6
ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798)
This change:
* adds a partial files peerAPI endpoint to get a list of partial files
* adds a helper function to extract the basename of a file
* updates the peer put peerAPI endpoint
* updates the file put localapi endpoint to allow resume functionality

Updates #14772

Signed-off-by: Rhea Ghosh <rhea@tailscale.com>
1 year ago
Brad Fitzpatrick c363b9055d tstest/integration: add tests for tun mode (requiring root)
Updates #7894

Change-Id: Iff0b07b21ae28c712dd665b12918fa28d6f601d0
Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Maisem Ali 5297bd2cff cmd/tailscaled,net/tstun: fix data race on start-up in TUN mode
Fixes #7894

Change-Id: Ice3f8019405714dd69d02bc07694f3872bb598b8

Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali 1294b89792 cmd/k8s-operator: allow setting same host value for tls and ingress rules
We were too strict and required the user not specify the host field at all
in the ingress rules, but that degrades compatibility with existing helm charts.

Relax the constraint so that rule.Host can either be empty, or match the tls.Host[0]
value exactly.

Fixes #9548

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali 2d4f808a4c cmd/containerboot: fix time based serveConfig watcher
This broke in a last minute refactor and seems to have never worked.

Fixes #9686

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
James Tucker 96f01a73b1 tailcfg: import ProtoPortRange for local use
Imported type and parsing, with minor modifications.

Updates tailscale/corp#15043

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Maisem Ali 1cb9e33a95 cmd/k8s-operator: update env var in manifest to APISERVER_PROXY
Replace the deprecated var with the one in docs to avoid confusion.
Introduced in 335a5aaf9a.

Updates #8317
Fixes #9764

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
James Tucker c1ef55249a types/ipproto: import and test string parsing for ipproto
IPProto has been being converted to and from string formats in multiple
locations with variations in behavior. TextMarshaller and JSONMarshaller
implementations are now added, along with defined accepted and preferred
formats to centralize the logic into a single cross compatible
implementation.

Updates tailscale/corp#15043
Fixes tailscale/corp#15141

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Maisem Ali 9d96e05267 net/packet: split off checksum munging into different pkg
The current structure meant that we were embedding netstack in
the tailscale CLI and in the GUIs. This removes that by isolating
the checksum munging to a different pkg which is only called from
`net/tstun`.

Fixes #9756

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali fbfee6a8c0 cmd/containerboot: use linuxfw.NetfilterRunner
This migrates containerboot to reuse the NetfilterRunner used
by tailscaled instead of manipulating iptables rule itself.
This has the added advantage of now working with nftables and
we can potentially drop the `iptables` command from the container
image in the future.

Updates #9310

Co-authored-by: Irbe Krumina <irbe@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Sonia Appasamy 7a0de2997e client/web: remove unused context param from NewServer
Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Andrew Lytvynov 677d486830
clientupdate: abort if current version is newer than latest (#9733)
This is only relevant for unstable releases and local builds. When local
version is newer than upstream, abort release.

Also, re-add missing newlines in output that were missed in
https://github.com/tailscale/tailscale/pull/9694.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Brad Fitzpatrick 6b1ed732df go.mod: bump x/net to 0.17 for CVE-2023-39325
https://go.googlesource.com/net/+/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd

Updates tailscale/corp#15165

Change-Id: Ia8b5e16b1acfe1b2400d321034b41370396f70e2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Kristoffer Dalby 7f540042d5 ipn/ipnlocal: use syspolicy to determine collection of posture data
Updates #5902

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
1 year ago
Kristoffer Dalby 9eedf86563 posture: add get serial support for Windows/Linux
This commit adds support for getting serial numbers from SMBIOS
on Windows/Linux (and BSD) using go-smbios.

Updates #5902

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
1 year ago
Kristoffer Dalby 9593cd3871 posture: add get serial stub for all platforms
Updates #5902

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
1 year ago
Kristoffer Dalby 623926a25d cmd/tailscale: add --posture-checking flag to set
Updates #5902

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
1 year ago
Simon Leonhardt 553f657248 sniproxy allows configuration of hostname
Signed-off-by: Simon Leonhardt <simon@controlzee.com>
1 year ago
Brad Fitzpatrick 6f36f8842c cmd/tailscale, magicsock: add debug command to flip DERP homes
For testing netmap patchification server-side.

Updates #1909

Change-Id: Ib1d784bd97b8d4a31e48374b4567404aae5280cc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Andrew Lytvynov e6aa7b815d
clientupdate,cmd/tailscale/cli: use cli.Stdout/Stderr (#9694)
In case cli.Stdout/Stderr get overriden, all CLI output should use them
instead of os.Stdout/Stderr. Update the `update` command to follow this
pattern.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Andrew Lytvynov 3ee756757b
cmd/tailscale/cli: add update notification to "up" (#9644)
Add available update message in "tailscale up" output. Also update the
message in "tailscale status" to match and mention auto-update.

Updates https://github.com/tailscale/tailscale/issues/755

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Rhea Ghosh dc1c7cbe3e
taildrop: initial commit of taildrop functionality refactoring (#9676)
Over time all taildrop functionality will be contained in the
taildrop package. This will include end to end unit tests. This is
simply the first smallest piece to move over.

There is no functionality change in this commit.

Updates tailscale/corp#14772

Signed-off-by: Rhea Ghosh <rhea@tailscale.com>
Co-authored-by: Joseph Tsai <joetsai@tailscale.com>
1 year ago
Brad Fitzpatrick 93c6e1d53b tstest/deptest: add check that x/exp/{maps,slices} imported as xfoo
Updates #cleanup

Change-Id: I4cbb5e477c739deddf7a46b66f286c9fdb106279
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Andrew Dunham 286c6ce27c
net/dns/resolver: race UDP and TCP queries (#9544)
Instead of just falling back to making a TCP query to an upstream DNS
server when the UDP query returns a truncated query, also start a TCP
query in parallel with the UDP query after a given race timeout. This
ensures that if the upstream DNS server does not reply over UDP (or if
the response packet is blocked, or there's an error), we can still make
queries if the server replies to TCP queries.

This also adds a new package, util/race, to contain the logic required for
racing two different functions and returning the first non-error answer.

Updates tailscale/corp#14809

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I4311702016c1093b1beaa31b135da1def6d86316
1 year ago
Val 73e53dcd1c cmd/tailscale,ipn/ipnlocal: print debug component names
Make the 'tailscale debug component-logs' command print the component names for
which extra logging can be turned on, for easier discoverability of debug
functions.

Updates #cleanup

Co-authored-by: Paul Scott <paul@tailscale.com>
Signed-off-by: Val <valerie@tailscale.com>
1 year ago
Tom DNetto 656a77ab4e net/packet: implement methods for rewriting v6 addresses
Implements the ability for the address-rewriting code to support rewriting IPv6 addresses.

Specifically, UpdateSrcAddr & UpdateDstAddr.

Signed-off-by: Tom DNetto <tom@tailscale.com>
Updates https://github.com/tailscale/corp/issues/11202
1 year ago
Brad Fitzpatrick d2ea9bb1eb cmd/cloner: fix typo in test type's name
s/SliceContianer/SliceContainer/g

Updates #9604

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
James Tucker ab810f1f6d cmd/cloner: add regression test for slice nil/empty semantics
We had a misstep with the semantics when applying an optimization that
showed up in the roll into corp. This test ensures that case and related
cases must be retained.

Updates #9410
Updates #9601
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Claire Wang a56e58c244
util/syspolicy: add read boolean setting (#9592) 1 year ago
James Tucker 324f0d5f80 cmd/cloner,*: revert: optimize nillable slice cloner
This reverts commit ee90cd02fd.

The outcome is not identical for empty slices. Cloner really needs
tests!

Updates #9601

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
James Tucker ee90cd02fd cmd/cloner,*: optimize nillable slice cloner
A wild @josharian appears with a good suggestion for a refactor, thanks
Josh!

Updates #9410
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
James Tucker 0c8c374a41 go.mod: bump all dependencies except go-billy
go-billy is held back at v5.4.1 in order to avoid a newly introduced
subdependency that is not compatible with plan9.

Updates #8043
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
James Tucker 87bc831730 go.mod,cmd/tsconnect: bump esbuild
Updates #8043
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Maisem Ali d71184d674 cmd/containerboot: only wipeout serve config when TS_SERVE_CONFIG is set
Fixes #9558

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Denton Gentry 4823a7e591 cmd/containerboot: set TS_AUTH_ONCE default to true.
1.50.0 switched containerboot from using `tailscale up`
to `tailscale login`. A side-effect is that a re-usable
authkey is now re-applied on every boot by `tailscale login`,
where `tailscale up` would ignore an authkey if already
authenticated.

Though this looks like it is changing the default, in reality
it is setting the default to match what 1.48 and all
prior releases actually implemented.

Fixes https://github.com/tailscale/tailscale/issues/9539
Fixes https://github.com/tailscale/corp/issues/14953

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
1 year ago
Brad Fitzpatrick 856d32b4a9 cmd/testwrapper: include flake URL in JSON metadata
Updates tailscale/corp#14975

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Andrea Barisani b5b4298325 go.mod,*: bump gvisor
Updates #9253

Signed-off-by: Andrea Barisani <andrea@inversepath.com>
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Brad Fitzpatrick 2c92f94e2a cmd/testwrapper: output machine-readable JSON on test flakes
For parsing by other tools.

Updates tailscale/corp#14975

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Maisem Ali 354455e8be ipn: use NodeCapMap in CheckFunnel
These were missed when adding NodeCapMap and resulted
in tsnet binaries not being able to turn on funnel.

Fixes #9566

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Claire Wang e3d6236606
winutil: refactor methods to get values from registry to also return (#9536)
errors
Updates tailscale/corp#14879

Signed-off-by: Claire Wang <claire@tailscale.com>
1 year ago
Irbe Krumina bdd9eeca90
cmd/k8s-operator: fix reconcile filters (#9533)
Ensure that when there is an event on a Tailscale managed Ingress or Service child resource, the right parent type gets reconciled

Updates tailscale/tailscale#502

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Marwan Sulaiman 651620623b ipn/ipnlocal: close foreground sessions on SetServeConfig
This PR ensures zombie foregrounds are shutdown if a new
ServeConfig is created that wipes the ongoing foreground ones.
For example, "tailscale serve|funnel reset|off" should close
all open sessions.

Updates #8489

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
1 year ago
Brad Fitzpatrick 04fabcd359 ipn/{ipnlocal,localapi}, cli: add debug force-netmap-update
For loading testing & profiling the cost of full netmap updates.

Updates #1909

Change-Id: I0afdf5de9967f8d95c7f81d5b531ed1c92c3208f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Joe Tsai 36242904f1
go.mod: update github.com/go-json-experiment/json (#9508)
Update github.com/go-json-experiment/json to the latest version
and fix the build in light of some breaking API changes.

Updates #cleanup

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
1 year ago
James Tucker a82a74f2cf cmd/containerboot: avoid leaking bash scripts after test runs
The test was sending SIGKILL to containerboot, which results in no
signal propagation down to the bash script that is running as a child
process, thus it leaks.

Minor changes to the test daemon script, so that it cleans up the socket
that it creates on exit, and spawns fewer processes.

Fixes tailscale/corp#14833
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Maisem Ali 4669e7f7d5 cmd/containerboot: add iptables based MSS clamping for ingress/egress proxies
In typical k8s setups, the MTU configured on the eth0 interfaces is typically 1500 which
results in packets being dropped when they make it to proxy pods as the tailscale0 interface
has a 1280 MTU.

As the primary use of this functionality is TCP, add iptables based MSS clamping to allow
connectivity.

Updates #502

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Irbe Krumina c5b2a365de
cmd/k8s-operator: fix egress service name (#9494)
Updates https://github.com/tailscale/tailscale/issues/502

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Maisem Ali 5f4d76c18c cmd/k8s-operator: rename egress annotation
It was tailscale.com/ts-tailnet-target-ip, which was pretty
redundant. Change it to tailscale.com/tailnet-ip.

Updates #502

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Will Norris 652f77d236 client/web: switch to using prebuilt web client assets
Updates tailscale/corp#13775

Co-authored-by: Sonia Appasamy <sonia@tailscale.com>
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Maisem Ali 19a9d9037f tailcfg: add NodeCapMap
Like PeerCapMap, add a field to `tailcfg.Node` which provides
a map of Capability to raw JSON messages which are deferred to be
parsed later by the application code which cares about the specific
capabilities. This effectively allows us to prototype new behavior
without having to commit to a schema in tailcfg, and it also opens up
the possibilities to develop custom behavior in tsnet applications w/o
having to plumb through application specific data in the MapResponse.

Updates #4217

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali 4da0689c2c tailcfg: add Node.HasCap helpers
This makes a follow up change less noisy.

Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali d06b48dd0a tailcfg: add RawMessage
This adds a new RawMessage type backed by string instead of the
json.RawMessage which is backed by []byte. The byte slice makes
the generated views be a lot more defensive than the need to be
which we can get around by using a string instead.

Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago