Commit Graph

10026 Commits (8cb076bc72dca7547d0a43291d47fa90e09c8495)
 

Author SHA1 Message Date
Harry Harpham 8cb076bc72
tsnet: add example for advertising a Service with multiple ports
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham 003bf36342
tsnet: fix address returned by service listener
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham c2e81dd9d9
tsnet: resolve issues listening on multiple ports, refactor input
Issues were resolved mainly via cherry-picked commits prior to this.

Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham f779b0089d
tsnet: ensure funnel listener cleans up after itself when closed
Previously the funnel listener would leave artifacts in the serve
config. This caused weird out-of-sync effects like the admin panel
showing that funnel was enabled for a node, but the node rejecting
packets because the listener was closed.

This change resolves these synchronization issues by ensuring that
funnel listeners clean up the serve config when closed.

See also:
e109cf9fdd

Updates #cleanup
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham e3c75a4398
tsnet: reset serve config only once
Prior to this change, we were resetting the tsnet's serve config every
time tsnet.Server.Up was run. This is important to do on startup, to
prevent messy interactions with stale configuration when the code has
changed.

However, Up is frequently run as a just-in-case step (for example, by
Server.ListenTLS/ListenFunnel and possibly by consumers of tsnet). When
the serve config is reset on each of these calls to Up, this creates
situations in which the serve config disappears unexpectedly. The
solution is to reset the serve config only on the first call to Up.

Fixes #8800
Updates tailscale/corp#27200
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham 51e9aec240
tsnet: fix race condition in TestListenService
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 days ago
Harry Harpham b4ebe5ae70
tsnet: change format of configuration to ListenService
Signed-off-by: Harry Harpham <harry@tailscale.com>
7 days ago
Harry Harpham 0d16a0bf32
tsnet: fix bug in app capabilities forwarding
Signed-off-by: Harry Harpham <harry@tailscale.com>
7 days ago
Harry Harpham 2c2b2f8cf9
tsnet: add support to ListenService for identity and app capability headers
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham a44e9d9c08
ipn/ipnlocal: set certificate retrieval function directly in tests
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham 1584825c9a
tsnet: use ipnlocal.LocalBackend.SetCertsForTest
This replaces tsnet's independent and more limited cert-override logic.

Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham 376cd5fc61
Revert "Reapply "(debugging) Lots of print statements""
This reverts commit 19f06d4784.
3 weeks ago
Harry Harpham 95318b7cb4
tsnet: fix TLS-terminated-TCP test
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham 0bb60fe2ad
ipn/ipnlocal: add ability to configure TLS certs for tests
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham 19f06d4784
Reapply "(debugging) Lots of print statements"
This reverts commit 18721591ef.
3 weeks ago
Harry Harpham 39b84281e0
working example using TLS termination
Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham 180e100a82
ipn: ensure TLS termination works for Services by correctly setting FQDN
This is really just cherry-picking Naman's work in
https://github.com/tailscale/tailscale/pull/17752

Signed-off-by: Harry Harpham <harry@tailscale.com>
3 weeks ago
Harry Harpham 706028c3c4
Clean up test
Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Harry Harpham 0922a4727c
Implement a few options, check for ACL tags
Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Harry Harpham 645808c3e9
Clean up test a bit
Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Harry Harpham 18721591ef
Revert "(debugging) Lots of print statements"
This reverts commit 01440eb2f5.
4 weeks ago
Harry Harpham f38c68557d
(wip) The test works!
Still very messy

Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Harry Harpham 01440eb2f5
(debugging) Lots of print statements
Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Harry Harpham 8c22e1f60f
(wip) Add end-to-end test, but it hangs =/
Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Harry Harpham bb642f8aab
Working prototype
Signed-off-by: Harry Harpham <harry@tailscale.com>
4 weeks ago
Tom Proctor d0d993f5d6 .github,cmd/cigocacher: add flags --version --stats --cigocached-host
Add flags:

* --cigocached-host to support alternative host resolution in other
  environments, like the corp repo.
* --stats to reduce the amount of bash script we need.
* --version to support a caching tool/cigocacher script that will
  download from GitHub releases.

Updates tailscale/corp#10808

Change-Id: Ib2447bc5f79058669a70f2c49cef6aedd7afc049
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
4 weeks ago
Tom Meadows d7a5624841
cmd/k8s-operator: fix statefulset template yaml indentation (#18194)
Fixes #17000

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
4 weeks ago
Irbe Krumina cb5fa35f57
.github/workfkows,Dockerfile,Dockerfile.base: add a test for base image (#18180)
Test that the base image builds and has the right iptables binary
linked.

Updates #17854

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 month ago
James 'zofrex' Sanderson 3ef9787379
tsweb: add Unwrap to loggingResponseWriter for ResponseController (#18195)
The new http.ResponseController type added in Go 1.20:
https://go.dev/doc/go1.20#http_responsecontroller requires ResponseWriters
that are wrapping the original passed to ServeHTTP to implement an Unwrap
method: https://pkg.go.dev/net/http#NewResponseController

With this in place, it is possible to call methods such as Flush and
SetReadDeadline on a loggingResponseWriter without needing to implement them
there ourselves.

Updates tailscale/corp#34763
Updates tailscale/corp#34813

Signed-off-by: James Sanderson <jsanderson@tailscale.com>
1 month ago
Raj Singh 65182f2119
ipn/ipnlocal: add ProxyProtocol support to VIP service TCP handler (#18175)
tcpHandlerForVIPService was missing ProxyProtocol support that
tcpHandlerForServe already had. Extract the shared logic into
forwardTCPWithProxyProtocol helper and use it in both handlers.

Fixes #18172

Signed-off-by: Raj Singh <raj@tailscale.com>
1 month ago
Joe Tsai 9613b4eecc
logtail: add metrics (#18184)
Add metrics about logtail uploading and underlying buffer.
Add metrics to the in-memory buffer implementation.

Updates tailscale/corp#21363

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
1 month ago
Brad Fitzpatrick 0df4631308 ipn/ipnlocal: avoid ResetAndStop panic
Updates #18187

Change-Id: If7375efb7df0452a5e85b742fc4c4eecbbd62717
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 month ago
Simon Law 6ace3995f0
portlist: skip tests on Linux 6.14.x with /proc/net/tcp bug (#18185)
PR #18033 skipped tests for the versions of Linux 6.6 and 6.12 that
had a regression in /proc/net/tcp that causes seek operations to fail
with “illegal seek”.

This PR skips tests for Linux 6.14.0, which is the default Ubuntu
kernel, that also contains this regression.

Updates #16966

Signed-off-by: Simon Law <sfllaw@tailscale.com>
1 month ago
Joe Tsai 6428ba01ef
logtail/filch: rewrite the package (#18143)
The filch implementation is fairly broken:

* When Filch.cur exceeds MaxFileSize, it calls moveContents
to copy the entirety of cur into alt (while holding the write lock).
By nature, this is the movement of a lot of data in a hot path,
meaning that all log calls will be globally blocked!
It also means that log uploads will be blocked during the move.

* The implementation of moveContents is buggy in that
it copies data from cur into the start of alt,
but fails to truncate alt to the number of bytes copied.
Consequently, there are unrelated lines near the end,
leading to out-of-order lines when being read back.

* Data filched via stderr do not directly respect MaxFileSize,
which is only checked every 100 Filch.Write calls.
This means that it is possible that the file grows far beyond
the specified max file size before moveContents is called.

* If both log files have data when New is called,
it also copies the entirety of cur into alt.
This can block the startup of a process copying lots of data
before the process can do any useful work.

* TryReadLine is implemented using bufio.Scanner.
Unfortunately, it will choke on any lines longer than
bufio.MaxScanTokenSize, rather than gracefully skip over them.

The re-implementation avoids a lot of these problems
by fundamentally eliminating the need for moveContent.
We enforce MaxFileSize by simply rotating the log files
whenever the current file exceeds MaxFileSize/2.
This is a constant-time operation regardless of file size.

To more gracefully handle lines longer than bufio.MaxScanTokenSize,
we skip over these lines (without growing the read buffer)
and report an error. This allows subsequent lines to be read.

In order to improve debugging, we add a lot of metrics.

Note that the mechanism of dup2 with stderr
is inherently racy with the two file approach.
The order of operations during a rotation is carefully chosen
to reduce the race window to be as short as possible.
Thus, this is slightly less racy than before.

Updates tailscale/corp#21363

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
1 month ago
Claus Lensbøl c870d3811d
net/{packet,tstun},wgengine: update disco key when receiving via TSMP (#18158)
When receiving a TSMPDiscoAdvertisement from peer, update the discokey
for said peer.

Some parts taken from: https://github.com/tailscale/tailscale/pull/18073/

Updates #12639

Co-authored-by: James Tucker <james@tailscale.com>
1 month ago
Irbe Krumina 723b9af21a
Dockerfile,Dockerfile.base: link iptables to legacy binary (#18177)
Re-instate the linking of iptables installed in Tailscale container
to the legacy iptables version. In environments where the legacy
iptables is not needed, we should be able to run nftables instead,
but this will ensure that Tailscale keeps working in environments
that don't support nftables, such as some Synology NAS hosts.

Updates #17854

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 month ago
Raj Singh 8eda947530
cmd/derper: add GCP Certificate Manager support (#18161)
Add --certmode=gcp for using Google Cloud Certificate Manager's
public CA instead of Let's Encrypt. GCP requires External Account
Binding (EAB) credentials for ACME registration, so this adds
--acme-eab-kid and --acme-eab-key flags.

The EAB key accepts both base64url and standard base64 encoding
to support both ACME spec format and gcloud output.

Fixes tailscale/corp#34881

Signed-off-by: Raj Singh <raj@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 month ago
Claus Lensbøl 1dfdee8521
net/dns: retrample resolve.conf when another process has trampled it (#18069)
When using the resolve.conf file for setting DNS, it is possible that
some other services will trample the file and overwrite our set DNS
server. Experiments have shown this to be a racy error depending on how
quickly processes start.

Make an attempt to trample back the file a limited number of times if
the file is changed.

Updates #16635

Signed-off-by: Claus Lensbøl <claus@tailscale.com>
1 month ago
Jordan Whited a9b37c510c net/udprelay: re-use mono.Time in control packet handling
Fixes tailscale/corp#35100

Signed-off-by: Jordan Whited <jordan@tailscale.com>
1 month ago
Simar 363d882306 net/udprelay: use `mono.Time` instead of `time.Time`
Fixes: https://github.com/tailscale/tailscale/issues/18064

Signed-off-by: Simar <simar@linux.com>
1 month ago
Fran Bull 076d5c7214 appc,feature: add the start of new conn25 app connector
When peers request an IP address mapping to be stored, the connector
stores it in memory.

Fixes tailscale/corp#34251
Signed-off-by: Fran Bull <fran@tailscale.com>
1 month ago
Tom Proctor dd1bb8ee42 .github: add cigocacher release workflow
To save rebuilding cigocacher on each CI job, build it on-demand, and
publish a release similar to how we publish releases for tool/go to
consume. Once the first release is done, we can add a new
tool/cigocacher script that pins to a specific release for each branch
to download.

Updates tailscale/corp#10808

Change-Id: I7694b2c2240020ba2335eb467522cdd029469b6c
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
1 month ago
Alex Chan 378ee20b9a cmd/tailscale/cli: stabilise the output of `tailscale lock status --json`
This patch stabilises the JSON output, and improves it in the following
ways:

* The AUM hash in Head uses the base32-encoded form of an AUM hash,
  consistent with how it's presented elsewhere
* TrustedKeys are the same format as the keys as `tailnet lock log --json`
* SigKind, Pubkey and KeyID are all presented consistently with other
  JSON output in NodeKeySignature
* FilteredPeers don't have a NodeKeySignature, because it will always
  be empty

For reference, here's the JSON output from the CLI prior to this change:

```json
{
  "Enabled": true,
  "Head": [
    196,
    69,
    63,
    243,
    213,
    133,
    123,
    46,
    183,
    203,
    143,
    34,
    184,
    85,
    80,
    1,
    221,
    92,
    49,
    213,
    93,
    106,
    5,
    206,
    176,
    250,
    58,
    165,
    155,
    136,
    11,
    13
  ],
  "PublicKey": "nlpub:0f99af5c02216193963ce9304bb4ca418846eddebe237f37a6de1c59097ed0b8",
  "NodeKey": "nodekey:8abfe98b38151748919f6e346ad16436201c3ecd453b01e9d6d3a38e1826000d",
  "NodeKeySigned": true,
  "NodeKeySignature": {
    "SigKind": 1,
    "Pubkey": "bnCKv+mLOBUXSJGfbjRq0WQ2IBw+zUU7AenW06OOGCYADQ==",
    "KeyID": "D5mvXAIhYZOWPOkwS7TKQYhG7d6+I383pt4cWQl+0Lg=",
    "Signature": "4DPW4v6MyLLwQ8AMDm27BVDGABjeC9gg1EfqRdKgzVXi/mJDwY9PTAoX0+0WTRs5SUksWjY0u1CLxq5xgjFGBA==",
    "Nested": null,
    "WrappingPubkey": "D5mvXAIhYZOWPOkwS7TKQYhG7d6+I383pt4cWQl+0Lg="
  },
  "TrustedKeys": [
    {
      "Key": "nlpub:0f99af5c02216193963ce9304bb4ca418846eddebe237f37a6de1c59097ed0b8",
      "Metadata": null,
      "Votes": 1
    },
    {
      "Key": "nlpub:de2254c040e728140d92bc967d51284e9daea103a28a97a215694c5bda2128b8",
      "Metadata": null,
      "Votes": 1
    }
  ],
  "VisiblePeers": [
    {
      "Name": "signing2.taila62b.unknown.c.ts.net.",
      "ID": 7525920332164264,
      "StableID": "nRX6TbAWm121DEVEL",
      "TailscaleIPs": [
        "100.110.67.20",
        "fd7a:115c:a1e0::9c01:4314"
      ],
      "NodeKey": "nodekey:10bf4a5c168051d700a29123cd81568377849da458abef4b328794ca9cae4313",
      "NodeKeySignature": {
        "SigKind": 1,
        "Pubkey": "bnAQv0pcFoBR1wCikSPNgVaDd4SdpFir70syh5TKnK5DEw==",
        "KeyID": "D5mvXAIhYZOWPOkwS7TKQYhG7d6+I383pt4cWQl+0Lg=",
        "Signature": "h9fhwHiNdkTqOGVQNdW6AVFoio6MFaFobPiK9ydywgmtYxcExJ38b76Tabdc56aNLxf8IfCaRw2VYPcQG2J/AA==",
        "Nested": null,
        "WrappingPubkey": "3iJUwEDnKBQNkryWfVEoTp2uoQOiipeiFWlMW9ohKLg="
      }
    }
  ],
  "FilteredPeers": [
    {
      "Name": "node3.taila62b.unknown.c.ts.net.",
      "ID": 5200614049042386,
      "StableID": "n3jAr7KNch11DEVEL",
      "TailscaleIPs": [
        "100.95.29.124",
        "fd7a:115c:a1e0::f901:1d7c"
      ],
      "NodeKey": "nodekey:454d2c8602c10574c5ec3a6790f159714802012b7b8bb8d2ab47d637f9df1d7b",
      "NodeKeySignature": {
        "SigKind": 0,
        "Pubkey": null,
        "KeyID": null,
        "Signature": null,
        "Nested": null,
        "WrappingPubkey": null
      }
    }
  ],
  "StateID": 16885615198276932820
}
```

Updates https://github.com/tailscale/corp/issues/22355
Updates https://github.com/tailscale/tailscale/issues/17619

Signed-off-by: Alex Chan <alexc@tailscale.com>

Change-Id: I65b58ff4520033e6b70fc3b1ba7fc91c1f70a960
1 month ago
Nick Khyl da0ea8ef3e Revert "ipn/ipnlocal: shut down old control client synchronously on reset"
It appears (*controlclient.Auto).Shutdown() can still deadlock when called with b.mu held, and therefore the changes in #18127 are unsafe.

This reverts #18127 until we figure out what causes it.

This reverts commit d199ecac80.

Signed-off-by: Nick Khyl <nickk@tailscale.com>
1 month ago
Erisa A c7b10cb39f
scripts/installer.sh: add SteamOS handling (#18159)
Fixes #12943

Signed-off-by: Erisa A <erisa@tailscale.com>
1 month ago
Alex Chan 7d3097d3b5 tka: add some more tests for Bootstrap()
This improves our test coverage of the Bootstrap() method, especially
around catching AUMs that shouldn't pass validation.

Updates #cleanup

Change-Id: Idc61fcbc6daaa98c36d20ec61e45ce48771b85de
Signed-off-by: Alex Chan <alexc@tailscale.com>
1 month ago
Irbe Krumina 2a0ddb7897
cmd/k8s-operator: warn if users attempt to expose a headless Service (#18140)
Previously, if users attempted to expose a headless Service to tailnet,
this just silently did not work.
This PR makes the operator throw a warning event + update Service's
status with an error message.

Updates #18139

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 month ago
Irbe Krumina d5c893195b
cmd/k8s-operator: don't log errors on not found objects. (#18142)
The event queue gets deleted events, which means that sometimes
the object that should be reconciled no longer exists.
Don't log user facing errors if that is the case.

Updates #18141

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 month ago
Claus Lensbøl d349370e55
client/systray: change systray to start after graphical.target (#18138)
The service was starting after systemd itself, and while this
surprisingly worked for some situations, it broke for others.

Change it to start after a GUI has been initialized.

Updates #17656

Signed-off-by: Claus Lensbøl <claus@tailscale.com>
1 month ago
James 'zofrex' Sanderson cf40cf5ccb
ipn/ipnlocal: add peer API endpoints to Hostinfo on initial client creation (#17851)
Previously we only set this when it updated, which was fine for the first
call to Start(), but after that point future updates would be skipped if
nothing had changed. If Start() was called again, it would wipe the peer API
endpoints and they wouldn't get added back again, breaking exit nodes (and
anything else requiring peer API to be advertised).

Updates tailscale/corp#27173

Signed-off-by: James Sanderson <jsanderson@tailscale.com>
1 month ago