tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	165f0116f1	types/netmap: move some mutations earlier, remove, document some fields And optimize the Persist setting a bit, allocating later and only mutating fields when there's been a Node change. Updates #1909 Change-Id: Iaddfd9e88ef76e1d18e8d0a41926eb44d0955312 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	2548496cef	types/views,cmd/viewer: add ByteSlice[T] to replace mem.RO Add a new views.ByteSlice[T ~[]byte] to provide a better API to use with views. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8a5ec72c85	cmd/cloner: use maps.Clone and ptr.To Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Brad Fitzpatrick	4511e7d64e	ipn/ipnstate: add PeerStatus.AltSharerUserID, stop mangling Node.User In `b987b2ab18` (2021-01-12) when we introduced sharing we mapped the sharer to the userid at a low layer, mostly to fix the display of "tailscale status" and the client UIs, but also some tests. The commit earlier today, `7dec09d169`, removed the 2.5yo option to let clients disable that automatic mapping, as clearly we were never getting around to it. This plumbs the Sharer UserID all the way to ipnstatus so the CLI itself can choose to print out the Sharer's identity over the node's original owner. Then we stop mangling Node.User and let clients decide how they want to render things. To ease the migration for the Windows GUI (which currently operates on tailcfg.Node via the NetMap from WatchIPNBus, instead of PeerStatus), a new method Node.SharerOrUser is added to do the mapping of Sharer-else-User. Updates #1909 Updates tailscale/corp#1183 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	d8191a9813	ipn/ipnlocal: fix regression in printf arg type I screwed this up in `58a4fd43d` as I expected. I even looked out for cases like this (because this always happens) and I still missed it. Vet doesn't flag these because they're not the standard printf funcs it knows about. TODO: make our vet recognize all our "logger.Logf" types. Updates #8948 Change-Id: Iae267d5f81da49d0876b91c0e6dc451bf7dcd721 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	58a4fd43d8	types/netmap, all: use read-only tailcfg.NodeView in NetworkMap Updates #8948 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	6e57dee7eb	cmd/viewer, types/views, all: un-special case slice of netip.Prefix Make it just a views.Slice[netip.Prefix] instead of its own named type. Having the special case led to circular dependencies in another WIP PR of mine. Updates #8948 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	af2e4909b6	all: remove some Debug fields, NetworkMap.Debug, Reconfig Debug arg Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	121d1d002c	tailcfg: add nodeAttrs for forcing OneCGNAT on/off [capver 71] Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	25663b1307	tailcfg: remove most Debug fields, move bulk to nodeAttrs [capver 70] Now a nodeAttr: ForceBackgroundSTUN, DERPRoute, TrimWGConfig, DisableSubnetsIfPAC, DisableUPnP. Kept support for, but also now a NodeAttr: RandomizeClientPort. Removed: SetForceBackgroundSTUN, SetRandomizeClientPort (both never used, sadly... never got around to them. But nodeAttrs are better anyway), EnableSilentDisco (will be a nodeAttr later when that effort resumes). Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	239ad57446	tailcfg: move LogHeapPprof from Debug to c2n [capver 69] And delete Debug.GoroutineDumpURL, which was already in c2n. Updates #8923 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Sonia Appasamy	8e63d75018	client/tailscale: add LocalClient.IncrementMetric func A #cleanup to add a func to utilize the already-present "/localapi/v0/upload-client-metrics" localapi endpoint. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Maisem Ali	98ec8924c2	ipn/ipnlocal,net/tsdial: update docs/rename funcs Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Brad Fitzpatrick	92fc9a01fa	cmd/tailscale: add debug commands to break connections For testing reconnects. Updates tailscale/corp#5761 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Sonia Appasamy	7815fbe17a	tailscale/cli: add interactive flow for enabling Funnel Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Maisem Ali	682fd72f7b	util/testenv: add new package to hold InTest Removes duplicated code. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	3e255d76e1	ipn/ipnlocal: fix profile duplication We would only look for duplicate profiles when a new login occurred but when using `--force-reauth` we could switch users which would end up with duplicate profiles. Updates #7726 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	500b9579d5	ipn/ipnlocal: add test to find issues with profile duplication There are a few situations where we end up with duplicate profiles. Add tests to identify those situations, fix in followup. Updates #7726 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	734928d3cb	control/controlclient: make Direct own all changes to Persist It was being modified in two places in Direct for the auth routine and then in LocalBackend when a new NetMap was received. This was confusing, so make Direct also own changes to Persist when a new NetMap is received. Updates #7726 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	6aaf1d48df	types/persist: drop duplicated Persist.LoginName It was duplicated from Persist.UserProfile.LoginName, drop it. Updates #7726 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	82454b57dd	ipn/ipnlocal: make tests pass when offline Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
salman aljammaz	25a7204bb4	wgengine,ipn,cmd/tailscale: add size option to ping (#8739 ) This adds the capability to pad disco ping message payloads to reach a specified size. It also plumbs it through to the tailscale ping -size flag. Disco pings used for actual endpoint discovery do not use this yet. Updates #311. Signed-off-by: salman <salman@tailscale.com> Co-authored-by: Val <valerie@tailscale.com>	1 year ago
Sonia Appasamy	49896cbdfa	ipn/ipnlocal: add profile pic header to serve HTTP proxy Fixes #8807 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Brad Fitzpatrick	c56e94af2d	ipn: avoid useless no-op WriteState calls Rather than make each ipn.StateStore implementation guard against useless writes (a write of the same value that's already in the store), do writes via a new wrapper that has a fast path for the unchanged case. This then fixes profileManager's flood of useless writes to AWS SSM, etc. Updates #8785 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Aaron Klotz	37925b3e7a	go.mod, cmd/tailscaled, ipn/localapi, util/osdiag, util/winutil, util/winutil/authenticode: add Windows module list to OS-specific logs that are written upon bugreport * We update wingoes to pick up new version information functionality (See pe/version.go in the https://github.com/dblohm7/wingoes repo); * We move the existing LogSupportInfo code (including necessary syscall stubs) out of util/winutil into a new package, util/osdiag, and implement the public LogSupportInfo function may be implemented for other platforms as needed; * We add a new reason argument to LogSupportInfo and wire that into localapi's bugreport implementation; * We add module information to the Windows implementation of LogSupportInfo when reason indicates a bugreport. We enumerate all loaded modules in our process, and for each one we gather debug, authenticode signature, and version information. Fixes #7802 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	1 year ago
Sonia Appasamy	301e59f398	tailcfg,ipn/localapi,client/tailscale: add QueryFeature endpoint Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Brad Fitzpatrick	66e46bf501	ipnlocal, net/*: deprecate interfaces.GetState, use netmon more for it Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Tom DNetto	767e839db5	all: implement lock revoke-keys command The revoke-keys command allows nodes with tailnet lock keys to collaborate to erase the use of a compromised key, and remove trust in it. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-1848	1 year ago
David Anderson	ed46442cb1	client/tailscale/apitype: document never-nil property of WhoIsResponse Every time I use WhoIsResponse I end up writing mildly irritating nil-checking for both Node and UserProfile, but it turns out our code guarantees that both are non-nil in successful whois responses. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	52212f4323	all: update exp/slices and fix call sites slices.SortFunc suffered a late-in-cycle API breakage. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Claire Wang	2315bf246a	ipn: use tstime (#8597 ) Updates #8587 Signed-off-by: Claire Wang <claire@tailscale.com>	1 year ago
Andrew Lytvynov	c1ecae13ab	ipn/{ipnlocal,localapi}: actually renew certs before expiry (#8731 ) While our `shouldStartDomainRenewal` check is correct, `getCertPEM` would always bail if the existing cert is not expired. Add the same `shouldStartDomainRenewal` check to `getCertPEM` to make it proceed with renewal when existing certs are still valid but should be renewed. The extra check is expensive (ARI request towards LetsEncrypt), so cache the last check result for 1hr to not degrade `tailscale serve` performance. Also, asynchronous renewal is great for `tailscale serve` but confusing for `tailscale cert`. Add an explicit flag to `GetCertPEM` to force a synchronous renewal for `tailscale cert`. Fixes #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	35bdbeda9f	cli: introduce exit-node subcommand to list and filter exit nodes This change introduces a new subcommand, `exit-node`, along with a subsubcommand of `list` and a `--filter` flag. Exit nodes without location data will continue to be displayed when `status` is used. Exit nodes with location data will only be displayed behind `exit-node list`, and in status if they are the active exit node. The `filter` flag can be used to filter exit nodes with location data by country. Exit nodes with Location.Priority data will have only the highest priority option for each country and city listed. For countries with multiple cities, a <Country> <Any> option will be displayed, indicating the highest priority node within that country. Updates tailscale/corp#13025 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Maisem Ali	1ecc16da5f	tailcfg,ipn/ipnlocal,wgengine: add values to PeerCapabilities Define PeerCapabilty and PeerCapMap as the new way of sending down inter-peer capability information. Previously, this was unstructured and you could only send down strings which got too limiting for certain usecases. Instead add the ability to send down raw JSON messages that are opaque to Tailscale but provide the applications to define them however they wish. Also update accessors to use the new values. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	abcb7ec1ce	cmd/tailscale: warn if node is locked out on bringup Updates https://github.com/tailscale/corp/issues/12718 Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Will Norris	f8b0caa8c2	serve: fix hostname for custom http ports When using a custom http port like 8080, this was resulting in a constructed hostname of `host.tailnet.ts.net:8080.tailnet.ts.net` when looking up the serve handler. Instead, strip off the port before adding the MagicDNS suffix. Also use the actual hostname in `serve status` rather than the literal string "host". Fixes #8635 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Andrew Lytvynov	7a82fd8dbe	ipn/ipnlocal: add optional support for ACME Renewal Info (ARI) (#8599 )	1 year ago
Tom DNetto	2bbedd2001	ipn: rename CapTailnetLockAlpha -> CapTailnetLock Updates tailscale/corp#8568 Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Andrew Dunham	60ab8089ff	logpolicy, various: allow overriding log function This allows sending logs from the "logpolicy" package (and associated callees) to something other than the log package. The behaviour for tailscaled remains the same, passing in log.Printf Updates #8249 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie1d43b75fa7281933d9225bffd388462c08a5f31	1 year ago
Brad Fitzpatrick	7b1c3dfd28	tailcfg,etc: remove unused tailcfg.Node.KeepAlive field The server hasn't sent it in ages. Updates #cleanup Change-Id: I9695ab0f074ec6fb006e11faf3cdfc5ca049fbf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
valscale	e26376194d	ipn/ipnlocal: validate ping type (#8458 ) Correct a minor cut-n-paste error that resulted in an invalid or missing ping type being accepted as a disco ping. Fixes #8457 Signed-off-by: Val <valerie@tailscale.com>	1 year ago
Brad Fitzpatrick	7c1068b7ac	util/goroutines: let ScrubbedGoroutineDump get only current stack ScrubbedGoroutineDump previously only returned the stacks of all goroutines. I also want to be able to use this for only the current goroutine's stack. Add a bool param to support both ways. Updates tailscale/corp#5149 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	e48c0bf0e7	ipn/ipnlocal: quiet some spammy network lock logging Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
shayne	6697690b55	{cmd/tailscale/cli,ipn}: add http support to tailscale serve (#8358 ) Updates #8357 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	1 year ago
Sonia Appasamy	0f5090c526	ipn/ipnlocal: add docs header to serve HTTP proxy Adds a `Tailscale-Headers-Info` header whenever the `Tailscale-User-` headers are filled from the HTTP proxy handler. Planning on hooking this shorturl up to KB docs about the header values (i.e. what's a login name vs. display name) and security considerations to keep in mind while using these headers - notibly that they can also be filled from external requests that do not hit tailscaled. Updates https://github.com/tailscale/tailscale/issues/6954 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Maisem Ali	2ae670eb71	ssh/tailssh: work around lack of scontext in SELinux Trying to SSH when SELinux is enforced results in errors like: ``` ➜ ~ ssh ec2-user@<ip> Last login: Thu Jun 1 22:51:44 from <ip2> ec2-user: no shell: Permission denied Connection to <ip> closed. ``` while the `/var/log/audit/audit.log` has ``` type=AVC msg=audit(1685661291.067:465): avc: denied { transition } for pid=5296 comm="login" path="/usr/bin/bash" dev="nvme0n1p1" ino=2564 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 ``` The right fix here would be to somehow install the appropriate context when tailscale is installed on host, but until we figure out a way to do that stop using the `login` cmd in these situations. Updates #4908 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Sonia Appasamy	e1cdcf7708	ipn/ipnlocal: add identity headers to HTTP serve proxy Adds two new headers to HTTP serve proxy: - `Tailscale-User-Login`: Filled with requester's login name. - `Tailscale-User-Name`: Filled with requester's display name. These headers only get filled when the SrcAddr is associated with a non-tagged (i.e. user-owned) node within the client's Tailnet. The headers are passed through empty when the request originated from another tailnet, or the public internet (via funnel). Updates https://github.com/tailscale/tailscale/issues/6954 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Andrea Gottardo	99f17a7135	tka: provide verify-deeplink local API endpoint (#8303 ) * tka: provide verify-deeplink local API endpoint Fixes https://github.com/tailscale/tailscale/issues/8302 Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Address code review comments Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Address code review comments by Ross Signed-off-by: Andrea Gottardo <andrea@tailscale.com> * Improve error encoding, fix logic error Signed-off-by: Andrea Gottardo <andrea@tailscale.com> --------- Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	1 year ago
Maisem Ali	fe95d81b43	ipn/ipnlocal,wgengine/netstack: move LocalBackend specifc serving logic to LocalBackend The netstack code had a bunch of logic to figure out if the LocalBackend should handle an incoming connection and then would call the function directly on LocalBackend. Move that logic to LocalBackend and refactor the methods to return conn handlers. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Brad Fitzpatrick	eefee6f149	all: use cmpx.Or where it made sense I left a few out where writing it explicitly was better for various reasons. Updates #8296 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrea Gottardo	1c4a047ad0	version: detect tvOS by checking XPC_SERVICE_NAME (#8295 ) Another change needed working towards #8282. Updates https://github.com/tailscale/tailscale/issues/8282 Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	1 year ago
Marwan Sulaiman	5dd0b02133	portlist: add a synchronous Poll method This is a follow up on PR #8172 that adds a synchronous Poll method which allows for the Poller to be used as a zero value without needing the constructor. The local backend is also changed to use the new API. A follow up PR will remove the async functionality from the portlist package. Updates #8171 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	1 year ago
Dominic Black	570cb018da	ipn/localapi: require only read permission for WatchIPNBus (#7798 ) Allow calls to `WatchIPNBus` to be permformed by clients with Readonly permissions. This brings it in line with the permissions required for `Status`, which also exposes the similar information. This allows clients to get realtime updates about the tailnet in their own applications, without needing to actively poll the `Status` endpoint. Fixes https://github.com/tailscale/tailscale/issues/7797 Signed-off-by: Dominic Black <dom@encore.dev>	1 year ago
Heiko Rothe	dc1d8826a2	ipn/ipnlocal: [serve/funnel] add forwarded host and proto header (#8224 ) This replicates the headers also sent by the golang reverse proxy by default. Fixes https://github.com/tailscale/tailscale/issues/7061 Signed-off-by: Heiko Rothe <me@heikorothe.com>	1 year ago
Andrew Dunham	07eacdfe92	ipn/ipnlocal: renew certificates based on lifetime Instead of renewing certificates based on whether or not they're expired at a fixed 14-day period in the future, renew based on whether or not we're more than 2/3 of the way through the certificate's lifetime. This properly handles shorter-lived certificates without issue. Updates #8204 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I5e82a9cadc427c010d04ce58c7f932e80dd571ea	1 year ago
Andrew Dunham	9d09c821f7	ipn/ipnlocal: add more logging during profile migration Updates tailscale/corp#11883 Change-Id: I3a3ca8f25bfefca139115b25ec4161c069da7e4a Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 year ago
Andrea Gottardo	66f97f4bea	tka: provide authority StateID in NetworkLockStatus response (#8200 ) Fixes #8201. Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Co-authored-by: Andrea Gottardo <andrea@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	8d3d48e000	ipn/ipnlocal: add NodeKey func to return the public node NodeKey This change introduces a NodeKey func on localbackend that returns the public node key. Updates tailscale/corp#9967 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Brad Fitzpatrick	8864112a0c	ipn/ipnlocal: bound how long cert fetchher checks for existing DNS records It was supposed to be best effort but in some cases (macsys at least, per @marwan-at-work) it hangs and exhausts the whole context.Context deadline so we fail to make the SetDNS call to the server. Updates #8067 Updates #3273 etc Change-Id: Ie1f04abe9689951484748aecdeae312afbafdb0f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	6e967446e4	tsd: add package with System type to unify subsystem init, discovery This is part of an effort to clean up tailscaled initialization between tailscaled, tailscaled Windows service, tsnet, and the mac GUI. Updates #8036 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Derek Kaser	0d7303b798	various: add detection and Taildrop for Unraid Updates tailscale/tailscale#8025 Signed-off-by: Derek Kaser <derek.kaser@gmail.com>	1 year ago
Brad Fitzpatrick	1e876a3c1d	ipn/ipnlocal: fix fmt format arg type mismatch in log line It was printing like "v0xxxxxxxx" after version.Long became a func in `8b2ae47c31`. Fixes #7976 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
James Tucker	095d3edd33	ipn/ipnlocal: reenable profile tests on Windows This fix does not seem ideal, but the test infrastructure using a local goos doesn't seem to avoid all of the associated challenges, but is somewhat deeply tied to the setup. The core issue this addresses for now is that when run on Windows there can be no code paths that attempt to use an invalid UID string, which on Windows is described in [1]. For the goos="linux" tests, we now explicitly skip the affected migration code if runtime.GOOS=="windows", and for the Windows test we explicitly use the running users uid, rather than just the string "user1". We also now make the case where a profile exists and has already been migrated a non-error condition toward the outer API. Updates #7876 [1] https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers Signed-off-by: James Tucker <jftucker@gmail.com>	1 year ago
Marwan Sulaiman	ce11c82d51	ipn/store/awsstore: persist state with intelligent tiering Fixes #6784 This PR makes it so that we can persist the tailscaled state with intelligent tiering which increases the capacity from 4kb to 8kb Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	1 year ago
Mihai Parparita	7330aa593e	all: avoid repeated default interface lookups On some platforms (notably macOS and iOS) we look up the default interface to bind outgoing connections to. This is both duplicated work and results in logspam when the default interface is not available (i.e. when a phone has no connectivity, we log an error and thus cause more things that we will try to upload and fail). Fixed by passing around a netmon.Monitor to more places, so that we can use its cached interface state. Fixes #7850 Updates #7621 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	4722f7e322	all: move network monitoring from wgengine/monitor to net/netmon We're using it in more and more places, and it's not really specific to our use of Wireguard (and does more just link/interface monitoring). Also removes the separate interface we had for it in sockstats -- it's a small enough package (we already pull in all of its dependencies via other paths) that it's not worth the extra complexity. Updates #7621 Updates #7850 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	3ede3aafe4	ipn/localapi: also verify STUN queries work in 'debug derp' Updates #6526 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I274b7ed53ee0be3fb94fdb00cafe06a1d676e1cf	1 year ago
Andrew Dunham	f85dc6f97c	ci: add more lints (#7909 ) This is a follow-up to #7905 that adds two more linters and fixes the corresponding findings. As per the previous PR, this only flags things that are "obviously" wrong, and fixes the issues found. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8739bdb7bc4f75666a7385a7a26d56ec13741b7c	1 year ago
Maisem Ali	c3ef6fb4ee	ipn/ipnlocal: handle masquerade addresses in PeerAPI Without this, the peer fails to do anything over the PeerAPI if it has a masquerade address. ``` Apr 19 13:58:15 hydrogen tailscaled[6696]: peerapi: invalid request from <ip>:58334: 100.64.0.1/32 not found in self addresses ``` Updates #8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Mihai Parparita	d0906cda97	net/sockstats: expose debug info Exposes some internal state of the sockstats package via the C2N and PeerAPI endpoints, so that it can be used for debugging. For now this includes the estimated radio on percentage and a second-by-second view of the times the radio was active. Also fixes another off-by-one error in the radio on percentage that was leading to >100% values (if n seconds have passed since we started to monitor, there may be n + 1 possible seconds where the radio could have been on). Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Andrew Dunham	280255acae	various: add golangci-lint, fix issues (#7905 ) This adds an initial and intentionally minimal configuration for golang-ci, fixes the issues reported, and adds a GitHub Action to check new pull requests against this linter configuration. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8f38fbc315836a19a094d0d3e986758b9313f163	1 year ago
Mihai Parparita	9a655a1d58	net/dnsfallback: more explicitly pass through logf function Redoes the approach from #5550 and #7539 to explicitly pass in the logf function, instead of having global state that can be overridden. Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
James Tucker	8dec1a8724	.github/workflows: reenable Windows CI, disable broken tests We accidentally switched to ./tool/go in `4022796484` which resulted in no longer running Windows builds, as this is attempting to run a bash script. I was unable to quickly fix the various tests that have regressed, so instead I've added skips referencing #7876, which we need to back and fix. Updates #7262 Updates #7876 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Mihai Parparita	cef0a474f8	ipn/ipnlocal: check that sockstatLogger is available in c2n endpoint Otherwise there may be a panic if it's nil (and the control side of the c2n call will just time out). Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	03b2c44a21	ipn/ipnlocal: more explicitly say if sockstats are not available Makes it more apparent in the PeerAPI endpoint that the client was not built with the appropriate toolchain or build tags. Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	2c0bda6e2e	ssh/tailssh: make Tailscale SSH work on gokrazy Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
shayne	ba4e58f429	cmd/tailscale/cli: do not allow turning Funnel on while shields-up (#7770 )	2 years ago
Will Norris	6d5c3c1637	ipn: prefer allow/denylist terminology Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Will Norris	5a3da3cd7f	ipn: add sockstat logger to stable builds This makes the sockstat logger available on all builds, but only enables it by default for unstable. For stable builds, the logger must be explicitly enabled via C2N component logger. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Aaron Klotz	90fd04cbde	ipn/ipnlocal, util/winutil/policy: modify Windows profile migration to load legacy prefs from within tailscaled I realized that a lot of the problems that we're seeing around migration and LocalBackend state can be avoided if we drive Windows pref migration entirely from within tailscaled. By doing it this way, tailscaled can automatically perform the migration as soon as the connection with the client frontend is established. Since tailscaled is already running as LocalSystem, it already has access to the user's local AppData directory. The profile manager already knows which user is connected, so we simply need to resolve the user's prefs file and read it from there. Of course, to properly migrate this information we need to also check system policies. I moved a bunch of policy resolution code out of the GUI and into a new package in util/winutil/policy. Updates #7626 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Mihai Parparita	e3cb8cc88d	ipn/ipnlocal: automatically upload sockstats logs when the period ends Avoids needing a separate c2n call to get the logs uploaded. Updates tailscale/corp#9230 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Andrew Dunham	3b39ca9017	ipn/ipnlocal: update comment in SetComponentDebugLogging Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8c36a62079dce77fc81b9cdfb5fe723b007218ba	2 years ago
Maisem Ali	e0d291ab8a	ipn/store: add support for stores to hook into a custom dialer For stores like k8s secrets we need to dial out to the k8s API as though Tailscale wasn't running. The issue currently only manifests when you try to use an exit node while running inside a k8s cluster and are trying to use Kubernetes secrets as the backing store. This doesn't address cmd/containerboot, which I'll do in a follow up. Updates #7695 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Dunham	c98652c333	doctor/permissions: add new check to print process permissions Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7	2 years ago
Will Norris	7c99210e68	log: allow toggling sockstat logs via c2n component logging Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
shayne	43f7ec48ca	funnel: change references from alpha to beta (#7613 ) Updates CLI and docs to reference Funnel as beta Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
shayne	3177ccabe5	ipn/ipnlocal: [serve/funnel] use actual SrcAddr as X-Forwarded-For (#7600 ) The reverse proxy was sending the ingressd IPv6 down as the X-Forwarded-For. This update uses the actual remote addr. Updates tailscale/corp#9914 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
shayne	7908b6d616	ipn/ipnlocal: [serve] Trim mountPoint prefix from proxy path (#7334 ) This change trims the mountPoint from the request URL path before sending the request to the reverse proxy. Today if you mount a proxy at `/foo` and request to `/foo/bar/baz`, we leak the `mountPoint` `/foo` as part of the request URL's path. This fix makes removed the `mountPoint` prefix from the path so proxied services receive requests as if they were running at the root (`/`) path. This could be an issue if the app generates URLs (in HTML or otherwise) and assumes `/path`. In this case, those URLs will 404. With that, I still think we should trim by default and not leak the `mountPoint` (specific to Tailscale) into whatever app is hosted. If it causes an issue with URL generation, I'd suggest looking at configuring an app-specific path prefix or running Caddy as a more advanced solution. Fixes: #6571 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2 years ago
Maisem Ali	7300b908fb	logpolicy: split out DialContext into a func Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	9e81db50f6	ipn/ipnlocal: use atomicfile.WriteFile in certFileStore Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	ec90522a53	ipn/ipnlocal: also store ACME keys in the certStore We were not storing the ACME keys in the state store, they would always be stored on disk. Updates #7588 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	9d8b7a7383	ipn/store/kubestore: handle "/" in ipn.StateKeys Kubernetes doesn't allow slashes as keys in secrets, replace them with "__". This shows up in the kubernetes-operator now that tsnet sets resets the ServeConfig at startup. Fixes #7662 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Will Norris	f13b8bf0cf	log: use logtail to log and upload sockstat logs Switch to using logtail for logging sockstat logs. Always log locally (on supported platforms), but disable automatic uploading. Change existing c2n sockstats request to trigger upload to log server and return log ID. Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Mihai Parparita	731688e5cc	ipn/localapi: add endpoint for adding debug log entries Allows the iOS and macOS apps to include their frontend logs when generating bug reports (tailscale/corp#9982). Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Mihai Parparita	97b6d3e917	sockstats: remove per-interface stats from Get They're not needed for the sockstats logger, and they're somewhat expensive to return (since they involve the creation of a map per label). We now have a separate GetInterfaces() method that returns them instead (which we can still use in the PeerAPI debug endpoint). If changing sockstatlog to sample at 10,000 Hz (instead of the default of 10Hz), the CPU usage would go up to 59% on a iPhone XS. Removing the per-interface stats drops it to 20% (a no-op implementation of Get that returns a fixed value is 16%). Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Will Norris	6ef2105a8e	log/sockstatlog: only start once; don't copy ticker Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
Will Norris	09e0ccf4c2	ipn: add c2n endpoint for sockstats logs Signed-off-by: Will Norris <will@tailscale.com>	2 years ago

1 2 3 4 5 ...

1126 Commits (9843e922b8da99e99a1249f36ae9aba8eda5e839)