tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	bcc47d91ca	cmd/tailscale/cli: use new Go 1.23 slices.Sorted And a grammatical nit. Updates #12912 Change-Id: I9feae53beb4d28dfe98b583373e2e0a43c801fc4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrea Gottardo	d060b3fa02	cli: implement `tailscale dns status` (#13353 ) Updates tailscale/tailscale#13326 This PR begins implementing a `tailscale dns` command group in the Tailscale CLI. It provides an initial implementation of `tailscale dns status` which dumps the state of the internal DNS forwarder. Two new endpoints were added in LocalAPI to support the CLI functionality: - `/netmap`: dumps a copy of the last received network map (because the CLI shouldn't have to listen to the ipn bus for a copy) - `/dns-osconfig`: dumps the OS DNS configuration (this will be very handy for the UI clients as well, as they currently do not display this information) My plan is to implement other subcommands mentioned in tailscale/tailscale#13326, such as `query`, in later PRs. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Jordan Whited	1fc4268aea	cmd/stunstamp: increase probe jitter (#13362 ) We've added more probe targets recently which has resulted in more timeouts behind restrictive NATs in localized testing that don't like how many flows we are creating at once. Not so much an issue for datacenter or cloud-hosted deployments. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	1dd1798bfa	cmd/stunstamp: use measureFn more consistently in naming/signatures (#13360 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	6d6b1773ea	cmd/stunstamp: implement ICMP{v6} probing (#13354 ) This adds both userspace and kernel timestamping. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	e865a0e2b0	cmd/tailscale/cli: add 'debug go-buildinfo' subcommand To dump runtime/debug.BuildInfo. Updates #1866 Change-Id: I8810390858a03b7649f9b22ef3ab910d423388da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Irbe Krumina	8e1c00f841	cmd/k8s-operator,k8s-operator/sessionrecording: ensure recording header contains terminal size for terminal sessions (#12965 ) * cmd/k8s-operator,k8s-operator/sessonrecording: ensure CastHeader contains terminal size For tsrecorder to be able to play session recordings, the recording's CastHeader must have '.Width' and '.Height' fields set to non-zero. Kubectl (or whoever is the client that initiates the 'kubectl exec' session recording) sends the terminal dimensions in a resize message that the API server proxy can intercept, however that races with the first server message that we need to record. This PR ensures we wait for the terminal dimensions to be processed from the first resize message before any other data is sent, so that for all sessions with terminal attached, the header of the session recording contains the terminal dimensions and the recording can be played by tsrecorder. Updates tailscale/tailscale#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Andrew Dunham	1c972bc7cb	wgengine/magicsock: actually use AF_PACKET socket for raw disco Previously, despite what the commit said, we were using a raw IP socket that was not an AF_PACKET socket, and thus was subject to the host firewall rules. Switch to using a real AF_PACKET socket to actually get the functionality we want. Updates #13140 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: If657daeeda9ab8d967e75a4f049c66e2bca54b78	2 months ago
Nick Khyl	961ee321e8	ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client. These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config) requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues. We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other platforms when switching between profiles that have different OperatorUser values in ipn.Prefs. We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device (e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation. The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device and against the current (and/or the target) profile. This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next PRs and removing the deprecated methods and the Permit* flags at the end of the transition. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Kristoffer Dalby	a2c42d3cd4	usermetric: add initial user-facing metrics This commit adds a new usermetric package and wires up metrics across the tailscale client. Updates tailscale/corp#22075 Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2 months ago
Kristoffer Dalby	06c31f4e91	tsweb/varz: remove pprof Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2 months ago
Brad Fitzpatrick	2636a83d0e	cmd/tta: pull out test driver dialing into a type, fix bugs There were a few places it could get wedged (notably the dial without a timeout). And add a knob for verbose debug logs. And keep two idle connections always. Updates #13038 Change-Id: I952ad182d7111481d97a83c12aa2ff4bfdc55fe8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b78df4d48a	tstest/natlab/vnet: add start of IPv6 support Updates #13038 Change-Id: Ic3d095f167daf6c7129463e881b18f2e0d5693f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	475ab1fb67	cmd/vnet: omit log spam when backend status hasn't changed Updates #13038 Change-Id: I9cc67cf18ba44ff66ba03cda486d5e111e395ce7	2 months ago
Nick Khyl	03acab2639	cmd/cloner, cmd/viewer, util/codegen: add support for aliases of cloneable types We have several checked type assertions to types.Named in both cmd/cloner and cmd/viewer. As Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, these type assertions no longer work as expected unless the new behavior is disabled with gotypesalias=0. In this PR, we add codegen.NamedTypeOf(t types.Type), which functions like t.(types.Named) but also unrolls type aliases. We then use it in place of type assertions in the cmd/cloner and cmd/viewer packages where appropriate. We also update type switches to include types.Alias alongside types.Named in relevant cases, remove *types.Struct cases when switching on types.Type.Underlying and update the tests with more cases where type aliases can be used. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Nick Khyl	a9dc6e07ad	util/codegen, cmd/cloner, cmd/viewer: update codegen.LookupMethod to support alias type nodes Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, unless disabled with gotypesalias=0. This new default behavior breaks codegen.LookupMethod, which uses checked type assertions to types.Named and types.Interface, as only named types and interfaces have methods. In this PR, we update codegen.LookupMethod to perform method lookup on the right-hand side of the alias declaration and clearly switch on the supported type nodes types. We also improve support for various edge cases, such as when an alias is used as a type parameter constraint, and add tests for the LookupMethod function. Additionally, we update cmd/viewer/tests to include types with aliases used in type fields and generic type constraints. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Brad Fitzpatrick	3b70968c25	cmd/vnet: add --blend and --pcap flags Updates #13038 Change-Id: Id16ea9eb94447a3d9651215f04b2525daf10b3eb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	3904e4d175	cmd/tta, tstest/natlab/vnet: remove unneeded port 124 log hack, add log buffer The natlab Test Agent (tta) still had its old log streaming hack in place where it dialed out to anything on TCP port 124 and those logs were streamed to the host running the tests. But we'd since added gokrazy syslog streaming support, which made that redundant. So remove all the port 124 stuff. And then make sure we log to stderr so gokrazy logs it to syslog. Also, keep the first 1MB of logs in memory in tta too, exported via localhost:8034/logs for interactive debugging. That was very useful during debugging when I added IPv6 support. (which is coming in future PRs) Updates #13038 Change-Id: Ieed904a704410b9031d5fd5f014a73412348fa7f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b091264c0a	cmd/systray: set ipn.NotifyNoPrivateKeys, permit non-operator use Otherwise you get "Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator". This lets a non-operator at least start the app and see the status, even if they can't change everything. (the web UI is unaffected by operator) A future change can add a LocalAPI call to check permissions and guide people through adding a user as an operator (perhaps the web client can do that?) Updates #1708 Change-Id: I699e035a251b4ebe14385102d5e7a2993424c4b7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Will Norris	3c66ee3f57	cmd/systray: add a basic linux systray app This adds a systray app for linux, similar to the apps for macOS and windows. There are already a number of community-developed systray apps, but most of them are either long abandoned, are built for a specific desktop environment, or simply wrap the tailscale CLI. This uses fyne.io/systray (a fork of github.com/getlantern/systray) which uses newer D-Bus specifications to render the tray icon and menu. This results in a pretty broad support for modern desktop environments. This initial commit lacks a number of features like profile switching, device listing, and exit node selection. This is really focused on the application structure, the interaction with LocalAPI, and some system integration pieces like the app icon, notifications, and the clipboard. Updates #1708 Signed-off-by: Will Norris <will@tailscale.com>	2 months ago
Percy Wegmann	d00d6d6dc2	go.mod: update to github.com/tailscale/netlink library that doesn't require vishvananda/netlink After the upstream PR is merged, we can point directly at github.com/vishvananda/netlink and retire github.com/tailscale/netlink. See https://github.com/vishvananda/netlink/pull/1006 Updates #12298 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Ilarion Kovalchuk	0cb7eb9b75	net/dns: updated gonotify dependency to v2 that supports closable context Signed-off-by: Ilarion Kovalchuk <illarion.kovalchuk@gmail.com>	2 months ago
Brad Fitzpatrick	696711cc17	all: switch to and require Go 1.23 Updates #12912 Change-Id: Ib4ae26eb5fb68ad2216cab4913811b94f7eed5b6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	0ff474ff37	all: fix new lint warnings from bumping staticcheck In prep for updating to new staticcheck required for Go 1.23. Updates #12912 Change-Id: If77892a023b79c6fa798f936fc80428fd4ce0673 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	690d3bfafe	cmd/tailscale/cli: add debug command to do DNS lookups portably To avoid dig vs nslookup vs $X availability issues between OSes/distros. And to be in Go, to match the resolver we use. Updates #13038 Change-Id: Ib7e5c351ed36b5470a42cbc230b8f27eed9a1bf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Anton Tolchanov	151b77f9d6	cmd/tl-longchain: tool to re-sign nodes with long rotation signatures In Tailnet Lock, there is an implicit limit on the number of rotation signatures that can be chained before the signature becomes too long. This program helps tailnet admins to identify nodes that have signatures with long chains and prints commands to re-sign those node keys with a fresh direct signature. It's a temporary mitigation measure, and we will remove this tool as we design and implement a long-term approach for rotation signatures. Example output: ``` 2024/08/20 18:25:03 Self: does not need re-signing 2024/08/20 18:25:03 Visible peers with valid signatures: 2024/08/20 18:25:03 Peer xxx2.yy.ts.net. (100.77.192.34) nodeid=nyDmhiZiGA11KTM59, current signature kind=direct: does not need re-signing 2024/08/20 18:25:03 Peer xxx3.yy.ts.net. (100.84.248.22) nodeid=ndQ64mDnaB11KTM59, current signature kind=direct: does not need re-signing 2024/08/20 18:25:03 Peer xxx4.yy.ts.net. (100.85.253.53) nodeid=nmZfVygzkB21KTM59, current signature kind=rotation: chain length 4, printing command to re-sign tailscale lock sign nodekey:530bddbfbe69e91fe15758a1d6ead5337aa6307e55ac92dafad3794f8b3fc661 tlpub:4bf07597336703395f2149dce88e7c50dd8694ab5bbde3d7c2a1c7b3e231a3c2 ``` To support this, the NetworkLockStatus localapi response now includes information about signatures of all peers rather than just the invalid ones. This is not displayed by default in `tailscale lock status`, but will be surfaced in `tailscale lock status --json`. Updates #13185 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 months ago
Jordan Whited	df6014f1d7	net/tstun,wgengine{/netstack/gro}: refactor and re-enable gVisor GRO for Linux (#13172 ) In `2f27319baf` we disabled GRO due to a data race around concurrent calls to tstun.Wrapper.Write(). This commit refactors GRO to be thread-safe, and re-enables it on Linux. This refactor now carries a GRO type across tstun and netstack APIs with a lifetime that is scoped to a single tstun.Wrapper.Write() call. In `25f0a3fc8f` we used build tags to prevent importation of gVisor's GRO package on iOS as at the time we believed it was contributing to additional memory usage on that platform. It wasn't, so this commit simplifies and removes those build tags. Updates tailscale/corp#22353 Updates tailscale/corp#22125 Updates #6816 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
ChandonPierre	93dc2ded6e	cmd/k8s-operator: support default proxy class in k8s-operator (#12711 ) Signed-off-by: ChandonPierre <cpierre@coreweave.com> Closes #12421	2 months ago
pierig-n3xtio	2105773874	cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs fixes: #13168 Signed-off-by: Pierig Le Saux <pierig@n3xt.io>	2 months ago
tomholford	16bb541adb	wgengine/magicsock: replace deprecated poly1305 (#13184 ) Signed-off-by: tomholford <tomholford@users.noreply.github.com>	2 months ago
Kyle Carberry	6c852fa817	go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket Coder has just adopted nhooyr/websocket which unfortunately changes the import path. `github.com/coder/coder` imports `tailscale.com/net/wsconn` which was still pointing to `nhooyr.io/websocket`, but this change updates it. See https://coder.com/blog/websocket Updates #13154 Change-Id: I3dec6512472b14eae337ae22c5bcc1e3758888d5 Signed-off-by: Kyle Carberry <kyle@carberry.com>	2 months ago
Nick Khyl	f8f9f05ffe	cmd/viewer: add support for map-like container types This PR modifies viewTypeForContainerType to use the last type parameter of a container type as the value type, enabling the implementation of map-like container types where the second-to-last (usually first) type parameter serves as the key type. It also adds a MapContainer type to test the code generation. Updates #12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Irbe Krumina	a15ff1bade	cmd/k8s-operator,k8s-operator/sessionrecording: support recording kubectl exec sessions over WebSockets (#12947 ) cmd/k8s-operator,k8s-operator/sessionrecording: support recording WebSocket sessions Kubernetes currently supports two streaming protocols, SPDY and WebSockets. WebSockets are replacing SPDY, see https://github.com/kubernetes/enhancements/issues/4006. We were currently only supporting SPDY, erroring out if session was not SPDY and relying on the kube's built-in SPDY fallback. This PR: - adds support for parsing contents of 'kubectl exec' sessions streamed over WebSockets - adds logic to distinguish 'kubectl exec' requests for a SPDY/WebSockets sessions and call the relevant handler Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 months ago
Brad Fitzpatrick	4c2e978f1e	cmd/tailscale/cli: support passing network lock keys via files Fixes tailscale/corp#22356 Change-Id: I959efae716a22bcf582c20d261fb1b57bacf6dd9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Irbe Krumina	b9f42814b5	cmd/containerboot: optionally serve health check endpoint (#12899 ) Add functionality to optionally serve a health check endpoint (off by default). Users can enable health check endpoint by setting TS_HEALTHCHECK_ADDR_PORT to [<addr>]:<port>. Containerboot will then serve an unauthenticatd HTTP health check at /healthz at that address. The health check returns 200 OK if the node has at least one tailnet IP address, else returns 503. Updates tailscale/tailscale#12898 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Brad Fitzpatrick	02581b1603	gokrazy,tstest/integration/nat: add Gokrazy appliance just for natlab ... rather than abusing the generic tsapp. Per discussion in https://github.com/gokrazy/gokrazy/pull/275 It also means we can remove stuff we don't need, like ntp or randomd. Updates #13038 Change-Id: Iccf579c354bd3b5025d05fa1128e32f1d5bde4e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	f79e688e0d	cmd/tailscale/cli: fix gokrazy CLI-as-a-service detection The change in `b7e48058c8` was too loose; it also captured the CLI being run as a child process under cmd/tta. Updates #13038 Updates #1866 Change-Id: Id410b87132938dd38ed4dd3959473c5d0d242ff5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Irbe Krumina	adbab25bac	cmd/k8s-operator: fix DNS reconciler for dual-stack clusters (#13057 ) * cmd/k8s-operator: fix DNS reconciler for dual-stack clusters This fixes a bug where DNS reconciler logic was always assuming that no more than one EndpointSlice exists for a Service. In fact, there can be multiple, for example, in dual-stack clusters, but also in other cases this is valid (as per kube docs). This PR: - allows for multiple EndpointSlices - picks out the ones for IPv4 family - deduplicates addresses Updates tailscale/tailscale#13056 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 months ago
Brad Fitzpatrick	b7e48058c8	cmd/tailscale/cli: don't run CLI as a service on gokrazy Updates #13038 Updates #1866 Change-Id: Ie3223573044a92f5715a827fb66cc6705b38004f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Nick Khyl	67df9abdc6	util/syspolicy/setting: add package that contains types for the next syspolicy PRs Package setting contains types for defining and representing policy settings. It facilitates the registration of setting definitions using Register and RegisterDefinition, and the retrieval of registered setting definitions via Definitions and DefinitionOf. This package is intended for use primarily within the syspolicy package hierarchy, and added in a preparation for the next PRs. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Brad Fitzpatrick	a61825c7b8	cmd/tta, vnet: add host firewall, env var support, more tests In particular, tests showing that #3824 works. But that test doesn't actually work yet; it only gets a DERP connection. (why?) Updates #13038 Change-Id: Ie1fd1b6a38d4e90fae7e72a0b9a142a95f0b2e8f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	0686bc8b19	cmd/tailscaled: add env knob to control default verbosity Updates #13038 Change-Id: Ic0e6dfc7a8d127ab5ce0ae9aab9119c56e19b636 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Jordan Whited	7aec8d4e6b	cmd/stunstamp: refactor connection construction (#13110 ) getConns() is now responsible for returning both stable and unstable conns. conn and measureFn are now passed together via connAndMeasureFn. newConnAndMeasureFn() is responsible for constructing them. TCP measurement timeouts are adjusted to more closely match netcheck. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	218110963d	cmd/stunstamp: implement HTTPS & TCP latency measurements (#13082 ) HTTPS mirrors current netcheck behavior and TCP uses tcp_info->rtt. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	2e32abc3e2	cmd/tailscaled: allow setting env via linux cmdline for integration tests Updates #13038 Change-Id: I51e016d0eb7c14647159706c08f017fdedd68e2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	d0e8375b53	cmd/{tta,vnet}: proxy to gokrazy UI Updates #13038 Change-Id: I1cacb1b0f8c3d0e4c36b7890155f7b1ad0d23575 Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 months ago
Brad Fitzpatrick	f47a5fe52b	vnet: reduce some log spam Updates #13038 Change-Id: I76038a90dfde10a82063988a5b54190074d4b5c5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	f8d23b3582	tstest/integration/nat: stream daemon logs directly Updates #13038 Signed-off-by: Maisem Ali <maisem@tailscale.com> Change-Id: I5da5706149c082c27d74c8b894bf53dd9b259e84	3 months ago
Brad Fitzpatrick	6798f8ea88	tstest/natlab/vnet: add port mapping Updates #13038 Change-Id: Iaf274d250398973790873534b236d5cbb34fbe0e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Maisem Ali	12764e9db4	natlab: add NodeAgentClient This adds a new NodeAgentClient type that can be used to invoke the LocalAPI using the LocalClient instead of handcrafted URLs. However, there are certain cases where it does make sense for the node agent to provide more functionality than whats possible with just the LocalClient, as such it also exposes a http.Client to make requests directly. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 months ago

1 2 3 4 5 ...

1944 Commits (bcc47d91ca83aecd5123a4b0ac645e5ccb574000)