tailscale

Commit Graph

Author	SHA1	Message	Date
Maisem Ali	d39a5e4417	tsnet: support TS_AUTH_KEY variant too Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d2fd101eb4	net/tstun: only log natConfig on changes Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8ac5976897	logpolicy: do not upload logs in tests Fixes tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	7300b908fb	logpolicy: split out DialContext into a func Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ca19cf13e9	log/sockstatlog: add resource cleanup test Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Andrew Dunham	33b359642e	net/dns: don't send on closed channel in resolvedManager Fixes #7686 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibffb05539ab876b12407d77dcf2201d467895981	1 year ago
Anton Tolchanov	6f9aed1656	scripts: use pkg server to determine supported deb/rpm distros Fixes https://github.com/tailscale/corp/issues/8952 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Andrew Dunham	4cb1bfee44	net/netcheck: improve determinism in hairpinning test If multiple Go channels have a value (or are closed), receiving from them all in a select will nondeterministically return one of the two arms. In this case, it's possible that the hairpin check timer will have expired between when we start checking and before we check at all, but the hairpin packet has already been received. In such cases, we'd nondeterministically set report.HairPinning. Instead, check if we have a value in our results channel first, then select on the value and timeout channel after. Also, add a test that catches this particular failure. Fixes #1795 Change-Id: I842ab0bd38d66fabc6cabf2c2c1bb9bd32febf35 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 year ago
Maisem Ali	4a89642f7f	log/sockstatlog: make shutdown close idle connections Updates tailscale/corp#10030 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	9e81db50f6	ipn/ipnlocal: use atomicfile.WriteFile in certFileStore Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8a11f76a0d	ipn/ipnlocal: fix cert storage in Kubernetes We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	ec90522a53	ipn/ipnlocal: also store ACME keys in the certStore We were not storing the ACME keys in the state store, they would always be stored on disk. Updates #7588 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	0e203e414f	net/packet: add checksum update tests Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	0bf8c8e710	net/tstun: use p.Buffer() in more places Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	f6ea6863de	tstest/integration: add ping test w/ masquerades Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	bb31fd7d1c	net/tstun: add inital support for NAT v4 This adds support in tstun to utitilize the SelfNodeV4MasqAddrForThisPeer and perform the necessary modifications to the packet as it passes through tstun. Currently this only handles ICMP, UDP and TCP traffic. Subnet routers and Exit Nodes are also unsupported. Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	535fad16f8	net/tstun: rename filterIn/filterOut methods to be more descriptive Updates tailscale/corp#8020 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	f61b306133	tailcfg: add Node.SelfNodeV4MasqAddrForThisPeer This only adds the field, to be used in a future commit. Updates tailscale/corp#8020 Co-authored-by: Melanie Warrick <warrick@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	583e86b7df	ssh/tailssh: handle session recording when running in userspace mode Previously it would dial out using the http.DefaultClient, however that doesn't work when tailscaled is running in userspace mode (e.g. when testing). Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	df89b7de10	cmd/k8s-operator: disable HTTP/2 for the auth proxy Kubernetes uses SPDY/3.1 which is incompatible with HTTP/2, disable it in the transport and server. Fixes #7645 Fixes #7646 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8a246487c2	ssh/tailssh: enable recording of non-pty sessions Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	8765568373	ssh/tailssh: add docs to CastHeader fields Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	9d8b7a7383	ipn/store/kubestore: handle "/" in ipn.StateKeys Kubernetes doesn't allow slashes as keys in secrets, replace them with "__". This shows up in the kubernetes-operator now that tsnet sets resets the ServeConfig at startup. Fixes #7662 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	57a008a1e1	all: pass log IDs as the proper type rather than strings This change focuses on the backend log ID, which is the mostly commonly used in the client. Tests which don't seem to make use of the log ID just use the zero value. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Andrew Dunham	13377e6458	ssh/tailssh: always assert our final uid/gid Move the assertions about our post-privilege-drop UID/GID out of the conditional if statement and always run them; I haven't been able to find a case where this would fail. Defensively add an envknob to disable this feature, however, which we can remove after the 1.40 release. Updates #7616 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iaec3dba9248131920204bd6c6d34bbc57a148185	1 year ago
Andrew Dunham	9de8287d47	ssh/tailssh: lock OS thread during incubator This makes it less likely that we trip over bugs like golang/go#1435. Updates #7616 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic28c03c3ad8ed5274a795c766b767fa876029f0e	1 year ago
Maisem Ali	c350cd1f06	ssh/tailssh: use background context for uploading recordings Otherwise we see errors like ``` ssh-session(sess-20230322T005655-5562985593): recording: error sending recording to <addr>:80: Post "http://<addr>:80/record": context canceled ``` The ss.ctx is closed when the session closes, but we don't want to break the upload at that time. Instead we want to wait for the session to close the writer when it finishes, which it is already doing. Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	f13b8bf0cf	log: use logtail to log and upload sockstat logs Switch to using logtail for logging sockstat logs. Always log locally (on supported platforms), but disable automatic uploading. Change existing c2n sockstats request to trigger upload to log server and return log ID. Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Mihai Parparita	731688e5cc	ipn/localapi: add endpoint for adding debug log entries Allows the iOS and macOS apps to include their frontend logs when generating bug reports (tailscale/corp#9982). Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Anton Tolchanov	7083246409	prober: only record latency for successful probes This will make it easier to track probe latency on a dashboard. Updates https://github.com/tailscale/corp/issues/9916 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Maisem Ali	d92047cc30	ssh/tailssh: allow recorders to be configured on the first or final action Currently we only send down recorders in first action, allow the final action to replace them but not to drop them. Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	7a97e64ef0	ssh/tailssh: add more metadata to recording header Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Denton Gentry	cc3806056f	scripts/installer.sh: Add Ubuntu Lunar Lobster 23.04. pkgs.tailscale.com added support in January, need to add it to the installer script. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Maisem Ali	916aa782af	ssh/tailssh: stream SSH recordings to configured recorders Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Tom DNetto	60cd4ac08d	cmd/tailscale/cli: move tskey-wrap functionality under lock sign Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	1b78dc1f33	tailcfg: move recorders field from SSHRule to SSHAction Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Charlotte Brandhorst-Satzkorn	3efd83555f	tailcfg: add recorders field to SSHRule struct This change introduces the Recorders field to the SSHRule struct. The field is used to store and define addresses where the ssh recorder is located. Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 year ago
Sam Linville	812025a39c	words: what?! a llama?! he's supposed to be dead! (#7623 ) pull the lever, kronk Signed-off-by: Sam Linville <samlinville@protonmail.com>	1 year ago
Andrew Dunham	39b289578e	ssh/tailssh: make uid an int instead of uint64 Follow-up to #7615 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib4256bff276f6d5cf95838d8e39c87b3643bde37	1 year ago
David Anderson	c9a4dbe383	tool/gocross: correctly embed the git commit into gocross Previously, the build ended up embedding an empty string, which made the shell wrapper rebuild gocross on every invocation. This is still reasonably fast, but fixing the bypass shaves 80% off gocross's overhead when no rebuild is needed. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Brad Fitzpatrick	f11c270c6b	go.toolchain.rev: bump Go toolchain For tailscale/go#60 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Mihai Parparita	d2dec13392	net/sockstats: export cellular-only clientmetrics Followup to #7518 to also export client metrics when the active interface is cellular. Updates tailscale/corp#9230 Updates #3363 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
David Anderson	e7a78bc28f	tool/gocross: support running from outside the repo dir A bunch of us invoke tool/go from outside the repo that hosts gocross, as a way of accessing our version-controlled toolchain. This removes assumptions from gocross that it's being invoked within the repository that contains its source code and toolchain configuration. Fixes tailscale/corp#9627 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	df02bb013a	tool/gocross: fail if the toolchain revision isn't findable This used to make sense, but after a refactor somewhere along the line this results in trying to download from a malformed URL and generally confusing failures. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Denton Gentry	ebc630c6c0	net/interfaces: also allow link-local for AzureAppServices. In May 2021, Azure App Services used 172.16.x.x addresses: ``` 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 02:42:ac:10:01:03 brd ff:ff:ff:ff:ff:ff inet 172.16.1.3/24 brd 172.16.1.255 scope global eth0 valid_lft forever preferred_lft forever ``` Now it uses link-local: ``` 2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 8a:30:1f:50:1d:23 brd ff:ff:ff:ff:ff:ff inet 169.254.129.3/24 brd 169.254.129.255 scope global eth0 valid_lft forever preferred_lft forever ``` This is reasonable for them to choose to do, it just broke the handling in net/interfaces. This PR proposes to: 1. Always allow link-local in LocalAddresses() if we have no better address available. 2. Continue to make isUsableV4() conditional on an environment we know requires it. I don't love the idea of having to discover these environments one by one, but I don't understand the consequences of making isUsableV4() return true unconditionally. It makes isUsableV4() essentially always return true and perform no function. Fixes https://github.com/tailscale/tailscale/issues/7603 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Andrew Dunham	ccace1f7df	ssh/tailssh: fix privilege dropping on FreeBSD; add tests On FreeBSD and Darwin, changing a process's supplementary groups with setgroups(2) will also change the egid of the process, setting it to the first entry in the provided list. This is distinct from the behaviour on other platforms (and possibly a violation of the POSIX standard). Because of this, on FreeBSD with no TTY, our incubator code would previously not change the process's gid, because it would read the newly-changed egid, compare it against the expected egid, and since they matched, not change the gid. Because we didn't use the 'login' program on FreeBSD without a TTY, this would propagate to a child process. This could be observed by running "id -p" in two contexts. The expected output, and the output returned when running from a SSH shell, is: andrew@freebsd:~ $ id -p uid andrew groups andrew However, when run via "ssh andrew@freebsd id -p", the output would be: $ ssh andrew@freebsd id -p login root uid andrew rgid wheel groups andrew (this could also be observed via "id -g -r" to print just the gid) We fix this by pulling the details of privilege dropping out into their own function and prepending the expected gid to the start of the list on Darwin and FreeBSD. Finally, we add some tests that run a child process, drop privileges, and assert that the final UID/GID/additional groups are what we expect. More information can be found in the following article: https://www.usenix.org/system/files/login/articles/325-tsafrir.pdf Updates #7616 Alternative to #7609 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I0e6513c31b121108b50fe561c89e5816d84a45b9	1 year ago
Mihai Parparita	e1fb687104	cmd/tailscale/cli: fix inconsistency between serve text and example command Use the same local port number in both, and be more precise about what is being forwarded Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Anton Tolchanov	654b5a0616	derp: add optional debug logging for prober clients This allows tracking packet flow via logs for prober clients. Note that the new sclient.debug() function is called on every received packet, but will do nothing for most clients. I have adjusted sclient logging to print public keys in short format rather than full. This takes effect even for existing non-debug logging (mostly client disconnect messages). Example logs for a packet being sent from client [SbsJn] (connected to derper [dM2E3]) to client [10WOo] (connected to derper [AVxvv]): ``` derper [dM2E3]: derp client 10.0.0.1:35470[SbsJn]: register single client mesh("10.0.1.1"): 4 peers derp client 10.0.0.1:35470[SbsJn]: read frame type 4 len 40 err <nil> derp client 10.0.0.1:35470[SbsJn]: SendPacket for [10WOo], forwarding via <derphttp_client.Client [AVxvv] url=https://10.0.1.1/derp>: <nil> derp client 10.0.0.1:35470[SbsJn]: read frame type 0 len 0 err EOF derp client 10.0.0.1:35470[SbsJn]: read EOF derp client 10.0.0.1:35470[SbsJn]: sender failed: context canceled derp client 10.0.0.1:35470[SbsJn]: removing connection derper [AVxvv]: derp client 10.0.1.1:50650[10WOo]: register single client derp client 10.0.1.1:50650[10WOo]: received forwarded packet from [SbsJn] via [dM2E3] derp client 10.0.1.1:50650[10WOo]: sendPkt attempt 0 enqueued derp client 10.0.1.1:50650[10WOo]: sendPacket from [SbsJn]: <nil> derp client 10.0.1.1:50650[10WOo]: read frame type 0 len 0 err EOF derp client 10.0.1.1:50650[10WOo]: read EOF derp client 10.0.1.1:50650[10WOo]: sender failed: context canceled derp client 10.0.1.1:50650[10WOo]: removing connection ``` Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Anton Tolchanov	50d211d1a4	cmd/derpprobe: allow running all probes at the same time This allows disabling spread mode, which is helpful if you are manually running derpprobe in `--once` mode against a small number of DERP machines. Updates https://github.com/tailscale/corp/issues/9916 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Anton Tolchanov	e59dc29a55	prober: log client pubkeys on derp mesh probe failures Updates https://github.com/tailscale/corp/issues/9916 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago

1 2 3 4 5 ...

5527 Commits (d39a5e441701bc407fe522b22cc88fde302b615f) All Branches Search

5527 Commits (d39a5e441701bc407fe522b22cc88fde302b615f)

All Branches