tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Lytvynov	de9ba1c621	clientupdate/distsign/roots: add temporary dev root key (#9080 ) Adding a root key that signs the current signing key on pkgs.tailscale.com. This key is here purely for development and should be replaced before 1.50 release. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Sonia Appasamy	f3077c6ab5	client/web: add self node cache Adds a cached self node to the web client Server struct, which will be used from the web client api to verify that request came from the node's own machine (i.e. came from the web client frontend). We'll be using when we switch the web client api over to acting as a proxy to the localapi, to protect against DNS rebinding attacks. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Andrew Lytvynov	3b7ebeba2e	clientupdate: remove Arch support (#9081 ) An Arch Linux maintainer asked us to not implement "tailscale update" on Arch-based distros: https://github.com/tailscale/tailscale/issues/6995#issuecomment-1687080106 Return an error to the user if they try to run "tailscale update". Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Andrew Lytvynov	b42c4e2da1	cmd/dist,release/dist: add distsign signing hooks (#9070 ) Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Will Norris	dc8287ab3b	client/web: enforce full path for CGI platforms Synology and QNAP both run the web client as a CGI script. The old web client didn't care too much about requests paths, since there was only a single GET and POST handler. The new client serves assets on different paths, so now we need to care. First, enforce that the CGI script is always accessed from its full path, including a trailing slash (e.g. /cgi-bin/tailscale/index.cgi/). Then, strip that prefix off before passing the request along to the main serve handler. This allows for properly serving both static files and the API handler in a CGI environment. Also add a CGIPath option to allow other CGI environments to specify a custom path. Finally, update vite and one "api/data" call to no longer assume that we are always serving at the root path of "/". Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	0c3d343ea3	client/web: invert auth logic for synology and qnap Add separate server methods for synology and qnap, and enforce authentication and authorization checks before calling into the actual serving handlers. This allows us to remove all of the auth logic from those handlers, since all requests will already be authenticated by that point. Also simplify the Synology token redirect handler by using fetch. Remove the SynologyUser from nodeData, since it was never used in the frontend anyway. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	05486f0f8e	client/web: move synology and qnap logic into separate files This commit doesn't change any of the logic, but just organizes the code a little to prepare for future changes. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Maisem Ali	ff7f4b4224	cmd/testwrapper: fix off-by-one error in maxAttempts check It was checking if `>= maxAttempts` which meant that the third attempt would never run. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	a61a9ab087	cmd/containerboot: reapply known args on restart Previously we would not reapply changes to TS_HOSTNAME etc when then the container restarted and TS_AUTH_ONCE was enabled. This splits those into two steps login and set, allowing us to only rerun the set step on restarts. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Andrew Lytvynov	d45af7c66f	release/dist/cli: add sign-key and verify-key-signature commands (#9041 ) Now we have all the commands to generate the key hierarchy and verify that signing keys were signed correctly: ``` $ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root wrote private key to root-priv.pem wrote public key to root-pub.pem $ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing wrote private key to signing-priv.pem wrote public key to signing-pub.pem $ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem wrote signature to signature.bin $ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin signature ok ``` Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Sonia Appasamy	349c05d38d	client/web: refresh on tab focus Refresh node data when user switches to the web client browser tab. This helps clean up the auth flow where they're sent to another tab to authenticate then return to the original tab, where the data should be refreshed to pick up the login updates. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	824cd02d6d	client/web: cache csrf key when running in CGI mode Indicate to the web client when it is running in CGI mode, and if it is then cache the csrf key between requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
shayne	46b0c9168f	.github: update flakehub workflow to support existing tags (#9067 ) This adds a workflow_dispatch input to the update-flakehub workflow that allows the user to specify an existing tag to publish to FlakeHub. This is useful for publishing a version of a package that has already been tagged in the repository. Updates #9008 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	10 months ago
shayne	7825074444	.github: fix flakehub-publish-tagged.yml glob (#9066 ) The previous regex was too advanced for GitHub Actions. They only support a simpler glob syntax. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet Updates #9008 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	10 months ago
Brad Fitzpatrick	5b6a90fb33	types/logger, cmd/tailscale/cli: flesh out, simplify some non-unix build tags Can write "wasm" instead of js \|\| wasi1p, since there's only two: $ go tool dist list \| grep wasm js/wasm wasip1/wasm Plus, if GOOS=wasip2 is added later, we're already set. Updates #5794 Change-Id: Ifcfb187c3775c17c9141bc721512dc4577ac4434 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	a5dcc4c87b	paths: remove wasm file, no-op stubs, make OS-specific funcs consistent Some OS-specific funcs were defined in init. Another used build tags and required all other OSes to stub it out. Another one could just be in the portable file. Simplify it a bit, removing a file and some stubs in the process. Updates #5794 Change-Id: I51df8772cc60a9335ac4c1dc0ab59b8a0d236961 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	d58ba59fd5	cmd/tailscale/cli: make netcheck run even if machine lacks TLS certs We have a fancy package for doing TLS cert validation even if the machine doesn't have TLS certs (for LetsEncrypt only) but the CLI's netcheck command wasn't using it. Also, update the tlsdial's outdated package docs while here. Updates #cleanup Change-Id: I74b3cb645d07af4d8ae230fb39a60c809ec129ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	e881c1caec	net/netmon: factor out debounce loop, simplify polling impl This simplifies some netmon code in prep for other changes. It breaks up Monitor.debounce into a helper method so locking is easier to read and things unindent, and then it simplifies the polling netmon implementation to remove the redundant stuff that the caller (the Monitor.debounce loop) was already basically doing. Updates #9040 Change-Id: Idcfb45201d00ae64017042a7bdee6ef86ad37a9f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Will Norris	9ea3942b1a	client/web: don't require secure cookies for csrf Under normal circumstances, you would typically want to keep the default behavior of requiring secure cookies. In the case of the Tailscale web client, we are regularly serving on localhost (where secure cookies don't really matter), and/or we are behind a reverse proxy running on a network appliance like a NAS or Home Assistant. In those cases, those devices are regularly accessed over local IP addresses without https configured, so would not work with secure cookies. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Andrew Lytvynov	f61dd12f05	clientupdate/distsign: use distinct PEM types for root/signing keys (#9045 ) To make key management less error-prone, use different PEM block types for root and signing keys. As a result, separate out most of the Go code between root/signing keys too. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Marwan Sulaiman	9c07f4f512	all: replace deprecated ioutil references This PR removes calls to ioutil library and replaces them with their new locations in the io and os packages. Fixes #9034 Updates #5210 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Denton Gentry	1b8a538953	scripts/installer.sh: add CloudLinux and Alibaba Linux Fixes https://github.com/tailscale/tailscale/issues/9010 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	10 months ago
Sonia Appasamy	776f9b5875	client/web: open auth URLs in new browser tab Open control server auth URLs in new browser tabs on web clients so users don't loose original client URL when redirected for login. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	ad9b711a1b	tailcfg: bump capver to 72 to restore UPnP Actually fixed in `77ff705545` but that was cherry-picked to a branch and we don't bump capver in branches. This tells the control plane that UPnP should be re-enabled going forward. Updates #8992 Change-Id: I5c4743eb52fdee94175668c368c0f712536dc26b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	ea4425d8a9	ipn/ipnlocal, wgengine/magicsock: move UpdateStatus stuff around Upcoming work on incremental netmap change handling will require some replumbing of which subsystems get notified about what. Done naively, it could break "tailscale status --json" visibility later. To make sure I understood the flow of all the updates I was rereading the status code and realized parts of ipnstate.Status were being populated by the wrong subsystems. The engine (wireguard) and magicsock (data plane, NAT traveral) should only populate the stuff that they uniquely know. The WireGuard bits were fine but magicsock was populating stuff stuff that LocalBackend could've better handled, so move it there. Updates #1909 Change-Id: I6d1b95d19a2d1b70fbb3c875fac8ea1e169e8cb0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Maisem Ali	74388a771f	cmd/k8s-operator: fix regression from earlier refactor I forgot to move the defer out of the func, so the tsnet.Server immediately closed after starting. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	9089efea06	net/netmon: make ChangeFunc's signature take new ChangeDelta, not bool Updates #9040 Change-Id: Ia43752064a1a6ecefc8802b58d6eaa0b71cf1f84 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Sonia Appasamy	78f087aa02	cli/web: pass existing localClient to web client Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
David Anderson	5cfa85e604	tsweb: clean up pprof handler registration, document why it's there Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Will Norris	09068f6c16	release: add empty embed.FS for release files This ensures that `go mod vendor` includes these files, which are needed for client builds run in corp. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Maisem Ali	836f932ead	cmd/k8s-operator: split operator.go into svc.go/sts.go Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	7f6bc52b78	cmd/k8s-operator: refactor operator code It was jumbled doing a lot of things, this breaks it up into the svc reconciliation and the tailscale sts reconciliation. Prep for future commit. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Will Norris	cf45d6a275	client/web: remove old /redirect handler I thought this had something to do with Synology or QNAP support, since they both have specific authentication logic. But it turns out this was part of the original web client added in #1621, and then refactored as part of #2093. But with how we handle logging in now, it's never called. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Andrew Lytvynov	05523bdcdd	release/dist/cli: add gen-key command (#9023 ) Add a new subcommand to generate a Ed25519 key pair for release signing. The same command can be used to generate both root and signing keys. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
James Tucker	e1c7e9b736	wgengine/magicsock: improve endpoint selection for WireGuard peers with rx time If we don't have the ICMP hint available, such as on Android, we can use the signal of rx traffic to bias toward a particular endpoint. We don't want to stick to a particular endpoint for a very long time without any signals, so the sticky time is reduced to 1 second, which is large enough to avoid excessive packet reordering in the common case, but should be small enough that either rx provides a strong signal, or we rotate in a user-interactive schedule to another endpoint, improving the feel of failover to other endpoints. Updates #8999 Co-authored-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	10 months ago
James Tucker	5edb39d032	wgengine/magicsock: clear out endpoint statistics when it becomes bad There are cases where we do not detect the non-viability of a route, but we will instead observe a failure to send. In a Disco path this would normally be handled as a side effect of Disco, which is not available to non-Disco WireGuard nodes. In both cases, recognizing the failure as such will result in faster convergence. Updates #8999 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Charlotte Brandhorst-Satzkorn	7c9c68feed	wgengine/magicsock: update lastfullping comment to include wg only LastFullPing is now used for disco or wireguard only endpoints. This change updates the comment to make that clear. Updates #7826 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	10 months ago
Aaron Klotz	ea693eacb6	util/winutil: add RegisterForRestart, allowing programs to indicate their preferences to the Windows restart manager In order for the installer to restart the GUI correctly post-upgrade, we need the GUI to be able to register its restart preferences. This PR adds API support for doing so. I'm adding it to OSS so that it is available should we need to do any such registrations on OSS binaries in the future. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
James Tucker	3a652d7761	wgengine/magicsock: clear endpoint state in noteConnectivityChange There are latency values stored in bestAddr and endpointState that are no longer applicable after a connectivity change and should be cleared out, following the documented behavior of the function. Updates #8999 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Andrew Lytvynov	7364c6beec	clientupdate/distsign: add new library for package signing/verification (#8943 ) This library is intended for use during release to sign packages which are then served from pkgs.tailscale.com. The library is also then used by clients downloading packages for `tailscale update` where OS package managers / app stores aren't used. Updates https://github.com/tailscale/tailscale/issues/8760 Updates https://github.com/tailscale/tailscale/issues/6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Maisem Ali	4b13e6e087	go.mod: bump golang.org/x/net Theory is that our long lived http2 connection to control would get tainted by _something_ (unclear what) and would get closed. This picks up the fix for golang/go#60818. Updates tailscale/corp#5761 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Will Norris	5ebff95a4c	client/web: fix globbing for file embedding src/*/ was only grabbing files in subdirectories, but not in the src directory itself. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Marwan Sulaiman	000c0a70f6	ipn, ipn/ipnlocal: clean up documentation and use clock instead of time This PR addresses a number of the follow ups from PR #8491 that were written after getting merged. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Will Norris	0df5507c81	client/web: combine embeds into a single embed.FS instead of embedding each file individually, embed them all into a single embed filesystem. This is basically a noop for the current frontend, but sets things up a little cleaner for the new frontend. Also added an embed.FS for the source files needed to build the new frontend. These files are not actually embedded into the binary (since it is a blank identifier), but causes `go mod vendor` to copy them into the vendor directory. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	3722b05465	release/dist: run yarn build before building CLI This builds the assets for the new web client as part of our release process. The path to the web client source is specified by the -web-client-root flag. This allows corp builds to first vendor the tailscale.com module, and then build the web client assets in the vendor directory. The default value for the -web-client-root flag is empty, so no assets are built by default. This is an update of the previously reverted `0fb95ec` Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	09e5e68297	client/web: track web client initializations Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	947def7688	types/netmap: remove redundant Netmap.Hostinfo It was in SelfNode.Hostinfo anyway. The redundant copy was just costing us an allocation per netmap (a Hostinfo.Clone). Updates #1909 Change-Id: Ifac568aa5f8054d9419828489442a0f4559bc099 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Sonia Appasamy	50b558de74	client/web: hook up remaining legacy POST requests Hooks up remaining legacy POST request from the React side in --dev. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	db017d3b12	control/controlclient: remove quadratic allocs in mapSession The mapSession code was previously quadratic: N clients in a netmap send updates proportional to N and then for each, we do N units of work. This removes most of that "N units of work" per update. There's still a netmap-sized slice allocation per update (that's #8963), but that's it. Bit more efficient now, especially with larger netmaps: │ before │ after │ │ sec/op │ sec/op vs base │ MapSessionDelta/size_10-8 47.935µ ± 3% 1.232µ ± 2% -97.43% (p=0.000 n=10) MapSessionDelta/size_100-8 79.950µ ± 3% 1.642µ ± 2% -97.95% (p=0.000 n=10) MapSessionDelta/size_1000-8 355.747µ ± 10% 4.400µ ± 1% -98.76% (p=0.000 n=10) MapSessionDelta/size_10000-8 3079.71µ ± 3% 27.89µ ± 3% -99.09% (p=0.000 n=10) geomean 254.6µ 3.969µ -98.44% │ before │ after │ │ B/op │ B/op vs base │ MapSessionDelta/size_10-8 9.651Ki ± 0% 2.395Ki ± 0% -75.19% (p=0.000 n=10) MapSessionDelta/size_100-8 83.097Ki ± 0% 3.192Ki ± 0% -96.16% (p=0.000 n=10) MapSessionDelta/size_1000-8 800.25Ki ± 0% 10.32Ki ± 0% -98.71% (p=0.000 n=10) MapSessionDelta/size_10000-8 7896.04Ki ± 0% 82.32Ki ± 0% -98.96% (p=0.000 n=10) geomean 266.8Ki 8.977Ki -96.64% │ before │ after │ │ allocs/op │ allocs/op vs base │ MapSessionDelta/size_10-8 72.00 ± 0% 20.00 ± 0% -72.22% (p=0.000 n=10) MapSessionDelta/size_100-8 523.00 ± 0% 20.00 ± 0% -96.18% (p=0.000 n=10) MapSessionDelta/size_1000-8 5024.00 ± 0% 20.00 ± 0% -99.60% (p=0.000 n=10) MapSessionDelta/size_10000-8 50024.00 ± 0% 20.00 ± 0% -99.96% (p=0.000 n=10) geomean 1.754k 20.00 -98.86% Updates #1909 Change-Id: I41ee29358a5521ed762216a76d4cc5b0d16e46ac Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago

1 2 3 4 5 ...

6136 Commits (de9ba1c621639a2f161133ec7360a925c1e502d7) All Branches Search

6136 Commits (de9ba1c621639a2f161133ec7360a925c1e502d7)

All Branches