tailscale

Commit Graph

Author	SHA1	Message	Date
Frederik “Freso” S. Olesen	83fccf9fe5	tailscaled.service: Lock down clock and /dev (#1071 ) Research in issue #1063 uncovered why tailscaled would fail with ProtectClock enabled (it implicitly enabled DevicePolicy=closed). This knowledge in turn also opens the door for locking down /dev further, e.g. explicitly setting DevicePolicy=strict (instead of closed), and making /dev private for the unit. Additional possible future (or downstream) lockdown that can be done is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`), however, systemd 233 or later is required for this, and tailscaled currently need to work for systemd down to version 215. Closes https://github.com/tailscale/tailscale/issues/1063 Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>	4 years ago
Josh Bleecher Snyder	56a7652dc9	wgkey: new package This is a replacement for the key-related parts of the wireguard-go wgcfg package. This is almost a straight copy/paste from the wgcfg package. I have slightly changed some of the exported functions and types to avoid stutter, added and tweaked some comments, and removed some now-unused code. To avoid having wireguard-go depend on this new package, wgcfg will keep its key types. We translate into and out of those types at the last minute. These few remaining uses will be eliminated alongside the rest of the wgcfg package. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	4 years ago
Frederik “Freso” S. Olesen	a9a80ab372	tailscaled.service: Harden systemd unit somewhat (#1062 ) While not a full capability lockdown of the systemd unit, this still improves sandboxing and security of the running process a good deal. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>	4 years ago
Matt Layher	1a42cef3a2	cmd/tailscale*: make updatedeps Signed-off-by: Matt Layher <mdlayher@gmail.com>	4 years ago
Brad Fitzpatrick	d0baece5fa	go.mod: bump inet.af/netaddr to non-allocating version	4 years ago
Brad Fitzpatrick	15c064f76f	wgengine/router/dns: remove unsafe endianness detection on Linux	4 years ago
Brad Fitzpatrick	57dd247376	cmd/tailscaled, logpolicy, logtail: support log levels Log levels can now be specified with "[v1] " or "[v2] " substrings that are then stripped and filtered at the final logger. This follows our existing "[unexpected]" etc convention and doesn't require a wholesale reworking of our logging at the moment. cmd/tailscaled then gets a new --verbose=N flag to take a log level that controls what gets logged to stderr (and thus systemd, syslog, etc). Logtail is unaffected by --verbose. This commit doesn't add annotations to any existing log prints. That is in the next commit. Updates #924 Updates #282 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Christine Dodrill	2485faf69a	Merge branch 'main' into report-status-systemd	4 years ago
Christine Dodrill	7ea809897d	ipn/ipnserver: enable systemd-notify support Addresses #964 Still to be done: - Figure out the correct logging lines in util/systemd - Figure out if we need to slip the systemd.Status function anywhere else - Log util/systemd errors? (most of the errors are of the "you cannot do anything about this, but it might be a bad idea to crash the program if it errors" kind) Assistance in getting this over the finish line would help a lot. Signed-off-by: Christine Dodrill <me@christine.website> util/systemd: rename the nonlinux file to appease the magic Signed-off-by: Christine Dodrill <me@christine.website> util/systemd: fix package name Signed-off-by: Christine Dodrill <me@christine.website> util/systemd: fix review feedback from @mdlayher Signed-off-by: Christine Dodrill <me@christine.website> cmd/tailscale{,d}: update depaware manifests Signed-off-by: Christine Dodrill <me@christine.website> util/systemd: use sync.Once instead of func init Signed-off-by: Christine Dodrill <me@christine.website> control/controlclient: minor review feedback fixes Signed-off-by: Christine Dodrill <me@christine.website> {control,ipn,systemd}: fix review feedback Signed-off-by: Christine Dodrill <me@christine.website> review feedback fixes Signed-off-by: Christine Dodrill <me@christine.website> ipn: fix sprintf call Signed-off-by: Christine Dodrill <me@christine.website> ipn: make staticcheck less sad Signed-off-by: Christine Dodrill <me@christine.website> ipn: print IP address in connected status Signed-off-by: Christine Dodrill <me@christine.website> ipn: review feedback Signed-off-by: Christine Dodrill <me@christine.website> final fixups Signed-off-by: Christine Dodrill <me@christine.website>	4 years ago
Aleksandar Pesic	4749a96a5b	Update depaware.txt files. Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>	4 years ago
Brad Fitzpatrick	bce865b61b	logpolicy: migrate from x/crypto/ssh/terminal to x/term	4 years ago
Josh Bleecher Snyder	aa9d7f4665	tstime: add Parse3339B, for byte slices Use go4.org/mem for memory safety. A slight performance hit, but a huge performance win for clients who start with a []byte. The perf hit is due largely to the MapHash call, which adds ~25ns. That is necessary to keep the fast path allocation-free. name old time/op new time/op delta GoParse3339/Z-8 281ns ± 1% 283ns ± 2% ~ (p=0.366 n=9+9) GoParse3339/TZ-8 509ns ± 0% 510ns ± 1% ~ (p=0.059 n=9+9) GoParse3339InLocation-8 330ns ± 1% 330ns ± 0% ~ (p=0.802 n=10+6) Parse3339/Z-8 69.3ns ± 1% 74.4ns ± 1% +7.45% (p=0.000 n=9+10) Parse3339/TZ-8 110ns ± 1% 140ns ± 3% +27.42% (p=0.000 n=9+10) ParseInt-8 8.20ns ± 1% 8.17ns ± 1% ~ (p=0.452 n=9+9) name old alloc/op new alloc/op delta GoParse3339/Z-8 0.00B 0.00B ~ (all equal) GoParse3339/TZ-8 160B ± 0% 160B ± 0% ~ (all equal) GoParse3339InLocation-8 0.00B 0.00B ~ (all equal) Parse3339/Z-8 0.00B 0.00B ~ (all equal) Parse3339/TZ-8 0.00B 0.00B ~ (all equal) name old allocs/op new allocs/op delta GoParse3339/Z-8 0.00 0.00 ~ (all equal) GoParse3339/TZ-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) GoParse3339InLocation-8 0.00 0.00 ~ (all equal) Parse3339/Z-8 0.00 0.00 ~ (all equal) Parse3339/TZ-8 0.00 0.00 ~ (all equal) Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	4 years ago
Brad Fitzpatrick	8f76548fd9	tempfork/osexec: remove old fork of os/exec This package was a temporary fork of os/exec to fix an EINTR loop bug that was fixed upstream for Go 1.15 in `8c1db77a92` (https://go-review.googlesource.com/c/go/+/232862), in src/os/exec_unix.go: `8c1db77a92 (diff-72072cbd53a7240debad8aa506ff7ec795f9cfac7322e779f9bac29a4d0d0bd4)`	4 years ago
Brad Fitzpatrick	51c8fd1dfc	logpolicy: add -race suffix to Go version when race detector in use	4 years ago
Brad Fitzpatrick	7a01cd27ca	net/netstat: remove some unsafe Just removing any unnecessary unsafe while auditing unsafe usage for #921.	4 years ago
Brad Fitzpatrick	45d96788b5	net/netns: remove use of unsafe on Windows Found while auditing unsafe for #921 via the list at: https://github.com/tailscale/tailscale/issues/921#issuecomment-727365383 No need for unsafe here, so remove it.	4 years ago
Brad Fitzpatrick	a2d78b4d3e	net/dnscache, control/controlclient: use DNS cache when dialing control Cache DNS results of earlier login.tailscale.com control dials, and use them for future dials if DNS is slow or broken. Fixes various issues with trickier setups with the domain's DNS server behind a subnet router. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	7988f75b87	tailscaled.service: also cleanup prior to starting. Fixes #813. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	427bf2134f	net/packet: rename from wgengine/packet. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	ebd96bf4a9	wgengine/router/dns: use OpenKeyWait to set DNS configuration. Fixes tailscale/corp#839. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	7e1a146e6c	cmd/tailscaled: update depaware.txt	4 years ago
David Anderson	54e6c3a290	version: use OSS repo's version when building. When building with redo, also include the git commit hash from the proprietary repo, so that we have a precise commit that identifies all build info (including Go toolchain version). Add a top-level build script demonstrating to downstream distros how to burn the right information into builds. Adjust `tailscale version` to print commit hashes when available. Fixes #841. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	86c271caba	types/logger: move RusagePrefixLog to logger package, disable by default The RusagePrefixLog is rarely useful, hasn't been useful in a long time, is rarely the measurement we need, and is pretty spammy (and syscall-heavy). Disable it by default. We can enable it when we're debugging memory.	4 years ago
Alex Brainman	f2ce64f0c6	wgengine/router: unfork winipcfg-go package, use upstream Use golang.zx2c4.com/wireguard/windows/tunnel/winipcfg instead of github.com/tailscale/winipcfg-go package. Updates #760 Signed-off-by: Alex Brainman <alex.brainman@gmail.com>	4 years ago
Josh Bleecher Snyder	a5103a4cae	all: upgrade to latest version of depaware	4 years ago
Josh Bleecher Snyder	38dda1ea9e	all: update depaware.txt Broken by `8051ecff55`. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	4 years ago
Brad Fitzpatrick	8b94a769be	cmd/tailscaled: use the standard flag page instead of getopt Per discussion with @crawshaw. The CLI tool already used std flag anyway. If either of them, it would've made more sense for the CLI to use getopt.	4 years ago
Brad Fitzpatrick	3528d28ed1	wgengine/router: move Tailscale's winipcfg additions into wgengine/router Part of unforking our winipcfg-go and using upstream (#760), move our additions into our repo. (We might upstream them later if upstream has interest) Originally these were: @apenwarr: "Add ifc.SyncAddresses() and SyncRoutes()." `609dcf2df5` @bradfitz: "winipcfg: make Interface.AddRoutes do as much as possible, return combined error" `e9f93d53f3` @bradfitz: "prevent unnecessary Interface.SyncAddresses work; normalize IPNets in deltaNets" `decb9ee8e1`	4 years ago
Christina Wen	f0e9dcdc0a	wgengine/router: restore /etc/resolv.conf after tailscale down is called This change is to restore /etc/resolv.conf after tailscale down is called. This is done by setting the dns.Manager before errors occur. Error collection is also added. Fixes #723	4 years ago
Brad Fitzpatrick	931bcd44cb	control/controlclient: report Synology "distro" + its version to control	4 years ago
David Anderson	8f5b52e571	net/netns: add windows support. Also remove rebinding logic from the windows router. Magicsock will instead rebind based on link change signals. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	4f7751e025	Update depaware for previous ipnserver change.	4 years ago
Brad Fitzpatrick	a084c44afc	wgengine, wgengine/router, cmd/tailscale: force netfilter mode off on Synology For now. Get it working again so it's not stuck on 0.98. Subnet relay can come later. Updates #451 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	8b60936913	depaware: update deps	4 years ago
Brad Fitzpatrick	22ed3c503e	Add depaware.txt files and GitHub checks. (#745 ) See https://github.com/tailscale/depaware Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	9e26ffecf8	cmd/tailscaled: ignore SIGPIPE. SIGPIPE can be generated when CLIs disconnect from tailscaled. This should not terminate the process. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	d64de1ddf7	Revert "cmd/tailscaled: exit gracefully on SIGPIPE" tailscaled receives a SIGPIPE when CLIs disconnect from it. We shouldn't shut down in that case. This reverts commit `43b271cb26`. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Dmytro Shynkevych	43b271cb26	cmd/tailscaled: exit gracefully on SIGPIPE Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
David Crawshaw	92e9a5ac15	tailscaled.service: use default restart limiting It appears that systemd has sensible defaults for limiting crash loops: DefaultStartLimitIntervalSec=10s DefaultStartLimitBurst=5 Remove our insta-restart configuration so that it works. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
Brad Fitzpatrick	ff8c8db9d3	cmd/tailscaled: log on shutdown signal	4 years ago
Brad Fitzpatrick	4aba86cc03	ipn/ipnserver: make Engine argument a func that tries again for each connection So a backend in server-an-error state (as used by Windows) can try to create a new Engine again each time somebody re-connects, relaunching the GUI app. (The proper fix is actually fixing Windows issues, but this makes things better in the short term) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Dmytro Shynkevych	318751c486	cmd/tailscaled: always flush logs properly Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
Brad Fitzpatrick	e589c76e98	cmd/tailscaled: don't require --socket path on windows	4 years ago
Brad Fitzpatrick	c1d9e41bef	cmd/tailscaled: use "Tailscale" as default TUN device name on Windows That's what's used in the Windows GUI version and seems special. If we don't use that, Windows tries to rename it and fails.	4 years ago
Brad Fitzpatrick	f98706bdb3	paths, cmd/tailscaled: on Windows, don't try to migrate from legacy relay.conf Avoids confusing logspam on Windows.	4 years ago
Dmytro Shynkevych	61abab999e	cmd/tailscaled: graceful shutdown (#534 ) Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>	4 years ago
Avery Pennarun	af9328c1b7	log rate limiting: reformat limiter messages, and use nonempty burst size. - Reformat the warning about a message being rate limited to print the format string, rather than the formatted message. This helps give a clue what "type" of message is being limited. - Change the rate limit warning to be [RATE LIMITED] in all caps. This uses less space on each line, plus is more noticeable. - In tailscaled, change the frequency to be less often (once every 5 seconds per format string) but to allow bursts of up to 5 messages. This greatly reduces the number of messages that are rate limited during startup, but allows us to tighten the limit even further during normal runtime. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	5 years ago
Avery Pennarun	f2db4ac277	cmd/tailscaled: SetGCPercent() if GOGC is not set. This cuts RSS from ~30MB to ~20MB on my machine, after the previous fix to get rid of unnecessary zstd buffers. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	5 years ago
Avery Pennarun	d074ec6571	cmd/tailscaled: eliminate unnecessary use of an init() function. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>	5 years ago
Wendi Yu	bb55694c95	wgengine: log node IDs when peers are added/removed (#381 ) Also stop logging data sent/received from nodes we're not connected to (ie all those `x`s being logged in the `peers: ` line) Signed-off-by: Wendi <wendi.yu@yahoo.ca>	5 years ago

1 2

76 Commits (e692e3866bf2cbe240b64f96e03d590539e67aef)