tailscale

Commit Graph

Author	SHA1	Message	Date
Claus Lensbøl	e6a3669277	net/tsdial: do not panic if setting the same eventbus twice (#17640 ) Updates #17638 Signed-off-by: Claus Lensbøl <claus@tailscale.com> (cherry picked from commit `fd0e541e5d`)	1 month ago
Nick Khyl	8bcd44ecf0	VERSION.txt: this is v1.90.2 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 month ago
Claus Lensbøl	b0f0bce928	health: compare warnable codes to avoid errors on release branch (#17637 ) This compares the warnings we actually care about and skips the unstable warnings and the changes with no warnings. Fixes #17635 Signed-off-by: Claus Lensbøl <claus@tailscale.com> (cherry picked from commit `7418583e47`)	1 month ago
Brad Fitzpatrick	c81ef9055b	util/linuxfw: fix 32-bit arm regression with iptables This fixes a regression from `dd615c8fdd` that moved the newIPTablesRunner constructor from a any-Linux-GOARCH file to one that was only amd64 and arm64, thus breaking iptables on other platforms (notably 32-bit "arm", as seen on older Pis running Buster with iptables) Tested by hand on a Raspberry Pi 2 w/ Buster + iptables for now, for lack of automated 32-bit arm tests at the moment. But filed #17629. Fixes #17623 Updates #17629 Change-Id: Iac1a3d78f35d8428821b46f0fed3f3717891c1bd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit `8576a802ca`)	1 month ago
Patrick O'Doherty	9fe44b3718	feature/tpm: use withSRK to probe TPM availability (#17627 ) On some platforms e.g. ChromeOS the owner hierarchy might not always be available to us. To avoid stale sealing exceptions later we probe to confirm it's working rather than rely solely on family indicator status. Updates #17622 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com> (cherry picked from commit `672b1f0e76`)	1 month ago
Patrick O'Doherty	a8ae316858	feature/tpm: check TPM family data for compatibility (#17624 ) Check that the TPM we have opened is advertised as a 2.0 family device before using it for state sealing / hardware attestation. Updates #17622 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com> (cherry picked from commit `36ad24b20f`)	1 month ago
Nick Khyl	75b0c6f164	VERSION.txt: this is v1.90.1 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 month ago
Nick Khyl	3c78146ece	VERSION.txt: this is v1.90.0 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 month ago
License Updater	4e1c270f90	licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	1 month ago
Alex Chan	4673992b96	tka: created a shared testing library for Chonk This patch creates a set of tests that should be true for all implementations of Chonk and CompactableChonk, which we can share with the SQLite implementation in corp. It includes all the existing tests, plus a test for LastActiveAncestor which was in corp but not in oss. Updates https://github.com/tailscale/corp/issues/33465 Signed-off-by: Alex Chan <alexc@tailscale.com>	1 month ago
Alex Chan	c961d58091	cmd/tailscale: improve the error message for `lock log` with no lock Previously, running `tailscale lock log` in a tailnet without Tailnet Lock enabled would return a potentially confusing error: $ tailscale lock log 2025/10/20 11:07:09 failed to connect to local Tailscale service; is Tailscale running? It would return this error even if Tailscale was running. This patch fixes the error to be: $ tailscale lock log Tailnet Lock is not enabled Fixes #17586 Signed-off-by: Alex Chan <alexc@tailscale.com>	1 month ago
Max Coulombe	6a73c0bdf5	cmd/tailscale/cli,feature: add support for identity federation (#17529 ) Add new arguments to `tailscale up` so authkeys can be generated dynamically via identity federation. Updates #9192 Signed-off-by: mcoulombe <max@tailscale.com>	2 months ago
Brad Fitzpatrick	54cee33bae	go.toolchain.rev: update to Go 1.25.3 Updates tailscale/go#140 Updates tailscale/go#142 Updates tailscale/go#138 Change-Id: Id25b6fa4e31eee243fec17667f14cdc48243c59e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
David Bond	9083ef1ac4	cmd/k8s-operator: allow pod tolerations on nameservers (#17260 ) This commit modifies the `DNSConfig` custom resource to allow specifying [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) on the nameserver pods. This will allow users to dictate where their nameserver pods are located within their clusters. Fixes: https://github.com/tailscale/tailscale/issues/17092 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 months ago
Andrew Lytvynov	6493206ac7	.github/workflows: pin nix-related github actions (#17574 ) Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Alex Chan	8d119f62ee	wgengine/magicsock: minor tidies in Test_endpoint_maybeProbeUDPLifetimeLocked * Remove a couple of single-letter `l` variables * Use named struct parameters in the test cases for readability * Delete `wantAfterInactivityForFn` parameter when it returns the default zero Updates #cleanup Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Alex Chan	55a43c3736	tka: don't look up parent/child information from purged AUMs We soft-delete AUMs when they're purged, but when we call `ChildAUMs()`, we look up soft-deleted AUMs to find the `Children` field. This patch changes the behaviour of `ChildAUMs()` so it only looks at not-deleted AUMs. This means we don't need to record child information on AUMs any more, which is a minor space saving for any newly-recorded AUMs. Updates https://github.com/tailscale/tailscale/issues/17566 Updates https://github.com/tailscale/corp/issues/27166 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Alex Chan	c3acf25d62	tka: remove an unused Mem.Orphans() method This method was added in `cca25f6` in the initial in-memory implementation of Chonk, but it's not part of the Chonk interface and isn't implemented or used anywhere else. Let's get rid of it. Updates https://github.com/tailscale/corp/issues/33465 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Alex Chan	0ce88aa343	all: use a consistent capitalisation for "Tailnet Lock" Updates https://github.com/tailscale/corp/issues/13108 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
David Bond	419fba40e0	k8s-operator/api-proxy: put kube api server events behind environment variable (#17550 ) This commit modifies the k8s-operator's api proxy implementation to only enable forwarding of api requests to tsrecorder when an environment variable is set. This new environment variable is named `TS_EXPERIMENTAL_KUBE_API_EVENTS`. Updates https://github.com/tailscale/corp/issues/32448 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 months ago
Joe Tsai	e804b64358	wgengine/netlog: merge connstats into package (#17557 ) Merge the connstats package into the netlog package and unexport all of its declarations. Remove the buildfeatures.HasConnStats and use HasNetLog instead. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Joe Tsai	e75f13bd93	net/connstats: prepare to remove package (#17554 ) The connstats package was an unnecessary layer of indirection. It was seperated out of wgengine/netlog so that net/tstun and wgengine/magicsock wouldn't need a depenedency on the concrete implementation of network flow logging. Instead, we simply register a callback for counting connections. This PR does the bare minimum work to prepare tstun and magicsock to only care about that callback. A future PR will delete connstats and merge it into netlog. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Joe Tsai	6d897c4ab4	types/netlogtype: remove CBOR representation (#17545 ) Remove CBOR representation since it was never used. We should support CBOR in the future, but for remove it for now so that it is less work to add more fields. Also, rely on just omitzero for JSON now that it is supported in Go 1.24. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Jordan Whited	743e5ac696	cmd/tailscale: surface relay-server-port set flag (#17528 ) Fixes tailscale/corp#31186 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	1a93a8a704	feature/tpm: quiet log output a bit I was debugging a customer issue and saw in their 1.88.3 logs: TPM: error opening: stat /dev/tpm0: no such file or directory That's unnecessary output. The lack of TPM will be reported by them having a nil Hostinfo.TPM, which is plenty elsewhere in logs. Let's only write out an "error opening" line if it's an interesting error. (perhaps permissions, or EIO, etc) Updates #cleanup Change-Id: I3f987f6bf1d3ada03473ca3eef555e9cfafc7677 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claus Lensbøl	005e264b54	util/eventbus/eventbustest: add support for synctest instead of timers (#17522 ) Before synctest, timers was needed to allow the events to flow into the test bus. There is still a timer, but this one is not derived from the test deadline and it is mostly arbitrary as synctest will render it practically non-existent. With this approach, tests that do not need to test for the absence of events do not rely on synctest. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	2 months ago
Patrick O'Doherty	d8a6d0183c	ipn/ipnlocal: strip AttestationKey in redacted prefs view (#17527 ) Updates tailscale/corp#31269 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	2 months ago
Aaron Klotz	7c49cab1a6	clientupdate, util/osshare, util/winutil, version: improve Windows GUI filename resolution and WinUI build awareness On Windows arm64 we are going to need to ship two different GUI builds; one for Win10 (GOARCH=386) and one for Win11 (GOARCH=amd64, tags += winui). Due to quirks in MSI packaging, they cannot both share the same filename. This requires some fixes in places where we have hardcoded "tailscale-ipn" as the GUI filename. We also do some cleanup in clientupdate to ensure that autoupdates will continue to work correctly with the temporary "-winui" package variant. Fixes #17480 Updates https://github.com/tailscale/corp/issues/29940 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 months ago
Patrick O'Doherty	e45557afc0	types/persist: add AttestationKey (#17281 ) Extend Persist with AttestationKey to record a hardware-backed attestation key for the node's identity. Add a flag to tailscaled to allow users to control the use of hardware-backed keys to bind node identity to individual machines. Updates tailscale/corp#31269 Change-Id: Idcf40d730a448d85f07f1bebf387f086d4c58be3 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	2 months ago
Joe Tsai	a2dc517d7d	all: specify explicit JSON format for time.Duration (#17307 ) The default representation of time.Duration has different JSON representation between v1 and v2. Apply an explicit format flag that uses the v1 representation so that this behavior does not change if serialized with v2. Updates tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 months ago
Jonathan Nobels	8e98ecb5f7	net/netmon: handle net.IPAddr types during interface address parsing (#17523 ) updates tailscale/tailscale#16836 Android's altNetInterfaces implementation now returns net.IPAddr types which netmon wasn't handling. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Jordan Whited	af15ee9c5f	wgengine/magicsock: add clientmetrics for TX bytes/packets by af & conn type (#17515 ) Updates tailscale/corp#33206 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
M. J. Fromberger	0a33aae823	util/eventbus: run subscriber functions in a goroutine (#17510 ) With a channel subscriber, the subscription processing always occurs on another goroutine. The SubscriberFunc (prior to this commit) runs its callbacks on the client's own goroutine. This changes the semantics, though: In addition to more directly pushing back on the publisher, a publisher and subscriber can deadlock in a SubscriberFunc but succeed on a Subscriber. They should behave equivalently regardless which interface they use. Arguably the caller should deal with this by creating its own goroutine if it needs to. However, that loses much of the benefit of the SubscriberFunc API, as it will need to manage the lifecycle of that goroutine. So, for practical ergonomics, let's make the SubscriberFunc do this management on the user's behalf. (We discussed doing this in #17432, but decided not to do it yet). We can optimize this approach further, if we need to, without changing the API. Updates #17487 Change-Id: I19ea9e8f246f7b406711f5a16518ef7ff21a1ac9 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	2 months ago
Naman Sood	f157f3288d	cmd/tailscale/cli,ipn/conffile: add declarative config mode for Services (#17435 ) This commit adds the subcommands `get-config` and `set-config` to Serve, which can be used to read the current Tailscale Services configuration in a standard syntax and provide a configuration to declaratively apply with that same syntax. Both commands must be provided with either `--service=svc:service` for one service, or `--all` for all services. When writing a config, `--set-config --all` will overwrite all existing Services configuration, and `--set-config --service=svc:service` will overwrite all configuration for that particular Service. Incremental changes are not supported. Fixes tailscale/corp#30983. cmd/tailscale/cli: hide serve "get-config"/"set-config" commands for now tailscale/corp#33152 tracks unhiding them when docs exist. Signed-off-by: Naman Sood <mail@nsood.in>	2 months ago
Tom Meadows	08eae9affd	sessionrecording: add destination to struct for tsrecorder (#17520 ) when tsrecorder receives events, it populates this field with information about the node the request was sent to. Updates #17141 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	2 months ago
Anton Tolchanov	072e6a39f4	tsweb/varz: add support for ShardedInt metrics Fixes tailscale/corp#33236 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 months ago
M. J. Fromberger	154d36f73d	wgengine/magicsock: do not apply node view updates to a closed Conn (#17517 ) Fixes #17516 Change-Id: Iae2dab42d6f7bc618478d360a1005537c1fa1bbd Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	2 months ago
Jordan Whited	16a05c7680	wgengine/magicsock: fix docs for send clientmetrics (#17514 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	adf308a064	wgengine/magicsock: add clientmetrics for RX bytes by af & conn type (#17512 ) Updates tailscale/corp#33206 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	d72370a6eb	wgengine/magicsock: remove unused arg in deregisterMetrics (#17513 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	e2233b7942	feature/relayserver: init server at config time instead of request time (#17484 ) The lazy init led to confusion and a belief that was something was wrong. It's reasonable to expect the daemon to listen on the port at the time it's configured. Updates tailscale/corp#33094 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	0f4dec928e	feature/featuretags: make bird depend on advertiseroutes Updates #cleanup Change-Id: I87082919064a5652c0d976cadd6d159787bb224a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	9123932710	net/dns, wgengine: use viewer/cloner for Config Per earlier TODO. Updates #17506 Change-Id: I21fe851c4bcced98fcee844cb428ca9c2f6b0588 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	f270c3158a	net/dns, ipn/ipnlocal: fix regressions from change moving away from deephash I got sidetracked apparently and never finished writing this Clone code in `316afe7d02` (#17448). (It really should use views instead.) And then I missed one of the users of "routerChanged" that was broken up into "routerChanged" vs "dnsChanged". This broke integration tests elsewhere. Fixes #17506 Change-Id: I533bf0fcf3da9ac6eb4a6cdef03b8df2c1fb4c8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Mike O'Driscoll	7edb5b7d43	flake.nix: update Nix to use tailscale/go 1.25.2 (#17500 ) Update Nix flake to use go 1.25.2 Create the hash from the toolchain rev file automatically from update-flake.sh Updates tailscale/go#135 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	2 months ago
Alex Chan	b7fe1cea9f	cmd/tailscale/cli: only print authURLs and device approval URLs once This patch fixes several issues related to printing login and device approval URLs, especially when `tailscale up` is interrupted: 1. Only print a login URL that will cause `tailscale up` to complete. Don't print expired URLs or URLs from previous login attempts. 2. Print the device approval URL if you run `tailscale up` after previously completing a login, but before approving the device. 3. Use the correct control URL for device approval if you run a bare `tailscale up` after previously completing a login, but before approving the device. 4. Don't print the device approval URL more than once (or at least, not consecutively). Updates tailscale/corp#31476 Updates #17361 ## How these fixes work This patch went through a lot of trial and error, and there may still be bugs! These notes capture the different scenarios and considerations as we wrote it, which are also captured by integration tests. 1. We were getting stale login URLs from the initial IPN state notification. When the IPN watcher was moved to before Start() in `c011369`, we mistakenly continued to request the initial state. This is only necessary if you start watching after you call Start(), because you may have missed some notifications. By getting the initial state before calling Start(), we'd get a stale login URL. If you clicked that URL, you could complete the login in the control server (if it wasn't expired), but your instance of `tailscale up` would hang, because it's listening for login updates from a different login URL. In this patch, we no longer request the initial state, and so we don't print a stale URL. 2. Once you skip the initial state from IPN, the following sequence: * Run `tailscale up` * Log into a tailnet with device approval * ^C after the device approval URL is printed, but without approving * Run `tailscale up` again means that nothing would ever be printed. `tailscale up` would send tailscaled the pref `WantRunning: true`, but that was already the case so nothing changes. You never get any IPN notifications, and in particular you never get a state change to `NeedsMachineAuth`. This means we'd never print the device approval URL. In this patch, we add a hard-coded rule that if you're doing a simple up (which won't trigger any other IPN notifications) and you start in the `NeedsMachineAuth` state, we print the device approval message without waiting for an IPN notification. 3. Consider the following sequence: * Run `tailscale up --login-server=<custom server>` * Log into a tailnet with device approval * ^C after the device approval URL is printed, but without approving * Run `tailscale up` again We'd print the device approval URL for the default control server, rather than the real control server, because we were using the `prefs` from the CLI arguments (which are all the defaults) rather than the `curPrefs` (which contain the custom login server). In this patch, we use the `prefs` if the user has specified any settings (and other code will ensure this is a complete set of settings) or `curPrefs` if it's a simple `tailscale up`. 4. Consider the following sequence: you've logged in, but not completed device approval, and you run `down` and `up` in quick succession. * `up`: sees state=NeedsMachineAuth * `up`: sends `{wantRunning: true}`, prints out the device approval URL * `down`: changes state to Stopped * `up`: changes state to Starting * tailscaled: changes state to NeedsMachineAuth * `up`: gets an IPN notification with the state change, and prints a second device approval URL Either URL works, but this is annoying for the user. In this patch, we track whether the last printed URL was the device approval URL, and if so, we skip printing it a second time. Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Alex Chan	bb6bd46570	tstest/integration: log all the output printed by `tailscale up` Updates tailscale/corp#31476 Updates #17361 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Alex Chan	06f12186d9	tstest/integration: test `tailscale up` when device approval is required This patch extends the integration tests for `tailscale up` to include tailnets where new devices need to be approved. It doesn't change the CLI, because it's mostly working correctly already -- these tests are just to prevent future regressions. I've added support for `MachineAuthorized` to mock control, and I've refactored `TestOneNodeUpAuth` to be more flexible. It now takes a sequence of steps to run and asserts whether we got a login URL and/or machine approval URL after each step. Updates tailscale/corp#31476 Updates #17361 Signed-off-by: Alex Chan <alexc@tailscale.com>	2 months ago
Jordan Whited	4543ea5c8a	wgengine/magicsock: start peer relay path discovery sooner (#17485 ) This commit also shuffles the hasPeerRelayServers atomic load to happen sooner, reducing the cost for clients with no peer relay servers. Updates tailscale/corp#33099 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	9a72513fa4	go.toolchain.rev: bump Go to 1.25.2 Updates tailscale/go#135 Change-Id: I89cfb49b998b2fd0264f8d5f4a61af839cd06626 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago

1 2 3 4 5 ...

9783 Commits (e6a3669277e113d3889a6e4c1e71bc79ca5a28d0) All Branches Search

9783 Commits (e6a3669277e113d3889a6e4c1e71bc79ca5a28d0)

All Branches