tailscale

Commit Graph

Author	SHA1	Message	Date
Flakes Updater	e80ba4ce79	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	9 months ago
Maisem Ali	9430481926	cmd/containerboot: account for k8s secret reflection in fsnotify On k8s the serve-config secret mount is symlinked so checking against the Name makes us miss the events. Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Andrew Lytvynov	ce5909dafc	release/dist: remove extra Close on a signed file (#9094 ) We pass the file as an io.Reader to http.Post under the hood as request body. Post, helpfully, detects that the body is an io.Closer and closes it. So when we try to explicitly close it again, we get "file already closed" error. The Close there is not load-bearing, we have a defer for it anyway. Remove the explicit close and error check. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Sonia Appasamy	4828e4c2db	client/web: move api handler into web.go Also uses `http.HandlerFunc` to pass the handler into `csrfProtect` so we can get rid of the extraneous `api` struct. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Dave Anderson	7b18ed293b	tsweb: check for key-based debug access before XFF check (#9093 ) Fly apps all set X-Forwarded-For, which breaks debug access even with a preshared key otherwise. Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>	9 months ago
Aaron Klotz	6b6a8cf843	util/osdiag: add query for Windows page file configuration and status It's very common for OOM crashes on Windows to be caused by lack of page file space (the NT kernel does not overcommit). Since Windows automatically manages page file space by default, unless the machine is out of disk space, this is typically caused by manual page file configurations that are too small. This patch obtains the current page file size, the amount of free page file space, and also determines whether the page file is automatically or manually managed. Fixes #9090 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	9 months ago
Denton Gentry	535db01b3f	scripts/installer: add Kaisen, Garuda, Fedora-Asahi. Fixes https://github.com/tailscale/tailscale/issues/8648 Fixes https://github.com/tailscale/tailscale/issues/8737 Fixes https://github.com/tailscale/tailscale/issues/9087 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	9 months ago
Maisem Ali	c8dea67cbf	cmd/k8s-operator: add support for Ingress resources Previously, the operator would only monitor Services and create a Tailscale StatefulSet which acted as a L3 proxy which proxied traffic inbound to the Tailscale IP onto the services ClusterIP. This extends that functionality to also monitor Ingress resources where the `ingressClassName=tailscale` and similarly creates a Tailscale StatefulSet, acting as a L7 proxy instead. Users can override the desired hostname by setting: ``` - tls hosts: - "foo" ``` Hostnames specified under `rules` are ignored as we only create a single host. This is emitted as an event for users to see. Fixes #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	320f77bd24	cmd/containerboot: add support for setting ServeConfig This watches the provided path for a JSON encoded ipn.ServeConfig. Everytime the file changes, or the nodes FQDN changes it reapplies the ServeConfig. At boot time, it nils out any previous ServeConfig just like tsnet does. As the ServeConfig requires pre-existing knowledge of the nodes FQDN to do SNI matching, it introduces a special `${TS_CERT_DOMAIN}` value in the JSON file which is replaced with the known CertDomain before it is applied. Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	12ac672542	cmd/k8s-operator: handle changes to services w/o teardown Previously users would have to unexpose/expose the service in order to change Hostname/TargetIP. This now applies those changes by causing a StatefulSet rollout now that `a61a9ab087` is in. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Denton Gentry	24d41e4ae7	cmd/sniproxy: add port forwarding and prometheus metrics 1. Add TCP port forwarding. For example: ./sniproxy -forwards=tcp/22/github.com will forward SSH to github. % ssh -i ~/.ssh/id_ecdsa.pem -T git@github.com Hi GitHubUser! You've successfully authenticated, but GitHub does not provide shell access. % ssh -i ~/.ssh/id_ecdsa.pem -T git@100.65.x.y Hi GitHubUser! You've successfully authenticated, but GitHub does not provide shell access. 2. Additionally export clientmetrics as prometheus metrics for local scraping over the tailnet: http://sniproxy-hostname:8080/debug/varz Updates https://github.com/tailscale/tailscale/issues/1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	9 months ago
Brad Fitzpatrick	98a5116434	all: adjust some build tags for plan9 I'm not saying it works, but it compiles. Updates #5794 Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Andrew Lytvynov	de9ba1c621	clientupdate/distsign/roots: add temporary dev root key (#9080 ) Adding a root key that signs the current signing key on pkgs.tailscale.com. This key is here purely for development and should be replaced before 1.50 release. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Sonia Appasamy	f3077c6ab5	client/web: add self node cache Adds a cached self node to the web client Server struct, which will be used from the web client api to verify that request came from the node's own machine (i.e. came from the web client frontend). We'll be using when we switch the web client api over to acting as a proxy to the localapi, to protect against DNS rebinding attacks. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Andrew Lytvynov	3b7ebeba2e	clientupdate: remove Arch support (#9081 ) An Arch Linux maintainer asked us to not implement "tailscale update" on Arch-based distros: https://github.com/tailscale/tailscale/issues/6995#issuecomment-1687080106 Return an error to the user if they try to run "tailscale update". Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Andrew Lytvynov	b42c4e2da1	cmd/dist,release/dist: add distsign signing hooks (#9070 ) Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Will Norris	dc8287ab3b	client/web: enforce full path for CGI platforms Synology and QNAP both run the web client as a CGI script. The old web client didn't care too much about requests paths, since there was only a single GET and POST handler. The new client serves assets on different paths, so now we need to care. First, enforce that the CGI script is always accessed from its full path, including a trailing slash (e.g. /cgi-bin/tailscale/index.cgi/). Then, strip that prefix off before passing the request along to the main serve handler. This allows for properly serving both static files and the API handler in a CGI environment. Also add a CGIPath option to allow other CGI environments to specify a custom path. Finally, update vite and one "api/data" call to no longer assume that we are always serving at the root path of "/". Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Will Norris	0c3d343ea3	client/web: invert auth logic for synology and qnap Add separate server methods for synology and qnap, and enforce authentication and authorization checks before calling into the actual serving handlers. This allows us to remove all of the auth logic from those handlers, since all requests will already be authenticated by that point. Also simplify the Synology token redirect handler by using fetch. Remove the SynologyUser from nodeData, since it was never used in the frontend anyway. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Will Norris	05486f0f8e	client/web: move synology and qnap logic into separate files This commit doesn't change any of the logic, but just organizes the code a little to prepare for future changes. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Maisem Ali	ff7f4b4224	cmd/testwrapper: fix off-by-one error in maxAttempts check It was checking if `>= maxAttempts` which meant that the third attempt would never run. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	a61a9ab087	cmd/containerboot: reapply known args on restart Previously we would not reapply changes to TS_HOSTNAME etc when then the container restarted and TS_AUTH_ONCE was enabled. This splits those into two steps login and set, allowing us to only rerun the set step on restarts. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Andrew Lytvynov	d45af7c66f	release/dist/cli: add sign-key and verify-key-signature commands (#9041 ) Now we have all the commands to generate the key hierarchy and verify that signing keys were signed correctly: ``` $ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root wrote private key to root-priv.pem wrote public key to root-pub.pem $ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing wrote private key to signing-priv.pem wrote public key to signing-pub.pem $ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem wrote signature to signature.bin $ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin signature ok ``` Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	9 months ago
Sonia Appasamy	349c05d38d	client/web: refresh on tab focus Refresh node data when user switches to the web client browser tab. This helps clean up the auth flow where they're sent to another tab to authenticate then return to the original tab, where the data should be refreshed to pick up the login updates. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Will Norris	824cd02d6d	client/web: cache csrf key when running in CGI mode Indicate to the web client when it is running in CGI mode, and if it is then cache the csrf key between requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
shayne	46b0c9168f	.github: update flakehub workflow to support existing tags (#9067 ) This adds a workflow_dispatch input to the update-flakehub workflow that allows the user to specify an existing tag to publish to FlakeHub. This is useful for publishing a version of a package that has already been tagged in the repository. Updates #9008 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	9 months ago
shayne	7825074444	.github: fix flakehub-publish-tagged.yml glob (#9066 ) The previous regex was too advanced for GitHub Actions. They only support a simpler glob syntax. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet Updates #9008 Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	9 months ago
Brad Fitzpatrick	5b6a90fb33	types/logger, cmd/tailscale/cli: flesh out, simplify some non-unix build tags Can write "wasm" instead of js \|\| wasi1p, since there's only two: $ go tool dist list \| grep wasm js/wasm wasip1/wasm Plus, if GOOS=wasip2 is added later, we're already set. Updates #5794 Change-Id: Ifcfb187c3775c17c9141bc721512dc4577ac4434 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	a5dcc4c87b	paths: remove wasm file, no-op stubs, make OS-specific funcs consistent Some OS-specific funcs were defined in init. Another used build tags and required all other OSes to stub it out. Another one could just be in the portable file. Simplify it a bit, removing a file and some stubs in the process. Updates #5794 Change-Id: I51df8772cc60a9335ac4c1dc0ab59b8a0d236961 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	d58ba59fd5	cmd/tailscale/cli: make netcheck run even if machine lacks TLS certs We have a fancy package for doing TLS cert validation even if the machine doesn't have TLS certs (for LetsEncrypt only) but the CLI's netcheck command wasn't using it. Also, update the tlsdial's outdated package docs while here. Updates #cleanup Change-Id: I74b3cb645d07af4d8ae230fb39a60c809ec129ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	e881c1caec	net/netmon: factor out debounce loop, simplify polling impl This simplifies some netmon code in prep for other changes. It breaks up Monitor.debounce into a helper method so locking is easier to read and things unindent, and then it simplifies the polling netmon implementation to remove the redundant stuff that the caller (the Monitor.debounce loop) was already basically doing. Updates #9040 Change-Id: Idcfb45201d00ae64017042a7bdee6ef86ad37a9f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Will Norris	9ea3942b1a	client/web: don't require secure cookies for csrf Under normal circumstances, you would typically want to keep the default behavior of requiring secure cookies. In the case of the Tailscale web client, we are regularly serving on localhost (where secure cookies don't really matter), and/or we are behind a reverse proxy running on a network appliance like a NAS or Home Assistant. In those cases, those devices are regularly accessed over local IP addresses without https configured, so would not work with secure cookies. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Andrew Lytvynov	f61dd12f05	clientupdate/distsign: use distinct PEM types for root/signing keys (#9045 ) To make key management less error-prone, use different PEM block types for root and signing keys. As a result, separate out most of the Go code between root/signing keys too. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Marwan Sulaiman	9c07f4f512	all: replace deprecated ioutil references This PR removes calls to ioutil library and replaces them with their new locations in the io and os packages. Fixes #9034 Updates #5210 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Denton Gentry	1b8a538953	scripts/installer.sh: add CloudLinux and Alibaba Linux Fixes https://github.com/tailscale/tailscale/issues/9010 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	9 months ago
Sonia Appasamy	776f9b5875	client/web: open auth URLs in new browser tab Open control server auth URLs in new browser tabs on web clients so users don't loose original client URL when redirected for login. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Brad Fitzpatrick	ad9b711a1b	tailcfg: bump capver to 72 to restore UPnP Actually fixed in `77ff705545` but that was cherry-picked to a branch and we don't bump capver in branches. This tells the control plane that UPnP should be re-enabled going forward. Updates #8992 Change-Id: I5c4743eb52fdee94175668c368c0f712536dc26b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	ea4425d8a9	ipn/ipnlocal, wgengine/magicsock: move UpdateStatus stuff around Upcoming work on incremental netmap change handling will require some replumbing of which subsystems get notified about what. Done naively, it could break "tailscale status --json" visibility later. To make sure I understood the flow of all the updates I was rereading the status code and realized parts of ipnstate.Status were being populated by the wrong subsystems. The engine (wireguard) and magicsock (data plane, NAT traveral) should only populate the stuff that they uniquely know. The WireGuard bits were fine but magicsock was populating stuff stuff that LocalBackend could've better handled, so move it there. Updates #1909 Change-Id: I6d1b95d19a2d1b70fbb3c875fac8ea1e169e8cb0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Maisem Ali	74388a771f	cmd/k8s-operator: fix regression from earlier refactor I forgot to move the defer out of the func, so the tsnet.Server immediately closed after starting. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Brad Fitzpatrick	9089efea06	net/netmon: make ChangeFunc's signature take new ChangeDelta, not bool Updates #9040 Change-Id: Ia43752064a1a6ecefc8802b58d6eaa0b71cf1f84 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Sonia Appasamy	78f087aa02	cli/web: pass existing localClient to web client Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
David Anderson	5cfa85e604	tsweb: clean up pprof handler registration, document why it's there Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	9 months ago
Will Norris	09068f6c16	release: add empty embed.FS for release files This ensures that `go mod vendor` includes these files, which are needed for client builds run in corp. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Maisem Ali	836f932ead	cmd/k8s-operator: split operator.go into svc.go/sts.go Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	7f6bc52b78	cmd/k8s-operator: refactor operator code It was jumbled doing a lot of things, this breaks it up into the svc reconciliation and the tailscale sts reconciliation. Prep for future commit. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Will Norris	cf45d6a275	client/web: remove old /redirect handler I thought this had something to do with Synology or QNAP support, since they both have specific authentication logic. But it turns out this was part of the original web client added in #1621, and then refactored as part of #2093. But with how we handle logging in now, it's never called. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	9 months ago
Andrew Lytvynov	05523bdcdd	release/dist/cli: add gen-key command (#9023 ) Add a new subcommand to generate a Ed25519 key pair for release signing. The same command can be used to generate both root and signing keys. Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
James Tucker	e1c7e9b736	wgengine/magicsock: improve endpoint selection for WireGuard peers with rx time If we don't have the ICMP hint available, such as on Android, we can use the signal of rx traffic to bias toward a particular endpoint. We don't want to stick to a particular endpoint for a very long time without any signals, so the sticky time is reduced to 1 second, which is large enough to avoid excessive packet reordering in the common case, but should be small enough that either rx provides a strong signal, or we rotate in a user-interactive schedule to another endpoint, improving the feel of failover to other endpoints. Updates #8999 Co-authored-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	9 months ago
James Tucker	5edb39d032	wgengine/magicsock: clear out endpoint statistics when it becomes bad There are cases where we do not detect the non-viability of a route, but we will instead observe a failure to send. In a Disco path this would normally be handled as a side effect of Disco, which is not available to non-Disco WireGuard nodes. In both cases, recognizing the failure as such will result in faster convergence. Updates #8999 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Charlotte Brandhorst-Satzkorn	7c9c68feed	wgengine/magicsock: update lastfullping comment to include wg only LastFullPing is now used for disco or wireguard only endpoints. This change updates the comment to make that clear. Updates #7826 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	9 months ago

1 2 3 4 5 ...

6148 Commits (e80ba4ce79fc75f6fec2e1d6175ff180630f20be) All Branches Search

6148 Commits (e80ba4ce79fc75f6fec2e1d6175ff180630f20be)

All Branches