tailscale, branch 13685-low-memory-mode-in-logtail-may-no-longer-be-needed The easiest, most secure way to use WireGuard and 2FA http://git.waynecole.info/tailscale/atom?h=13685-low-memory-mode-in-logtail-may-no-longer-be-needed 2024-10-04T16:48:50Z logtail: remove LowMemory mode 2024-10-04T16:48:50Z Andrea Gottardo andrea@gottardo.me 2024-10-04T16:48:29Z urn:sha1:810c84b65948a0942b8b168ff437813792ddd2b9 Fixes tailscale/tailscale#13685 logtail currently has a LowMemory flag, which is enabled upon initialization on memory-constrained platforms like iOS. This flag reduces the ring buffer size from 256 log lines to 64. It was introduced over four years ago, back when Tailscale supported iOS 14 and earlier, where network extensions were limited to 15 MB of RAM. Since the memory limit has now increased to 50 MB on all supported iOS versions (with our minimum requirement being iOS 15.0), the need to conserve a few kilobytes of RAM by reducing buffer entries and the size of each flush is minimal. The additional code paths are more things we need to maintain over time... with little benefit. This PR removes that. To be merged after we cut the first 1.77 unstable, as this might be a risky change. Signed-off-by: Andrea Gottardo <andrea@gottardo.me> hostinfo: update SetPackage doc with new Android values (#13537) 2024-10-04T16:35:19Z kari-ts 135075563+kari-ts@users.noreply.github.com 2024-10-04T16:35:19Z urn:sha1:8fdffb8da05d16f5a6a6fbce6acfe46612393980 Fixes tailscale/corp#23283 Signed-off-by: kari-ts <kari@tailscale.com> cmd/tailscale/cli: don't print disablement secrets if init fails (#13673) 2024-10-04T15:01:48Z Erisa A erisa@tailscale.com 2024-10-04T15:01:48Z urn:sha1:f30d85310c450c76c8a7bc724bc2f2599eb7e6ad * cmd/tailscale/cli: don't print disablement secrets if init fails Fixes tailscale/corp#11355 Signed-off-by: Erisa A <erisa@tailscale.com> * cmd/tailscale/cli: changes from code review Signed-off-by: Erisa A <erisa@tailscale.com> * cmd/tailscale/cli: small grammar change Signed-off-by: Erisa A <erisa@tailscale.com> --------- Signed-off-by: Erisa A <erisa@tailscale.com> cmd/{k8s-operator,containerboot},k8s-operator,kube: reconcile ExternalName Services for ProxyGroup (#13635) 2024-10-04T12:11:35Z Irbe Krumina irbe@tailscale.com 2024-10-04T12:11:35Z urn:sha1:e8bb5d1be59b9646cb5eedc1152390d9796e760e Adds a new reconciler that reconciles ExternalName Services that define a tailnet target that should be exposed to cluster workloads on a ProxyGroup's proxies. The reconciler ensures that for each such service, the config mounted to the proxies is updated with the tailnet target definition and that and EndpointSlice and ClusterIP Service are created for the service. Adds a new reconciler that ensures that as proxy Pods become ready to route traffic to a tailnet target, the EndpointSlice for the target is updated with the Pods' endpoints. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com> cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) 2024-10-03T19:15:00Z Irbe Krumina irbe@tailscale.com 2024-10-03T19:15:00Z urn:sha1:9bd158cc09d926c4dd6a9311c3fd68a4ed01a6b1 The AddSNATRuleForDst rule was adding a new rule each time it was called including: - if a rule already existed - if a rule matching the destination, but with different desired source already existed This was causing issues especially for the in-progress egress HA proxies work, where the rules are now refreshed more frequently, so more redundant rules were being created. This change: - only creates the rule if it doesn't already exist - if a rule for the same dst, but different source is found, delete it - also ensures that egress proxies refresh firewall rules if the node's tailnet IP changes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com> safeweb: add StrictTransportSecurityOptions config (#13679) 2024-10-03T18:38:29Z Patrick O'Doherty patrick@tailscale.com 2024-10-03T18:38:29Z urn:sha1:a3c6a3a34f53b025097a576907343de58b611166 Add the ability to specify Strict-Transport-Security options in response to BrowserMux HTTP requests in safeweb. Updates https://github.com/tailscale/corp/issues/23375 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com> ssh/tailssh: pass window size pixels in IoctlSetWinsize events 2024-10-03T16:24:28Z Brad Fitzpatrick bradfitz@tailscale.com 2024-10-03T16:05:29Z urn:sha1:dc60c8d786b7d28a7a6b0a9897cd2d31548d4724 Fixes #13669 Change-Id: Id44cfbb83183f1bbcbdc38c29238287b9d288707 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> logpolicy: force TLS 1.3 handshake 2024-10-03T16:16:23Z Andrea Gottardo andrea@gottardo.me 2024-10-02T18:20:49Z urn:sha1:58c6bc299190b782a4f641ef902529a915297d7e Updates tailscale/tailscale#3363 We know `log.tailscale.io` supports TLS 1.3, so we can enforce its usage in the client to shake some bytes off the TLS handshake each time a connection is opened to upload logs. Signed-off-by: Andrea Gottardo <andrea@gottardo.me> wgengine/netstack: check userspace ping success on Windows 2024-10-03T16:07:39Z Brad Fitzpatrick bradfitz@tailscale.com 2024-10-02T17:01:46Z urn:sha1:5f88b65764925c397761d306fd6b228578948ac7 Hacky temporary workaround until we do #13654 correctly. Updates #13654 Change-Id: I764eaedbb112fb3a34dddb89572fec1b2543fd4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> control/controlclient: include HTTP status string in error message too 2024-10-03T15:37:16Z Brad Fitzpatrick bradfitz@tailscale.com 2024-10-03T15:30:27Z urn:sha1:1f8eea53a873030bc19a8d8e57f2e4014160c01c Not just its code. Updates tailscale/corp#23584 Change-Id: I8001a675372fe15da797adde22f04488d8683448 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>