<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/ssh, branch awly/deadcode-sysresources</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-sysresources</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=awly%2Fdeadcode-sysresources'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2026-04-13T21:18:27Z</updated>
<entry>
<title>ssh/tailssh: speed up SSH integration tests</title>
<updated>2026-04-13T21:18:27Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-05T01:06:55Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=e2fa9ff140b9b1a65b2839cd0235bd506f0c6fc3'/>
<id>urn:sha1:e2fa9ff140b9b1a65b2839cd0235bd506f0c6fc3</id>
<content type='text'>
Parallelize the SSH integration tests across OS targets and reduce
per-container overhead:

- CI: use GitHub Actions matrix strategy to run all 4 OS containers
  (ubuntu:focal, ubuntu:jammy, ubuntu:noble, alpine:latest) in parallel
  instead of sequentially (~4x wall-clock improvement)

- Makefile: run docker builds in parallel for local dev too

- Dockerfile: consolidate ~20 separate RUN commands into 5 (one per
  test phase), eliminating Docker layer overhead. Combine test binary
  invocations where no state mutation is needed between them. Fix a bug
  where TestDoDropPrivileges was silently not being run (was passed as a
  second positional arg to -test.run instead of using regex alternation).

- TestMain: replace tail -F + 2s sleep with synchronous log read,
  eliminating 2s overhead per test binary invocation. Set debugTest once
  in TestMain instead of redundantly in each test function.

- session.read(): close channel on EOF so non-shell tests return
  immediately instead of waiting for the 1s silence timeout.

Updates #19244

Change-Id: I2cc8588964fbce0dd7b654fb94e7ff33440b8584
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>ssh/tailssh: gofmt</title>
<updated>2026-04-13T18:09:13Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-13T17:56:01Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=aa9a76cf302172bedb951a17907e945cb51d5371'/>
<id>urn:sha1:aa9a76cf302172bedb951a17907e945cb51d5371</id>
<content type='text'>
I'm not sure how this file got into the repo without gofmt.

Maybe gofmt rules changed in some Go release?

Updates #cleanup

Change-Id: Ia8bd46e29f116f7fbfca11be80c8ef48699cd9f2
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>.github, tool/listpkgs: automatically find tests which use tstest.RequireRoot</title>
<updated>2026-04-10T23:22:05Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-10T21:30:27Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=cf59a6fb237b153521a00977208e1fc0c895b867'/>
<id>urn:sha1:cf59a6fb237b153521a00977208e1fc0c895b867</id>
<content type='text'>
Updates tailscale/corp#40007

Change-Id: I677d3d9e276cb6633a14ac07e4b58ea08e52fac4
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>tstest: add RequireRoot helper</title>
<updated>2026-04-10T17:48:50Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-10T14:35:50Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=5e81840b57d0a72b50f4d1d9dec1141971335ce9'/>
<id>urn:sha1:5e81840b57d0a72b50f4d1d9dec1141971335ce9</id>
<content type='text'>
Start using a common helper for tests to declare that they require root.

This is step 1. A later step will then make this helper track which tests were
skipped so a subsequent pass will run these tests as root.

Updates tailscale/corp#40007

Change-Id: I4979e1def0fa3691d38c83f48c89aaa443e7f62e
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>ssh/tailssh: fix default PATH for Debian</title>
<updated>2026-04-09T15:57:40Z</updated>
<author>
<name>Andrew Dunham</name>
<email>andrew@tailscale.com</email>
</author>
<published>2026-04-07T18:02:56Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=27e6fed0c17902d1250cea4c44d7884a2a1ed41e'/>
<id>urn:sha1:27e6fed0c17902d1250cea4c44d7884a2a1ed41e</id>
<content type='text'>
Validated against a modern Debian install, fixes a typo.

Updates #cleanup

Signed-off-by: Andrew Dunham &lt;andrew@du.nham.ca&gt;
Change-Id: I7b26012f54dbd2f0f9fea98722e8edc2fe97645a
</content>
</entry>
<entry>
<title>ssh/tailssh: fix race in session termination message delivery</title>
<updated>2026-04-07T12:31:16Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-05T13:47:51Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=2b1cfa7c4d55a438062cef08ae5f85e0ffad5305'/>
<id>urn:sha1:2b1cfa7c4d55a438062cef08ae5f85e0ffad5305</id>
<content type='text'>
When a recording upload fails mid-session, the recording goroutine
cancels the session context. This triggers two concurrent paths:
exec.CommandContext kills the process (causing cmd.Wait to return),
and killProcessOnContextDone tries to write the termination message
via exitOnce.Do. If cmd.Wait returns first, the main goroutine's
exitOnce.Do(func(){}) steals the once, and the termination message
is never written to the client.

Fix by waiting for killProcessOnContextDone to finish writing the
termination message (via &lt;-ss.exitHandled) before claiming exitOnce,
when the context is already done.

Also fix the fallback path when launchProcess itself fails due to
context cancellation: use SSHTerminationMessage() with the correct
"\r\n\r\n" framing instead of fmt.Fprintf with the internal error
string.

Deflakes TestSSHRecordingCancelsSessionsOnUploadFailure, which was
failing consistently at a low rate due to the exitOnce race. After
this fix, flakestress passes with 8,668 runs, 0 failures.

Fixes #7707 (again. hopefully for good.)

Change-Id: I5ab911c71574db8d3f9d979fb839f273be51ecf9
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>ssh: replace tempfork with tailscale/gliderssh</title>
<updated>2026-04-07T10:59:38Z</updated>
<author>
<name>Kristoffer Dalby</name>
<email>kristoffer@tailscale.com</email>
</author>
<published>2026-03-16T11:04:59Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=dd3b613787f055665b1b60a51567d0f460dd3f2e'/>
<id>urn:sha1:dd3b613787f055665b1b60a51567d0f460dd3f2e</id>
<content type='text'>
Brings in a newer version of Gliderlabs SSH with added socket forwarding support.

Fixes #12409
Fixes #5295

Signed-off-by: Kristoffer Dalby &lt;kristoffer@tailscale.com&gt;
</content>
</entry>
<entry>
<title>tempfork/gliderlabs/ssh: remove tempfork</title>
<updated>2026-04-07T10:59:38Z</updated>
<author>
<name>Kristoffer Dalby</name>
<email>kristoffer@tailscale.com</email>
</author>
<published>2026-03-09T10:24:49Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=82fa218c4a177e6075c9edebe72f48d51120bd1f'/>
<id>urn:sha1:82fa218c4a177e6075c9edebe72f48d51120bd1f</id>
<content type='text'>
Updates #12409
Updates #5295

Signed-off-by: Kristoffer Dalby &lt;kristoffer@tailscale.com&gt;
</content>
</entry>
<entry>
<title>ssh/tailssh: fix integration test hang due to missing host keys</title>
<updated>2026-04-06T16:29:31Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-05T03:15:20Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=4111d4be4b51041191547ad0b8631e3f5e83ac1f'/>
<id>urn:sha1:4111d4be4b51041191547ad0b8631e3f5e83ac1f</id>
<content type='text'>
Commit f905871fb moved host key generation from the ipnLocalBackend
interface (GetSSH_HostKeys) to the standalone getHostKeys function,
which requires either system host keys in /etc/ssh/ or a valid
TailscaleVarRoot to generate keys into. The testBackend returned ""
for TailscaleVarRoot, and the Docker test containers only install
openssh-client (no server host keys), so getHostKeys always failed.

When getHostKeys fails, HandleSSHConn returns the error but never
closes the TCP connection, so SSH clients hang forever waiting for
the server hello.

Fix by creating a temp directory in TestMain and returning it from
testBackend.TailscaleVarRoot().

Regression from f905871fb #18949 ("ipn/ipnlocal, feature/ssh: move SSH code
out of LocalBackend to feature").

I was apparently too impatient to wait for the test to complete
and didn't connect the dots: https://github.com/tailscale/tailscale/actions/runs/22930275950

We should make that test faster (#19244) for the patience issue, but
also fail more nicely if this happens in the future.

Updates #19244

Change-Id: If82393b8f35413b04174e6f7d09a1ee3a2125a6b
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>cmd/vet: add subtestnames analyzer; fix all existing violations</title>
<updated>2026-04-05T22:52:51Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-04T21:32:14Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=5ef3713c9fb0896fee566918d9f5f932c66086d9'/>
<id>urn:sha1:5ef3713c9fb0896fee566918d9f5f932c66086d9</id>
<content type='text'>
Add a new vet analyzer that checks t.Run subtest names don't contain
characters requiring quoting when re-running via "go test -run". This
enforces the style guide rule: don't use spaces or punctuation in
subtest names.

The analyzer flags:
- Direct t.Run calls with string literal names containing spaces,
  regex metacharacters, quotes, or other problematic characters
- Table-driven t.Run(tt.name, ...) calls where tt ranges over a
  slice/map literal with bad name field values

Also fix all 978 existing violations across 81 test files, replacing
spaces with hyphens and shortening long sentence-like names to concise
hyphenated forms.

Updates #19242

Change-Id: Ib0ad96a111bd8e764582d1d4902fe2599454ab65
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
</feed>
