| Age | Commit message | Author | Files | Lines |
|
Signed-off-by: Xe <xe@tailscale.com>
|
|
This allows gitops-pusher to detect external ACL changes. I'm not
sure what to call this problem, so I've been calling it the "three
version problem" in my notes. The basic problem is that at any given
time we only have two versions of the ACL file at any given point:
the version in CONTROL and the one in the git repo. In order to
check if there has been tampering of the ACL files in the admin
panel, we need to have a _third_ version to compare against.
In this case I am not storing the old ACL entirely (though that could
be a reasonable thing to add in the future), but only its sha256sum.
This allows us to detect if the shasum in control matches the shasum
we expect, and if that expectation fails, then we can react
accordingly.
This will require additional configuration in CI, but I'm sure that
can be done.
Signed-off-by: Xe <xe@tailscale.com>
|
|
Change-Id: Iedd2d3898befa536181036b9e9dea59bc777a440
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Xe <xe@tailscale.com>
|
|
Signed-off-by: Logan Saso <logansaso@gmail.com>
|
|
Pick up https://github.com/google/gvisor/pull/7787
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
This has the benefit of propagating SIGINT to tailscaled, which in turn
can react to the event and logout in case of an ephemeral node.
Also fix missing run.sh in Dockerfile.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Fixes #5089
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Also make more fields in conn.info thread safe, there was previously a
data race here.
Fixes #5110
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Xe <xe@tailscale.com>
|
|
We were starting to write these elsewhere as little unexported copies
in misc places.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This adds a lighter mechanism for endpoint updates from control.
Change-Id: If169c26becb76d683e9877dc48cfb35f90cc5f24
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
When using tsconnect as a module in another repo, we cannot write to
the ./dist directory (modules directories are read-only by default -
there is a -modcacherw flag for `go get` but we can't count on it).
We add a -distdir flag that is honored by both the build and serve
commands for where to place output in.
Somewhat tedious because esbuild outputs paths relative to the working
directory, so we need to do some extra munging to make them relative
to the output directory.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
We now have the actual module that we need to build, so switch to
building it directly instead of its (expected) dependencies.
Also fix a copy/paste error in a jsdeps comment.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
The control plane server doesn't send these to modern clients so we
don't need them in the tree. The server has its own serialization code
to generate legacy MapResponses when needed.
Change-Id: Idd1e5d96ddf9d4306f2da550d20b77f0c252817a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Follow-up to cfdb8626738da.
Change-Id: Iab610d761f1e6d88e8bcb584d9c02cafe48fc377
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
So the control plane can stop doing precomputations on each naclbox
message.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Runs a Tailscale client in the browser (via a WebAssembly build of the
wasm package) and allows SSH access to machines. The wasm package exports
a newIPN function, which returns a simple JS object with methods like
start(), login(), logout() and ssh(). The golang.org/x/crypto/ssh
package is used for the SSH client.
Terminal emulation and QR code rendering is done via NPM packages (xterm
and qrcode respectively), thus we also need a JS toolchain that can
install and bundle them. Yarn is used for installation, and esbuild
handles loading them and bundling for production serving.
Updates #3157
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
name                old time/op    new time/op    delta
Hash-8              71.1µs ± 2%    71.5µs ± 1%      ~      (p=0.114 n=9+8)
HashPacketFilter-8  8.39µs ± 1%    4.83µs ± 2%   -42.38%   (p=0.000 n=8+9)
HashMapAcyclic-8    56.2µs ± 1%    56.9µs ± 2%    +1.17%   (p=0.035 n=10+9)
TailcfgNode-8       6.49µs ± 2%    3.54µs ± 1%   -45.37%   (p=0.000 n=9+9)
HashArray-8          729ns ± 2%     566ns ± 3%   -22.30%   (p=0.000 n=10+10)

name                old alloc/op   new alloc/op   delta
Hash-8               24.0B ± 0%     24.0B ± 0%      ~      (all equal)
HashPacketFilter-8   24.0B ± 0%     24.0B ± 0%      ~      (all equal)
HashMapAcyclic-8     0.00B          0.00B           ~      (all equal)
TailcfgNode-8        0.00B          0.00B           ~      (all equal)
HashArray-8          0.00B          0.00B           ~      (all equal)

name                old allocs/op  new allocs/op  delta
Hash-8                1.00 ± 0%      1.00 ± 0%      ~      (all equal)
HashPacketFilter-8    1.00 ± 0%      1.00 ± 0%      ~      (all equal)
HashMapAcyclic-8      0.00           0.00           ~      (all equal)
TailcfgNode-8         0.00           0.00           ~      (all equal)
HashArray-8           0.00           0.00           ~      (all equal)
Change-Id: I34c4e786e748fe60280646d40cc63a2adb2ea6fe
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
This PR implements the synchronization mechanics for TKA: generating a SyncOffer, processing a SyncOffer to find an intersection,
and computing the set of AUMs that should be transmitted to effect convergence.
This is the final PR implementing core mechanics for TKA.
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
After this, there should be one final PR to implement the Sync algorithm!
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Change-Id: I8e752afd5bf009c17aae1b53650479b37c3232bd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This lets us distinguish "no IPv6 because the device's ISP doesn't
offer IPv6" from "IPv6 is unavailable/disabled in the OS".
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
This change is required to implement tracing for derp.
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
|
|
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
|
|
This makes `tailscale cert` and Taildrop work on k8s and in ephemeral
mode.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Fixes #4060
Change-Id: I5f145d4f56f6edb14825268e858d419c55918673
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This was seemingly missed in 87ba528ae0c1138e8e8b2b1d91fbe2b97c84d9ae.
Fixes #5072
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
QTS 5.0 doesn't always pass a qtoken, in some circumstances
it sends a NAS_SID cookie for us to verify instead.
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
|
|
Updates #5029
Change-Id: Ibee5e0c9076fe764eb5d856d5ef8b09f4d0e2921
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
It's not the Tailscale version.
Change-Id: Icfbd5ff36300b2125b19cd2fa6caa22876965317
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
We were not handling errors that occurred while copying data between the subprocess and the connection.
This makes it so that we pass the appropriate signals to the process and the connection.
This also fixes mosh.
Updates #4919
Co-authored-by: James Tucker <raggi@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Xe <xe@tailscale.com>
|
|
GitHub Actions lets you annotate lines in files as errors[1]. This syntax
will only fire on syntax errors. Future improvements can extend this to
properly annotate ACL tests too.
[1]: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message
Signed-off-by: Xe <xe@tailscale.com>
|
|
See https://github.com/tailscale/go/pull/32
Updates #4760
Updates #5030?
Updates #4891?
Change-Id: I066aafddc09fade30a5f3fdee23e6bd200eda9fa
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
FS implements Chonk, and given the expected load characteristics (frequent use
of AUM() + ChildAUMs(), and infrequent use of Heads() + CommitVerifiedAUMs()), the
implementation avoids scanning the filesystem to service AUM() and ChildAUMs().
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
3f686688a6cff regressed the Windows beFirewallKillswitch code,
preventing the /firewall subprocess from running.
Fixes tailscale/corp#6063
Change-Id: Ibd105759e5fecfeffc54f587f8ddcd0f1cbc4dca
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
We make assertions about stringification of 0.5. IEEE floating point and
all reasonable proprietary floating point can exactly represent 0.5.
We don't make assertions about other floating point values, too brittle
in tests.
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
|
|
Chonks are responsible for efficient storage of AUMs and other TKA state.
For testing/prototyping I've implemented an in-memory version, but once we
start to use this from tailscaled we'll need a file-based version.
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Clients may have platform-specific metrics they would like uploaded
(e.g. extracted from MetricKit on iOS). Add a new local API endpoint
that allows metrics to be updated by a simple name/value JSON-encoded
struct.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
|
|
Closes #5023
Signed-off-by: Xe <xe@tailscale.com>
|
|
Apparently the API for running ACL tests returns a 200 if the ACL tests
fail. This is weird, but we can handle it.
Signed-off-by: Xe <xe@tailscale.com>
|
|
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
|
|
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
This is the first in a series of PRs implementing the internals for the
Tailnet Key Authority. This PR implements the AUM and Key types, which
are used by pretty much everything else. Future PRs:
- The State type & related machinery
- The Tailchonk (storage) type & implementation
- The Authority type and sync implementation
Signed-off-by: Tom DNetto <tom@tailscale.com>
|
|
Fixes https://github.com/tailscale/tailscale/issues/4959
Fixes https://github.com/tailscale/tailscale/issues/4897
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
|
|
If ConfigFromFile cannot find the configuration file,
we must not initialize it with NewConfig.
Instead, we need it to fail validation so that it eventually writes
a newly constructed configuration file.
Otherwise, new tailscale instances will never be able to store a persistent
log config and start with a new config file upon every bootup.
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
|