Age | Commit message | Author | Files | Lines
2025-06-20 | cmd/k8s-operator: remove conffile hashing mechanism (#16335) [annotations] | Irbe Krumina | 7 | -238/+74
Proxies know how to reload configfile on changes since 1.80, which is going to be the earliest supported proxy version with 1.84 operator, so remove the mechanism that was updating configfile hash to force proxy Pod restarts on config changes.
Updates #13032
Signed-off-by: Irbe Krumina <irbe@tailscale.com>

2025-06-19 | tstest/tlstest: simplify, don't even bake in any keys | Brad Fitzpatrick | 7 | -71/+94
I earlier thought this saved a second of CPU even on a fast machine, but I think when I was previously measuring, I still had a 4096 bit RSA key being generated in the code I was measuring. Measuring again for this, it's plenty fast.
Prep for using this package more, for derp, etc.
Updates #16315
Change-Id: I4c9008efa9aa88a3d65409d6ffd7b3807f4d75e9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-19 | Revert "types/netmap,wgengine/magicsock: propagate CapVer to magicsock.endpoint (#16244)" (#16322) | Jordan Whited | 3 | -26/+0
This reverts commit 6a93b17c8cafc1d8e1c52e133511e52ed9086355.
The reverted commit added more complexity than it was worth at the current stage. Handling delta CapVer changes requires extensive changes to relayManager data structures in order to also support delta updates of relay servers.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>

2025-06-18 | net/tlsdial: fix TLS cert validation of HTTPS proxies | Brad Fitzpatrick | 17 | -49/+672
If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress.
It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate).
Fixes #16222
Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-18 | feature/tpm: implement ipn.StateStore using TPM sealing (#16030) | Andrew Lytvynov | 7 | -23/+500
Updates #15830
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>

2025-06-18 | net/*: remove Windows exceptions for when Resolver.PreferGo didn't work | Brad Fitzpatrick | 3 | -17/+1
Resolver.PreferGo didn't use to work on Windows. It was fixed in 2022, though. (https://github.com/golang/go/issues/33097)
Updates #5161
Change-Id: I4e1aeff220ebd6adc8a14f781664fa6a2068b48c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-18 | ipn/ipnlocal,wgengine{/magicsock}: replace SetNetworkMap with eventbus (#16299) | Jordan Whited | 7 | -129/+194
Same with UpdateNetmapDelta.
Updates tailscale/corp#27502
Updates #15160
Signed-off-by: Jordan Whited <jordan@tailscale.com>

2025-06-18 | cmd/tsidp: fix OIDC client persistence across restarts | Raj Singh | 2 | -9/+148
Fixes #16088
Signed-off-by: Raj Singh <raj@tailscale.com>

2025-06-18 | ipn/ipnlocal: make pricing restriction message for Tailnet Lock clearer | Anton Tolchanov | 2 | -6/+14
Fixes tailscale/corp#24417
Signed-off-by: Anton Tolchanov <anton@tailscale.com>

2025-06-17 | cmd/tailscale: clean up dns --help messages (#16306) | Simon Law | 3 | -63/+98
This patch contains the following cleanups:
1. Simplify `ffcli.Command` definitions;
2. Word-wrap help text, consistent with other commands;
3. `tailscale dns --help` usage makes subcommand usage more obvious;
4. `tailscale dns query --help` describes DNS record types.
Updates #cleanup
Signed-off-by: Simon Law <sfllaw@tailscale.com>

2025-06-17 | ipn: add missing entries for OpenBSD | Juan Francisco Cantero Hurtado | 2 | -2/+2
Signed-off-by: Juan Francisco Cantero Hurtado <jfch@30041993.xyz>

2025-06-17 | ipn/ipnlocal: add some verbose logging to taildrive peerapi handler | Percy Wegmann | 1 | -14/+21
Updates tailscale/corp#29702
Signed-off-by: Percy Wegmann <percy@tailscale.com>

2025-06-17 | tool/gocross: put the synthetic GOROOTs outside of the tsgo directory | Brad Fitzpatrick | 2 | -1/+2
We aim to make the tsgo directories be read-only mounts on builders. But gocross was previously writing within the ~/.cache/tsgo/$HASH/ directories to make the synthetic GOROOT directories. This moves them to ~/.cache/tsgoroot/$HASH/ instead.
Updates tailscale/corp#28679
Updates tailscale/corp#26717
Change-Id: I0d17730bbdce3d6374e79d49486826575d4690af
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-17 | derp/derphttp: add error notify for RunWatchConnectionLoop (#16261) | Mike O'Driscoll | 3 | -7/+84
The caller of client.RunWatchConnectionLoop may need to be aware of errors that occur within the loop. Add a channel that notifies the caller of errors, to allow for decisions to be made as to the state of the client.
Updates tailscale/corp#25756
Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>

2025-06-17 | .github/workflows: remove redundant work between staticcheck jobs | Brad Fitzpatrick | 3 | -12/+283
Make the OS-specific staticcheck jobs only test stuff that's specialized for that OS. Do that using a new ./tool/listpkgs program that's a fancy 'go list' with more filtering flags.
Updates tailscale/corp#28679
Change-Id: I790be2e3a0b42b105bd39f68c4b20e217a26de60
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-16 | prober: speed up TestCRL ~450x by baking in some test keys | Brad Fitzpatrick | 1 | -12/+53
Fixes #16290
Updates tailscale/corp#28679
Change-Id: Ic90129b686779d0ed1cb40acf187cfcbdd39eb83
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-16 | .github/workflows: test that ./go/tool version matches go mod version | Irbe Krumina | 1 | -10/+62
Tests that go mod version matches ./tool/go version. Mismatched versions result in inconsistent Go versions being used, i.e. in CI jobs, as the version in go.mod is used to determine what Go version Github actions pull in.
Updates #16283
Signed-off-by: Irbe Krumina <irbe@tailscale.com>

2025-06-16 | .github/workflows: removes extra '$' | Irbe Krumina | 9 | -9/+9
Signed-off-by: Irbe Krumina <irbe@tailscale.com>

2025-06-16 | tool/gocross: make gocross opt-in instead of opt-out | Brad Fitzpatrick | 4 | -5/+35
gocross is not needed like it used to be, now that Go does version stamping itself. We keep it for the xcode and Windows builds for now. This simplifies things in the build, especially with upcoming build system updates.
Updates tailscale/corp#28679
Updates tailscale/corp#26717
Change-Id: Ib4bebe6f50f3b9c3d6cd27323fca603e3dfb43cc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-16 | scripts/check_license_headers.sh: delete, rewrite as a Go test | Brad Fitzpatrick | 11 | -78/+138
Updates tailscale/corp#29650
Change-Id: Iad4e4ccd9d68ebb1d1a12f335cc5295d0bd05b60
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-16 | cmd/natc: add a flag to use specific DNS servers | James Tucker | 2 | -2/+225
If natc is running on a host with tailscale using `--accept-dns=true` then a DNS loop can occur. Provide a flag for some specific DNS upstreams for natc to use instead, to overcome such situations.
Updates #14667
Signed-off-by: James Tucker <james@tailscale.com>

2025-06-16 | util/must: add Get2 for functions that return two values | James Sanderson | 1 | -0/+8
Updates #cleanup
Signed-off-by: James Sanderson <jsanderson@tailscale.com>

2025-06-16 | tsconsensus: protect from data race | Fran Bull | 1 | -6/+6
Lock for access to a.peers.
Fixes #16284
Signed-off-by: Fran Bull <fran@tailscale.com>

2025-06-16 | util/eventbus: remove redundant code from eventbus.Publish | Nick Khyl | 3 | -20/+13
eventbus.Publish() calls newPublisher(), which in turn invokes (*Client).addPublisher(). That method adds the new publisher to c.pub, so we don't need to add it again in eventbus.Publish.
Updates #cleanup
Signed-off-by: Nick Khyl <nickk@tailscale.com>

2025-06-16 | .github/workflows: do a go mod download & cache it before all jobs | Brad Fitzpatrick | 2 | -33/+215
Updates tailscale/corp#28679
Change-Id: Ib0127cb2b03f781fc3187199abe4881e97074f5f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-16 | ipn/ipnlocal,wgengine/magicsock: use eventbus for node & filter updates (#16271) | Jordan Whited | 4 | -25/+108
nodeBackend now publishes filter and node changes to eventbus topics that are consumed by magicsock.Conn.
Updates tailscale/corp#27502
Updates tailscale/corp#29543
Signed-off-by: Jordan Whited <jordan@tailscale.com>

2025-06-16 | tka: reject removal of the last signing key | Anton Tolchanov | 3 | -0/+25
Fixes tailscale/corp#19447
Signed-off-by: Anton Tolchanov <anton@tailscale.com>

2025-06-16 | .github: Bump github/codeql-action from 3.28.19 to 3.29.0 (#16287) | dependabot[bot] | 1 | -3/+3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.19 to 3.29.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/fca7ace96b7d713c7035871441bd52efbe39e27e...ce28f5bb42b7a9f2c824e633a3f6ee835bab6858)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2025-06-16 | cmd/k8s-operator: ensure that TLS resources are updated for HA Ingress (#16262) | Irbe Krumina | 3 | -154/+183
Ensure that if the ProxyGroup for HA Ingress changes, the TLS Secret and Role and RoleBinding that allow proxies to read/write to it are updated.
Fixes #16259
Signed-off-by: Irbe Krumina <irbe@tailscale.com>

2025-06-13 | ipn/ipnlocal: signal nodeBackend readiness and shutdown | Nick Khyl | 3 | -16/+230
We update LocalBackend to shut down the current nodeBackend when switching to a different node, and to mark the new node's nodeBackend as ready when the switch completes.
Updates tailscale/corp#28014
Updates tailscale/corp#29543
Updates #12614
Signed-off-by: Nick Khyl <nickk@tailscale.com>

2025-06-13 | client/local: use an iterator to stream bus events (#16269) | M. J. Fromberger | 3 | -29/+41
This means the caller does not have to remember to close the reader, and avoids having to duplicate the logic to decode JSON into events.
Updates #15160
Change-Id: I20186fabb02f72522f61d5908c4cc80b86b8936b
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>

2025-06-13 | ipn/ipnlocal: replace nodeContext with nodeBackend in comments | Nick Khyl | 1 | -24/+24
We renamed the type in #15866 but didn't update the comments at the time.
Updates #cleanup
Signed-off-by: Nick Khyl <nickk@tailscale.com>

2025-06-13 | go.mod: bump github.com/cloudflare/circl (#16264) | Andrew Lytvynov | 2 | -3/+3
See https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
This dependency is used in our release builder indirectly via https://github.com/ProtonMail/go-crypto/blob/3b22d8539b95b3b7e76a911053023e6ef9ef51d6/go.mod#L6
We should not be affected, since this is used indirectly for pgp signatures on our .deb releases, where we use only trusted inputs.
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>

2025-06-13 | prober: record DERP dropped packets as they occur | James Tucker | 1 | -0/+20
Record dropped packets as soon as they time out, rather than after tx record queues spill over; this will more accurately capture small amounts of packet loss in a timely fashion.
Updates tailscale/corp#24522
Signed-off-by: James Tucker <james@tailscale.com>

2025-06-13 | net/packet: cleanup IPv4 fragment guards | James Tucker | 4 | -10/+149
The first packet fragment guard had an additional guard clause that was incorrectly comparing a length in bytes to a length in octets, and was also comparing what should have been an entire IPv4 through transport header length to a subprotocol payload length.
The subprotocol header size guards were otherwise protecting against short transport headers, as is the conservative non-first fragment minimum offset size.
Add an explicit disallowing of fragmentation for TSMP for the avoidance of doubt.
Updates #cleanup
Updates #5727
Signed-off-by: James Tucker <james@tailscale.com>

2025-06-13 | net/netcheck: preserve live home DERP through packet loss | James Tucker | 5 | -17/+65
During a short period of packet loss, a TCP connection to the home DERP may be maintained. If no other regions emerge as winners, such as when all regions but one are avoided/disallowed as candidates, ensure that the current home region, if still active, is not dropped as the preferred region until it has failed two keepalives.
Relatedly, apply avoid and no measure no home to ICMP and HTTP checks as intended.
Updates tailscale/corp#12894
Updates tailscale/corp#29491
Signed-off-by: James Tucker <james@tailscale.com>

2025-06-12 | feature/relayserver,net/{netcheck,udprelay}: implement addr discovery (#16253) | Jordan Whited | 4 | -42/+169
The relay server now fetches IPs from local interfaces and external perspective IP:port's via netcheck (STUN).
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>

2025-06-12 | tsweb/varz: add binary name to version metric | Brad Fitzpatrick | 1 | -1/+19
Fixes tailscale/corp#29530
Change-Id: Iae04456d7ac5527897f060370e90c9517c00a818
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-12 | cmd/k8s-operator: ensure status update errors are displayed to users (#16251) | Irbe Krumina | 4 | -23/+24
Updates #cleanup
Signed-off-by: Irbe Krumina <irbe@tailscale.com>

2025-06-11 | .github: Bump actions/setup-go from 5.4.0 to 5.5.0 (#15947) | dependabot[bot] | 3 | -3/+3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.4.0 to 5.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/0aaccfd150d50ccaeb58ebd88d36e91967a5f35b...d35c59abb061a4a6fb18e82ac0862c26744d6ab5)
---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2025-06-11 | .github: Bump slackapi/slack-github-action from 2.0.0 to 2.1.0 (#15948) | dependabot[bot] | 3 | -3/+3
Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Commits](https://github.com/slackapi/slack-github-action/compare/485a9d42d3a73031f12ec201c457e2162c45d02d...b0fa283ad8fea605de13dc3f449259339835fc52)
---
updated-dependencies:
- dependency-name: slackapi/slack-github-action
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2025-06-11 | .github: Bump github/codeql-action from 3.28.15 to 3.28.19 (#16227) | dependabot[bot] | 1 | -3/+3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.15 to 3.28.19.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/45775bd8235c68ba998cffa5171334d58593da47...fca7ace96b7d713c7035871441bd52efbe39e27e)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2025-06-11 | ipn/localapi,client/local: add debug watcher for bus events (#16239) | Claus Lensbøl | 5 | -37/+154
Updates: #15160
Signed-off-by: Claus Lensbøl <claus@tailscale.com>

2025-06-11 | cmd/natc: allow specifying the tsnet state dir | Fran Bull | 2 | -33/+34
Which can make operating the service more convenient. It makes sense to put the cluster state with this if specified, so rearrange the logic to handle that.
Updates #14667
Signed-off-by: Fran Bull <fran@tailscale.com>

2025-06-10 | types/netmap,wgengine/magicsock: propagate CapVer to magicsock.endpoint (#16244) | Jordan Whited | 4 | -0/+33
This enables us to mark nodes as relay capable or not. We don't actually do that yet, as we haven't established a relay CapVer.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>

2025-06-10 | go.toolchain.rev: bump to go 1.24.4 (#16230) | Patrick O'Doherty | 1 | -1/+1
Updates #cleanup
Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>

2025-06-10 | cmd/{derp,derpprobe},prober,derp: add mesh support to derpprobe (#15414) | Mike O'Driscoll | 8 | -55/+195
Add mesh key support to derpprobe for probing derpers with verify set to true.
Move MeshKey checking to central point for code reuse.
Fix a bad error fmt msg.
Fixes tailscale/corp#27294
Fixes tailscale/corp#25756
Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>

2025-06-10 | cmd/tailscale/cli: add a risk message about rp_filter | Anton Tolchanov | 10 | -71/+143
We already present a health warning about this, but it is easy to miss on a server when blackholing traffic makes it unreachable. In addition to a health warning, present a risk message when exit node is enabled.
Example:
```
$ tailscale up --exit-node=lizard
The following issues on your machine will likely make usage of exit nodes impossible:
- interface "ens4" has strict reverse-path filtering enabled
- interface "tailscale0" has strict reverse-path filtering enabled
Please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310
To skip this warning, use --accept-risk=linux-strict-rp-filter
$
```
Updates #3310
Signed-off-by: Anton Tolchanov <anton@tailscale.com>

2025-06-09 | types/netmap: fix NodeMutationEndpoints docs typo (#16234) | Jordan Whited | 1 | -1/+1
Updates #cleanup
Signed-off-by: Jordan Whited <jordan@tailscale.com>

2025-06-09 | wgengine/magicsock: don't cancel in-progress relayManager work (#16233) | Jordan Whited | 1 | -32/+30
It might complete; interrupting it reduces the chances of establishing a relay path.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>