| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The first 3 functions are helpers for running functions
under the protection of a lock.
The Mutex type is a wrapper over sync.Mutex with a Do method
that runs a function under the protection of a lock.
Updates #11038
Updates #cleanup
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
|
|
Updates tailscale/corp#8497
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
This fixes an issue caused by the merge order of 2b638f550d0871b997506bb27edd0c330d7d9940 and 8bd442ba8c2fc11195b1356499794f023ed3e190.
Updates #Cleanup
Signed-off-by: Nick Khyl <nickk@tailscale.com>
|
|
Updates #bart
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
This adds a package with GP-related functions and types to be used in the future PRs.
It also updates nrptRuleDatabase to use the new package instead of its own gpNotificationWatcher implementation.
Updates #12687
Signed-off-by: Nick Khyl <nickk@tailscale.com>
|
|
We added a workaround for --wait, but didn't confirm the other flags,
which were added in systemd 235 and 236. Check systemd version for
deciding when to set all 3 flags.
Fixes #12136
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
While `clientupdate.Updater` won't be able to apply updates on macsys,
we use `clientupdate.CanAutoUpdate` to gate the EditPrefs endpoint in
localAPI. We should allow the GUI client to set AutoUpdate.Apply on
macsys for it to properly get reported to the control plane. This also
allows the tailnet-wide default for auto-updates to propagate to macsys
clients.
Updates https://github.com/tailscale/corp/issues/21339
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Updates #12736
Signed-off-by: Nick Khyl <nickk@tailscale.com>
|
|
I apparently missed this in 4b6a0c42c89a6a004686a13e16d6a0821680d74d.
Updates tailscale/corp#18266
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
sessions via Kubernetes operator's API server proxy (#12274)
cmd/k8s-operator,ssh/tailssh,tsnet: optionally record kubectl exec sessions
The Kubernetes operator's API server proxy, when it receives a request
for 'kubectl exec' session now reads 'RecorderAddrs', 'EnforceRecorder'
fields from tailcfg.KubernetesCapRule.
If 'RecorderAddrs' is set to one or more addresses (of a tsrecorder instance(s)),
it attempts to connect to those and sends the session contents
to the recorder before forwarding the request to the kube API
server. If connection cannot be established or fails midway,
it is only allowed if 'EnforceRecorder' is not true (fail open).
Updates tailscale/corp#19821
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
|
|
Updates #12742
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
|
|
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
|
|
For testing. Lee wants to play with 'AWS Global Accelerator Custom
Routing with Amazon Elastic Kubernetes Service'. If this works well
enough, we can promote it.
Updates #12578
Change-Id: I5018347ed46c15c9709910717d27305d0aedf8f4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
The DERP Return Path Optimization (DRPO) is over four years old (and
on by default for over two) and we haven't had problems, so time to
remove the emergency shutoff code (controlknob) which we've never
used. The controlknobs are only meant for new features, to mitigate
risk. But we don't want to keep them forever, as they kinda pollute
the code.
Updates #150
Change-Id: If021bc8fd1b51006d8bddd1ffab639bb1abb0ad1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
And fix up a bogus comment and flesh out some other comments.
Updates #cleanup
Change-Id: Ia60a1c04b0f5e44e8d9587914af819df8e8f442a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This is #cleanup
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
|
|
Updates tailscale/corp#20732
Change-Id: Ic0272fe9a226afef4e23dfca5da8cd1d550c1cd6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies
Don't skip installing egress forwarding rules for IPv6 (as long as the host
supports IPv6), and set headless services `ipFamilyPolicy` to
`PreferDualStack` to optionally enable both IP families when possible. Note
that even with `PreferDualStack` set, testing a dual-stack GKE cluster with
the default DNS setup of kube-dns did not correctly set both A and
AAAA records for the headless service, and instead only did so when
switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work
simultaneously in a dual-stack cluster, we require headless services to
return both A and AAAA records.
If the host doesn't support IPv6 but the FQDN specified only has IPv6
addresses available, containerboot will exit with error code 1 and an
error message because there is no viable egress route.
Fixes #12215
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
|
|
Updates tailscale/tailscale#4136
We should make sure to send the value of ImpactsConnectivity over to the clients using LocalAPI as they need it to display alerts in the GUI properly.
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
|
|
(#12699)
This change expands the `exit-node list -filter` command to display all
location based exit nodes for the filtered country. This allows users
to switch to alternative servers when our recommended exit node is not
working as intended.
This change also makes the country filter matching case insensitive,
e.g. both USA and usa will work.
Updates #12698
Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
|
|
Fixes #12186
Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Co-authored-by: Chris Palmer <cpalmer@tailscale.com>
|
|
Updates tailscale/tailscale#4136
High severity health warning = a system notification will appear, which can be quite disruptive to the user and cause unnecessary concern in the event of a temporary network issue.
Per design decision (@sonovawolf), the severity of all warnings but "network is down" should be tuned down to medium/low. ImpactsConnectivity should be set, to change the icon to an exclamation mark in some cases, but without a notification bubble.
I also tweaked the messaging for update-available, to reflect how each platform gets updates in different ways.
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
|
|
Updates https://github.com/tailscale/corp/issues/21304
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Updates tailscale/corp#20677
The recover function wasn't getting set in the benchmark
tests. Default changed to an empty func.
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
|
|
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
|
|
Updates tailscale/corp#21262
Change-Id: I80bd880b53f6d851c15479f39fad62b25f1095f1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Updates tailscale/corp#20344
Signed-off-by: Jordan Whited <jordan@tailscale.com>
|
|
Fix regression from #8108 (Mar 2023). Since that change, gocross has
always been rebuilt on each run of ./tool/go (gocross-wrapper.sh),
adding ~100ms. (Well, not totally rebuilt; cmd/go's caching still
ends up working fine.)
The problem was $gocross_path was just "gocross", which isn't in my
path (and "." isn't in my $PATH, as it shouldn't be), so this line was
always evaluating to the empty string:
gotver="$($gocross_path gocross-version 2>/dev/null || echo '')"
The ./gocross is fine because of the earlier `cd "$repo_root"`
Updates tailscale/corp#21262
Updates tailscale/corp#21263
Change-Id: I80d25446097a3bb3423490c164352f0b569add5f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
|
|
Updates #12467
Signed-off-by: Percy Wegmann <percy@tailscale.com>
|
|
go get github.com/tailscale/mkctr@main
Pulls in changes to support a local target that only pushes
a single-platform image to the machine's local image store.
Fixes tailscale/mkctr#18
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
|
|
Updates tailscale/corp#19681
Signed-off-by: Claire Wang <claire@tailscale.com>
|
|
BPF links require that the owning FD remains open, this FD is embedded
into the RawLink returned by the attach function and must live for the
duration of the server.
Updates ENG-4274
Signed-off-by: James Tucker <james@tailscale.com>
|
|
This makes deployment easier in hetrogenous environments.
Updates ENG-4274
Signed-off-by: James Tucker <james@tailscale.com>
|
|
Detection of duplicate Network Lock signature chains added in
01847e0123dee3b7a6f9645155da69270f01155e failed to account for chains
originating with a SigCredential signature, which is used for wrapped
auth keys. This results in erroneous removal of signatures that
originate from the same re-usable auth key.
This change ensures that multiple nodes created by the same re-usable
auth key are not getting filtered out by the network lock.
Updates tailscale/corp#19764
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
This change moves handling of wrapped auth keys to the `tka` package and
adds a test covering auth key originating signatures (SigCredential) in
netmap.
Updates tailscale/corp#19764
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
Fixes #12644
Change-Id: I3589b01a9c671937192caaedbb1312fd906ca712
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
|
|
This pulls in device.WaitPool fixes from tailscale/wireguard-go@1e08883
and tailscale/wireguard-go@cfa4567.
Updates tailscale/corp#21095
Signed-off-by: Jordan Whited <jordan@tailscale.com>
|
|
When auto-udpates are enabled, we don't need to nag users to update
after a new release, before we release auto-updates.
Updates https://github.com/tailscale/corp/issues/20081
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Updates tailscale/corp#20583
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
Signed-off-by: Josh McKinney <joshka@users.noreply.github.com>
|
|
This is not valid in many situations, specifically when running a local astro site that listens on localhost, but ignores 127.0.0.1
Fixes: https://github.com/tailscale/tailscale/issues/12201
Signed-off-by: Josh McKinney <joshka@users.noreply.github.com>
|
|
Fixes #12617
Change-Id: Ifc87b7d9cf699635087afb57febd01fb9a6d11b7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
In hopes it'll be found more.
Updates tailscale/corp#20844
Change-Id: Ic92ee9908f45b88f8770de285f838333f9467465
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
|
|
A few other minor language updates.
Updates tailscale/corp#20844
Change-Id: Idba85941baa0e2714688cc8a4ec3e242e7d1a362
Signed-off-by: James Tucker <james@tailscale.com>
|
|
And some misc doc tweaks for idiomatic Go style.
Updates #cleanup
Change-Id: I3ca45f78aaca037f433538b847fd6a9571a2d918
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.15.0 to 0.18.0.
- [Commits](https://github.com/golang/image/compare/v0.15.0...v0.18.0)
---
updated-dependencies:
- dependency-name: golang.org/x/image
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
This was correct before, I think I just made a copy/paste error when
updating that PR.
Updates #12383
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
|
