summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)AuthorFilesLines
2024-04-29cmd/containerboot,kube,ipn/store/kubestore: allow interactive login on kube, ↵Irbe Krumina6-77/+366
check Secret create perms, allow empty state Secret (#11326) cmd/containerboot,kube,ipn/store/kubestore: allow interactive login and empty state Secrets, check perms * Allow users to pre-create empty state Secrets * Add a fake internal kube client, test functionality that has dependencies on kube client operations. * Fix an issue where interactive login was not allowed in an edge case where state Secret does not exist * Make the CheckSecretPermissions method report whether we have permissions to create/patch a Secret if it's determined that these operations will be needed Updates tailscale/tailscale#11170 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-29api.md: fix missing links after move of device postureKristoffer Dalby1-2/+2
Updates tailscale/corp#18572 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-04-28net/{interfaces,netmon}, all: merge net/interfaces package into net/netmonBrad Fitzpatrick45-874/+846
In prep for most of the package funcs in net/interfaces to become methods in a long-lived netmon.Monitor that can cache things. (Many of the funcs are very heavy to call regularly, whereas the long-lived netmon.Monitor can subscribe to things from the OS and remember answers to questions it's asked regularly later) Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: Ie4e8dedb70136af2d611b990b865a822cd1797e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-28net/netmon, add: add netmon.State type alias of interfaces.StateBrad Fitzpatrick11-27/+32
... in prep for merging the net/interfaces package into net/netmon. This is a no-op change that updates a bunch of the API signatures ahead of a future change to actually move things (and remove the type alias) Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I477613388f09389214db0d77ccf24a65bff2199c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-27cmd/containerboot: wait on tailscaled process only (#11897)Irbe Krumina1-10/+11
Modifies containerboot to wait on tailscaled process only, not on any child process of containerboot. Waiting on any subprocess was racing with Go's exec.Cmd.Run, used to run iptables commands and that starts its own subprocesses and waits on them. Containerboot itself does not run anything else except for tailscaled, so there shouldn't be a need to wait on anything else. Updates tailscale/tailscale#11593 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-27net/netns, net/dns/resolver, etc: make netmon required in most placesBrad Fitzpatrick34-86/+228
The goal is to move more network state accessors to netmon.Monitor where they can be cheaper/cached. But first (this change and others) we need to make sure the one netmon.Monitor is plumbed everywhere. Some notable bits: * tsdial.NewDialer is added, taking a now-required netmon * because a tsdial.Dialer always has a netmon, anything taking both a Dialer and a NetMon is now redundant; take only the Dialer and get the NetMon from that if/when needed. * netmon.NewStatic is added, primarily for tests Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I877f9cb87618c4eb037cee098241d18da9c01691 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-27ipn/ipnlocal: skip TestOnTailnetDefaultAutoUpdate on macOS for nowBrad Fitzpatrick1-0/+4
While it's broken. Updates #11894 Change-Id: I24698707ffe405471a14ab2683aea7e836531da8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26net/netcheck, wgengine/magicsock: make netmon.Monitor requiredBrad Fitzpatrick5-67/+78
This has been a TODO for ages. Time to do it. The goal is to move more network state accessors to netmon.Monitor where they can be cheaper/cached. Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I60fc6508cd2d8d079260bda371fc08b6318bcaf1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26net/netutil: remove a use of deprecated interfaces.GetStateBrad Fitzpatrick2-8/+11
I'm working on moving all network state queries to be on netmon.Monitor, removing old APIs. Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: If0de137e0e2e145520f69e258597fb89cf39a2a3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26health, wgengine/magicsock: remove last of health package globalsBrad Fitzpatrick3-36/+73
Fixes #11874 Updates #4136 Change-Id: Ib70e6831d4c19c32509fe3d7eee4aa0e9f233564 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26ipn/ipnlocal: fix null dereference for early suggested exit node queries ↵Jonathan Nobels1-0/+4
(#11885) Fixes tailscale/corp#19558 A request for the suggested exit nodes that occurs too early in the VPN lifecycle would result in a null deref of the netmap and/or the netcheck report. This checks both and errors out. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
2024-04-26health, all: remove health.Global, finish plumbing health.TrackerBrad Fitzpatrick40-125/+151
Updates #11874 Updates #4136 Change-Id: I414470f71d90be9889d44c3afd53956d9f26cd61 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26control/controlclient: plumb health.TrackerBrad Fitzpatrick3-16/+19
Updates #11874 Updates #4136 Change-Id: Ia941153bd83523f0c8b56852010f5231d774d91a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26ipn/{ipnlocal,localapi},wgengine{,/magicsock}: plumb health.TrackerBrad Fitzpatrick15-46/+79
Down to 25 health.Global users. After this remains controlclient & net/dns & wgengine/router. Updates #11874 Updates #4136 Change-Id: I6dd1856e3d9bf523bdd44b60fb3b8f7501d5dc0d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-26cmd/k8s-operator,k8s-operator: optionally serve tailscaled metrics on Pod IP ↵Irbe Krumina10-15/+169
(#11699) Adds a new .spec.metrics field to ProxyClass to allow users to optionally serve client metrics (tailscaled --debug) on <Pod-IP>:9001. Metrics cannot currently be enabled for proxies that egress traffic to tailnet and for Ingress proxies with tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation (because they currently forward all cluster traffic to their respective backends). The assumption is that users will want to have these metrics enabled continuously to be able to monitor proxy behaviour (as opposed to enabling them temporarily for debugging). Hence we expose them on Pod IP to make it easier to consume them i.e via Prometheus PodMonitor. Updates tailscale/tailscale#11292 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-25tsd, ipnlocal, etc: add tsd.System.HealthTracker, start some plumbingBrad Fitzpatrick19-45/+91
This adds a health.Tracker to tsd.System, accessible via a new tsd.System.HealthTracker method. In the future, that new method will return a tsd.System-specific HealthTracker, so multiple tsnet.Servers in the same process are isolated. For now, though, it just always returns the temporary health.Global value. That permits incremental plumbing over a number of changes. When the second to last health.Global reference is gone, then the tsd.System.HealthTracker implementation can return a private Tracker. The primary plumbing this does is adding it to LocalBackend and its dozen and change health calls. A few misc other callers are also plumbed. Subsequent changes will flesh out other parts of the tree (magicsock, controlclient, etc). Updates #11874 Updates #4136 Change-Id: Id51e73cfc8a39110425b6dc19d18b3975eac75ce Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-25health: permit Tracker method calls on nil receiverBrad Fitzpatrick2-0/+103
In prep for tsd.System Tracker plumbing throughout tailscaled, defensively permit all methods on Tracker to accept a nil receiver without crashing, lest I screw something up later. (A health tracking system that itself causes crashes would be no good.) Methods on nil receivers should not be called, so a future change will also collect their stacks (and panic during dev/test), but we should at least not crash in prod. This also locks that in with a test using reflect to automatically call all methods on a nil receiver and check they don't crash. Updates #11874 Updates #4136 Change-Id: I8e955046ebf370ec8af0c1fb63e5123e6282a9d3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-25safeweb: handle mux pattern collisions more generally (#11801)Chris Palmer2-15/+107
Fixes #11800 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
2024-04-25health: break Warnable into a global and per-Tracker value halvesBrad Fitzpatrick5-58/+49
Previously it was both metadata about the class of warnable item as well as the value. Now it's only metadata and the value is per-Tracker. Updates #11874 Updates #4136 Change-Id: Ia1ed1b6c95d34bc5aae36cffdb04279e6ba77015 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-25health: add Tracker type, in prep for removing global variablesBrad Fitzpatrick17-256/+268
This moves most of the health package global variables to a new `health.Tracker` type. But then rather than plumbing the Tracker in tsd.System everywhere, this only goes halfway and makes one new global Tracker (`health.Global`) that all the existing callers now use. A future change will eliminate that global. Updates #11874 Updates #4136 Change-Id: I6ee27e0b2e35f68cb38fecdb3b2dc4c3f2e09d68 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-25tailcfg: add auto exit node attribute (#11871)Claire Wang1-0/+3
Updates tailscale/corp#19515 Signed-off-by: Claire Wang <claire@tailscale.com>
2024-04-25release/dist/qnap: omit .qpkg.codesigning filesSonia Appasamy1-0/+8
Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2024-04-24ipn/ipnlocal: only show Taildrive peers to which ACLs grant us accessPercy Wegmann3-25/+37
This improves convenience and security. * Convenience - no need to see nodes that can't share anything with you. * Security - malicious nodes can't expose shares to peers that aren't allowed to access their shares. Updates tailscale/corp#19432 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-04-24release/dist/qnap: update perms for tmpDir filesSonia Appasamy1-4/+5
Allows all users to read all files, and .sh/.cgi files to be executable. Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2024-04-24cmd/k8s-operator,k8s-operator: proxyclass affinity (#11862)Lee Briggs8-1/+2420
add ability to set affinity rules to proxyclass Updates#11861 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>
2024-04-24ipn/ipnlocal: always stop the engine on auth when key has expiredAnton Tolchanov1-2/+5
If seamless key renewal is enabled, we typically do not stop the engine (deconfigure networking). However, if the node key has expired there is no point in keeping the connection up, and it might actually prevent key renewal if auth relies on endpoints routed via app connectors. Fixes tailscale/corp#5800 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2024-04-23util/syspolicy: add ReadStringArray interface (#11857)Andrea Gottardo9-0/+81
Fixes tailscale/corp#19459 This PR adds the ability for users of the syspolicy handler to read string arrays from the MDM solution configured on the system. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
2024-04-23release/dist/qnap: use tmp file directory for qpkg buildingSonia Appasamy14-48/+97
This change allows for the release/dist/qnap package to be used outside of the tailscale repo (notably, will be used from corp), by using an embedded file system for build files which gets temporarily written to a new folder during qnap build runs. Without this change, when used from corp, the release/dist/qnap folder will fail to be found within the corp repo, causing various steps of the build to fail. The file renames in this change are to combine the build files into a /files folder, separated into /scripts and /Tailscale. Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2024-04-23wgengine/router: consolidate routes before reconfiguring router for mobile ↵Percy Wegmann3-1/+146
clients This helps reduce memory pressure on tailnets with large numbers of routes. Updates tailscale/corp#19332 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-04-23util/linuxfw,go.{mod,sum}: don't log errors when deleting non-existant ↵Irbe Krumina5-40/+24
chains and rules (#11852) This PR bumps iptables to a newer version that has a function to detect 'NotExists' errors and uses that function to determine whether errors received on iptables rule and chain clean up are because the rule/chain does not exist- if so don't log the error. Updates corp#19336 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-23cmd{containerboot,k8s-operator},util/linuxfw: support ExternalName Services ↵Irbe Krumina8-27/+351
(#11802) * cmd/containerboot,util/linuxfw: support proxy backends specified by DNS name Adds support for optionally configuring containerboot to proxy traffic to backends configured by passing TS_EXPERIMENTAL_DEST_DNS_NAME env var to containerboot. Containerboot will periodically (every 10 minutes) attempt to resolve the DNS name and ensure that all traffic sent to the node's tailnet IP gets forwarded to the resolved backend IP addresses. Currently: - if the firewall mode is iptables, traffic will be load balanced accross the backend IP addresses using round robin. There are no health checks for whether the IPs are reachable. - if the firewall mode is nftables traffic will only be forwarded to the first IP address in the list. This is to be improved. * cmd/k8s-operator: support ExternalName Services Adds support for exposing endpoints, accessible from within a cluster to the tailnet via DNS names using ExternalName Services. This can be done by annotating the ExternalName Service with tailscale.com/expose: "true" annotation. The operator will deploy a proxy configured to route tailnet traffic to the backend IPs that service.spec.externalName resolves to. The backend IPs must be reachable from the operator's namespace. Updates tailscale/tailscale#10606 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-23licenses: update license noticesLicense Updater4-32/+27
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
2024-04-23util/osuser: add unit test for parseGroupIdsPercy Wegmann2-1/+31
Updates #11682 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-04-23ssh/tailssh: try fetching group IDs for user with the 'id' commandAndrew Dunham2-8/+52
Since the tailscaled binaries that we distribute are static and don't link cgo, we previously wouldn't fetch group IDs that are returned via NSS. Try shelling out to the 'id' command, similar to how we call 'getent', to detect such cases. Updates #11682 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I9bdc938bd76c71bc130d44a97cc2233064d64799
2024-04-23api.md: move device posture api to api.mdKristoffer Dalby1-0/+133
Updates tailscale/corp#18572 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-04-22syncs: fix flaky test by deleting the code it tested (Watch)Brad Fitzpatrick2-174/+0
Fixes #11766 Change-Id: Id5a875aab23eb1b48a57dc379d0cdd42412fd18b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-22ipn/local: log OS-specific diagnostic information as JSON (#11700)Joe Tsai5-27/+10
There is an undocumented 16KiB limit for text log messages. However, the limit for JSON messages is 256KiB. Even worse, logging JSON as text results in significant overhead since each double quote needs to be escaped. Instead, use logger.Logf.JSON to explicitly log the info as JSON. We also modify osdiag to return the information as structured data rather than implicitly have the package log on our behalf. This gives more control to the caller on how to log. Updates #7802 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2024-04-22ipn/ipnlocal: reset auto-updates if unsupported on profile load (#11838)Andrew Lytvynov2-0/+34
Prior to https://github.com/tailscale/tailscale/pull/11814/commits/1613b18f8280c2bce786980532d012c9f0454fa2#diff-314ba0d799f70c8998940903efb541e511f352b39a9eeeae8d475c921d66c2ac, nodes could set AutoUpdate.Apply=true on unsupported platforms via `EditPrefs`. Specifically, this affects tailnets where default auto-updates are on. Fix up those invalid prefs on profile reload, as a migration. Updates #11544 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-04-22release/dist/qnap: add qnap target builderSonia Appasamy17-3/+658
Creates new QNAP builder target, which builds go binaries then uses docker to build into QNAP packages. Much of the docker/script code here is pulled over from https://github.com/tailscale/tailscale-qpkg, with adaptation into our builder structures. The qnap/Tailscale folder contains static resources needed to build Tailscale qpkg packages, and is an exact copy of the existing folder in the tailscale-qpkg repo. Builds can be run with: ``` sudo ./tool/go run ./cmd/dist build qnap ``` Updates tailscale/tailscale-qpkg#135 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2024-04-22ipn/ipnlocal,ssh/tailssh: reject c2n /update if SSH conns are active (#11820)Andrew Lytvynov3-0/+18
Since we already track active SSH connections, it's not hard to proactively reject updates until those finish. We attempt to do the same on the control side, but the detection latency for new connections is in the minutes, which is not fast enough for common short sessions. Handle a `force=true` query parameter to override this behavior, so that control can still trigger an update on a server where some long-running abandoned SSH session is open. Updates https://github.com/tailscale/corp/issues/18556 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-04-21types/persist: remove unused field Persist.ProviderBrad Fitzpatrick5-19/+1
It was only obviously unused after the previous change, c39cde79d. Updates #19334 Change-Id: I9896d5fa692cb4346c070b4a339d0d12340c18f7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-21tailcfg: remove some unused fields from RegisterResponseAuthBrad Fitzpatrick4-13/+2
Fixes #19334 Change-Id: Id6463f28af23078a7bc25b9280c99d4491bd9651 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-21tailcfg: pointerify RegisterRequest.Auth, omitemptify RegisterResponseAuthBrad Fitzpatrick5-12/+20
We were storing server-side lots of: "Auth":{"Provider":"","LoginName":"","Oauth2Token":null,"AuthKey":""}, That was about 7% of our total storage of pending RegisterRequest bodies. Updates tailscale/corp#19327 Change-Id: Ib73842759a2b303ff5fe4c052a76baea0d68ae7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-19net/tsdial: assume all connections are affected if no default route is presentAndrew Dunham1-1/+15
If this happens, it results in us pessimistically closing more connections than might be necessary, but is more correct since we won't "miss" a change to the default route interface and keep trying to send data over a nonexistent interface, or one that can't reach the internet. Updates tailscale/corp#19124 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ia0b8b04cb8cdcb0da0155fd08751c9dccba62c1a
2024-04-19wgengine\router: fix the Tailscale-In firewall rule to work on domain networksNick Khyl2-2/+2
The Network Location Awareness service identifies networks authenticated against an Active Directory domain and categorizes them as "Domain Authenticated". This includes the Tailscale network if a Domain Controller is reachable through it. If a network is categories as NLM_NETWORK_CATEGORY_DOMAIN_AUTHENTICATED, it is not possible to override its category, and we shouldn't attempt to do so. Additionally, our Windows Firewall rules should be compatible with both private and domain networks. This fixes both issues. Fixes #11813 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-04-19ipn/ipnlocal,clientupdate: disallow auto-updates in containers (#11814)Andrew Lytvynov3-13/+62
Containers are typically immutable and should be updated as a whole (and not individual packages within). Deny enablement of auto-updates in containers. Also, add the missing check in EditPrefs in LocalAPI, to catch cases like tailnet default auto-updates getting enabled for nodes that don't support it. Updates #11544 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-04-19clientupdate: return OS-specific version from LatestTailscaleVersion (#11812)Andrew Lytvynov1-3/+16
We don't always have the same latest version for all platforms (like with 1.64.2 is only Synology+Windows), so we should use the OS-specific result from pkgs JSON response instead of the main Version field. Updates #11795 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-04-19cmd/k8s-operator: correctly determine cluster domain (#11512)Irbe Krumina3-4/+139
Kubernetes cluster domain defaults to 'cluster.local', but can also be customized. We need to determine cluster domain to set up in-cluster forwarding to our egress proxies. This was previously hardcoded to 'cluster.local', so was the egress proxies were not usable in clusters with custom domains. This PR ensures that we attempt to determine the cluster domain by parsing /etc/resolv.conf. In case the cluster domain cannot be determined from /etc/resolv.conf, we fall back to 'cluster.local'. Updates tailscale/tailscale#10399,tailscale/tailscale#11445 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-18ipn/ipnlocal: remove origin and referer headers from Taildrive requestsPercy Wegmann1-4/+5
peerapi does not want these, but rclone includes them. Removing them allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-04-18ipn/ipnlocal: strip origin and referer headers from Taildrive requestsPercy Wegmann1-0/+4
peerapi does not want these, but rclone includes them. Stripping them out allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>