| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
Fixes #18118
Change-Id: I118fcc6537af9ccbdc7ce6b78134e8059b0b5ccf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
app connector packets
We introduce the Conn25PacketHooks interface to be used as a nil-able
field in userspaceEngine. The engine then plumbs through the functions
to the corresponding tstun.Wrapper intercepts.
The new intercepts run pre-filter when egressing toward WireGuard,
and post-filter when ingressing from WireGuard. This is preserve the
design invariant that the filter recognizes the traffic as interesting
app connector traffic.
This commit does not plumb through implementation of the interface, so
should be a functional no-op.
Fixes tailscale/corp#35985
Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>
|
|
bart has gained a bunch of purported performance and usability
improvements since the current version we are using (0.18.0,
from 1y ago)
Updates tailscale/corp#36982
Signed-off-by: Amal Bansode <amal@tailscale.com>
|
|
wiki.nixos.org is and has been the official wiki for quite some time now.
Signed-off-by: faukah <fau@faukah.com>
|
|
This updates the URL shown by systemd to the new URL used by the docs
after the recent migration.
Fixes #18646
Signed-off-by: Tim Walters <tim@tailscale.com>
|
|
Add new "webbrowser" and "colorable" feature tags so that the
github.com/toqueteos/webbrowser and mattn/go-colorable packages
can be excluded from minbox builds.
Updates #12614
Change-Id: Iabd38b242f5a56aa10ef2050113785283f4e1fe8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This commit adds a bool named PeerRelay to Hostinfo, to identify the host's status of acting as a peer relay.
Considering the RelayServerPort number can be 0, I just made this a bool in stead of a port number. If the port
info is needed in future this would also help indicating if the port was set to 0 (meaning any port in peer relay
context).
Updates tailscale/corp#35862
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
|
|
Updates #18629
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Under extremely high load it appears we may have some retention issues
as a result of queue depth build up, but there is currently no direct
way to observe this. The scenario does not trigger the slow subscriber
log message, and the event stream debugging endpoint produces a
saturating volume of information.
Updates tailscale/corp#36904
Signed-off-by: James Tucker <james@tailscale.com>
|
|
Updates #cleanup
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
Currently the expvar exporter attempts to write expvar.String, which
breaks the Prometheus metric page.
Updates tailscale/corp#36552
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
|
|
concurrent netmaps that if the first is logged in, it is never skipped.
This should have been covered be the skip test case, but that case
wasn't updated to include level set state.
Updates #12639
Updates #17869
Signed-off-by: James Tucker <james@tailscale.com>
|
|
Updates #12614
Updates #18562
Change-Id: Ife4f10c55d1d68569938ffd68ffe72eef889e200
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
If any profiles exist and an Authkey is provided via syspolicy, the
AuthKey is ignored on backend start, preventing re-auth attempts. This
is useful for one-time device provisioning scenarios, skipping authKey
use after initial setup when the authKey may no longer be valid.
updates #18618
Signed-off-by: Will Hannah <willh@tailscale.com>
|
|
Use the parsed and validated advertise tags value from prefs instead of
doing a strings.Split on the raw tags value as an input to the OAuth and
identity federation auth key generation methods.
The previous strings.Split method would return an array with a single
empty string element which would pass downstream length checks on the
tags argument before eventually failing with a confusing message when
hitting the API.
Fixes https://github.com/tailscale/tailscale/issues/18617
Signed-off-by: Mario Minardi <mario@tailscale.com>
|
|
Updates #12614
Change-Id: I49351fe0c463af0b8d940e8088d4748906a8aec3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Package feature/conn25 is excludeable from a build via the featuretag.
Test it is excluded for minimal builds.
Updates #12614
Signed-off-by: Fran Bull <fran@tailscale.com>
|
|
We already had a featuretag for clientupdate, but the CLI wasn't using
it, making the "minbox" build (minimal combined tailscaled + CLI
build) larger than necessary.
Updates #12614
Change-Id: Idd7546c67dece7078f25b8f2ae9886f58d599002
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This resolves a gap in test coverage, ensuring Server.ListenService
functions as expected in combination with user-supplied TUN devices
Fixes tailscale/corp#36603
Co-authored-by: Harry Harpham <harry@tailscale.com>
Signed-off-by: Harry Harpham <harry@tailscale.com>
|
|
When the NodeAttrDNSSubdomainResolve capability is present, enable
wildcard certificate issuance to cover all single-level subdomains
of a node's CertDomain.
Without the capability, only exact CertDomain matches are allowed,
so node.ts.net yields a cert for node.ts.net. With the capability,
we now generate wildcard certificates. Wildcard certs include both
the wildcard and base domain in their SANs, and ACME authorization
requests both identifiers. The cert filenames are kept still based
on the base domain with the wildcard prefix stripped, so we aren't
creating separate files. DNS challenges still used the base domain
The checkCertDomain function is replaced by resolveCertDomain that
both validates and returns the appropriate cert domain to request.
Name validation is now moved earlier into GetCertPEMWithValidity()
Fixes #1196
Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
|
|
Not all Linux distros use systemd yet, for example GL.iNet KVM devices
use busybox's init, which is similar to SysV init.
This is a best-effort restart attempt after the update, it probably
won't cover 100% of init.d setups out there.
Fixes #18567
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Updates tailscale/go#149
Change-Id: If0483466eb1fc2196838c75f6d53925b1809abff
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
Found by @cmol. When rewriting the same value into the cache, we were dropping
the unchanged keys, resulting in the cache being pruned incorrectly.
Also update the tests to catch this.
Updates #12639
Change-Id: Iab67e444eb7ddc22ccc680baa2f6a741a00eb325
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
|
|
(#18375)
Updates #17965
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
|
|
This commit fixes an issue within containerboot that arose from the
kubernetes operator. When users enable metrics on custom resources that
are running on dual stack or ipv6 only clusters, they end up with an error
as we pass the hostport combintation using $(POD_IP):PORT.
In go, `netip.ParseAddrPort` expects square brackets `[]` to wrap the host
portion of an ipv6 address and would naturally, crash.
When loading the containerboot configuration from the environment we now
check if the `TS_LOCAL_ADDR_PORT` value contains the pod's v6 ip address.
If it does & does not already contain brackets, we add the brackets in.
Closes: #15762
Closes: #15467
Signed-off-by: David Bond <davidsbond93@gmail.com>
|
|
Follow up from https://github.com/tailscale/tailscale/pull/18563 which I
totally botched.
Updates #18562
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
This provides a mechanism to block, waiting for Tailscale's IP to be
ready for a bind/listen, to gate the starting of other services.
It also adds a new --assert=[IP] option to "tailscale ip", for services
that want extra paranoia about what IP is in use, if they're worried about
having switched to the wrong tailnet prior to reboot or something.
Updates #3340
Updates #11504
... and many more, IIRC
Change-Id: I88ab19ac5fae58fd8c516065bab685e292395565
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This ensures that D-Bus is active for the unit and will correctly
shut down when the default target ends.
Fixes: https://github.com/tailscale/tailscale/issues/18458
Signed-off-by: Neal Gompa <ngompa@velocitylimitless.com>
|
|
Go1.25 for tailscale/go#149
Go1.26 for tailscale/go#149 + upstream release-branch.go1.26 work since rc2.
Updates tailscale/go#149
Change-Id: Ib56b5b5119f181c4a81d4b599b8bbdb405ee6704
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
The forwarder was not setting the Truncated (TC) flag when UDP DNS
responses exceeded either the EDNS buffer size (if present) or the
RFC 1035 default 512-byte limit. This affected DoH, TCP fallback,
and UDP response paths.
The fix ensures checkResponseSizeAndSetTC is called in all code paths
that return UDP responses, enforcing both EDNS and default UDP size
limits.
Added comprehensive unit tests and consolidated duplicate test helpers.
Updates #18107
Signed-off-by: Brendan Creane <bcreane@gmail.com>
|
|
Fix precedence logic to skip federated identity logic when the
associated environment variables are empty.
Updates https://github.com/tailscale/gitops-acl-action/issues/71
Signed-off-by: Mario Minardi <mario@tailscale.com>
|
|
locally (#18461)
* wgengine/netstack: add local tailscale service IPs to route and terminate locally
This commit adds the tailscales service IPs served locally to OS routes, and
make interception to packets so that the traffic terminates locally without
making affects to the HA traffics.
Fixes tailscale/corp#34048
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* fix test
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* add ready field to avoid accessing lb before netstack starts
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* wgengine/netstack: store values from lb to avoid acquiring a lock
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* add active services to netstack on starts with stored prefs.
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* fix comments
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
* update comments
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
---------
Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
|
|
By dropping inbound disco.Ping messages received over direct UDP paths.
Fixes #18560
Signed-off-by: Jordan Whited <jordan@tailscale.com>
|
|
So callers can run testwrapper with -vet=off if they're already
running vet explicitly in a concurrent test job.
Updates tailscale/corp#28679
Change-Id: I74ad56e560076d187f5e3a7d7381e1dac89d860c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
On Windows, TempDir cleanup fails if file handles are still open.
TestConcurrentSameFile wasn't closing Filch instances before exit
Fixes #18570
Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
|
|
This adds a new node capability 'dns-subdomain-resolve' that signals
that all of hosts' subdomains should resolve to the same IP address.
It allows wildcard matching on any node marked with this capability.
This change also includes an util/dnsname utility function that lets
us access the parent of a full qualified domain name. MagicDNS takes
this function and recursively searchs for a matching real node name.
One important thing to observe is that, in this context, a subdomain
can have multiple sub labels. This means that for a given node named
machine, both my.machine and be.my.machine will be a positive match.
Updates #1196
Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
|
|
When tailscaled gets started with userspace networking, it won't
modify your system's network configuration. For this, it creates
a noopManager for DNS management. noopManager correctly observes
that there's no real OS DNS to send queries to. This leads to we
completely dropping any DNS internal resolution from `dns query`
This change alters this so that even without a base config we'll
still allow the internal resolver to handle internal DNS queries
Fixes #18354
Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
|
|
Running a command like `tailscale up --auth-key tskey-foo --auth-key tskey-bar` used to print
```
invalid value "tskey-bar" for flag -auth-key: flag provided multiple times
```
but now we print
```
invalid value "tskey-REDACTED" for flag -auth-key: flag provided multiple times
```
Fixes #18562
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
This allows fetching auth keys, OAuth client secrets, and ID tokens (for
workload identity federation) from AWS Parameter Store by passing an ARN
as the value. This is a relatively low-overhead mechanism for fetching
these values from an external secret store without needing to run a
secret service.
Usage examples:
# Auth key
tailscale up \
--auth-key=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/auth-key
# OAuth client secret
tailscale up \
--client-secret=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/oauth-secret \
--advertise-tags=tag:server
# ID token (for workload identity federation)
tailscale up \
--client-id=my-client \
--id-token=arn:aws:ssm:us-east-1:123456789012:parameter/tailscale/id-token \
--advertise-tags=tag:server
Updates tailscale/corp#28792
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
|
|
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
|
|
Using -coverprofile was breaking the (cached) detection logic because
that adds extra information to the end of the line.
Updates tailscale/go#150
Change-Id: Ie1bf4e1e04e21db00a6829695098fb61d80a2641
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
|
|
NetmapFromMapResponseForDebug (#17878)
We were seeing some panics from nodes:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xd42570]
goroutine 362555 [running]:
tailscale.com/types/persist.PersistView.PrivateNodeKey(...)
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/types/persist/persist_view.go:89
tailscale.com/control/controlclient.NetmapFromMapResponseForDebug({0x1bac2e0, 0xc0a8692380}, {0xc0de5da0c0?}, 0xc0de66fd40)
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/control/controlclient/direct.go:1175 +0x90
tailscale.com/ipn/ipnlocal.handleC2NDebugNetMap(0xc0b3f5af08, {0x1baa520, 0xc0a887b0c0}, 0xc0a869a280)
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/ipn/ipnlocal/c2n.go:186 +0x405
tailscale.com/ipn/ipnlocal.(*LocalBackend).handleC2N(0xc0b3f5af08, {0x1baa520, 0xc0a887b0c0}, 0xc0a869a280)
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/ipn/ipnlocal/c2n.go:121 +0x155
net/http.HandlerFunc.ServeHTTP(0x1bac150?, {0x1baa520?, 0xc0a887b0c0?}, 0xc049d47b20?)
net/http/server.go:2322 +0x29
tailscale.com/control/controlclient.answerC2NPing(0xc0d9808f20, {0x1b90f40, 0xc0c3bd0db0}, 0xc0b1c84ea0, 0xc0a29b3c80)
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/control/controlclient/direct.go:1454 +0x455
tailscale.com/control/controlclient.(*Direct).answerPing(0xc09b173b88, 0xc0a29b3c80)
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/control/controlclient/direct.go:1398 +0x127
created by tailscale.com/control/controlclient.(*Direct).sendMapRequest in goroutine 361922
tailscale.com@v1.89.0-pre.0.20250926180200-7cbf56345bb3/control/controlclient/direct.go:1104 +0x20e5
Updates tailscale/corp#31367
Updates tailscale/corp#32095
Signed-off-by: Paul Scott <408401+icio@users.noreply.github.com>
|
|
Updates tailscale/go#150
Updates tailscale/corp#28679
Change-Id: Ieb4780f157451f5c6660c96c6efaec9ddcfcb415
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
In the event of multiple Filch intances being backed by the same file,
it is possible that concurrent rotateLocked calls occur.
One operation might clear the file,
resulting in another skipping the call to resetReadBuffer,
resulting in a later panic because the read index is invalid.
To at least avoid the panic, always call resetReadBuffer.
Note that the behavior of Filch is undefined when using the same file.
While this avoids the panic, we may still experience data corruption or less.
Fixes #18552
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
|
|
We weren't parsing that out previously, making it look like tests
were re-running even though they were cached.
Updates tailscale/go#150
Updates tailscale/corp#28679
Updates tailscale/corp#34696
Change-Id: I6254362852a82ccc86ac464a805379d941408dad
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This pulls in tailscale/go#153, which we want to begin experimenting with.
Updates tailscale/go#150
Change-Id: Id3e03558ee69e74361431650530e8227dfdef978
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
The file-based cache implementation was not reporting the correct error when
attempting to load a missing column key. Make it do so, and update the tests to
cover that case.
Updates #12639
Change-Id: Ie2c45a0a7e528d4125f857859c92df807116a56e
Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
|
|
This pulls in tailscale/go#151, which we want to begin experimenting with.
Updates tailscale/go#150
Change-Id: I69aa2631ecf36356430969f423ea3943643a144a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
|
This is for a future test scheduler, so it can run potentially flaky
tests separately, doing all the non-flaky ones together in one batch.
Updates tailscale/corp#28679
Change-Id: Ic4a11f9bf394528ef75792fd622f17bc01a4ec8a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
|
