summaryrefslogtreecommitdiffhomepage
path: root/cmd
AgeCommit message (Collapse)AuthorFilesLines
2021-10-04cmd/tailscale: let certs/keys be written to stdout, warn about macOS sandboxBrad Fitzpatrick1-20/+52
Fixes https://twitter.com/SeanHood/status/1443668378468720647 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04cmd/tailscale: make netcheck work when logged outBrad Fitzpatrick1-1/+5
Fixes #2993 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01cmd/tailscale: make cert subcommand give hints on access deniedBrad Fitzpatrick1-0/+4
Lot of people have been hitting this. Now it says: $ tailscale cert tsdev.corp.ts.net Access denied: cert access denied Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-30cmd/tailscale/cli: fix typo in cert usageBrad Fitzpatrick1-1/+1
2021-09-29cmd/tailscale: make cert give hints on usage failureBrad Fitzpatrick1-1/+14
Like mentioning which cert domain(s) are valid.
2021-09-29cmd/tailscaled: rename outbound HTTP proxy flagBrad Fitzpatrick1-1/+1
The old name invited confusion: * is this the HTTP proxy to use ourselves? (no, that's via an environment variable, per proxy conventions) * is this for LetsEncrypt https-to-localhost-http proxying? (no, that'll come later) So rename to super verbose --outbound-http-proxy-listen before the 1.16.0 release to make it clear what it is. It listens (serves) and it's for outbound, not inbound. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29cmd/tailscale: let up --authkey be of form file:/path/to/secretBrad Fitzpatrick1-5/+22
Fixes #2958 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29cmd/tailscaled: conditionally flush Windows DNS cache on SessionChangeAaron Klotz1-0/+22
For the service, all we need to do is handle the `svc.SessionChange` command. Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache. (Windows expects responses to service requests to be quick, so we don't want to do that synchronously.) This is gated on an integral registry value named `FlushDNSOnSessionUnlock`, whose value we obtain during service initialization. (See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.) Fixes #2956 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-28all: disable TCP keep-alives on iOS/AndroidBrad Fitzpatrick2-0/+2
Updates #2442 Updates tailscale/corp#2750 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28cmd/tailscaled: add support for running an HTTP proxyBrad Fitzpatrick3-18/+112
This adds support for tailscaled to be an HTTP proxy server. It shares the same backend dialing code as the SOCK5 server, but the client protocol is HTTP (including CONNECT), rather than SOCKS. Fixes #2289 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28cmd/tailscaled: set StateDirectoryMode=0700 in tailscaled.serviceBrad Fitzpatrick1-1/+1
Updates #2934 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-24cmd/tailscale: add debug -envBrad Fitzpatrick1-0/+8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23cmd/tailscale: make debug profiling output - mean stdoutBrad Fitzpatrick1-6/+24
Because the macOS CLI runs in the sandbox, including the filesystem, so users would be confused that -cpu-profile=prof.cpu succeeds but doesn't write to their current directory, but rather in some random Library/Containers directory somewhere on the machine (which varies depending on the Mac build type: App Store vs System Extension) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23ipn/localapi, cmd/tailscale: add CPU & memory profile support, debug commandBrad Fitzpatrick2-1/+29
This was already possible on Linux if you ran tailscaled with --debug (which runs net/http/pprof), but it requires the user have the Go toolchain around. Also, it wasn't possible on macOS, as there's no way to run the IPNExtension with a debug server (it doesn't run tailscaled). And on Windows it's super tedious: beyond what users want to do or what we want to explain. Instead, put it in "tailscale debug" so it works and works the same on all platforms. Then we can ask users to run it when we're debugging something and they can email us the output files. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23cmd/tailscale/web: support TLS from env vars.Denton Gentry1-2/+39
pfSense stores its SSL certificate and key in the PHP config. We wrote PHP code to pull the two out of the PHP config and into environment variables before running "tailscale web". The pfSense web UI is served over https, we need "tailscale web" to also support https in order to put it in an <iframe>. Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-09-22cmd/tailscaled: appease a security scannerBrad Fitzpatrick1-1/+8
There are two reasons this can't ever go to actual logs, but rewrite it to make it happy. Fixes tailscale/corp#2695 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-22go.mod: bump github.com/klauspost/compress to 1.13.6David Anderson1-1/+2
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-09-22ipn, paths: ensure that the state directory for Windows has the correct permsAaron Klotz2-2/+2
ProgramData has a permissive ACL. For us to safely store machine-wide state information, we must set a more restrictive ACL on our state directory. We set the ACL so that only talescaled's user (ie, LocalSystem) and the Administrators group may access our directory. We must include Administrators to ensure that logs continue to be easily accessible; omitting that group would force users to use special tools to log in interactively as LocalSystem, which is not ideal. (Note that the ACL we apply matches the ACL that was used for LocalSystem's AppData\Local). There are two cases where we need to reset perms: One is during migration from the old location to the new. The second case is for clean installations where we are creating the file store for the first time. Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-17util/codegen: reorder AssertStructUnchanged argsJosh Bleecher Snyder1-1/+1
The fully qualified name of the type is thisPkg.tname, so write the args like that too. Suggested-by: Joe Tsai <joetsai@digital-static.net> Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17util/codegen: add ContainsPointersJosh Bleecher Snyder1-36/+5
And use it in cmd/cloner. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17cmd/cloner: unify switch casesJosh Bleecher Snyder1-3/+1
And in the process, fix a bug: The fmt formatting was being applied by writef, not fmt.Sprintf, thus emitting a MISSING string. And there's no guarantee that fmt will be imported in the generated code. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17util/codegen: add NamedTypesJosh Bleecher Snyder1-26/+4
And use it in cmd/cloner. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17cmd/cloner: delete some debug codeJosh Bleecher Snyder1-4/+0
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17cmd/cloner: simplify codeJosh Bleecher Snyder1-77/+79
Change from a single-case type switch to a type assertion with an early return. That exposes that the name arg to gen is unneeded. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17cmd/cloner: add Clone context to regen struct assignmentsJosh Bleecher Snyder1-1/+1
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17util/codegen: add AssertStructUnchangedJosh Bleecher Snyder1-18/+1
Refactored out from cmd/cloner. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-17util/codegen: add packageJosh Bleecher Snyder1-8/+2
This is a package for shared utilities used in doing codegen programs. The inaugural API is for writing gofmt'd code to a file. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-16cmd/tailscale: make status show health check problemsBrad Fitzpatrick1-1/+9
Fixes #2775 RELNOTE=tailscale status now shows health check problems Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-15cmd/cloner: reduce diff noise when changing commandJosh Bleecher Snyder1-3/+3
Spelling out the command to run for every type means that changing the command makes for a large, repetitive diff. Stop doing that. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-14cmd: upgrade to ffcli v3Josh Bleecher Snyder16-19/+19
None of the breaking changes from v2 to v3 are relevant to us. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2021-09-13cmd/derper: refactor STUN path for testing, add serverSTUN benchmarkBrad Fitzpatrick2-24/+66
Real goal is to eliminate some allocs in the STUN path, but that requires work in the standard library. See comments in #2783. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-11cmd/tailscaled: disable netns earlier in userspace-networking modeBrad Fitzpatrick1-4/+4
The earlier 382b349c54ed38bbc4d2936a8c9de6cc2f905eb8 was too late, as engine creation itself needed to listen on things. Fixes #2827 Updates #2822 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-09cmd/tailscaled: disable netns in userspace-networking modeBrad Fitzpatrick1-0/+4
Updates #2827 Updates #2822 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-08cmd/derper: fix real staticcheck failure from prior commitBrad Fitzpatrick1-1/+2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-08cmd/derper: support manual TLS certificate mode (#2793)Silver Bullet2-16/+103
Add a mode control for derp server, and add a "manual" mode to get derp server certificate. Under manual mode, certificate is searched in the directory given by "--cert-dir". Certificate should in PEM format, and use "hostname.{key,crt}" as filename. If no hostname is used, search by the hostname given for listen. Fixes #2794 Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
2021-09-07all: update tests to use tstest.MemLoggerBrad Fitzpatrick1-5/+3
And give MemLogger a mutex, as one caller had, which does match the logf contract better. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-07cmd/tailscale: fix "tailscale ip $self-host-hostname"Brad Fitzpatrick3-12/+33
And in the process, fix the related confusing error messages from pinging your own IP or hostname. Fixes #2803 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-07cmd/tailscale: fix typo/pasteo in error message textBrad Fitzpatrick1-1/+1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-03types/key: add a special key with custom serialization for control private ↵Dave Anderson2-2/+2
keys (#2792) * Revert "Revert "types/key: add MachinePrivate and MachinePublic."" This reverts commit 61c3b98a24317dcfd5cbe3db29e7d6b64b8c27a7. Signed-off-by: David Anderson <danderson@tailscale.com> * types/key: add ControlPrivate, with custom serialization. ControlPrivate is just a MachinePrivate that serializes differently in JSON, to be compatible with how the Tailscale control plane historically serialized its private key. Signed-off-by: David Anderson <danderson@tailscale.com>
2021-09-03Revert "types/key: add MachinePrivate and MachinePublic."David Anderson2-2/+2
Broke the tailscale control plane due to surprise different serialization. This reverts commit 4fdb88efe1d9b4f8af0aad99bbacc814323ef92a.
2021-09-03types/key: add MachinePrivate and MachinePublic.David Anderson2-2/+2
Plumb throughout the codebase as a replacement for the mixed use of tailcfg.MachineKey and wgkey.Private/Public. Signed-off-by: David Anderson <danderson@tailscale.com>
2021-09-02metrics: optimize CurrentFDs to not allocate on LinuxBrad Fitzpatrick2-2/+2
It was 50% of our allocs on one of our servers. (!!) Updates #2784 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-02cmd/derper: increase port 80's WriteTimeout to permit longer CPU profilesBrad Fitzpatrick1-4/+8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-02cmd/derper: listen on host of flag server addr for port 80 and 3478 (#2768)Chuangbo Li1-5/+10
cmd/derper: listen on host of flag server addr for port 80 and 3478 When using custom derp on the server with multiple IP addresses, we would like to bind derp 80, 443 and stun 3478 to a certain IP. derp command provides flag `-a` to customize which address to bind for port 443. But port :80 and :3478 were hard-coded. Fixes #2767 Signed-off-by: Li Chuangbo <im@chuangbo.li>
2021-09-01ipn/store: add ability to store data as k8s secrets.Maisem Ali3-1/+3
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-09-01cmd/tailscale/cli: make up block until state Running, not just StartingBrad Fitzpatrick1-9/+9
At "Starting", the DERP connection isn't yet up. After the first netmap and DERP connect, then it transitions into "Running". Fixes #2708 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-31cmd/derper: also add port 80 timeoutsBrad Fitzpatrick1-1/+7
Didn't notice this one in earlier 00b3c1c0422d033a479a2efedbbd239c05dab68c Updates tailscale/corp#2486 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-31client/tailscale, cmd/tailscale/cli: move version mismatch check to CLIBrad Fitzpatrick1-0/+8
So people can use the package for whois checks etc without version skew errors. The earlier change faa891c1f2ff759f4e5cbc158f310b3201d91b59 for #1905 was a bit too aggressive. Fixes #2757 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-31safesocket: add connect retry loop to wait for tailscaledBrad Fitzpatrick2-1/+2
Updates #2708 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-31cmd/derper: add missing read/write timeoutsBrad Fitzpatrick1-0/+10
Updates tailscale/corp#2486 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>