| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This file was never truly necessary and has never actually been used in
the history of Tailscale's open source releases.
A Brief History of AUTHORS files
---
The AUTHORS file was a pattern developed at Google, originally for
Chromium, then adopted by Go and a bunch of other projects. The problem
was that Chromium originally had a copyright line only recognizing
Google as the copyright holder. Because Google (and most open source
projects) do not require copyright assignemnt for contributions, each
contributor maintains their copyright. Some large corporate contributors
then tried to add their own name to the copyright line in the LICENSE
file or in file headers. This quickly becomes unwieldy, and puts a
tremendous burden on anyone building on top of Chromium, since the
license requires that they keep all copyright lines intact.
The compromise was to create an AUTHORS file that would list all of the
copyright holders. The LICENSE file and source file headers would then
include that list by reference, listing the copyright holder as "The
Chromium Authors".
This also become cumbersome to simply keep the file up to date with a
high rate of new contributors. Plus it's not always obvious who the
copyright holder is. Sometimes it is the individual making the
contribution, but many times it may be their employer. There is no way
for the proejct maintainer to know.
Eventually, Google changed their policy to no longer recommend trying to
keep the AUTHORS file up to date proactively, and instead to only add to
it when requested: https://opensource.google/docs/releasing/authors.
They are also clear that:
> Adding contributors to the AUTHORS file is entirely within the
> project's discretion and has no implications for copyright ownership.
It was primarily added to appease a small number of large contributors
that insisted that they be recognized as copyright holders (which was
entirely their right to do). But it's not truly necessary, and not even
the most accurate way of identifying contributors and/or copyright
holders.
In practice, we've never added anyone to our AUTHORS file. It only lists
Tailscale, so it's not really serving any purpose. It also causes
confusion because Tailscalars put the "Tailscale Inc & AUTHORS" header
in other open source repos which don't actually have an AUTHORS file, so
it's ambiguous what that means.
Instead, we just acknowledge that the contributors to Tailscale (whoever
they are) are copyright holders for their individual contributions. We
also have the benefit of using the DCO (developercertificate.org) which
provides some additional certification of their right to make the
contribution.
The source file changes were purely mechanical with:
git ls-files | xargs sed -i -e 's/\(Tailscale Inc &\) AUTHORS/\1 contributors/g'
Updates #cleanup
Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d
Signed-off-by: Will Norris <will@tailscale.com>
|
|
Adds a new diagram for ProxyGroups running in Ingress mode.
Documentation is currently not publicly available, but a link needs
adding once it is.
Updates tailscale/corp#24795
Change-Id: I0d5dd6bf6f0e1b8b0becae848dc97d8b4bfb9ccb
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
|
|
This is an experiment to see how useful we will find it to have some
text-based diagrams to document how various components of the operator
work. There are no plans to link to this from elsewhere yet, but
hopefully it will be a useful reference internally.
Updates #cleanup
Change-Id: If5911ed39b09378fec0492e87738ec0cc3d8731e
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
|
|
(#14262)
We were previously relying on unintended behaviour by runc where
all containers where by default given read/write/mknod permissions
for tun devices.
This behaviour was removed in https://github.com/opencontainers/runc/pull/3468
and released in runc 1.2.
Containerd container runtime, used by Docker and majority of Kubernetes distributions
bumped runc to 1.2 in 1.7.24 https://github.com/containerd/containerd/releases/tag/v1.7.24
thus breaking our reference tun mode Tailscale Kubernetes manifests and Kubernetes
operator proxies.
This PR changes the all Kubernetes container configs that run Tailscale in tun mode
to privileged. This should not be a breaking change because all these containers would
run in a Pod that already has a privileged init container.
Updates tailscale/tailscale#14256
Updates tailscale/tailscale#10814
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
|
small fixes (#14164)
This is a follow-up to #14112 where our internal kube client was updated
to allow it to emit Events - this updates our sample kube manifests
and tsrecorder manifest templates so they can benefit from this functionality.
Updates tailscale/tailscale#14080
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
|
In https://github.com/tailscale/tailscale/pull/11363
I changed the subnet router manifest to run in tun
mode (for performance reasons), but did not
change the security context to give it net_admin,
which is required to for the tailscale socket.
Updates tailscale/tailscale#12083
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
|
There should not be a need to do that unless we run on host network
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
|
Update docs for static Tailscale deployments on kube
to always use firewall mode autodection when in non-userspace.
Also add a note about running multiple replicas and a few suggestions how folks could do that.
Updates#cleanup
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
|
|
We already have sysctl in the `tailscale/tailscale` image, just use that.
Updates #cleanup
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Instead of calling kubectl directly in k8s Makefile, write the yaml to
stdout so it can be reviewed/edited/etc before manually applying with
kubectl.
Fixes: #8511
Signed-off-by: David Wolever <david@wolever.net>
|
|
This updates all source files to use a new standard header for copyright
and license declaration. Notably, copyright no longer includes a date,
and we now use the standard SPDX-License-Identifier header.
This commit was done almost entirely mechanically with perl, and then
some minimal manual fixes.
Updates #6865
Signed-off-by: Will Norris <will@tailscale.com>
|
|
Updates https://github.com/tailscale/tailscale-www/issues/2199.
Signed-off-by: Walter Poupore <walterp@tailscale.com>
|
|
Fixes #6225.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
This implements the same functionality as the former run.sh, but in Go
and with a little better awareness of tailscaled's lifecycle.
Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had
where it would unconditionally try to reauth every time if you gave it
an authkey, rather than try to use it only if auth is actually needed.
This makes it a bit nicer to deploy these containers in automation, since
you don't have to run the container once, then go and edit its definition
to remove authkeys.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Fixes #5805
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Anton Schubert <anton.schubert@riedel.net>
|
|
Signed-off-by: hlts2 <hiroto.funakoshi.hiroto@gmail.com>
|
|
Signed-off-by: Tyler Lee <tyler.lee@radius.ai>
|
|
Signed-off-by: Tyler Lee <tyler.lee@radius.ai>
|
|
It was previously using jobcontrol to achieve this, but that apparently
doesn't work when there is no tty. This makes it so that it directly
handles SIGINT and SIGTERM and passes it on to tailscaled. I tested this
works on a Digital Ocean K8s cluster.
Fixes #5512
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Fixes https://github.com/tailscale/tailscale/issues/4999
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
|
|
Signed-off-by: Walter Poupore <walterp@tailscale.com>
|
|
This has the benefit of propagating SIGINT to tailscaled, which in turn
can react to the event and logout in case of an ephemeral node.
Also fix missing run.sh in Dockerfile.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
This makes `tailscale cert` and Taildrop work on k8s and in ephemeral
mode.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
- TS_SOCKS5_SERVER, argument passed to tailscaled --socks5-server
- TS_OUTBOUND_HTTP_PROXY_LISTEN, argument passed to tailscaled -outbound-http-proxy-listen
- TS_TAILSCALED_EXTRA_ARGS extra arguments passed to tailscaled
Fixes #4985
Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>
|
|
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
|
|
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
|
|
Fixes #4071
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Brian Fallik <bfallik@gmail.com>
|
|
Signed-off-by: Robert <rspier@pobox.com>
Co-authored-by: Maisem Ali <3953239+maisem@users.noreply.github.com>
|
|
Use the correct KUBE_SECRET value
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
|
Signed-off-by: Maisem Ali <maisem@tailscale.com>
|
