health,ipn/ipnlocal: report the node being locked out as a health issue

Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
Tom DNetto 2023-01-04 10:36:07 -08:00 committed by Tom
parent 907f85cd67
commit 0088c5ddc0
2 changed files with 20 additions and 0 deletions

View File

@ -70,6 +70,9 @@
// SysDNSManager is the name of the net/dns manager subsystem. // SysDNSManager is the name of the net/dns manager subsystem.
SysDNSManager = Subsystem("dns-manager") SysDNSManager = Subsystem("dns-manager")
// SysTKA is the name of the tailnet key authority subsystem.
SysTKA = Subsystem("tailnet-lock")
) )
// NewWarnable returns a new warnable item that the caller can mark // NewWarnable returns a new warnable item that the caller can mark
@ -194,6 +197,12 @@ func SetDNSManagerHealth(err error) { setErr(SysDNSManager, err) }
// DNSOSHealth returns the net/dns.OSConfigurator error state. // DNSOSHealth returns the net/dns.OSConfigurator error state.
func DNSOSHealth() error { return get(SysDNSOS) } func DNSOSHealth() error { return get(SysDNSOS) }
// SetTKAHealth sets the health of the tailnet key authority.
func SetTKAHealth(err error) { setErr(SysTKA, err) }
// TKAHealth returns the tailnet key authority error state.
func TKAHealth() error { return get(SysTKA) }
// SetLocalLogConfigHealth sets the error state of this client's local log configuration. // SetLocalLogConfigHealth sets the error state of this client's local log configuration.
func SetLocalLogConfigHealth(err error) { func SetLocalLogConfigHealth(err error) {
mu.Lock() mu.Lock()

View File

@ -20,6 +20,7 @@
"time" "time"
"tailscale.com/envknob" "tailscale.com/envknob"
"tailscale.com/health"
"tailscale.com/ipn" "tailscale.com/ipn"
"tailscale.com/ipn/ipnstate" "tailscale.com/ipn/ipnstate"
"tailscale.com/net/tsaddr" "tailscale.com/net/tsaddr"
@ -60,9 +61,11 @@ func (b *LocalBackend) permitTKAInitLocked() bool {
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) { func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
// TODO(tom): Remove this guard for 1.35 and later. // TODO(tom): Remove this guard for 1.35 and later.
if b.tka == nil && !b.permitTKAInitLocked() { if b.tka == nil && !b.permitTKAInitLocked() {
health.SetTKAHealth(nil)
return return
} }
if b.tka == nil { if b.tka == nil {
health.SetTKAHealth(nil)
return // TKA not enabled. return // TKA not enabled.
} }
@ -111,6 +114,13 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
} else { } else {
b.tka.filtered = nil b.tka.filtered = nil
} }
// Check that we ourselves are not locked out, report a health issue if so.
if nm.SelfNode != nil && b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key, nm.SelfNode.KeySignature) != nil {
health.SetTKAHealth(errors.New("this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out"))
} else {
health.SetTKAHealth(nil)
}
} }
// tkaSyncIfNeeded examines TKA info reported from the control plane, // tkaSyncIfNeeded examines TKA info reported from the control plane,
@ -177,6 +187,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
b.logf("Disablement failed, leaving TKA enabled. Error: %v", err) b.logf("Disablement failed, leaving TKA enabled. Error: %v", err)
} else { } else {
isEnabled = false isEnabled = false
health.SetTKAHealth(nil)
} }
} else { } else {
return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled") return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")