health,ipn/ipnlocal: report the node being locked out as a health issue
Signed-off-by: Tom DNetto <tom@tailscale.com>
parent
907f85cd67
commit
0088c5ddc0
@ -70,6 +70,9 @@
|
|||||||
|
|
||||||
// SysDNSManager is the name of the net/dns manager subsystem.
|
// SysDNSManager is the name of the net/dns manager subsystem.
|
||||||
SysDNSManager = Subsystem("dns-manager")
|
SysDNSManager = Subsystem("dns-manager")
|
||||||
|
|
||||||
|
// SysTKA is the name of the tailnet key authority subsystem.
|
||||||
|
SysTKA = Subsystem("tailnet-lock")
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewWarnable returns a new warnable item that the caller can mark
|
// NewWarnable returns a new warnable item that the caller can mark
|
||||||
@ -194,6 +197,12 @@ func SetDNSManagerHealth(err error) { setErr(SysDNSManager, err) }
|
|||||||
// DNSOSHealth returns the net/dns.OSConfigurator error state.
|
// DNSOSHealth returns the net/dns.OSConfigurator error state.
|
||||||
func DNSOSHealth() error { return get(SysDNSOS) }
|
func DNSOSHealth() error { return get(SysDNSOS) }
|
||||||
|
|
||||||
|
// SetTKAHealth sets the health of the tailnet key authority.
|
||||||
|
func SetTKAHealth(err error) { setErr(SysTKA, err) }
|
||||||
|
|
||||||
|
// TKAHealth returns the tailnet key authority error state.
|
||||||
|
func TKAHealth() error { return get(SysTKA) }
|
||||||
|
|
||||||
// SetLocalLogConfigHealth sets the error state of this client's local log configuration.
|
// SetLocalLogConfigHealth sets the error state of this client's local log configuration.
|
||||||
func SetLocalLogConfigHealth(err error) {
|
func SetLocalLogConfigHealth(err error) {
|
||||||
mu.Lock()
|
mu.Lock()
|
||||||
|
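Review bot: The doc comment on `SetTKAHealth` does not say how the error state is cleared, yet most of the calls added elsewhere in this commit pass `nil` to do exactly that. I would write `// SetTKAHealth sets the error state of the tailnet key authority; a nil err clears it.`, assuming `setErr` treats nil that way (its body is not shown here). The `SysTKA` comment could also note that the subsystem string is "tailnet-lock" rather than "tka", since that string is presumably what shows up in health output.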
@ -20,6 +20,7 @@
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"tailscale.com/envknob"
|
"tailscale.com/envknob"
|
||||||
|
"tailscale.com/health"
|
||||||
"tailscale.com/ipn"
|
"tailscale.com/ipn"
|
||||||
"tailscale.com/ipn/ipnstate"
|
"tailscale.com/ipn/ipnstate"
|
||||||
"tailscale.com/net/tsaddr"
|
"tailscale.com/net/tsaddr"
|
||||||
@ -60,9 +61,11 @@ func (b *LocalBackend) permitTKAInitLocked() bool {
|
|||||||
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
|
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
|
||||||
// TODO(tom): Remove this guard for 1.35 and later.
|
// TODO(tom): Remove this guard for 1.35 and later.
|
||||||
if b.tka == nil && !b.permitTKAInitLocked() {
|
if b.tka == nil && !b.permitTKAInitLocked() {
|
||||||
|
health.SetTKAHealth(nil)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if b.tka == nil {
|
if b.tka == nil {
|
||||||
|
health.SetTKAHealth(nil)
|
||||||
return // TKA not enabled.
|
return // TKA not enabled.
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -111,6 +114,13 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
|
|||||||
} else {
|
} else {
|
||||||
b.tka.filtered = nil
|
b.tka.filtered = nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check that we ourselves are not locked out, report a health issue if so.
|
||||||
|
if nm.SelfNode != nil && b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key, nm.SelfNode.KeySignature) != nil {
|
||||||
|
health.SetTKAHealth(errors.New("this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out"))
|
||||||
|
} else {
|
||||||
|
health.SetTKAHealth(nil)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// tkaSyncIfNeeded examines TKA info reported from the control plane,
|
// tkaSyncIfNeeded examines TKA info reported from the control plane,
|
||||||
@ -177,6 +187,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
|
|||||||
b.logf("Disablement failed, leaving TKA enabled. Error: %v", err)
|
b.logf("Disablement failed, leaving TKA enabled. Error: %v", err)
|
||||||
} else {
|
} else {
|
||||||
isEnabled = false
|
isEnabled = false
|
||||||
|
health.SetTKAHealth(nil)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
|
return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
|
||||||
|
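Review bot: The self-lockout check added at the end of tkaFilterNetmapLocked discards the error returned by `b.tka.authority.NodeKeyAuthorized(...)`, so every failure surfaces as the same "this node is locked out" text. NodeKeyAuthorized's body is not visible here, but if it distinguishes a missing signature from one that fails verification, an operator needs that reason to tell a node that only needs signing from one with a key problem. Inside the `nm.SelfNode != nil` guard I would bind the result, `err := b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key, nm.SelfNode.KeySignature)`, and record it with `b.logf("tka: self node not authorized: %v", err)` before setting the health error. The health state is set through package-level functions while the authority lives on `b.tka`, so it is worth confirming that every path which clears `b.tka` also calls `health.SetTKAHealth(nil)`. The function starts outside this hunk, so its earlier paths are not visible.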