envknob: support changing envknobs post-init

Updates #5114 Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2022-09-14 12:49:39 -07:00
parent 33ee2c058e
commit 74674b110d
31 changed files with 311 additions and 167 deletions
--- a/net/dns/manager_windows.go
+++ b/net/dns/manager_windows.go
@@ -32,7 +32,7 @@ const (
 	versionKey = `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
 )

-var configureWSL = envknob.Bool("TS_DEBUG_CONFIGURE_WSL")
+var configureWSL = envknob.RegisterBool("TS_DEBUG_CONFIGURE_WSL")

 type windowsManager struct {
 	logf       logger.Logf
@@ -359,7 +359,7 @@ func (m windowsManager) SetDNS(cfg OSConfig) error {

 	// On initial setup of WSL, the restart caused by --shutdown is slow,
 	// so we do it out-of-line.
-	if configureWSL {
+	if configureWSL() {
 		go func() {
 			if err := m.wslManager.SetDNS(cfg); err != nil {
 				m.logf("WSL SetDNS: %v", err) // continue
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -484,13 +484,13 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 	return res, err
 }

-var verboseDNSForward = envknob.Bool("TS_DEBUG_DNS_FORWARD_SEND")
+var verboseDNSForward = envknob.RegisterBool("TS_DEBUG_DNS_FORWARD_SEND")

 // send sends packet to dst. It is best effort.
 //
 // send expects the reply to have the same txid as txidOut.
 func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
-	if verboseDNSForward {
+	if verboseDNSForward() {
 		f.logf("forwarder.send(%q) ...", rr.name.Addr)
 		defer func() {
 			f.logf("forwarder.send(%q) = %v, %v", rr.name.Addr, len(ret), err)
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -141,7 +141,7 @@ func (r *Resolver) ttl() time.Duration {
 	return 10 * time.Minute
 }

-var debug = envknob.Bool("TS_DEBUG_DNS_CACHE")
+var debug = envknob.RegisterBool("TS_DEBUG_DNS_CACHE")

 // LookupIP returns the host's primary IP address (either IPv4 or
 // IPv6, but preferring IPv4) and optionally its IPv6 address, if
@@ -167,14 +167,14 @@ func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 netip.Addr
 	}
 	if ip, err := netip.ParseAddr(host); err == nil {
 		ip = ip.Unmap()
-		if debug {
+		if debug() {
 			log.Printf("dnscache: %q is an IP", host)
 		}
 		return ip, zaddr, []netip.Addr{ip}, nil
 	}

 	if ip, ip6, allIPs, ok := r.lookupIPCache(host); ok {
-		if debug {
+		if debug() {
 			log.Printf("dnscache: %q = %v (cached)", host, ip)
 		}
 		return ip, ip6, allIPs, nil
@@ -192,13 +192,13 @@ func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 netip.Addr
 		if res.Err != nil {
 			if r.UseLastGood {
 				if ip, ip6, allIPs, ok := r.lookupIPCacheExpired(host); ok {
-					if debug {
+					if debug() {
 						log.Printf("dnscache: %q using %v after error", host, ip)
 					}
 					return ip, ip6, allIPs, nil
 				}
 			}
-			if debug {
+			if debug() {
 				log.Printf("dnscache: error resolving %q: %v", host, res.Err)
 			}
 			return zaddr, zaddr, nil, res.Err
@@ -206,7 +206,7 @@ func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 netip.Addr
 		r := res.Val
 		return r.ip, r.ip6, r.allIPs, nil
 	case <-ctx.Done():
-		if debug {
+		if debug() {
 			log.Printf("dnscache: context done while resolving %q: %v", host, ctx.Err())
 		}
 		return zaddr, zaddr, nil, ctx.Err()
@@ -250,7 +250,7 @@ func (r *Resolver) lookupTimeoutForHost(host string) time.Duration {

 func (r *Resolver) lookupIP(host string) (ip, ip6 netip.Addr, allIPs []netip.Addr, err error) {
 	if ip, ip6, allIPs, ok := r.lookupIPCache(host); ok {
-		if debug {
+		if debug() {
 			log.Printf("dnscache: %q found in cache as %v", host, ip)
 		}
 		return ip, ip6, allIPs, nil
@@ -300,13 +300,13 @@ func (r *Resolver) addIPCache(host string, ip, ip6 netip.Addr, allIPs []netip.Ad
 	if ip.IsPrivate() {
 		// Don't cache obviously wrong entries from captive portals.
 		// TODO: use DoH or DoT for the forwarding resolver?
-		if debug {
+		if debug() {
 			log.Printf("dnscache: %q resolved to private IP %v; using but not caching", host, ip)
 		}
 		return
 	}

-	if debug {
+	if debug() {
 		log.Printf("dnscache: %q resolved to IP %v; caching", host, ip)
 	}

@@ -382,7 +382,7 @@ func (d *dialer) DialContext(ctx context.Context, network, address string) (retC
 	}
 	i4s := v4addrs(allIPs)
 	if len(i4s) < 2 {
-		if debug {
+		if debug() {
 			log.Printf("dnscache: dialing %s, %s for %s", network, ip, address)
 		}
 		c, err := dc.dialOne(ctx, ip.Unmap())
@@ -406,7 +406,7 @@ func (d *dialer) shouldTryBootstrap(ctx context.Context, err error, dc *dialCall

 	// Can't try bootstrap DNS if we don't have a fallback function
 	if d.dnsCache.LookupIPFallback == nil {
-		if debug {
+		if debug() {
 			log.Printf("dnscache: not using bootstrap DNS: no fallback")
 		}
 		return false
@@ -415,7 +415,7 @@ func (d *dialer) shouldTryBootstrap(ctx context.Context, err error, dc *dialCall
 	// We can't retry if the context is canceled, since any further
 	// operations with this context will fail.
 	if ctxErr := ctx.Err(); ctxErr != nil {
-		if debug {
+		if debug() {
 			log.Printf("dnscache: not using bootstrap DNS: context error: %v", ctxErr)
 		}
 		return false
@@ -423,7 +423,7 @@ func (d *dialer) shouldTryBootstrap(ctx context.Context, err error, dc *dialCall

 	wasTrustworthy := dc.dnsWasTrustworthy()
 	if wasTrustworthy {
-		if debug {
+		if debug() {
 			log.Printf("dnscache: not using bootstrap DNS: DNS was trustworthy")
 		}
 		return false
--- a/net/dnscache/dnscache_test.go
+++ b/net/dnscache/dnscache_test.go
@@ -167,10 +167,8 @@ func TestInterleaveSlices(t *testing.T) {

 func TestShouldTryBootstrap(t *testing.T) {
 	oldDebug := debug
-	t.Cleanup(func() {
-		debug = oldDebug
-	})
-	debug = true
+	t.Cleanup(func() { debug = oldDebug })
+	debug = func() bool { return true }

 	type step struct {
 		ip  netip.Addr // IP we pretended to dial
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -43,7 +43,7 @@ import (

 // Debugging and experimentation tweakables.
 var (
-	debugNetcheck = envknob.Bool("TS_DEBUG_NETCHECK")
+	debugNetcheck = envknob.RegisterBool("TS_DEBUG_NETCHECK")
 )

 // The various default timeouts for things.
@@ -210,7 +210,7 @@ func (c *Client) logf(format string, a ...any) {
 }

 func (c *Client) vlogf(format string, a ...any) {
-	if c.Verbose || debugNetcheck {
+	if c.Verbose || debugNetcheck() {
 		c.logf(format, a...)
 	}
 }
--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@@ -63,12 +63,12 @@ func socketMarkWorks() bool {
 	return true
 }

-var forceBindToDevice = envknob.Bool("TS_FORCE_LINUX_BIND_TO_DEVICE")
+var forceBindToDevice = envknob.RegisterBool("TS_FORCE_LINUX_BIND_TO_DEVICE")

 // UseSocketMark reports whether SO_MARK is in use.
 // If it doesn't, we have to use SO_BINDTODEVICE on our sockets instead.
 func UseSocketMark() bool {
-	if forceBindToDevice {
+	if forceBindToDevice() {
 		return false
 	}
 	socketMarkWorksOnce.Do(func() {
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@@ -32,7 +32,7 @@ var counterFallbackOK int32 // atomic
 // See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
 var sslKeyLogFile = os.Getenv("SSLKEYLOGFILE")

-var debug = envknob.Bool("TS_DEBUG_TLS_DIAL")
+var debug = envknob.RegisterBool("TS_DEBUG_TLS_DIAL")

 // Config returns a tls.Config for connecting to a server.
 // If base is non-nil, it's cloned as the base config before
@@ -77,7 +77,7 @@ func Config(host string, base *tls.Config) *tls.Config {
 			opts.Intermediates.AddCert(cert)
 		}
 		_, errSys := cs.PeerCertificates[0].Verify(opts)
-		if debug {
+		if debug() {
 			log.Printf("tlsdial(sys %q): %v", host, errSys)
 		}
 		if errSys == nil {
@@ -88,7 +88,7 @@ func Config(host string, base *tls.Config) *tls.Config {
 		// or broken, fall back to trying LetsEncrypt at least.
 		opts.Roots = bakedInRoots()
 		_, err := cs.PeerCertificates[0].Verify(opts)
-		if debug {
+		if debug() {
 			log.Printf("tlsdial(bake %q): %v", host, err)
 		}
 		if err == nil {
@@ -142,7 +142,7 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 			opts.Intermediates.AddCert(cert)
 		}
 		_, errSys := certs[0].Verify(opts)
-		if debug {
+		if debug() {
 			log.Printf("tlsdial(sys %q/%q): %v", c.ServerName, certDNSName, errSys)
 		}
 		if errSys == nil {
@@ -150,7 +150,7 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 		}
 		opts.Roots = bakedInRoots()
 		_, err := certs[0].Verify(opts)
-		if debug {
+		if debug() {
 			log.Printf("tlsdial(bake %q/%q): %v", c.ServerName, certDNSName, err)
 		}
 		if err == nil {
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -20,14 +20,6 @@ import (
 	"tailscale.com/types/logger"
 )

-var tunMTU = DefaultMTU
-
-func init() {
-	if mtu, ok := envknob.LookupInt("TS_DEBUG_MTU"); ok {
-		tunMTU = mtu
-	}
-}
-
 // createTAP is non-nil on Linux.
 var createTAP func(tapName, bridgeName string) (tun.Device, error)

@@ -52,6 +44,10 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 		}
 		dev, err = createTAP(tapName, bridgeName)
 	} else {
+		tunMTU := DefaultMTU
+		if mtu, ok := envknob.LookupInt("TS_DEBUG_MTU"); ok {
+			tunMTU = mtu
+		}
 		dev, err = tun.CreateTUN(tunName, tunMTU)
 	}
 	if err != nil {