From fbc6a9ec5a797d9a551e74a90bc96947825b7719 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Thu, 10 Jul 2025 11:14:08 -0700
Subject: [PATCH] all: detect JetKVM and specialize a handful of things for it

Updates #16524

Change-Id: I183428de8c65d7155d82979d2d33f031c22e3331
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 cmd/tailscaled/tailscaled.go    | 15 +++++++--------
 logpolicy/logpolicy.go          |  3 +++
 net/dns/manager_linux.go        |  5 +++++
 net/tstun/tun.go                | 20 +++++++++++++++++++-
 net/tstun/tun_linux.go          | 10 +++++++++-
 paths/paths.go                  | 32 ++++++++++++++++++++++++++++++++
 paths/paths_unix.go             |  3 +++
 util/linuxfw/detector.go        |  5 +++++
 util/linuxfw/iptables_runner.go |  5 +++--
 version/distro/distro.go        |  3 +++
 10 files changed, 89 insertions(+), 12 deletions(-)

diff --git a/cmd/tailscaled/tailscaled.go b/cmd/tailscaled/tailscaled.go
index 3987b0c26..ab1590132 100644
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -257,14 +257,13 @@ func main() {
 	// Only apply a default statepath when neither have been provided, so that a
 	// user may specify only --statedir if they wish.
 	if args.statepath == "" && args.statedir == "" {
-		if runtime.GOOS == "plan9" {
-			home, err := os.UserHomeDir()
-			if err != nil {
-				log.Fatalf("failed to get home directory: %v", err)
-			}
-			args.statedir = filepath.Join(home, "tailscale-state")
-			if err := os.MkdirAll(args.statedir, 0700); err != nil {
-				log.Fatalf("failed to create state directory: %v", err)
+		if paths.MakeAutomaticStateDir() {
+			d := paths.DefaultTailscaledStateDir()
+			if d != "" {
+				args.statedir = d
+				if err := os.MkdirAll(d, 0700); err != nil {
+					log.Fatalf("failed to create state directory: %v", err)
+				}
 			}
 		} else {
 			args.statepath = paths.DefaultTailscaledStateFile()
diff --git a/logpolicy/logpolicy.go b/logpolicy/logpolicy.go
index b84528d7b..f5c475712 100644
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -224,6 +224,9 @@ func LogsDir(logf logger.Logf) string {
 		logf("logpolicy: using LocalAppData dir %v", dir)
 		return dir
 	case "linux":
+		if distro.Get() == distro.JetKVM {
+			return "/userdata/tailscale/var"
+		}
 		// STATE_DIRECTORY is set by systemd 240+ but we support older
 		// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
 		systemdStateDir := os.Getenv("STATE_DIRECTORY")
diff --git a/net/dns/manager_linux.go b/net/dns/manager_linux.go
index 6bd368f50..643cc280a 100644
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -22,6 +22,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/cmpver"
+	"tailscale.com/version/distro"
 )
 
 type kv struct {
@@ -38,6 +39,10 @@ var publishOnce sync.Once
 //
 // The health tracker may be nil; the knobs may be nil and are ignored on this platform.
 func NewOSConfigurator(logf logger.Logf, health *health.Tracker, _ *controlknobs.Knobs, interfaceName string) (ret OSConfigurator, err error) {
+	if distro.Get() == distro.JetKVM {
+		return NewNoopManager()
+	}
+
 	env := newOSConfigEnv{
 		fs:                directFS{},
 		dbusPing:          dbusPing,
diff --git a/net/tstun/tun.go b/net/tstun/tun.go
index 88679daa2..bfdaddf58 100644
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -24,6 +24,9 @@ import (
 // CrateTAP is the hook set by feature/tap.
 var CreateTAP feature.Hook[func(logf logger.Logf, tapName, bridgeName string) (tun.Device, error)]
 
+// modprobeTunHook is a Linux-specific hook to run "/sbin/modprobe tun".
+var modprobeTunHook feature.Hook[func() error]
+
 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
@@ -51,7 +54,22 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 		if runtime.GOOS == "plan9" {
 			cleanUpPlan9Interfaces()
 		}
-		dev, err = tun.CreateTUN(tunName, int(DefaultTUNMTU()))
+		// Try to create the TUN device up to two times. If it fails
+		// the first time and we're on Linux, try a desperate
+		// "modprobe tun" to load the tun module and try again.
+		for try := range 2 {
+			dev, err = tun.CreateTUN(tunName, int(DefaultTUNMTU()))
+			if err == nil || !modprobeTunHook.IsSet() {
+				if try > 0 {
+					logf("created TUN device %q after doing `modprobe tun`", tunName)
+				}
+				break
+			}
+			if modprobeTunHook.Get()() != nil {
+				// modprobe failed; no point trying again.
+				break
+			}
+		}
 	}
 	if err != nil {
 		return nil, "", err
diff --git a/net/tstun/tun_linux.go b/net/tstun/tun_linux.go
index 9600ceb77..05cf58c17 100644
--- a/net/tstun/tun_linux.go
+++ b/net/tstun/tun_linux.go
@@ -17,6 +17,14 @@ import (
 
 func init() {
 	tunDiagnoseFailure = diagnoseLinuxTUNFailure
+	modprobeTunHook.Set(func() error {
+		_, err := modprobeTun()
+		return err
+	})
+}
+
+func modprobeTun() ([]byte, error) {
+	return exec.Command("/sbin/modprobe", "tun").CombinedOutput()
 }
 
 func diagnoseLinuxTUNFailure(tunName string, logf logger.Logf, createErr error) {
@@ -36,7 +44,7 @@ func diagnoseLinuxTUNFailure(tunName string, logf logger.Logf, createErr error)
 	kernel := utsReleaseField(&un)
 	logf("Linux kernel version: %s", kernel)
 
-	modprobeOut, err := exec.Command("/sbin/modprobe", "tun").CombinedOutput()
+	modprobeOut, err := modprobeTun()
 	if err == nil {
 		logf("'modprobe tun' successful")
 		// Either tun is currently loaded, or it's statically
diff --git a/paths/paths.go b/paths/paths.go
index 28c3be02a..6c9c3fa6c 100644
--- a/paths/paths.go
+++ b/paths/paths.go
@@ -6,6 +6,7 @@
 package paths
 
 import (
+	"log"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -70,6 +71,37 @@ func DefaultTailscaledStateFile() string {
 	return ""
 }
 
+// DefaultTailscaledStateDir returns the default state directory
+// to use for tailscaled, for use when the user provided neither
+// a state directory or state file path to use.
+//
+// It returns the empty string if there's no reasonable default.
+func DefaultTailscaledStateDir() string {
+	if runtime.GOOS == "plan9" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			log.Fatalf("failed to get home directory: %v", err)
+		}
+		return filepath.Join(home, "tailscale-state")
+	}
+	return filepath.Dir(DefaultTailscaledStateFile())
+}
+
+// MakeAutomaticStateDir reports whether the platform
+// automatically creates the state directory for tailscaled
+// when it's absent.
+func MakeAutomaticStateDir() bool {
+	switch runtime.GOOS {
+	case "plan9":
+		return true
+	case "linux":
+		if distro.Get() == distro.JetKVM {
+			return true
+		}
+	}
+	return false
+}
+
 // MkStateDir ensures that dirPath, the daemon's configuration directory
 // containing machine keys etc, both exists and has the correct permissions.
 // We want it to only be accessible to the user the daemon is running under.
diff --git a/paths/paths_unix.go b/paths/paths_unix.go
index 50a8b7ca5..d317921d5 100644
--- a/paths/paths_unix.go
+++ b/paths/paths_unix.go
@@ -21,6 +21,9 @@ func init() {
 }
 
 func statePath() string {
+	if runtime.GOOS == "linux" && distro.Get() == distro.JetKVM {
+		return "/userdata/tailscale/var/tailscaled.state"
+	}
 	switch runtime.GOOS {
 	case "linux", "illumos", "solaris":
 		return "/var/lib/tailscale/tailscaled.state"
diff --git a/util/linuxfw/detector.go b/util/linuxfw/detector.go
index f3ee4aa0b..fffa523af 100644
--- a/util/linuxfw/detector.go
+++ b/util/linuxfw/detector.go
@@ -23,6 +23,11 @@ func detectFirewallMode(logf logger.Logf, prefHint string) FirewallMode {
 		hostinfo.SetFirewallMode("nft-gokrazy")
 		return FirewallModeNfTables
 	}
+	if distro.Get() == distro.JetKVM {
+		// JetKVM doesn't have iptables.
+		hostinfo.SetFirewallMode("nft-jetkvm")
+		return FirewallModeNfTables
+	}
 
 	mode := envknob.String("TS_DEBUG_FIREWALL_MODE")
 	// If the envknob isn't set, fall back to the pref suggested by c2n or
diff --git a/util/linuxfw/iptables_runner.go b/util/linuxfw/iptables_runner.go
index 9a6fc0224..78844065a 100644
--- a/util/linuxfw/iptables_runner.go
+++ b/util/linuxfw/iptables_runner.go
@@ -688,8 +688,9 @@ func (i *iptablesRunner) DelMagicsockPortRule(port uint16, network string) error
 // IPTablesCleanUp removes all Tailscale added iptables rules.
 // Any errors that occur are logged to the provided logf.
 func IPTablesCleanUp(logf logger.Logf) {
-	if distro.Get() == distro.Gokrazy {
-		// Gokrazy uses nftables and doesn't have the "iptables" command.
+	switch distro.Get() {
+	case distro.Gokrazy, distro.JetKVM:
+		// These use nftables and don't have the "iptables" command.
 		// Avoid log spam on cleanup. (#12277)
 		return
 	}
diff --git a/version/distro/distro.go b/version/distro/distro.go
index f7997e1d9..dd5e0b21b 100644
--- a/version/distro/distro.go
+++ b/version/distro/distro.go
@@ -31,6 +31,7 @@ const (
 	Unraid    = Distro("unraid")
 	Alpine    = Distro("alpine")
 	UBNT      = Distro("ubnt") // Ubiquiti Networks
+	JetKVM    = Distro("jetkvm")
 )
 
 var distro lazy.SyncValue[Distro]
@@ -102,6 +103,8 @@ func linuxDistro() Distro {
 		return Unraid
 	case have("/etc/alpine-release"):
 		return Alpine
+	case haveDir("/userdata/jetkvm") && haveDir("/sys/kernel/config/usb_gadget/jetkvm"):
+		return JetKVM
 	}
 	return ""
 }