Commit Graph

4999 Commits

Author SHA1 Message Date
David Anderson
c89875f416 cmd/containerboot: allow disabling secret storage in k8s.
In some configurations, user explicitly do not want to store
tailscale state in k8s secrets, because doing that leads to
some annoying permission issues with sidecar containers.
With this change, TS_KUBE_SECRET="" and TS_STATE_DIR=/foo
will force storage to file when running in kubernetes.

Fixes #6704.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit af3127711a)
2022-12-16 15:58:59 -08:00
Denton Gentry
331d553a5e
VERSION.txt: this is v1.34.1
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-12-13 10:57:03 -08:00
Brad Fitzpatrick
c1d23495bd
wgengine/magicsock: fix panic in wireguard-go rate limiting path
Fixes #6686

Change-Id: I1055a87141b07261afed8e36c963a69f3be26088
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit 44be59c15a)
2022-12-13 10:54:12 -08:00
Mihai Parparita
22ad72014f
wgengine/magicsock: fix panic when rebinding fails
We would replace the existing real implementation of nettype.PacketConn
with a blockForeverConn, but that violates the contract of atomic.Value
(where the type cannot change). Fix by switching to a pointer value
(atomic.Pointer[nettype.PacketConn]).

A longstanding issue, but became more prevalent when we started binding
connections to interfaces on macOS and iOS (#6566), which could lead to
the bind call failing if the interface was no longer available.

Fixes #6641

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
(cherry picked from commit bdc45b9066)
2022-12-13 05:24:59 -08:00
Andrew Dunham
84ecf773a4
wgengine/router: fix tests on systems with older Busybox 'ip' binary
Adjust the expected system output by removing the unsupported mask
component including and after the slash in expected output like:
  fwmask 0xabc/0xdef

This package's tests now pass in an Alpine container when the 'go' and
'iptables' packages are installed (and run as privileged so /dev/net/tun
exists).

Fixes #5928

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Id1a3896282bfa36b64afaec7a47205e63ad88542
(cherry picked from commit b63094431b)
2022-12-13 05:24:43 -08:00
shayne
394c275d7f
cmd/tailscale/cli: [ssh] fix typo in help text (#6694)
arugments => arguments

Signed-off-by: shayne <79330+shayne@users.noreply.github.com>
(cherry picked from commit 9d335aabb2)
2022-12-13 05:24:24 -08:00
Mihai Parparita
8a112e40f1
ipn/ipnlocal: add a few metrics for PeerAPI and LocalAPI
Mainly motivated by wanting to know how much Taildrop is used, but
also useful when tracking down how many invalid requests are
generated.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
(cherry picked from commit 47002d93a3)
2022-12-13 05:23:13 -08:00
James Tucker
8ed27fa75d
cmd/tailscale/cli: add workaround for improper named socket quoting in ssh command
This avoids the issue in the common case where the socket path is the
default path, avoiding the immediate need for a Windows shell quote
implementation.

Updates #6639

Signed-off-by: James Tucker <james@tailscale.com>
(cherry picked from commit 389238fe4a)
2022-12-12 15:49:50 -08:00
David Anderson
1e03baee59 cmd/containerboot: gracefully degrade if missing patch permissions in k8s.
Fixes #6629.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit 367228ef82)
2022-12-07 17:33:11 -08:00
David Anderson
77a3efaf2c cmd/containerboot: check that k8s secret permissions are correct.
Updates #6629.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit e36c27bcd1)
2022-12-07 17:33:11 -08:00
David Anderson
ae1ca4f887 cmd/containerboot: refactor tests to have more explicit phases.
In preparation for making startup more complex with IPN bus watches.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit e79a1eb24a)
2022-12-07 17:33:11 -08:00
David Anderson
cc440cc27c cmd/containerboot: split tailscaled bringup and auth phases.
In preparation for reworking auth to use IPN bus watch.

Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit e04aaa7575)
2022-12-07 17:33:11 -08:00
David Anderson
97e3919a83 cmd/containerboot: fix some lint.
Signed-off-by: David Anderson <danderson@tailscale.com>
(cherry picked from commit a469ec8ff6)
2022-12-07 17:33:11 -08:00
Anton Tolchanov
682abd94ba cmd/containerboot: fix TS_STATE_DIR environment variable
It's supposed to set `--statedir` rather than `--state` file.

Fixes #6634.

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
(cherry picked from commit 5ff946a9e6)
2022-12-07 17:33:11 -08:00
Denton Gentry
988801d5d9
VERSION.txt: this is v1.34.0
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-12-05 09:41:28 -08:00
Brad Fitzpatrick
964d723aba ipn/{ipnserver,localapi}: fix InUseOtherUser handling with WatchIPNBus
Updates tailscale/corp#8222

Change-Id: I2d6fa6514c7b8d0f89fded35a2d44e7df27e6fb1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-03 18:58:19 -08:00
Maisem Ali
86b6ff61e6 ipn/ipnlocal: fix Prefs access without mu being held
Noticed while working on a different fix.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-12-03 11:44:39 +05:00
Maisem Ali
cdb924f87b ipn/ipnlocal: sanitize prefs in more notify code paths
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-12-03 11:44:39 +05:00
Denton Gentry
7c4d017636 paths: set QNAP socket to /tmp.
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-12-02 22:07:42 -08:00
Brad Fitzpatrick
57124e2126 ipn/localapi: add debug (root-required) access to inject debug Notify
For testing of Windows GUI client.

Updates #6480

Change-Id: I42f7526d95723e14bed7085fb759e371b43aa9da
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-02 20:26:08 -08:00
Maisem Ali
96cad35870 cmd/tailscaled: rename variables to be more descriptive
renamed from `useNetstack` to `onlyNetstack` which is 1 letter more but
more descriptive because we always have netstack enabled and `useNetstack`
doesn't convey what it is supposed to be used for. e.g. we always use
netstack for Tailscale SSH.

Also renamed shouldWrapNetstack to handleSubnetsInNetstack as it was only used
to configure subnet routing via netstack.

Updates tailscale/corp#8020

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-12-03 03:11:13 +05:00
Mihai Parparita
a87e0b4ea8 ipn: update comments that refer to Options.Prefs
Things are slightly less tangled now that we've migrated prefs to the
backend (and renamed the field to LegacyMigrationPrefs).

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-12-02 11:55:54 -08:00
Brad Fitzpatrick
b9dd3fa534 paths, version/distro: detect Synology DSM version better, use for socket path
Resolves a TODO in the code noted while discussing QNAP defaults.

Tested on DSM6 and DSM7.

Change-Id: Icce03ff41fafd7b3a358cfee16f2ed13d5cc3c5d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-02 09:54:08 -08:00
Mihai Parparita
5b8323509f cmd/tailscale/cli: use "account" instead of "profile" in user-visible text
Matches the UI clients

Updates #713

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-12-02 09:01:44 -08:00
Anton Tolchanov
d6dbefaa91 api.md: lowercase ACL field names
Making this match https://tailscale.com/kb/1018/acls

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2022-12-02 13:17:59 +00:00
Anton Tolchanov
71c0e8d428 api.md: update documentation for the "set ACL" endpoint
This documents the `If-Match: ts-default` header that can be set to only
overwrite the default ACL contents, and also briefly mentions a few of
the new top-level ACL fields.

Updates tailscale/terraform-provider-tailscale#182

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2022-12-02 13:17:59 +00:00
Brad Fitzpatrick
e1d7d072a3 ipn/ipnlocal: set Notify.Version on initial Notifies
Missed when added recently in 8dd1418774

Change-Id: Id682640a54c3717afe084edaf69258ad23031b6c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-01 19:36:57 -08:00
Maya Kaczorowski
d5b4d2e276
cmd/tailscale/cli: improve tailnet lock help (#6583)
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>

Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2022-12-01 09:19:28 -08:00
Walter Poupore
74b47eaad6
cmd/tailscale/cli: Fix 'tailscale switch' error message (#6585)
Updates #713.

Signed-off-by: Walter Poupore <walterp@tailscale.com>

Signed-off-by: Walter Poupore <walterp@tailscale.com>
2022-12-01 08:17:16 -08:00
Maisem Ali
99aa335923 net/dns: [linux] log and add metric for dnsMode
I couldn't find any logs that indicated which mode it was running in so adding that.
Also added a gauge metric for dnsMode.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-12-01 19:57:08 +05:00
Maisem Ali
a5a3188b7e cmd/tailscale/cli: unhide login and switch subcommands
Updates #713

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-12-01 18:38:04 +05:00
Maya Kaczorowski
a1084047ce
cmd/tailscale/cli: capitalize Get (#6586)
Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>

Signed-off-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
2022-11-30 21:32:14 -08:00
Tom DNetto
74c1f632f6 types/key,cmd/tailscale/cli: support tlpub prefix for tailnet-lock keys
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-30 18:04:47 -08:00
Brad Fitzpatrick
8dd1418774 ipn{,/ipnlocal}: add ipn.NotifyInitial* flags to WatchIPNBus
To simplify clients getting the initial state when they subscribe.

Change-Id: I2490a5ab2411253717c74265a46a98012b80db82
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-30 17:50:51 -08:00
Brad Fitzpatrick
197a4f1ae8 types/ptr: move all the ptrTo funcs to one new package's ptr.To
Change-Id: Ia0b820ffe7aa72897515f19bd415204b6fe743c7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-30 17:50:51 -08:00
Brad Fitzpatrick
a277eb4dcf ipn/ipnlocal: add missing context cancel
If user's fn returned false and never canceled their ctx, we never
stopped the NotifyWatchEngineUpdates goroutine.

This was introduced recently (this cycle).

Change-Id: I3453966ac71e00727296ddd237ef845782f4e52e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-30 17:50:51 -08:00
Mihai Parparita
978d6af91a ipn/ipnlocal: tweak error handling in interfaces PeerAPI debug endpoint
We were writing the error when getting the default interface before
setting the content type, so we'd get HTML treated as plain text.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-11-30 17:47:37 -08:00
Brad Fitzpatrick
5bdca747b7 ipn/ipnlocal: fix netstack peerapi crash over IPv6
The peerapi IPv6 listener has a nil listener.
But we didn't need the listener's address anyway, so don't
try to use it.

Change-Id: I8e8a1a895046d129a3683973e732d9bed82f3b02
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-30 16:28:53 -08:00
Tom DNetto
f1ab11e961 ipn/ipnlocal,tailcfg: introduce capability to gate TKA init paths
Previously, `TAILSCALE_USE_WIP_CODE` was needed to hit a bunch of the TKA paths. With
this change:

 - Enablement codepaths (NetworkLockInit) and initialization codepaths (tkaBootstrapFromGenesisLocked via tkaSyncIfNeeded)
   require either the WIP envknob or CapabilityTailnetLockAlpha.
 - Normal operation codepaths (tkaSyncIfNeeded, tkaFilterNetmapLocked) require TKA to be initialized, or either-or the
   envknob / capability.
 - Auxillary commands (ie: changing tka keys) require TKA to be initialized.

The end result is that it shouldn't be possible to initialize TKA (or subsequently use any of its features) without being
sent the capability or setting the envknob on tailscaled yourself.

I've also pulled out a bunch of unnecessary checks for CanSupportNetworkLock().

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-30 13:50:22 -08:00
Tom DNetto
9a80b8fb10 cmd/tailscale,ipn: surface TKA-filtered peers in lock status command
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-30 13:25:31 -08:00
Tom DNetto
731be07777 cmd/tailscale/cli: show rotation key when suggesting lock sign command
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-30 13:25:21 -08:00
Andrew Dunham
a6dff4fb74 docs/webhooks: use subtle.ConstantTimeCompare for comparing signatures
Fixes #6572

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I58610c46e0ea1d3a878f91d154db3da4de9cae00
2022-11-30 11:58:25 -05:00
Brad Fitzpatrick
74744b0a4c ipn: be more consistent with omitempty on debug/rare Prefs
Change-Id: Ib0ec72f243cdb2aca8dd392644d4eed33c3f92e6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-30 04:33:27 -08:00
Brad Fitzpatrick
f710d1cb20 cmd/tailscale/cli: add set --unattended on Windows
Fixes #6567

Change-Id: I8cb57196c601466401f8602eb50456e7cf7c31ef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-30 04:33:03 -08:00
License Updater
d2a51f03ce licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-11-29 16:24:40 -08:00
Denton Gentry
a200a23f97 Revert "cmd/tailscale: access QNAP via localhost"
When running `tailscale web` as a standalone process,
it was necessary to send auth requests to QTS using
localhost to avoid hitting the proxy recursively.

However running `tailscale web` as a process means it is
consuming RAM all the time even when it isn't actively
doing anything.

After switching back to the `tailscale web` CGI mode, we
don't need to specifically use localhost for QNAP auth.

This reverts commit e0cadc5496.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-11-29 16:17:34 -08:00
Maisem Ali
82ad585b5b ipn/ipnlocal: account for ControlURL when merging profiles
We merge/dedupe profiles based on UserID and NodeID, however we were not accounting for ControlURLs.

Updates #713

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-11-30 04:39:06 +05:00
Maisem Ali
adc302f428 all: use named pipes on windows
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-11-30 04:05:26 +05:00
Tom DNetto
45042a76cd cmd/tailscale,ipn: store disallowed TKA's in prefs, lock local-disable
Take 2 of https://github.com/tailscale/tailscale/pull/6546

Builds on https://github.com/tailscale/tailscale/pull/6560

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-29 13:43:38 -08:00
Tom DNetto
c4980f33f7 ipn,types/persist: add DisallowedTKAStateIDs, refactor as view type
Supercedes https://github.com/tailscale/tailscale/pull/6557, precursor to trying https://github.com/tailscale/tailscale/pull/6546 again

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-29 12:29:42 -08:00