Commit Graph

5214 Commits

Author SHA1 Message Date
Tom DNetto
cca25f6107 tka: implement Chonk type & an in-memory implementation
Chonks are responsible for efficient storage of AUMs and other TKA state.

For testing/prototyping I've implemented an in-memory version, but once we
start to use this from tailscaled we'll need a file-based version.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-11 10:38:29 -07:00
Mihai Parparita
e37167b3ef ipn/localapi: add API for uploading client metrics
Clients may have platform-specific metrics they would like uploaded
(e.g. extracted from MetricKit on iOS). Add a new local API endpoint
that allows metrics to be updated by a simple name/value JSON-encoded
struct.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-07-11 09:51:09 -07:00
Xe Iaso
d6b8a18b09
cmd/proxy-to-grafana: use localClient.GetCertificate (#5024)
Closes #5023

Signed-off-by: Xe <xe@tailscale.com>
2022-07-08 14:33:14 -04:00
Xe Iaso
5bb44a4a5c
cmd/gitops-pusher: correctly handle ACL tests failing (#5016)
Apparently the API for running ACL tests returns a 200 if the ACL tests
fail. This is weird, but we can handle it.

Signed-off-by: Xe <xe@tailscale.com>
2022-07-08 10:53:50 -04:00
Andrew Dunham
c7993d2b88
net/dns/resolver: add fuzz/unit test for #2533 (#5018)
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2022-07-08 09:22:50 -04:00
Tom DNetto
3709074e55 tka: implement State and applying AUMs
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-07 11:25:26 -07:00
Tom DNetto
1cfd96cdc2 tka: implement AUM and Key types
This is the first in a series of PRs implementing the internals for the
Tailnet Key Authority. This PR implements the AUM and Key types, which
are used by pretty much everything else. Future PRs:

 - The State type & related machinery
 - The Tailchonk (storage) type & implementation
 - The Authority type and sync implementation

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-06 12:19:37 -07:00
Denton Gentry
e6572a0f08 install.sh: Add archarm and Raspbian Stretch
Fixes https://github.com/tailscale/tailscale/issues/4959
Fixes https://github.com/tailscale/tailscale/issues/4897

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-07-06 05:41:06 -07:00
Joe Tsai
fe3426b4c7
logpolicy: fix config initialization bug (#5010)
If ConfigFromFile cannot find the configuration file,
we must not initialize it with NewConfig.
Instead, we need it to fail validation so that it eventually writes
a newly constructed configuration file.
Otherwise, new tailscale instances will never be able store a persistent
log config and start with a new config file upon every bootup.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-07-05 18:27:31 -07:00
Tom DNetto
d6817d0f22 net/dns/resolver: respond with SERVFAIL if all upstreams fail
Fixes #4722

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-05 10:22:52 -07:00
Brad Fitzpatrick
c93fd0d22b go.mod: bump wireguard-go to set CLOEXEC on tun/netlink fds
To get:
c31a7b1ab4

Diff:
95b48cdb39..c31a7b1ab4

Fixes #4992

Change-Id: I077586fefcde923a2721712dd54548f97d010f72
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-03 17:11:49 -07:00
Craig Rodrigues
9584d8aa7d docs/k8s: Add env vars for tailscaled args
- TS_SOCKS5_SERVER, argument passed to tailscaled --socks5-server
- TS_OUTBOUND_HTTP_PROXY_LISTEN, argument passed to tailscaled -outbound-http-proxy-listen
- TS_TAILSCALED_EXTRA_ARGS extra arguments passed to tailscaled

Fixes #4985

Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>
2022-07-01 14:45:51 -07:00
Jake Edgington
ea6e9099b9 fix: typo rename, ROUTES -> TS_ROUTES
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-30 20:23:37 -07:00
Jake Edgington
72b7edbba9 fix: typo rename, KUBE_SECRET -> TS_KUBE_SECRET
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-30 20:23:37 -07:00
Brad Fitzpatrick
6b71568eb7 util/cloudenv: add Azure support & DNS IPs
And rewrite cloud detection to try to do only zero or one metadata
discovery request for all clouds, only doing a first (or second) as
confidence increases. Work remains for Windows, but a start.

And add Cloud to tailcfg.Hostinfo, which helped with testing using
"tailcfg debug hostinfo".

Updates #4983 (Linux only)
Updates #4984

Change-Id: Ib03337089122ce0cb38c34f724ba4b4812bc614e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-30 17:03:46 -07:00
Mihai Parparita
ec649e707f ipn/ipnlocal: prefer to use one CGNAT route on the Mac
Together with 06aa141632 this minimizes
the number of NEPacketTunnelNetworkSettings updates that we have to do,
and thus avoids Chrome interrupting outstanding requests due to
(perceived) network changes.

Updates #3102

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-30 13:18:52 -07:00
Aaron Bieber
3f4fd64311 cmd/tailscale: exit loop when timeout and pingArgs.num are met
Currently if you use '-c' and ping a host that times out, ping will
continue running indefinitely. This change exits the loop with "no
reply" when we time out, hit the value specified by '-c' and do not
have anyPong. If we have anyPong it returns nil.

Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>
2022-06-30 11:52:56 -07:00
Brad Fitzpatrick
aa37aece9c ipn/ipnlocal, net/dns*, util/cloudenv: add AWS DNS support
And remove the GCP special-casing from ipn/ipnlocal; do it only in the
forwarder for *.internal.

Fixes #4980
Fixes #4981

Change-Id: I5c481e96d91f3d51d274a80fbd37c38f16dfa5cb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-29 20:37:44 -07:00
Brad Fitzpatrick
88c2afd1e3 ipn/ipnlocal, net/dns*, util/cloudenv: specialize DNS config on Google Cloud
This does three things:

* If you're on GCP, it adds a *.internal DNS split route to the
  metadata server, so we never break GCP DNS names. This lets people
  have some Tailscale nodes on GCP and some not (e.g. laptops at home)
  without having to add a Tailnet-wide *.internal DNS route.
  If you already have such a route, though, it won't overwrite it.

* If the 100.100.100.100 DNS forwarder has nowhere to forward to,
  it forwards it to the GCP metadata IP, which forwards to 8.8.8.8.
  This means there are never errNoUpstreams ("upstream nameservers not set")
  errors on GCP due to e.g. mangled /etc/resolv.conf (GCP default VMs
  don't have systemd-resolved, so it's likely a DNS supremacy fight)

* makes the DNS fallback mechanism use the GCP metadata IP as a
  fallback before our hosted HTTP-based fallbacks

I created a default GCP VM from their web wizard. It has no
systemd-resolved.

I then made its /etc/resolv.conf be empty and deleted its GCP
hostnames in /etc/hosts.

I then logged in to a tailnet with no global DNS settings.

With this, tailscaled writes /etc/resolv.conf (direct mode, as no
systemd-resolved) and sets it to 100.100.100.100, which then has
regular DNS via the metadata IP and *.internal DNS via the metadata IP
as well. If the tailnet configures explicit DNS servers, those are used
instead, except for *.internal.

This also adds a new util/cloudenv package based on version/distro
where the cloud type is only detected once. We'll likely expand it in
the future for other clouds, doing variants of this change for other
popular cloud environments.

Fixes #4911

RELNOTES=Google Cloud DNS improvements

Change-Id: I19f3c2075983669b2b2c0f29a548da8de373c7cf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-29 17:39:13 -07:00
Mihai Parparita
6f58497647 .github/workflows: downgrade MinGW to work around windows-race failures
Updates #4926

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-29 14:27:57 -07:00
Maisem Ali
88133c361e Docker: add ALPINE.txt to manage alpine versions
The goal here is to

1. make it so that the number doesn't diverge between the various places
   we had it defined
2. not define the number in corp, only in oss

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-29 11:47:09 -07:00
Maisem Ali
cfa484e1a2 Dockerfile: bump alpine to 3.16
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-29 10:29:37 -07:00
Brad Fitzpatrick
ef351ac0dd Dockerfile: fix build
The Dockerfile directions said:

But that failed with:

Step 14/15 : FROM ghcr.io/tailscale/alpine-base:3.14
Head "https://ghcr.io/v2/tailscale/alpine-base/manifests/3.14": denied: denied

So I guess the Dockerfile.base part was undocumented. But it only had
one line anyway, so move it here to avoid the intermediate layer's
published permissions problem entirely.

Also optimize the cachability a bit while here.

Change-Id: I846ad59fe7e88e6126925689fae78bfb80c279f0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-29 08:18:01 -07:00
Mihai Parparita
06aa141632 wgengine/router: avoid unncessary routing configuration changes
The iOS and macOS networking extension API only exposes a single setter
for the entire routing and DNS configuration, and does not appear to
do any kind of diffing or deltas when applying changes. This results
in spurious "network changed" errors in Chrome, even when the
`OneCGNATRoute` flag from df9ce972c7 is
used (because we're setting the same configuration repeatedly).

Since we already keep track of the current routing and DNS configuration
in CallbackRouter, use that to detect if they're actually changing, and
only invoke the platform setter if it's actually necessary.

Updates #3102

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-28 16:59:37 -07:00
Brad Fitzpatrick
3b1f99ded1 ssh/tailssh: fix Tailscale SSH to Linux Arch machines
See https://github.com/tailscale/tailscale/issues/4924#issuecomment-1168201823

Arch uses a different login binary that makes the -h flag set the PAM
service to "remote". So if they don't have that configured, don't pass -h.

Thanks to @eddiezane for debugging!

Updates #4924

Change-Id: I8d33e0afb2dfb99517bcea2f9d5d0c6247519b3c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-28 15:35:51 -07:00
kylecarbs
9280d39678 wgengine/netstack: close ipstack when netstack.Impl is closed
Fixes netstack.Impl leaking goroutines after shutdown.

Signed-off-by: kylecarbs <kyle@carberry.com>
2022-06-28 14:59:29 -07:00
Denton Gentry
d7f452c0a1 net/portmapper: send discovery packet for IGD specifically.
There appear to be devices out there which send only their
first descriptor in response to a discovery packet for
`ssdp:all`, for example the Sagemcom FAST3890V3 only sends
urn:schemas-wifialliance-org:device:WFADevice:1

Send both ssdp:all and a discovery frame for
InternetGatewayDevice specifically.

Updates https://github.com/tailscale/tailscale/issues/3557

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Denton Gentry
09eaba91ad net/portmap: add a test for Sagemcom FAST3890V3.
Updates https://github.com/tailscale/tailscale/issues/3557

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Denton Gentry
b5553c6ad2 net/portmap: run go fmt
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Denton Gentry
de4c635e54 net/portmapper: make pcpCodeNotAuthorized log more descriptive
If PCP is present but disabled, turning it on might help
get direct connections.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Brad Fitzpatrick
3ac8ab1791 tsnet: add Server.AuthKey field
... so callers can provide the AuthKey via mechanisms other than
environment variables which means multiple Servers can't be started
concurrently in the same process without coordination.

Change-Id: I7736ef4f59b7cc29637939e140e990613ce58e0d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-27 21:57:57 -07:00
Jordan Whited
bef6e2831a
cmd/tailscale: move call to cli.CleanUpArgs() from main() into cli.Run() (#4954)
Not all distributions build from package main.

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2022-06-27 14:56:25 -07:00
Maisem Ali
40503ef07a ssh/tailssh: fix logging typo
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 13:23:09 -07:00
soypete
412c4c55e2 cmd/tailscale: make up respect explicitly empty --operator= value
Fixes #3808

Signed-off-by: soypete <miriah@tailscale.com>
2022-06-27 13:59:45 -06:00
Maisem Ali
c434e47f2d ssh/tailssh: always use current time for policy evaluation
Whenever the SSH policy changes we revaluate all open connections to
make sure they still have access. This check was using the wrong
timestamp and would match against expired policies, however this really
isn't a problem today as we don't have policy that would be impacted by
this check. Fixing it for future use.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 12:25:04 -07:00
Maisem Ali
a7d2024e35 ssh/tailssh: allow multiple sessions on the same conn
Fixes #4920
Fixes tailscale/corp#5633
Updates #4479

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 11:54:54 -07:00
mattn
1d04e01d1e
use C:\Windows\System32\OpenSSH\ssh.exe (#4933)
cmd/tailscale: make ssh command prefer Windows ssh.exe over PATH

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
2022-06-25 22:26:21 -07:00
Adam Eijdenberg
9294a14a37 ssh/tailssh: limit setgroups to 16 on macOS
Fixes #4938

Signed-off-by: Adam Eijdenberg <adam@continusec.com>
2022-06-25 22:17:53 -07:00
Adam Eijdenberg
7f807fef6c ssh/tailssh: fix /usr/bin/login args on macOS
Fixes #4931

Signed-off-by: Adam Eijdenberg <adam@continusec.com>
2022-06-25 22:17:53 -07:00
Brad Fitzpatrick
35782f891d util/deephash: add canMemHash func + typeInfo property
Currently unused. (breaking up a bigger change)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-25 13:09:30 -07:00
Brad Fitzpatrick
7b9a901489 util/deephash: add packet filter benchmark
(breaking up parts of another change)

This adds a PacketFilter hashing benchmark with an input that both
contains every possible field, but also is somewhat representative in
the shape of what real packet filters contain.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-25 12:55:15 -07:00
James Tucker
c88bd53b1b .github/workflows: windows-race: print gcc version
Signed-off-by: James Tucker <james@tailscale.com>
2022-06-24 15:30:36 -07:00
Maisem Ali
2d65c1a950 client/tailscale: update ACLRow and ACLTest with new ACL fields
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Co-authored-by: Will Norris <will@tailscale.com>
2022-06-24 12:20:08 -07:00
Aaron Klotz
4baf34cf25 net/dns: set appropriate Windows registry values to prevent it from sending DNS changes concerning our interface to AD domain controllers.
We do this unconditionally inside SetDNS such that the values are always set
before we make any other changes to DNS configurations.

It should not be harmful for the settings to remain even when other DNS
settings are cleared out (since they only affect our network interface).

See https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003 for details about the registry value.

Fixes https://github.com/tailscale/tailscale/issues/4829

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-06-24 11:41:33 -06:00
Aaron Klotz
8cdfd12977 net/dns: update Windows split DNS settings to work alongside other NRPT entries set by group policy.
When there are group policy entries for the NRPT that do not belong to Tailscale,
we recognize that we need to add ourselves to group policy and use that registry
key instead of the local one. We also refresh the group policy settings as
necessary to ensure that our changes take effect immediately.

Fixes https://github.com/tailscale/tailscale/issues/4607

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-06-23 15:42:22 -06:00
James Tucker
76256d22d8 wgengine/router: windows: set SkipAsSource on IPv6 LL addresses
Link-local addresses on the Tailscale interface are not routable.
Ideally they would be removed, however, a concern exists that the
operating system will attempt to re-add them which would lead to
thrashing.

Setting SkipAsSource attempts to avoid production of packets using the
address as a source in any default behaviors.

Before, in powershell: `ping (hostname)` would ping the link-local
address of the Tailscale interface, and fail.
After: `ping (hostname)` now pings the link-local address on the next
highest priority metric local interface.

Fixes #4647
Signed-off-by: James Tucker <james@tailscale.com>
2022-06-22 15:26:40 -07:00
Brad Fitzpatrick
8c5c87be26 util/deephash: fix collisions between different types
Updates #4883

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-21 22:29:04 -07:00
Tom DNetto
4f6fa3d63a shell.nix: use 1.18 from system nixpkgs
(Now that 22.05 / 22.11 are released and presumably everyone has updated).

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-06-21 15:36:39 -07:00
Xe Iaso
dee95d0894
cmd/gitops-pusher: add new GitOps assistant (#4893)
This is for an upcoming blogpost on how to manage Tailscale ACLs using a
GitOps flow. This tool is intended to be used in CI and will allow users
to have a git repository be the ultimate source of truth for their ACL
file. This enables ACL changes to be proposed, approved and discussed
before they are applied.

Signed-off-by: Xe <xe@tailscale.com>
2022-06-21 16:04:48 -04:00
Sofiane Hamlaoui
1007983159 Adding pkg for Freebsd installation
Signed-off-by: Sofiane Hamlaoui <s0fianehaml40u1@gmail.com>
2022-06-20 11:31:10 -07:00