Commit Graph

4233 Commits

Author SHA1 Message Date
Brad Fitzpatrick
b3d268c5a1 control/controlclient: turn off Go's implicit compression
We don't use it anyway, so be explicit that we're not using it.

Change-Id: Iec953271ef0169a2e227811932f5b65b479624af
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-07 13:55:42 -08:00
Brad Fitzpatrick
df8f02db3f tsweb: add gzip support to JSONHandlerFunc
Change-Id: I337e05f92f744bfc7e9d6fb8e67c87c191ba4da8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-07 10:31:25 -08:00
Denton Gentry
16652ae52c installer.sh: accommodate linuxmint versioning.
Recent linuxmint releases now use VERSION_CODENAME for
a linuxmint release (like "uma") and set UBUNTU_CODENAME to
the Ubuntu release they branched from.

Tested in a linuxmint 20.2 VM.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-02-07 07:06:00 -08:00
Sonia Appasamy
aaba49ca10
api.md: add docs for device tags and keys endpoints
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2022-02-04 16:20:46 -05:00
Maisem Ali
e64cecac8e chirp: remove regex dependency
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-02-03 11:24:17 -08:00
Brad Fitzpatrick
2a67beaacf net/interfaces: bound Linux /proc/net/route parsing
tailscaled was using 100% CPU on a machine with ~1M lines, 100MB+
of /proc/net/route data.

Two problems: in likelyHomeRouterIPLinux, we didn't stop reading the
file once we found the default route (which is on the first non-header
line when present). Which meant it was finding the answer and then
parsing 100MB over 1M lines unnecessarily. Second was that if the
default route isn't present, it'd read to the end of the file looking
for it. If it's not in the first 1,000 lines, it ain't coming, or at
least isn't worth having. (it's only used for discovering a potential
UPnP/PMP/PCP server, which is very unlikely to be present in the
environment of a machine with a ton of routes)

Change-Id: I2c4a291ab7f26aedc13885d79237b8f05c2fd8e4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-03 09:31:25 -08:00
Brad Fitzpatrick
0626cf4183 util/winutil: fix build
It was broken on Windows:

Error: util\winutil\winutil_windows.go:15:7: regBase redeclared in this block
Error:                                       D:\a\tailscale\tailscale\util\winutil\winutil_notwindows.go:7:17: previous declaration
Error: util\winutil\winutil_windows.go:29:6: getRegString redeclared in this block
Error:                                       D:\a\tailscale\tailscale\util\winutil\winutil_notwindows.go:9:40: previous declaration
Error: util\winutil\winutil_windows.go:47:6: getRegInteger redeclared in this block
Error:                                       D:\a\tailscale\tailscale\util\winutil\winutil_notwindows.go:11:48: previous declaration
Error: util\winutil\winutil_windows.go:77:6: isSIDValidPrincipal redeclared in this block
Error:                                       D:\a\tailscale\tailscale\util\winutil\winutil_notwindows.go:13:38: previous declaration

Change-Id: Ib1ce4b647f5711547840c736b933a6c42bf09583
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-02 16:45:29 -08:00
Aaron Klotz
d7962e3bcf ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals.
Our current workaround made the user check too lax, thus allowing deleted
users. This patch adds a helper function to winutil that checks that the
uid's SID represents a valid Windows security principal.

Now if `lookupUserFromID` determines that the SID is invalid, we simply
propagate the error.

Updates https://github.com/tailscale/tailscale/issues/869

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-02-02 15:01:28 -07:00
Brad Fitzpatrick
6eed2811b2 wgengine/netstack: start supporting different SSH users
Updates #3802

Change-Id: I44de6897e36b1362cd74c9b10c9cbfeb9abc3dbc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-02 13:58:31 -08:00
Maisem Ali
e3dccfd7ff chirp: handle multiline responses from BIRD
Also add tests to verify the parsing logic.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-02-02 13:48:07 -08:00
Brad Fitzpatrick
fa612c28cf cmd/derper: make --stun default to on, flesh out flag docs
Change-Id: I49e80c61ab19e78e4c8b4bc9012bb70cfe3bfa75
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-31 17:42:45 -08:00
Aaron Bieber
e5cd765e00 net/dns/resolvd: properly handle not having "search" entries
This prevents adding an empty "search" line when no search domains are set.

Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>
2022-01-31 15:11:28 -08:00
Brad Fitzpatrick
bd90781b34 ipn/ipnlocal, wgengine/netstack: use netstack for peerapi server
We're finding a bunch of host operating systems/firewalls interact poorly
with peerapi. We either get ICMP errors from the host or users need to run
commands to allow the peerapi port:

https://github.com/tailscale/tailscale/issues/3842#issuecomment-1025133727

... even though the peerapi should be an internal implementation detail.

Rather than fight the host OS & firewalls, this change handles the
server side of peerapi entirely in netstack (except on iOS), so it
never makes its way to the host OS where it might be messed with. Two
main downsides are:

1) netstack isn't as fast, but we don't really need speed for peerapi.
   And actually, with fewer trips to/from the kernel, we might
   actually make up for some of the netstack performance loss by
   staying in userspace.

2) tcpdump / Wireshark etc packet captures will no longer see the peerapi
   traffic. Oh well. Crawshaw's been wanting to add packet capture server
   support to tailscaled, so we'll probably do that sooner now.

A future change might also then use peerapi for the client-side
(except on iOS).

Updates #3842 (probably fixes, as well as many exit node issues I bet)

Change-Id: Ibc25edbb895dc083d1f07bd3cab614134705aa39
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-31 14:20:08 -08:00
Josh Bleecher Snyder
e45d51b060 logtail: add a few new methods to PublicID
These are for use in our internal systems.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-01-31 14:14:10 -08:00
Brad Fitzpatrick
730aa1c89c derp/derphttp, wgengine/magicsock: prefer IPv6 to DERPs when IPv6 works
Fixes #3838

Change-Id: Ie47a2a30c7e8e431512824798d2355006d72fb6a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-29 15:55:54 -08:00
David Anderson
f5ec916214 cmd/derper: disable TLS 1.0 and 1.1.
Updates tailscale/corp#3568

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-28 01:13:30 +00:00
Brad Fitzpatrick
69392411d9 .github/workflows: add some iOS CI coverage
Updates #3812

Change-Id: Ia779c6a2e9a0fd02418bf5479fdb76d4c80c55a4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-27 15:57:49 -08:00
Brad Fitzpatrick
02bdc654d5 cmd/tailscale: fix up --reset, again
Also fix a somewhat related printing bug in the process where
some paths would print "Success." inconsistently even
when there otherwise was no output (in the EditPrefs path)

Fixes #3830
Updates #3702 (which broke it once while trying to fix it)

Change-Id: Ic51e14526ad75be61ba00084670aa6a98221daa5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-27 15:54:33 -08:00
Brad Fitzpatrick
70d71ba1e7 cmd/derpprobe: check derper TLS certs too
Change-Id: If8c48e012b294570ebbb1a46bacdc58fafbfbcc5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-27 10:09:04 -08:00
Brad Fitzpatrick
1af26222b6 go.mod: bump netstack, switch to upstream netstack
Now that Go 1.17 has module graph pruning
(https://go.dev/doc/go1.17#go-command), we should be able to use
upstream netstack without breaking our private repo's build
that then depends on the tailscale.com Go module.

This is that experiment.

Updates #1518 (the original bug to break out netstack to own module)
Updates #2642 (this updates netstack, but doesn't remove workaround)

Change-Id: I27a252c74a517053462e5250db09f379de8ac8ff
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-26 11:30:03 -08:00
Brad Fitzpatrick
857cd6c0d7 ipn/ipnstate: add TailnetName to status
RELNOTE=tailscale status --json | jq .TailnetName

Fixes tailscale/corp#3665

Change-Id: I85de027ba2781eb31ee1e0c5ab913b0dfa5b4c86
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-26 10:08:39 -08:00
Xe Iaso
ae525a7394
scripts/installer: add Centos Stream 9 support (#3818)
Blocked on package server support being deployed

Signed-off-by: Xe <xe@tailscale.com>
2022-01-26 10:49:32 -05:00
David Anderson
7a18fe3dca wgengine/magicsock: make debugUseDerpRoute an opt.Bool.
Can still be constant, just needs the extra methods.

Fixes #3812

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-25 17:25:08 -08:00
David Anderson
c2059d5b8a words: fallout from mudpuppy-gate.
Salamanders also have no scales. I checked the interweb, and there
doesn't seem to be any subspecies that would let us claim that
*some* salamanders are scaley.

But they are tailey, for sure.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-26 01:05:49 +00:00
Brad Fitzpatrick
ca774c3249 ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert access
So you can run Caddy etc as a non-root user and let it have access to
get certs.

Updates caddyserver/caddy#4541

Change-Id: Iecc5922274530e2b00ba107d4b536580f374109b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-25 12:12:41 -08:00
David Anderson
508f332bb2 cmd/derper: export TLS vars with derper_ prefix, not stun_
Updates tailscale/corp#3568

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-25 18:57:30 +00:00
davideger
f31546809f
cmd/tailscale: propagate tailscaled 403s as AccessDeniedErrors
So Linux/etc CLI users get helpful advice to run tailscale
with --operator=$USER when they try to 'tailscale file {cp,get}'
but are mysteriously forbidden.

Signed-off-by: David Eger <eger@google.com>
Signed-off-by: David Eger <david.eger@gmail.com>
2022-01-25 09:58:21 -08:00
Brad Fitzpatrick
f3c0023add wgengine/netstack: add an SSH server experiment
Disabled by default.

To use, run tailscaled with:

    TS_SSH_ALLOW_LOGIN=you@bar.com

And enable with:

    $ TAILSCALE_USE_WIP_CODE=true tailscale up --ssh=true

Then ssh [any-user]@[your-tailscale-ip] for a root bash shell.
(both the "root" and "bash" part are temporary)

Updates #3802

Change-Id: I268f8c3c95c8eed5f3231d712a5dc89615a406f0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-24 19:14:13 -08:00
Brad Fitzpatrick
41fd4eab5c envknob: add new package for all the strconv.ParseBool(os.Getenv(..))
A new package can also later record/report which knobs are checked and
set. It also makes the code cleaner & easier to grep for env knobs.

Change-Id: Id8a123ab7539f1fadbd27e0cbeac79c2e4f09751
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-24 11:51:23 -08:00
Brad Fitzpatrick
6feb8f4c51 net/dns: log why resolved does not look like it's on use [Linux]
Updates #3742
Updates #3531

Change-Id: I9fc7fa0f4bcab1cf8001ba92408c660a5b25f105
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-24 09:14:53 -08:00
David Anderson
ff3442d92d cmd/derper: record TLS versions used for requests.
Surveying the fleet prior to turning off old/unused/insecure
TLS versions.

Updates tailscale/corp#3615

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-22 02:35:55 +00:00
Maisem Ali
0ada42684b Makefile: update make spk target to use the new go spk builder
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-01-21 12:27:00 -08:00
David Anderson
7ba874d7f1 words: correct inexcusable oversight re: mudpuppies.
Mudpuppies are salamanders, and as such have tails but no scales.
The management apologizes for the error.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-20 21:12:09 +00:00
Brad Fitzpatrick
92dfaf53bb cmd/tailscaled: include Go runtime metrics in /debug/metrics
Fixes #3772

Change-Id: I237ea23268664d99e83d27890146018b04474556
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-20 09:49:54 -08:00
Aaron Bieber
411c6c316c net/dns/resolvd: store nameservers
Currently only search domains are stored. This was an oversight
(under?) on my part.

As things are now, when MagicDNS is on and "Override local DNS" is
off, the dns forwarder has to timeout before names resolve. This
introduces a pretty annoying lang that makes everything feel
extremely slow. You will also see an error: "upstream nameservers
not set".

I tested with "Override local DNS" on and off. In both situations
things seem to function as expected (and quickly).

Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>
2022-01-19 21:17:31 -08:00
Brad Fitzpatrick
c64af5e676 wgengine/netstack: clear TCP ECN bits before giving to gvisor
Updates #2642

Change-Id: Ic219442a2656dd9dc99ae1dd91e907fd3d924987
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19 20:09:24 -08:00
Josh Bleecher Snyder
de4696da10 wgengine/magicsock: fix deadlock on shutdown
This fixes a deadlock on shutdown.
One goroutine is waiting to send on c.derpRecvCh before unlocking c.mu.
The other goroutine is waiting to lock c.mu before receiving from c.derpRecvCh.

#3736 has a more detailed explanation of the sequence of events.

Fixes #3736

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-01-19 14:39:28 -08:00
Brad Fitzpatrick
390490e7b1 net/packet: fix typo in comment
Change-Id: Ia666609fde18db44bf38d4e656f490fc372ac3b6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19 12:59:13 -08:00
Joe Tsai
3e50a265be
go.toolchain.rev: pick up new bufio.Writer API for Go1.18 (#3768)
25fe91a25c

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-01-19 12:40:56 -08:00
Brad Fitzpatrick
185825df11 wgengine/netstack: add a missing refcount decrement after packet injection
Fixes #3762
Updates #3745 (probably fixes?)

Change-Id: I1d3f0590fd5b8adfbc9110bc45ff717bb9e79aae
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19 12:28:43 -08:00
Brad Fitzpatrick
790e41645b wgengine/netstack: add an Impl.Close method for tests
Change-Id: Idbb3fd6d749d3e4effdf96de77a1106584822fef
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-19 12:28:43 -08:00
Brad Fitzpatrick
166fe3fb12 wgengine/netstack: add missing error logging in a RST case
Updates #2642

Change-Id: I9f2f8fd28fc980208b0739eb9caf9db7b0977c09
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-18 14:15:32 -08:00
Brad Fitzpatrick
6be48dfcc6 wgengine/netstack: fix netstack ping timeout on darwin
-W is milliseconds on darwin, not seconds, and empirically it's
milliseconds after a 1 second base.

Change-Id: I2520619e6699d9c505d9645ce4dfee4973555227
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-18 08:00:30 -08:00
David Anderson
96f008cf87 control/controlhttp: package to get a controlbase.Conn over HTTP(S).
Updates #3488

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-17 23:52:27 +00:00
David Anderson
d5a7eabcd0 control/controlbase: enable asynchronous client handshaking.
With this change, the client can obtain the initial handshake message
separately from the rest of the handshake, for embedding into another
protocol. This enables things like RTT reduction by stuffing the
handshake initiation message into an HTTP header.

Similarly, the server API optionally accepts a pre-read Noise initiation
message, in addition to reading the message directly off a net.Conn.

Updates #3488

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-17 23:52:27 +00:00
David Anderson
6cd180746f control/controlbase: rename from control/noise.
Updates #3488

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-17 23:52:27 +00:00
Jay Stapleton
02461ea459 Update installer.sh 2022-01-17 11:37:05 -05:00
Josh Bleecher Snyder
8cf1af8a07 tstime/rate: deflake TestLongRunningQPS
This test set the bar too high.
Just a couple of missed timers was enough to fail.
Change the test to more of a sanity check.
While we're here, run it for just 1s instead of 5s.

Prior to this change, on a 13" M1 MPB, with

stress -p 512 ./rate.test -test.run=QPS

I saw 90%+ failures.

After this change, I'm at 30k runs with no failures yet.

Fixes #3733

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-01-13 16:48:29 -08:00
David Anderson
463b3e8f62 net/dnscache: use tls.Conn.HandshakeContext.
Go 1.17 added a HandshakeContext func to take care of timeouts during
TLS handshaking, so switch from our homegrown goroutine implementation
to the standard way.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-13 23:01:29 +00:00
David Anderson
a9da6b73a8 net/dnscache: don't cancel the TLS context before writing to the result channel.
Cancelling the context makes the timeout goroutine race with the write that
reports a successful TLS handshake, so you can end up with a successful TLS
handshake that mysteriously reports that it timed out after ~0s in flight.

The context is always canceled and cleaned up as the function exits, which
happens mere microseconds later, so just let function exit clean up and
thereby avoid races.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-13 23:01:29 +00:00