9073 Commits

Author SHA1 Message Date
Brad Fitzpatrick
49a7685af9 feature/taildrop: add integration test variant with profiles that exist
Updates #15970
Updates #15812
Updates tailscale/corp#28449

Change-Id: I52cf25f98636b0beac16275f46e58d0816963895
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-14 13:37:06 -05:00
Irbe Krumina
abe04bfa78
cmd/k8s-operator: warn if Tailscale Services use attempted for tailnet without the feature enabled (#15931)
Also renames VIPService -> Tailscale Service (including user facing messages)

Updates tailscale/corp#24795

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-05-14 18:25:08 +01:00
Mike O'Driscoll
fccba5a2f1
prober: fix test logic (#15952)
Catch failing tests that have no expected error string.

Updates #15912

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
2025-05-13 09:19:18 -04:00
Anton Tolchanov
65e005ccaa ipn/ipnlocal: attach Tailnet Lock status to bugreports
Fixes tailscale/corp#28524

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2025-05-13 11:34:43 +01:00
Nick Khyl
ffb1dda245 ipn/ipnlocal,wgengine: move (*tsdial.Dialer).SetRoutes() calls from LocalBackend to userspaceEngine
This avoids reconfiguring the dialer unless the router config has changed.

Updates #12027

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-12 20:51:08 -05:00
Simon Law
d303570ab7
docs/commit-messages.md: explain #cleanup commits (#15933)
Adapted from http://go/cleanup.

Fixes: #15932

Signed-off-by: Simon Law <sfllaw@tailscale.com>
2025-05-12 16:23:36 -07:00
Simon Law
7f4aaed1d5
cmd/derpprobe: exit with non-zero status if --once fails (#15926)
`cmd/derpprobe --once` didn’t respect the convention of non-zero exit
status for a failed run. It would always exit zero (i.e. success),
even. This patch fixes that, but only for `--once` mode.

Fixes: #15925

Signed-off-by: Simon Law <sfllaw@tailscale.com>
2025-05-12 12:53:55 -07:00
Aaron Klotz
13e91f4a2f docs/windows/policy: add OnboardingFlow policy to ADMX file
Fixes #15907

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2025-05-12 12:39:44 -06:00
Nick Khyl
fb188c5b53 net/dns,docs/windows/policy,util/syspolicy: register Tailscale IP addresses in AD DNS if required by policy
In this PR, we make DNS registration behavior configurable via the EnableDNSRegistration policy setting.
We keep the default behavior unchanged, but allow admins to either enforce DNS registration and dynamic
DNS updates for the Tailscale interface, or prevent Tailscale from modifying the settings configured in
the network adapter's properties or by other means.

Updates #14917

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-12 11:31:12 -05:00
Irbe Krumina
2c16fcaa06
util/linuxfw,wgengine/router: add new netfilter rules for HA ingresses (#15896)
Add new rules to update DNAT rules for Kubernetes operator's
HA ingress where it's expected that rules will be added/removed
frequently (so we don't want to keep old rules around or rewrite
existing rules unnecessarily):
- allow deleting DNAT rules using metadata lookup
- allow inserting DNAT rules if they don't already
exist (using metadata lookup)

Updates tailscale/tailscale#15895

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>
2025-05-12 17:26:23 +01:00
Jordan Whited
d6dd74fe0e
net/udprelay{/endpoint}: move ServerEndpoint tests (#15949)
Commit 0841477 moved ServerEndpoint to an independent package. Move its
tests over as well.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-05-12 09:25:59 -07:00
Mike O'Driscoll
b02de31563
prober: update cert check for prober (#15919)
OCSP has been removed from the LE certs.
Use CRL verification instead.

If a cert provides a CRL, check its revocation
status, if no CRL is provided and otherwise
is valid, pass the check.

Fixes #15912

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
Co-authored-by: Simon Law <sfllaw@tailscale.com>
2025-05-12 10:25:31 -04:00
Nick Khyl
b70c0c50fd ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.

Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.

As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.

While there, we also fix TestSSHAuthFlow not to use log.Printf.

Updates #15568
Updates #7707 (probably related)

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-10 10:44:11 -05:00
Nick Khyl
565ebbdeb8 ipn/ipnlocal: move nodeBackend methods from local.go to node_backend.go
We previously kept these methods in local.go when we started moving node-specific state
from LocalBackend to nodeBackend, to make those changes easier to review. But it's time
to move them to node_backend.go.

Updates #cleanup
Updates #12614

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 18:17:36 -05:00
Nick Khyl
f0a27066c4 ipn/ipn{server,test}: extract the LocalAPI test client and server into ipntest
In this PR, we extract the in-process LocalAPI client/server implementation from ipn/ipnserver/server_test.go
into a new ipntest package to be used in high‑level black‑box tests, such as those for the tailscale CLI.

Updates #15575

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 18:12:54 -05:00
Jordan Whited
0f4f808e70
wgengine/magicsock: re-shape relayManager to use an event loop (#15935)
The event loop removes the need for growing locking complexities and
synchronization. Now we simply use channels. The event loop only runs
while there is active work to do.

relayManager remains no-op inside magicsock for the time being.
endpoints are never 'relayCapable' and therefore endpoint & Conn will
not feed CallMeMaybeVia or allocation events into it.

A number of relayManager events remain unimplemented, e.g.
CallMeMaybeVia reception and relay handshaking.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-05-09 14:50:01 -07:00
Nick Khyl
cffb809569 net/tsdial: update (*Dialer).SetRoutes() to log the size of the resulting bart.Table
Updates #12027

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 16:43:01 -05:00
Nick Khyl
a9be049c19 ipn/ipnlocal,net/dns/resolver: use the user dialer and routes for DNS forwarding by default, except on iOS and Android
In this PR, we make the "user-dial-routes" behavior default on all platforms except for iOS and Android.
It can be disabled by setting the TS_DNS_FORWARD_USE_ROUTES envknob to 0 or false.

Updates #12027
Updates #13837

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 16:43:01 -05:00
Patrick O'Doherty
3177e50b14
safeweb: Set Cross-Origin-Opener-Policy for browser requests (#15936)
Set Cross-Origin-Opener-Policy: same-origin for all browser requests to
prevent window.location manipulation by malicious origins.

Updates tailscale/corp#28480

Thank you to Triet H.M. Pham for the report.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-05-09 13:44:36 -07:00
Simon Law
3c98964065
ssh/tailssh: chdir to user's homedir when directly running a command (#15351)
Commit 4b525fdda (ssh/tailssh: only chdir incubator process to user's
homedir when necessary and possible, 2024-08-16) defers changing the
working directory until the incubator process drops its privileges.

However, it didn't account for the case where there is no incubator
process, because no tailscaled was found on the PATH. In that case, it
only intended to run `tailscaled be-child` in the root directory but
accidentally ran everything there.

Fixes: #15350

Signed-off-by: Simon Law <sfllaw@sfllaw.ca>
2025-05-09 12:55:57 -07:00
Jordan Whited
0841477743
net/udprelay{/endpoint}, all: move ServerEndpoint to independent pkg (#15934)
ServerEndpoint will be used within magicsock and potentially elsewhere,
which should be possible without needing to import the server
implementation itself.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-05-09 11:29:36 -07:00
Jonathan Nobels
7d6d2b4c50
health, ipn/ipnlocal: add metrics for various client events (#15828)
updates tailscale/corp#28092

Adds metrics for various client events:
* Enabling an exit node
* Enabling a mullvad exit node
* Enabling a preferred exit node
* Setting WantRunning to true/false
* Requesting a bug report ID
* Profile counts
* Profile deletions
* Captive portal detection

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
2025-05-09 12:03:22 -04:00
Olivier Mengué
b1c2860485 client/local: add godoc links
Signed-off-by: Olivier Mengué <dolmen@cpan.org>
2025-05-09 07:34:47 -07:00
Nick Khyl
cb6fc37d66 util/deephash: move tests that depend on other tailscale packages to deephash_test
This is done to prevent import cycles in tests.

Fixes #15923

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-08 19:59:08 -05:00
Brad Fitzpatrick
165b99278b feature/taildrop, ipn/ipnlocal: remove leftover dup calls to osshare
I'd moved the osshare calls to feature/taildrop hooks, but forgot to
remove them from ipnlocal, or lost them during a rebase.

But then I noticed cmd/tailscaled also had some, so turn those into a
hook.

Updates #12614

Change-Id: I024fb1d27fbcc49c013158882ee5982c2737037d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-08 10:08:27 -07:00
Brad Fitzpatrick
e2814871a7 util/eventbus: also disable websocket debug on Android
So tsnet-on-Android is smaller, like iOS.

Updates #12614
Updates #15297

Change-Id: I97ae997f5d17576024470fe5fea93d9f5f134bde
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-08 10:03:42 -07:00
James Sanderson
85a7abef0c tsnet: add test for packet filter generation from netmap
This is an integration test that covers all the code in Direct, Auto, and
LocalBackend that processes NetMaps and creates a Filter. The test uses
tsnet as a convenient proxy for setting up all the client pieces correctly,
but is not actually a test specific to tsnet.

Updates tailscale/corp#20514

Signed-off-by: James Sanderson <jsanderson@tailscale.com>
2025-05-08 17:18:30 +01:00
Brad Fitzpatrick
5be6ff9b62 all: remove non-applicable "linux" deps on Android
Updates #12614

Change-Id: I0e2a18eca3515d3d6206c059110556d2bbbb0c5c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 21:05:13 -07:00
Brad Fitzpatrick
9d623cf5eb util/systemd: don't link systemd-notification package on Android
Updates #12614

Change-Id: Ie5f0bb072571249f08aca09132c8491c31d01605
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 16:54:29 -07:00
Brad Fitzpatrick
02f68e5d9f net/dns: don't link dbus, gonotify on Android
Android is Linux, but doesn't use Linux DNS managers (or D-Bus).

Updates #12614

Change-Id: I487802ac74a259cd5d2480ac26f7faa17ca8d1c3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 16:20:07 -07:00
Brian Palmer
f5cc657e13
control/controlclient: send optional ConnectionHandleForTest with map requests (#15904)
This handle can be used in tests and debugging to identify the specific
client connection.

Updates tailscale/corp#28368

Change-Id: I48cc573fc0bcf018c66a18e67ad6c4f248fb760c

Signed-off-by: Brian Palmer <brianp@tailscale.com>
2025-05-07 12:57:56 -06:00
Brad Fitzpatrick
fd263adc1b ipn/store: don't link in AWS & Kubernetes stuff on Android
Android is Linux, but that not much Linux.

Updates #12614

Change-Id: Ice80bd3e3d173511c30d05a43d25a31e18928db7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 10:38:47 -07:00
Brad Fitzpatrick
04936d6c05 tsnet: add android & iOS results to depaware
Updates #12614

Change-Id: Icd21deb754e7073871eeb34edadd41c167ec5984
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 09:53:21 -07:00
Jordan Whited
7e2630235f
feature/relayserver: consider relay:server node attribute for enablement (#15901)
Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-05-07 09:15:33 -07:00
Brad Fitzpatrick
48dacf1bf7 cmd/tailscale/cli: omit "file" subcommand if taildrop is omitted from build
Updates #15812
Updates #12614

Change-Id: Ic945b26a127ba15399abdaab8fe43b1cfa64d874
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 07:25:23 -07:00
Brad Fitzpatrick
7cc2837594 tsnet: don't depend on condregister & its default tailscaled features
None of them are applicable to the common tsnet use cases.

If somebody wants one of them, they can empty import it.

Updates #12614

Change-Id: I3d7f74b555eed22e05a09ad667e4572a5bc452d8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 07:23:10 -07:00
Brad Fitzpatrick
fee78de1ee Makefile: add tsnet to depaware
Updates #12614

Change-Id: Iff30bc457efcc96f60b563195b213cbc4dccc349
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-07 07:23:10 -07:00
Brad Fitzpatrick
5b597489bc taildrop: merge taildrop and feature/taildrop packages together
Fixes #15812

Change-Id: I3bf0666bf9e7a9caea5f0f99fdb0eb2812157608
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-06 21:11:41 -07:00
Brad Fitzpatrick
068d5ab655 feature/taildrop: move rest of Taildrop out of LocalBackend
Updates #12614

Change-Id: If451dec1d796f6a4216fe485975c87f0c62a53e5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Co-authored-by: Nick Khyl <nickk@tailscale.com>
2025-05-06 20:41:27 -07:00
Brad Fitzpatrick
cf6a593196 cmd/tailscale/cli: rename "--posture-checking" to "--report-posture"
For consistency with other flags, per Slack chat.

Updates #5902

Change-Id: I7ae1e4c97b37185573926f5fafda82cf8b46f071
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-06 07:44:57 -07:00
Tom Proctor
62182f3bcf
cmd/k8s-operator,k8s-operator/api-proxy: move k8s proxy code to library (#15857)
The defaultEnv and defaultBool functions are copied over temporarily
to minimise diff. This lays the ground work for having both the operator
and the new k8s-proxy binary implement the API proxy

Updates #13358

Change-Id: Ieacc79af64df2f13b27a18135517bb31c80a5a02
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-05-06 14:52:16 +01:00
Brad Fitzpatrick
597d0e8fd5 ipn/ipnlocal, tailcfg: add MagicDNS opt-in attr for IPv6 AAAA records
Until we turn on AAAA by default (which might make some people rely on
Happy Eyeballs for targets without IPv6), this lets people turn it on
explicitly if they want.

We still should add a peer cap as well in the future to let a peer
explicitly say that it's cool with IPv6.

Related: #9574

Updates #1813
Updates #1152

Change-Id: Iec6ec9b4b5db7a4dc700ecdf4a11146cc5303989
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-05 10:14:03 -07:00
Brad Fitzpatrick
b03a2a323b tstest/integration: work around ETXTBSY flake
This is a hack, but should suffice and be fast enough.

I really want to figure out what's keeping that writable fd open.

Fixes #15868

Change-Id: I285d836029355b11b7467841d31432cc5890a67e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-04 11:00:56 -07:00
Brad Fitzpatrick
32ce1bdb48 ipn/ipnlocal: use "nb" consistently as receiver for nodeBackend
Cleanup after #15866. It was using a mix of "b" and "c" before. But "b"
is ambiguous with LocalBackend's usual "b".

Updates #12614

Change-Id: I8c2e84597555ec3db0d783a00ac1c12549ce6706
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-02 17:44:40 -07:00
Brad Fitzpatrick
653c45585e ipn/ipnlocal: rename localNodeContext to nodeBackend
As just discussed on Slack with @nickkhyl.

Updates #12614

Change-Id: I138dd7eaffb274494297567375d969b4122f3f50
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-02 17:30:46 -07:00
Brad Fitzpatrick
4fa9411e3f logtail: remove unneeded IP redaction code
Updates tailscale/corp#15664

Change-Id: I9523a43860685048548890cf1931ee6cbd60452c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-02 13:37:27 -07:00
Jordan Whited
fd63123849
wgengine/magicsock: shape relayManager and CallMeMaybeVia handling (#15864)
relayManager will eventually be responsible for handling the allocation
and handshaking of UDP relay server endpoints.

relay servers are endpoint-independent, and Conn must already maintain
handshake state for all endpoints. This justifies a new data structure
to fill these roles.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-05-02 13:08:17 -07:00
Brad Fitzpatrick
761aea3036 tstest/integration: don't require TestMake, stop leaking binaries in /tmp
Previously all tests shared their tailscale+tailscaled binaries in
system /tmp directories, which often leaked, and required TestMain to
clean up (which feature/taildrop didn't use).

This makes it use testing.T.TempDir for the binaries, but still only
builds them once and efficiently as possible depending on the OS
copies them around between each test's temp dir.

Updates #15812

Change-Id: I0e2585613f272c3d798a423b8ad1737f8916f527
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-02 12:22:47 -07:00
Andrew Lytvynov
3105ecd958
hostinfo,tailcfg: report TPM availability on windows/linux (#15831)
Start collecting fleet data on TPM availability via hostinfo.

Updates #15830

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-05-02 11:01:13 -07:00
Jordan Whited
f05347a5bf
wgengine/magicsock: implement more relay handshake disco handling (#15856)
Conn.handleDiscoMessage() now makes a distinction between relay
handshake disco messages and peer disco messages.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2025-05-02 09:04:18 -07:00