Commit Graph

6928 Commits

Author SHA1 Message Date
Brad Fitzpatrick
e6b84f2159 all: make client use server-provided DERP map, add DERP region support
Instead of hard-coding the DERP map (except for cmd/tailscale netcheck
for now), get it from the control server at runtime.

And make the DERP map support multiple nodes per region with clients
picking the first one that's available. (The server will balance the
order presented to clients for load balancing)

This deletes the stunner package, merging it into the netcheck package
instead, to minimize all the config hooks that would've been
required.

Also fix some test flakes & races.

Fixes #387 (Don't hard-code the DERP map)
Updates #388 (Add DERP region support)
Fixes #399 (wgengine: flaky tests)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-05-23 22:31:59 -07:00
David Anderson
e8b3a5e7a1 wgengine/filter: implement a destination IP pre-filter.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-22 17:03:30 +00:00
Brad Fitzpatrick
35a8586f7e go.sum: go mod tidy 2020-05-22 09:07:02 -07:00
Avery Pennarun
3ed2124356 ipn: Resolve some resource leaks in test.
Updates tailscale/corp#255.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-21 16:37:25 -04:00
Avery Pennarun
ea8f92b312 ipn/local: get rid of some straggling calls to the log module.
Use b.logf() instead.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-21 15:51:41 -04:00
Avery Pennarun
af9328c1b7 log rate limiting: reformat limiter messages, and use nonempty burst size.
- Reformat the warning about a message being rate limited to print the
  format string, rather than the formatted message. This helps give a
  clue what "type" of message is being limited.

- Change the rate limit warning to be [RATE LIMITED] in all caps. This
  uses less space on each line, plus is more noticeable.

- In tailscaled, change the frequency to be less often (once every 5
  seconds per format string) but to allow bursts of up to 5 messages.
  This greatly reduces the number of messages that are rate limited
  during startup, but allows us to tighten the limit even further during
  normal runtime.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-20 11:59:21 -04:00
Avery Pennarun
f2db4ac277 cmd/tailscaled: SetGCPercent() if GOGC is not set.
This cuts RSS from ~30MB to ~20MB on my machine, after the previous fix
to get rid of unnecessary zstd buffers.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-20 11:40:50 -04:00
Avery Pennarun
db051fb013 ipnserver and logpolicy: configure zstd with low-memory settings.
The compressed blobs we send back and forth are small and infrequent,
which doesn't justify the 8MB * GOMAXPROCS memory that was being
allocated. This was the overwhelming majority of memory use in
tailscaled. On my system it goes from ~100M RSS to ~15M RSS (which is
still suspiciously high, but we can worry about that more later).

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-20 11:23:26 -04:00
Avery Pennarun
d074ec6571 cmd/tailscaled: eliminate unnecessary use of an init() function.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-20 11:23:26 -04:00
Avery Pennarun
c5fcc38bf1 controlclient tests: fix more memory leaks and add resource checking.
I can now run these tests with -count=1000 without running out of RAM.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-20 11:23:26 -04:00
Avery Pennarun
d03de31404 controlclient/direct: fix a race condition accessing auth keys.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-19 03:02:09 -04:00
Avery Pennarun
1013cda799 controlclient/auto_test: don't print the s.control object.
This contains atomic ints that trigger a race check error if we access
them non-atomically.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-19 02:07:05 -04:00
Avery Pennarun
806de4ac94 portlist: fix "readdirent: no such file or directory" errors on Linux.
This could happen when a process disappeared while we were reading its
file descriptor list.

I was able to replicate the problem by running this in another
terminal:

    while :; do for i in $(seq 10); do
      /bin/true & done >&/dev/null; wait >&/dev/null;
    done

And then running the portlist tests thousands of times.

Fixes #339.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-19 01:51:21 -04:00
David Anderson
c97c45f268 ipn: sprinkle documentation and clarity rewrites through LocalBackend.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-19 02:32:34 +00:00
David Anderson
39d20e8a75 go.mod: bump wireguard-go version. 2020-05-18 21:03:48 +00:00
David Anderson
cd2f6679bb go.mod: bump wireguard-go version.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-15 22:29:27 +00:00
David Anderson
7fb33123d3 wgengine/router: warn about another variation of busybox's ip.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-15 20:48:25 +00:00
Wendi Yu
bb55694c95
wgengine: log node IDs when peers are added/removed (#381)
Also stop logging data sent/received from nodes we're not connected to (ie all those `x`s being logged in the `peers: ` line)
Signed-off-by: Wendi <wendi.yu@yahoo.ca>
2020-05-15 14:13:44 -06:00
Dmytro Shynkevych
635f7b99f1 wgengine: pass tun.NativeDevice to router
Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
2020-05-15 10:11:56 -04:00
David Anderson
9c914dc7dd wgengine/router: stop using -m comment.
The comment module is compiled out on several embedded systems (and
also gentoo, because netfilter can't go brrrr with comments holding it
back). Attempting to use comments results in a confusing error, and a
non-functional firewall.

Additionally, make the legacy rule cleanup non-fatal, because we *do*
have to probe for the existence of these -m comment rules, and doing
so will error out on these systems.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-15 07:09:33 +00:00
David Anderson
3e27b3c33c wgengine/router: more comments.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-14 23:51:44 -07:00
David Anderson
0fe262f093 ipn: plumb NetfilterMode all the way out to the CLI.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-14 23:51:44 -07:00
David Anderson
c67c8913c3 wgengine/router: add a test for linux router state transitions.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-14 23:51:44 -07:00
David Anderson
292606a975 wgengine/router: support multiple levels of netfilter involvement.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-14 23:51:44 -07:00
Brad Fitzpatrick
cff53c6e6d tailcfg: add DERP map structures
Updates #387
Updates #388

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-05-14 21:09:54 -07:00
Brad Fitzpatrick
5ec7ac1d02 tstest: document PanicOnLog 2020-05-14 10:05:32 -07:00
Brad Fitzpatrick
e6d0c92b1d wgengine/magicsock: clean up earlier fix a bit
Move WaitReady from fc88e34f42 into the
test code, and keep the derp-reading goroutine named for debugging.
2020-05-14 10:01:48 -07:00
Avery Pennarun
d0754760e7 controlclient/auto_test: fix flake "peer OS is not linux" on macOS.
We were mis-counting the number of Synchronized messages that we should
have been generating.
2020-05-14 06:31:19 -04:00
Avery Pennarun
8f8607b6bf control/controlclient/auto_test: clean up logging to defeat 'go test' idiocy.
By default, nothing differentiates errors or fatals from regular logs, so they just
blend into the rest of the logs.

As a bonus, if you run a test using t.Run(), the log messages printed
via the sub-t.Run() are printed at a different time from log messages
printed via the parent t.Run(), making debugging almost impossible.

This doesn't actually fix the test flake I'm looking for, but at least
I can find it in the logs now.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-14 06:31:09 -04:00
Avery Pennarun
d53e8fc0da router_darwin_support: we can build this on every platform.
Our new build scripts try to build ipn-go-bridge on more than just
linux and darwin, so let's enable this file so it can be successful on
every platform.
2020-05-14 04:42:36 -04:00
Avery Pennarun
3b1ce30967 Merge branch 'master' of github.com:tailscale/tailscale
* 'master' of github.com:tailscale/tailscale:
  derp/derphttp: don't use x/net/proxy for SOCKS on iOS
2020-05-14 02:56:49 -04:00
Avery Pennarun
286f96e412 control/controlclient: fix a very rare httptest.Server log.Printf.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-14 01:52:35 -04:00
Brad Fitzpatrick
040a0d5121 derp/derphttp: don't use x/net/proxy for SOCKS on iOS
We don't want those extra dependencies on iOS, at least yet.

Especially since there's no way to set the relevant environment
variables so it's just bloat with no benefits. Perhaps we'll need to
do SOCKS on iOS later, but probably differently if/when so.

Updates #227

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-05-13 22:35:17 -07:00
Avery Pennarun
fc88e34f42 wgengine/magicsock/tests: wait for home DERP connection before sending packets.
This fixes an elusive test flake. Fixes #161.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-13 23:50:25 -04:00
Avery Pennarun
4f128745d8 magicsock/test: oops, fix a data race in nested-test logf hack.
Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-13 23:50:09 -04:00
Avery Pennarun
42a0e0c601 wgengine/magicsock/tests: call tstest.ResourceCheck for each test.
This didn't catch anything yet, but it's good practice for detecting
goroutine leaks that we might not find otherwise.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-13 23:17:51 -04:00
Avery Pennarun
08acb502e5 Add tstest.PanicOnLog(), and fix various problems detected by this.
If a test calls log.Printf, 'go test' horrifyingly rearranges the
output to no longer be in chronological order, which makes debugging
virtually impossible. Let's stop that from happening by making
log.Printf panic if called from any module, no matter how deep, during
tests.

This required us to change the default error handler in at least one
http.Server, as well as plumbing a bunch of logf functions around,
especially in magicsock and wgengine, but also in logtail and backoff.

To add insult to injury, 'go test' also rearranges the output when a
parent test has multiple sub-tests (all the sub-test's t.Logf is always
printed after all the parent tests t.Logf), so we need to screw around
with a special Logf that can point at the "current" t (current_t.Logf)
in some places. Probably our entire way of using subtests is wrong,
since 'go test' would probably like to run them all in parallel if you
called t.Parallel(), but it definitely can't because the're all
manipulating the shared state created by the parent test. They should
probably all be separate toplevel tests instead, with common
setup/teardown logic. But that's a job for another time.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-13 23:12:35 -04:00
Avery Pennarun
e0b666c5d2 tstest.ResourceCheck: clarify success message.
Inclusion of the word "assert" made it seem like a failure, even though
it was supposed to be identifying the name of the function (Assert()).

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-13 23:02:32 -04:00
Avery Pennarun
89a6f27cf8 Merge remote-tracking branch 'origin/master' into base
* origin/master:
  types/logger: add ArgWriter
  wgengine: wrap tun.Device to support filtering and packet injection (#358)
2020-05-13 23:01:32 -04:00
Avery Pennarun
a7edf11a40 {ipn,control/controlclient}/tests: pass a logf function to control.New().
This matches the new API requirements.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-13 22:44:20 -04:00
Brad Fitzpatrick
fe97bedf67 types/logger: add ArgWriter 2020-05-13 14:47:13 -07:00
Dmytro Shynkevych
33b2f30cea
wgengine: wrap tun.Device to support filtering and packet injection (#358)
Right now, filtering and packet injection in wgengine depend
on a patch to wireguard-go that probably isn't suitable for upstreaming.

This need not be the case: wireguard-go/tun.Device is an interface.
For example, faketun.go implements it to mock a TUN device for testing.

This patch implements the same interface to provide filtering
and packet injection at the tunnel device level,
at which point the wireguard-go patch should no longer be necessary.

This patch has the following performance impact on i7-7500U @ 2.70GHz,
tested in the following namespace configuration:
┌────────────────┐    ┌─────────────────────────────────┐     ┌────────────────┐
│      $ns1      │    │               $ns0              │     │      $ns2      │
│    client0     │    │      tailcontrol, logcatcher    │     │     client1    │
│  ┌─────┐       │    │  ┌──────┐         ┌──────┐      │     │  ┌─────┐       │
│  │vethc│───────┼────┼──│vethrc│         │vethrs│──────┼─────┼──│veths│       │
│  ├─────┴─────┐ │    │  ├──────┴────┐    ├──────┴────┐ │     │  ├─────┴─────┐ │
│  │10.0.0.2/24│ │    │  │10.0.0.1/24│    │10.0.1.1/24│ │     │  │10.0.1.2/24│ │
│  └───────────┘ │    │  └───────────┘    └───────────┘ │     │  └───────────┘ │
└────────────────┘    └─────────────────────────────────┘     └────────────────┘
Before:
---------------------------------------------------
| TCP send               | UDP send               |
|------------------------|------------------------|
| 557.0 (±8.5) Mbits/sec | 3.03 (±0.02) Gbits/sec |
---------------------------------------------------
After:
---------------------------------------------------
| TCP send               | UDP send               |
|------------------------|------------------------|
| 544.8 (±1.6) Mbits/sec | 3.13 (±0.02) Gbits/sec |
---------------------------------------------------
The impact on receive performance is similar.

Signed-off-by: Dmytro Shynkevych <dmytro@tailscale.com>
2020-05-13 09:16:17 -04:00
David Anderson
9ccbcda612 wgengine/router: rename config.Settings to config.Config, make pointer.
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-12 15:58:33 -07:00
David Anderson
72cae5504c wgengine: generate and plumb router.Settings in from ipn.
This saves a layer of translation, and saves us having to
pass in extra bits and pieces of the netmap and prefs to
wgengine. Now it gets one Wireguard config, and one OS
network stack config.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-12 15:58:33 -07:00
Brad Fitzpatrick
e42ec4efba derp/derphttp: use SOCKS/etc proxies for derphttp dials
Updates #227

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-05-12 14:38:15 -07:00
Wendi Yu
3663797815 Reduce logspam from node with no peers
Signed-off-by: Wendi Yu <wendi.yu@yahoo.ca>
2020-05-12 12:28:51 -07:00
David Anderson
cd01bcc395 wgengine/router: allow loopback traffic from our own IP(s).
Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-11 16:57:35 -07:00
Brad Fitzpatrick
64f6104e63 portlist: reduce log spam/scariness for portlist in mac sandbox
Fixes tailscale/corp#235
2020-05-11 16:13:29 -07:00
David Anderson
bfdc8175b1 wgengine/router: add a setting to disable SNAT for subnet routes.
Part of #320.

Signed-off-by: David Anderson <danderson@tailscale.com>
2020-05-11 20:17:13 +00:00
Brad Fitzpatrick
8eda667aa1 types/logger: simplify mutex locking in rate-limited logger
Updates #365

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-05-11 08:44:10 -07:00