Commit Graph

4574 Commits

Author SHA1 Message Date
Brad Fitzpatrick
fbc079d82d ipn/ipnlocal: prevent attempting to run SSH on Synology for now
On DSM7 as a non-root user it'll run into problems.

And we haven't tested on DSM6, even though it might work, but I doubt
it.

Updates #3802
Updates tailscale/corp#5468

Change-Id: I75729042e4788f03f9eb82057482a44b319f04f3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-03 13:50:33 -07:00
Brad Fitzpatrick
2bac8b6013 Revert "cmd/tailscale/cli: disallow --ssh on Synology"
This reverts commit 03e3e6abcd
in favor of #4785.

Change-Id: Ied65914106917c4cb8d15d6ad5e093a6299d1d48
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-03 13:49:42 -07:00
Maisem Ali
03e3e6abcd cmd/tailscale/cli: disallow --ssh on Synology
Updates tailscale/corp#5468
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-04 01:39:33 +05:00
Brad Fitzpatrick
a9b4bf1535 ipn/ipnserver, cmd/tailscaled: fix peerapi on Windows
We weren't wiring up netstack.Impl to the LocalBackend in some cases
on Windows. This fixes Windows 7 when run as a service.

Updates #4750 (fixes after pull in to corp repo)

Change-Id: I9ce51b797710f2bedfa90545776b7628c7528e99
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-03 12:24:47 -07:00
Jordan Whited
43f9c25fd2
cmd/tailscale: surface authentication errors in status.Health (#4748)
Fixes #3713

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2022-06-03 10:52:07 -07:00
Charlotte Brandhorst-Satzkorn
c980bf01be
words: The lists continue to drag-on. (#4780)
For Zaku and Pretzel.

Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
2022-06-03 10:55:17 -04:00
Mihai Parparita
a9f32656f5 control/controlhttp: allow client and server to communicate over WebSockets
We can't do Noise-over-HTTP in Wasm/JS (because we don't have bidirectional
communication), but we should be able to do it over WebSockets. Reuses
derp WebSocket support that allows us to turn a WebSocket connection
into a net.Conn.

Updates #3157

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-02 21:20:54 -07:00
Maisem Ali
80157f3f37 net/dns/resolver: add support for <IPv4>.via-<site-id>
Currently we only support "via-<site-id>.<IPv4>", however that does not
work with Google Chrome which parses `http://via-1.10.0.0.1` as a search
string and not as a URL. This commit introduces "<IPv4>.via-<site-id>"
(`http://10.0.0.1.via-1`) which is parsed correctly by Chrome.

Updates #3616

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-02 23:20:37 +05:00
Brad Fitzpatrick
69b535c01f wgengine/netstack: replace a 1500 with a const + doc
Per post-submit code review feedback of 1336fb740b from @maisem.

Change-Id: Ic5c16306cbdee1029518448642304981f77ea1fd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-02 08:24:35 -07:00
Brad Fitzpatrick
e428bba7a3 ssh/tailssh: add metrics
Updates #3802

Change-Id: Ic9a4b8c51cff6dfe148a1c78bc0e5074195b7f80
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-02 08:18:53 -07:00
Maisem Ali
67325d334e cmd/tailscale/cli: add lose-ssh risk
This makes it so that the user is notified that the action
they are about to take may result in them getting disconnected from
the machine. It then waits for 5s for the user to maybe Ctrl+C out of
it.

It also introduces a `--accept-risk=lose-ssh` flag for automation, which
allows the caller to pre-acknowledge the risk.

The two actions that cause this are:
- updating `--ssh` from `true` to `false`
- running `tailscale down`

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-02 13:14:43 +05:00
Brad Fitzpatrick
1336fb740b wgengine/netstack: make netstack MTU be 1280 also
Updates #3878

Change-Id: I1850085b32c8a40d85607b4ad433622c97d96a8d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-01 12:16:41 -07:00
Maisem Ali
81487169f0 build_docker.sh: pin github.com/tailscale/mkctr
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-01 19:55:06 +05:00
Tobias Klauser
3a926348a4 hostinfo: use ByteSliceToString from golang.org/x/sys/unix
Use unix.ByteSliceToString in osVersionFreebsd and osVersionLinux to
convert the Utsname.Release []byte field to string.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2022-06-01 07:43:44 -07:00
Tobias Klauser
2a61261a5a hostinfo: use Uname from golang.org/x/sys/unix in osVersionLinux
As already done in osVersionFreebsd. This will allow to use the Utsname
fields as []byte for easier conversion to string.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2022-06-01 07:43:44 -07:00
Maisem Ali
928530a112 ipn/ipnlocal: shutdown sshServer on tailscale down
Also lazify SSHServer initialization to allow restarting the server on a
subsequent `tailscale up`

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-30 15:01:22 +05:00
Brad Fitzpatrick
4d85cf586b cmd/tailscale, ipn/ipnlocal: add "peerapi" ping type
For debugging when stuff like #4750 isn't working.

RELNOTE=tailscale ping -peerapi

Change-Id: I9c52c90fb046e3ab7d2b121387073319fbf27b99
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-28 13:47:12 -07:00
Maisem Ali
575aacb1e2 ssh/tailssh: terminate sessions on stdout copy failures
Currently, killing a SCP copy with a Ctrl+C leaves the session hanging
even though the stdout copy goroutine fails with an io.EOF. Taking a
step back, when we are unable to send any more data back to the client
we should just terminate the session as the client will stop getting any
response from the server anyways.

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-28 21:30:54 +05:00
Maisem Ali
7cd8c3e839 ssh/tailssh: terminate sessions when tailscaled shutsdown
Ideally we would re-establish these sessions when tailscaled comes back
up, however we do not do that yet so this is better than leaking the
sessions.

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-28 21:30:54 +05:00
Maisem Ali
760740905e ssh/tailssh: only use login with TTY sessions
Otherwise, the shell exits immediately causing applications like mosh
and VSCode to fail.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-28 21:03:40 +05:00
Brad Fitzpatrick
02e580c1d2 logtail: use http.NewRequestWithContext
Saves some allocs. Not hot, but because we can now.

And a const instead of a var.

Change-Id: Ieb2b64534ed38051c36b2c0aa2e82739d9d0e015
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-27 16:33:43 -07:00
Tom
2903d42921
wgengine/router: delete hardcoded link-local address on Windows (#4740)
Fixes #4647

It seems that Windows creates a link-local address for the TUN driver, seemingly
based on the (fixed) adapter GUID. This results in a fixed MAC address, which
for some reason doesn't handle loopback correctly. Given the derived link-local
address is preferred for lookups (thanks LLMNR), traffic which addresses the
current node by hostname uses this broken address and never works.

To address this, we remove the broken link-local address from the wintun adapter.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-05-27 14:42:55 -07:00
Aaron Klotz
b005b79236 net/dns, paths, util/winutil: change net/dns/windowsManager NRPT management to support more than 50 domains.
AFAICT this isn't documented on MSDN, but based on the issue referenced below,
NRPT rules are not working when a rule specifies > 50 domains.

This patch modifies our NRPT rule generator to split the list of domains
into chunks as necessary, and write a separate rule for each chunk.

For compatibility reasons, we continue to use the hard-coded rule ID, but
as additional rules are required, we generate new GUIDs. Those GUIDs are
stored under the Tailscale registry path so that we know which rules are ours.

I made some changes to winutils to add additional helper functions in support
of both the code and its test: I added additional registry accessors, and also
moved some token accessors from paths to util/winutil.

Fixes https://github.com/tailscale/coral/issues/63

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-05-27 14:56:09 -06:00
Joel Cressy
c16271fb46 ipn/localapi: implement LoginInteractive via localapi
Updates: #4738

Signed-off-by: Joel Cressy <joel@jtcressy.net>
2022-05-27 06:34:27 -07:00
Denton Gentry
0f95eaa8bb scripts/installer: fix elementaryOS
c2b907c965 moved UBUNTU_VERSION out
of the ubuntu case and into linuxmint, but linuxmint wasn't the
only Ubuntu-based system which needed it. Restore UBUNTU_VERSION
handling in the ubuntu case.

Break elementaryOS out into its own handling so we can get the
version number handling correct for keyring support.
Tested on an elementaryOS 6.1 VM.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-05-27 06:21:15 -07:00
James Tucker
3f686688a6 cmd/tailscaled: fix state path for windows svc
Signed-off-by: James Tucker <james@tailscale.com>
2022-05-26 17:59:50 -07:00
Aaron Klotz
c163b2a3f1 util/winutil, util/winutil/vss: remove winrestore and vss as they are unnecessary.
I wrote this code way back at the beginning of my tenure at Tailscale when we
had concerns about needing to restore deleted machine keys from backups.

We never ended up using this functionality, and the code is now getting in the
way, so we might as well remove it.

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-05-26 12:13:36 -06:00
Tom
fc5839864b
wgengine/netstack: handle multiple magicDNS queries per UDP socket (#4708)
Fixes: #4686

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-05-20 13:30:11 -07:00
Brad Fitzpatrick
c81be7b899 control/controlclient: avoid Noise protocol for js/wasm for now
Updates #3157

Change-Id: I04accc09783a68257d28cadde5818bf0724a8013
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-20 12:09:09 -07:00
Denton Gentry
36af49ae7f install.sh: add RHEL9.
Fixes https://github.com/tailscale/tailscale/issues/4718

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-05-20 09:49:39 -07:00
Mihai Parparita
bded712e58 .github/workflows: fix duplicated build target in Wasm action
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-20 09:31:14 -07:00
Mihai Parparita
7cfc6130e5 .github/workflows: add cross-builder for Wasm
For now just checks that we can build cmd/tailscale/cli, will be
broadened once we can actually build more things.

Updates #3157

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-19 20:57:31 -07:00
Mihai Parparita
eda647cb47 cmd/tailscale/cli: fix ssh CLI command breaking the Wasm build
Adds a stub for syscall.Exec when GOOS=js. We also had a separate branch
for Windows, might as well use the same mechanism there too.

For #3157

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-19 20:49:34 -07:00
Brad Fitzpatrick
cc91a05686 ipn/ipnserver: fix build on js/wasm
Broken by 3dedcd1640 but we don't have CI coverage yet.

Updates #3157

Change-Id: Ie8e95ebd36264887fdeed16fc9f25a857d48124b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-19 15:01:27 -07:00
Mihai Parparita
3222bce02d logtail: add instance metadata to the entry logtail
Allows instances that are running with the same machine ID (due to
cloning) to be distinguished.

Also adds sequence numbers to detect duplicates.

For tailscale/corp#5244

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-18 13:57:14 -07:00
Tom
acfe5bd33b
net/dns{., resolver}: time out DNS queries after 10 seconds (#4690)
Fixes https://github.com/tailscale/corp/issues/5198

The upstream forwarder will block indefinitely on `udpconn.ReadFrom` if no
reply is recieved, due to the lack of deadline on the connection object.

There still isn't a deadline on the connection object, but the automatic closing
of the context on deadline expiry will close the connection via `closeOnCtxDone`,
unblocking the read and resulting in a normal teardown.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-05-18 10:40:04 -07:00
Tom
ec4c49a338
types/key: make NodePublic implement Shardable (#4698)
Needed for an experiment in Control.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-05-17 10:37:25 -07:00
Denton Gentry
53f6c3f9f2 api.md: document preauthorized and tags fields
Updates https://github.com/tailscale/tailscale/issues/2120
Updates https://github.com/tailscale/tailscale/issues/4571
Updates https://github.com/tailscale/tailscale/issues/1369

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-05-17 09:25:13 -07:00
Brad Fitzpatrick
48d43134d7 cmd/tsshd: delete, leaving only forwarding docs
Updates #3802

Change-Id: I89d4d3d68d64af9bc7288a149b4b34f61884f5f4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-16 11:52:44 -07:00
Denton Gentry
afb3f62b01 scripts/installer.sh: add Xen Enterprise
Tested on a VM running Xen Enterprise 8.2.1.
https://xcp-ng.org/
Fixes https://github.com/tailscale/tailscale/issues/4655

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-05-16 08:37:39 -07:00
Brad Fitzpatrick
da601c23e1 ipn/ipnlocal: add missing place where we set the SSH atomic
This fixes the "tailscale up --authkey=... --ssh" path (or any "up"
path that used Start instead of EditPrefs) which wasn't setting the
bit.

Updates #3802

Change-Id: Ifca532ec58296fedcedb5582312dfee884367ed7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-14 12:47:28 -07:00
David Anderson
e1c1d47991 tsweb: memoize the string forms of HTTP response codes.
Saves 1-2 allocs per HTTP request after warmup, thanks to
avoiding strconv and fmt.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-05-13 14:25:17 -07:00
Tom
9343967317
wgengine/filter: preallocate some hot slices in MatchesFromFilterRules (#4672)
Profiling identified this as a fairly hot path for growing a slice.

Given this is only used in control & when a new packet filter is received, this shouldnt be hot in the client.
2022-05-13 13:56:53 -07:00
David Anderson
c48513b2be tsweb: support recording unabridged HTTP status codes as well.
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-05-13 13:50:23 -07:00
Mihai Parparita
561f7be434 wgengine/magicsock: remove unused metric
We don't increment the metricRecvData anywhere, just the per-protocol
ones.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-13 11:15:56 -07:00
Mihai Parparita
dd5548771e util/clientmetric: add gauge_ name prefix when uploading names
The prefix is a signal to tsweb to treat this as a gauge metric when
generating the Prometheus version.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-12 09:52:56 -07:00
Mihai Parparita
86069874c9 net/tstun, wgengine: use correct type for counter metrics
We were marking them as gauges, but they are only ever incremented,
thus counter is more appropriate.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-05-12 09:30:50 -07:00
James Tucker
87b44aa311 go.mod: bump golang.org/x/sys for CVE-2022-29526
Signed-off-by: James Tucker <james@tailscale.com>
2022-05-10 17:57:51 -07:00
James Tucker
4bb7440094 cmd/tailscaled: use --statedir as documented
Enables the behavior described in the statepath flag, where if only
statedir is passed, then state is statedir/tailscaled.state.

Signed-off-by: James Tucker <james@tailscale.com>
2022-05-10 15:13:13 -07:00
Maisem Ali
6dae9e47f9 types/views: remove alloc in hot path
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-10 11:20:00 -07:00