I want to move the guts (after the HTTP layer) of the certificate
fetching into the ipnlocal package, out of localapi.
As prep, refactor a bit:
* add a method to do the fetch-from-cert-or-as-needed-with-refresh,
rather than doing it in the HTTP hander
* convert two methods to funcs, taking the one extra field (LocalBackend)
then needed from their method receiver. One of the methods needed
nothing from its receiver.
This will make a future change easier to reason about.
Change-Id: I2a7811e5d7246139927bb86e7db8009bf09b3be3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
We added the tailnet organization name to to the settings page with
tailscale/corp#6977, but the docs were not updated to reflect this.
We later also changed "tailnet name" to refer to the MagicDNS hostname
(tailscale/corp#7537), which further confuses things (see https://stackoverflow.com/questions/74132318).
Make it slightly clearer what is the expected value for tailnet names in
API calls and how to get it.
Signed-off-by: Mihai Parparita <mihai@tailscale.com>
Only enable forwarding for an IP family if any forwarding is required
for that family.
Fixes#6221.
Signed-off-by: David Anderson <danderson@tailscale.com>
Not for end users (unless directed by support). Mostly for ease of
development for some upcoming webserver work.
Change-Id: I43acfed217514567acb3312367b24d620e739f88
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
strings.Cut allows us to be more precise here. This example was written
before strings.Cut existed.
Signed-off-by: Xe <xe@tailscale.com>
Signed-off-by: Xe <xe@tailscale.com>
This is similar to the golang.org/x/tools/internal/fastwalk I'd
previously written but not recursive and using mem.RO.
The metrics package already had some Linux-specific directory reading
code in it. Move that out to a new general package that can be reused
by portlist too, which helps its scanning of all /proc files:
name old time/op new time/op delta
FindProcessNames-8 2.79ms ± 6% 2.45ms ± 7% -12.11% (p=0.000 n=10+10)
name old alloc/op new alloc/op delta
FindProcessNames-8 62.9kB ± 0% 33.5kB ± 0% -46.76% (p=0.000 n=9+10)
name old allocs/op new allocs/op delta
FindProcessNames-8 2.25k ± 0% 0.38k ± 0% -82.98% (p=0.000 n=9+10)
Change-Id: I75db393032c328f12d95c39f71c9742c375f207a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Previously:
* 036f70b7b4 for linux
* 35bee36549 for windows
This does macOS.
And removes all the compat code for the old style. (e.g. iOS, js are
no longer mentioned; all platforms without implementations just
default to not doing anything)
One possible regression is that platforms without explicit
implementations previously tried to do the "netstat -na" style to get
open ports (but not process names). Maybe that worked on FreeBSD and
OpenBSD previously, but nobody ever really tested it. And it was kinda
useless without associated process names. So better off removing those
for now until they get a good implementation.
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
The //go:build syntax was introduced in Go 1.17:
https://go.dev/doc/go1.17#build-lines
gofmt has kept the +build and go:build lines in sync since
then, but enough time has passed. Time to remove them.
Done with:
perl -i -npe 's,^// \+build.*\n,,' $(git grep -l -F '+build')
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It is currently a `ipn.PrefsView` which means when we do a JSON roundtrip,
we go from an invalid Prefs to a valid one.
This makes it a pointer, which fixes the JSON roundtrip.
This was introduced in 0957bc5af2.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
It's normal for HKLM\SOFTWARE\Policies\Tailscale to not exist but that
currently produces a lot of log spam.
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
This implements the same functionality as the former run.sh, but in Go
and with a little better awareness of tailscaled's lifecycle.
Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had
where it would unconditionally try to reauth every time if you gave it
an authkey, rather than try to use it only if auth is actually needed.
This makes it a bit nicer to deploy these containers in automation, since
you don't have to run the container once, then go and edit its definition
to remove authkeys.
Signed-off-by: David Anderson <danderson@tailscale.com>
This allows reusing the NoiseClient in other repos without having to reimplement the earlyPayload logic.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
To collect some data on how widespread this is and whether there's
any correlation between different versions of Windows, etc.
Updates #4811
Change-Id: I003041d0d7e61d2482acd8155c1a4ed413a2c5c4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It's leftover from an earlier Tailscale SSH wiring and I forgot to
delete it apparently.
Change-Id: I14f071f450e272b98d90080a71ce68ba459168d1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Exit node traffic is aggregated to protect the privacy
of those using an exit node. However, it is reasonable to
at least log which nodes are making most use of an exit node.
For a node using an exit node,
the source will be the taiscale IP address of itself,
while the destination will be zeroed out.
For a node that serves as an exit node,
the source will be zeroed out,
while the destination will be tailscale IP address
of the node that initiated the exit traffic.
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
This switches from using an atomic.Bool to a mutex for reasons that are
described in the commit, and should address the flakes that we're still
seeing.
Fixes#3020
Change-Id: I4e39471c0eb95886db03020ea1ccf688c7564a11
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
In the future this will cause a node to be unable to join the tailnet
if network logging is enabled.
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
This was tested by running 10000 test iterations and observing no flakes
after this change was made.
Change-Id: Ib036fd03a3a17800132c53c838cc32bfe2961306
Signed-off-by: Andrew Dunham <andrew@tailscale.com>
It was from very early Tailscale and no longer makes sense.
Change-Id: I31b4e728789f26b0376ebe73aa1b4bbbb1d62607
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Setting TCP KeepAlives for Tailscale SSH connections results in them
unnecessarily disconnecting. However, we can't turn them off completely
as that would mean we start leaking sessions waiting for a peer to come
back which may have gone away forever (e.g. if the node was deleted from
the tailnet during a session).
Updates #5021
Signed-off-by: Maisem Ali <maisem@tailscale.com>
* Plumb disablement values through some of the internals of TKA enablement.
* Transmit the node's TKA hash at the end of sync so the control plane understands each node's head.
* Implement /machine/tka/disable RPC to actuate disablement on the control plane.
There is a partner PR for the control server I'll send shortly.
Signed-off-by: Tom DNetto <tom@tailscale.com>
It does nothing and never did and I don't think anybody remembers what
the original goal for it was.
Updates #5229 (fixes, but need to clean it up in another repo too)
Change-Id: I81cc6ff44d6d2888bc43e9145437f4c407907ea6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Make "tailscale set" by itself be equivalent to "tailscale set -h"
rather than just say "you did it wrong" and make people do another -h
step.
Change-Id: Iad2b2ddb2595c0121d2536de5b78648f3eded3e3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Basic HTTP/2-over-noise client test. To be fleshed out in subsequent
commits that add more functionality to the noise client.
Updates #5972
Change-Id: I0178343523ef4ae8e8fc87bae53cbc81f4e32fde
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Instead of returning a custom error, use ErrGetBaseConfigNotSupported
that seems to be intended for this use case. This fixes DNS resolution
on macOS clients compiled from source.
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
This makes tags, creation time, exit node option and primary routes
for the current node exposed via `tailscale status --json`
Signed-off-by: Anton Tolchanov <anton@tailscale.com>