Commit Graph

5029 Commits

Author SHA1 Message Date
Maisem Ali
bd4b27753e docs/k8s: set statedir to /tmp when not specified
This makes `tailscale cert` and Taildrop work on k8s and in ephemeral
mode.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-18 10:19:19 -07:00
Brad Fitzpatrick
469c30c33b ipn/localapi: define a cert dir for Synology DSM6
Fixes #4060

Change-Id: I5f145d4f56f6edb14825268e858d419c55918673
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-18 09:51:24 -07:00
Maisem Ali
c6648db333 cmd/tailscale/cli: make cert use localClient
This was seeminlgy missed in 87ba528ae0.

Fixes #5072

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-17 13:22:29 -07:00
Denton Gentry
9fcda1f0a0 cmd/tailscale/cli/web: add QNAP NAS_SID authentication
QTS 5.0 doesn't always pass a qtoken, in some circumstances
it sends a NAS_SID cookie for us to verify instead.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-07-17 12:21:03 -07:00
Brad Fitzpatrick
0d52674a84 net/tstun: diagnose /dev/net/tun fd leak, give better failure message
Updates #5029

Change-Id: Ibee5e0c9076fe764eb5d856d5ef8b09f4d0e2921
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-16 14:21:56 -07:00
Brad Fitzpatrick
931f18b575 derp: add missing docs on clientInfo.Version
It's not the Tailscale version.

Change-Id: Icfbd5ff36300b2125b19cd2fa6caa22876965317
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-15 12:00:19 -07:00
Tom DNetto
4f1374ec9e tka: implement consensus & state computation internals
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-15 10:44:43 -07:00
Maisem Ali
af412e8874 ssh/tailssh: better handling of signals and exits
We were not handling errors occurred while copying data between the subprocess and the connection.
This makes it so that we pass the appropriate signals when to the process and the connection.

This also fixes mosh.

Updates #4919

Co-authored-by: James Tucker <raggi@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-15 09:06:01 -07:00
Xe Iaso
004f0ca3e0
cmd/gitops-pusher: format HuJSON, enabling exact ACL matches (#5061)
Signed-off-by: Xe <xe@tailscale.com>
2022-07-15 11:09:44 -04:00
Xe Iaso
16c85d0dc5
cmd/gitops-pusher: support GitHub Actions error syntax (#5060)
GitHub Actions lets you annotate lines in files as errors[1]. This syntax
will only fire on syntax errors. Future improvements can extend this to
properly annotate ACL tests too.

[1]: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message

Signed-off-by: Xe <xe@tailscale.com>
2022-07-15 10:20:54 -04:00
Brad Fitzpatrick
7fb6781bda go.toolchain.rev: bump for Go 1.18.4 + runtime timer spin
See https://github.com/tailscale/go/pull/32

Updates #4760
Updates #5030?
Updates #4891?

Change-Id: I066aafddc09fade30a5f3fdee23e6bd200eda9fa
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-13 20:56:59 -07:00
Tom DNetto
ec4f849079 tka: implement filesystem-based tailchonk implementation
FS implements Chonk, and given the expected load characteristics (frequent use
of AUM() + ChildAUMs(), and infrequent use of Heads() + CommitVerifiedAUMs()), the
implementation avoids scanning the filesystem to service AUM() and ChildAUMs().

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-13 10:07:17 -07:00
Brad Fitzpatrick
505ca2750d cmd/tailscaled: fix Windows "Allow local LAN access" regression
3f686688a6 regressed the Windows beFirewallKillswitch code,
preventing the /firewall subprocess from running.

Fixes tailscale/corp#6063

Change-Id: Ibd105759e5fecfeffc54f587f8ddcd0f1cbc4dca
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-13 08:01:32 -07:00
David Anderson
96afd1db46 jsondb: small package to load/save JSON DBs.
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-07-12 11:56:38 -07:00
Denton Gentry
755396d6fe tsweb: add Float expvar support in varz
We make assertions about stringification of 0.5. IEEE floating point and
all reasonable proprietary floating point can exactly represent 0.5.
We don't make assertions about other floating point values, too brittle
in tests.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-07-11 21:16:46 -07:00
Tom DNetto
cca25f6107 tka: implement Chonk type & an in-memory implementation
Chonks are responsible for efficient storage of AUMs and other TKA state.

For testing/prototyping I've implemented an in-memory version, but once we
start to use this from tailscaled we'll need a file-based version.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-11 10:38:29 -07:00
Mihai Parparita
e37167b3ef ipn/localapi: add API for uploading client metrics
Clients may have platform-specific metrics they would like uploaded
(e.g. extracted from MetricKit on iOS). Add a new local API endpoint
that allows metrics to be updated by a simple name/value JSON-encoded
struct.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-07-11 09:51:09 -07:00
Xe Iaso
d6b8a18b09
cmd/proxy-to-grafana: use localClient.GetCertificate (#5024)
Closes #5023

Signed-off-by: Xe <xe@tailscale.com>
2022-07-08 14:33:14 -04:00
Xe Iaso
5bb44a4a5c
cmd/gitops-pusher: correctly handle ACL tests failing (#5016)
Apparently the API for running ACL tests returns a 200 if the ACL tests
fail. This is weird, but we can handle it.

Signed-off-by: Xe <xe@tailscale.com>
2022-07-08 10:53:50 -04:00
Andrew Dunham
c7993d2b88
net/dns/resolver: add fuzz/unit test for #2533 (#5018)
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2022-07-08 09:22:50 -04:00
Tom DNetto
3709074e55 tka: implement State and applying AUMs
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-07 11:25:26 -07:00
Tom DNetto
1cfd96cdc2 tka: implement AUM and Key types
This is the first in a series of PRs implementing the internals for the
Tailnet Key Authority. This PR implements the AUM and Key types, which
are used by pretty much everything else. Future PRs:

 - The State type & related machinery
 - The Tailchonk (storage) type & implementation
 - The Authority type and sync implementation

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-06 12:19:37 -07:00
Denton Gentry
e6572a0f08 install.sh: Add archarm and Raspbian Stretch
Fixes https://github.com/tailscale/tailscale/issues/4959
Fixes https://github.com/tailscale/tailscale/issues/4897

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-07-06 05:41:06 -07:00
Joe Tsai
fe3426b4c7
logpolicy: fix config initialization bug (#5010)
If ConfigFromFile cannot find the configuration file,
we must not initialize it with NewConfig.
Instead, we need it to fail validation so that it eventually writes
a newly constructed configuration file.
Otherwise, new tailscale instances will never be able store a persistent
log config and start with a new config file upon every bootup.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-07-05 18:27:31 -07:00
Tom DNetto
d6817d0f22 net/dns/resolver: respond with SERVFAIL if all upstreams fail
Fixes #4722

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-07-05 10:22:52 -07:00
Brad Fitzpatrick
c93fd0d22b go.mod: bump wireguard-go to set CLOEXEC on tun/netlink fds
To get:
c31a7b1ab4

Diff:
95b48cdb39..c31a7b1ab4

Fixes #4992

Change-Id: I077586fefcde923a2721712dd54548f97d010f72
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-03 17:11:49 -07:00
Craig Rodrigues
9584d8aa7d docs/k8s: Add env vars for tailscaled args
- TS_SOCKS5_SERVER, argument passed to tailscaled --socks5-server
- TS_OUTBOUND_HTTP_PROXY_LISTEN, argument passed to tailscaled -outbound-http-proxy-listen
- TS_TAILSCALED_EXTRA_ARGS extra arguments passed to tailscaled

Fixes #4985

Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>
2022-07-01 14:45:51 -07:00
Jake Edgington
ea6e9099b9 fix: typo rename, ROUTES -> TS_ROUTES
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-30 20:23:37 -07:00
Jake Edgington
72b7edbba9 fix: typo rename, KUBE_SECRET -> TS_KUBE_SECRET
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-30 20:23:37 -07:00
Brad Fitzpatrick
6b71568eb7 util/cloudenv: add Azure support & DNS IPs
And rewrite cloud detection to try to do only zero or one metadata
discovery request for all clouds, only doing a first (or second) as
confidence increases. Work remains for Windows, but a start.

And add Cloud to tailcfg.Hostinfo, which helped with testing using
"tailcfg debug hostinfo".

Updates #4983 (Linux only)
Updates #4984

Change-Id: Ib03337089122ce0cb38c34f724ba4b4812bc614e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-30 17:03:46 -07:00
Mihai Parparita
ec649e707f ipn/ipnlocal: prefer to use one CGNAT route on the Mac
Together with 06aa141632 this minimizes
the number of NEPacketTunnelNetworkSettings updates that we have to do,
and thus avoids Chrome interrupting outstanding requests due to
(perceived) network changes.

Updates #3102

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-30 13:18:52 -07:00
Aaron Bieber
3f4fd64311 cmd/tailscale: exit loop when timeout and pingArgs.num are met
Currently if you use '-c' and ping a host that times out, ping will
continue running indefinitely. This change exits the loop with "no
reply" when we time out, hit the value specified by '-c' and do not
have anyPong. If we have anyPong it returns nil.

Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>
2022-06-30 11:52:56 -07:00
Brad Fitzpatrick
aa37aece9c ipn/ipnlocal, net/dns*, util/cloudenv: add AWS DNS support
And remove the GCP special-casing from ipn/ipnlocal; do it only in the
forwarder for *.internal.

Fixes #4980
Fixes #4981

Change-Id: I5c481e96d91f3d51d274a80fbd37c38f16dfa5cb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-29 20:37:44 -07:00
Brad Fitzpatrick
88c2afd1e3 ipn/ipnlocal, net/dns*, util/cloudenv: specialize DNS config on Google Cloud
This does three things:

* If you're on GCP, it adds a *.internal DNS split route to the
  metadata server, so we never break GCP DNS names. This lets people
  have some Tailscale nodes on GCP and some not (e.g. laptops at home)
  without having to add a Tailnet-wide *.internal DNS route.
  If you already have such a route, though, it won't overwrite it.

* If the 100.100.100.100 DNS forwarder has nowhere to forward to,
  it forwards it to the GCP metadata IP, which forwards to 8.8.8.8.
  This means there are never errNoUpstreams ("upstream nameservers not set")
  errors on GCP due to e.g. mangled /etc/resolv.conf (GCP default VMs
  don't have systemd-resolved, so it's likely a DNS supremacy fight)

* makes the DNS fallback mechanism use the GCP metadata IP as a
  fallback before our hosted HTTP-based fallbacks

I created a default GCP VM from their web wizard. It has no
systemd-resolved.

I then made its /etc/resolv.conf be empty and deleted its GCP
hostnames in /etc/hosts.

I then logged in to a tailnet with no global DNS settings.

With this, tailscaled writes /etc/resolv.conf (direct mode, as no
systemd-resolved) and sets it to 100.100.100.100, which then has
regular DNS via the metadata IP and *.internal DNS via the metadata IP
as well. If the tailnet configures explicit DNS servers, those are used
instead, except for *.internal.

This also adds a new util/cloudenv package based on version/distro
where the cloud type is only detected once. We'll likely expand it in
the future for other clouds, doing variants of this change for other
popular cloud environments.

Fixes #4911

RELNOTES=Google Cloud DNS improvements

Change-Id: I19f3c2075983669b2b2c0f29a548da8de373c7cf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-29 17:39:13 -07:00
Mihai Parparita
6f58497647 .github/workflows: downgrade MinGW to work around windows-race failures
Updates #4926

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-29 14:27:57 -07:00
Maisem Ali
88133c361e Docker: add ALPINE.txt to manage alpine versions
The goal here is to

1. make it so that the number doesn't diverge between the various places
   we had it defined
2. not define the number in corp, only in oss

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-29 11:47:09 -07:00
Maisem Ali
cfa484e1a2 Dockerfile: bump alpine to 3.16
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-29 10:29:37 -07:00
Brad Fitzpatrick
ef351ac0dd Dockerfile: fix build
The Dockerfile directions said:

But that failed with:

Step 14/15 : FROM ghcr.io/tailscale/alpine-base:3.14
Head "https://ghcr.io/v2/tailscale/alpine-base/manifests/3.14": denied: denied

So I guess the Dockerfile.base part was undocumented. But it only had
one line anyway, so move it here to avoid the intermediate layer's
published permissions problem entirely.

Also optimize the cachability a bit while here.

Change-Id: I846ad59fe7e88e6126925689fae78bfb80c279f0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-29 08:18:01 -07:00
Mihai Parparita
06aa141632 wgengine/router: avoid unncessary routing configuration changes
The iOS and macOS networking extension API only exposes a single setter
for the entire routing and DNS configuration, and does not appear to
do any kind of diffing or deltas when applying changes. This results
in spurious "network changed" errors in Chrome, even when the
`OneCGNATRoute` flag from df9ce972c7 is
used (because we're setting the same configuration repeatedly).

Since we already keep track of the current routing and DNS configuration
in CallbackRouter, use that to detect if they're actually changing, and
only invoke the platform setter if it's actually necessary.

Updates #3102

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-28 16:59:37 -07:00
Brad Fitzpatrick
3b1f99ded1 ssh/tailssh: fix Tailscale SSH to Linux Arch machines
See https://github.com/tailscale/tailscale/issues/4924#issuecomment-1168201823

Arch uses a different login binary that makes the -h flag set the PAM
service to "remote". So if they don't have that configured, don't pass -h.

Thanks to @eddiezane for debugging!

Updates #4924

Change-Id: I8d33e0afb2dfb99517bcea2f9d5d0c6247519b3c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-28 15:35:51 -07:00
kylecarbs
9280d39678 wgengine/netstack: close ipstack when netstack.Impl is closed
Fixes netstack.Impl leaking goroutines after shutdown.

Signed-off-by: kylecarbs <kyle@carberry.com>
2022-06-28 14:59:29 -07:00
Denton Gentry
d7f452c0a1 net/portmapper: send discovery packet for IGD specifically.
There appear to be devices out there which send only their
first descriptor in response to a discovery packet for
`ssdp:all`, for example the Sagemcom FAST3890V3 only sends
urn:schemas-wifialliance-org:device:WFADevice:1

Send both ssdp:all and a discovery frame for
InternetGatewayDevice specifically.

Updates https://github.com/tailscale/tailscale/issues/3557

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Denton Gentry
09eaba91ad net/portmap: add a test for Sagemcom FAST3890V3.
Updates https://github.com/tailscale/tailscale/issues/3557

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Denton Gentry
b5553c6ad2 net/portmap: run go fmt
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Denton Gentry
de4c635e54 net/portmapper: make pcpCodeNotAuthorized log more descriptive
If PCP is present but disabled, turning it on might help
get direct connections.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-06-28 03:55:17 -07:00
Brad Fitzpatrick
3ac8ab1791 tsnet: add Server.AuthKey field
... so callers can provide the AuthKey via mechanisms other than
environment variables which means multiple Servers can't be started
concurrently in the same process without coordination.

Change-Id: I7736ef4f59b7cc29637939e140e990613ce58e0d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-27 21:57:57 -07:00
Jordan Whited
bef6e2831a
cmd/tailscale: move call to cli.CleanUpArgs() from main() into cli.Run() (#4954)
Not all distributions build from package main.

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2022-06-27 14:56:25 -07:00
Maisem Ali
40503ef07a ssh/tailssh: fix logging typo
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 13:23:09 -07:00
soypete
412c4c55e2 cmd/tailscale: make up respect explicitly empty --operator= value
Fixes #3808

Signed-off-by: soypete <miriah@tailscale.com>
2022-06-27 13:59:45 -06:00
Maisem Ali
c434e47f2d ssh/tailssh: always use current time for policy evaluation
Whenever the SSH policy changes we revaluate all open connections to
make sure they still have access. This check was using the wrong
timestamp and would match against expired policies, however this really
isn't a problem today as we don't have policy that would be impacted by
this check. Fixing it for future use.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 12:25:04 -07:00