Commit Graph

3261 Commits

Author SHA1 Message Date
Brad Fitzpatrick
0410f1a35a util/groupmember: adjust build tags for osusergo
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:38:57 -07:00
Brad Fitzpatrick
2a0d3f72c5 util/groupmember: fix typo of package's name in its package doc
And canonicalize a func comment while I'm here.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:21:18 -07:00
Brad Fitzpatrick
cb4a2c00d1 ipn: remove unused Prefs.OSVersion and Prefs.DeviceModel
iOS and Android no longer use these. They both now (as of today)
use the hostinfo.SetFoo setters instead.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:18:32 -07:00
Brad Fitzpatrick
67e5fabdbd hostinfo, ipn/ipnlocal: add SetPackage, remove ipnlocal hacks
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 15:02:35 -07:00
Brad Fitzpatrick
81269fad28 hostinfo: add SetOSVersion like SetDeviceModel, deprecate ipn.Prefs way
Turns out the iOS client has been only sending the OS version it first
started at. This whole hostinfo-via-prefs mechanism was never a good idea.
Start removing it.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-05 13:29:06 -07:00
Brad Fitzpatrick
98b3fa78aa cmd/tailscale: let certs/keys be written to stdout, warn about macOS sandbox
Fixes https://twitter.com/SeanHood/status/1443668378468720647

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 12:12:09 -07:00
Brad Fitzpatrick
2d464cecd1 cmd/tailscale: make netcheck work when logged out
Fixes #2993

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 11:42:51 -07:00
Brad Fitzpatrick
58e1475ec7 hostinfo: look up Synology hardware a more specific way
Fixes #2991

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 10:28:28 -07:00
Brad Fitzpatrick
a71fb6428d version: new month, new date bump 2021-10-04 08:56:41 -07:00
Brad Fitzpatrick
22a1a5d7cf ipn/ipnlocal: for IPv6-only nodes, publish IPv6 MagicDNS records of peers
See https://github.com/tailscale/tailscale/issues/2970#issuecomment-931885268

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-04 08:54:23 -07:00
David Crawshaw
45f51d4fa6 types/opt: implement Bool.Scan
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-10-03 15:24:13 -07:00
Brad Fitzpatrick
6d43cbc325 ipn/ipnlocal: make sure mobile clients don't use the old control server URL
The new frontends are better for battery.

Updates #2442
Updates tailscale/corp#2750

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-03 14:11:12 -07:00
Nathan Dias
babd163aac bencher: add config to suppress failures on benchmark regressions.
This config update will let tailscale use bencher without worrying about the bencher check appearing as failed due to a benchmark regressing.

Updates #2938

Signed-off-by: Nathan Dias <nathan@orijtech.com>
2021-10-01 16:16:02 -07:00
Brad Fitzpatrick
09c2462ae5 net/tlsdial: add forgotten test file for go mod tidy
I forgot to include this file in the earlier
7cf8ec8108 commit.

This exists purely to keep "go mod tidy" happy.

Updates #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 10:30:01 -07:00
Brad Fitzpatrick
f62e6d83a9 cmd/tailscale: make cert subcommand give hints on access denied
Lot of people have been hitting this.

Now it says:

    $ tailscale cert tsdev.corp.ts.net
    Access denied: cert access denied

    Use 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 10:27:48 -07:00
Brad Fitzpatrick
7cf8ec8108 net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root
We still try the host's x509 roots first, but if that fails (like if
the host is old), we fall back to using LetsEncrypt's root and
retrying with that.

tlsdial was used in the three main places: logs, control, DERP. But it
was missing in dnsfallback. So added it there too, so we can run fine
now on a machine with no DNS config and no root CAs configured.

Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place
for that support.

Fixes #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 08:30:07 -07:00
Brad Fitzpatrick
b10a55e4ed cmd/tailscale/cli: fix typo in cert usage 2021-09-30 21:23:18 -07:00
Filippo Valsorda
d7ce2be5f4 net/dns/resolver: add unsecured Quad9 resolvers
DNSSEC is an availability issue, as recently demonstrated by the
Slack issue, with limited security advantage. DoH on the other hand
is a critical security upgrade. This change adds DoH support for the
non-DNSSEC endpoints of Quad9.

https://www.quad9.net/service/service-addresses-and-features#unsec
Signed-off-by: Filippo Valsorda <hi@filippo.io>
2021-09-30 18:08:19 -07:00
Brad Fitzpatrick
891e7986cc cmd/tailscale: make cert give hints on usage failure
Like mentioning which cert domain(s) are valid.
2021-09-29 14:35:00 -07:00
Brad Fitzpatrick
080381c79f net/tstun: block looped disco traffic, take 17
It was in the wrong filter direction before, per CPU profiles
we now have.

Updates #1526 (maybe fixes? time will tell)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 14:17:40 -07:00
Brad Fitzpatrick
3618e8d8ac cmd/tailscaled: rename outbound HTTP proxy flag
The old name invited confusion:

* is this the HTTP proxy to use ourselves? (no, that's
  via an environment variable, per proxy conventions)
* is this for LetsEncrypt https-to-localhost-http
  proxying? (no, that'll come later)

So rename to super verbose --outbound-http-proxy-listen
before the 1.16.0 release to make it clear what it is.
It listens (serves) and it's for outbound, not inbound.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 11:25:09 -07:00
Brad Fitzpatrick
b822b5c798 cmd/tailscale: let up --authkey be of form file:/path/to/secret
Fixes #2958

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-29 09:27:17 -07:00
Aaron Klotz
e016eaf410 cmd/tailscaled: conditionally flush Windows DNS cache on SessionChange
For the service, all we need to do is handle the `svc.SessionChange` command.
Upon receipt of a `windows.WTS_SESSION_UNLOCK` event, we fire off a goroutine to flush the DNS cache.
(Windows expects responses to service requests to be quick, so we don't want to do that synchronously.)

This is gated on an integral registry value named `FlushDNSOnSessionUnlock`,
whose value we obtain during service initialization.

(See [this link](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nc-winsvc-lphandler_function_ex) for information re: handling `SERVICE_CONTROL_SESSIONCHANGE`.)

Fixes #2956

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-29 09:43:22 -06:00
Aaron Klotz
3386a86fe5 util/winutil: add GetRegInteger
This helper allows us to retrieve `DWORD` and `QWORD` values from the Tailscale key in the Windows registry.

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-29 09:43:22 -06:00
dependabot[bot]
5809386525 go.mod: bump golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10
Bumps golang.zx2c4.com/wireguard/windows from 0.4.9 to 0.4.10.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-29 08:16:35 -07:00
dependabot[bot]
0fa1da2d1b go.mod: bump golang.org/x/tools from 0.1.6 to 0.1.7
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.6 to 0.1.7.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.1.6...v0.1.7)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-29 07:47:38 -07:00
Brad Fitzpatrick
173bbaa1a1 all: disable TCP keep-alives on iOS/Android
Updates #2442
Updates tailscale/corp#2750

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 12:03:18 -07:00
Brad Fitzpatrick
a7cb241db1 cmd/tailscaled: add support for running an HTTP proxy
This adds support for tailscaled to be an HTTP proxy server.
It shares the same backend dialing code as the SOCK5 server, but the
client protocol is HTTP (including CONNECT), rather than SOCKS.

Fixes #2289

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 10:57:46 -07:00
Brad Fitzpatrick
29a8fb45d3 wgengine/netstack: include DNS.ExtraRecords in DNSMap
So SOCKS5 dialer can dial HTTPS cert names, for instance.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 10:01:36 -07:00
Brad Fitzpatrick
56d8c2da34 cmd/tailscaled: set StateDirectoryMode=0700 in tailscaled.service
Updates #2934

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-28 09:09:24 -07:00
dependabot[bot]
8949305820 go.mod: bump github.com/creack/pty from 1.1.15 to 1.1.16
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.15 to 1.1.16.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.15...v1.1.16)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-28 07:39:14 -07:00
Brad Fitzpatrick
52737c14ac wgengine/monitor: ignore ipsec link monitor events on iOS/macOS
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-27 20:45:51 -07:00
Brad Fitzpatrick
5263c8d0b5 paths: skip unix chmod if state directory is already 0700
Updates #2934

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-27 16:24:49 -07:00
Brad Fitzpatrick
3b3994f0db ipn{,/localapi,ipnlocal}: infer cert dir from state file location
This fixes "tailscale cert" on Synology where the var directory is
typically like /volume2/@appdata/Tailscale, or any other tailscaled
user who specifies a non-standard state file location.

This is a interim fix on the way to #2932.

Fixes #2927
Updates #2932

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-27 15:28:50 -07:00
David Crawshaw
29fa8c17d2 .github: revert dependabot change for vm builder
In a56520c3c7 dependabot attempted to bump
the setup-go action version. It appears to work for most builders, but
not the self-hosted VM builder. Revert for now.

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-09-27 14:08:56 -07:00
dependabot[bot]
7f0fcf8571 go.mod: bump github.com/pkg/sftp from 1.13.3 to 1.13.4
Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.3 to 1.13.4.
- [Release notes](https://github.com/pkg/sftp/releases)
- [Commits](https://github.com/pkg/sftp/compare/v1.13.3...v1.13.4)

---
updated-dependencies:
- dependency-name: github.com/pkg/sftp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-27 07:22:40 -07:00
Brad Fitzpatrick
3a72ebb109 ipn: test TestFileStore in a fresh subdirectory
Fixes #2923

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-24 15:05:10 -07:00
Aaron Klotz
21e9f98fc1 ipn, paths: unconditionally attempt to set state dir perms, but only if the state dir is ours
We unconditionally set appropriate perms on the statefile dir.

We look at the basename of the statefile dir, and if it is "tailscale", then
we set perms as appropriate.

Fixes #2925
Updates #2856

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2021-09-24 15:53:58 -06:00
Brad Fitzpatrick
82117f7a63 safesocket: actually fix CLI on macsys build
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-24 13:58:26 -07:00
Brad Fitzpatrick
ec2249b6f2 cmd/tailscale: add debug -env
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-24 13:57:45 -07:00
Brad Fitzpatrick
5bc6d17f87 safesocket: fix CLI for macsys GUI variant
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-24 12:35:24 -07:00
Brad Fitzpatrick
ace2faf7ec cmd/tailscale: make debug profiling output - mean stdout
Because the macOS CLI runs in the sandbox, including the filesystem,
so users would be confused that -cpu-profile=prof.cpu succeeds but doesn't
write to their current directory, but rather in some random Library/Containers
directory somewhere on the machine (which varies depending on the Mac build
type: App Store vs System Extension)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23 15:06:53 -07:00
Brad Fitzpatrick
efb84ca60d ipn/localapi, cmd/tailscale: add CPU & memory profile support, debug command
This was already possible on Linux if you ran tailscaled with --debug
(which runs net/http/pprof), but it requires the user have the Go
toolchain around.

Also, it wasn't possible on macOS, as there's no way to run the IPNExtension
with a debug server (it doesn't run tailscaled).

And on Windows it's super tedious: beyond what users want to do or
what we want to explain.

Instead, put it in "tailscale debug" so it works and works the same on
all platforms. Then we can ask users to run it when we're debugging something
and they can email us the output files.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23 10:01:14 -07:00
Denton Gentry
27bc4e744c cmd/tailscale/web: support TLS from env vars.
pfSense stores its SSL certificate and key in the PHP config.
We wrote PHP code to pull the two out of the PHP config and
into environment variables before running "tailscale web".

The pfSense web UI is served over https, we need "tailscale web"
to also support https in order to put it in an <iframe>.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2021-09-23 08:15:33 -07:00
dependabot[bot]
b7b7d21514 go.mod: bump github.com/frankban/quicktest from 1.13.0 to 1.13.1
Bumps [github.com/frankban/quicktest](https://github.com/frankban/quicktest) from 1.13.0 to 1.13.1.
- [Release notes](https://github.com/frankban/quicktest/releases)
- [Commits](https://github.com/frankban/quicktest/compare/v1.13.0...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/frankban/quicktest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-23 08:13:41 -07:00
dependabot[bot]
46b59e8c48 go.mod: bump github.com/google/uuid from 1.1.2 to 1.3.0
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.3.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-23 08:13:32 -07:00
Brad Fitzpatrick
b0481ba37a go.mod: bump x/tools
Fixes #2912 (which had rebase issues)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-23 08:11:35 -07:00
dependabot[bot]
9219ca49f5 go.mod: bump golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9
Bumps golang.zx2c4.com/wireguard/windows from 0.3.16 to 0.4.9.

---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-23 08:07:52 -07:00
Brad Fitzpatrick
9ca334a560 cmd/tailscaled: appease a security scanner
There are two reasons this can't ever go to actual logs,
but rewrite it to make it happy.

Fixes tailscale/corp#2695

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-22 23:23:47 -07:00
David Anderson
1eabb5b2d9 ipn: don't log IPN messages that may contain an authkey.
Signed-off-by: David Anderson <danderson@tailscale.com>
2021-09-22 20:32:49 -07:00