Commit Graph

5576 Commits

Author SHA1 Message Date
Brad Fitzpatrick
e36cdacf70 envknob: add time.Duration knob support
Updates #6818

Change-Id: I9c8147c02fb514f9f6f1f272bdb0f974c8b3ccbb
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-21 08:34:49 -08:00
andig
14e8afe444 go.mod, etc: bump gvisor
Fixes #6554

Change-Id: Ia04ae37a47b67fa57091c9bfe1d45a1842589aa8
Signed-off-by: andig <cpuidle@gmx.de>
2022-12-20 22:02:40 -08:00
Brad Fitzpatrick
8aac77aa19 cmd/tailscale: fix "up" warning about netfilter-mode on Synology
Fixes #6811

Change-Id: Ia43723e6ebedc9b01729897cec271c462b16e9ae
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-20 12:03:17 -08:00
Brad Fitzpatrick
f837d179b9 ssh/tailssh: fix typo in error message
"look up" is the verb. "lookup" is a noun.

Change-Id: I81c99e12c236488690758fb5c121e7e4e1622a36
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-20 11:42:26 -08:00
Brad Fitzpatrick
2eff9c8277 wgengine/magicsock: avoid ReadBatch/WriteBatch on old Linux kernels
Fixes #6807

Change-Id: I161424ef8a7338e1941d5e43d72dc6529993a0e3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-20 10:54:24 -08:00
Andrew Dunham
0372e14d79 net/dns: bump DNS-over-TCP size limit to 4k
We saw a few cases where we hit this limit; bumping to 4k seems
relatively uncontroversial.

Change-Id: I218fee3bc0d2fa5fde16eddc36497a73ebd7cbda
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2022-12-20 12:08:19 -05:00
License Updater
98daf99775 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-19 20:56:17 -08:00
Brad Fitzpatrick
7c77c48bd4 go.toolchain.rev: bump Go
For:
dc0ce6324d
and
2cf198bc80

Updates #6792
Updates #6799

Change-Id: I58f022b5fb790e968938f90eb76e9dfdb74041fc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-19 20:30:34 -08:00
Brad Fitzpatrick
243490f932 go.mod: bump x/sys for linux/arm64 cpu SIGILL fix
Bump to get 2204b6615f

Updates #5793

Change-Id: I6ab78824047cb2c8d042f3f3bf47368ec6da5a34
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-19 19:18:33 -08:00
David Anderson
a1ded4c166 cmd/sync-containers: add a dry-run option.
Updates tailscale/corp#8461

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-19 19:00:53 -08:00
David Anderson
e5fe205c31 cmd/sync-containers: program to sync tags between container registries.
Updates tailscale/corp#8461

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-19 18:17:34 -08:00
License Updater
237f030cd9 licenses: update android licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-19 14:05:59 -08:00
Aaron Klotz
296f53524c netstat, portlist: update Windows implementation to disambiguate svchost processes
We change our invocations of GetExtendedTcpTable to request additional
information about the "module" responsible for the port. In addition to pid,
this output also includes sufficient metadata to enable Windows to resolve
process names and disambiguate svchost processes.

We store the OS-specific output in an OSMetadata field in netstat.Entry, which
portlist may then use as necessary to actually resolve the process/module name.

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-12-19 15:38:49 -06:00
Brad Fitzpatrick
a06217a8bd cmd/tailscale/cli: hide Windows named pipe default name in flag help
It's long & distracting for how low value it is.

Fixes #6766

Change-Id: I51364f25c0088d9e63deb9f692ba44031f12251b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-19 13:38:08 -08:00
Brad Fitzpatrick
5caf609d7b go.toolchain.rev: bump Go to 1.19.4
Updates tailscale/go#36

Change-Id: I0b741c18ef0286b511a79ec39b1e91464c7ce77b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-19 13:30:12 -08:00
Brad Fitzpatrick
0f604923d3 ipn/ipnlocal: fix StatusWithoutPeers not populating parts of Status
Fixes #4311

Change-Id: Iaae0615148fa7154f4ef8f66b455e3a6c2fa9df3
Co-authored-by: Claire Wang <claire@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-19 13:15:28 -08:00
Aaron Klotz
3c452b9880 util/winutil: fix erroneous condition in implementation of getRegIntegerInternal
We only want to log when err != registry.ErrNotExist. The condition was backward.

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-12-19 15:12:53 -06:00
License Updater
14d07b7b20 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-19 11:55:27 -08:00
Jordan Whited
914d115f65
go.mod: bump tailscale/wireguard-go for big-endian fix (#6785)
Signed-off-by: Jordan Whited <jordan@tailscale.com>
2022-12-19 11:49:06 -08:00
David Anderson
af3127711a cmd/containerboot: allow disabling secret storage in k8s.
In some configurations, user explicitly do not want to store
tailscale state in k8s secrets, because doing that leads to
some annoying permission issues with sidecar containers.
With this change, TS_KUBE_SECRET="" and TS_STATE_DIR=/foo
will force storage to file when running in kubernetes.

Fixes #6704.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-16 15:46:38 -08:00
License Updater
6d5527e4b3 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-16 12:02:42 -08:00
Joe Tsai
d9df023e6f
net/connstats: enforce maximum number of connections (#6760)
The Tailscale logging service has a hard limit on the maximum
log message size that can be accepted.
We want to ensure that netlog messages never exceed
this limit otherwise a client cannot transmit logs.

Move the goroutine for periodically dumping netlog messages
from wgengine/netlog to net/connstats.
This allows net/connstats to manage when it dumps messages,
either based on time or by size.

Updates tailscale/corp#8427

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-12-16 10:14:00 -08:00
Brad Fitzpatrick
651e0d8aad ssh/tailssh: add envknob for default PATH
As backup plan, just in case the earlier fix's logic wasn't correct
and we want to experiment in the field or have users have a quicker
fix.

Updates #5285

Change-Id: I7447466374d11f8f609de6dfbc4d9a944770826d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-15 15:01:04 -08:00
License Updater
fc0fe99edf licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-15 10:49:12 -08:00
Brad Fitzpatrick
c02ccf6424 go.mod: bump dhcp dep to remove another endian package from our tree
To pull in insomniacslk/dhcp#484 to pull in u-root/uio#8

Updates golang/go#57237

Change-Id: I1e56656e0dc9ec0b870f799fe3bc18b3caac1ee4
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-15 10:47:25 -08:00
License Updater
97c615889d licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-15 10:10:19 -08:00
License Updater
a8f07153a6 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply@tailscale.com>
2022-12-15 09:11:33 -08:00
Anton Tolchanov
53c4892841 ipn/ipnserver: propagate http.Serve error
This ensures that we capture error returned by `Serve` and exit with a
non-zero exit code if it happens.

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2022-12-15 15:01:56 +00:00
David Anderson
8171eb600c cmd/k8s-operator: move the operator into its own namespace.
The operator creates a fair bit of internal cluster state to manage proxying,
dumping it all in the default namespace is handy for development but rude
for production.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-14 20:05:35 -08:00
Brad Fitzpatrick
56f7da0cfd
ssh/tailssh: set default Tailscale SSH $PATH for non-interactive commands
Fixes #5285

Co-authored-by: Andrew Dunham <andrew@tailscale.com>
Change-Id: Ic7e967bf6a53b056cac5f21dd39565d9c31563af
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-14 18:45:35 -08:00
Joe Tsai
350aab05e5
util/multierr: optimize New for nil cases (#6750)
Consider the following pattern:

	err1 := foo()
	err2 := bar()
	err3 := baz()
	return multierr.New(err1, err2, err3)

If err1, err2, and err3 are all nil, then multierr.New should not allocate.
Thus, modify the logic of New to count the number of distinct error values
and allocate the exactly needed slice. This also speeds up non-empty error
situation since repeatedly growing with append is slow.

Performance:

	name         old time/op    new time/op    delta
	Empty-24       41.8ns ± 2%     6.4ns ± 1%   -84.73%  (p=0.000 n=10+10)
	NonEmpty-24     120ns ± 3%      69ns ± 1%   -42.01%  (p=0.000 n=9+10)

	name         old alloc/op   new alloc/op   delta
	Empty-24        64.0B ± 0%      0.0B       -100.00%  (p=0.000 n=10+10)
	NonEmpty-24      168B ± 0%       88B ± 0%   -47.62%  (p=0.000 n=10+10)

	name         old allocs/op  new allocs/op  delta
	Empty-24         1.00 ± 0%      0.00       -100.00%  (p=0.000 n=10+10)
	NonEmpty-24      3.00 ± 0%      2.00 ± 0%   -33.33%  (p=0.000 n=10+10)

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-12-14 18:17:38 -08:00
Jordan Whited
55b24009f7
net/tstun: don't return early from a partial tun.Read() (#6745)
Fixes #6730

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2022-12-14 16:29:34 -08:00
David Anderson
3a5fc233aa cmd/k8s-operator: use oauth credentials for API access.
This automates both the operator's initial login, and
provisioning/deprovisioning of proxies.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-14 14:05:28 -08:00
David Anderson
a7ab3429b6 cmd/k8s-operator: refactor reconcile loop, un-plumbing reconcile.Result.
We used to need to do timed requeues in a few places in the reconcile logic,
and the easiest way to do that was to plumb reconcile.Result return values
around. But now we're purely event-driven, so the only thing we care about
is whether or not an error occurred.

Incidentally also fix a very minor bug where headless services would get
completely ignored, rather than reconciled into the correct state. This
shouldn't matter in practice because you can't transition from a headful
to a headless service without a deletion, but for consistency let's avoid
having a path that takes no definite action if a service of interest does
exist.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-14 11:35:59 -08:00
Denton Gentry
da53b1347b cmd/gitops-pusher: support alternate api-server URLs
Fixes https://github.com/tailscale/coral/issues/90

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-12-14 05:07:12 -08:00
David Anderson
835a73cc1f cmd/k8s-operator: remove unnecessary timed requeue.
Previously, we had to do blind timed requeues while waiting for
the tailscale hostname, because we looked up the hostname through
the API. But now the proxy container image writes back its hostname
to the k8s secret, so we get an event-triggered reconcile automatically
when the time is right.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 17:15:06 -08:00
David Anderson
d857fd00b3 cmd/k8s-operator: sprinkle debug logging throughout.
As is convention in the k8s world, use zap for structured logging. For
development, OPERATOR_LOGGING=dev switches to a more human-readable output
than JSON.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 17:15:06 -08:00
David Anderson
8ccd707218 cmd/k8s-operator: remove times requeues in proxy deletion path.
Our reconcile loop gets triggered again when the StatefulSet object
finally disappears (in addition to when its deletion starts, as indicated
by DeletionTimestamp != 0). So, we don't need to queue additional
reconciliations to proceed with the remainder of the cleanup, that
happens organically.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 13:49:35 -08:00
David Anderson
c0fcab01ac client/tailscale: fix request object for key creation.
The request takes key capabilities as an argument, but wrapped in a parent
object.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 13:49:35 -08:00
Andrew Dunham
3f4d51c588 net/dns: don't send on closed channel when message too large
Previously, if a DNS-over-TCP message was received while there were
existing queries in-flight, and it was over the size limit, we'd close
the 'responses' channel. This would cause those in-flight queries to
send on the closed channel and panic.

Instead, don't close the channel at all and rely on s.ctx being
canceled, which will ensure that in-flight queries don't hang.

Fixes #6725

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I8267728ac37ed7ae38ddd09ce2633a5824320097
2022-12-13 15:54:17 -05:00
Brad Fitzpatrick
44be59c15a wgengine/magicsock: fix panic in wireguard-go rate limiting path
Fixes #6686

Change-Id: I1055a87141b07261afed8e36c963a69f3be26088
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-13 10:51:55 -08:00
Andrew Dunham
0d47cd2284 wgengine/monitor: fix panic due to race on Windows
It's possible for the 'somethingChanged' callback to be registered and
then trigger before the ctx field is assigned; move the assignment
earlier so this can't happen.

Change-Id: Ia7ee8b937299014a083ab40adf31a8b3e0db4ec5
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2022-12-13 13:28:12 -05:00
David Anderson
d81a2b2ce2 Makefile: add a target for doing dev builds of the k8s operator.
Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 09:50:57 -08:00
David Anderson
9c77205ba1 cmd/k8s-operator: add more tests for "normal" paths.
Tests cover configuring a proxy through an annotation rather than a
LoadBalancerClass, and converting between those two modes at runtime.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 09:31:01 -08:00
David Anderson
c902190e67 cmd/k8s-operator: factor out some of the larger expected test outputs.
For other test cases, the operator is going to produce similar generated
objects in several codepaths, and those objects are large. Move them out
to helpers so that the main test code stays a bit more intelligible.

The top-level Service that we start and end with remains in the main test
body, because its shape at the start and end is one of the main things that
varies a lot between test cases.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-13 09:31:01 -08:00
David Anderson
8dbb3b8bbe cmd/k8s-operator: remove unused structs. Cleanup missed in #6718.
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-12 21:31:06 -08:00
David Anderson
53a9cc76c7 cmd/k8s-operator: rename main.go -> operator.go.
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-12 21:18:31 -08:00
David Anderson
bc8f5a7734 cmd/k8s-operator: add a basic unit test.
The test verifies one of the successful reconcile paths, where
a client requests an exposed service via a LoadBalancer class.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-12 21:18:31 -08:00
David Anderson
3b7ae39a06 cmd/k8s-operator: use the client's authkey method to create auth keys.
Also introduces an intermediary interface for the tailscale client, in
preparation for operator tests that fake out the Tailscale API interaction.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-12 21:18:31 -08:00
Brad Fitzpatrick
ca08e316af util/endian: delete package; use updated josharian/native instead
See josharian/native#3

Updates golang/go#57237

Change-Id: I238c04c6654e5b9e7d9cfb81a7bbc5e1043a84a2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-12-12 20:12:45 -08:00