mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-10 18:13:41 +00:00
a482dc037b
This package grew organically over time and is an awful mix of explicitly declared options and globally set parameters via environment variables and other subtle effects. Add a new Options and TransportOptions type to allow for the creation of a Policy or http.RoundTripper with some set of options. The options struct avoids the need to add yet more NewXXX functions for every possible combination of ordered arguments. The goal of this refactor is to allow specifying the http.Client to use with the Policy. Updates tailscale/corp#18177 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
974 lines
29 KiB
Go
974 lines
29 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
// Package logpolicy manages the creation or reuse of logtail loggers,
|
|
// caching collection instance state on disk for use on future runs of
|
|
// programs on the same machine.
|
|
package logpolicy
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"cmp"
|
|
"context"
|
|
"crypto/tls"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"net/netip"
|
|
"net/url"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"runtime"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"golang.org/x/term"
|
|
"tailscale.com/atomicfile"
|
|
"tailscale.com/envknob"
|
|
"tailscale.com/health"
|
|
"tailscale.com/hostinfo"
|
|
"tailscale.com/log/filelogger"
|
|
"tailscale.com/logtail"
|
|
"tailscale.com/logtail/filch"
|
|
"tailscale.com/net/dnscache"
|
|
"tailscale.com/net/dnsfallback"
|
|
"tailscale.com/net/netknob"
|
|
"tailscale.com/net/netmon"
|
|
"tailscale.com/net/netns"
|
|
"tailscale.com/net/tlsdial"
|
|
"tailscale.com/net/tshttpproxy"
|
|
"tailscale.com/paths"
|
|
"tailscale.com/safesocket"
|
|
"tailscale.com/types/logger"
|
|
"tailscale.com/types/logid"
|
|
"tailscale.com/util/clientmetric"
|
|
"tailscale.com/util/must"
|
|
"tailscale.com/util/racebuild"
|
|
"tailscale.com/util/syspolicy"
|
|
"tailscale.com/util/testenv"
|
|
"tailscale.com/version"
|
|
"tailscale.com/version/distro"
|
|
)
|
|
|
|
var getLogTargetOnce struct {
|
|
sync.Once
|
|
v string // URL of logs server, or empty for default
|
|
}
|
|
|
|
func getLogTarget() string {
|
|
getLogTargetOnce.Do(func() {
|
|
envTarget, _ := os.LookupEnv("TS_LOG_TARGET")
|
|
getLogTargetOnce.v, _ = syspolicy.GetString(syspolicy.LogTarget, envTarget)
|
|
})
|
|
|
|
return getLogTargetOnce.v
|
|
}
|
|
|
|
// LogURL is the base URL for the configured logtail server, or the default.
|
|
// It is guaranteed to not terminate with any forward slashes.
|
|
func LogURL() string {
|
|
if v := getLogTarget(); v != "" {
|
|
return strings.TrimRight(v, "/")
|
|
}
|
|
return "https://" + logtail.DefaultHost
|
|
}
|
|
|
|
// LogHost returns the hostname only (without port) of the configured
|
|
// logtail server, or the default.
|
|
//
|
|
// Deprecated: Use LogURL instead.
|
|
func LogHost() string {
|
|
if v := getLogTarget(); v != "" {
|
|
if u, err := url.Parse(v); err == nil {
|
|
return u.Hostname()
|
|
}
|
|
}
|
|
return logtail.DefaultHost
|
|
}
|
|
|
|
// Config represents an instance of logs in a collection.
|
|
type Config struct {
|
|
Collection string
|
|
PrivateID logid.PrivateID
|
|
PublicID logid.PublicID
|
|
}
|
|
|
|
// Policy is a logger and its public ID.
|
|
type Policy struct {
|
|
// Logtail is the logger.
|
|
Logtail *logtail.Logger
|
|
// PublicID is the logger's instance identifier.
|
|
PublicID logid.PublicID
|
|
// Logf is where to write informational messages about this Logger.
|
|
Logf logger.Logf
|
|
}
|
|
|
|
// NewConfig creates a Config with collection and a newly generated PrivateID.
|
|
func NewConfig(collection string) *Config {
|
|
id := must.Get(logid.NewPrivateID())
|
|
return &Config{
|
|
Collection: collection,
|
|
PrivateID: id,
|
|
PublicID: id.Public(),
|
|
}
|
|
}
|
|
|
|
// Validate verifies that the Config matches the collection,
|
|
// and that the PrivateID and PublicID pair are sensible.
|
|
func (c *Config) Validate(collection string) error {
|
|
switch {
|
|
case c == nil:
|
|
return errors.New("config is nil")
|
|
case c.Collection != collection:
|
|
return fmt.Errorf("config collection %q does not match %q", c.Collection, collection)
|
|
case c.PrivateID.IsZero():
|
|
return errors.New("config has zero PrivateID")
|
|
case c.PrivateID.Public() != c.PublicID:
|
|
return errors.New("config PrivateID does not match PublicID")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ToBytes returns the JSON representation of c.
|
|
func (c *Config) ToBytes() []byte {
|
|
data, err := json.MarshalIndent(c, "", "\t")
|
|
if err != nil {
|
|
log.Fatalf("logpolicy.Config marshal: %v", err)
|
|
}
|
|
return data
|
|
}
|
|
|
|
// Save writes the JSON representation of c to stateFile.
|
|
func (c *Config) Save(stateFile string) error {
|
|
c.PublicID = c.PrivateID.Public()
|
|
if err := os.MkdirAll(filepath.Dir(stateFile), 0750); err != nil {
|
|
return err
|
|
}
|
|
data := c.ToBytes()
|
|
if err := atomicfile.WriteFile(stateFile, data, 0600); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ConfigFromFile reads a Config from a JSON file.
|
|
func ConfigFromFile(statefile string) (*Config, error) {
|
|
b, err := os.ReadFile(statefile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return ConfigFromBytes(b)
|
|
}
|
|
|
|
// ConfigFromBytes parses a Config from its JSON encoding.
|
|
func ConfigFromBytes(jsonEnc []byte) (*Config, error) {
|
|
c := &Config{}
|
|
if err := json.Unmarshal(jsonEnc, c); err != nil {
|
|
return nil, err
|
|
}
|
|
return c, nil
|
|
}
|
|
|
|
// stderrWriter is an io.Writer that always writes to the latest
|
|
// os.Stderr, even if os.Stderr changes during the lifetime of the
|
|
// stderrWriter value.
|
|
type stderrWriter struct{}
|
|
|
|
func (stderrWriter) Write(buf []byte) (int, error) {
|
|
return os.Stderr.Write(buf)
|
|
}
|
|
|
|
type logWriter struct {
|
|
logger *log.Logger
|
|
}
|
|
|
|
func (l logWriter) Write(buf []byte) (int, error) {
|
|
l.logger.Printf("%s", buf)
|
|
return len(buf), nil
|
|
}
|
|
|
|
// LogsDir returns the directory to use for log configuration and
|
|
// buffer storage.
|
|
func LogsDir(logf logger.Logf) string {
|
|
if d := os.Getenv("TS_LOGS_DIR"); d != "" {
|
|
fi, err := os.Stat(d)
|
|
if err == nil && fi.IsDir() {
|
|
return d
|
|
}
|
|
}
|
|
|
|
switch runtime.GOOS {
|
|
case "windows":
|
|
if version.CmdName() == "tailscaled" {
|
|
// In the common case, when tailscaled is run as the Local System (as a service),
|
|
// we want to use %ProgramData% (C:\ProgramData\Tailscale), aside the
|
|
// system state config with the machine key, etc. But if that directory's
|
|
// not accessible, then it's probably because the user is running tailscaled
|
|
// as a regular user (perhaps in userspace-networking/SOCK5 mode) and we should
|
|
// just use the %LocalAppData% instead. In a user context, %LocalAppData% isn't
|
|
// subject to random deletions from Windows system updates.
|
|
dir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
|
|
if winProgramDataAccessible(dir) {
|
|
logf("logpolicy: using dir %v", dir)
|
|
return dir
|
|
}
|
|
}
|
|
dir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale")
|
|
logf("logpolicy: using LocalAppData dir %v", dir)
|
|
return dir
|
|
case "linux":
|
|
// STATE_DIRECTORY is set by systemd 240+ but we support older
|
|
// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
|
|
systemdStateDir := os.Getenv("STATE_DIRECTORY")
|
|
if systemdStateDir != "" {
|
|
logf("logpolicy: using $STATE_DIRECTORY, %q", systemdStateDir)
|
|
return systemdStateDir
|
|
}
|
|
case "js":
|
|
logf("logpolicy: no logs directory in the browser")
|
|
return ""
|
|
}
|
|
|
|
// Default to e.g. /var/lib/tailscale or /var/db/tailscale on Unix.
|
|
if d := paths.DefaultTailscaledStateFile(); d != "" {
|
|
d = filepath.Dir(d) // directory of e.g. "/var/lib/tailscale/tailscaled.state"
|
|
if err := os.MkdirAll(d, 0700); err == nil {
|
|
logf("logpolicy: using system state directory %q", d)
|
|
return d
|
|
}
|
|
}
|
|
|
|
cacheDir, err := os.UserCacheDir()
|
|
if err == nil {
|
|
d := filepath.Join(cacheDir, "Tailscale")
|
|
logf("logpolicy: using UserCacheDir, %q", d)
|
|
return d
|
|
}
|
|
|
|
// Use the current working directory, unless we're being run by a
|
|
// service manager that sets it to /.
|
|
wd, err := os.Getwd()
|
|
if err == nil && wd != "/" {
|
|
logf("logpolicy: using current directory, %q", wd)
|
|
return wd
|
|
}
|
|
|
|
// No idea where to put stuff. Try to create a temp dir. It'll
|
|
// mean we might lose some logs and rotate through log IDs, but
|
|
// it's something.
|
|
tmp, err := os.MkdirTemp("", "tailscaled-log-*")
|
|
if err != nil {
|
|
panic("no safe place found to store log state")
|
|
}
|
|
logf("logpolicy: using temp directory, %q", tmp)
|
|
return tmp
|
|
}
|
|
|
|
// runningUnderSystemd reports whether we're running under systemd.
|
|
func runningUnderSystemd() bool {
|
|
if runtime.GOOS == "linux" && os.Getppid() == 1 {
|
|
slurp, _ := os.ReadFile("/proc/1/stat")
|
|
return bytes.HasPrefix(slurp, []byte("1 (systemd) "))
|
|
}
|
|
return false
|
|
}
|
|
|
|
func redirectStderrToLogPanics() bool {
|
|
return runningUnderSystemd() || envknob.Bool("TS_PLEASE_PANIC")
|
|
}
|
|
|
|
// winProgramDataAccessible reports whether the directory (assumed to
|
|
// be a Windows %ProgramData% directory) is accessible to the current
|
|
// process. It's created if needed.
|
|
func winProgramDataAccessible(dir string) bool {
|
|
if err := os.MkdirAll(dir, 0700); err != nil {
|
|
// TODO: windows ACLs
|
|
return false
|
|
}
|
|
// The C:\ProgramData\Tailscale directory should be locked down
|
|
// by with ACLs to only be readable by the local system so a
|
|
// regular user shouldn't be able to do this operation:
|
|
if _, err := os.ReadDir(dir); err != nil {
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// tryFixLogStateLocation is a temporary fixup for
|
|
// https://github.com/tailscale/tailscale/issues/247 . We accidentally
|
|
// wrote logging state files to /, and then later to $CACHE_DIRECTORY
|
|
// (which is incorrect because the log ID is not reconstructible if
|
|
// deleted - it's state, not cache data).
|
|
//
|
|
// If log state for cmdname exists in / or $CACHE_DIRECTORY, and no
|
|
// log state for that command exists in dir, then the log state is
|
|
// moved from wherever it does exist, into dir. Leftover logs state
|
|
// in / and $CACHE_DIRECTORY is deleted.
|
|
func tryFixLogStateLocation(dir, cmdname string, logf logger.Logf) {
|
|
switch runtime.GOOS {
|
|
case "linux", "freebsd", "openbsd":
|
|
// These are the OSes where we might have written stuff into
|
|
// root. Others use different logic to find the logs storage
|
|
// dir.
|
|
default:
|
|
return
|
|
}
|
|
if cmdname == "" {
|
|
logf("[unexpected] no cmdname given to tryFixLogStateLocation, please file a bug at https://github.com/tailscale/tailscale")
|
|
return
|
|
}
|
|
if dir == "/" {
|
|
// Trying to store things in / still. That's a bug, but don't
|
|
// abort hard.
|
|
logf("[unexpected] storing logging config in /, please file a bug at https://github.com/tailscale/tailscale")
|
|
return
|
|
}
|
|
if os.Getuid() != 0 {
|
|
// Only root could have written log configs to weird places.
|
|
return
|
|
}
|
|
|
|
// We stored logs in 2 incorrect places: either /, or CACHE_DIR
|
|
// (aka /var/cache/tailscale). We want to move files into the
|
|
// provided dir, preferring those in CACHE_DIR over those in / if
|
|
// both exist. If files already exist in dir, don't
|
|
// overwrite. Finally, once we've maybe moved files around, we
|
|
// want to delete leftovers in / and CACHE_DIR, to clean up after
|
|
// our past selves.
|
|
|
|
files := []string{
|
|
fmt.Sprintf("%s.log.conf", cmdname),
|
|
fmt.Sprintf("%s.log1.txt", cmdname),
|
|
fmt.Sprintf("%s.log2.txt", cmdname),
|
|
}
|
|
|
|
// checks if any of the files above exist in d.
|
|
checkExists := func(d string) (bool, error) {
|
|
for _, file := range files {
|
|
p := filepath.Join(d, file)
|
|
_, err := os.Stat(p)
|
|
if os.IsNotExist(err) {
|
|
continue
|
|
} else if err != nil {
|
|
return false, fmt.Errorf("stat %q: %w", p, err)
|
|
}
|
|
return true, nil
|
|
}
|
|
return false, nil
|
|
}
|
|
// move files from d into dir, if they exist.
|
|
moveFiles := func(d string) error {
|
|
for _, file := range files {
|
|
src := filepath.Join(d, file)
|
|
_, err := os.Stat(src)
|
|
if os.IsNotExist(err) {
|
|
continue
|
|
} else if err != nil {
|
|
return fmt.Errorf("stat %q: %v", src, err)
|
|
}
|
|
dst := filepath.Join(dir, file)
|
|
bs, err := exec.Command("mv", src, dst).CombinedOutput()
|
|
if err != nil {
|
|
return fmt.Errorf("mv %q %q: %v (%s)", src, dst, err, bs)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
existsInRoot, err := checkExists("/")
|
|
if err != nil {
|
|
logf("checking for configs in /: %v", err)
|
|
return
|
|
}
|
|
existsInCache := false
|
|
cacheDir := os.Getenv("CACHE_DIRECTORY")
|
|
if cacheDir != "" {
|
|
existsInCache, err = checkExists("/var/cache/tailscale")
|
|
if err != nil {
|
|
logf("checking for configs in %s: %v", cacheDir, err)
|
|
}
|
|
}
|
|
existsInDest, err := checkExists(dir)
|
|
if err != nil {
|
|
logf("checking for configs in %s: %v", dir, err)
|
|
return
|
|
}
|
|
|
|
switch {
|
|
case !existsInRoot && !existsInCache:
|
|
// No leftover files, nothing to do.
|
|
return
|
|
case existsInDest:
|
|
// Already have "canonical" configs, just delete any remnants
|
|
// (below).
|
|
case existsInCache:
|
|
// CACHE_DIRECTORY takes precedence over /, move files from
|
|
// there.
|
|
if err := moveFiles(cacheDir); err != nil {
|
|
logf("%v", err)
|
|
return
|
|
}
|
|
case existsInRoot:
|
|
// Files from root is better than nothing.
|
|
if err := moveFiles("/"); err != nil {
|
|
logf("%v", err)
|
|
return
|
|
}
|
|
}
|
|
|
|
// If moving succeeded, or we didn't need to move files, try to
|
|
// delete any leftover files, but it's okay if we can't delete
|
|
// them for some reason.
|
|
dirs := []string{}
|
|
if existsInCache {
|
|
dirs = append(dirs, cacheDir)
|
|
}
|
|
if existsInRoot {
|
|
dirs = append(dirs, "/")
|
|
}
|
|
for _, d := range dirs {
|
|
for _, file := range files {
|
|
p := filepath.Join(d, file)
|
|
_, err := os.Stat(p)
|
|
if os.IsNotExist(err) {
|
|
continue
|
|
} else if err != nil {
|
|
logf("stat %q: %v", p, err)
|
|
return
|
|
}
|
|
if err := os.Remove(p); err != nil {
|
|
logf("rm %q: %v", p, err)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Deprecated: Use [Options.New] instead.
|
|
func New(collection string, netMon *netmon.Monitor, health *health.Tracker, logf logger.Logf) *Policy {
|
|
return Options{
|
|
Collection: collection,
|
|
NetMon: netMon,
|
|
Health: health,
|
|
Logf: logf,
|
|
}.New()
|
|
}
|
|
|
|
// Deprecated: Use [Options.New] instead.
|
|
func NewWithConfigPath(collection, dir, cmdName string, netMon *netmon.Monitor, health *health.Tracker, logf logger.Logf) *Policy {
|
|
return Options{
|
|
Collection: collection,
|
|
Dir: dir,
|
|
CmdName: cmdName,
|
|
NetMon: netMon,
|
|
Health: health,
|
|
Logf: logf,
|
|
}.New()
|
|
}
|
|
|
|
// Options is used to construct a [Policy].
|
|
type Options struct {
|
|
// Collection is a required collection to upload logs under.
|
|
// Collection is a namespace for the type logs.
|
|
// For example, logs for a node use "tailnode.log.tailscale.io".
|
|
Collection string
|
|
|
|
// Dir is an optional directory to store the log configuration.
|
|
// If empty, [LogsDir] is used.
|
|
Dir string
|
|
|
|
// CmdName is an optional name of the current binary.
|
|
// If empty, [version.CmdName] is used.
|
|
CmdName string
|
|
|
|
// NetMon is an optional parameter for monitoring.
|
|
// If non-nil, it's used to do faster interface lookups.
|
|
NetMon *netmon.Monitor
|
|
|
|
// Health is an optional parameter for health status.
|
|
// If non-nil, it's used to construct the default HTTP client.
|
|
Health *health.Tracker
|
|
|
|
// Logf is an optional logger to use.
|
|
// If nil, [log.Printf] will be used instead.
|
|
Logf logger.Logf
|
|
|
|
// HTTPC is an optional client to use upload logs.
|
|
// If nil, [TransportOptions.New] is used to construct a new client
|
|
// with that particular transport sending logs to the default logs server.
|
|
HTTPC *http.Client
|
|
}
|
|
|
|
// New returns a new log policy (a logger and its instance ID).
|
|
func (opts Options) New() *Policy {
|
|
if hostinfo.IsNATLabGuestVM() {
|
|
// In NATLab Gokrazy instances, tailscaled comes up concurently with
|
|
// DHCP and the doesn't have DNS for a while. Wait for DHCP first.
|
|
awaitGokrazyNetwork()
|
|
}
|
|
var lflags int
|
|
if term.IsTerminal(2) || runtime.GOOS == "windows" {
|
|
lflags = 0
|
|
} else {
|
|
lflags = log.LstdFlags
|
|
}
|
|
if envknob.Bool("TS_DEBUG_LOG_TIME") {
|
|
lflags = log.LstdFlags | log.Lmicroseconds
|
|
}
|
|
if runningUnderSystemd() {
|
|
// If journalctl is going to prepend its own timestamp
|
|
// anyway, no need to add one.
|
|
lflags = 0
|
|
}
|
|
console := log.New(stderrWriter{}, "", lflags)
|
|
|
|
var earlyErrBuf bytes.Buffer
|
|
earlyLogf := func(format string, a ...any) {
|
|
fmt.Fprintf(&earlyErrBuf, format, a...)
|
|
earlyErrBuf.WriteByte('\n')
|
|
}
|
|
|
|
if opts.Dir == "" {
|
|
opts.Dir = LogsDir(earlyLogf)
|
|
}
|
|
if opts.CmdName == "" {
|
|
opts.CmdName = version.CmdName()
|
|
}
|
|
|
|
useStdLogger := opts.Logf == nil
|
|
if useStdLogger {
|
|
opts.Logf = log.Printf
|
|
}
|
|
tryFixLogStateLocation(opts.Dir, opts.CmdName, opts.Logf)
|
|
|
|
cfgPath := filepath.Join(opts.Dir, fmt.Sprintf("%s.log.conf", opts.CmdName))
|
|
|
|
if runtime.GOOS == "windows" {
|
|
switch opts.CmdName {
|
|
case "tailscaled":
|
|
// Tailscale 1.14 and before stored state under %LocalAppData%
|
|
// (usually "C:\WINDOWS\system32\config\systemprofile\AppData\Local"
|
|
// when tailscaled.exe is running as a non-user system service).
|
|
// However it is frequently cleared for almost any reason: Windows
|
|
// updates, System Restore, even various System Cleaner utilities.
|
|
//
|
|
// The Windows service previously ran as tailscale-ipn.exe, so
|
|
// machines which ran very old versions might still have their
|
|
// log conf named %LocalAppData%\tailscale-ipn.log.conf
|
|
//
|
|
// Machines which started using Tailscale more recently will have
|
|
// %LocalAppData%\tailscaled.log.conf
|
|
//
|
|
// Attempt to migrate the log conf to C:\ProgramData\Tailscale
|
|
oldDir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale")
|
|
|
|
oldPath := filepath.Join(oldDir, "tailscaled.log.conf")
|
|
if fi, err := os.Stat(oldPath); err != nil || !fi.Mode().IsRegular() {
|
|
// *Only* if tailscaled.log.conf does not exist,
|
|
// check for tailscale-ipn.log.conf
|
|
oldPathOldCmd := filepath.Join(oldDir, "tailscale-ipn.log.conf")
|
|
if fi, err := os.Stat(oldPathOldCmd); err == nil && fi.Mode().IsRegular() {
|
|
oldPath = oldPathOldCmd
|
|
}
|
|
}
|
|
|
|
cfgPath = paths.TryConfigFileMigration(earlyLogf, oldPath, cfgPath)
|
|
case "tailscale-ipn":
|
|
for _, oldBase := range []string{"wg64.log.conf", "wg32.log.conf"} {
|
|
oldConf := filepath.Join(opts.Dir, oldBase)
|
|
if fi, err := os.Stat(oldConf); err == nil && fi.Mode().IsRegular() {
|
|
cfgPath = paths.TryConfigFileMigration(earlyLogf, oldConf, cfgPath)
|
|
break
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
newc, err := ConfigFromFile(cfgPath)
|
|
if err != nil {
|
|
earlyLogf("logpolicy.ConfigFromFile %v: %v", cfgPath, err)
|
|
}
|
|
if err := newc.Validate(opts.Collection); err != nil {
|
|
earlyLogf("logpolicy.Config.Validate for %v: %v", cfgPath, err)
|
|
newc = NewConfig(opts.Collection)
|
|
if err := newc.Save(cfgPath); err != nil {
|
|
earlyLogf("logpolicy.Config.Save for %v: %v", cfgPath, err)
|
|
}
|
|
}
|
|
|
|
conf := logtail.Config{
|
|
Collection: newc.Collection,
|
|
PrivateID: newc.PrivateID,
|
|
Stderr: logWriter{console},
|
|
CompressLogs: true,
|
|
}
|
|
if opts.Collection == logtail.CollectionNode {
|
|
conf.MetricsDelta = clientmetric.EncodeLogTailMetricsDelta
|
|
conf.IncludeProcID = true
|
|
conf.IncludeProcSequence = true
|
|
}
|
|
|
|
if envknob.NoLogsNoSupport() || testenv.InTest() {
|
|
opts.Logf("You have disabled logging. Tailscale will not be able to provide support.")
|
|
conf.HTTPC = &http.Client{Transport: noopPretendSuccessTransport{}}
|
|
} else {
|
|
// Only attach an on-disk filch buffer if we are going to be sending logs.
|
|
// No reason to persist them locally just to drop them later.
|
|
attachFilchBuffer(&conf, opts.Dir, opts.CmdName, opts.Logf)
|
|
conf.HTTPC = opts.HTTPC
|
|
|
|
if conf.HTTPC == nil {
|
|
logHost := logtail.DefaultHost
|
|
if val := getLogTarget(); val != "" {
|
|
opts.Logf("You have enabled a non-default log target. Doing without being told to by Tailscale staff or your network administrator will make getting support difficult.")
|
|
conf.BaseURL = val
|
|
u, _ := url.Parse(val)
|
|
logHost = u.Host
|
|
}
|
|
conf.HTTPC = &http.Client{Transport: TransportOptions{
|
|
Host: logHost,
|
|
NetMon: opts.NetMon,
|
|
Health: opts.Health,
|
|
Logf: opts.Logf,
|
|
}.New()}
|
|
}
|
|
}
|
|
lw := logtail.NewLogger(conf, opts.Logf)
|
|
|
|
var logOutput io.Writer = lw
|
|
|
|
if runtime.GOOS == "windows" && conf.Collection == logtail.CollectionNode {
|
|
logID := newc.PublicID.String()
|
|
exe, _ := os.Executable()
|
|
if strings.EqualFold(filepath.Base(exe), "tailscaled.exe") {
|
|
diskLogf := filelogger.New("tailscale-service", logID, lw.Logf)
|
|
logOutput = logger.FuncWriter(diskLogf)
|
|
}
|
|
}
|
|
|
|
if useStdLogger {
|
|
log.SetFlags(0) // other log flags are set on console, not here
|
|
log.SetOutput(logOutput)
|
|
}
|
|
|
|
opts.Logf("Program starting: v%v, Go %v: %#v",
|
|
version.Long(),
|
|
goVersion(),
|
|
os.Args)
|
|
opts.Logf("LogID: %v", newc.PublicID)
|
|
if earlyErrBuf.Len() != 0 {
|
|
opts.Logf("%s", earlyErrBuf.Bytes())
|
|
}
|
|
|
|
return &Policy{
|
|
Logtail: lw,
|
|
PublicID: newc.PublicID,
|
|
Logf: opts.Logf,
|
|
}
|
|
}
|
|
|
|
// attachFilchBuffer creates an on-disk ring buffer using filch and attaches
|
|
// it to the logtail config. Note that this is optional; if no buffer is set,
|
|
// logtail will use an in-memory buffer.
|
|
func attachFilchBuffer(conf *logtail.Config, dir, cmdName string, logf logger.Logf) {
|
|
filchOptions := filch.Options{
|
|
ReplaceStderr: redirectStderrToLogPanics(),
|
|
}
|
|
filchPrefix := filepath.Join(dir, cmdName)
|
|
|
|
// NAS disks cannot hibernate if we're writing logs to them all the time.
|
|
// https://github.com/tailscale/tailscale/issues/3551
|
|
if runtime.GOOS == "linux" && (distro.Get() == distro.Synology || distro.Get() == distro.QNAP) {
|
|
tmpfsLogs := "/tmp/tailscale-logs"
|
|
if err := os.MkdirAll(tmpfsLogs, 0755); err == nil {
|
|
filchPrefix = filepath.Join(tmpfsLogs, cmdName)
|
|
filchOptions.MaxFileSize = 1 << 20
|
|
} else {
|
|
// not a fatal error, we can leave the log files on the spinning disk
|
|
logf("Unable to create /tmp directory for log storage: %v\n", err)
|
|
}
|
|
}
|
|
|
|
filchBuf, filchErr := filch.New(filchPrefix, filchOptions)
|
|
if filchBuf != nil {
|
|
conf.Buffer = filchBuf
|
|
if filchBuf.OrigStderr != nil {
|
|
conf.Stderr = filchBuf.OrigStderr
|
|
}
|
|
}
|
|
if filchErr != nil {
|
|
logf("filch failed: %v", filchErr)
|
|
}
|
|
}
|
|
|
|
// dialLog is used by NewLogtailTransport to log the happy path of its
|
|
// own dialing.
|
|
//
|
|
// By default it goes nowhere and is only enabled when
|
|
// tailscaled's in verbose mode.
|
|
//
|
|
// log.Printf isn't used so its own logs don't loop back into logtail
|
|
// in the happy path, thus generating more logs.
|
|
var dialLog = log.New(io.Discard, "logtail: ", log.LstdFlags|log.Lmsgprefix)
|
|
|
|
// SetVerbosityLevel controls the verbosity level that should be
|
|
// written to stderr. 0 is the default (not verbose). Levels 1 or higher
|
|
// are increasingly verbose.
|
|
//
|
|
// It should not be changed concurrently with log writes.
|
|
func (p *Policy) SetVerbosityLevel(level int) {
|
|
p.Logtail.SetVerbosityLevel(level)
|
|
if level > 0 {
|
|
dialLog.SetOutput(os.Stderr)
|
|
}
|
|
}
|
|
|
|
// Close immediately shuts down the logger.
|
|
func (p *Policy) Close() {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
cancel()
|
|
p.Shutdown(ctx)
|
|
}
|
|
|
|
// Shutdown gracefully shuts down the logger, finishing any current
|
|
// log upload if it can be done before ctx is canceled.
|
|
func (p *Policy) Shutdown(ctx context.Context) error {
|
|
if p.Logtail != nil {
|
|
p.Logf("flushing log.")
|
|
return p.Logtail.Shutdown(ctx)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// MakeDialFunc creates a net.Dialer.DialContext function specialized for use
|
|
// by logtail.
|
|
// It does the following:
|
|
// - If DNS lookup fails, consults the bootstrap DNS list of Tailscale hostnames.
|
|
// - If TLS connection fails, try again using LetsEncrypt's built-in root certificate,
|
|
// for the benefit of older OS platforms which might not include it.
|
|
//
|
|
// The netMon parameter is optional. It should be specified in environments where
|
|
// Tailscaled is manipulating the routing table.
|
|
func MakeDialFunc(netMon *netmon.Monitor, logf logger.Logf) func(ctx context.Context, netw, addr string) (net.Conn, error) {
|
|
if netMon == nil {
|
|
netMon = netmon.NewStatic()
|
|
}
|
|
return func(ctx context.Context, netw, addr string) (net.Conn, error) {
|
|
return dialContext(ctx, netw, addr, netMon, logf)
|
|
}
|
|
}
|
|
|
|
func dialContext(ctx context.Context, netw, addr string, netMon *netmon.Monitor, logf logger.Logf) (net.Conn, error) {
|
|
nd := netns.FromDialer(logf, netMon, &net.Dialer{
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: netknob.PlatformTCPKeepAlive(),
|
|
})
|
|
t0 := time.Now()
|
|
c, err := nd.DialContext(ctx, netw, addr)
|
|
d := time.Since(t0).Round(time.Millisecond)
|
|
if err == nil {
|
|
dialLog.Printf("dialed %q in %v", addr, d)
|
|
return c, nil
|
|
}
|
|
|
|
if version.IsWindowsGUI() && strings.HasPrefix(netw, "tcp") {
|
|
if c, err := safesocket.ConnectContext(ctx, ""); err == nil {
|
|
fmt.Fprintf(c, "CONNECT %s HTTP/1.0\r\n\r\n", addr)
|
|
br := bufio.NewReader(c)
|
|
res, err := http.ReadResponse(br, nil)
|
|
if err == nil && res.StatusCode != 200 {
|
|
err = errors.New(res.Status)
|
|
}
|
|
if err != nil {
|
|
logf("logtail: CONNECT response error from tailscaled: %v", err)
|
|
c.Close()
|
|
} else {
|
|
dialLog.Printf("connected via tailscaled")
|
|
return c, nil
|
|
}
|
|
}
|
|
}
|
|
|
|
// If we failed to dial, try again with bootstrap DNS.
|
|
logf("logtail: dial %q failed: %v (in %v), trying bootstrap...", addr, err, d)
|
|
dnsCache := &dnscache.Resolver{
|
|
Forward: dnscache.Get().Forward, // use default cache's forwarder
|
|
UseLastGood: true,
|
|
LookupIPFallback: dnsfallback.MakeLookupFunc(logf, netMon),
|
|
}
|
|
dialer := dnscache.Dialer(nd.DialContext, dnsCache)
|
|
c, err = dialer(ctx, netw, addr)
|
|
if err == nil {
|
|
logf("logtail: bootstrap dial succeeded")
|
|
}
|
|
return c, err
|
|
}
|
|
|
|
// Deprecated: Use [TransportOptions.New] instead.
|
|
func NewLogtailTransport(host string, netMon *netmon.Monitor, health *health.Tracker, logf logger.Logf) http.RoundTripper {
|
|
return TransportOptions{Host: host, NetMon: netMon, Health: health, Logf: logf}.New()
|
|
}
|
|
|
|
// TransportOptions is used to construct an [http.RoundTripper].
|
|
type TransportOptions struct {
|
|
// Host is the optional hostname of the logs server.
|
|
// If empty, then [logtail.DefaultHost] is used.
|
|
Host string
|
|
|
|
// NetMon is an optional parameter for monitoring.
|
|
// If non-nil, it's used to do faster interface lookups.
|
|
NetMon *netmon.Monitor
|
|
|
|
// Health is an optional parameter for health status.
|
|
// If non-nil, it's used to construct the default HTTP client.
|
|
Health *health.Tracker
|
|
|
|
// Logf is an optional logger to use.
|
|
// If nil, [log.Printf] will be used instead.
|
|
Logf logger.Logf
|
|
|
|
// TLSClientConfig is an optional TLS configuration to use.
|
|
// If non-nil, the configuration will be cloned.
|
|
TLSClientConfig *tls.Config
|
|
}
|
|
|
|
// New returns an HTTP Transport particularly suited to uploading logs
|
|
// to the given host name. See [DialContext] for details on how it works.
|
|
func (opts TransportOptions) New() http.RoundTripper {
|
|
if testenv.InTest() {
|
|
return noopPretendSuccessTransport{}
|
|
}
|
|
if opts.NetMon == nil {
|
|
opts.NetMon = netmon.NewStatic()
|
|
}
|
|
// Start with a copy of http.DefaultTransport and tweak it a bit.
|
|
tr := http.DefaultTransport.(*http.Transport).Clone()
|
|
if opts.TLSClientConfig != nil {
|
|
tr.TLSClientConfig = opts.TLSClientConfig.Clone()
|
|
}
|
|
|
|
tr.Proxy = tshttpproxy.ProxyFromEnvironment
|
|
tshttpproxy.SetTransportGetProxyConnectHeader(tr)
|
|
|
|
// We do our own zstd compression on uploads, and responses never contain any payload,
|
|
// so don't send "Accept-Encoding: gzip" to save a few bytes on the wire, since there
|
|
// will never be any body to decompress:
|
|
tr.DisableCompression = true
|
|
|
|
// Log whenever we dial:
|
|
if opts.Logf == nil {
|
|
opts.Logf = log.Printf
|
|
}
|
|
tr.DialContext = MakeDialFunc(opts.NetMon, opts.Logf)
|
|
|
|
// We're uploading logs ideally infrequently, with specific timing that will
|
|
// change over time. Try to keep the connection open, to avoid repeatedly
|
|
// paying the cost of TLS setup.
|
|
tr.IdleConnTimeout = time.Hour
|
|
|
|
// We're contacting exactly 1 hostname, so the default's 100
|
|
// max idle conns is very high for our needs. Even 2 is
|
|
// probably double what we need:
|
|
tr.MaxIdleConns = 2
|
|
|
|
// Provide knob to force HTTP/1 for log uploads.
|
|
// TODO(bradfitz): remove this debug knob once we've decided
|
|
// to upload via HTTP/1 or HTTP/2 (probably HTTP/1). Or we might just enforce
|
|
// it server-side.
|
|
if envknob.Bool("TS_DEBUG_FORCE_H1_LOGS") {
|
|
tr.TLSClientConfig = nil // DefaultTransport's was already initialized w/ h2
|
|
tr.ForceAttemptHTTP2 = false
|
|
tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}
|
|
}
|
|
|
|
host := cmp.Or(opts.Host, logtail.DefaultHost)
|
|
tr.TLSClientConfig = tlsdial.Config(host, opts.Health, tr.TLSClientConfig)
|
|
// Force TLS 1.3 since we know log.tailscale.io supports it.
|
|
tr.TLSClientConfig.MinVersion = tls.VersionTLS13
|
|
|
|
return tr
|
|
}
|
|
|
|
func goVersion() string {
|
|
v := strings.TrimPrefix(runtime.Version(), "go")
|
|
if racebuild.On {
|
|
return v + "-race"
|
|
}
|
|
return v
|
|
}
|
|
|
|
type noopPretendSuccessTransport struct{}
|
|
|
|
func (noopPretendSuccessTransport) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
io.Copy(io.Discard, req.Body)
|
|
req.Body.Close()
|
|
return &http.Response{
|
|
StatusCode: 200,
|
|
Status: "200 OK",
|
|
}, nil
|
|
}
|
|
|
|
func awaitGokrazyNetwork() {
|
|
if runtime.GOOS != "linux" || distro.Get() != distro.Gokrazy {
|
|
return
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
|
defer cancel()
|
|
|
|
for {
|
|
// Before DHCP finishes, the /etc/resolv.conf file has just "#MANUAL".
|
|
all, _ := os.ReadFile("/etc/resolv.conf")
|
|
if bytes.Contains(all, []byte("nameserver ")) {
|
|
good := true
|
|
firstLine, _, ok := strings.Cut(string(all), "\n")
|
|
if ok {
|
|
ns, ok := strings.CutPrefix(firstLine, "nameserver ")
|
|
if ok {
|
|
if ip, err := netip.ParseAddr(ns); err == nil && ip.Is6() && !ip.IsLinkLocalUnicast() {
|
|
good = haveGlobalUnicastIPv6()
|
|
}
|
|
}
|
|
}
|
|
if good {
|
|
return
|
|
}
|
|
}
|
|
select {
|
|
case <-ctx.Done():
|
|
return
|
|
case <-time.After(500 * time.Millisecond):
|
|
}
|
|
}
|
|
}
|
|
|
|
// haveGlobalUnicastIPv6 reports whether the machine has a IPv6 non-private
|
|
// (non-ULA) global unicast address.
|
|
//
|
|
// It's only intended for use in natlab integration tests so only works on
|
|
// Linux/macOS now and not environments (such as Android) where net.Interfaces
|
|
// doesn't work directly.
|
|
func haveGlobalUnicastIPv6() bool {
|
|
ifs, _ := net.Interfaces()
|
|
for _, ni := range ifs {
|
|
aa, _ := ni.Addrs()
|
|
for _, a := range aa {
|
|
ipn, ok := a.(*net.IPNet)
|
|
if !ok {
|
|
continue
|
|
}
|
|
ip, _ := netip.AddrFromSlice(ipn.IP)
|
|
if ip.Is6() && ip.IsGlobalUnicast() && !ip.IsPrivate() {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
return false
|
|
}
|