N #4
Merged
N #4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Updates tailscale#10659 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
…10871) Updates tailscale#7667 Signed-off-by: Anishka Singh <anishkasingh66@gmail.com>
When tailscaled is run with "-debug 127.0.0.1:12345", these metrics are
available at:
http://localhost:12345/debug/metrics
Updates tailscale#8210
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I19db6c445ac1f8344df2bc1066a3d9c9030606f8
Plan9 CI is disabled. 3p dependencies do not build for the target. Contributor enthusiasm appears to have ceased again, and no usage has been made. Skipped gvisor, nfpm, and k8s. Updates tailscale#5794 Updates tailscale#8043 Signed-off-by: James Tucker <james@tailscale.com>
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
* VERSION.txt: this is v1.58.0 Signed-off-by: kari-ts <kari@tailscale.com> * VERSION.txt: this is v1.59.0 --------- Signed-off-by: kari-ts <kari@tailscale.com>
We issue redirects in a few different places, it's time to have a common helper to do target validation. Updates tailscale/corp#16875 Signed-off-by: David Anderson <danderson@tailscale.com>
The new 'toolchain' directive in go.mod can sometimes force the use of an upstream toolchain against our wishes. Concurrently, some of our dependencies have added the 'toolchain' directive, which transitively adds it to our own go.mod. Force all uses of gocross to ignore that directive and stick to our customized toolchain. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>
Updates tailscale#8043 Signed-off-by: James Tucker <james@tailscale.com>
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Updates tailscale/go#83 Signed-off-by: James Tucker <james@tailscale.com>
This no longer results in a nil pointer exception when we get a valid UPnP response with no supported clients. Updates tailscale#10911 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6e3715a49a193ff5261013871ad7fff197a4d77e
…ds (tailscale#10919) Do not provision resources for a tailscale Ingress that has no valid backends. Updates tailscale#10910 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This change allows us to perform batch modification for new route advertisements and route removals. Additionally, we now handle the case where newly added routes are covered by existing ranges. This change also introduces a new appctest package that contains some shared functions used for testing. Updates tailscale/corp#16833 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
…oute updates If control advised the connector to advertise a route that had already been discovered by DNS it would be incorrectly removed. Now those routes are preserved. Updates tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>
…#10844) This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates tailscale#540 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Don't append a trailing slash to a request path to the reverse proxy that matches the mount point exactly. Updates tailscale#10730 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>
These are functionally the same as the "urn:schemas-upnp-org" services with a few minor changes, and are still used by older devices. Support them to improve our ability to obtain an external IP on such networks. Updates tailscale#10911 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I05501fad9d6f0a3b8cf19fc95eee80e7d16cc2cf
expvarx.SafeFunc wraps an expvar.Func with a time limit. On reaching the time limit, calls to Value return nil, and no new concurrent calls to the underlying expvar.Func will be started until the call completes. Updates tailscale/corp#16999 Signed-off-by: James Tucker <james@tailscale.com>
When running as non-root non-operator user, you get this error: ``` $ tailscale serve 8080 Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root. ``` It should fail, but the error message is confusing. With this fix: ``` $ tailscale serve 8080 sending serve config: Access denied: serve config denied Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root. ``` Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Updates tailscale/corp#14698 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
gitops-pusher supports authenticating with an API key or OAuth credentials (added in tailscale#7393). You shouldn't ever use both of those together, so we error if both are set. In tailscale/gitops-acl-action#24, OAuth support is being added to the GitHub action. In that environment, both the TS_API_KEY and OAuth variables will be set, even if they are empty values. This causes an error in gitops-pusher which expects only one to be set. Update gitops-pusher to check that only one set of environment variables are non-empty, rather than just checking if they are set. Updates tailscale#7393 Signed-off-by: Will Norris <will@tailscale.com>
Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
When reporting ssh host keys to control, log a warning if we're unable to get the SSH host keys. Updates tailscale/escalations#21 Signed-off-by: Percy Wegmann <percy@tailscale.com>
The API on the DNS record parser is slightly subtle and requires explicit handling of unhandled records. Failure to advance previously resulted in an infinite loop in the pretty responder for any reply that contains a record other than A/AAAA/TXT. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>
Updates: corp#16409 Signed-off-by: Tom DNetto <tom@tailscale.com>
…ain is routed If any domain along a CNAME chain matches any of the routed domains, add routes for the discovered domains. Fixes tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>
If an app connector is also configured as an exit node, it should still advertise discovered routes that are not covered by advertised routes, excluding the exit node routes. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>
Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>
This eliminates unnecessary map.Clone() calls and also eliminates repetitive notifications about the same set of shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Remove IPv6 NAT check when routing is being set up using nftables. This is unnecessary as support for nftables was added after support for IPv6. https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources Additionally, run an extra check for IPv6 NAT support when the routing is set up with iptables. This is because the earlier checks rely on being able to use modprobe and on /proc/net/ip6_tables_names being populated on start - these conditions are usually not true in container environments. Updates tailscale#11344 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
In case we want to change the format to something opaque later. Updates tailscale/corp#2549 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie2eac8b885b694be607e9d5101d24b650026d89c
The `stack.PacketBufferPtr` type no longer exists; replace it with `*stack.PacketBuffer` instead. Updates tailscale#8043 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib56ceff09166a042aa3d9b80f50b2aa2d34b3683
This test could hang because the subprocess was blocked on writing to the stdout pipe if we find the address we're looking for early in the output. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I68d82c22a5d782098187ae6d8577e43063b72573
There should not be a need to do that unless we run on host network Signed-off-by: Irbe Krumina <irbe@tailscale.com>
So we can use it in trunkd to quiet down the logs there. Updates tailscale#5563 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie3177dc33f5ad103db832aab5a3e0e4f128f973f
Run yarn-deduplicate on yarn.lock to dedupe packages. This is being done to reduce the number of redundant packages fetched by yarn when existing versions in the lockfile satisfy the version dependency we need. See https://github.com/scinos/yarn-deduplicate for details on the tool used to perform this deduplication. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
bump version for adding NodeAttrSuggestExitNode remove extra s from NodeAttrSuggestExitNode Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>
Synology requires version numbers are within int32 range. This change updates the version logic to keep things closer within the range, and errors on building when the range is exceeded. Updates #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This pretty much always results in an outage because peers won't discover our new home region and thus won't be able to establish connectivity. Updates tailscale/corp#18095 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic0d09133f198b528dd40c6383b16d7663d9d37a7
Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>
Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
…hares - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
build_docker, update-flake: cleanup and apply shellcheck fixes Was editing this file to match my needs while shellcheck warnings bugged me out. REV isn't getting used anywhere. Better remove it. Updates #cleanup Signed-off-by: Panchajanya1999 <kernel@panchajanya.dev> Signed-off-by: James Tucker <james@tailscale.com>
Updates tailscale#11344 Updates tailscale#11354 Signed-off-by: James Tucker <james@tailscale.com>
tailscale#11381) There are container environments such as GitHub codespaces that have partial IPv6 support - routing support is enabled at the kernel level, but lacking IPv6 filter support in the iptables module. In the specific example of the codespaces environment, this also has pre-existing legacy iptables rules in the IPv4 tables, as such the nascent firewall mode detection will always pick iptables. We would previously fault trying to install rules to the filter table, this catches that condition earlier, and disables IPv6 support under these conditions. Updates tailscale#5621 Updates tailscale#11344 Updates tailscale#11354 Signed-off-by: James Tucker <james@tailscale.com>
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This fixes a bug that was introduced in tailscale#11258 where the handling of the per-client limit didn't properly account for the fact that the gVisor TCP forwarder will return 'true' to indicate that it's handled a duplicate SYN packet, but not launch the handler goroutine. In such a case, we neither decremented our per-client limit in the wrapper function, nor did we do so in the handler function, leading to our per-client limit table slowly filling up without bound. Fix this by doing the same duplicate-tracking logic that the TCP forwarder does so we can detect such cases and appropriately decrement our in-flight counter. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib6011a71d382a10d68c0802593f34b8153d06892
Updates #cleanup Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Updates tailscale/corp#17912 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Signed-off-by: Asutorufa <16442314+Asutorufa@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| return | ||
| } | ||
| share.Path = path.Clean(share.Path) | ||
| fi, err := os.Stat(share.Path) |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.