N #4
Commits on Jan 19, 2024
-
cmd/k8s-operator/deploy: allow modifying operator tags via Helm values
Updates tailscale#10659 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
Commit 2ce596e
-
util/nocasemaps: add AppendSliceElem method to nocasemaps (tailscale#10871)
Updates tailscale#7667 Signed-off-by: Anishka Singh <anishkasingh66@gmail.com>
Commit 832e5c7
-
wgengine/netstack: expose gVisor metrics through expvar
When tailscaled is run with "-debug 127.0.0.1:12345", these metrics are available at: http://localhost:12345/debug/metrics Updates tailscale#8210 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I19db6c445ac1f8344df2bc1066a3d9c9030606f8
Commit 7a0392a
Commits on Jan 20, 2024
-
go.mod: bump most deps for start of cycle
Plan9 CI is disabled. 3p dependencies do not build for the target. Contributor enthusiasm appears to have ceased again, and no usage has been made. Skipped gvisor, nfpm, and k8s. Updates tailscale#5794 Updates tailscale#8043 Signed-off-by: James Tucker <james@tailscale.com>
Commit 457102d
-
go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Commit 5b4eb47
-
VERSION.txt: this is v1.59.0 (tailscale#10884)
* VERSION.txt: this is v1.58.0
Signed-off-by: kari-ts <kari@tailscale.com>
* VERSION.txt: this is v1.59.0
---------
Signed-off-by: kari-ts <kari@tailscale.com>
Commit 62b056d
-
Commit 213d696
-
tsweb: add a helper to validate redirect URLs
We issue redirects in a few different places, it's time to have a common helper to do target validation. Updates tailscale/corp#16875 Signed-off-by: David Anderson <danderson@tailscale.com>
Commit ae79b2e
-
tool/gocross: force use of our custom toolchain
The new 'toolchain' directive in go.mod can sometimes force the use of an upstream toolchain against our wishes. Concurrently, some of our dependencies have added the 'toolchain' directive, which transitively adds it to our own go.mod. Force all uses of gocross to ignore that directive and stick to our customized toolchain. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>
Commit 17eae5b
-
go.mod,wgengine/netstack: bump gvisor
Updates tailscale#8043 Signed-off-by: James Tucker <james@tailscale.com>
Commit 7e3bcd2
-
go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Commit b787c27
-
go.toolchain.rev: bump Tailscale Go version to 1.21.6
Updates tailscale/go#83 Signed-off-by: James Tucker <james@tailscale.com>
Commit 4e822c0
Commits on Jan 22, 2024
-
net/portmapper: handle cases where we have no supported clients
This no longer results in a nil pointer exception when we get a valid UPnP response with no supported clients. Updates tailscale#10911 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6e3715a49a193ff5261013871ad7fff197a4d77e
Commit b45089a
-
cmd/k8s-operator: don't proceed with Ingress that has no valid backends (tailscale#10919)
Do not provision resources for a tailscale Ingress that has no valid backends. Updates tailscale#10910 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 370ec6b
Commits on Jan 23, 2024
-
appc,ipn/ipnlocal: optimize preference adjustments when routes update
This change allows us to perform batch modification for new route advertisements and route removals. Additionally, we now handle the case where newly added routes are covered by existing ranges. This change also introduces a new appctest package that contains some shared functions used for testing. Updates tailscale/corp#16833 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
Commit ce4553b
-
appc: add test to ensure that individual IPs are not removed during route updates
If control advised the connector to advertise a route that had already been discovered by DNS it would be incorrectly removed. Now those routes are preserved. Updates tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>
Commit 0e2cb76
-
wgengine/magicsock: implement probing of UDP path lifetime (tailscale#10844)
This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates tailscale#540 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Commit 8b47322
-
ipn/ipnlocal: fix proxy path that matches mount point (tailscale#10864)
Don't append a trailing slash to a request path to the reverse proxy that matches the mount point exactly. Updates tailscale#10730 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 6ee9563
-
ipn/ipnlocal: fix failing test (tailscale#10937)
Updates #cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 75f1d3e
Commits on Jan 24, 2024
-
net/portmapper: support legacy "urn:dslforum-org" portmapping services
These are functionally the same as the "urn:schemas-upnp-org" services with a few minor changes, and are still used by older devices. Support them to improve our ability to obtain an external IP on such networks. Updates tailscale#10911 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I05501fad9d6f0a3b8cf19fc95eee80e7d16cc2cf
Commit fd94d96
Commits on Jan 25, 2024
-
util/expvarx: add a time and concurrency limiting expvar.Func wrapper
expvarx.SafeFunc wraps an expvar.Func with a time limit. On reaching the time limit, calls to Value return nil, and no new concurrent calls to the underlying expvar.Func will be started until the call completes. Updates tailscale/corp#16999 Signed-off-by: James Tucker <james@tailscale.com>
Commit 0f3b2e7
-
cmd/tailscale/cli: run Watch with NotifyNoPrivateKeys (tailscale#10950)
When running as non-root non-operator user, you get this error:
```
$ tailscale serve 8080
Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator
Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root.
```
It should fail, but the error message is confusing. With this fix:
```
$ tailscale serve 8080
sending serve config: Access denied: serve config denied
Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root.
```
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Commit fbfc3b7
Commits on Jan 27, 2024
-
words: i like the direction this list is taking
Updates tailscale/corp#14698 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
Commit cce189b
Commits on Jan 29, 2024
-
cmd/gitops-pusher: fix logic for checking credentials
gitops-pusher supports authenticating with an API key or OAuth credentials (added in tailscale#7393). You shouldn't ever use both of those together, so we error if both are set. In tailscale/gitops-acl-action#24, OAuth support is being added to the GitHub action. In that environment, both the TS_API_KEY and OAuth variables will be set, even if they are empty values. This causes an error in gitops-pusher which expects only one to be set. Update gitops-pusher to check that only one set of environment variables are non-empty, rather than just checking if they are set. Updates tailscale#7393 Signed-off-by: Will Norris <will@tailscale.com>
Commit 13f8a66
-
cmd/hello: avoid deprecated apis (tailscale#10957)
Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Chris Palmer committed Jan 29, 2024
Commit 9744ad4
Commits on Jan 30, 2024
-
ipnlocal: log failure to get ssh host keys
When reporting ssh host keys to control, log a warning if we're unable to get the SSH host keys. Updates tailscale/escalations#21 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit fad6bae
Commits on Jan 31, 2024
-
ipn/ipnlocal: fix pretty printing of multi-record peer DNS results
The API on the DNS record parser is slightly subtle and requires explicit handling of unhandled records. Failure to advance previously resulted in an infinite loop in the pretty responder for any reply that contains a record other than A/AAAA/TXT. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>
Commit b4b2ec7
Commits on Feb 1, 2024
-
util/deephash: implement SelfHasher to allow types to hash themselves
Updates: corp#16409 Signed-off-by: Tom DNetto <tom@tailscale.com>
Commit 2aeef4e
-
appc,ipn/ipnlocal: add app connector routes if any part of a CNAME chain is routed
If any domain along a CNAME chain matches any of the routed domains, add routes for the discovered domains. Fixes tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>
Commit e1a4b89
-
ipn/ipnlocal: fix app connector route advertisements on exit nodes
If an app connector is also configured as an exit node, it should still advertise discovered routes that are not covered by advertised routes, excluding the exit node routes. Updates tailscale/corp#16928 Signed-off-by: James Tucker <james@tailscale.com>
Commit ba70cbb
-
util/deephash: document pathological deephash behavior (tailscale#11010)
Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Commit 84f8311
Commits on Feb 2, 2024
-
util/deephash: tighten up SelfHasher API (tailscale#11012)
Providing a hash.Block512 is an implementation detail of how deephash works today, but providing an opaque type with mostly equivalent API (i.e., HashUint8, HashBytes, etc. methods) is still sensible. Thus, define a public Hasher type that exposes exactly the API that an implementation of SelfHasher would want to call. This gives us freedom to change the hashing algorithm of deephash at some point in the future. Also, this type is likely going to be called by types that are going to memoize their own hash results, we additionally add a HashSum method to simplify this use case. Add documentation to SelfHasher on how a type might implement it. Updates: corp#16409 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Commit 60657ac
-
cmd/hello: link to the Hello KB article (tailscale#11022)
Fixes https://github.com/tailscale/corp/issues/17104 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Chris Palmer committed Feb 2, 2024
Commit a633a30
Commits on Feb 5, 2024
-
ipn/localapi: more http status cleanup (tailscale#10995)
Use Http.StatusOk instead of 200 Updates #cleanup
Commit 5595b61
Commits on Feb 6, 2024
-
types/views: add SliceMapKey[T]
views.Slice are meant to be immutable, and if used as such it is at times desirable to use them as a key in a map. For non-viewed slices it was kinda doable by creating a custom key struct but views.Slice didn't allow for the same so add a method to create that struct here. Updates tailscale/corp#17122 Signed-off-by: Maisem Ali <maisem@tailscale.com>
Commit b752bde
Commits on Feb 7, 2024
-
tsweb: implementing bucketed statistics for started/finished counts
Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: corp#17075
Commit 36efc50
-
tsweb: replace domains/emails in paths when bucketing stats
Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: corp#17075
Commit af931dc
-
go.toolchain.rev: bump to Go 1.22.0 (tailscale#11055)
Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Commit db3776d
-
appc: optimize dns response observation for large route tables
Advertise DNS discovered addresses as a single preference update rather than one at a time. Sort the list of observed addresses and use binary search to consult the list. Updates tailscale/corp#16636 Signed-off-by: James Tucker <james@tailscale.com>
Commit 0f5e031
-
.github/workflows: add privileged tests workflow
We had missed regressions from privileged tests not running, now they can run. Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>
Commit 0b16620
-
words: add a list of things you should yahoo!
Updates #self Signed-off-by: James Tucker <james@tailscale.com>
Commit e0762fe
-
tsweb: normalize common StableID's in bucketed stats, export as LabelMap
Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: corp#17075
Commit 8d6d9d2
Commits on Feb 8, 2024
-
tsweb: normalize passkey identities in bucketed stats
Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: corp#17075
Commit 6537215
-
go.mod, README.md: use Go 1.22
Updates tailscale#11058 Change-Id: I95eecdc7afe2b5f8189016fdb8a773f78e9f5c42 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit b6153ef
-
.github/workflows: update golangci-lint for Go 1.22
Updates tailscale#11058 Change-Id: I3785c1f1bea4a4663e7e5fb6d209d3caedae436d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 9612001
-
Updates tailscale#11058 Change-Id: I0f63be498be33d71bd90b7956f9fe9666fd7a696 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 5ea0711
-
util/cmpx: delete now that we're using Go 1.22
Updates tailscale#11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 2bd3c14
-
.github/workflows: temporarily disable broken oss-fuzz action
Updates tailscale#11064 Updates tailscale#11058 Change-Id: I63acc13dece3379a0b2df573afecfd245b7cd6c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit c424e19
-
go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Commit 2404b14
-
cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (tailscale#11036)
* cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy. If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s). In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true and the node is Kubernetes operator ingress proxy configured via Ingress, make sure that traffic from within the cluster can be proxied to the ingress target. Updates tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit a6cc2fd
-
licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Commit 5486d8a
-
licenses: update android licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Commit 78f257d
-
licenses: update win/apple licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Commit 9f0eaa4
-
client/web: add new readonly mode
The new read-only mode is only accessible when running `tailscale web` by passing a new `-readonly` flag. This new mode is identical to the existing login mode with two exceptions:
- the management client in tailscaled is not started (though if it is already running, it is left alone)
- the client does not prompt the user to login or switch to the management client. Instead, a message is shown instructing the user to use other means to manage the device.
Updates tailscale#10979
Signed-off-by: Will Norris <will@tailscale.com>
Commit 128c99d
-
client/web: use smart quotes in web UI frontend
add the curly-quotes eslint plugin (same that we use for the admin panel), and fix existing straight quotes in the current web UI. Updates #cleanup Signed-off-by: Will Norris <will@tailscale.com>
Commit 6f0c5e0
-
go.mod: update web-client-prebuilt module
Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
Commit 664b861
-
cmd/dist: update logs for synology builds
Update logs for synology builds to more clearly callout which variant is being built. The two existing variants are:
1. Sideloaded (can be manual installed on a device by anyone)
2. Package center distribution (by the tailscale team)
Updates #cleanup
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit 1217f65
-
ipnlocal: force-regen new authURL when it is too old (tailscale#10971)
Fixes tailscale/support-escalations#23.
authURLs returned by control expire after 1 hour from creation. Customer reported that the Tailscale client on macOS would send users to a stale authentication page when clicking on the `Login...` menu item. This can happen when clicking on Login after leaving the device unattended for several days. The device key expires, leading to the creation of a new authURL, however the client doesn't keep track of when the authURL was created. Meaning that `login-interactive` would send the user to an authURL that had expired server-side a long time before.
This PR ensures that whenever `login-interactive` is called via LocalAPI, an authURL that is too old won't be used. We force control to give us a new authURL whenever it's been more than 30 minutes since the last authURL was sent down from control.
Apply suggestions from code review
Set interval to 6 days and 23 hours
Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Commit 6c79f55
-
cmd/tailscale/cli: fix exit node status output (tailscale#11076)
This change fixes the format of tailscale status output when location based exit nodes are present. Fixes tailscale#11065 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
Commit 0f042b9
Commits on Feb 9, 2024
-
util/deephash: cleanup TODO in TestHash (tailscale#11080)
Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Commit efddad7
-
all: use reflect.TypeFor now available in Go 1.22 (tailscale#11078)
Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Commit 94a4f70
-
all: use new AppendEncode methods available in Go 1.22 (tailscale#11079)
Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Commit 2e404b7
-
tailfs: initial implementation
Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 993acf4
-
cmd/gitops-pusher: only use OAuth creds if non-empty string
`os.LookupEnv` may return true if the variable is present in the environment but an empty string. We should only attempt to set OAuth Config if those values are non-empty. Updates gitops-acl-action#33 Signed-off-by: Jenny Zhang <jz@tailscale.com>
Commit c446451
-
tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11087)
Updates #cleanup Go 1.22.0 introduced the ability to use more expressive routing patterns that include HTTP method when constructing ServeMux entries. Applications that attempted to use these patterns in combination with the old `tsweb.Debugger` would experience a panic as Go would not permit the use of matching rules with mixed level of specificity. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Commit 291f91d
-
Revert "tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11087)" (tailscale#11089)
This reverts commit 291f91d. Updates #cleanup This PR needs additional changes to the registration of child handlers under /debug Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Commit 7c52b27
-
fix toolchain not available error (tailscale#11083)
Relates to golang/go#62278 Updates tailscale#11058 Signed-off-by: keisku <keisuke.umegaki.630@gmail.com>
Commit 7039c06
-
.github: fuzzing is now unbroken
Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I10dca601c79411b412180a46b3f82136e40544b0
Commit 6f6383f
-
client/web: only check policy caps for tagged nodes
For user-owned nodes, only the owner is ever allowed to manage the node. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit 2bb837a
-
util/rands: add Shuffle and Perm functions with on-stack RNG state
The new math/rand/v2 package includes an m-local global random number generator that can not be reseeded by the user, which is suitable for most uses without the RNG pools we have in a number of areas of the code base. The new API still does not have an allocation-free way of performing seeded operations, due to the long term compiler bug around interface parameter escapes, and the Source interface. This change introduces the two APIs that math/rand/v2 can not yet replace efficiently: seeded Perm() and Shuffle() operations. This implementation chooses to use the PCG random source from math/rand/v2, as with sufficient compiler optimization, this source should boil down to only two on-stack registers for random state under ideal conditions. Updates #17243 Signed-off-by: James Tucker <james@tailscale.com>
Commit 24bac27
-
build(deps-dev): bump vite from 4.4.9 to 4.5.2 in /client/web
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 4.4.9 to 4.5.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v4.5.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v4.5.2/packages/vite)
---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Commit 79b5478
Commits on Feb 10, 2024
-
tailfs: clean up naming and package structure
- Restyles tailfs -> tailFS
- Defines interfaces for main TailFS types
- Moves implementation of TailFS into tailfsimpl package
Updates tailscale/corp#16827
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit abab0d4
-
tailfs: disable TailFSForLocal via policy
Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit ddcffae
tailfs: fix startup issues on windows
Starts TailFS for Windows too, initializes shares on startup. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 87154a2
tailscaled: revert to using pointers for subcommands
As part of tailscale#10631, we stopped using function pointers for subcommands, preventing us from registering platform-specific installSystemDaemon and uninstallSystemDaemon subcommands. Fixes tailscale#11099 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 55b372a
util/cloudenv: add support for DigitalOcean
Updates tailscale#4984 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib229eb40af36a80e6b0fd1dd0cabb07f0d50a7d1
Commit c1c50cf
Commits on Feb 11, 2024
tailcfg: remove UserProfile.Groups
Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <maisem@tailscale.com>
Commit 370ecb4
Commits on Feb 12, 2024
flake.nix: build tailscale with go 1.22
Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>
Commit 58b8f78
cmd/tailscale: hide share subcommand
Fixes tailscale#1115 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit d0ef3a2
tailfs: listen for local clients only on 100.100.100.100
FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only available on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit c42a4e4
Commits on Feb 13, 2024
types/views: add test that LenIter doesn't allocate
For a second we thought this was allocating but we were looking at a CPU profile (which showed calls to mallocgc view makeslice) instead of the alloc profile. Updates golang/go#65685 (which if fixed wouldn't have confused us) Change-Id: Ic0132310d52d8a65758a516142525339aa23b1ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit f7f4960
cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (tailscale#11074)
* cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 5bd19fd
tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11090)
* tsweb: update ServeMux matching to 1.22.0 syntax Updates #cleanup Go 1.22.0 introduced the ability to use more expressive routing patterns that include HTTP method when constructing ServeMux entries. Applications that attempted to use these patterns in combination with the old `tsweb.Debugger` would experience a panic as Go would not permit the use of matching rules with mixed level of specificity. We now specify the method for each `/debug` handler to prevent incompatibilities. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Commit 30c9189
wgengine/router: make the Windows ifconfig implementation reuse existing MibIPforwardRow2 when possible
Looking at profiles, we spend a lot of time in winipcfg.LUID.DeleteRoute looking up the routing table entry for the provided RouteData. But we already have the row! We previously obtained that data via the full table dump we did in getInterfaceRoutes. We can make this a lot faster by hanging onto a reference to the winipcfg.MibIPforwardRow2 and executing the delete operation directly on that. Fixes tailscale#11123 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Commit f7acbef
Revert "tsweb: update ServeMux matching to 1.22.0 syntax (tailscale#11090)" (tailscale#11125)
This reverts commit 30c9189. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Commit 256ecd0
scripts/installer.sh: add tuxedoOS to the Ubuntu copies
Signed-off-by: Nathan Woodburn <github@nathan.woodburn.au>
Commit 7c0651a
Commits on Feb 14, 2024
net/dns: log more info when openresolv commands fail
Updates tailscale#11129 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic594868ba3bc31f6d3b0721ecba4090749a81f7f
Commit b0e96a6
go.mod, all: move away from inet.af domain seized by Taliban
Updates inetaf/tcpproxy#39 Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 61a1644
go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Commit 7ad2bb8
util/topk: add package containing a probabilistic top-K tracker
This package uses a count-min sketch and a heap to track the top K items in a stream of data. Tracking a new item and adding a count to an existing item both require no memory allocations and is at worst O(log(k)) complexity. Change-Id: I0553381be3fef2470897e2bd806d43396f2dbb36 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Commit b7104cd
clientupdate: disable auto update on NixOS (tailscale#11136)
Updates #cleanup NixOS packages are immutable and attempts to update via our tarball mechanism will always fail as a result. Instead we now direct users to update their nix channel or nixpkgs flake input to receive the latest Tailscale release. Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Commit 38bba2d
Commits on Feb 15, 2024
doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check
Updates tailscale#11137 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8
Commit 52f16b5
wgengine/router: fix ip rule restoration
Fixes tailscale#10857 Signed-off-by: Jason Barnett <J@sonBarnett.com>
Commit 4d66841
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 3aca29e
Commits on Feb 16, 2024
ipn/ipnlocal: fix doctor API endpoint (tailscale#11155)
Small fix to make sure doctor API endpoint returns correctly - I spotted it when checking my tailscaled node and noticed it was handled slightly differently compared to the rest Signed-off-by: San <santrancisco@users.noreply.github.com>
Commit 69f5664
cmd/tailscale: make web client URL clickable
Updates tailscale#11151 Signed-off-by: Will Norris <will@tailscale.com>
Commit 2448781
cmd/tailscale: support clickable IPv6 web client addresses
Instead of constructing the `ip:port` string ourselves, use netip.AddrPortFrom which handles IPv6 correctly. Updates tailscale#11164 Signed-off-by: Will Norris <will@tailscale.com>
Commit 6b582cb
tool/gocross: pass flags for visionOS and visionOS Simulator (tailscale#11127)
Adds logic in gocross to detect environment variables and pass the right flags so that the backend can be built with the visionOS SDK. Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Commit 44e337c
net/dns: fix infinite loop when run on Amazon Linux 2023
This fixes an infinite loop caused by the configuration of systemd-resolved on Amazon Linux 2023 and how that interacts with Tailscale's "direct" mode. We now drop the Tailscale service IP from the OS's "base configuration" when we detect this configuration. Updates tailscale#7816 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I73a4ea8e65571eb368c7e179f36af2c049a588ee
Commit 70b7201
Commits on Feb 17, 2024
logpolicy: allow longer idle log upload connections
From a packet trace we have seen log connections being closed prematurely by the client, resulting in unnecessary extra TLS setup traffic. Updates tailscale#3363 Updates tailscale/corp#9230 Updates tailscale/corp#8564 Signed-off-by: James Tucker <james@tailscale.com>
Commit 6c3899e
ipn/ipnlocal: remove ancient transition mechanism for https certs
And confusing error message that duplicated the valid cert domains. Fixes tailscale/corp#15876 Change-Id: I098bc45d83c8d1e0a233dcdf3188869cce66e128 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 794af40
Commits on Feb 19, 2024
prober: add TLS probe constructor to split dial addr from cert name
So we can probe load balancers by their unique DNS name but without asking for that cert name. Updates tailscale/corp#13050 Change-Id: Ie4c0a2f951328df64281ed1602b4e624e3c8cf2e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit a4a909a
Commits on Feb 20, 2024
net/ktimeout: add a package to set TCP user timeout
Setting a user timeout will be a more practical tuning knob for a number of endpoints, this provides a way to set it. Updates tailscale/corp#17587 Signed-off-by: James Tucker <james@tailscale.com>
Commit 8fe5042
Commit d756622
Commits on Feb 21, 2024
cmd/testwrapper: apply results of all unit tests to coverage for all packages
This allows coverage from tests that hit multiple packages at once to be reflected in all those packages' coverage. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 91a1019
cmd/tailscale/cli: pass "-o 'CanonicalizeHostname no'" to ssh
Fixes tailscale#10348 Signed-off-by: Paul Scott <paul@tailscale.com>
Commit 7708ab6
Commits on Feb 22, 2024
derp: plumb context to Server.verifyClient
Updates tailscale/corp#17693 Change-Id: If17e02c77d5ad86b820e639176da2d3e61296bae Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 2988c1e
cmd/derper, derp, tailcfg: add admission controller URL option
So derpers can check an external URL for whether to permit access to a certain public key. Updates tailscale/corp#17693 Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 10d130b
util/syspolicy: add 'ResetToDefaults' (tailscale#11194)
Updates ENG-2133. Adds the ResetToDefaults visibility policy currently only available on macOS, so that the Windows client can read its value. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Commit 0359c2f
cmd/derper: add user timeout and reduce TCP keepalive
The derper sends an in-protocol keepalive every 60-65s, so frequent TCP keepalives are unnecessary. In this tuning TCP keepalives should never occur for a DERP client connection, as they will send an L7 keepalive often enough to always reset the TCP keepalive timer. If however a connection does not receive an ACK promptly it will now be shutdown, which happens sooner than it would with a normal TCP keepalive tuning. This re-tuning reduces the frequency of network traffic from derp to client, reducing battery cost. Updates tailscale/corp#17587 Updates tailscale#3363 Signed-off-by: James Tucker <james@tailscale.com>
Commit edbad6d
client/web: update vite-plugin-svgr to latest version (tailscale#11197)
Update vite-plugin-svgr to the latest version (4.2.0) ahead of updating vite to 5.x. This is a major version bump from our previous 3.x, and requires changing the import paths used for SVGs. Updates tailscale/corp#17715 Signed-off-by: Mario Minardi <mario@tailscale.com>
Commit 72140da
client/web: update plugin-react-swc to latest version (tailscale#11199)
Update plugin-react-swc to the latest version (3.6.0) ahead of updating vite to 5.x. Updates tailscale/corp#17715 Signed-off-by: Mario Minardi <mario@tailscale.com>
Commit 713d292
Commits on Feb 23, 2024
net/tshttpproxy: log when we're using a proxy
Updates tailscale#11196 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088
Commit e8d2fc7
wgengine/wglog: quieten WireGuard logs for allowedips
An increasing number of users have very large subnet route configurations, which can produce very large amounts of log data when WireGuard is reconfigured. The logs don't contain the actual routes, so they're largely useless for diagnostics, so we'll just suppress them. Fixes tailscale/corp#17532 Signed-off-by: James Tucker <james@tailscale.com>
Commit 131f909
cmd/tailscale: add node attribute instructions to share command help
This adds details on how to configure node attributes to allow sharing and accessing shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 15b2c67
client/web: update vite and vitest to latest versions (tailscale#11200)
Update vite to 5.1.4, and vitest to 1.3.1 (their latest versions). Also remove vite-plugin-rewrite-all as this is no longer necessary with vite 5.x and has a dependency on vite 4.x. Updates tailscale/corp#17715 Signed-off-by: Mario Minardi <mario@tailscale.com>
Commit ac281dd
cli/debug: rename DERP debug mode (tailscale#11220)
Renames a debug flag in the CLI. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Commit c8c999d
Commits on Feb 24, 2024
net/interfaces: reduce & cleanup logs on iOS
We don't need a log line every time defaultRoute is read in the good case, and we now only log default interface updates that are actually changes. Updates tailscale#3363 Signed-off-by: James Tucker <james@tailscale.com>
Commit 651c489
.github/workflows: fix typo in XDG_CACHE_HOME
This appears to be one of the contributors to this CI target regularly entering a bad state with a partially written toolchain. Updates #self Signed-off-by: James Tucker <james@tailscale.com>
Commit c9b6d19
cmd/derper: apply TCP keepalive and timeout to TLS as well
I missed a case in the earlier patch, and so we're still sending 15s TCP keepalive for TLS connections, now adjusted there too. Updates tailscale/corp#17587 Updates tailscale#3363 Signed-off-by: James Tucker <james@tailscale.com>
Commit 0c5e65e
net/dns: timeout DOH requests after 10s without response headers
If a client socket is remotely lost but the client is not sent an RST in response to the next request, the socket might sit in RTO for extended lengths of time, resulting in "no internet" for users. Instead, timeout after 10s, which will close the underlying socket, recovering from the situation more promptly. Updates tailscale#10967 Signed-off-by: James Tucker <james@tailscale.com>
Commit 8d0d464
wgengine/wgcfg: don't send UAPI to disable keep-alives on new peers
That's already the default. Avoid the overhead of writing it on one side and reading it on the other to do nothing. Updates #cleanup (noticed while researching something else) Change-Id: I449c88a022271afb9be5da876bfaf438fe5d3f58 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 8b9474b
wgengine/wglog: add TS_DEBUG_RAW_WGLOG envknob for raw wg logs
Updates tailscale#7617 (part of debugging it) Change-Id: I1bcbdcf0f929e3bcf83f244b1033fd438aa6dac1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 6ad6d6b
Commits on Feb 25, 2024
net/dns/publicdns: add Mullvad family DNS to the list of known DoH servers
Adds the new Mullvad family DNS server to the known DNS over HTTPS server list. Signed-off-by: mrrfv <rm-rfv-no-preserve-root@protonmail.com>
Commit ff1391a
all: remove LenIter, use Go 1.22 range-over-int instead
Updates tailscale#11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit e1bd748
Commits on Feb 26, 2024
tailfs: replace webdavfs with reverse proxies
Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 50fb8b9
wgengine/netstack: expose TCP forwarder drops via clientmetrics
- add a clientmetric with a counter of TCP forwarder drops due to the max attempts;
- fix varz metric types, as they are all counters.
Updates tailscale#8210 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Commit cd9cf93
client/web: restrict serveAPI endpoints to peer capabilities
This change adds a new apiHandler struct for use from serveAPI to aid with restricting endpoints to specific peer capabilities. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit 9aa704a
client/web: use grants on web UI frontend
Starts using peer capabilities to restrict the management client on a per-view basis. This change also includes a bulky cleanup of the login-toggle.tsx file, which was getting pretty unwieldy in its previous form. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit 95f2656
go.mod: update web-client-prebuilt module
Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
Commit 82c569a
net/dns: do not wait for the interface registry key to appear if the windowsManager is being closed
The WinTun adapter may have been removed by the time we're closing the dns.windowsManager, and its associated interface registry key might also have been deleted. We shouldn't use winutil.OpenKeyWait and wait for the interface key to appear when performing a cleanup as a part of the windowsManager shutdown. Updates tailscale#11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Commit b42b981
cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed
Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes tailscale#11222 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Commit 7ef1fb1
Commits on Feb 27, 2024
health: warn about reverse path filtering and exit nodes
When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs.

Example in `tailscale status`:
```
- not connected to home DERP region 22
- The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see tailscale#3310
```
Example in the logs:
```
2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see tailscale#3310
```
Updates tailscale#3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Commit 8cc5c51
types/key: remove copy returning array by value
It's unnecessary. Returning an array value is already a copy. Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: If7f350b61003ea08f16a531b7b4e8ae483617939
Commit 9a8c2f4
wgengine: reduce critical section
No need to hold wgLock while using the device to LookupPeer; that has its own mutex already. Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Ib56049fcc7163cf5a2c2e7e12916f07b4f9d67cb
Commit 219efeb
wgengine: make pendOpen time later, after dup check
Otherwise on OS retransmits, we'd make redundant timers in Go's timer heap that upon firing just do nothing (well, grab a mutex and check a map and see that there's nothing to do). Updates #cleanup Change-Id: Id30b8b2d629cf9c7f8133a3f7eca5dc79e81facb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit eb28818
ipn/ipnstate, wgengine/wgint: add handshake attempts accessors
Not yet used. This is being made available so magicsock/wgengine can use it to ignore certain sends (UDP + DERP) later on at least mobile, letting wireguard-go think it's doing its full attempt schedule, but we can cut it short conditionally based on what we know from the control plane. Updates tailscale#7617 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Ia367cf6bd87b2aeedd3c6f4989528acdb6773ca7
Commit 1cf8582
scripts/installer.sh: auto-start tailscale on Alpine (tailscale#11214)
On Alpine, we add the tailscale service but fail to call start. This means that tailscale does not start up until the user reboots the machine. Fixes tailscale#11161 Signed-off-by: Keli Velazquez <keli@tailscale.com>
Commit 086ef19
tailfs: fix race condition in tailfs_test
Use a noop authenticator to avoid potential races in gowebdav's built-in authenticator. Fixes tailscale#11259 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 05acf76
cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (tailscale#11246)
Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale#11023 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 45d27fa
cmd/k8s-operator: configure all proxies with declarative config (tailscale#11238)
Containerboot container created for operator's ingress and egress proxies are now always configured by passing a configfile to tailscaled (tailscaled --config <configfile-path>). It does not run 'tailscale set' or 'tailscale up'. Upgrading existing setups to this version as well as downgrading existing setups at this version works. Updates tailscale#10869 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 303125d
cmd/k8s-operator: reconcile tailscale Ingresses when their backend Se…
…rvices change. (tailscale#11255) This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator. Updates tailscale#11251 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
Commit 95dcc17
tailcfg: add latitude, longitude for node location (tailscale#11162)
Updates tailscale/corp#17590 Signed-off-by: Claire Wang <claire@tailscale.com>
Commit 352c1ac
wgengine/netstack: add a per-client limit for in-flight TCP forwards
This is a fun one. Right now, when a client is connecting through a subnet router, here's roughly what happens:
1. The client initiates a connection to an IP address behind a subnet router, and sends a TCP SYN
2. The subnet router gets the SYN packet from netstack, and after running through acceptTCP, starts DialContext-ing the destination IP, without accepting the connection¹
3. The client retransmits the SYN packet a few times while the dial is in progress, until either...
4. The subnet router successfully establishes a connection to the destination IP and sends the SYN-ACK back to the client, or...
5. The subnet router times out and sends a RST to the client.
6. If the connection was successful, the client ACKs the SYN-ACK it received, and traffic starts flowing
As a result, the notification code in forwardTCP never notices when a new connection attempt is aborted, and it will wait until either the connection is established, or until the OS-level connection timeout is reached and it aborts.
To mitigate this, add a per-client limit on how many in-flight TCP forwarding connections can be in-progress; after this, clients will see a similar behaviour to the global limit, where new connection attempts are aborted instead of waiting. This prevents a single misbehaving client from blocking all other clients of a subnet router by ensuring that it doesn't starve the global limiter.
Also, bump the global limit again to a higher value.
¹ We can't accept the connection before establishing a connection to the remote server since otherwise we'd be opening the connection and then immediately closing it, which breaks a bunch of stuff; see tailscale#5503 for more details.
Updates tailscale/corp#12184
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I76e7008ddd497303d75d473f534e32309c8a5144
Commit c5abbcd
client/web: update to typescript 5.3.3 (tailscale#11267)
Update typescript to 5.3.3. This is a major bump from the previous version of 4.8.3. This also requires adding newer versions of @typescript-eslint/eslint-plugin and @typescript-eslint/parser to our resolutions as eslint-config-react-app pulls in versions that otherwise do not support typescript 5.x. eslint-config-react-app has not been updated in 2 years and is seemingly abandoned, so we may wish to fork it or move to a different eslint config in the future. Updates tailscale/corp#17810 Signed-off-by: Mario Minardi <mario@tailscale.com>
Commit 7912d76
tsweb: expose function to generate request IDs
For use in corp. Updates tailscale/corp#2549 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I71debae1ce9ae48cf69cc44c2ab5c443fc3b2005
Commit 23e9447
Commits on Feb 28, 2024
util/cache: fix missing interface methods (tailscale#11275)
Updates #cleanup Change-Id: Ib3a33a7609530ef8c9f3f58fc607a61e8655c4b5 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Commit a20e46a
net/tstun: fix spelling of "WireGuard"
Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida7e30f4689bc18f5f7502f53a0adb5ac3c7981a
Commit 3dd8ae2
ipn/ipnstate, wgengine: make PeerStatusLite.LastHandshake zero Time m…
…eans none ... rather than 1970. Code was using IsZero against the 1970 time (which isn't a zero value), but fortunately not anywhere that seems to have mattered. Updates #cleanup Change-Id: I708a3f2a9398aaaedc9503678b4a8a311e0e019e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 74b8985
wgengine: use slices.Clone in two places
Updates #cleanup Change-Id: I1cb30efb6d09180e82b807d6146f37897ef99307 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit a8a5252
wgengine: rename local variable from 'found' to conventional 'ok'
Updates #cleanup Change-Id: I799dc86ea9e4a3a949592abdd8e74282e7e5d086 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit b4ff9a5
.github/workflows: fix regular breakage of go toolchains
This server recently had a common ansible applied, which added a periodic /tmp cleaner, as is needed on other CI machines to deal with test tempfile leakage. The setting of $HOME to /tmp means that the go toolchain in there was regularly getting pruned by the tmp cleaner, but often incompletely, because it was also in use. Move HOME to a runner owned directory. Updates tailscale#11248 Signed-off-by: James Tucker <james@tailscale.com>
Commit 7e17aeb
wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine
This adds a method to wgengine.Engine and plumbed down into magicsock to add a way to get a type-safe Tailscale-safe wrapper around a wireguard-go device.Peer that only exposes methods that are safe for Tailscale to use internally. It also removes HandshakeAttempts from PeerStatusLite that was just added as it wasn't needed yet and is now accessible à la carte as needed from the Peer type accessor. None of this is used yet. Updates tailscale#7617 Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 69f4b45
client/web: fix Vite CJS deprecation warning (tailscale#11288)
Starting in Vite 5, Vite now issues a deprecation warning when using a CJS-based Vite config file. This commit fixes it by adding the `"type": "module"` to our package.json to opt our files into ESM module behaviours. Fixes #cleanup Signed-off-by: Ross Zurowski <ross@rosszurowski.com>
Commit e83e2e8
ipn,wgengine: only intercept TailFS traffic on quad 100
This fixes a regression introduced with 993acf4 and released in v1.60.0. The regression caused us to intercept all userspace traffic to port 8080 which prevented users from exposing their own services to their tailnet at port 8080. Now, we only intercept traffic to port 8080 if it's bound for 100.100.100.100 or fd7a:115c:a1e0::53. Fixes tailscale#11283 Signed-off-by: Percy Wegmann <percy@tailscale.com> (cherry picked from commit 17cd062)
Commit 2d5d6f5
ipn/ipnlocal: make active IPN sessions keyed by sessionID
We used a HandleSet before when we didn't have a unique handle. But a sessionID is a unique handle, so use that instead. Then that replaces the other map we had. And now we'll have a way to look up an IPN session by sessionID for later. Updates tailscale/corp#17859 Change-Id: I5f647f367563ec8783c643e49f93817b341d9064 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit b68a09c
tsweb: allow empty redirect URL in CleanRedirectURL (tailscale#11295)
Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Commit c747443
Commits on Feb 29, 2024
wgengine: plumb the PeerByKey from wgengine to magicsock
This was just added in 69f4b45 which doesn't yet use it. This still doesn't yet use it. It just pushes it down deeper into magicsock where it'll be used later. Updates tailscale#7617 Change-Id: If2f8fd380af150ffc763489e1ff4f8ca2899fac6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit f18f591
tailfs: support storing bookmark data on shares
This allows the sandboxed Mac application to store security-scoped URL bookmarks in order to maintain access to restricted folders across restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 80f1cb6
ipn: include full tailfs shares in ipn notifications
This allows the Mac application to regain access to restricted folders after restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit e324a56
util/linuxfw: insert rather than append nftables DNAT rule (tailscale…
…#11303) Ensure that the latest DNATNonTailscaleTraffic rule gets inserted on top of any pre-existing rules. Updates tailscale#11281 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 097c5ed
clientupdate: handle multiple versions in "apk info tailscale" output (…
…tailscale#11310) The package info output can list multiple package versions, and not in descending order. Find the newest version in the output, instead of the first one. Fixes tailscale#11309 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Commit 23fbf00
Commits on Mar 1, 2024
go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Commit 00554ad
tailfs: only impersonate unprivileged user if able to sudo -u as that…
… user When serving TailFS shares, tailscaled executes another tailscaled to act as a file server. It attempts to execute this child process as an unprivileged user using sudo -u. This is important to avoid accessing files as root, which would result in potential privilege escalation. Previously, tailscaled assumed that it was running as someone who can sudo -u, and would fail if it was unable to sudo -u. With this commit, if tailscaled is unable to sudo -u as the requested user, and tailscaled is not running as root, then tailscaled executes the file server process under the same identity that ran tailscaled, since this is already an unprivileged identity. In the unlikely event that tailscaled is running as root but is unable to sudo -u, it will refuse to run the child file server process in order to avoid privilege escalation. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 232a2d6
Commits on Mar 4, 2024
docs/k8s: update docs (tailscale#11307)
Update docs for static Tailscale deployments on kube to always use firewall mode autodetection when in non-userspace. Also add a note about running multiple replicas and a few suggestions how folks could do that. Updates #cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
Commit dff6f33
Commits on Mar 5, 2024
tsweb: add more test cases for TestCleanRedirectURL (tailscale#11331)
Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Chris Palmer committed Mar 5, 2024
Commit 13853e7
tailcfg: add suggest exit node related node attribute (tailscale#11329)
Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>
Commit d610f8e
util/cmpver: add Less/LessEq helper funcs
Updates tailscale/corp#17199 Signed-off-by: Paul Scott <paul@tailscale.com>
Commit 2fa20e3
go.toolchain.rev: bump Go toolchain to 1.22.1
Updates tailscale/corp#18000 Change-Id: I45de95e974ea55b0dac2218b3c82d124c4793390 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit 8780e33
{ipn/serve,cmd/tailscale/cli}: move some shared funcs to ipn
In preparation for changes to allow configuration of serve/funnel from the web client, this commit moves some functionality that will be shared between the CLI and web client to the ipn package's serve.go file, where some other util funcs are already defined. Updates tailscale#10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit 65c3c69
Commits on Mar 6, 2024
wgengine/magicsock: prefer link-local addresses to private ones
Since link-local addresses are definitionally more likely to be a direct (lower-latency, more reliable) connection than a non-link-local private address, give those a bit of a boost when selecting endpoints. Updates tailscale#8097 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I93fdeb07de55ba39ba5fcee0834b579ca05c2a4e
Commit 4338db2
licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Commit 6a4e532
licenses: update win/apple licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Commit 797d75c
licenses: update android licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Commit d59878e
client/tailscale: add postures to UserRuleMatch
Updates tailscale/corp#17770 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Commit 65255b0
{ipn,cmd/tailscale/cli}: move ServeConfig mutation logic to ipn/serve
Moving logic that manipulates a ServeConfig into receivers on the ServeConfig in the ipn package. This is setup work to allow the web client and cli to both utilize these shared functions to edit the serve config. Any logic specific to flag parsing or validation is left untouched in the cli command. The web client will similarly manage its validation of user's requested changes. If validation logic becomes similar-enough, we can make a serve util for shared functionality, which likely does not make sense in ipn. Updates tailscale#10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit c58c59e
ipn/ipnlocal: exclude mullvad exit nodes from TailFS peers list
This is a temporary solution to at least omit Mullvad exit nodes from the list of TailFS peers. Once we can identify peers that are actually sharing via TailFS, we can remove this, but for alpha it'll be sufficient to just omit Mullvad. Updates tailscale/corp#17766 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 00373f0
ipn/localapi: add set-gui-visible endpoint
Updates tailscale/corp#17859 Provides a local API endpoint to be called from the GUI to inform the backend when the client menu is opened or closed. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@gottardo.me> Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Commit 0cb8646
ipn: add comment about thread-safety to StateStore
Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 6f66f5a
ipn/ipnlocal: reduce allocations in TailFS share notifications
This eliminates unnecessary map.Clone() calls and also eliminates repetitive notifications about the same set of shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit fd942b5
util/linuxfw: add container-friendly IPv6 NAT check (tailscale#11353)
Remove IPv6 NAT check when routing is being set up using nftables. This is unnecessary as support for nftables was added after support for IPv6. https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources Additionally, run an extra check for IPv6 NAT support when the routing is set up with iptables. This is because the earlier checks rely on being able to use modprobe and on /proc/net/ip6_tables_names being populated on start - these conditions are usually not true in container environments. Updates tailscale#11344 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 90c4067
Commits on Mar 7, 2024
tsweb: add String method to tsweb.RequestID
In case we want to change the format to something opaque later. Updates tailscale/corp#2549 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie2eac8b885b694be607e9d5101d24b650026d89c
Commit 8f27d51
The `stack.PacketBufferPtr` type no longer exists; replace it with `*stack.PacketBuffer` instead. Updates tailscale#8043 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib56ceff09166a042aa3d9b80f50b2aa2d34b3683
Commit 62cf83e
net/interfaces: fix test hang on Darwin
This test could hang because the subprocess was blocked on writing to the stdout pipe if we find the address we're looking for early in the output. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I68d82c22a5d782098187ae6d8577e43063b72573
Commit 9884d06
docs/k8s: don't run subnet router in userspace mode (tailscale#11363)
There should not be a need to do that unless we run on host network Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Commit 3047b62
cmd/derper, types/logger: move log filter to shared package
So we can use it in trunkd to quiet down the logs there. Updates tailscale#5563 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie3177dc33f5ad103db832aab5a3e0e4f128f973f
Commit 3417643
client/web: dedupe packages in yarn.lock (tailscale#11327)
Run yarn-deduplicate on yarn.lock to dedupe packages. This is being done to reduce the number of redundant packages fetched by yarn when existing versions in the lockfile satisfy the version dependency we need. See https://github.com/scinos/yarn-deduplicate for details on the tool used to perform this deduplication. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Commit c662bd9
tailcfg: bump CapabilityVersion (tailscale#11368)
bump version for adding NodeAttrSuggestExitNode remove extra s from NodeAttrSuggestExitNode Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>
Commit 74e33b9
Commits on Mar 8, 2024
version/mkversion: enforce synology versions within int32 range
Synology requires version numbers are within int32 range. This change updates the version logic to keep things closer within the range, and errors on building when the range is exceeded. Updates #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Commit 54e5253
wgengine/magicsock: don't change DERP home when not connected to control
This pretty much always results in an outage because peers won't discover our new home region and thus won't be able to establish connectivity. Updates tailscale/corp#18095 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic0d09133f198b528dd40c6383b16d7663d9d37a7
Commit f072d01
cmd/viewer: import views when generating byteSliceField
Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 16ae0f6
ipn,tailfs: tie TailFS share configuration to user profile
Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit 6c160e6
ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS s…
…hares
- Updates API to support renaming TailFS shares.
- Adds a CLI rename subcommand for renaming a share.
- Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update.
- Adds a unit test for TailFS in ipnlocal
Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Commit e496451
Code Improvements (tailscale#11311)
build_docker, update-flake: cleanup and apply shellcheck fixes Was editing this file to match my needs while shellcheck warnings bugged me out. REV isn't getting used anywhere. Better remove it. Updates #cleanup Signed-off-by: Panchajanya1999 <kernel@panchajanya.dev> Signed-off-by: James Tucker <james@tailscale.com>
Commit 50a570a
util/linuxfw: correct logical error in NAT table check (tailscale#11380)
Updates tailscale#11344 Updates tailscale#11354 Signed-off-by: James Tucker <james@tailscale.com>
Commit 43fba6e
util/linuxfw: fix support for containers without IPv6 iptables filters (
tailscale#11381) There are container environments such as GitHub codespaces that have partial IPv6 support - routing support is enabled at the kernel level, but lacking IPv6 filter support in the iptables module. In the specific example of the codespaces environment, this also has pre-existing legacy iptables rules in the IPv4 tables, as such the nascent firewall mode detection will always pick iptables. We would previously fault trying to install rules to the filter table, this catches that condition earlier, and disables IPv6 support under these conditions. Updates tailscale#5621 Updates tailscale#11344 Updates tailscale#11354 Signed-off-by: James Tucker <james@tailscale.com>
Commit 055117a
Commits on Mar 9, 2024
go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
Commit 04fceae
Commits on Mar 10, 2024
ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap
To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Commit ad33e47
Commits on Mar 11, 2024
wgengine/netstack: fix bug with duplicate SYN packets in client limit
This fixes a bug that was introduced in tailscale#11258 where the handling of the per-client limit didn't properly account for the fact that the gVisor TCP forwarder will return 'true' to indicate that it's handled a duplicate SYN packet, but not launch the handler goroutine. In such a case, we neither decremented our per-client limit in the wrapper function, nor did we do so in the handler function, leading to our per-client limit table slowly filling up without bound. Fix this by doing the same duplicate-tracking logic that the TCP forwarder does so we can detect such cases and appropriately decrement our in-flight counter. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib6011a71d382a10d68c0802593f34b8153d06892
Commit 7429e89
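The per-client limit from c5abbcd and the duplicate-SYN accounting fix in 7429e89 can be modelled in a few lines of Go. This is an added example, not Tailscale's code: the `limiter` type, its methods, the caps and the addresses are assumptions constructed for illustration, and the model takes from the commit message only that a retransmitted SYN is reported as handled without a handler being launched.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
)

// connID identifies one TCP connection attempt (constructed stand-in type).
type connID struct{ src, dst netip.AddrPort }

type verdict int

const (
	accepted      verdict = iota // counted; the caller starts dialing
	duplicateSYN                 // retransmit of an attempt already counted
	overClientCap                // this client has too many dials in flight
	overGlobalCap                // the router as a whole is saturated
)

// limiter caps in-flight forwarded dials per client and globally.
type limiter struct {
	mu                       sync.Mutex
	perClient, global, total int
	dedupe                   bool // false reproduces the leak on retransmits
	byClient                 map[netip.Addr]int
	seen                     map[connID]struct{}
}

func newLimiter(perClient, global int, dedupe bool) *limiter {
	return &limiter{perClient: perClient, global: global, dedupe: dedupe,
		byClient: map[netip.Addr]int{}, seen: map[connID]struct{}{}}
}

// admit is called for every SYN that reaches the forwarding path.
func (l *limiter) admit(id connID) verdict {
	l.mu.Lock()
	defer l.mu.Unlock()
	if _, dup := l.seen[id]; dup && l.dedupe {
		return duplicateSYN // already counted once; do not count it again
	}
	client := id.src.Addr()
	if l.byClient[client] >= l.perClient {
		return overClientCap
	}
	if l.total >= l.global {
		return overGlobalCap
	}
	l.seen[id] = struct{}{}
	l.byClient[client]++
	l.total++
	return accepted
}

// release is called once by the dial handler when the dial succeeds or fails.
func (l *limiter) release(id connID) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if _, ok := l.seen[id]; !ok {
		return
	}
	delete(l.seen, id)
	client := id.src.Addr()
	l.byClient[client]--
	if l.byClient[client] <= 0 {
		delete(l.byClient, client) // keep the table from growing without bound
	}
	l.total--
}

// retransmitLeak replays one dial whose SYN is retransmitted while pending and
// returns the count still held against the client after the single release.
func retransmitLeak(dedupe bool, retransmits int) int {
	l := newLimiter(16, 64, dedupe)
	id := connID{netip.MustParseAddrPort("100.64.0.7:40000"), netip.MustParseAddrPort("10.0.0.5:443")}
	for i := 0; i <= retransmits; i++ {
		l.admit(id) // only the first SYN gets a handler
	}
	l.release(id)
	return l.byClient[id.src.Addr()] // single goroutine here, no lock needed
}

// noisyClient opens many distinct dials from one client, then asks for one slot
// on behalf of a second client.
func noisyClient(perClient, global, attempts int) (noisyAccepted int, other verdict) {
	l := newLimiter(perClient, global, true)
	dst := netip.MustParseAddrPort("10.0.0.5:443")
	noisy := netip.MustParseAddr("100.64.0.7")
	for i := 0; i < attempts; i++ {
		id := connID{src: netip.AddrPortFrom(noisy, uint16(40000+i)), dst: dst}
		if l.admit(id) == accepted {
			noisyAccepted++
		}
	}
	other = l.admit(connID{src: netip.MustParseAddrPort("100.64.0.9:51000"), dst: dst})
	return noisyAccepted, other
}

func main() {
	fmt.Println(retransmitLeak(false, 3), retransmitLeak(true, 3))
	fmt.Println(noisyClient(4, 8, 20))
}
```

Setting the per-client cap equal to the global cap, as in `noisyClient(8, 8, 20)`, shows the starvation case: the second client is refused with `overGlobalCap`.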
Commits on Mar 13, 2024
prober: export probe counters and cumulative latency
Updates #cleanup Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Commit 205a10b
prober: remove unused derp prober latency measurements
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Commit 5018683
prober: add a DERP bandwidth probe
Updates tailscale/corp#17912 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Commit f12d255
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Commit da3cf12
* net/interfaces: fix android "route ip+net: netlinkrib: permission denied"
* remove github ci
Commit 358177b
Merge branch 'tailscale-main' into n
Signed-off-by: Asutorufa <16442314+Asutorufa@users.noreply.github.com>
Commit a69d557