This repository was archived by the owner on Jul 13, 2025. It is now read-only.
forked from tailscale/tailscale
Fork Sync: Update from parent repository #36
Open: github-actions wants to merge 882 commits into MultiMx:main from tailscale:main
Conversation
Updates #cleanup Signed-off-by: James Sanderson <jsanderson@tailscale.com>
In particular on Windows, the `transport.TPMCloser` we get is not safe for concurrent use. This is especially noticeable because `tpm.attestationKey.Clone` uses the same open handle as the original key. So wrap the operations on ak.tpm with a mutex and make a deep copy with a new connection in Clone. Updates #15830 Updates #17662 Updates #17644 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Add options to the eventbus.Bus to plumb in a logger. Route that logger into the subscriber machinery, and trigger a log message to it when a subscriber fails to respond to its delivered events for 5s or more. The log message includes the package, filename, and line number of the call site that created the subscription. Add tests that verify this works. Updates #17680 Change-Id: I0546516476b1e13e6a9cf79f19db2fe55e56c698 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
…17642) Prior to this change a SubscriberFunc treated the call to the subscriber's function as the completion of delivery. But that means when we are closing the subscriber, that callback could continue to execute for some time after the close returns. For channel-based subscribers that works OK because the close takes effect before the subscriber ever sees the event. To make the two subscriber types symmetric, we should also wait for the callback to finish before returning. This ensures that a Close of the client means the same thing with both kinds of subscriber. Updates #17638 Change-Id: I82fd31bcaa4e92fab07981ac0e57e6e3a7d9d60b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
Include the node's OS with network flow log information. Refactor the JSON-length computation to be a bit more precise. Updates tailscale/corp#33352 Fixes tailscale/corp#34030 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
The cmd/jsontags is non-idiomatic since it is not a main binary. Move it to a vet directory, which will eventually contain a vettool binary. Update tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
This starts running the jsontags vet checker on the module. All existing findings are added to an allowlist. Updates tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Now that the feature is in beta, no one should encounter this error. Updates #cleanup Change-Id: I69ed3f460b7f28c44da43ce2f552042f980a0420 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
The feature is currently in private alpha, so requires a tailnet feature
flag. Initially focuses on supporting the operator's own auth, because the
operator is the only device we maintain that uses static long-lived
credentials. All other operator-created devices use single-use auth keys.
Testing steps:
* Create a cluster with an API server accessible over public internet
* kubectl get --raw /.well-known/openid-configuration | jq '.issuer'
* Create a federated OAuth client in the Tailscale admin console with:
  * The issuer from the previous step
  * Subject claim `system:serviceaccount:tailscale:operator`
  * Write scopes services, devices:core, auth_keys
  * Tag tag:k8s-operator
* Allow the Tailscale control plane to get the public portion of
  the ServiceAccount token signing key without authentication:
  * kubectl create clusterrolebinding oidc-discovery \
      --clusterrole=system:service-account-issuer-discovery \
      --group=system:unauthenticated
* helm install --set oauth.clientId=... --set oauth.audience=...
Updates #17457
Change-Id: Ib29c85ba97b093c70b002f4f41793ffc02e6c6e9
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Use GetGlobalAddrs() to discover all STUN endpoints, handling bad NATs that create multiple mappings. When MappingVariesByDestIP is true, also add the first STUN IPv4 address with the relay's local port for static port mapping scenarios. Updates #17796 Signed-off-by: Raj Singh <raj@tailscale.com>
Updates #17805 Change-Id: I540f50d067eee12e430dfd9de6871dc784fffb8a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It was disabled in May 2024 in #12205 (9eb72bb). This removes the unused symbols. Updates #188 Updates tailscale/corp#19106 Updates tailscale/corp#19116 Change-Id: I5208b7b750b18226ed703532ed58c4ea17195a8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Fixes #17805 Change-Id: I36e37cb0cfb2ea7b2341fd4b9809fbf1dd46d991 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
* lock released early just to call `b.send` when it can call `b.sendToLocked` instead
* `UnlockEarly` called to release the lock before trivially fast operations, we can wait for a defer there
Updates #11649 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Updates #cleanup Change-Id: I86ee7a0d048dafc8c0d030291261240050451721 Signed-off-by: Alex Chan <alexc@tailscale.com>
Previously if `chains` was empty, it would be passed to `computeActiveAncestor()`, which would fail with the misleading error "multiple distinct chains". Updates tailscale/corp#33846 Signed-off-by: Alex Chan <alexc@tailscale.com> Change-Id: Ib93a755dbdf4127f81cbf69f3eece5a388db31c8
This removes one of the O(n=peers) allocs in getStatus, as Engine.getStatus happens more often than Reconfig. Updates #17814 Change-Id: I8a87fbebbecca3aedadba38e46cc418fd163c2b0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>
When systemd notification support was omitted from the build, or on non-Linux systems, we were unnecessarily emitting code and generating garbage stringifying addresses upon transition to the Running state. Updates #12614 Change-Id: If713f47351c7922bb70e9da85bf92725b25954b9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #12614 Change-Id: I3c16b94fcb997088ff18d5a21355e0279845ed7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
So they're not all run N times on the sharded oss builders and are only run one time each. Updates tailscale/corp#28679 Change-Id: Ie21e84b06731fdc8ec3212eceb136c8fc26b0115 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Unfortunately I closed the tab and lost it in my sea of CI failures I'm currently fighting. Updates #cleanup Change-Id: I4e3a652d57d52b75238f25d104fc1987add64191 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #17830 Signed-off-by: Jordan Whited <jordan@tailscale.com>
I noticed a deadlock in a test in an in-development PR where during a shutdown storm of things (from a tsnet.Server.Close), LocalBackend was trying to call magicsock.Conn.Synchronize but the magicsock and/or eventbus was already shut down and no longer processing events. Updates #16369 Change-Id: I58b1f86c8959303c3fb46e2e3b7f38f6385036f1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #17680 Change-Id: Ie48dc2d64b7583d68578a28af52f6926f903ca4f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Fixes #17837 Signed-off-by: Sachin Iyer <siyer@detail.dev>
Fixes #17833 Signed-off-by: Sachin Iyer <siyer@detail.dev>
Fixes #17834 Signed-off-by: Sachin Iyer <siyer@detail.dev>
QR codes are used by `tailscale up --qr` to provide an easy way to open a web-page without transcribing a difficult URI. However, there’s no need for this feature if the client will never be called interactively. So this PR adds the `ts_omit_qrcodes` build tag. Updates #18182 Signed-off-by: Simon Law <sfllaw@tailscale.com>
Add support for authenticating the gitops-pusher using workload identity federation. Updates tailscale/corp#34172 Signed-off-by: Mario Minardi <mario@tailscale.com>
To prevent peer relay servers from sending packets *over* Tailscale. Updates tailscale/corp#35651 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Prior to this change, we were resetting the tsnet's serve config every time tsnet.Server.Up was run. This is important to do on startup, to prevent messy interactions with stale configuration when the code has changed. However, Up is frequently run as a just-in-case step (for example, by Server.ListenTLS/ListenFunnel and possibly by consumers of tsnet). When the serve config is reset on each of these calls to Up, this creates situations in which the serve config disappears unexpectedly. The solution is to reset the serve config only on the first call to Up. Fixes #8800 Updates tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com>
Previously the funnel listener would leave artifacts in the serve config. This caused weird out-of-sync effects like the admin panel showing that funnel was enabled for a node, but the node rejecting packets because the listener was closed. This change resolves these synchronization issues by ensuring that funnel listeners clean up the serve config when closed. See also: e109cf9 Updates #cleanup Signed-off-by: Harry Harpham <harry@tailscale.com>
Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Expose the node's home DERP region ID as a Prometheus gauge via the usermetrics endpoint. Fixes #18061 Signed-off-by: Raj Singh <raj@tailscale.com>
Updates #18376 (follow up on feedback) Signed-off-by: Harry Harpham <harry@tailscale.com>
Updates #cleanup Signed-off-by: Harry Harpham <harry@tailscale.com>
Fixes a bug where, for kube HA proxies, TLS certs for the replica responsible for cert issuance were loaded in memory on startup, although the in-memory store was not updated after renewal (to avoid failing re-issuance for re-created Ingresses). Now the 'write' replica always reads certs from the kube Secret. Updates #18394 Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
…#18398) Recently, the golangci-lint workflow has been taking longer and longer to complete, causing it to timeout after the default of 5 minutes. Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: context deadline exceeded Timeout exceeded: try increasing it by passing --timeout option This PR upgrades actions/setup-go to version 6, the latest, and enables caching for Go modules and build outputs. This should speed up linting because most packages won’t have to be downloaded over and over again. Fixes #18366 Signed-off-by: Simon Law <sfllaw@tailscale.com>
Updates tailscale/corp#31174 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Updates tailscale/corp#31174 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
…#18373) Adds the ability to detect what provider the client is running on and tries to fetch the ID token to use with Workload Identity. Updates tailscale/corp#33316 Signed-off-by: Danni Popova <danni@tailscale.com>
…ck to ./tool/go (#18409) If local tailscale/tailscale checkout is not available, pull cigocacher remotely. Fall back to ./tool/go if no other Go installation is present. Updates tailscale/corp#32493 Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
Allow for optionally specifying an audience for tsnet. This is passed to the underlying identity federation logic to allow for tsnet auth to use automatic ID token generation for authentication. Updates tailscale/corp#33316 Signed-off-by: Mario Minardi <mario@tailscale.com>
Allow for optionally specifying an audience for containerboot. This is passed to tailscale up to allow for containerboot to use automatic ID token generation for authentication. Updates tailscale/corp#34430 Signed-off-by: Mario Minardi <mario@tailscale.com>
Recently, the golangci-lint workflow has been taking longer and longer
to complete, causing it to timeout after the default of 5 minutes.
Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: context deadline exceeded
Timeout exceeded: try increasing it by passing --timeout option
Although PR #18398 enabled the Go module cache, bootstrapping with a
cold cache still takes too long.
This PR doubles the default 5 minute timeout for golangci-lint to 10
minutes so that golangci-lint can finish downloading all of its
dependencies.
Note that this doesn’t affect the 5 minute timeout configured in
.golangci.yml, since running golangci-lint on your local instance
should still be plenty fast.
Fixes #18366
Signed-off-by: Simon Law <sfllaw@tailscale.com>
Signed-off-by: Nick O'Neill <nick@tailscale.com>
…olving tar gocross-wrapper.ps1 is written to use the version of tar that ships with Windows; we want to avoid conflicts with any other tar on the PATH, such as ones installed by MSYS and/or Cygwin. Updates tailscale/corp#29940 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
…grants (#18393) Updates #35796 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
…state of EnableDNSRegistration Policy editors, such as gpedit.msc and gpme.msc, rely on both the presence and the value of the registry value to determine whether a policy is enabled. Unless an enabledValue is specified explicitly, it defaults to REG_DWORD 1. Therefore, we cannot rely on the same registry value to track the policy configuration state when it is already used by a policy option, such as a dropdown. Otherwise, while the policy setting will be written and function correctly, it will appear as Not Configured in the policy editor due to the value mismatch (for example, REG_SZ "always" vs REG_DWORD 1). In this PR, we update the DNSRegistration policy setting to use the DNSRegistrationConfigured registry value for tracking. This change has no effect on the client side and exists solely to satisfy ADMX and policy editor requirements. Updates #14917 Signed-off-by: Nick Khyl <nickk@tailscale.com>
fixes #18418 Both Serve and PeerAPI broke when we moved the TailscaleInterfaceName into State, which is updated asynchronously and may not be available when we configure the listeners. This extracts the explicit interface name property from netmon.State and adds it as a static struct with getters that have proper error handling. The bug is only found in sandboxed Darwin clients, where we need to know the Tailscale interface details in order to set up the listeners correctly (they must bind to our interface explicitly to escape the network sandboxing that is applied by NECP). Currently only sandboxed macOS and Plan9 set this, but it will also be useful on Windows to simplify interface filtering in netns. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
This change adds API to ipn.LocalBackend to retrieve the ETag when querying for the current serve config. This allows consumers of ipn.LocalBackend.SetServeConfig to utilize the concurrency control offered by ETags. Previous to this change, utilizing serve config ETags required copying the local backend's internal ETag calculation. The local API server was previously copying the local backend's ETag calculation as described above. With this change, the local API server now uses the new ETag retrieval function instead. Serve config ETags are therefore now opaque to clients, in line with best practices. Fixes tailscale/corp#35857 Signed-off-by: Harry Harpham <harry@tailscale.com>
This change allows tsnet nodes to act as Service hosts by adding a new function, tsnet.Server.ListenService. Invoking this function will advertise the node as a host for the Service and create a listener to receive traffic for the Service. Fixes #17697 Fixes tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com>
…Map (#18452)
* k8s-operator,kube: removing enableSessionRecordings option. It seems like it is going to create a confusing user experience and it's going to be a very niche use case, so we have decided to defer this for now. Updates tailscale/corp#35796 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
* k8s-operator: adding metric for env var deprecation Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
---------
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Polls IMDS (currently only AWS) for extra IPs to advertise as udprelay. Updates #17796 Change-Id: Iaaa899ef4575dc23b09a5b713ce6693f6a6a6964 Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
…ersion (#18462) fixes tailscale/corp#27182 tailscale version --json now includes an osVariant field that will report one of macsys, appstore or darwin. We can extend this to other platforms where tailscaled can have multiple personalities. This also adds the concept of a platform-specific callback for querying an explicit application identifier. On Apple, we can use CFBundleGetIdentifier(mainBundle) to get the bundle identifier via cgo. This removes all the ambiguity and lets us remove other less direct methods (like env vars, locations, etc). Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
No description provided.