This is not currently exposed as a user-settable preference through
`tailscale up` or `tailscale set`. Instead, the preference is set when
turning the web client on and off via localapi. In a subsequent commit,
the pref will be used to automatically start the web client on startup
when appropriate.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
Allows for serving the web interface from tailscaled, with the
ability to start and stop the server via localapi endpoints
(/web/start and /web/stop).
This will be used to run the new full management web client,
which will only be accessible over Tailscale (with an extra auth
check step over noise) from the daemon. This switch also allows
us to run the web interface as a long-lived service in environments
where the CLI version is restricted to CGI, allowing us to manage
certain auth state in memory.
ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for
ios builds to satisfy ios restriction from adding "text/template"
and "html/template" dependencies.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
We were inconsistent whether we checked if the feature was already
enabled which we could do cheaply using the locally available status.
We would do the checks fine if we were turning on funnel, but not serve.
This moves the cap checks down into enableFeatureInteractive so that
are always run.
Updates #9984
Co-authored-by: Tyler Smalley <tyler@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
We prevent shodow configs when starting a foreground when a background serve config already exists for the serve type and port. This PR improves the messaging to let the user know how to remove the previous config.
Updates #8489
ENG-2314
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
The `--http` flag can not be used with Funnel, so we should remove it to remove confusion.
Updates #8489
ENG-2316
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
This PR changes the -https, -http, -tcp, and -tls-terminated-tcp
flags from string to int and also updates the validation to ensure
they fit the uint16 size as the flag library does not have a Uint16Var
method.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
The TestServeDevConfigMutations test has 63 steps that all run
under the same scope. This tests breaks them out into isolated
subtests that can be run independently.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
We currently print out "run tailscale serve --help" when the subcmd
might be funnel. This PR ensures the right subcmd is passed.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
On `tailscale set --auto-update`, set the Sparkle plist option for it.
Also make macsys report not supporting auto-updates over c2n, since they
will be triggered by Sparkle locally.
Updates #755
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
A few people have run into issues with understanding why `--set-path` started in background mode, and/or why they couldn't use a path in foreground mode. This change allows `--set-path` to be used in either case (foreground or background).
updates #8489
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
clientupdate.Updater will have a non-nil Update func in a few cases
where it doesn't actually perform an update:
* on Arch-like distros, where it prints instructions on how to update
* on macOS app store version, where it opens the app store page
Add a new clientupdate.Arguments field to cause NewUpdater to fail when
we hit one of these cases. This results in c2n updates being "not
supported" and `tailscale set --auto-update` returning an error.
Updates #755
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
* Fixes issue with template string not being provided in help text
* Updates background information to provide full URL, including path, to make it clear the source and destination
* Restores some tests
* Removes AllowFunnel in ServeConfig if no proxy exists for that port.
updates #8489
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
This PR adds the same set-raw from the old flow into the new one
so that users can continue to use it when transitioning into the new
flow.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
This PR fixes the isLegacyInvocation to better catch serve and
funnel legacy commands. In addition, it now also returns a string
that translates the old command into the new one so that users
can have an easier transition story.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
This PR allows you to do "tailscale serve -bg -https:4545 off" and it
will delete all handlers under it. It will also prompt you for a y/n in case
you wanted to delete a single port.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
Users should delete proxies by deleting or modifying the k8s cluster resources
that they used to tell the operator to create they proxy. With this flow,
the tailscale operator will delete the associated device from the control.
However, in some cases users might have already deleted the device from the control manually.
Updates tailscale/tailscale#9773
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
We no longer build Windows releases with cgo enabled, which
automatically turned off certstore support. Rather than re-enabling cgo,
we updated our fork of the certstore package to no longer require cgo.
This updates the package, cleans up how the feature is configured, and
removes the cgo build tag requirement.
Fixestailscale/corp#14797Fixestailscale/coral#118
Change-Id: Iaea34340761c0431d759370532c16a48c0913374
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
In the sandboxed app from the app store, we cannot check
`/Library/Preferences/com.apple.commerce.plist` or run `softwareupdate`.
We can at most print a helpful message and open the app store page.
Also, reenable macsys update function to mark it as supporting c2n
updates. macsys support in `tailscale update` was fixed.
Updates #755
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
The progress printer was buggy where it would not print correctly
and some of the truncation logic was faulty.
The progress printer now prints something like:
go1.21.3.linux-amd64.tar.gz 21.53MiB 13.83MiB/s 33.88% ETA 00:00:03
where it shows
* the number of bytes transferred so far
* the rate of bytes transferred
(using a 1-second half-life for an exponentially weighted average)
* the progress made as a percentage
* the estimated time
(as calculated from the rate of bytes transferred)
Other changes:
* It now correctly prints the progress for very small files
* It prints at a faster rate (4Hz instead of 1Hz)
* It uses IEC units for byte quantities
(to avoid ambiguities of "kb" being kilobits or kilobytes)
Updates tailscale/corp#14772
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
The `serve` command for TCP has always required the scheme of the target to be specified. However, when it's omitted the error message reported is misleading
```
error: failed to apply TCP serve: invalid TCP target "localhost:5900": missing port in address
```
Since we know the target is TCP, we shouldn't require it to be specified. This aligns with the changes for HTTP proxies in https://github.com/tailscale/tailscale/issues/8489closes#9855
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
The `off` subcommand removes a serve/funnel for the corresponding type and port. Previously, we were not providing this which would result in an error if someone was using something than the default https=443.
closes#9858
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
It's required as of the recent 5297bd2cff.
Updates #7894
Updates #9394 (sure would be nice)
Change-Id: Id6672408dd8a6c82dba71022c8763e589d789fcd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
* cmd/k8s-operator: users can configure operator to set firewall mode for proxies
Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode
Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service.
Updates tailscale/tailscale#9310
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
The change is being kept to a minimum to make a revert easy if necessary. After the release, we will go back for a final cleanup.
updates #8489
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
Previously we were just smushing together args and not trying
to parse the values at all. This resulted in the args to testwrapper
being limited and confusing.
This makes it so that testwrapper parses flags in the exact format as `go test`
command and passes them down in the provided order. It uses tesing.Init to
register flags that `go test` understands, however those are not the only
flags understood by `go test` (such as `-exec`) so we register these separately.
Updates tailscale/corp#14975
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This partially reverts commits a61a9ab087
and 7538f38671 and fully reverts
4823a7e591.
The goal of that commit was to reapply known config whenever the
container restarts. However, that already happens when TS_AUTH_ONCE was
false (the default back then). So we only had to selectively reapply the
config if TS_AUTH_ONCE is true, this does exactly that.
This is a little sad that we have to revert to `tailscale up`, but it
fixes the backwards incompatibility problem.
Updates tailscale/tailscale#9539
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This change:
* adds a partial files peerAPI endpoint to get a list of partial files
* adds a helper function to extract the basename of a file
* updates the peer put peerAPI endpoint
* updates the file put localapi endpoint to allow resume functionality
Updates #14772
Signed-off-by: Rhea Ghosh <rhea@tailscale.com>
We were too strict and required the user not specify the host field at all
in the ingress rules, but that degrades compatibility with existing helm charts.
Relax the constraint so that rule.Host can either be empty, or match the tls.Host[0]
value exactly.
Fixes#9548
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Replace the deprecated var with the one in docs to avoid confusion.
Introduced in 335a5aaf9a.
Updates #8317Fixes#9764
Signed-off-by: Maisem Ali <maisem@tailscale.com>
IPProto has been being converted to and from string formats in multiple
locations with variations in behavior. TextMarshaller and JSONMarshaller
implementations are now added, along with defined accepted and preferred
formats to centralize the logic into a single cross compatible
implementation.
Updates tailscale/corp#15043Fixestailscale/corp#15141
Signed-off-by: James Tucker <james@tailscale.com>
The current structure meant that we were embedding netstack in
the tailscale CLI and in the GUIs. This removes that by isolating
the checksum munging to a different pkg which is only called from
`net/tstun`.
Fixes#9756
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This migrates containerboot to reuse the NetfilterRunner used
by tailscaled instead of manipulating iptables rule itself.
This has the added advantage of now working with nftables and
we can potentially drop the `iptables` command from the container
image in the future.
Updates #9310
Co-authored-by: Irbe Krumina <irbe@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This is only relevant for unstable releases and local builds. When local
version is newer than upstream, abort release.
Also, re-add missing newlines in output that were missed in
https://github.com/tailscale/tailscale/pull/9694.
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit adds support for getting serial numbers from SMBIOS
on Windows/Linux (and BSD) using go-smbios.
Updates #5902
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
In case cli.Stdout/Stderr get overriden, all CLI output should use them
instead of os.Stdout/Stderr. Update the `update` command to follow this
pattern.
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Add available update message in "tailscale up" output. Also update the
message in "tailscale status" to match and mention auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Over time all taildrop functionality will be contained in the
taildrop package. This will include end to end unit tests. This is
simply the first smallest piece to move over.
There is no functionality change in this commit.
Updates tailscale/corp#14772
Signed-off-by: Rhea Ghosh <rhea@tailscale.com>
Co-authored-by: Joseph Tsai <joetsai@tailscale.com>
Instead of just falling back to making a TCP query to an upstream DNS
server when the UDP query returns a truncated query, also start a TCP
query in parallel with the UDP query after a given race timeout. This
ensures that if the upstream DNS server does not reply over UDP (or if
the response packet is blocked, or there's an error), we can still make
queries if the server replies to TCP queries.
This also adds a new package, util/race, to contain the logic required for
racing two different functions and returning the first non-error answer.
Updates tailscale/corp#14809
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I4311702016c1093b1beaa31b135da1def6d86316
Make the 'tailscale debug component-logs' command print the component names for
which extra logging can be turned on, for easier discoverability of debug
functions.
Updates #cleanup
Co-authored-by: Paul Scott <paul@tailscale.com>
Signed-off-by: Val <valerie@tailscale.com>
Implements the ability for the address-rewriting code to support rewriting IPv6 addresses.
Specifically, UpdateSrcAddr & UpdateDstAddr.
Signed-off-by: Tom DNetto <tom@tailscale.com>
Updates https://github.com/tailscale/corp/issues/11202
We had a misstep with the semantics when applying an optimization that
showed up in the roll into corp. This test ensures that case and related
cases must be retained.
Updates #9410
Updates #9601
Signed-off-by: James Tucker <james@tailscale.com>
This reverts commit ee90cd02fd.
The outcome is not identical for empty slices. Cloner really needs
tests!
Updates #9601
Signed-off-by: James Tucker <james@tailscale.com>
go-billy is held back at v5.4.1 in order to avoid a newly introduced
subdependency that is not compatible with plan9.
Updates #8043
Signed-off-by: James Tucker <james@tailscale.com>
1.50.0 switched containerboot from using `tailscale up`
to `tailscale login`. A side-effect is that a re-usable
authkey is now re-applied on every boot by `tailscale login`,
where `tailscale up` would ignore an authkey if already
authenticated.
Though this looks like it is changing the default, in reality
it is setting the default to match what 1.48 and all
prior releases actually implemented.
Fixes https://github.com/tailscale/tailscale/issues/9539
Fixes https://github.com/tailscale/corp/issues/14953
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
These were missed when adding NodeCapMap and resulted
in tsnet binaries not being able to turn on funnel.
Fixes#9566
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Ensure that when there is an event on a Tailscale managed Ingress or Service child resource, the right parent type gets reconciled
Updates tailscale/tailscale#502
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This PR ensures zombie foregrounds are shutdown if a new
ServeConfig is created that wipes the ongoing foreground ones.
For example, "tailscale serve|funnel reset|off" should close
all open sessions.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
For loading testing & profiling the cost of full netmap updates.
Updates #1909
Change-Id: I0afdf5de9967f8d95c7f81d5b531ed1c92c3208f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Update github.com/go-json-experiment/json to the latest version
and fix the build in light of some breaking API changes.
Updates #cleanup
Signed-off-by: Joe Tsai <joetsai@digital-static.net>
The test was sending SIGKILL to containerboot, which results in no
signal propagation down to the bash script that is running as a child
process, thus it leaks.
Minor changes to the test daemon script, so that it cleans up the socket
that it creates on exit, and spawns fewer processes.
Fixestailscale/corp#14833
Signed-off-by: James Tucker <james@tailscale.com>
In typical k8s setups, the MTU configured on the eth0 interfaces is typically 1500 which
results in packets being dropped when they make it to proxy pods as the tailscale0 interface
has a 1280 MTU.
As the primary use of this functionality is TCP, add iptables based MSS clamping to allow
connectivity.
Updates #502
Signed-off-by: Maisem Ali <maisem@tailscale.com>
It was tailscale.com/ts-tailnet-target-ip, which was pretty
redundant. Change it to tailscale.com/tailnet-ip.
Updates #502
Signed-off-by: Maisem Ali <maisem@tailscale.com>
Like PeerCapMap, add a field to `tailcfg.Node` which provides
a map of Capability to raw JSON messages which are deferred to be
parsed later by the application code which cares about the specific
capabilities. This effectively allows us to prototype new behavior
without having to commit to a schema in tailcfg, and it also opens up
the possibilities to develop custom behavior in tsnet applications w/o
having to plumb through application specific data in the MapResponse.
Updates #4217
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This adds a new RawMessage type backed by string instead of the
json.RawMessage which is backed by []byte. The byte slice makes
the generated views be a lot more defensive than the need to be
which we can get around by using a string instead.
Updates #cleanup
Signed-off-by: Maisem Ali <maisem@tailscale.com>
And convert all callers over to the methods that check SelfNode.
Now we don't have multiple ways to express things in tests (setting
fields on SelfNode vs NetworkMap, sometimes inconsistently) and don't
have multiple ways to check those two fields (often only checking one
or the other).
Updates #9443
Change-Id: I2d7ba1cf6556142d219fae2be6f484f528756e3c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This PR fixes a bug to make sure that we don't allow two configs
exist with duplicate ports
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
The kube-apiserver proxy in the operator would only run in
auth proxy mode but thats not always desirable. There are
situations where the proxy should just be a transparent
proxy and not inject auth headers, so do that using a new
env var APISERVER_PROXY and deprecate the AUTH_PROXY env.
THe new env var has three options `false`, `true` and `noauth`.
Updates #8317
Signed-off-by: Maisem Ali <maisem@tailscale.com>
tailcfg.Node zero-value clone equality checks failed when I added a
[]*foo to the structure, as the zero value and it's clone contained a
different slice header.
Updates #9377
Updates #9408
Signed-off-by: James Tucker <james@tailscale.com>
This PR adds validations for the new new funnel/serve
commands under the following rules:
1. There is always a single config for one port (bg or fg).
2. Foreground configs under the same port cannot co-exists (for now).
3. Background configs can change as long as the serve type is the same.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
This PR uses the etag/if-match pattern to ensure multiple calls
to SetServeConfig are synchronized. It currently errors out and
asks the user to retry but we can add occ retries as a follow up.
Updates #8489
Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
It became required as of 6e967446e4
Updates #8052
Change-Id: I08d100534254865293c1beca5beff8e529e4e9ac
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
General cleanup and additional test coverage of WIP code.
* use enum for serveType
* combine instances of ServeConfig access within unset
* cleanMountPoint rewritten into cleanURLPath as it only handles URL paths
* refactor and test expandProxyTargetDev
> **Note**
> Behind the `TAILSCALE_USE_WIP_CODE` flag
updates #8489
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
I missed this in 343c0f1031 and I guess we don't have integration
tests for wasm. But it compiled! :)
Updates #fixup to a #cleanup
Change-Id: If147b90bab254d144ec851a392e8db10ab97f98e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Will Norris
Sonia Appasamy
Irbe Krumina
Maisem Ali
Aaron Klotz
Tyler Smalley
Marwan Sulaiman
Andrew Lytvynov
Adrian Dewhurst
Joe Tsai
Brad Fitzpatrick
Tyler Smalley
Rhea Ghosh
James Tucker
Kristoffer Dalby
Simon Leonhardt
Andrew Dunham
Val
Tom DNetto
Claire Wang
Denton Gentry
Andrea Barisani