This repository was archived by the owner on Jul 13, 2025. It is now read-only.
Fork Sync: Update from parent repository#36
Open
github-actions[bot] wants to merge 949 commits intoMultiMx:mainfrom
Open
Fork Sync: Update from parent repository#36github-actions[bot] wants to merge 949 commits intoMultiMx:mainfrom
github-actions[bot] wants to merge 949 commits intoMultiMx:mainfrom
Conversation
This requires making the internals of LocalBackend a bit more generic, and implementing the `tka.CompactableChonk` interface for `tka.Mem`. Signed-off-by: Alex Chan <alexc@tailscale.com> Updates tailscale/corp#33599
Let's fix all the typos, which lets the code be more readable, lest we confuse our readers. Updates #cleanup Change-Id: I4954601b0592b1fda40269009647bb517a4457be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…ol map poll For manual (human) testing, this lets the user disable control plane map polls with "tailscale set --sync=false" (which survives restarts) and "tailscale set --sync" to restore. A high severity health warning is shown while this is active. Updates #12639 Updates #17945 Change-Id: I83668fa5de3b5e5e25444df0815ec2a859153a6d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
) DA protection is not super helpful because we don't set an authorization password on the key. But if authorization fails for other reasons (like TPM being reset), we will eventually cause DA lockout with tailscaled trying to load the key. DA lockout then leads to (1) issues for other processes using the TPM and (2) the underlying authorization error being masked in logs. Updates #17654 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Perform a path check first before attempting exec of `true`. Try /usr/bin/true first, as that is now and increasingly so, the more common and more portable path. Fixes tests on macOS arm64 where exec was returning a different kind of path error than previously checked. Updates #16569 Signed-off-by: James Tucker <james@tailscale.com>
The REST API does not return a node name with a trailing dot, while the internal node name reported in the netmap does have one. In order to be consistent with the API, strip the dot when recording node information. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Updates tailscale/corp#21570 Signed-off-by: James Sanderson <jsanderson@tailscale.com>
Updates tailscale/corp#34238 Signed-off-by: James Sanderson <jsanderson@tailscale.com>
See http://go/no-ell Signed-off-by: Alex Chan <alexc@tailscale.com> Updates #cleanup Change-Id: I8c976b51ce7a60f06315048b1920516129cc1d5d
I added a RemoveAll() method on tka.Chonk in #17946, but it's only used in the node to purge local AUMs. We don't need it in the SQLite storage, which currently implements tka.Chonk, so move it to CompactableChonk instead. Also add some automated tests, as a safety net. Updates tailscale/corp#33599 Change-Id: I54de9ccf1d6a3d29b36a94eccb0ebd235acd4ebc Signed-off-by: Alex Chan <alexc@tailscale.com>
Updates #17945 Change-Id: I8987271420feb190f5e4d85caff305c8d4e84aae Signed-off-by: Alex Chan <alexc@tailscale.com>
Updates #17957 Change-Id: I904fd5b544ac3090b58c678c4726e7ace41a52dd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates #12639 Change-Id: Ia50b15529bd1c002cdd2c937cdfbe69c06fa2dc8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Existing compaction logic seems to have had an assumption that markActiveChain would cover a longer part of the chain than markYoungAUMs. This prevented long, but fresh, chains, from being compacted correctly. Updates tailscale/corp#33537 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
We use `tka.AUMHash` in `netmap.NetworkMap`, and we serialise it as JSON in the `/debug/netmap` C2N endpoint. If the binary omits Tailnet Lock support, the debug endpoint returns an error because it's unable to marshal the AUMHash. This patch adds a sentinel value so this marshalling works, and we can use the debug endpoint. Updates #17115 Signed-off-by: Alex Chan <alexc@tailscale.com> Change-Id: I51ec1491a74e9b9f49d1766abd89681049e09ce4
As part of the conn25 work we will want to be able to keep track of a pool of IP Addresses and know which have been used and which have not. Fixes tailscale/corp#34247 Signed-off-by: Fran Bull <fran@tailscale.com>
…co key rotation Adds the ability to rotate discovery keys on running clients, needed for testing upcoming disco key distribution changes. Introduces key.DiscoKey, an atomic container for a disco private key, public key, and the public key's ShortString, replacing the prior separate atomic fields. magicsock.Conn has a new RotateDiscoKey method, and access to this is provided via localapi and a CLI debug command. Note that this implementation is primarily for testing as it stands, and regular use should likely introduce an additional mechanism that allows the old key to be used for some time, to provide a seamless key rotation rather than one that invalidates all sessions. Updates tailscale/corp#34037 Signed-off-by: James Tucker <james@tailscale.com>
…17955) We now embed node information into network flow logs. By default, netlogfmt still prints out using Tailscale IP addresses. Support a "--resolve-addrs=TYPE" flag that can be used to specify resolving IP addresses as node IDs, hostnames, users, or tags. Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Updates tailscale/corp#25406 Change-Id: I7832dbe3dce3774bcc831e3111feb75bcc9e021d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(trying to get in smaller obvious chunks ahead of later PRs to make them smaller) Updates #17925 Change-Id: I184002001055790484e4792af8ffe2a9a2465b2e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit modifies the helm/static manifest configuration for the k8s-operator to prefer the stable image tag. This avoids making those using static manifests seeing unstable behaviour by default if they do not manually make the change. This is managed for us when using helm but not when generating the static manifests. Updates #10655 Signed-off-by: David Bond <davidsbond93@gmail.com>
Previously a TKA compaction would only run when a node starts, which means a long-running node could use unbounded storage as it accumulates ever-increasing amounts of TKA state. This patch changes TKA so it runs a compaction after every sync. Updates tailscale/corp#33537 Change-Id: I91df887ea0c5a5b00cb6caced85aeffa2a4b24ee Signed-off-by: Alex Chan <alexc@tailscale.com>
Updates tailscale/corp#33537 Signed-off-by: Alex Chan <alexc@tailscale.com>
Our style guide recommends avoiding Latin abbreviations in technical documentation, which includes the CLI help text. This is causing linter issues for the docs site, because this help text is copied into the docs. See http://go/style-guide/kb/language-and-grammar/abbreviations#latin-abbreviations Updates #cleanup Change-Id: I980c28d996466f0503aaaa65127685f4af608039 Signed-off-by: Alex Chan <alexc@tailscale.com>
Updates #cleanup Change-Id: Ib7b497e22c6cdd80578c69cf728d45754e6f909e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Now that we support using an in-memory backend for TKA state (#17946), this function always returns `nil` – we can always support Network Lock. We don't need it any more. Plus, clean up a couple of errant TODOs from that PR. Updates tailscale/corp#33599 Change-Id: Ief93bb9adebb82b9ad1b3e406d1ae9d2fa234877 Signed-off-by: Alex Chan <alexc@tailscale.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
This commit enables user to set service backend to remote destinations, that can be a partial URL or a full URL. The commit also prevents user to set remote destinations on linux system when socket mark is not working. For user on any version of mac extension they can't serve a service either. The socket mark usability is determined by a new local api. Fixes tailscale/corp#24783 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
This adds a new node capability 'dns-subdomain-resolve' that signals that all of hosts' subdomains should resolve to the same IP address. It allows wildcard matching on any node marked with this capability. This change also includes an util/dnsname utility function that lets us access the parent of a full qualified domain name. MagicDNS takes this function and recursively searchs for a matching real node name. One important thing to observe is that, in this context, a subdomain can have multiple sub labels. This means that for a given node named machine, both my.machine and be.my.machine will be a positive match. Updates #1196 Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
On Windows, TempDir cleanup fails if file handles are still open. TestConcurrentSameFile wasn't closing Filch instances before exit Fixes #18570 Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
So callers can run testwrapper with -vet=off if they're already running vet explicitly in a concurrent test job. Updates tailscale/corp#28679 Change-Id: I74ad56e560076d187f5e3a7d7381e1dac89d860c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…cisions By dropping inbound disco.Ping messages received over direct UDP paths. Fixes #18560 Signed-off-by: Jordan Whited <jordan@tailscale.com>
…nate locally (#18461) * wgengine/netstack: add local tailscale service IPs to route and terminate locally This commit adds the tailscales service IPs served locally to OS routes, and make interception to packets so that the traffic terminates locally without making affects to the HA traffics. Fixes tailscale/corp#34048 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * fix test Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * add ready field to avoid accessing lb before netstack starts Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * wgengine/netstack: store values from lb to avoid acquiring a lock Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * add active services to netstack on starts with stored prefs. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * fix comments Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * update comments Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
Fix precedence logic to skip federated identity logic when the associated environment variables are empty. Updates tailscale/gitops-acl-action#71 Signed-off-by: Mario Minardi <mario@tailscale.com>
…18157) The forwarder was not setting the Truncated (TC) flag when UDP DNS responses exceeded either the EDNS buffer size (if present) or the RFC 1035 default 512-byte limit. This affected DoH, TCP fallback, and UDP response paths. The fix ensures checkResponseSizeAndSetTC is called in all code paths that return UDP responses, enforcing both EDNS and default UDP size limits. Added comprehensive unit tests and consolidated duplicate test helpers. Updates #18107 Signed-off-by: Brendan Creane <bcreane@gmail.com>
Go1.25 for tailscale/go#149 Go1.26 for tailscale/go#149 + upstream release-branch.go1.26 work since rc2. Updates tailscale/go#149 Change-Id: Ib56b5b5119f181c4a81d4b599b8bbdb405ee6704 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This ensures that D-Bus is active for the unit and will correctly shut down when the default target ends. Fixes: #18458 Signed-off-by: Neal Gompa <ngompa@velocitylimitless.com>
This provides a mechanism to block, waiting for Tailscale's IP to be ready for a bind/listen, to gate the starting of other services. It also adds a new --assert=[IP] option to "tailscale ip", for services that want extra paranoia about what IP is in use, if they're worried about having switched to the wrong tailnet prior to reboot or something. Updates #3340 Updates #11504 ... and many more, IIRC Change-Id: I88ab19ac5fae58fd8c516065bab685e292395565 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…#18519) This commit fixes an issue within containerboot that arose from the kubernetes operator. When users enable metrics on custom resources that are running on dual stack or ipv6 only clusters, they end up with an error as we pass the hostport combintation using $(POD_IP):PORT. In go, `netip.ParseAddrPort` expects square brackets `[]` to wrap the host portion of an ipv6 address and would naturally, crash. When loading the containerboot configuration from the environment we now check if the `TS_LOCAL_ADDR_PORT` value contains the pod's v6 ip address. If it does & does not already contain brackets, we add the brackets in. Closes: #15762 Closes: #15467 Signed-off-by: David Bond <davidsbond93@gmail.com>
#18590) Found by @cmol. When rewriting the same value into the cache, we were dropping the unchanged keys, resulting in the cache being pruned incorrectly. Also update the tests to catch this. Updates #12639 Change-Id: Iab67e444eb7ddc22ccc680baa2f6a741a00eb325 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
Updates tailscale/go#149 Change-Id: If0483466eb1fc2196838c75f6d53925b1809abff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…8568) Not all Linux distros use systemd yet, for example GL.iNet KVM devices use busybox's init, which is similar to SysV init. This is a best-effort restart attempt after the update, it probably won't cover 100% of init.d setups out there. Fixes #18567 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
…8356) When the NodeAttrDNSSubdomainResolve capability is present, enable wildcard certificate issuance to cover all single-level subdomains of a node's CertDomain. Without the capability, only exact CertDomain matches are allowed, so node.ts.net yields a cert for node.ts.net. With the capability, we now generate wildcard certificates. Wildcard certs include both the wildcard and base domain in their SANs, and ACME authorization requests both identifiers. The cert filenames are kept still based on the base domain with the wildcard prefix stripped, so we aren't creating separate files. DNS challenges still used the base domain The checkCertDomain function is replaced by resolveCertDomain that both validates and returns the appropriate cert domain to request. Name validation is now moved earlier into GetCertPEMWithValidity() Fixes #1196 Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
This resolves a gap in test coverage, ensuring Server.ListenService functions as expected in combination with user-supplied TUN devices Fixes tailscale/corp#36603 Co-authored-by: Harry Harpham <harry@tailscale.com> Signed-off-by: Harry Harpham <harry@tailscale.com>
We already had a featuretag for clientupdate, but the CLI wasn't using it, making the "minbox" build (minimal combined tailscaled + CLI build) larger than necessary. Updates #12614 Change-Id: Idd7546c67dece7078f25b8f2ae9886f58d599002 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…uretags Package feature/conn25 is excludeable from a build via the featuretag. Test it is excluded for minimal builds. Updates #12614 Signed-off-by: Fran Bull <fran@tailscale.com>
Updates #12614 Change-Id: I49351fe0c463af0b8d940e8088d4748906a8aec3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Use the parsed and validated advertise tags value from prefs instead of doing a strings.Split on the raw tags value as an input to the OAuth and identity federation auth key generation methods. The previous strings.Split method would return an array with a single empty string element which would pass downstream length checks on the tags argument before eventually failing with a confusing message when hitting the API. Fixes #18617 Signed-off-by: Mario Minardi <mario@tailscale.com>
If any profiles exist and an Authkey is provided via syspolicy, the AuthKey is ignored on backend start, preventing re-auth attempts. This is useful for one-time device provisioning scenarios, skipping authKey use after initial setup when the authKey may no longer be valid. updates #18618 Signed-off-by: Will Hannah <willh@tailscale.com>
Currently the expvar exporter attempts to write expvar.String, which breaks the Prometheus metric page. Updates tailscale/corp#36552 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Updates #cleanup Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Under extremely high load it appears we may have some retention issues as a result of queue depth build up, but there is currently no direct way to observe this. The scenario does not trigger the slow subscriber log message, and the event stream debugging endpoint produces a saturating volume of information. Updates tailscale/corp#36904 Signed-off-by: James Tucker <james@tailscale.com>
Updates #18629 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit adds a bool named PeerRelay to Hostinfo, to identify the host's status of acting as a peer relay. Considering the RelayServerPort number can be 0, I just made this a bool in stead of a port number. If the port info is needed in future this would also help indicating if the port was set to 0 (meaning any port in peer relay context). Updates tailscale/corp#35862 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.