-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update go1.21.6 #83
Merged
Merged
Update go1.21.6 #83
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…an, > 1 byte elements The shift amounts were wrong in this case, leading to miscompilation of load combining. Also the store combining was not triggering when it should. Fixes golang#64472 Change-Id: Iaeb08972c5fc1d6f628800334789c6af7216e87b Reviewed-on: https://go-review.googlesource.com/c/go/+/546355 Reviewed-by: David Chase <[email protected]> Reviewed-by: Mauri de Souza Meneguzzo <[email protected]> Reviewed-by: Keith Randall <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/546356
…n/max When I was plumbing min/max support through the compiler, I was thinking mostly about numeric argument types. As a result, I forgot that escape analysis would need to be aware that min/max can operate on string values, which contain pointers. Updates golang#64565. Fixes golang#64567. Change-Id: I36127ce5a2da942401910fa0f9de922726c9f94d Reviewed-on: https://go-review.googlesource.com/c/go/+/547715 Reviewed-by: Keith Randall <[email protected]> Reviewed-by: Mauri de Souza Meneguzzo <[email protected]> Auto-Submit: Matthew Dempsky <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit 34416d7) Reviewed-on: https://go-review.googlesource.com/c/go/+/547757 Reviewed-by: Cuong Manh Le <[email protected]> Reviewed-by: Keith Randall <[email protected]>
Since CL 226138, TestNohup has a bit of a strange construction: it wants to run the "uncaught" subtests in parallel with each other, and the "nohup" subtests in parallel with each other, but also needs join between "uncaught" and "nohop" so it can Stop notifying for SIGHUP. It achieves this by doing `go t.Run` with a WaitGroup rather than using `t.Parallel` in the subtest (which would make `t.Run` return immediately). However, this makes things more difficult to understand than necessary. As noted on https://pkg.go.dev/testing#hdr-Subtests_and_Sub_benchmarks, a second layer of subtest can be used to join parallel subtests. Switch to this form, which makes the test simpler to follow (particularly the cleanup that goes with "uncaught"). For golang#63799. For golang#63911. Change-Id: Ibfce0f439508a7cfca848c7ccfd136c9c453ad8b Reviewed-on: https://go-review.googlesource.com/c/go/+/538899 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Bryan Mills <[email protected]> (cherry picked from commit 5622a4b) Reviewed-on: https://go-review.googlesource.com/c/go/+/546021
The new LUCI builders have a temporary limitation that breaks nohup. Skip nohup tests there. For golang#63875. Fixes golang#63911. Cq-Include-Trybots: luci.golang.try:go1.21-darwin-amd64_13 Change-Id: Ia9ffecea7310f84a21f6138d8f8cdfc5e1392307 Reviewed-on: https://go-review.googlesource.com/c/go/+/538698 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Bryan Mills <[email protected]> (cherry picked from commit a334c45) Reviewed-on: https://go-review.googlesource.com/c/go/+/546022
profileBuilder is using Frame->Function as key for checking if we already emitted a function. However for generics functions it has dots there [...], so sometimes for different functions with different generics types, the profileBuilder emits wrong functions. For golang#64528 For golang#64609 Change-Id: I8b39245e0b18f4288ce758c912c6748f87cba39a Reviewed-on: https://go-review.googlesource.com/c/go/+/546815 Reviewed-by: Cherry Mui <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Michael Pratt <[email protected]> (cherry picked from commit 20a03fc) Reviewed-on: https://go-review.googlesource.com/c/go/+/549535 Auto-Submit: Matthew Dempsky <[email protected]>
Go 1.21.1 and Go 1.22 have ceased working around an issue with Linux kernel defaults for transparent huge pages that can result in excessive memory overheads. (https://bugzilla.kernel.org/show_bug.cgi?id=93111) Many Linux distributions disable huge pages altogether these days, so this problem isn't quite as far-reaching as it used to be. Also, the problem only affects Go programs with very particular memory usage patterns. That being said, because the runtime used to actively deal with this problem (but with some unpredictable behavior), it's preventing users that don't have a lot of control over their execution environment from upgrading to Go beyond Go 1.20. This change adds a GODEBUG to smooth over the transition. The GODEBUG setting disables transparent huge pages for all heap memory on Linux, which is much more predictable than restoring the old behavior. For golang#64332. Fixes golang#64561. Change-Id: I73b1894337f0f0b1a5a17b90da1221e118e0b145 Reviewed-on: https://go-review.googlesource.com/c/go/+/547475 Reviewed-by: Michael Pratt <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit c915215) Reviewed-on: https://go-review.googlesource.com/c/go/+/547636 Reviewed-by: Mauri de Souza Meneguzzo <[email protected]> TryBot-Bypass: Michael Knyszek <[email protected]> Auto-Submit: Matthew Dempsky <[email protected]>
…hind a double-check mode ReadMemStats has a few assertions it makes about the consistency of the stats it's about to produce. Specifically, how those stats line up with runtime-internal stats. These checks are generally useful, but crashing just because some stats are wrong is a heavy price to pay. For a long time this wasn't a problem, but very recently it became a real problem. It turns out that there's real benign skew that can happen wherein sysmon (which doesn't synchronize with a STW) generates a trace event when tracing is enabled, and may mutate some stats while ReadMemStats is running its checks. Fix this by synchronizing with both sysmon and the tracer. This is a bit heavy-handed, but better that than false positives. Also, put the checks behind a debug mode. We want to reduce the risk of backporting this change, and again, it's not great to crash just because user-facing stats are off. Still, enable this debug mode during the runtime tests so we don't lose quite as much coverage from disabling these checks by default. For golang#64401. Fixes golang#64410. Change-Id: I9adb3e5c7161d207648d07373a11da8a5f0fda9a Reviewed-on: https://go-review.googlesource.com/c/go/+/545277 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Michael Pratt <[email protected]> Reviewed-by: Felix Geisendörfer <[email protected]> (cherry picked from commit b2efd1d) Reviewed-on: https://go-review.googlesource.com/c/go/+/545557 Auto-Submit: Matthew Dempsky <[email protected]> TryBot-Bypass: Matthew Dempsky <[email protected]>
Make sure to alloc+copy large keys and values instead of aliasing them, when they might be updated by a future assignment. Fixes golang#64475 Change-Id: Ie2226a81cf3897e4e2ee24472f2966d397ace53f Reviewed-on: https://go-review.googlesource.com/c/go/+/546515 Reviewed-by: Cherry Mui <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Keith Randall <[email protected]> Reviewed-by: Mauri de Souza Meneguzzo <[email protected]> (cherry picked from commit 16d3040) Reviewed-on: https://go-review.googlesource.com/c/go/+/547375 TryBot-Bypass: Matthew Dempsky <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> Auto-Submit: Matthew Dempsky <[email protected]>
Also use CompareAndSwap to make the code actually less racy. Added a test which will be meaningful when run under the race detector (tested it -race with broken fix in runtime, it failed). This backport incorporates the correction in CL 551856, using racereleasemerge instead of racerelease. Fixes golang#64757 Change-Id: I5972e08901d1adc8ba74858edad7eba91be1b0ce Reviewed-on: https://go-review.googlesource.com/c/go/+/549796 Run-TryBot: David Chase <[email protected]> Reviewed-by: Mauri de Souza Meneguzzo <[email protected]> Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]> (cherry picked from commit 3313bbb) Reviewed-on: https://go-review.googlesource.com/c/go/+/550236 Auto-Submit: Matthew Dempsky <[email protected]> TryBot-Bypass: Matthew Dempsky <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
…s-20220613 Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates golang#64717 Updates golang#62372 Updates golang#64719 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:go1.21-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/553855 Auto-Submit: Matthew Dempsky <[email protected]> TryBot-Result: Gopher Robot <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Run-TryBot: Matthew Dempsky <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
…SL policy This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Updates golang#64717 Updates golang#62372 Fixes golang#64719 Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091 Reviewed-on: https://go-review.googlesource.com/c/go/+/549975 Reviewed-by: Roland Shoemaker <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/553856 Auto-Submit: Matthew Dempsky <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
Change-Id: I85e48d54e6938b3882a0bb8f2de75fee6ecb2668 Reviewed-on: https://go-review.googlesource.com/c/go/+/554839 Commit-Queue: Gopher Robot <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> Auto-Submit: Gopher Robot <[email protected]> TryBot-Bypass: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
* tag 'go1.21.6': [release-branch.go1.21] go1.21.6 [release-branch.go1.21] crypto/tls: align FIPS-only mode with BoringSSL policy [release-branch.go1.21] crypto/internal/boring: upgrade module to fips-20220613 [release-branch.go1.21] runtime: add race annotations in IncNonDefault [release-branch.go1.21] maps: fix aliasing problems with Clone [release-branch.go1.21] runtime: put ReadMemStats debug assertions behind a double-check mode [release-branch.go1.21] runtime: add the disablethp GODEBUG setting [release-branch.go1.21] runtime/pprof: fix generics function names [release-branch.go1.21] os/signal: skip nohup tests on darwin builders [release-branch.go1.21] os/signal: remove go t.Run from TestNohup [release-branch.go1.21] cmd/compile: fix escape analysis of string min/max [release-branch.go1.21] cmd/compile: fix memcombine pass for big endian, > 1 byte elements
DentonGentry
approved these changes
Jan 20, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reportedly, attempting to merge from GitHub tends to go sideways in this repository. Brad seeks PR review but then uses git push origin tailscale.go1.21
from the shell.
awly
approved these changes
Jan 20, 2024
raggi
added a commit
to tailscale/tailscale
that referenced
this pull request
Jan 20, 2024
Updates tailscale/go#83 Signed-off-by: James Tucker <[email protected]>
raggi
added a commit
to tailscale/tailscale
that referenced
this pull request
Jan 20, 2024
Updates tailscale/go#83 Signed-off-by: James Tucker <[email protected]>
Asutorufa
added a commit
to Asutorufa/tailscale
that referenced
this pull request
Mar 13, 2024
* cmd/k8s-operator/deploy: allow modifying operator tags via Helm values Updates tailscale/tailscale#10659 Signed-off-by: Chandon Pierre <[email protected]> * util/nocasemaps: add AppendSliceElem method to nocasemaps (#10871) Updates #7667 Signed-off-by: Anishka Singh <[email protected]> * wgengine/netstack: expose gVisor metrics through expvar When tailscaled is run with "-debug 127.0.0.1:12345", these metrics are available at: http://localhost:12345/debug/metrics Updates #8210 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I19db6c445ac1f8344df2bc1066a3d9c9030606f8 * go.mod: bump most deps for start of cycle Plan9 CI is disabled. 3p dependencies do not build for the target. Contributor enthusiasm appears to have ceased again, and no usage has been made. Skipped gvisor, nfpm, and k8s. Updates #5794 Updates #8043 Signed-off-by: James Tucker <[email protected]> * go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <[email protected]> * VERSION.txt: this is v1.59.0 (#10884) * VERSION.txt: this is v1.58.0 Signed-off-by: kari-ts <[email protected]> * VERSION.txt: this is v1.59.0 --------- Signed-off-by: kari-ts <[email protected]> * magicsock: mute noisy expected peer mtu related error (#10870) * tsweb: add a helper to validate redirect URLs We issue redirects in a few different places, it's time to have a common helper to do target validation. Updates tailscale/corp#16875 Signed-off-by: David Anderson <[email protected]> * tool/gocross: force use of our custom toolchain The new 'toolchain' directive in go.mod can sometimes force the use of an upstream toolchain against our wishes. Concurrently, some of our dependencies have added the 'toolchain' directive, which transitively adds it to our own go.mod. Force all uses of gocross to ignore that directive and stick to our customized toolchain. Updates #cleanup Signed-off-by: David Anderson <[email protected]> * go.mod,wgengine/netstack: bump gvisor Updates #8043 Signed-off-by: James Tucker <[email protected]> * go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <[email protected]> * go.toolchain.rev: bump Tailscale Go version to 1.21.6 Updates tailscale/go#83 Signed-off-by: James Tucker <[email protected]> * net/portmapper: handle cases where we have no supported clients This no longer results in a nil pointer exception when we get a valid UPnP response with no supported clients. Updates #10911 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I6e3715a49a193ff5261013871ad7fff197a4d77e * cmd/k8s-operator: don't proceed with Ingress that has no valid backends (#10919) Do not provision resources for a tailscale Ingress that has no valid backends. Updates tailscale/tailscale#10910 Signed-off-by: Irbe Krumina <[email protected]> * appc,ipn/ipnlocal: optimize preference adjustments when routes update This change allows us to perform batch modification for new route advertisements and route removals. Additionally, we now handle the case where newly added routes are covered by existing ranges. This change also introduces a new appctest package that contains some shared functions used for testing. Updates tailscale/corp#16833 Signed-off-by: Charlotte Brandhorst-Satzkorn <[email protected]> * appc: add test to ensure that individual IPs are not removed during route updates If control advised the connector to advertise a route that had already been discovered by DNS it would be incorrectly removed. Now those routes are preserved. Updates tailscale/corp#16833 Signed-off-by: James Tucker <[email protected]> * wgengine/magicsock: implement probing of UDP path lifetime (#10844) This commit implements probing of UDP path lifetime on the tail end of an active direct connection. Probing configuration has two parts - Cliffs, which are various timeout cliffs of interest, and CycleCanStartEvery, which limits how often a probing cycle can start, per-endpoint. Initially a statically defined default configuration will be used. The default configuration has cliffs of 10s, 30s, and 60s, with a CycleCanStartEvery of 24h. Probing results are communicated via clientmetric counters. Probing is off by default, and can be enabled via control knob. Probing is purely informational and does not yet drive any magicsock behaviors. Updates #540 Signed-off-by: Jordan Whited <[email protected]> * ipn/ipnlocal: fix proxy path that matches mount point (#10864) Don't append a trailing slash to a request path to the reverse proxy that matches the mount point exactly. Updates tailscale/tailscale#10730 Signed-off-by: Irbe Krumina <[email protected]> * ipn/ipnlocal: fix failing test (#10937) Updates#cleanup Signed-off-by: Irbe Krumina <[email protected]> * net/portmapper: support legacy "urn:dslforum-org" portmapping services These are functionally the same as the "urn:schemas-upnp-org" services with a few minor changes, and are still used by older devices. Support them to improve our ability to obtain an external IP on such networks. Updates #10911 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I05501fad9d6f0a3b8cf19fc95eee80e7d16cc2cf * util/expvarx: add a time and concurrency limiting expvar.Func wrapper expvarx.SafeFunc wraps an expvar.Func with a time limit. On reaching the time limit, calls to Value return nil, and no new concurrent calls to the underlying expvar.Func will be started until the call completes. Updates tailscale/corp#16999 Signed-off-by: James Tucker <[email protected]> * cmd/tailscale/cli: run Watch with NotifyNoPrivateKeys (#10950) When running as non-root non-operator user, you get this error: ``` $ tailscale serve 8080 Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root. ``` It should fail, but the error message is confusing. With this fix: ``` $ tailscale serve 8080 sending serve config: Access denied: serve config denied Use 'sudo tailscale serve 8080' or 'tailscale up --operator=$USER' to not require root. ``` Updates #cleanup Signed-off-by: Andrew Lytvynov <[email protected]> * words: i like the direction this list is taking Updates tailscale/corp#14698 Signed-off-by: Charlotte Brandhorst-Satzkorn <[email protected]> * cmd/gitops-pusher: fix logic for checking credentials gitops-pusher supports authenticating with an API key or OAuth credentials (added in #7393). You shouldn't ever use both of those together, so we error if both are set. In tailscale/gitops-acl-action#24, OAuth support is being added to the GitHub action. In that environment, both the TS_API_KEY and OAuth variables will be set, even if they are empty values. This causes an error in gitops-pusher which expects only one to be set. Update gitops-pusher to check that only one set of environment variables are non-empty, rather than just checking if they are set. Updates #7393 Signed-off-by: Will Norris <[email protected]> * cmd/hello: avoid deprecated apis (#10957) Updates #cleanup Signed-off-by: Chris Palmer <[email protected]> * ipnlocal: log failure to get ssh host keys When reporting ssh host keys to control, log a warning if we're unable to get the SSH host keys. Updates tailscale/escalations#21 Signed-off-by: Percy Wegmann <[email protected]> * ipn/ipnlocal: fix pretty printing of multi-record peer DNS results The API on the DNS record parser is slightly subtle and requires explicit handling of unhandled records. Failure to advance previously resulted in an infinite loop in the pretty responder for any reply that contains a record other than A/AAAA/TXT. Updates tailscale/corp#16928 Signed-off-by: James Tucker <[email protected]> * util/deephash: implement SelfHasher to allow types to hash themselves Updates: corp#16409 Signed-off-by: Tom DNetto <[email protected]> * appc,ipn/ipnlocal: add app connector routes if any part of a CNAME chain is routed If any domain along a CNAME chain matches any of the routed domains, add routes for the discovered domains. Fixes tailscale/corp#16928 Signed-off-by: James Tucker <[email protected]> * ipn/ipnlocal: fix app connector route advertisements on exit nodes If an app connector is also configured as an exit node, it should still advertise discovered routes that are not covered by advertised routes, excluding the exit node routes. Updates tailscale/corp#16928 Signed-off-by: James Tucker <[email protected]> * util/deephash: document pathological deephash behavior (#11010) Updates #cleanup Signed-off-by: Joe Tsai <[email protected]> * util/deephash: tighten up SelfHasher API (#11012) Providing a hash.Block512 is an implementation detail of how deephash works today, but providing an opaque type with mostly equivalent API (i.e., HashUint8, HashBytes, etc. methods) is still sensible. Thus, define a public Hasher type that exposes exactly the API that an implementation of SelfHasher would want to call. This gives us freedom to change the hashing algorithm of deephash at some point in the future. Also, this type is likely going to be called by types that are going to memoize their own hash results, we additionally add a HashSum method to simplify this use case. Add documentation to SelfHasher on how a type might implement it. Updates: corp#16409 Signed-off-by: Joe Tsai <[email protected]> * cmd/hello: link to the Hello KB article (#11022) Fixes https://github.com/tailscale/corp/issues/17104 Signed-off-by: Chris Palmer <[email protected]> * ipn/localapi: more http status cleanup (#10995) Use Http.StatusOk instead of 200 Updates #cleanup * types/views: add SliceMapKey[T] views.Slice are meant to be immutable, and if used as such it is at times desirable to use them as a key in a map. For non-viewed slices it was kinda doable by creating a custom key struct but views.Slice didn't allow for the same so add a method to create that struct here. Updates tailscale/corp#17122 Signed-off-by: Maisem Ali <[email protected]> * tsweb: implementing bucketed statistics for started/finished counts Signed-off-by: Tom DNetto <[email protected]> Updates: corp#17075 * tsweb: replace domains/emails in paths when bucketing stats Signed-off-by: Tom DNetto <[email protected]> Updates: corp#17075 * go.toolchain.rev: bump to Go 1.22.0 (#11055) Updates #cleanup Signed-off-by: Andrew Lytvynov <[email protected]> * appc: optimize dns response observation for large route tables Advertise DNS discovered addresses as a single preference update rather than one at a time. Sort the list of observed addresses and use binary search to consult the list. Updates tailscale/corp#16636 Signed-off-by: James Tucker <[email protected]> * .github/workflows: add privileged tests workflow We had missed regressions from privileged tests not running, now they can run. Updates #cleanup Signed-off-by: James Tucker <[email protected]> * words: add a list of things you should yahoo! Updates #self Signed-off-by: James Tucker <[email protected]> * tsweb: normalize common StableID's in bucketed stats, export as LabelMap Signed-off-by: Tom DNetto <[email protected]> Updates: corp#17075 * tsweb: normalize passkey identities in bucketed stats Signed-off-by: Tom DNetto <[email protected]> Updates: corp#17075 * go.mod, README.md: use Go 1.22 Updates #11058 Change-Id: I95eecdc7afe2b5f8189016fdb8a773f78e9f5c42 Signed-off-by: Brad Fitzpatrick <[email protected]> * .github/workflows: update golangci-lint for Go 1.22 Updates #11058 Change-Id: I3785c1f1bea4a4663e7e5fb6d209d3caedae436d Signed-off-by: Brad Fitzpatrick <[email protected]> * Dockerfile: use Go 1.22 Updates #11058 Change-Id: I0f63be498be33d71bd90b7956f9fe9666fd7a696 Signed-off-by: Brad Fitzpatrick <[email protected]> * util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <[email protected]> * .github/workflows: temporarily disable broken oss-fuzz action Updates #11064 Updates #11058 Change-Id: I63acc13dece3379a0b2df573afecfd245b7cd6c2 Signed-off-by: Brad Fitzpatrick <[email protected]> * go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <[email protected]> * cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (#11036) * cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy. If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s). In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true and the node is Kubernetes operator ingress proxy configured via Ingress, make sure that traffic from within the cluster can be proxied to the ingress target. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <[email protected]> * licenses: update tailscale{,d} licenses Signed-off-by: License Updater <[email protected]> * licenses: update android licenses Signed-off-by: License Updater <[email protected]> * licenses: update win/apple licenses Signed-off-by: License Updater <[email protected]> * client/web: add new readonly mode The new read-only mode is only accessible when running `tailscale web` by passing a new `-readonly` flag. This new mode is identical to the existing login mode with two exceptions: - the management client in tailscaled is not started (though if it is already running, it is left alone) - the client does not prompt the user to login or switch to the management client. Instead, a message is shown instructing the user to use other means to manage the device. Updates #10979 Signed-off-by: Will Norris <[email protected]> * client/web: use smart quotes in web UI frontend add the curly-quotes eslint plugin (same that we use for the admin panel), and fix existing straight quotes in the current web UI. Updates #cleanup Signed-off-by: Will Norris <[email protected]> * go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <[email protected]> * cmd/dist: update logs for synology builds Update logs for synology builds to more clearly callout which variant is being built. The two existing variants are: 1. Sideloaded (can be manual installed on a device by anyone) 2. Package center distribution (by the tailscale team) Updates #cleanup Signed-off-by: Sonia Appasamy <[email protected]> * ipnlocal: force-regen new authURL when it is too old (#10971) Fixes tailscale/support-escalations#23. authURLs returned by control expire after 1 hour from creation. Customer reported that the Tailscale client on macOS would sending users to a stale authentication page when clicking on the `Login...` menu item. This can happen when clicking on Login after leaving the device unattended for several days. The device key expires, leading to the creation of a new authURL, however the client doesn't keep track of when the authURL was created. Meaning that `login-interactive` would send the user to an authURL that had expired server-side a long time before. This PR ensures that whenever `login-interactive` is called via LocalAPI, an authURL that is too old won't be used. We force control to give us a new authURL whenever it's been more than 30 minutes since the last authURL was sent down from control. Apply suggestions from code review Set interval to 6 days and 23 hours Signed-off-by: Andrea Gottardo <[email protected]> Signed-off-by: Andrea Gottardo <[email protected]> * cmd/tailscale/cli: fix exit node status output (#11076) This change fixes the format of tailscale status output when location based exit nodes are present. Fixes #11065 Signed-off-by: Charlotte Brandhorst-Satzkorn <[email protected]> * util/deephash: cleanup TODO in TestHash (#11080) Updates #cleanup Signed-off-by: Joe Tsai <[email protected]> * all: use reflect.TypeFor now available in Go 1.22 (#11078) Updates #cleanup Signed-off-by: Joe Tsai <[email protected]> * all: use new AppendEncode methods available in Go 1.22 (#11079) Updates #cleanup Signed-off-by: Joe Tsai <[email protected]> * tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * cmd/gitops-pusher: only use OAuth creds if non-empty string `os.LookupEnv` may return true if the variable is present in the environment but an empty string. We should only attempt to set OAuth Config if thsoe values are non-empty. Updates gitops-acl-action#33 Signed-off-by: Jenny Zhang <[email protected]> * tsweb: update ServeMux matching to 1.22.0 syntax (#11087) Updates #cleanup Go 1.22.0 introduced the ability to use more expressive routing patterns that include HTTP method when constructing ServeMux entries. Applications that attempted to use these patterns in combination with the old `tsweb.Debugger` would experience a panic as Go would not permit the use of matching rules with mixed level of specificity. Signed-off-by: Patrick O'Doherty <[email protected]> * Revert "tsweb: update ServeMux matching to 1.22.0 syntax (#11087)" (#11089) This reverts commit 291f91d164f1ec60ca77c0cb935a7895ac4cc555. Updates #cleanup This PR needs additional changes to the registration of child handlers under /debug Signed-off-by: Patrick O'Doherty <[email protected]> * fix toolchain not available error (#11083) Relates to golang/go#62278 Updates #11058 Signed-off-by: keisku <[email protected]> * .github: fuzzing is now unbroken Updates #cleanup Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I10dca601c79411b412180a46b3f82136e40544b0 * client/web: only check policy caps for tagged nodes For user-owned nodes, only the owner is ever allowed to manage the node. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <[email protected]> * util/rands: add Shuffle and Perm functions with on-stack RNG state The new math/rand/v2 package includes an m-local global random number generator that can not be reseeded by the user, which is suitable for most uses without the RNG pools we have in a number of areas of the code base. The new API still does not have an allocation-free way of performing a seeded operations, due to the long term compiler bug around interface parameter escapes, and the Source interface. This change introduces the two APIs that math/rand/v2 can not yet replace efficiently: seeded Perm() and Shuffle() operations. This implementation chooses to use the PCG random source from math/rand/v2, as with sufficient compiler optimization, this source should boil down to only two on-stack registers for random state under ideal conditions. Updates #17243 Signed-off-by: James Tucker <[email protected]> * build(deps-dev): bump vite from 4.4.9 to 4.5.2 in /client/web Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 4.4.9 to 4.5.2. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v4.5.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v4.5.2/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> * tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * tailfs: disable TailFSForLocal via policy Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * tailfs: fix startup issues on windows Starts TailFS for Windows too, initializes shares on startup. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * tailscaled: revert to using pointers for subcommands As part of #10631, we stopped using function pointers for subcommands, preventing us from registering platform-specific installSystemDaemon and uninstallSystemDaemon subcommands. Fixes #11099 Signed-off-by: Percy Wegmann <[email protected]> * util/cloudenv: add support for DigitalOcean Updates #4984 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ib229eb40af36a80e6b0fd1dd0cabb07f0d50a7d1 * tailcfg: remove UserProfile.Groups Removing as per go/group-all-the-things. Updates tailscale/corp#17445 Signed-off-by: Maisem Ali <[email protected]> * flake.nix: build tailscale with go 1.22 Updates #cleanup Signed-off-by: David Anderson <[email protected]> * cmd/tailscale: hide share subcommand Fixes #1115 Signed-off-by: Percy Wegmann <[email protected]> * tailfs: listen for local clients only on 100.100.100.100 FileSystemForLocal was listening on the node's Tailscale address, which potentially exposes the user's view of TailFS shares to other Tailnet users. Remote nodes should connect to exported shares via the peerapi. This removes that code so that FileSystemForLocal is only avaialable on 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * types/views: add test that LenIter doesn't allocate For a second we thought this was allocating but we were looking at a CPU profile (which showed calls to mallocgc view makeslice) instead of the alloc profile. Updates golang/go#65685 (which if fixed wouldn't have confused us) Change-Id: Ic0132310d52d8a65758a516142525339aa23b1ed Signed-off-by: Brad Fitzpatrick <[email protected]> * cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074) * cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <[email protected]> * tsweb: update ServeMux matching to 1.22.0 syntax (#11090) * tsweb: update ServeMux matching to 1.22.0 syntax Updates #cleanup Go 1.22.0 introduced the ability to use more expressive routing patterns that include HTTP method when constructing ServeMux entries. Applications that attempted to use these patterns in combination with the old `tsweb.Debugger` would experience a panic as Go would not permit the use of matching rules with mixed level of specificity. We now specify the method for each `/debug` handler to prevent incompatibilities. Signed-off-by: Patrick O'Doherty <[email protected]> * wgengine/router: make the Windows ifconfig implementation reuse existing MibIPforwardRow2 when possible Looking at profiles, we spend a lot of time in winipcfg.LUID.DeleteRoute looking up the routing table entry for the provided RouteData. But we already have the row! We previously obtained that data via the full table dump we did in getInterfaceRoutes. We can make this a lot faster by hanging onto a reference to the wipipcfg.MibIPforwardRow2 and executing the delete operation directly on that. Fixes #11123 Signed-off-by: Aaron Klotz <[email protected]> * Revert "tsweb: update ServeMux matching to 1.22.0 syntax (#11090)" (#11125) This reverts commit 30c9189ed307df6f2c1567aa7945bde77bb54c52. Signed-off-by: Patrick O'Doherty <[email protected]> * scripts/installer.sh: add tuxedoOS to the Ubuntu copies Signed-off-by: Nathan Woodburn <[email protected]> * net/dns: log more info when openresolv commands fail Updates #11129 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ic594868ba3bc31f6d3b0721ecba4090749a81f7f * go.mod, all: move away from inet.af domain seized by Taliban Updates inetaf/tcpproxy#39 Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf Signed-off-by: Brad Fitzpatrick <[email protected]> * go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <[email protected]> * util/topk: add package containing a probabilistic top-K tracker This package uses a count-min sketch and a heap to track the top K items in a stream of data. Tracking a new item and adding a count to an existing item both require no memory allocations and is at worst O(log(k)) complexity. Change-Id: I0553381be3fef2470897e2bd806d43396f2dbb36 Signed-off-by: Andrew Dunham <[email protected]> * clientupdate: disable auto update on NixOS (#11136) Updates #cleanup NixOS packages are immutable and attempts to update via our tarball mechanism will always fail as a result. Instead we now direct users to update their nix channel or nixpkgs flake input to receive the latest Tailscale release. Signed-off-by: Patrick O'Doherty <[email protected]> * doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check Updates #11137 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Idbe862d80e428adb044249c47d9096b87f29d5d8 * wgengine/router: fix ip rule restoration Fixes #10857 Signed-off-by: Jason Barnett <[email protected]> * VERSION.txt: this is v1.61.0 Signed-off-by: Percy Wegmann <[email protected]> * ipn/ipnlocal: fix doctor API endpoint (#11155) Small fix to make sure doctor API endpoint returns correctly - I spotted it when checking my tailscaled node and noticed it was handled slightly different compare to the rest Signed-off-by: San <[email protected]> * cmd/tailscale: make web client URL clickable Updates #11151 Signed-off-by: Will Norris <[email protected]> * cmd/tailscale: support clickable IPv6 web client addresses Instead of constructing the `ip:port` string ourselves, use netip.AddrPortFrom which handles IPv6 correctly. Updates #11164 Signed-off-by: Will Norris <[email protected]> * tool/gocross: pass flags for visionOS and visionOS Simulator (#11127) Adds logic in gocross to detect environment variables and pass the right flags so that the backend can be built with the visionOS SDK. Signed-off-by: Andrea Gottardo <[email protected]> Signed-off-by: Andrea Gottardo <[email protected]> * net/dns: fix infinite loop when run on Amazon Linux 2023 This fixes an infinite loop caused by the configuration of systemd-resolved on Amazon Linux 2023 and how that interacts with Tailscale's "direct" mode. We now drop the Tailscale service IP from the OS's "base configuration" when we detect this configuration. Updates #7816 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I73a4ea8e65571eb368c7e179f36af2c049a588ee * logpolicy: allow longer idle log upload connections From a packet trace we have seen log connections being closed prematurely by the client, resulting in unnecessary extra TLS setup traffic. Updates #3363 Updates tailscale/corp#9230 Updates tailscale/corp#8564 Signed-off-by: James Tucker <[email protected]> * ipn/ipnlocal: remove ancient transition mechanism for https certs And confusing error message that duplicated the valid cert domains. Fixes tailscale/corp#15876 Change-Id: I098bc45d83c8d1e0a233dcdf3188869cce66e128 Signed-off-by: Brad Fitzpatrick <[email protected]> * prober: add TLS probe constructor to split dial addr from cert name So we can probe load balancers by their unique DNS name but without asking for that cert name. Updates tailscale/corp#13050 Change-Id: Ie4c0a2f951328df64281ed1602b4e624e3c8cf2e Signed-off-by: Brad Fitzpatrick <[email protected]> * net/ktimeout: add a package to set TCP user timeout Setting a user timeout will be a more practical tuning knob for a number of endpoints, this provides a way to set it. Updates tailscale/corp#17587 Signed-off-by: James Tucker <[email protected]> * util/syspolicy: add ManagedBy keys for Windows (#11183) * cmd/testwrapper: apply results of all unit tests to coverage for all packages This allows coverage from tests that hit multiple packages at once to be reflected in all those packages' coverage. Updates #cleanup Signed-off-by: Percy Wegmann <[email protected]> * cmd/tailscale/cli: pass "-o 'CanonicalizeHostname no'" to ssh Fixes #10348 Signed-off-by: Paul Scott <[email protected]> * derp: plumb context to Server.verifyClient Updates tailscale/corp#17693 Change-Id: If17e02c77d5ad86b820e639176da2d3e61296bae Signed-off-by: Brad Fitzpatrick <[email protected]> * cmd/derper, derp, tailcfg: add admission controller URL option So derpers can check an external URL for whether to permit access to a certain public key. Updates tailscale/corp#17693 Change-Id: I8594de58f54a08be3e2dbef8bcd1ff9b728ab297 Co-authored-by: Maisem Ali <[email protected]> Signed-off-by: Brad Fitzpatrick <[email protected]> * util/syspolicy: add 'ResetToDefaults' (#11194) Updates ENG-2133. Adds the ResetToDefaults visibility policy currently only available on macOS, so that the Windows client can read its value. Signed-off-by: Andrea Gottardo <[email protected]> * cmd/derper: add user timeout and reduce TCP keepalive The derper sends an in-protocol keepalive every 60-65s, so frequent TCP keepalives are unnecessary. In this tuning TCP keepalives should never occur for a DERP client connection, as they will send an L7 keepalive often enough to always reset the TCP keepalive timer. If however a connection does not receive an ACK promptly it will now be shutdown, which happens sooner than it would with a normal TCP keepalive tuning. This re-tuning reduces the frequency of network traffic from derp to client, reducing battery cost. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <[email protected]> * client/web: update vite-plugin-svgr to latest version (#11197) Update vite-plugin-svgr to the latest version (4.2.0) ahead of updating vite to 5.x. This is a major version bump from our previous 3.x, and requires changing the import paths used for SVGs. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <[email protected]> * client/web: update plugin-react-swc to latest version (#11199) Update plugin-react-swc to the latest version (3.6.0) ahead of updating vite to 5.x. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <[email protected]> * net/tshttpproxy: log when we're using a proxy Updates #11196 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088 * wgengine/wglog: quieten WireGuard logs for allowedips An increasing number of users have very large subnet route configurations, which can produce very large amounts of log data when WireGuard is reconfigured. The logs don't contain the actual routes, so they're largely useless for diagnostics, so we'll just suppress them. Fixes tailscale/corp#17532 Signed-off-by: James Tucker <[email protected]> * cmd/tailscale: add node attribute instructions to share command help This adds details on how to configure node attributes to allow sharing and accessing shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * client/web: update vite and vitest to latest versions (#11200) Update vite to 5.1.4, and vitest to 1.3.1 (their latest versions). Also remove vite-plugin-rewrite-all as this is no longer necessary with vite 5.x and has a dependency on vite 4.x. Updates https://github.com/tailscale/corp/issues/17715 Signed-off-by: Mario Minardi <[email protected]> * cli/debug: rename DERP debug mode (#11220) Renames a debug flag in the CLI. Signed-off-by: Andrea Gottardo <[email protected]> * net/interfaces: reduce & cleanup logs on iOS We don't need a log line every time defaultRoute is read in the good case, and we now only log default interface updates that are actually changes. Updates #3363 Signed-off-by: James Tucker <[email protected]> * .github/workflows: fix typo in XDG_CACHE_HOME This appears to be one of the contributors to this CI target regularly entering a bad state with a partially written toolchain. Updates #self Signed-off-by: James Tucker <[email protected]> * cmd/derper: apply TCP keepalive and timeout to TLS as well I missed a case in the earlier patch, and so we're still sending 15s TCP keepalive for TLS connections, now adjusted there too. Updates tailscale/corp#17587 Updates #3363 Signed-off-by: James Tucker <[email protected]> * net/dns: timeout DOH requests after 10s without response headers If a client socket is remotely lost but the client is not sent an RST in response to the next request, the socket might sit in RTO for extended lengths of time, resulting in "no internet" for users. Instead, timeout after 10s, which will close the underlying socket, recovering from the situation more promptly. Updates #10967 Signed-off-by: James Tucker <[email protected]> * wgengine/wgcfg: don't send UAPI to disable keep-alives on new peers That's already the default. Avoid the overhead of writing it on one side and reading it on the other to do nothing. Updates #cleanup (noticed while researching something else) Change-Id: I449c88a022271afb9be5da876bfaf438fe5d3f58 Signed-off-by: Brad Fitzpatrick <[email protected]> * wgengine/wglog: add TS_DEBUG_RAW_WGLOG envknob for raw wg logs Updates #7617 (part of debugging it) Change-Id: I1bcbdcf0f929e3bcf83f244b1033fd438aa6dac1 Signed-off-by: Brad Fitzpatrick <[email protected]> * net/dns/publicdns: add Mullvad family DNS to the list of known DoH servers Adds the new Mullvad family DNS server to the known DNS over HTTPS server list. Signed-off-by: mrrfv <[email protected]> * all: remove LenIter, use Go 1.22 range-over-int instead Updates #11058 Updates golang/go#65685 Change-Id: Ibb216b346e511d486271ab3d84e4546c521e4e22 Signed-off-by: Brad Fitzpatrick <[email protected]> * tailfs: replace webdavfs with reverse proxies Instead of modeling remote WebDAV servers as actual webdav.FS instances, we now just proxy traffic to them. This not only simplifies the code, but it also allows WebDAV locking to work correctly by making sure locks are handled by the servers that need to (i.e. the ones actually serving the files). Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * wgengine/netstack: expose TCP forwarder drops via clientmetrics - add a clientmetric with a counter of TCP forwarder drops due to the max attempts; - fix varz metric types, as they are all counters. Updates #8210 Signed-off-by: Anton Tolchanov <[email protected]> * client/web: restrict serveAPI endpoints to peer capabilities This change adds a new apiHandler struct for use from serveAPI to aid with restricting endpoints to specific peer capabilities. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <[email protected]> * client/web: use grants on web UI frontend Starts using peer capabilities to restrict the management client on a per-view basis. This change also includes a bulky cleanup of the login-toggle.tsx file, which was getting pretty unwieldy in its previous form. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <[email protected]> * go.mod: update web-client-prebuilt module Signed-off-by: OSS Updater <[email protected]> * net/dns: do not wait for the interface registry key to appear if the windowsManager is being closed The WinTun adapter may have been removed by the time we're closing the dns.windowsManager, and its associated interface registry key might also have been deleted. We shouldn't use winutil.OpenKeyWait and wait for the interface key to appear when performing a cleanup as a part of the windowsManager shutdown. Updates #11222 Signed-off-by: Nick Khyl <[email protected]> * cmd/tailscaled, ipn/ipnlocal, wgengine: shutdown tailscaled if wgdevice is closed Tailscaled becomes inoperative if the Tailscale Tunnel wintun adapter is abruptly removed. wireguard-go closes the device in case of a read error, but tailscaled keeps running. This adds detection of a closed WireGuard device, triggering a graceful shutdown of tailscaled. It is then restarted by the tailscaled watchdog service process. Fixes #11222 Signed-off-by: Nick Khyl <[email protected]> * health: warn about reverse path filtering and exit nodes When reverse path filtering is in strict mode on Linux, using an exit node blocks all network connectivity. This change adds a warning about this to `tailscale status` and the logs. Example in `tailscale status`: ``` - not connected to home DERP region 22 - The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Example in the logs: ``` 2024/02/21 21:17:07 health("overall"): error: multiple errors: not in map poll The following issues on your machine will likely make usage of exit nodes impossible: [interface "eth0" has strict reverse-path filtering enabled], please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 ``` Updates #3310 Signed-off-by: Anton Tolchanov <[email protected]> * types/key: remove copy returning array by value It's unnecessary. Returning an array value is already a copy. Updates #cleanup Signed-off-by: Brad Fitzpatrick <[email protected]> Change-Id: If7f350b61003ea08f16a531b7b4e8ae483617939 * wgengine: reduce critical section No need to hold wgLock while using the device to LookupPeer; that has its own mutex already. Updates #cleanup Signed-off-by: Brad Fitzpatrick <[email protected]> Change-Id: Ib56049fcc7163cf5a2c2e7e12916f07b4f9d67cb * wgengine: make pendOpen time later, after dup check Otherwise on OS retransmits, we'd make redundant timers in Go's timer heap that upon firing just do nothing (well, grab a mutex and check a map and see that there's nothing to do). Updates #cleanup Change-Id: Id30b8b2d629cf9c7f8133a3f7eca5dc79e81facb Signed-off-by: Brad Fitzpatrick <[email protected]> * ipn/ipnstate, wgengine/wgint: add handshake attempts accessors Not yet used. This is being made available so magicsock/wgengine can use it to ignore certain sends (UDP + DERP) later on at least mobile, letting wireguard-go think it's doing its full attempt schedule, but we can cut it short conditionally based on what we know from the control plane. Updates #7617 Signed-off-by: Brad Fitzpatrick <[email protected]> Change-Id: Ia367cf6bd87b2aeedd3c6f4989528acdb6773ca7 * scripts/installer.sh: auto-start tailscale on Alpine (#11214) On Alpine, we add the tailscale service but fail to call start. This means that tailscale does not start up until the user reboots the machine. Fixes #11161 Signed-off-by: Keli Velazquez <[email protected]> * tailfs: fix race condition in tailfs_test Ues a noop authenticator to avoid potential races in gowebdav's built-in authenticator. Fixes #11259 Signed-off-by: Percy Wegmann <[email protected]> * cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (#11246) Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale/tailscale#11023 Signed-off-by: Irbe Krumina <[email protected]> * cmd/k8s-operator: configure all proxies with declarative config (#11238) Containerboot container created for operator's ingress and egress proxies are now always configured by passing a configfile to tailscaled (tailscaled --config <configfile-path>. It does not run 'tailscale set' or 'tailscale up'. Upgrading existing setups to this version as well as downgrading existing setups at this version works. Updates tailscale/tailscale#10869 Signed-off-by: Irbe Krumina <[email protected]> * cmd/k8s-operator: reconcile tailscale Ingresses when their backend Services change. (#11255) This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator. Updates tailscale/tailscale#11251 Signed-off-by: Irbe Krumina <[email protected]> Co-authored-by: Anton Tolchanov <[email protected]> * tailcfg: add latitude, longitude for node location (#11162) Updates tailscale/corp#17590 Signed-off-by: Claire Wang <[email protected]> * wgengine/netstack: add a per-client limit for in-flight TCP forwards This is a fun one. Right now, when a client is connecting through a subnet router, here's roughly what happens: 1. The client initiates a connection to an IP address behind a subnet router, and sends a TCP SYN 2. The subnet router gets the SYN packet from netstack, and after running through acceptTCP, starts DialContext-ing the destination IP, without accepting the connection¹ 3. The client retransmits the SYN packet a few times while the dial is in progress, until either... 4. The subnet router successfully establishes a connection to the destination IP and sends the SYN-ACK back to the client, or... 5. The subnet router times out and sends a RST to the client. 6. If the connection was successful, the client ACKs the SYN-ACK it received, and traffic starts flowing As a result, the notification code in forwardTCP never notices when a new connection attempt is aborted, and it will wait until either the connection is established, or until the OS-level connection timeout is reached and it aborts. To mitigate this, add a per-client limit on how many in-flight TCP forwarding connections can be in-progress; after this, clients will see a similar behaviour to the global limit, where new connection attempts are aborted instead of waiting. This prevents a single misbehaving client from blocking all other clients of a subnet router by ensuring that it doesn't starve the global limiter. Also, bump the global limit again to a higher value. ¹ We can't accept the connection before establishing a connection to the remote server since otherwise we'd be opening the connection and then immediately closing it, which breaks a bunch of stuff; see #5503 for more details. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I76e7008ddd497303d75d473f534e32309c8a5144 * client/web: update to typescript 5.3.3 (#11267) Update typescript to 5.3.3. This is a major bump from the previous version of 4.8.3. This also requires adding newer versions of @typescript-eslint/eslint-plugin and @typescript-eslint/parser to our resolutions as eslint-config-react-app pulls in versions that otherwise do not support typescript 5.x. eslint-config-react-app has not been updated in 2 years and is seemingly abandoned, so we may wish to fork it or move to a different eslint config in the future. Updates https://github.com/tailscale/corp/issues/17810 Signed-off-by: Mario Minardi <[email protected]> * tsweb: expose function to generate request IDs For use in corp. Updates tailscale/corp#2549 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I71debae1ce9ae48cf69cc44c2ab5c443fc3b2005 * util/cache: fix missing interface methods (#11275) Updates #cleanup Change-Id: Ib3a33a7609530ef8c9f3f58fc607a61e8655c4b5 Signed-off-by: Andrew Dunham <[email protected]> * net/tstun: fix spelling of "WireGuard" Updates #cleanup Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ida7e30f4689bc18f5f7502f53a0adb5ac3c7981a * ipn/ipnstate, wgengine: make PeerStatusLite.LastHandshake zero Time means none ... rather than 1970. Code was using IsZero against the 1970 team (which isn't a zero value), but fortunately not anywhere that seems to have mattered. Updates #cleanup Change-Id: I708a3f2a9398aaaedc9503678b4a8a311e0e019e Signed-off-by: Brad Fitzpatrick <[email protected]> * wgengine: use slices.Clone in two places Updates #cleanup Change-Id: I1cb30efb6d09180e82b807d6146f37897ef99307 Signed-off-by: Brad Fitzpatrick <[email protected]> * wgengine: rename local variable from 'found' to conventional 'ok' Updates #cleanup Change-Id: I799dc86ea9e4a3a949592abdd8e74282e7e5d086 Signed-off-by: Brad Fitzpatrick <[email protected]> * .github/workflows: fix regular breakage of go toolchains This server recently had a common ansible applied, which added a periodic /tmp cleaner, as is needed on other CI machines to deal with test tempfile leakage. The setting of $HOME to /tmp means that the go toolchain in there was regularly getting pruned by the tmp cleaner, but often incompletely, because it was also in use. Move HOME to a runner owned directory. Updates #11248 Signed-off-by: James Tucker <[email protected]> * wgengine{,/wgint}: add wgint.Peer wrapper type, add to wgengine.Engine This adds a method to wgengine.Engine and plumbed down into magicsock to add a way to get a type-safe Tailscale-safe wrapper around a wireguard-go device.Peer that only exposes methods that are safe for Tailscale to use internally. It also removes HandshakeAttempts from PeerStatusLite that was just added as it wasn't needed yet and is now accessible ala cart as needed from the Peer type accessor. None of this is used yet. Updates #7617 Change-Id: I07be0c4e6679883e6eeddf8dbed7394c9e79c5f4 Signed-off-by: Brad Fitzpatrick <[email protected]> * client/web: fix Vite CJS deprecation warning (#11288) Starting in Vite 5, Vite now issues a deprecation warning when using a CJS-based Vite config file. This commit fixes it by adding the `"type": "module"` to our package.json to opt our files into ESM module behaviours. Fixes #cleanup Signed-off-by: Ross Zurowski <[email protected]> * ipn,wgengine: only intercept TailFS traffic on quad 100 This fixes a regression introduced with 993acf4 and released in v1.60.0. The regression caused us to intercept all userspace traffic to port 8080 which prevented users from exposing their own services to their tailnet at port 8080. Now, we only intercept traffic to port 8080 if it's bound for 100.100.100.100 or fd7a:115c:a1e0::53. Fixes #11283 Signed-off-by: Percy Wegmann <[email protected]> (cherry picked from commit 17cd0626f35dbc7948a78665d06a5862fc3dfdab) * ipn/ipnlocal: make active IPN sessions keyed by sessionID We used a HandleSet before when we didn't have a unique handle. But a sessionID is a unique handle, so use that instead. Then that replaces the other map we had. And now we'll have a way to look up an IPN session by sessionID for later. Updates tailscale/corp#17859 Change-Id: I5f647f367563ec8783c643e49f93817b341d9064 Signed-off-by: Brad Fitzpatrick <[email protected]> * tsweb: allow empty redirect URL in CleanRedirectURL (#11295) Updates #cleanup Signed-off-by: Andrew Lytvynov <[email protected]> * wgengine: plumb the PeerByKey from wgengine to magicsock This was just added in 69f4b459 which doesn't yet use it. This still doesn't yet use it. It just pushes it down deeper into magicsock where it'll used later. Updates #7617 Change-Id: If2f8fd380af150ffc763489e1ff4f8ca2899fac6 Signed-off-by: Brad Fitzpatrick <[email protected]> * tailfs: support storing bookmark data on shares This allows the sandboxed Mac application to store security- scoped URL bookmarks in order to maintain access to restricted folders across restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * ipn: include full tailfs shares in ipn notifications This allows the Mac application to regain access to restricted folders after restarts. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * util/linuxfw: insert rather than append nftables DNAT rule (#11303) Ensure that the latest DNATNonTailscaleTraffic rule gets inserted on top of any pre-existing rules. Updates tailscale/tailscale#11281 Signed-off-by: Irbe Krumina <[email protected]> * clientupdate: handle multiple versions in "apk info tailscale" output (#11310) The package info output can list multiple package versions, and not in descending order. Find the newest version in the output, instead of the first one. Fixes #11309 Signed-off-by: Andrew Lytvynov <[email protected]> * go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <[email protected]> * tailfs: only impersonate unprivileged user if able to sudo -u as that user When serving TailFS shares, tailscaled executes another tailscaled to act as a file server. It attempts to execute this child process as an unprivileged user using sudo -u. This is important to avoid accessing files as root, which would result in potential privilege escalation. Previously, tailscaled assumed that it was running as someone who can sudo -u, and would fail if it was unable to sudo -u. With this commit, if tailscaled is unable to sudo -u as the requested user, and tailscaled is not running as root, then tailscaled executes the the file server process under the same identity that ran tailscaled, since this is already an unprivileged identity. In the unlikely event that tailscaled is running as root but is unable to sudo -u, it will refuse to run the child file server process in order to avoid privilege escalation. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * docs/k8s: update docs (#11307) Update docs for static Tailscale deployments on kube to always use firewall mode autodection when in non-userspace. Also add a note about running multiple replicas and a few suggestions how folks could do that. Updates#cleanup Signed-off-by: Irbe Krumina <[email protected]> Co-authored-by: Anton Tolchanov <[email protected]> * tsweb: add more test cases for TestCleanRedirectURL (#11331) Updates #cleanup Signed-off-by: Chris Palmer <[email protected]> * tailcfg: add suggest exit node related node attribute (#11329) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <[email protected]> * util/cmpver: add Less/LessEq helper funcs Updates tailscale/corp#17199 Signed-off-by: Paul Scott <[email protected]> * go.toolchain.rev: bump Go toolchain to 1.22.1 Updates tailscale/corp#18000 Change-Id: I45de95e974ea55b0dac2218b3c82d124c4793390 Signed-off-by: Brad Fitzpatrick <[email protected]> * {ipn/serve,cmd/tailscale/cli}: move some shared funcs to ipn In preparation for changes to allow configuration of serve/funnel from the web client, this commit moves some functionality that will be shared between the CLI and web client to the ipn package's serve.go file, where some other util funcs are already defined. Updates #10261 Signed-off-by: Sonia Appasamy <[email protected]> * wgengine/magicsock: prefer link-local addresses to private ones Since link-local addresses are definitionally more likely to be a direct (lower-latency, more reliable) connection than a non-link-local private address, give those a bit of a boost when selecting endpoints. Updates #8097 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I93fdeb07de55ba39ba5fcee0834b579ca05c2a4e * licenses: update tailscale{,d} licenses Signed-off-by: License Updater <[email protected]> * licenses: update win/apple licenses Signed-off-by: License Updater <[email protected]> * licenses: update android licenses Signed-off-by: License Updater <[email protected]> * client/tailscale: add postures to UserRuleMatch Updates tailscale/corp#17770 Signed-off-by: Kristoffer Dalby <[email protected]> * {ipn,cmd/tailscale/cli}: move ServeConfig mutation logic to ipn/serve Moving logic that manipulates a ServeConfig into recievers on the ServeConfig in the ipn package. This is setup work to allow the web client and cli to both utilize these shared functions to edit the serve config. Any logic specific to flag parsing or validation is left untouched in the cli command. The web client will similarly manage its validation of user's requested changes. If validation logic becomes similar-enough, we can make a serve util for shared functionality, which likely does not make sense in ipn. Updates #10261 Signed-off-by: Sonia Appasamy <[email protected]> * ipn/ipnlocal: exclude mullvad exit nodes from TailFS peers list This is a temporary solution to at least omit Mullvad exit nodes from the list of TailFS peers. Once we can identify peers that are actually sharing via TailFS, we can remove this, but for alpha it'll be sufficient to just omit Mullvad. Updates tailscale/corp#17766 Signed-off-by: Percy Wegmann <[email protected]> * ipn/localapi: add set-gui-visible endpoint Updates tailscale/corp#17859 Provides a local API endpoint to be called from the GUI to inform the backend when the client menu is opened or closed. cc @bradfitz Signed-off-by: Andrea Gottardo <[email protected]> Signed-off-by: Andrea Gottardo <[email protected]> Signed-off-by: Andrea Gottardo <[email protected]> * ipn: add comment about thread-safety to StateStore Updates #cleanup Signed-off-by: Percy Wegmann <[email protected]> * ipn/ipnlocal: reduce allocations in TailFS share notifications This eliminates unnecessary map.Clone() calls and also eliminates repetitive notifications about the same set of shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * util/linuxfw: add container-friendly IPv6 NAT check (#11353) Remove IPv6 NAT check when routing is being set up using nftables. This is unnecessary as support for nftables was added after support for IPv6. https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources Additionally, run an extra check for IPv6 NAT support when the routing is set up with iptables. This is because the earlier checks rely on being able to use modprobe and on /proc/net/ip6_tables_names being populated on start - these conditions are usually not true in container environments. Updates tailscale/tailscale#11344 Signed-off-by: Irbe Krumina <[email protected]> * tsweb: add String method to tsweb.RequestID In case we want to change the format to something opaque later. Updates tailscale/corp#2549 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ie2eac8b885b694be607e9d5101d24b650026d89c * go.mod: bump gvisor The `stack.PacketBufferPtr` type no longer exists; replace it with `*stack.PacketBuffer` instead. Updates #8043 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ib56ceff09166a042aa3d9b80f50b2aa2d34b3683 * net/interfaces: fix test hang on Darwin This test could hang because the subprocess was blocked on writing to the stdout pipe if we find the address we're looking for early in the output. Updates #cleanup Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I68d82c22a5d782098187ae6d8577e43063b72573 * docs/k8s: don't run subnet router in userspace mode (#11363) There should not be a need to do that unless we run on host network Signed-off-by: Irbe Krumina <[email protected]> * cmd/derper, types/logger: move log filter to shared package So we can use it in trunkd to quiet down the logs there. Updates #5563 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ie3177dc33f5ad103db832aab5a3e0e4f128f973f * client/web: dedupe packages in yarn.lock (#11327) Run yarn-deduplicate on yarn.lock to dedupe packages. This is being done to reduce the number of redundant packages fetched by yarn when existing versions in the lockfile satisfy the version dependency we need. See https://github.com/scinos/yarn-deduplicate for details on the tool used to perform this deduplication. Updates #cleanup Signed-off-by: Mario Minardi <[email protected]> * tailcfg: bump CapabilityVersion (#11368) bump version for adding NodeAttrSuggestExitNode remove extra s from NodeAttrSuggestExitNode Updates tailscale/corp#17516 Signed-off-by: Claire Wang <[email protected]> * version/mkversion: enforce synology versions within int32 range Synology requires version numbers are within int32 range. This change updates the version logic to keep things closer within the range, and errors on building when the range is exceeded. Updates #cleanup Signed-off-by: Sonia Appasamy <[email protected]> * wgengine/magicsock: don't change DERP home when not connected to control This pretty much always results in an outage because peers won't discover our new home region and thus won't be able to establish connectivity. Updates tailscale/corp#18095 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ic0d09133f198b528dd40c6383b16d7663d9d37a7 * cmd/viewer: import views when generating byteSliceField Updates #cleanup Signed-off-by: Percy Wegmann <[email protected]> * ipn,tailfs: tie TailFS share configuration to user profile Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <[email protected]> * Code Improvements (#11311) build_docker, update-flake: cleanup and apply shellcheck fixes Was editing this file to match my needs while shellcheck warnings bugged me out. REV isn't getting used anywhere. Better remove it. Updates #cleanup Signed-off-by: Panchajanya1999 <[email protected]> Signed-off-by: James Tucker <[email protected]> * util/linuxfw: correct logical error in NAT table check (#11380) Updates #11344 Updates #11354 Signed-off-by: James Tucker <[email protected]> * util/linuxfw: fix support for containers without IPv6 iptables filters (#11381) There are container environments such as GitHub codespaces that have partial IPv6 support - routing support is enabled at the kernel level, but lacking IPv6 filter support in the iptables module. In the specific example of the codespaces environment, this also has pre-existing legacy iptables rules in the IPv4 tables, as such the nascent firewall mode detection will always pick iptables. We would previously fault trying to install rules to the filter table, this catches that condition earlier, and disables IPv6 support under these conditions. Updates #5621 Updates #11344 Updates #11354 Signed-off-by: James Tucker <[email protected]> * go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <[email protected]> * ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <[email protected]> * wgengine/netstack: fix bug with duplicate SYN packets in client limit This fixes a bug that was introduced in #11258 where the handling of the per-client limit didn't properly account for the fact that the gVisor TCP forwarder will return 'true' to indicate that it's handled a duplicate SYN packet, but not launch the handler goroutine. In such a case, we neither decremented our per-client limit in the wrapper function, nor did we do so in the handler function, leading to our per-client limit table slowly filling up without bound. Fix this by doing the same duplicate-tracking logic that the TCP forwarder does so we can detect such cases and appropriately decrement our in-flight counter. Updates tailscale/corp#12184 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: Ib6011a71d382a10d68c0802593f34b8153d06892 * prober: export probe counters and cumulative latency Updates #cleanup Signed-off-by: Anton Tolchanov <[email protected]> * prober: remove unused derp prober latency measurements Signed-off-by: Anton Tolchanov <[email protected]> * prober: add a DERP bandwidth probe Updates tailscale/corp#17912 Signed-off-by: Anton Tolchanov <[email protected]> * VERSION.txt: this is v1.63.0 Signed-off-by: Anton Tolchanov <[email protected]> * Bakup (#2) * net/interfaces: fix android "route ip+net: netlinkrib: permission denied" * remove github ci --------- Signed-off-by: Chandon Pierre <[email protected]> Signed-off-by: Anishka Singh <[email protected]> Signed-off-by: Andrew Dunham <[email protected]> Signed-off-by: James Tucker <[email protected]> Signed-off-by: Flakes Updater <[email protected]> Signed-off-by: kari-ts <[email protected]> Signed-off-by: David Anderson <[email protected]> Signed-off-by: Irbe Krumina <[email protected]> Signed-off-by: Charlotte Brandhorst-Satzkorn <[email protected]> Signed-off-by: Jordan Whited <[email protected]> Signed-off-by: Andrew Lytvynov <[email protected]> Signed-off-by: Will Norris <[email protected]> Signed-off-by: Chris Palmer <[email protected]>…
chen8945
pushed a commit
to Ckid-Home/tailscale
that referenced
this pull request
Jul 31, 2024
Updates tailscale/go#83 Signed-off-by: James Tucker <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge the go1.21.6 tag into tailscale.go1.21