forked from tailscale/tailscale
feat(ci): bump to upstream 1.74.0 #11
Merged
Signed-off-by: Andrea Gottardo <[email protected]>
…e#13146) updates tailscale/corp#22371 Adds custom macOS vm tooling. See the README for the general gist, but this will spin up VMs with unixgram capable network interfaces listening to a named socket, and with a virtio socket device for host-guest communication. We can add other devices like consoles, serial, etc. as needed. The whole thing is buildable with a single make command, and everything is controllable via the command line using the TailMac utility. This should all be generally functional but takes a few shortcuts with error handling and the like. The virtio socket device support has not been tested and may require some refinement. Signed-off-by: Jonathan Nobels <[email protected]>
…n policies Fixes tailscale#13182 Signed-off-by: Aaron Klotz <[email protected]>
Signed-off-by: tomholford <[email protected]>
…#13061) Updates tailscale/corp#22120 Adds the ability to start the backend by reading an authkey stored in the syspolicy database (MDM). This is useful for devices that are provisioned in an unattended fashion. Signed-off-by: Andrea Gottardo <[email protected]>
Updates tailscale/corp#20931 Signed-off-by: Kristoffer Dalby <[email protected]>
…C role definitions with verbs cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs fixes: tailscale#13168 Signed-off-by: Pierig Le Saux <[email protected]>
…rage and retrieval of string values in HKEY_CURRENT_USER Fixes tailscale#13187 Signed-off-by: Aaron Klotz <[email protected]>
…ale#12711) Signed-off-by: ChandonPierre <[email protected]> Closes tailscale#12421
…for Linux (tailscale#13172) In 2f27319 we disabled GRO due to a data race around concurrent calls to tstun.Wrapper.Write(). This commit refactors GRO to be thread-safe, and re-enables it on Linux. This refactor now carries a GRO type across tstun and netstack APIs with a lifetime that is scoped to a single tstun.Wrapper.Write() call. In 25f0a3f we used build tags to prevent importation of gVisor's GRO package on iOS as at the time we believed it was contributing to additional memory usage on that platform. It wasn't, so this commit simplifies and removes those build tags. Updates tailscale/corp#22353 Updates tailscale/corp#22125 Updates tailscale#6816 Signed-off-by: Jordan Whited <[email protected]>
…ailscale#13202) In df6014f we removed build tag gating preventing importation, which tripped a NetworkExtension limit test in corp. This was a reversal of 25f0a3f which actually made the situation worse, hence the simplification. This commit goes back to the strategy in 25f0a3f, and gets us back under the limit in my local testing. Admittedly, we don't fully understand the effects of importing or excluding importation of this package, and have seen mixed results, but this commit allows us to move forward again. Updates tailscale/corp#22125 Signed-off-by: Jordan Whited <[email protected]>
This involved the following:
1. Pass the su command path as first of args in call to unix.Exec to make sure that busybox sees the correct program name. Busybox is a single executable userspace that implements various core userspace commands in a single binary. You'll see it used via symlinking, so that for example /bin/su symlinks to /bin/busybox. Busybox knows that you're trying to execute /bin/su because argv[0] is '/bin/su'. When we called unix.Exec, we weren't including the program name for argv[0], which caused busybox to fail with 'applet not found', meaning that it didn't know which command it was supposed to run.
2. Tell su to whitelist the SSH_AUTH_SOCK environment variable in order to support ssh agent forwarding.
3. Run integration tests on alpine, which uses busybox.
4. Increment CurrentCapabilityVersion to allow turning on SSH V2 behavior from control.
Fixes tailscale#12849 Signed-off-by: Percy Wegmann <[email protected]>
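The argv[0] point in item 1 above, as an added example that is not Tailscale's incubator code: a multi-call binary such as busybox picks its applet from the basename of argv[0], so the exec'ing side must put the program path there explicitly. The applet table is a constructed subset, and the `-w SSH_AUTH_SOCK` flag in `suLoginArgv` is util-linux su's `--whitelist-environment`, included here as an assumption about how item 2 could be expressed; check it against the su implementation actually installed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"syscall"
)

// Constructed subset of applets a multi-call binary might provide.
var applets = map[string]bool{"su": true, "sh": true, "login": true}

// buildExecArgv returns the argv slice for syscall.Exec/unix.Exec with the
// program path in argv[0]. Passing only the flags, as in the bug described in
// the commit, leaves a multi-call binary with nothing to dispatch on.
func buildExecArgv(path string, args ...string) []string {
	argv := make([]string, 0, len(args)+1)
	argv = append(argv, path)
	return append(argv, args...)
}

// suLoginArgv builds argv for a login shell via su. "-w SSH_AUTH_SOCK" is
// assumed (util-linux su's --whitelist-environment) to keep the agent socket
// across su's environment reset so agent forwarding keeps working.
func suLoginArgv(suPath, user string) []string {
	return buildExecArgv(suPath, "-w", "SSH_AUTH_SOCK", "-l", user)
}

// appletFromArgv0 mimics a multi-call binary's dispatch: the applet is the
// basename of argv[0]. A missing or unknown name is the "applet not found"
// failure; with argv[0] == "-l" (flags only) the lookup fails the same way.
func appletFromArgv0(argv []string) (string, error) {
	if len(argv) == 0 || argv[0] == "" {
		return "", errors.New("applet not found")
	}
	name := filepath.Base(argv[0])
	if !applets[name] {
		return "", fmt.Errorf("%s: applet not found", name)
	}
	return name, nil
}

// execWithArgv0 replaces the current process with path, always passing the
// program path as argv[0]. It does not return on success, so it is only
// shown here and not exercised.
func execWithArgv0(path string, args []string, env []string) error {
	return syscall.Exec(path, buildExecArgv(path, args...), env)
}

func main() {
	good := suLoginArgv("/bin/su", "alice")
	applet, err := appletFromArgv0(good)
	fmt.Printf("argv=%q applet=%q err=%v\n", good, applet, err)

	// The buggy form: flags only, no program name in argv[0].
	bad := []string{"-w", "SSH_AUTH_SOCK", "-l", "alice"}
	_, err = appletFromArgv0(bad)
	fmt.Printf("argv=%q err=%v\n", bad, err)
}
```

`appletFromArgv0` is a stand-in for the dispatch step inside busybox; the point to carry away is that `buildExecArgv` (and nothing else) is what decides what that step sees.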
In Tailnet Lock, there is an implicit limit on the number of rotation signatures that can be chained before the signature becomes too long. This program helps tailnet admins to identify nodes that have signatures with long chains and prints commands to re-sign those node keys with a fresh direct signature. It's a temporary mitigation measure, and we will remove this tool as we design and implement a long-term approach for rotation signatures. Example output:
```
2024/08/20 18:25:03 Self: does not need re-signing
2024/08/20 18:25:03 Visible peers with valid signatures:
2024/08/20 18:25:03 Peer xxx2.yy.ts.net. (100.77.192.34) nodeid=nyDmhiZiGA11KTM59, current signature kind=direct: does not need re-signing
2024/08/20 18:25:03 Peer xxx3.yy.ts.net. (100.84.248.22) nodeid=ndQ64mDnaB11KTM59, current signature kind=direct: does not need re-signing
2024/08/20 18:25:03 Peer xxx4.yy.ts.net. (100.85.253.53) nodeid=nmZfVygzkB21KTM59, current signature kind=rotation: chain length 4, printing command to re-sign
tailscale lock sign nodekey:530bddbfbe69e91fe15758a1d6ead5337aa6307e55ac92dafad3794f8b3fc661 tlpub:4bf07597336703395f2149dce88e7c50dd8694ab5bbde3d7c2a1c7b3e231a3c2
```
To support this, the NetworkLockStatus localapi response now includes information about signatures of all peers rather than just the invalid ones. This is not displayed by default in `tailscale lock status`, but will be surfaced in `tailscale lock status --json`. Updates tailscale#13185 Signed-off-by: Anton Tolchanov <[email protected]>
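The chain-length check the commit message describes, as an added example that models the idea rather than using Tailscale's tka package: a rotation signature wraps the signature it rotates from, so the length of the chain is found by walking those nested pointers down to the direct signature at the root. The type names, the `maxChainLength` threshold and the hex values in the usage are assumptions, not Tailscale's own.

```go
package main

import (
	"errors"
	"fmt"
)

// SigKind is the signature kind; the commit's output shows "direct" and "rotation".
type SigKind int

const (
	SigDirect   SigKind = iota // signed directly by a tailnet lock key
	SigRotation                // signed by the previous node key; wraps Nested
)

func (k SigKind) String() string {
	switch k {
	case SigDirect:
		return "direct"
	case SigRotation:
		return "rotation"
	}
	return "unknown"
}

// NodeKeySignature is a simplified model (assumed shape, not tka's type).
type NodeKeySignature struct {
	Kind   SigKind
	Nested *NodeKeySignature // non-nil only for SigRotation
}

// maxChainLength is an assumed threshold; the real limit is implicit in the
// maximum serialized signature size and is not stated in the commit.
const maxChainLength = 3

// chainLength returns the number of rotation signatures stacked on the direct
// root. It rejects chains with no direct root, a nesting direct signature, or
// a length so large it is either corrupt or cyclic.
func chainLength(sig *NodeKeySignature) (int, error) {
	n := 0
	for cur := sig; ; cur = cur.Nested {
		if cur == nil {
			return 0, errors.New("chain has no direct signature at its root")
		}
		switch cur.Kind {
		case SigDirect:
			if cur.Nested != nil {
				return 0, errors.New("direct signature must not nest another signature")
			}
			return n, nil
		case SigRotation:
			n++
			if n > 1<<16 {
				return 0, errors.New("chain too long or cyclic")
			}
		default:
			return 0, fmt.Errorf("unknown signature kind %d", cur.Kind)
		}
	}
}

// needsResign reports whether the node should get a fresh direct signature.
func needsResign(sig *NodeKeySignature) (bool, error) {
	n, err := chainLength(sig)
	if err != nil {
		return false, err
	}
	return n >= maxChainLength, nil
}

// resignCommand formats the CLI invocation printed in the commit's output.
func resignCommand(nodeKeyHex, tlpubHex string) string {
	return fmt.Sprintf("tailscale lock sign nodekey:%s tlpub:%s", nodeKeyHex, tlpubHex)
}

// rotatedChain constructs a direct signature wrapped by n rotations.
func rotatedChain(n int) *NodeKeySignature {
	sig := &NodeKeySignature{Kind: SigDirect}
	for i := 0; i < n; i++ {
		sig = &NodeKeySignature{Kind: SigRotation, Nested: sig}
	}
	return sig
}

func main() {
	for _, n := range []int{0, 4} {
		sig := rotatedChain(n)
		length, _ := chainLength(sig)
		resign, _ := needsResign(sig)
		fmt.Printf("kind=%s chain length %d resign=%v\n", sig.Kind, length, resign)
		if resign {
			// Placeholder hex values, constructed for the example.
			fmt.Println(resignCommand("00ab", "00cd"))
		}
	}
}
```

The bounded walk matters: a signature parsed from the wire is attacker-influenced input, so the loop must terminate even if the nesting is malformed, and the length check is what turns "implicit limit" into an explicit one an admin can act on.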
This adds a new package containing generic types to be used for defining preference hierarchies. These include prefs.Item, prefs.List, prefs.StructList, and prefs.StructMap. Each of these types represents a configurable preference, holding the preference's state, value, and metadata. The metadata includes the default value (if it differs from the zero value of the Go type) and flags indicating whether a preference is managed via syspolicy or is hidden/read-only for another reason. This information can be marshaled and sent to the GUI, CLI and web clients as a source of truth regarding preference configuration, management, and visibility/mutability states. We plan to use these types to define device preferences, such as the updater preferences, the permission mode to be used on Windows with #tailscale/corp#18342, and certain global options that are currently exposed as tailscaled flags. We also aim to eventually use these types for profile-local preferences in ipn.Prefs and as a replacement for ipn.MaskedPrefs. The generic preference types are compatible with the tailscale.com/cmd/viewer and tailscale.com/cmd/cloner utilities. Updates tailscale#12736 Signed-off-by: Nick Khyl <[email protected]>
…ssary and possible Instead of changing the working directory before launching the incubator process, this now just changes the working directory after dropping privileges, at which point we're more likely to be able to enter the user's home directory since we're running as the user. For paths that use the 'login' or 'su -l' commands, those already take care of changing the working directory to the user's home directory. Fixes tailscale#13120 Signed-off-by: Percy Wegmann <[email protected]>
net/tstun.Wrapper.InjectInboundPacketBuffer is not GSO-aware, which can break quad-100 TCP streams as a result. Linux is the only platform where gVisor GSO was previously enabled. Updates tailscale/corp#22511 Updates tailscale#13211 Signed-off-by: Jordan Whited <[email protected]>
To avoid dig vs nslookup vs $X availability issues between OSes/distros. And to be in Go, to match the resolver we use. Updates tailscale#13038 Change-Id: Ib7e5c351ed36b5470a42cbc230b8f27eed9a1bf8 Signed-off-by: Brad Fitzpatrick <[email protected]>
… if they've changed Fixes tailscale#13195 Signed-off-by: Percy Wegmann <[email protected]>
In prep for updating to new staticcheck required for Go 1.23. Updates tailscale#12912 Change-Id: If77892a023b79c6fa798f936fc80428fd4ce0673 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale#12912 Change-Id: Ib4ae26eb5fb68ad2216cab4913811b94f7eed5b6 Signed-off-by: Brad Fitzpatrick <[email protected]>
…text Signed-off-by: Ilarion Kovalchuk <[email protected]>
Signed-off-by: Flakes Updater <[email protected]>
And convert a few callers as an example, but nowhere near all. Updates tailscale#12912 Change-Id: I5eaa12a29a6cd03b58d6f1072bd27bc0467852f2 Signed-off-by: Brad Fitzpatrick <[email protected]>
…equire vishvananda/netlink After the upstream PR is merged, we can point directly at github.com/vishvananda/netlink and retire github.com/tailscale/netlink. See vishvananda/netlink#1006 Updates tailscale#12298 Signed-off-by: Percy Wegmann <[email protected]>
…ishvananda/netlink Fixes tailscale#12298 Signed-off-by: Percy Wegmann <[email protected]>
updates tailscale/corp#22371 For dgram mode, we need to store the write addresses of the client socket(s) alongside the writer functions and the write operation needs to use WriteToUnix. Unix also has multiple clients writing to the same socket, so the serve method is modified to handle packets from multiple mac addresses. Cleans up a bit of cruft from the initial tailmac tooling commit. Now all the macOS packets are belong to us. Signed-off-by: Jonathan Nobels <[email protected]>
Signed-off-by: Flakes Updater <[email protected]>
This adds a systray app for linux, similar to the apps for macOS and windows. There are already a number of community-developed systray apps, but most of them are either long abandoned, are built for a specific desktop environment, or simply wrap the tailscale CLI. This uses fyne.io/systray (a fork of github.com/getlantern/systray) which uses newer D-Bus specifications to render the tray icon and menu. This results in a pretty broad support for modern desktop environments. This initial commit lacks a number of features like profile switching, device listing, and exit node selection. This is really focused on the application structure, the interaction with LocalAPI, and some system integration pieces like the app icon, notifications, and the clipboard. Updates tailscale#1708 Signed-off-by: Will Norris <[email protected]>
Otherwise you get "Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator". This lets a non-operator at least start the app and see the status, even if they can't change everything. (the web UI is unaffected by operator) A future change can add a LocalAPI call to check permissions and guide people through adding a user as an operator (perhaps the web client can do that?) Updates tailscale#1708 Change-Id: I699e035a251b4ebe14385102d5e7a2993424c4b7 Signed-off-by: Brad Fitzpatrick <[email protected]>
Signed-off-by: Flakes Updater <[email protected]>
Fixes tailscale#13204 Change-Id: I7154cdabc9dc362dcc3221fd5a86e21f610bbff0 Signed-off-by: Brad Fitzpatrick <[email protected]>
Discovered this while investigating the following issue; I think it's unrelated, but might as well fix it. Also, add a test helper for checking things that have an IsZero method using the reflect package. Updates tailscale/support-escalations#55 Signed-off-by: Andrew Dunham <[email protected]> Change-Id: I57b7adde43bcef9483763b561da173b4c35f49e2
Disable TCP & UDP GRO if the probe fails. torvalds/linux@e269d79 broke virtio_net TCP & UDP GRO causing GRO writes to return EINVAL. The bug was then resolved later in torvalds/linux@89add40. The offending commit was pulled into various LTS releases. Updates tailscale#13041 Signed-off-by: Jordan Whited <[email protected]>
Signed-off-by: Flakes Updater <[email protected]>
When tailscaled restarts and our watch connection goes down, we get stuck in an infinite loop printing `ipnbus error: EOF` (which ended up consuming all the disk space on my laptop via the log file). Instead, handle errors in `watchIPNBus` and reconnect after a short delay. Updates tailscale#1708 Signed-off-by: Andrew Lytvynov <[email protected]>
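The reconnect-with-delay behaviour described above, as an added example that is not the systray app's own code: each watch connection is pumped until it fails, the failure is reported once, and the loop then sleeps before dialing again, so a tailscaled that is down produces one log line per retry instead of an unbounded `ipnbus error: EOF` stream that can fill a disk. The `Watcher` interface, the dial function and the fake watcher are assumptions constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"time"
)

// Watcher yields bus notifications until its connection fails (assumed shape).
type Watcher interface {
	Next() (string, error)
	Close() error
}

// dialFn opens a new watch connection.
type dialFn func(ctx context.Context) (Watcher, error)

// watchBus runs until ctx is cancelled, reconnecting after retryDelay whenever
// a connection cannot be dialed or stops delivering. It returns the number of
// reconnect attempts it made, which is what the test asserts on.
func watchBus(ctx context.Context, dial dialFn, retryDelay time.Duration,
	onNotify func(string), onErr func(error)) (reconnects int) {
	for {
		if ctx.Err() != nil {
			return reconnects
		}
		w, err := dial(ctx)
		if err == nil {
			err = pump(w, onNotify) // returns the terminal error, e.g. io.EOF
			w.Close()
		}
		onErr(err) // reported once per failed connection, not per loop iteration
		reconnects++
		select {
		case <-ctx.Done():
			return reconnects
		case <-time.After(retryDelay):
			// back off before trying again instead of spinning
		}
	}
}

// pump forwards notifications until the watcher errors.
func pump(w Watcher, onNotify func(string)) error {
	for {
		msg, err := w.Next()
		if err != nil {
			return err
		}
		onNotify(msg)
	}
}

// fakeWatcher is a constructed test double: it delivers its messages, then EOF,
// mimicking a watch connection dropped by a tailscaled restart.
type fakeWatcher struct{ msgs []string }

func (f *fakeWatcher) Next() (string, error) {
	if len(f.msgs) == 0 {
		return "", io.EOF
	}
	m := f.msgs[0]
	f.msgs = f.msgs[1:]
	return m, nil
}

func (f *fakeWatcher) Close() error { return nil }

// simulateRestarts drives watchBus with a dialer that succeeds `good` times,
// each connection delivering one notification before EOF, and then fails
// while cancelling the context so the loop exits.
func simulateRestarts(good int) (reconnects, notifications, errs int) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	dials := 0
	dial := func(ctx context.Context) (Watcher, error) {
		dials++
		if dials > good {
			cancel()
			return nil, errors.New("tailscaled not running")
		}
		return &fakeWatcher{msgs: []string{fmt.Sprintf("state update %d", dials)}}, nil
	}
	reconnects = watchBus(ctx, dial, time.Millisecond,
		func(string) { notifications++ },
		func(error) { errs++ })
	return reconnects, notifications, errs
}

func main() {
	r, n, e := simulateRestarts(2)
	fmt.Printf("reconnects=%d notifications=%d errors logged=%d\n", r, n, e)
}
```

With two good connections the loop logs exactly three errors (two EOFs and one failed dial) and then stops because the context was cancelled; without the delay and the context check the same code would be the busy loop the commit fixes.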
We no longer need this on Windows, and it was never required on other platforms. It just results in more short-lived connections unless we use HTTP/2. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <[email protected]>
Updates #cleanup Signed-off-by: Jordan Whited <[email protected]>
Updates tailscale#13359 Change-Id: I28e048bf9d1d114d07d140f165f4ea89a82be79f Signed-off-by: Brad Fitzpatrick <[email protected]>
Update Go toolchain to 1.23.1. Updates #cleanup Signed-off-by: Patrick O'Doherty <[email protected]>
…ress (tailscale#13382) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <[email protected]>
We already disable dynamic updates by setting DisableDynamicUpdate to 1 for the Tailscale interface. However, this does not prevent non-dynamic DNS registration from happening when `ipconfig /registerdns` runs and in similar scenarios. Notably, dns/windowsManager.SetDNS runs `ipconfig /registerdns`, triggering DNS registration for all interfaces that do not explicitly disable it. In this PR, we update dns/windowsManager.disableDynamicUpdates to also set RegistrationEnabled to 0. Fixes tailscale#13411 Signed-off-by: Nick Khyl <[email protected]>
…ailscale#13410) Updates tailscale/corp#22920 Signed-off-by: Irbe Krumina <[email protected]>
…epaware.txt: split out kube types (tailscale#13417) Further split kube package into kube/{client,api,types}. This is so that consumers who only need constants/static types don't have to import the client and api bits. Updates #cleanup Signed-off-by: Irbe Krumina <[email protected]>
…epaware.txt: rename packages (tailscale#13418) Rename kube/{types,client,api} -> kube/{kubetypes,kubeclient,kubeapi} so that we don't need to rename the package on each import to convey that it's kubernetes specific. Updates #cleanup Signed-off-by: Irbe Krumina <[email protected]>
It was scaring people. It's been pretty stable for quite some time now and we're unlikely to change the API and break people at this point. We might, but have been trying not to. Fixes tailscale/corp#22933 Change-Id: I0c3c79b57ccac979693c62ba320643a940ac947e Signed-off-by: Brad Fitzpatrick <[email protected]>
…scale#13370) This mimics having Tailscale in the 'Stopped' state by programming an empty DNS configuration when the current node key is expired. Updates tailscale/support-escalations#55 Change-Id: I68ff4665761fb621ed57ebf879263c2f4b911610 Signed-off-by: Andrew Dunham <[email protected]>
We started out with a single protocol & port, now it's many. Updates #cleanup Signed-off-by: Jordan Whited <[email protected]>
…ilscale#13419) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 7.0.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@284f54f...8867c4a)
---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…12524) Bumps [ws](https://github.com/websockets/ws) from 8.14.2 to 8.17.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.14.2...8.17.1)
---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixes tailscale#13432 Signed-off-by: Fran Bull <[email protected]>
Updates tailscale/corp#20600 Change-Id: I2bb17af0f40603ada1ba4cecc087443e00f9392a Co-authored-by: Maisem Ali <[email protected]> Signed-off-by: Brad Fitzpatrick <[email protected]>
…ailscale#13299) cmd/k8s-operator,k8s-operator,kube: Add TSRecorder CRD + controller Deploys tsrecorder images to the operator's cluster. S3 storage is configured via environment variables from a k8s Secret. Currently only supports a single tsrecorder replica, but I've tried to take early steps towards supporting multiple replicas by e.g. having a separate secret for auth and state storage. Example CR:
```yaml
apiVersion: tailscale.com/v1alpha1
kind: Recorder
metadata:
  name: rec
spec:
  enableUI: true
```
Updates tailscale#13298 Signed-off-by: Tom Proctor <[email protected]>
When the desired netfilter mode was unset, we would always try to use the `iptables` binary. In such cases if iptables was not found, tailscaled would just crash as seen in tailscale#13440. To work around this, in those cases check if the `iptables` binary even exists and if it doesn't fall back to the nftables implementation. Verified that it works on stock Ubuntu 24.04. Updates tailscale#5621 Updates tailscale#8555 Updates tailscale#8762 Fixes tailscale#13440 Signed-off-by: Maisem Ali <[email protected]>
Updates tailscale#12912 Signed-off-by: Maisem Ali <[email protected]>
7328059 for tailscale#2751 added a "clientSet" interface to distinguish the two cases of a client being singly connected (the common case) vs tolerating multiple connections from the client at once. At the time (three years ago) it was kinda an experiment and we didn't know whether it'd stop the reconnect floods we saw from certain clients. It did. So this promotes it to be a first-class thing a bit, removing the interface. The old tests from 7328059 were invaluable in ensuring correctness while writing this change (they failed a bunch). But the real motivation for this change is that it'll permit a future optimization to add flow tracking for stats & performance where we don't contend on Server.mu for each packet sent via DERP. Instead, each client can track its active flows and hold on to a *clientSet and ask the clientSet per packet what the active client is via one atomic load rather than a mutex. And if the atomic load returns nil, we'll know we need to ask the server to see if they died and reconnected and got a new clientSet. But that's all coming later. Updates tailscale#3560 Change-Id: I9ccda3e5381226563b5ec171ceeacf5c210e1faf Signed-off-by: Brad Fitzpatrick <[email protected]>
And update a few callers as examples of motivation. (there are a couple others, but these are the ones where it's prettier) Updates #cleanup Change-Id: Ic8c5cb7af0a59c6e790a599136b591ebe16d38eb Signed-off-by: Brad Fitzpatrick <[email protected]>
Signed-off-by: kari-ts <[email protected]>
https://tailscale.com/changelog#2024-09-12