~stepbrobd/tailscale

8c2717f9 — KevinLiang10 24 days ago master
ipn/ipnlocal: send vipServices info via c2n even if it's incomplete (#15166)

This commit updates the logic of vipServicesFromPrefsLocked, so that it would return the vipServices list
even when the service host is only advertising the service but not yet serving anything. This makes control
always get an accurate state of the service host in terms of serving a service.

Fixes tailscale/corp#26843

Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
2791b5d5 — Irbe Krumina 24 days ago
go.{mod,sum}: bump mkctr (#15161)

Updates tailscale/tailscale#15159

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
7180812f — Will Norris 25 days ago
licenses: add README

Add description of the license reports in this directory and brief
instructions for reviewers. I recently needed to convert these to CSV,
so I also wanted a place to stash that regex so I didn't lose it.

Updates tailscale/corp#5780

Signed-off-by: Will Norris <will@tailscale.com>
90273a7f — Jonathan Nobels 25 days ago
safesocket: return an error for LocalTCPPortAndToken for tailscaled (#15144)

fixes tailscale/corp#26806

Fixes a regression where LocalTCPPortAndToken needs to error out early
if we're not running as sandboxed macOS so that we attempt to connect
using the normal unix machinery.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
6df0aa58 — Irbe Krumina 25 days ago
cmd/containerboot: fix nil pointer exception (#15090)

Updates tailscale/tailscale#15081

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
b85d18d1 — Irbe Krumina 25 days ago
ipn/{ipnlocal,store},kube/kubeclient: store TLS cert and key pair to a Secret in a single operation. (#15147)

To avoid duplicate issuances/slowness while the state Secret
contains a mismatched cert and key.

Updates tailscale/tailscale#15134
Updates tailscale/corp#24795

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
3d28aa19 — Joe Tsai 25 days ago
all: statically enforce json/v2 interface satisfaction (#15154)

The json/v2 prototype is still in flux and the API can/will change.

Statically enforce that types implementing the v2 methods
satisfy the correct interface so that changes to the signature
can be statically detected by the compiler.

Updates tailscale/corp#791

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
f5522e62 — Patrick O'Doherty 25 days ago
client/web: fix CSRF handler order in web UI (#15143)

Fix the order of the CSRF handlers (HTTP plaintext context setting,
_then_ enforcement) in the construction of the web UI server. This
resolves false-positive "invalid Origin" 403 exceptions when attempting
to update settings in the web UI.

Add unit test to exercise the CSRF protection failure and success cases
for our web UI configuration.

Updates #14822
Updates #14872

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
ae303d41 — Joe Tsai 25 days ago
go.mod: bump github.com/go-json-experiment/json (#15010)

The upstream module has seen significant work making
the v1 emulation layer a high fidelity re-implementation
of v1 "encoding/json".

This addresses several upstream breaking changes:
* MarshalJSONV2 renamed as MarshalJSONTo
* UnmarshalJSONV2 renamed as UnmarshalJSONFrom
* Options argument removed from MarshalJSONV2
* Options argument removed from UnmarshalJSONV2

Updates tailscale/corp#791

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
c174d3c7 — Irbe Krumina 26 days ago
scripts/installer.sh: ensure default umask for the installer (#15139)

Ensures default Linux umask 022 for the installer script to
make sure that files created by the installer can be accessed
by other tools, such as apt.

Updates tailscale/tailscale#15133

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
820bdb87 — James Tucker a month ago
maths: add exponentially weighted moving average type

In order to improve latency tracking, we will use an exponentially
weighted moving average that will smooth change over time and suppress
large outlier values.

Updates tailscale/corp#26649

Signed-off-by: James Tucker <james@tailscale.com>
d7508b24 — Andrew Lytvynov 27 days ago
go.mod: bump golang.org/x/crypto (#15123)

There were two recent CVEs. The one that sorta affects us is
https://groups.google.com/g/golang-announce/c/qN_GDasRQSA (SSH DoS).

Updates #15124

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
83c10465 — Brad Fitzpatrick 28 days ago
cmd/derper: add --socket flag to change unix socket path to tailscaled

Fixes #10359

Change-Id: Ide49941c486d29856841016686827316878c9433
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
8d7033fe — Nick Khyl 28 days ago
ipn/ipnlocal,util/syspolicy,docs/windows/policy: implement the ReconnectAfter policy setting

In this PR, we update the LocalBackend so that when the ReconnectAfter policy setting is configured
and a user disconnects Tailscale by setting WantRunning to false in the profile prefs, the LocalBackend
will now start a timer to set WantRunning back to true once the ReconnectAfter timer expires.

We also update the ADMX/ADML policy definitions to allow configuring this policy setting for Windows
via Group Policy and Intune.

Updates #14824

Signed-off-by: Nick Khyl <nickk@tailscale.com>
d1b0e1af — Paul Scott 28 days ago
cmd/testwrapper/flakytest: add Marked to check if in flakytest (#15119)

Updates tailscale/corp#26637

Signed-off-by: Paul Scott <paul@tailscale.com>
781c1e96 — Brad Fitzpatrick 28 days ago
tstest/deptest: add DepChecker.ExtraEnv option for callers to set

For tests (in another repo) that use cgo, we'd like to set CGO_ENABLED=1
explicitly when evaluating cross-compiled deps with "go list".

Updates tailscale/corp#26717
Updates tailscale/corp#26737

Change-Id: Ic21a54379ae91688d2456985068a47e73d04a645
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
f5997b3c — Brad Fitzpatrick a month ago
go.toolchain.rev: bump Tailscale Go 1.24 for a Tailscale revert + upstream bump

Diff:
https://github.com/tailscale/go/commit/7c083839130f799407787d693dc95af44190cc83

This reverts our previous CGO_ENABLED change: https://github.com/tailscale/go/commit/c1d3e9e81461bf43e010bd5f79315b715ed68023

It was causing depaware problems and is no longer necessary it seems? Upstream cmd/go is static nowadays.

And pulls in:

    [release-branch.go1.24] doc/godebug: mention GODEBUG=fips140
    [release-branch.go1.24] cmd/compile: avoid infinite recursion when inlining closures
    [release-branch.go1.24] syscall: don't truncate newly created files on Windows
    [release-branch.go1.24] runtime: fix usleep on s390x/linux
    [release-branch.go1.24] runtime: add some linknames back for `github.com/bytedance/sonic`

Of those, really only the 2nd and 3rd might affect us.

Updates #15015
Updates tailscale/go#52

Change-Id: I0fa479f8b2d39f43f2dcdff6c28289dbe50b0773
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
dcd7cd3c — Will Norris a month ago
client/systray: show message on localapi permission error

When LocalAPI returns an AccessDeniedError, display a message in the
menu and hide or disable most other menu items. This currently includes
a placeholder KB link which I'll update if we end up using something
different.

I debated whether to change the app icon to indicate an error, but opted
not to since there is actually nothing wrong with the client itself and
Tailscale will continue to function normally. It's just that the systray
app itself is in a read-only state.

Updates #1708

Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d
Signed-off-by: Will Norris <will@tailscale.com>
074372d6 — Erisa A a month ago
scripts/installer.sh: add SparkyLinux as a Debian derivative (#15076)

Fixes #15075

Signed-off-by: Erisa A <erisa@tailscale.com>
2c3338c4 — Andrew Lytvynov a month ago
client/tailscale: fix Client.BuildURL and Client.BuildTailnetURL (#15064)

This method uses `path.Join` to build the URL. Turns out with 1.24 this
started stripping consecutive "/" characters, so "http://..." in baseURL
becomes "http:/...".

Also, `c.Tailnet` is a function that returns `c.tailnet`. Using it as a
path element would encode as a pointer instead of the tailnet name.

Finally, provide a way to prevent escaping of path elements e.g. for `?`
in `acl?details=1`.

Updates #15015

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>