feat(ci): Bump to upstream v1.82.5 #23
Merged
Conversation
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates #cleanup Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
SliceEqualAnyOrderFunc had an optimization missing from SliceEqualAnyOrder. Now they share the same code and both have the optimization. Updates tailscale#14593 Change-Id: I550726e0964fc4006e77bb44addc67be989c131c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
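The commit above describes sharing one code path between SliceEqualAnyOrder and SliceEqualAnyOrderFunc so both get the same early-exit optimization. The following is an added illustration written for this page, not Tailscale's code: it assumes the optimization is a length check (and an in-order prefix scan) before any allocation, and that the `Func` variant compares elements through a caller-supplied key function.

```go
package main

import (
	"fmt"
	"strings"
)

// sliceEqualAnyOrderFunc reports whether a and b hold the same multiset of
// elements, ignoring order, comparing elements by key(x).
// Assumed example implementation, not the tailscale/tailscale one.
func sliceEqualAnyOrderFunc[T any, K comparable](a, b []T, key func(T) K) bool {
	// Cheap rejection: different lengths can never be equal as multisets,
	// and checking this first avoids allocating the counting map below.
	if len(a) != len(b) {
		return false
	}
	// Fast path: walk the common in-order prefix; many callers already pass
	// sorted or identically ordered slices, which never reach the map.
	n := 0
	for n < len(a) && key(a[n]) == key(b[n]) {
		n++
	}
	if n == len(a) {
		return true
	}
	// Slow path: count the remaining elements of a, then consume them with b.
	counts := make(map[K]int, len(a)-n)
	for _, v := range a[n:] {
		counts[key(v)]++
	}
	for _, v := range b[n:] {
		k := key(v)
		c, ok := counts[k]
		if !ok {
			return false // b has an element a lacks (or has too many of it)
		}
		if c == 1 {
			delete(counts, k)
		} else {
			counts[k] = c - 1
		}
	}
	// Both tails have equal length, so every count must have been consumed.
	return len(counts) == 0
}

// sliceEqualAnyOrder is the non-Func variant, sharing the same code path by
// using the identity as the key function.
func sliceEqualAnyOrder[T comparable](a, b []T) bool {
	return sliceEqualAnyOrderFunc(a, b, func(v T) T { return v })
}

func main() {
	fmt.Println(sliceEqualAnyOrder([]string{"a", "b", "c"}, []string{"c", "a", "b"})) // true
	fmt.Println(sliceEqualAnyOrder([]int{1, 2, 2}, []int{1, 1, 2}))                   // false
	fmt.Println(sliceEqualAnyOrderFunc([]string{"X", "y"}, []string{"Y", "x"}, strings.ToLower)) // true
}
```

Because the wrapper delegates to the generic function, any future optimization lands in both entry points at once, which is the point the commit makes.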
…ere appropriate Conventionally, we use views (e.g., ipn.PrefsView, tailcfg.NodeView, etc.) when dealing with structs that shouldn't be mutated. However, ipn.LoginProfile has been an exception so far, with a mix of passing and returning LoginProfile by reference (allowing accidental mutations) and by value (which is wasteful, given its current size of 192 bytes). In this PR, we generate an ipn.LoginProfileView and use it instead of passing/returning LoginProfiles by mutable reference or copying them when passing/returning by value. Now, LoginProfiles can only be mutated by (*profileManager).setProfilePrefs. Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…heckProfileAccess method The implementations define it to verify whether the actor has the requested access to a login profile. Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
In this PR, we update LocalBackend to set WantRunning=true when applying policy settings to the current profile's prefs, if the "always-on" mode is enabled. We also implement a new (*LocalBackend).EditPrefsAs() method, which is like EditPrefs but accepts an actor (e.g., a LocalAPI client's identity) that initiated the change. If WantRunning is being set to false, the new EditPrefsAs method checks whether the actor has ipnauth.Disconnect access to the profile and propagates an error if they do not. Finally, we update (*ipnserver.actor).CheckProfileAccess to allow a disconnect only if the "always-on" mode is not enabled by the AlwaysOn policy setting. This is not a comprehensive solution to the "always-on" mode across platforms, as instead of disconnecting a user could achieve the same effect by creating a new empty profile, initiating a reauth, or by deleting the profile. These are the things we should address in future PRs. Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Updates #cleanup Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…ypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Originally implemented in 46fd4e5, which was reverted in b60f6b8 to keep the change out of v1.80. Updates tailscale#8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>
The AlwaysOn policy can be applied by (*LocalBackend).applySysPolicy, flipping WantRunning from false to true before (*LocalBackend).Start() has been called for the first time and set a control client in b.cc. This results in a nil pointer dereference and a panic when setPrefsLockedOnEntry applies the change and calls controlclient.Client.Login(). In this PR, we fix it by only doing a login if b.cc has been set. Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…tric names Dots are not allowed in metric names and cause panics. Since we use dots in names like AlwaysOn.OverrideWithReason, let's replace them with underscores. We don’t want to use setting.KeyPathSeparator here just yet to make it fully hierarchical, but we will decide as we progress on the (experimental) AlwaysOn.* policy settings. tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…AlwaysOn.OverrideWithReason policy setting
In this PR, we update client/tailscale.LocalClient to allow sending requests with an optional X-Tailscale-Reason
header. We then update ipn/ipnserver.{actor,Server} to retrieve this reason, if specified, and use it to determine
whether ipnauth.Disconnect is allowed when the AlwaysOn.OverrideWithReason policy setting is enabled.
For now, we log the reason, along with the profile and OS username, to the backend log.
Finally, we update LocalBackend to remember when a disconnect was permitted and do not reconnect automatically
unless the policy changes.
Updates tailscale/corp#26146
Signed-off-by: Nick Khyl <nickk@tailscale.com>
To fix a logging crash. Updates tailscale/corp#20503 Change-Id: I1beafe34afeb577aaaf6800a408faf6454b16912 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
If specified, the reason is sent via the LocalAPI for auditing purposes. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>
… to captive portal detection Observed on some airlines (British Airways, WestJet), Squid is configured to cache and transform these results, which is disruptive. The server and client should both actively request that this is not done by setting Cache-Control headers. Send a timestamp parameter to further work against caches that do not respect the cache-control headers. Updates tailscale#14856 Signed-off-by: James Tucker <james@tailscale.com>
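The commit above asks both sides of the captive-portal probe to defeat caching intermediaries: Cache-Control headers on request and response, plus a timestamp query parameter for caches that ignore the headers. The following is an added example written for this page, not Tailscale's probe code; the endpoint path `/probe`, the expected body, the parameter name `t` and the exact header values are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"time"
)

// probeBody is the exact body the client expects; a captive portal or a
// transforming cache would return something else. Assumed value.
const probeBody = "captive-portal-probe-ok"

// probeHandler is the assumed server side. It instructs caches not to store,
// reuse or transform the response.
func probeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, no-transform")
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	io.WriteString(w, probeBody)
}

// newProbeRequest builds the client side: a Cache-Control request header plus
// a timestamp parameter so the URL differs on every probe, which defeats
// caches that do not honour the header.
func newProbeRequest(base string, now time.Time) (*http.Request, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	q.Set("t", strconv.FormatInt(now.Unix(), 10))
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Cache-Control", "no-cache")
	return req, nil
}

// probe returns true only when the server answered 200 with exactly probeBody.
// Any other status or body (login page, cached/transformed copy) reports false.
func probe(client *http.Client, base string, now time.Time) (bool, error) {
	req, err := newProbeRequest(base, now)
	if err != nil {
		return false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK && string(body) == probeBody, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(probeHandler))
	defer srv.Close()
	ok, err := probe(srv.Client(), srv.URL+"/probe", time.Now())
	fmt.Println(ok, err)
}
```

The detection check is deliberately strict: the client treats anything other than the exact expected body as "not reachable as intended", so a cache handing back a stale or rewritten copy is caught rather than misread as connectivity.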
Updates tailscale#14881 Change-Id: I708d29244fe901ab037203a5d7c2cae3c77e4c78 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Many places that need to work with node/peer capabilities end up with a something-View and need to either reimplement the helper code or make an expensive copy. We have the machinery to easily handle this now. Updates #cleanup Change-Id: Ic3f55be329f0fc6c178de26b34359d0e8c6ca5fc Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
Without adding this, the packet filter rejects traffic to VIP service addresses before checking the filters sent in the netmap. Fixes tailscale/corp#26241 Change-Id: Idd54448048e9b786cf4873fd33b3b21e03d3ad4c Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
We once again have a report of a panic from ParseRIB. This panic guard should probably remain permanent. Updates tailscale#14201 This reverts commit de9d4b2. Signed-off-by: James Tucker <james@tailscale.com>
) Updates tailscale/corp#26316 Signed-off-by: Jordan Whited <jordan@tailscale.com>
This change:
- reinstates the HA Ingress controller that was disabled for 1.80 release
- fixes the API calls to manage VIPServices as the API was changed
- triggers the HA Ingress reconciler on ProxyGroup changes
Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
… ipnserver to ipnauth In this PR, we move the code that checks the AlwaysOn policy from ipnserver.actor to ipnauth. It is intended to be used by ipnauth.Actor implementations, and we temporarily make it exported while these implementations reside in ipnserver and in corp. We'll unexport it later. We also update [ipnauth.Actor.CheckProfileAccess] to accept an auditLogger, which is called to write details about the action to the audit log when required by the policy, and update LocalBackend.EditPrefsAs to use an auditLogger that writes to the regular backend log. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…14903) Updates tailscale/corp#26342 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
…t localapi handlers With tailscale#14843 merged, (*localapi.Handler).servePrefs() now requires a non-nil actor, and other places may soon require it as well. In this PR, we update localapi.NewHandler with a new required parameter for the actor. We then update tsnet to use ipnauth.Self. We also rearrange the code in (*ipnserver.Server).serveHTTP() to pass the actor via Handler's constructor instead of the field. Updates tailscale#14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
When running via tsnet, c2n will be hooked up so requests to update can reach the node. But it will then apply whatever OS-specific update function, upgrading the local tailscaled instead. We can't update tsnet automatically, so refuse it. Fixes tailscale#14892 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Add setec secret support for derper. Support dev mode via env var, and setec via secrets URL. For backwards compatibility use setec load from file also. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
A previous PR accidentally logged the key as part of an error. Remove logging of the key. Add log print for Setec store setup. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
Shells on FreeBSD don't support the -l option. This means that when handling SSH in-process, we can't give the user a login shell, but this change at least allows connecting at all. Updates tailscale#13338 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Updates tailscale#13338 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Something I accidentally added in tailscale#14217. It doesn't seem to impact Intune or the Administrative Templates MMC extension, but it should still be fixed. Updates #cleanup Signed-off-by: Nick Khyl <nickk@tailscale.com>
I noticed logs on one of my machines where it can't auto-update with scary log spam about "failed to apply tailnet-wide default for auto-updates". This avoids trying to do the EditPrefs if we know it's just going to fail anyway. Updates tailscale#282 Change-Id: Ib7db3b122185faa70efe08b60ebd05a6094eed8c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
To let you easily run multiple tailscaled instances for development and let you route CLI commands to the right one. Updates tailscale#15145 Change-Id: I06b6a7bf024f341c204f30705b4c3068ac89b1a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Baby step towards tailscale#15408. Updates tailscale#15408 Change-Id: I11fca6e677af2ad2f065d83aa0d83550143bff29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Currently nobody calls SetTailscaleInterfaceName yet, so this is a no-op. I checked oss, android, and the macOS/iOS client. Nobody calls this, or ever did. But I want to in the future. Updates tailscale#15408 Updates tailscale#9040 Change-Id: I05dfabe505174f9067b929e91c6e0d8bc42628d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
These tests aren't perfect, nor is this complete coverage, but this is a set of coverage that is at least stable. Updates tailscale#15367 Signed-off-by: James Tucker <james@tailscale.com>
Only send a stored raw map message in reply to a streaming map response. Otherwise a non-streaming map response might pick it up first, and potentially drop it. This guarantees that a map response sent via AddRawMapResponse will be picked up by the main map response loop in the client. Fixes tailscale#15362 Signed-off-by: James Sanderson <jsanderson@tailscale.com>
On Windows and Android, peerAPIListeners may be initialized after a link change. This commit adds log statements to make it easier to trace this flow. Updates tailscale#14393 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Add a label which differentiates the address family for STUN checks. Also initialize the derpprobe_attempts_total and derpprobe_seconds_total metrics by adding 0 for the alternate fail/ok case. Updates tailscale/corp#27249 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
…ale#15421) fixes tailscale#15394 In the current iteration, usage of the memstore for the audit logger is expected on some platforms. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
Minimal mitigation that doesn't do the full refactor that's probably warranted. Updates tailscale#15402 Change-Id: I79fd91de0e0661d25398f7d95563982ed1d11561 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
When compiled into TailscaleKit.framework (via the libtailscale repository), os.Executable() returns an error instead of the name of the executable. This commit adds another branch to the switch statement that enumerates platforms which behave in this manner, and defaults to "tsnet" in the same manner as those other platforms. Fixes tailscale#15410. Signed-off-by: James Nugent <james@jen20.com>
…ode (tailscale#15417) ipn/store/kubestore: skip cache for the write replica in cert share mode This is to avoid issues where stale cache after Ingress recreation causes the certs not to be re-issued. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
…IPService (tailscale#15427) cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService
- Ensures that Ingress status does not advertise port 443 before TLS cert has been issued
- Ensures that Ingress backends do not advertise a VIPService before TLS cert has been issued, unless the service also exposes port 80
Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Bumps Alpine 3.18 -> 3.19. Alpine 3.19 links iptables to nftables-based implementation that can break hosts that don't support nftables. Link iptables back to the legacy implementation till we have some certainty that changing to nftables based implementation will not break existing setups. Updates tailscale#15328 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This is a very dumb fix as it has an unbounded worst case runtime. IP allocation needs to be done in a more sane way in a follow-up. Updates tailscale#15367 Signed-off-by: James Tucker <james@tailscale.com>
We now have a tailscale/alpine-base:3.19; use that as the default base image. Updates tailscale#15328 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
…se (tailscale#15433) Temporarily make sure that the HA Ingress reconciler does not run, as we do not want to release this to stable just yet. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Signed-off-by: kari-ts <kari@tailscale.com>
…5613) (tailscale#15632) Updates tailscale#13452 Signed-off-by: kari-ts <kari@tailscale.com> (cherry picked from commit 6fb5e3b)
Signed-off-by: kari-ts <kari@tailscale.com>
Signed-off-by: kari-ts <kari@tailscale.com>
Signed-off-by: kari-ts <kari@tailscale.com>
…ailscale#15493) fixes tailscale/corp#27506 The source address link selection on sandboxed macOS doesn't deal with loopback addresses correctly. This adds an explicit check to ensure we return the loopback interface for loopback addresses instead of the default empty interface. Specifically, this allows the dns resolver to route queries to a loopback IP which is a common tactic for local DNS proxies. Tested on both macos, macsys and tailscaled. Forwarded requests to 127/8 all bound to lo0. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
[G,S]etWindowLongPtrW are not available on 32-bit Windows, where [G,S]etWindowLongW should be used instead. The initial revision of tailscale#14945 imported the win package for calling and other Win32 API functions, which exported the correct API depending on the platform. However, the same logic wasn't implemented when we removed the win package dependency in a later revision, resulting in panics on Windows 10 x86 (there's no 32-bit Windows 11). In this PR, we update the ipn/desktop package to use either [G,S]etWindowLongPtrW or [G,S]etWindowLongW depending on the platform. Fixes tailscale#15684 Signed-off-by: Nick Khyl <nickk@tailscale.com> (cherry picked from commit 60614fa)
…scale#15709) Cherry-picked from 62182fc. Updates google/gvisor#11632 Updates tailscale/corp#27717 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Signed-off-by: kari-ts <kari@tailscale.com>
aanthonyrizzo
approved these changes
Apr 22, 2025
https://tailscale.com/changelog#2025-03-26
https://tailscale.com/changelog#2025-04-17