forked from tailscale/tailscale
feat(ci): bump to upstream 1.72 #9
Merged
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Fixes tailscale#12842 Signed-off-by: Cameron Stokes <cameron@cameronstokes.com>
Fixes tailscale/corp#21448 Change-Id: Id60fb5cd7d31ef94cdbb176141e034845a480a00 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
... and then do approximately nothing with that information, other than a big TODO. This is mostly me relearning this code and leaving breadcrumbs for others in the future. Updates tailscale#12724 Signed-off-by: Brad Fitzpatrick <brad@danga.com>
With this change, the error handling and request logging are all done in defers after calling inner.ServeHTTP. This ensures that any recovered values which we want to re-panic with retain a useful stacktrace. However, we now only re-panic from errorHandler when there's no outside logHandler. Which if you're using StdHandler there always is. We prefer this to ensure that we are able to write a 500 Internal Server Error to the client. If a panic hits http.Server then the response is not sent back. Updates tailscale#12784 Signed-off-by: Paul Scott <paul@tailscale.com>
And justify its legacy name. Updates tailscale#1931 Change-Id: I3eff043679bf8f046aed6e2c4fb7592fe2e66514 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Windows requires routes to have a nexthop. Routes created using the interface's local IP address or an unspecified IP address ("0.0.0.0" or "::") as the nexthop are considered on-link routes. Notably, Windows treats on-link subnet routes differently, reserving the last IP in the range as the broadcast IP and therefore prohibiting TCP connections to it, resulting in WSA error 10049: "The requested address is not valid in its context." This does not happen with single-host routes, such as routes to Tailscale IP addresses, but becomes a problem with advertised subnets when all IPs in the range should be reachable. Before Windows 8, only routes created with an unspecified IP address were considered on-link, so our previous approach of using the interface's own IP as the nexthop likely worked on Windows 7. This PR updates configureInterface to use the TailscaleServiceIP (100.100.100.100) and its IPv6 counterpart as the nexthop for subnet routes. Fixes tailscale/support-escalations#57 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Bump node version to latest lts on the 18.x line which is 18.20.4 at the time of writing. Updates tailscale/corp#21741 Signed-off-by: Mario Minardi <mario@tailscale.com>
Updates tailscale/corp#19681 Change-Id: I6d396780b058ff0fbea0e9e53100f04ef3b76339 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
Fixes tailscale#12860 Signed-off-by: Paul Scott <paul@tailscale.com>
…cy (tailscale#12862) Remove fybrik.io/crdoc dependency as it is causing issues for folks attempting to vendor tailscale using GOPROXY=direct. This means that the CRD API docs in ./k8s-operator/api.md will no longer be generated- I am going to look at replacing it with another tool in a follow-up. Updates tailscale#12859 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Fixes tailscale#12857 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>
…#12822) Some users run "tailscale cert" in a cron job to renew their certificates on disk. The time until the next cron job run may be long enough for the old cert to expire with our default heuristics. Add a `--min-validity` flag which ensures that the returned cert is valid for at least the provided duration (unless it's longer than the cert lifetime set by Let's Encrypt). Updates tailscale#8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
…container types This adds support for container-like types such as Container[T] that don't explicitly specify a view type for T. Instead, a package implementing a container type should also implement and export a ContainerView[T, V] type and a ContainerViewOf(*Container[T]) ContainerView[T, V] function, which returns a view for the specified container, inferring the element view type V from the element type T. Updates tailscale#12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Updates tailscale#12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
…tions The standard library includes these for strings and byte slices, but it lacks similar functions for generic slices of comparable types. Although they are not as commonly used, these functions are useful in scenarios such as working with field index sequences (i.e., []int) via reflection. Updates tailscale#12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
It is sometimes necessary to change a global lazy.SyncValue for the duration of a test. This PR adds a (*SyncValue[T]).SetForTest method to facilitate that. Updates tailscale#12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
…caled configfile (tailscale#12882) wgengine/magicsock,ipn: allow setting static node endpoints via tailscaled config file. Adds a new StaticEndpoints field to tailscaled config that can be used to statically configure the endpoints that the node advertises. This field will replace TS_DEBUG_PRETENDPOINTS env var that can be used to achieve the same. Additionally adds some functionality that ensures that endpoints are updated when configfile is reloaded. Also, refactor configuring/reconfiguring components to use the same functionality when configfile is parsed the first time or subsequent times (after reload). Previously a configfile reload did not result in resetting of prefs. Now it does- but does not yet tell the relevant components to consume the new prefs. This is to be done in a follow-up. Updates tailscale#12578 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Updates tailscale#12141 Signed-off-by: Paul Scott <paul@tailscale.com>
…fore SetForTest Updates tailscale#12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…le#12907) Fixes tailscale#12909 Signed-off-by: Paul Scott <paul@tailscale.com>
Updates #cleanup Change-Id: I66878b08a75d44170460cbf33c895277c187bd8d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#1634 This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting. ipn/ipnlocal: fix captive portal loop shutdown Change-Id: I7cafdbce68463a16260091bcec1741501a070c95 net/captivedetection: fix mutex misuse ipn/ipnlocal: ensure that we don't fail to start the timer Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/corp#21949 As discussed with @raggi, this PR updates the static DERPMap embedded in the client to reflect the availability of HTTP on the DERP servers run by Tailscale. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Remove the restriction that getent is skipped on non-Linux unixes. Improve validation of the parsed output from getent, in case unknown systems return unusable information. Fixes tailscale#12730. Signed-off-by: Ross Williams <ross@ross-williams.net>
… CRD API docs (tailscale#12884) Re-instates the functionality that generates CRD API docs, but using a different library as the one we were using earlier seemed to have some issues with its Git history. Also regenerates the docs (make kube-generate-all). Updates tailscale#12859 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Allows the use of tsweb.LogHandler exclusively for callbacks describing the handler HTTP requests. Fixes tailscale#12837 Signed-off-by: Paul Scott <paul@tailscale.com>
…ailssh: refactor session recording functionality (tailscale#12945) cmd/k8s-operator,k8s-operator/sessionrecording,sessionrecording,ssh/tailssh: refactor session recording functionality Refactor SSH session recording functionality (mostly the bits related to Kubernetes API server proxy 'kubectl exec' session recording): - move the session recording bits used by both Tailscale SSH and the Kubernetes API server proxy into a shared sessionrecording package, to avoid having the operator to import ssh/tailssh - move the Kubernetes API server proxy session recording functionality into a k8s-operator/sessionrecording package, add some abstractions in preparation for adding support for a second streaming protocol (WebSockets) Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
…le#13057) * cmd/k8s-operator: fix DNS reconciler for dual-stack clusters This fixes a bug where DNS reconciler logic was always assuming that no more than one EndpointSlice exists for a Service. In fact, there can be multiple, for example, in dual-stack clusters, but also in other cases this is valid (as per kube docs). This PR: - allows for multiple EndpointSlices - picks out the ones for IPv4 family - deduplicates addresses Updates tailscale#13056 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
The change in b7e4805 was too loose; it also captured the CLI being run as a child process under cmd/tta. Updates tailscale#13038 Updates tailscale#1866 Change-Id: Id410b87132938dd38ed4dd3959473c5d0d242ff5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
The heartbeat package does nothing if not configured anyway, so don't even put it in the image and pay the cost of it running. Updates tailscale#13038 Updates tailscale#1866 Change-Id: Id22c0fb1f8395ad21ab0e0350973d31730e8d39f
Updates tailscale#13038 Change-Id: I36cde97b74e4a675b6c0f3be30f817bccdbe8715
No need to print all the internal fields. We only care about the BackendState. Updates tailscale#13038 Change-Id: Iaa0e47ade3c6d30e1887ab1e2a7412ed4e0dab7d
84adfa1 made MAC addresses 1-based too, but didn't adjust this IP address calculation which was based on the MAC address Updates tailscale#13038 Change-Id: Idc112b303b0b85f41fe51fd61ce1c0d8a3f0f57e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It's too new to be supported in Debian bookworm so just remove it. It doesn't seem to matter or help speed anything up. Updates tailscale#13038 Change-Id: I39077ba8032bebecd75209552b88f1842c843c33 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
... rather than abusing the generic tsapp. Per discussion in gokrazy/gokrazy#275 It also means we can remove stuff we don't need, like ntp or randomd. Updates tailscale#13038 Change-Id: Iccf579c354bd3b5025d05fa1128e32f1d5bde4e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This latest version allows for building on various OpenBSD architectures. (such as openbsd/riscv64) Updates tailscale#8043 Change-Id: Ie9a8738e6aa96335214d5750e090db35e526a4a4 Signed-off-by: Aaron Bieber <aaron@bolddaemon.com>
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
…12899) Add functionality to optionally serve a health check endpoint (off by default). Users can enable health check endpoint by setting TS_HEALTHCHECK_ADDR_PORT to [<addr>]:<port>. Containerboot will then serve an unauthenticated HTTP health check at /healthz at that address. The health check returns 200 OK if the node has at least one tailnet IP address, else returns 503. Updates tailscale#12898 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Signed-off-by: cai.li <cai.li@qingteng.cn>
Fixes tailscale/corp#22356 Change-Id: I959efae716a22bcf582c20d261fb1b57bacf6dd9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…ectl exec sessions over WebSockets (tailscale#12947) cmd/k8s-operator,k8s-operator/sessionrecording: support recording WebSocket sessions Kubernetes currently supports two streaming protocols, SPDY and WebSockets. WebSockets are replacing SPDY, see kubernetes/enhancements#4006. We were currently only supporting SPDY, erroring out if session was not SPDY and relying on the kube's built-in SPDY fallback. This PR: - adds support for parsing contents of 'kubectl exec' sessions streamed over WebSockets - adds logic to distinguish 'kubectl exec' requests for a SPDY/WebSockets sessions and call the relevant handler Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
….Flush() This prevents two things: 1. Crashing if there's no response body 2. Sending a nonsensical 0 response status code Updates tailscale/corp#22357 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Updates tailscale#10976 Change-Id: I86d30151a25c7d42ed36e273fb207873f4acfdb4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
A SIGSEGV was observed around packet merging logic in gVisor's GRO package. Updates tailscale/corp#22353 Signed-off-by: Jordan Whited <jordan@tailscale.com>
This PR modifies viewTypeForContainerType to use the last type parameter of a container type as the value type, enabling the implementation of map-like container types where the second-to-last (usually first) type parameter serves as the key type. It also adds a MapContainer type to test the code generation. Updates tailscale#12736 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…bsocket Coder has just adopted nhooyr/websocket which unfortunately changes the import path. `github.com/coder/coder` imports `tailscale.com/net/wsconn` which was still pointing to `nhooyr.io/websocket`, but this change updates it. See https://coder.com/blog/websocket Updates tailscale#13154 Change-Id: I3dec6512472b14eae337ae22c5bcc1e3758888d5 Signed-off-by: Kyle Carberry <kyle@carberry.com>
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
By default, Windows sets the SIO_UDP_CONNRESET and SIO_UDP_NETRESET options on created UDP sockets. These behaviours make the UDP socket ICMP-aware; when the system gets an ICMP message (e.g. an "ICMP Port Unreachable" message, in the case of SIO_UDP_CONNRESET), it will cause the underlying UDP socket to throw an error. Confusingly, this can occur even on reads, if the same UDP socket is used to write a packet that triggers this response. The Go runtime disabled the SIO_UDP_CONNRESET behavior in 3114bd6, but did not change SIO_UDP_NETRESET–probably because that socket option isn't documented particularly well. Various other networking code seem to disable this behaviour, such as the Godot game engine (godotengine/godot#22332) and the Eclipse TCF agent (link below). Others appear to work around this by ignoring the error returned (anacrolix/dht#16, among others). For now, until it's clear whether this ends up in the upstream Go implementation or not, let's also disable the SIO_UDP_NETRESET in a similar manner to SIO_UDP_CONNRESET. Eclipse TCF agent: https://gitlab.eclipse.org/eclipse/tcf/tcf.agent/-/blob/master/agent/tcf/framework/mdep.c Updates tailscale#10976 Updates golang/go#68614 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I70a2f19855f8dec1bfb82e63f6d14fc4a22ed5c3
Updates tailscale/corp#14881 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
…ilscale#13161) In a93dc6c tryUpgradeToBatchingConn() moved to build tag gated files, but the runtime.GOOS condition excluding Android was removed unintentionally from batching_conn_linux.go. Add it back. Updates tailscale/corp#22348 Signed-off-by: Jordan Whited <jordan@tailscale.com>
`DNS unavailable` was marked as a high severity warning. On Android (and other platforms), these trigger a system notification. Here we reduce the severity level to medium. A medium severity warning will still display the warning icon on platforms with a tray icon because of the `ImpactsConnectivity=true` flag being set here, but it won't show a notification anymore. If people enter an area with bad cellular reception, they're bound to receive so many of these notifications and we need to reduce notification fatigue. Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
Some machines have multiple network interfaces with the same MAC address. Updates tailscale/corp#21371 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
https://github.com/tailscale/tailscale/releases/tag/v1.72.0