From b8aad5451daa24c8eeac9ab52c92b42542078675 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Tue, 15 Mar 2022 13:22:25 +0100 Subject: [PATCH 01/44] Make STUN run by default when embedded DERP is enabled This commit also allows to set an external STUN server, while running the embedded DERP server (without embedded STUN) --- app.go | 5 +++++ cmd/headscale/cli/utils.go | 3 +++ config-example.yaml | 7 +++++-- derp_server.go | 18 ++++++++---------- 4 files changed, 21 insertions(+), 12 deletions(-) diff --git a/app.go b/app.go index f1426bbb..177c3ee1 100644 --- a/app.go +++ b/app.go @@ -62,6 +62,7 @@ const ( errUnsupportedLetsEncryptChallengeType = Error( "unknown value for Lets Encrypt challenge type", ) + errSTUNAddressNotSet = Error("STUN address not set") DisabledClientAuth = "disabled" RelaxedClientAuth = "relaxed" @@ -502,6 +503,10 @@ func (h *Headscale) Serve() error { h.DERPMap = GetDERPMap(h.cfg.DERP) if h.cfg.DERP.ServerEnabled { + if h.cfg.DERP.STUNAddr == "" { // When embedded DERP is enabled we always need a STUN server address, embedded or external + return errSTUNAddressNotSet + } + h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region if h.cfg.DERP.STUNEnabled { go h.ServeSTUN() diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go index dc7a4e9f..eb26a835 100644 --- a/cmd/headscale/cli/utils.go +++ b/cmd/headscale/cli/utils.go @@ -55,6 +55,9 @@ func LoadConfig(path string) error { viper.SetDefault("dns_config", nil) + viper.SetDefault("derp.server.enabled", false) + viper.SetDefault("derp.server.stun.enabled", true) + viper.SetDefault("unix_socket", "/var/run/headscale.sock") viper.SetDefault("unix_socket_permission", "0o770") diff --git a/config-example.yaml b/config-example.yaml index 2075e69a..31d7a8aa 100644 --- a/config-example.yaml +++ b/config-example.yaml 
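Review bot: The new guard in Serve only rejects an empty STUNAddr; a value that is not host:port passes here and only fails later when generateRegionLocalDERP calls net.SplitHostPort on it (derp_server.go in this same patch), so the error surfaces far from the setting that caused it. If net and fmt are in scope in app.go, `if _, _, err := net.SplitHostPort(h.cfg.DERP.STUNAddr); err != nil { return fmt.Errorf("derp.server.stun.listen_addr: %w", err) }` fails fast and names the offending key; otherwise keep the empty check and add `// format is validated in generateRegionLocalDERP`. The matching utils.go hunk defaults derp.server.stun.enabled to true but registers no default for derp.server.stun.listen_addr, so a config that enables the embedded DERP server without that key lands on this error path. Serve starts and ends outside the hunk.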
@@ -69,10 +69,13 @@ derp: region_code: "headscale" region_name: "Headscale Embedded DERP" - # If enabled, also listens in UDP at the configured address for STUN connections to help on NAT traversal + # Enabled by default when embedded DERP is enabled. Listens in UDP at the configured address for STUN connections + # to help on NAT traversal. + # If DERP is enabled, but STUN is disabled you still need to input an external STUN server in the listen_addr field. + # # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ stun: - enabled: false + enabled: true listen_addr: "0.0.0.0:3478" # List of externally available DERP maps encoded in JSON diff --git a/derp_server.go b/derp_server.go index 11e3eb14..6580419e 100644 --- a/derp_server.go +++ b/derp_server.go @@ -77,17 +77,15 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) { }, } - if h.cfg.DERP.STUNEnabled { - _, portStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr) - if err != nil { - return tailcfg.DERPRegion{}, err - } - port, err := strconv.Atoi(portStr) - if err != nil { - return tailcfg.DERPRegion{}, err - } - localDERPregion.Nodes[0].STUNPort = port + _, portSTUNStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr) + if err != nil { + return tailcfg.DERPRegion{}, err } + portSTUN, err := strconv.Atoi(portSTUNStr) + if err != nil { + return tailcfg.DERPRegion{}, err + } + localDERPregion.Nodes[0].STUNPort = portSTUN return localDERPregion, nil } From 98ac88d5ef5d94fca6da47600d031f10e6833d62 Mon Sep 17 00:00:00 2001 From: Juan Font Date: Wed, 16 Mar 2022 18:45:34 +0100 Subject: [PATCH 02/44] Changed comment position Co-authored-by: Kristoffer Dalby --- app.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app.go b/app.go index 0e10b3fb..aad41a20 100644 --- a/app.go +++ b/app.go 
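Review bot: generateRegionLocalDERP now reads only the port from STUNAddr and discards the host, so the "external STUN server in the listen_addr field" option that the config-example hunk describes is not expressed in the advertised region: the hunk sets only STUNPort on Nodes[0], so clients presumably contact STUN on the DERP node's own host at that port, not on the external server. Either document that only the port is used, `// only the port is advertised; STUN is expected on the DERP node's own host`, or give the external-server case its own field and node entry. Because the parse is no longer behind STUNEnabled, an empty STUNAddr now makes this function return a SplitHostPort error; that is fine if it is only reached when the embedded DERP server is enabled, which the hunk does not show. The function starts outside the hunk.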
@@ -501,7 +501,8 @@ func (h *Headscale) Serve() error { h.DERPMap = GetDERPMap(h.cfg.DERP) if h.cfg.DERP.ServerEnabled { - if h.cfg.DERP.STUNAddr == "" { // When embedded DERP is enabled we always need a STUN server address, embedded or external + // When embedded DERP is enabled we always need a STUN server address, embedded or external + if h.cfg.DERP.STUNAddr == "" { return errSTUNAddressNotSet } From 8f5875efe4267ad859fae5e1afc21581856dc6af Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Wed, 16 Mar 2022 19:46:59 +0100 Subject: [PATCH 03/44] Reorg errors --- app.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/app.go b/app.go index aad41a20..9f270108 100644 --- a/app.go +++ b/app.go @@ -47,6 +47,14 @@ import ( "tailscale.com/types/key" ) +const ( + errSTUNAddressNotSet = Error("STUN address not set") + errUnsupportedDatabase = Error("unsupported DB") + errUnsupportedLetsEncryptChallengeType = Error( + "unknown value for Lets Encrypt challenge type", + ) +) + const ( AuthPrefix = "Bearer " Postgres = "postgres" @@ -58,12 +66,6 @@ const ( registerCacheExpiration = time.Minute * 15 registerCacheCleanup = time.Minute * 20 - errUnsupportedDatabase = Error("unsupported DB") - errUnsupportedLetsEncryptChallengeType = Error( - "unknown value for Lets Encrypt challenge type", - ) - errSTUNAddressNotSet = Error("STUN address not set") - DisabledClientAuth = "disabled" RelaxedClientAuth = "relaxed" EnforcedClientAuth = "enforced" From b781446e860254558e189eb6ad1536da385ffd57 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Thu, 17 Mar 2022 17:43:11 +0000 Subject: [PATCH 04/44] Upgrade to go 1.18 --- .github/workflows/build.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test-integration.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.alpine | 2 +- Dockerfile.debug | 2 +- go.mod | 4 ++-- 8 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 37423c38..46fcd375 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,7 +31,7 @@ jobs: if: steps.changed-files.outputs.any_changed == 'true' uses: actions/setup-go@v2 with: - go-version: "1.17.7" + go-version: "1.18.0" - name: Install dependencies if: steps.changed-files.outputs.any_changed == 'true' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8999f7bf..140ea0b0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.17.7 + go-version: 1.18.0 - name: Install dependencies run: | diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml index b8fd85a6..c5910233 100644 --- a/.github/workflows/test-integration.yml +++ b/.github/workflows/test-integration.yml @@ -25,7 +25,7 @@ jobs: if: steps.changed-files.outputs.any_changed == 'true' uses: actions/setup-go@v2 with: - go-version: "1.17.7" + go-version: "1.18.0" - name: Run Integration tests if: steps.changed-files.outputs.any_changed == 'true' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 663220be..a3306768 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,7 +25,7 @@ jobs: if: steps.changed-files.outputs.any_changed == 'true' uses: actions/setup-go@v2 with: - go-version: "1.17.7" + go-version: "1.18.0" - name: Install dependencies if: steps.changed-files.outputs.any_changed == 'true' diff --git a/Dockerfile b/Dockerfile index 3ab9c1d1..8d53f6d9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Builder image -FROM docker.io/golang:1.17.8-bullseye AS build +FROM docker.io/golang:1.18.0-bullseye AS build ENV GOPATH /go WORKDIR /go/src/headscale diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 1f0d6353..45fa171d 100644 --- a/Dockerfile.alpine 
+++ b/Dockerfile.alpine @@ -1,5 +1,5 @@ # Builder image -FROM docker.io/golang:1.17.8-alpine AS build +FROM docker.io/golang:1.18.0-alpine AS build ENV GOPATH /go WORKDIR /go/src/headscale diff --git a/Dockerfile.debug b/Dockerfile.debug index e73c0647..91fe2893 100644 --- a/Dockerfile.debug +++ b/Dockerfile.debug @@ -1,5 +1,5 @@ # Builder image -FROM docker.io/golang:1.17.8-bullseye AS build +FROM docker.io/golang:1.18.0-bullseye AS build ENV GOPATH /go WORKDIR /go/src/headscale diff --git a/go.mod b/go.mod index 1ec291c3..e072eb26 100644 --- a/go.mod +++ b/go.mod @@ -1,9 +1,10 @@ module github.com/juanfont/headscale -go 1.17 +go 1.18 require ( github.com/AlecAivazis/survey/v2 v2.3.2 + github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 github.com/coreos/go-oidc/v3 v3.1.0 github.com/efekarakus/termcolor v1.0.1 github.com/fatih/set v0.2.1 @@ -49,7 +50,6 @@ require ( github.com/akutz/memconn v0.1.0 // indirect github.com/atomicgo/cursor v0.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 // indirect github.com/cenkalti/backoff/v4 v4.1.2 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/containerd/continuity v0.2.2 // indirect From 61ebb713f298564db76c43ef14046ed5d0b597ab Mon Sep 17 00:00:00 2001 From: Adrien Raffin-Caboisse Date: Fri, 18 Mar 2022 09:32:07 +0100 Subject: [PATCH 05/44] fix(oidc): Reset expiry for reauthentication The previous code resetted the expiry time to be expired. So the machine was never reauthenticated --- oidc.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/oidc.go b/oidc.go index 29ce351f..65e2807f 100644 --- a/oidc.go +++ b/oidc.go @@ -10,6 +10,7 @@ import ( "html/template" "net/http" "strings" + "time" "github.com/coreos/go-oidc/v3/oidc" "github.com/gin-gonic/gin" 
@@ -229,7 +230,7 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) { Str("machine", machine.Name). Msg("machine already registered, reauthenticating") - h.RefreshMachine(machine, *machine.Expiry) + h.RefreshMachine(machine, time.Time{}) var content bytes.Buffer if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{ From 882c0c34c11596e2442a4fb4ab2034323d437215 Mon Sep 17 00:00:00 2001 From: Adrien Raffin-Caboisse Date: Fri, 18 Mar 2022 09:34:18 +0100 Subject: [PATCH 06/44] chore(changelog): update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ce0c35b..6c943940 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ - Fix a limitation in the ACLs that prevented users to write rules with `*` as source [#374](https://github.com/juanfont/headscale/issues/374) - Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine [#371](https://github.com/juanfont/headscale/pull/371) - Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations [#363](https://github.com/juanfont/headscale/issues/363) +- Fix a bug that prevented the use of `tailscale logout` with OIDC [#508](https://github.com/juanfont/headscale/issues/508) ## 0.14.0 (2022-02-24) From 2e04abf4bb1f75d81726f04dc8ab5fc39ed4d183 Mon Sep 17 00:00:00 2001 From: Adrien Raffin-Caboisse Date: Fri, 18 Mar 2022 09:40:12 +0100 Subject: [PATCH 07/44] feat(oidc): add debug log --- oidc.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/oidc.go b/oidc.go index 29ce351f..e9f9d302 100644 --- a/oidc.go +++ b/oidc.go @@ -129,6 +129,10 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) { oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code) if err != nil { + log.Error(). + Err(err). + Caller(). + Msg("Could not exchange code for token") ctx.String(http.StatusBadRequest, "Could not exchange code for token") return 
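Review bot: On re-authentication the machine's expiry is now the zero time.Time rather than a value derived from the identity provider's token (`oauth2Token.Expiry` is available earlier in OIDCCallback) or from the server's key-expiry policy; if RefreshMachine and the node map treat a zero Expiry as "never expires", a second OIDC login silently removes key expiry for that machine, which is the opposite failure mode from the one this commit fixes. Please state the intended semantics in a comment on the call, e.g. `// zero expiry is deliberate: see RefreshMachine for how a zero value is treated`, and if an open-ended expiry is not the intent pass an explicit one. OIDCCallback starts and ends outside the hunk.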
From 2e6687209bd3334f96e1d105375085966beda808 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Fri, 18 Mar 2022 12:58:00 +0100 Subject: [PATCH 08/44] Make STUN server mandatory if DERP embedded is enabled --- cmd/headscale/cli/utils.go | 8 +++++--- config-example.yaml | 10 ++++------ integration_test/etc_embedded_derp/config.yaml | 5 ++--- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go index eb26a835..768a9713 100644 --- a/cmd/headscale/cli/utils.go +++ b/cmd/headscale/cli/utils.go @@ -124,8 +124,11 @@ func GetDERPConfig() headscale.DERPConfig { serverRegionID := viper.GetInt("derp.server.region_id") serverRegionCode := viper.GetString("derp.server.region_code") serverRegionName := viper.GetString("derp.server.region_name") - stunEnabled := viper.GetBool("derp.server.stun.enabled") - stunAddr := viper.GetString("derp.server.stun.listen_addr") + stunAddr := viper.GetString("derp.server.stun_listen_addr") + + if serverEnabled && stunAddr == "" { + log.Fatal().Msg("derp.server.stun_listen_addr must be set if derp.server.enabled is true") + } urlStrs := viper.GetStringSlice("derp.urls") @@ -152,7 +155,6 @@ func GetDERPConfig() headscale.DERPConfig { ServerRegionID: serverRegionID, ServerRegionCode: serverRegionCode, ServerRegionName: serverRegionName, - STUNEnabled: stunEnabled, STUNAddr: stunAddr, URLs: urls, Paths: paths, diff --git a/config-example.yaml b/config-example.yaml index 31d7a8aa..430b82c5 100644 --- a/config-example.yaml +++ b/config-example.yaml 
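Review bot: The hunk renames the key to derp.server.stun_listen_addr and drops the read of derp.server.stun.enabled, but LoadConfig still carries `viper.SetDefault("derp.server.stun.enabled", true)` from the first patch in this series and no default is registered for the new key; the stale default should go, and if a default listen address is intended `viper.SetDefault("derp.server.stun_listen_addr", "0.0.0.0:3478")` belongs next to the other derp.server defaults. The `log.Fatal()` also means GetDERPConfig cannot be exercised in a test with an invalid config and exits before Serve's own errSTUNAddressNotSet check is ever reached, so the two layers now enforce the same invariant; returning an error would be cleaner but changes the signature, so at least one of the two checks should be dropped. The check only tests for an empty string, so a malformed value still passes until net.SplitHostPort fails later. serverEnabled is assigned outside the hunk, as is the start of GetDERPConfig.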
@@ -69,14 +69,12 @@ derp: region_code: "headscale" region_name: "Headscale Embedded DERP" - # Enabled by default when embedded DERP is enabled. Listens in UDP at the configured address for STUN connections - # to help on NAT traversal. - # If DERP is enabled, but STUN is disabled you still need to input an external STUN server in the listen_addr field. + + # Listens in UDP at the configured address for STUN connections to help on NAT traversal. + # When the embedded DERP server is enabled stun_listen_addr MUST be defined. # # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ - stun: - enabled: true - listen_addr: "0.0.0.0:3478" + stun_listen_addr: "0.0.0.0:3478" # List of externally available DERP maps encoded in JSON urls: diff --git a/integration_test/etc_embedded_derp/config.yaml b/integration_test/etc_embedded_derp/config.yaml index 1531d347..a8b57af5 100644 --- a/integration_test/etc_embedded_derp/config.yaml +++ b/integration_test/etc_embedded_derp/config.yaml @@ -24,6 +24,5 @@ derp: region_id: 999 region_code: "headscale" region_name: "Headscale Embedded DERP" - stun: - enabled: true - listen_addr: "0.0.0.0:3478" + + stun_listen_addr: "0.0.0.0:3478" From d5ce7d752315cf31520052b67c182f25872a3ec1 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Fri, 18 Mar 2022 13:09:57 +0100 Subject: [PATCH 09/44] Prettier --- config-example.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/config-example.yaml b/config-example.yaml index 430b82c5..dee25cb3 100644 --- a/config-example.yaml +++ b/config-example.yaml @@ -69,7 +69,6 @@ derp: region_code: "headscale" region_name: "Headscale Embedded DERP" - # Listens in UDP at the configured address for STUN connections to help on NAT traversal. # When the embedded DERP server is enabled stun_listen_addr MUST be defined. # From db9ba17920ca3eeea306b8f82fc121403e4f3c29 Mon Sep 17 00:00:00 2001 
From: Juan Font Alonso Date: Fri, 18 Mar 2022 13:10:35 +0100 Subject: [PATCH 10/44] Added missing file --- app.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/app.go b/app.go index 9f270108..b87fb33c 100644 --- a/app.go +++ b/app.go @@ -127,7 +127,6 @@ type DERPConfig struct { ServerRegionID int ServerRegionCode string ServerRegionName string - STUNEnabled bool STUNAddr string URLs []url.URL Paths []string @@ -503,15 +502,13 @@ func (h *Headscale) Serve() error { h.DERPMap = GetDERPMap(h.cfg.DERP) if h.cfg.DERP.ServerEnabled { - // When embedded DERP is enabled we always need a STUN server address, embedded or external + // When embedded DERP is enabled we always need a STUN server if h.cfg.DERP.STUNAddr == "" { return errSTUNAddressNotSet } h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region - if h.cfg.DERP.STUNEnabled { - go h.ServeSTUN() - } + go h.ServeSTUN() } if h.cfg.DERP.AutoUpdate { From 749c92954c5fcd3a49e6a4b904efffe64616c00a Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Fri, 18 Mar 2022 17:05:28 +0100 Subject: [PATCH 11/44] Add Tailscale unstable channel and repo HEAD to integration tests In preparation for the implementation of the new TS2021 protocol (Tailscale control protocol v2) we are expanding the test infrastructure --- Dockerfile.tailscale | 5 ++-- Dockerfile.tailscale-HEAD | 21 +++++++++++++++ integration_common_test.go | 45 ++++++++++++++++++++++++++++++- integration_embedded_derp_test.go | 12 ++------- integration_test.go | 12 ++------- 5 files changed, 72 insertions(+), 23 deletions(-) create mode 100644 Dockerfile.tailscale-HEAD diff --git a/Dockerfile.tailscale b/Dockerfile.tailscale index 32a8ce7b..7a3f575a 100644 --- a/Dockerfile.tailscale +++ b/Dockerfile.tailscale 
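Review bot: `go h.ServeSTUN()` is now unconditional and fire-and-forget: nothing in this hunk shows what happens when the UDP listener cannot be bound (port in use, missing capability), so the embedded DERP region would keep advertising a STUNPort that nothing answers on and clients would lose NAT-traversal help silently. If ServeSTUN returns an error, route it the same way Serve handles its other listeners; if it only logs, say so with `// ServeSTUN logs and exits on listener failure; DERP keeps running without STUN`. The empty-STUNAddr check kept here is now also enforced by log.Fatal in GetDERPConfig (patch 08 in this series), so one of the two layers should own it. Serve starts and ends outside the hunk.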
@@ -1,11 +1,12 @@ FROM ubuntu:latest ARG TAILSCALE_VERSION +ARG TAILSCALE_CHANNEL RUN apt-get update \ && apt-get install -y gnupg curl \ - && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | apt-key add - \ - && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \ + && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \ + && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \ && apt-get update \ && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \ && rm -rf /var/lib/apt/lists/* diff --git a/Dockerfile.tailscale-HEAD b/Dockerfile.tailscale-HEAD new file mode 100644 index 00000000..2cd0b813 --- /dev/null +++ b/Dockerfile.tailscale-HEAD @@ -0,0 +1,21 @@ +FROM golang:latest + +RUN apt-get update \ + && apt-get install -y ca-certificates dnsutils git \ + && rm -rf /var/lib/apt/lists/* + + +RUN git clone https://github.com/tailscale/tailscale.git + +WORKDIR tailscale + +RUN sh build_dist.sh tailscale.com/cmd/tailscale +RUN sh build_dist.sh tailscale.com/cmd/tailscaled + +RUN cp tailscale /usr/local/ +RUN cp tailscaled /usr/local/ + +ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/ +RUN chmod 644 /usr/local/share/ca-certificates/server.crt + +RUN update-ca-certificates diff --git a/integration_common_test.go b/integration_common_test.go index 70285fc4..33f3177d 100644 --- a/integration_common_test.go +++ b/integration_common_test.go @@ -20,7 +20,7 @@ var ( IpPrefix4 = netaddr.MustParseIPPrefix("100.64.0.0/10") IpPrefix6 = netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/48") - tailscaleVersions = []string{"1.22.0", "1.20.4", "1.18.2", "1.16.2", "1.14.3", "1.12.3"} + tailscaleVersions = []string{"HEAD", "unstable", "1.22.0", "1.20.4", "1.18.2", "1.16.2", "1.14.3", "1.12.3"} ) type TestNamespace struct { 
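Review bot: The channel-selected signing key is still imported with `apt-key add -`, which trusts it for every apt source in the image and is deprecated in recent apt releases such as the one `ubuntu:latest` resolves to; the file also always fetches the `focal` key and list regardless of which Ubuntu release that tag currently points at. Writing the key to a keyring under /usr/share/keyrings and binding it to the tailscale source with a `signed-by=` entry in the list is the current recommendation, and pinning the base image to the release the list is written for avoids the mismatch. This is test infrastructure, so the point is hygiene rather than exposure, but the new TAILSCALE_CHANNEL build arg is interpolated into both URLs and accepts any value, so a comment naming the two supported values, `# TAILSCALE_CHANNEL: stable or unstable`, would help.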
@@ -128,6 +128,49 @@ func DockerAllowNetworkAdministration(config *docker.HostConfig) { }) } +func getDockerBuildOptions(version string) *dockertest.BuildOptions { + var tailscaleBuildOptions *dockertest.BuildOptions + switch version { + case "HEAD": + tailscaleBuildOptions = &dockertest.BuildOptions{ + Dockerfile: "Dockerfile.tailscale-HEAD", + ContextDir: ".", + BuildArgs: []docker.BuildArg{}, + } + case "unstable": + tailscaleBuildOptions = &dockertest.BuildOptions{ + Dockerfile: "Dockerfile.tailscale", + ContextDir: ".", + BuildArgs: []docker.BuildArg{ + { + Name: "TAILSCALE_VERSION", + Value: "*", // Installs the latest version https://askubuntu.com/a/824926 + }, + { + Name: "TAILSCALE_CHANNEL", + Value: "unstable", + }, + }, + } + default: + tailscaleBuildOptions = &dockertest.BuildOptions{ + Dockerfile: "Dockerfile.tailscale", + ContextDir: ".", + BuildArgs: []docker.BuildArg{ + { + Name: "TAILSCALE_VERSION", + Value: version, + }, + { + Name: "TAILSCALE_CHANNEL", + Value: "stable", + }, + }, + } + } + return tailscaleBuildOptions +} + func getIPs( tailscales map[string]dockertest.Resource, ) (map[string][]netaddr.IP, error) { diff --git a/integration_embedded_derp_test.go b/integration_embedded_derp_test.go index a1737173..10ddc9f5 100644 --- a/integration_embedded_derp_test.go +++ b/integration_embedded_derp_test.go @@ -245,16 +245,8 @@ func (s *IntegrationDERPTestSuite) Join( func (s *IntegrationDERPTestSuite) tailscaleContainer(identifier, version string, network dockertest.Network, ) (string, *dockertest.Resource) { - tailscaleBuildOptions := &dockertest.BuildOptions{ - Dockerfile: "Dockerfile.tailscale", - ContextDir: ".", - BuildArgs: []docker.BuildArg{ - { - Name: "TAILSCALE_VERSION", - Value: version, - }, - }, - } + tailscaleBuildOptions := getDockerBuildOptions(version) + hostname := fmt.Sprintf( "tailscale-%s-%s", strings.Replace(version, ".", "-", -1), diff --git a/integration_test.go b/integration_test.go index 1649f322..27b27e98 100644 
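Review bot: The three cases of the switch in getDockerBuildOptions repeat the same dockertest.BuildOptions literal and differ only in Dockerfile and BuildArgs, so the version-to-argument mapping is harder to read than it needs to be. Selecting those two values in the switch and building the literal once makes the table obvious; note the HEAD case would then pass a nil BuildArgs slice instead of an empty one, which should be equivalent for a build with no args but is worth checking against how dockertest iterates it. The `"*"` comment is useful and should stay with the unstable case. The function also deserves a doc comment, `// getDockerBuildOptions maps a tailscaleVersions entry to the Dockerfile and build args that produce that client image.`

```go
// getDockerBuildOptions maps a tailscaleVersions entry to the Dockerfile and
// build args that produce that client image.
func getDockerBuildOptions(version string) *dockertest.BuildOptions {
	dockerfile := "Dockerfile.tailscale"
	var buildArgs []docker.BuildArg

	switch version {
	case "HEAD":
		dockerfile = "Dockerfile.tailscale-HEAD"
	case "unstable":
		buildArgs = []docker.BuildArg{
			{
				Name:  "TAILSCALE_VERSION",
				Value: "*", // Installs the latest version https://askubuntu.com/a/824926
			},
			{Name: "TAILSCALE_CHANNEL", Value: "unstable"},
		}
	default:
		buildArgs = []docker.BuildArg{
			{Name: "TAILSCALE_VERSION", Value: version},
			{Name: "TAILSCALE_CHANNEL", Value: "stable"},
		}
	}

	return &dockertest.BuildOptions{
		Dockerfile: dockerfile,
		ContextDir: ".",
		BuildArgs:  buildArgs,
	}
}
```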
--- a/integration_test.go +++ b/integration_test.go @@ -168,16 +168,8 @@ func (s *IntegrationTestSuite) Join( func (s *IntegrationTestSuite) tailscaleContainer( namespace, identifier, version string, ) (string, *dockertest.Resource) { - tailscaleBuildOptions := &dockertest.BuildOptions{ - Dockerfile: "Dockerfile.tailscale", - ContextDir: ".", - BuildArgs: []docker.BuildArg{ - { - Name: "TAILSCALE_VERSION", - Value: version, - }, - }, - } + tailscaleBuildOptions := getDockerBuildOptions(version) + hostname := fmt.Sprintf( "%s-tailscale-%s-%s", namespace, From 1eafe960b85eac57e1ad4331b15499a97b2f3adb Mon Sep 17 00:00:00 2001 From: Aofei Sheng Date: Sat, 19 Mar 2022 01:18:20 +0800 Subject: [PATCH 12/44] fix: possible panic in `Headscale.scheduledDERPMapUpdateWorker` There is a possible nil pointer dereference panic in the `Headscale.scheduledDERPMapUpdateWorker`. Such as when the embedded DERP server is disabled. --- derp.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/derp.go b/derp.go index 7a9b2367..7abce683 100644 --- a/derp.go +++ b/derp.go @@ -148,7 +148,9 @@ func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) { case <-ticker.C: log.Info().Msg("Fetching DERPMap updates") h.DERPMap = GetDERPMap(h.cfg.DERP) - h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region + if h.cfg.DERP.ServerEnabled { + h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region + } namespaces, err := h.ListNamespaces() if err != nil { From 0165b89941306a77cd96e55080b4acf9c44bc180 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Fri, 18 Mar 2022 19:35:09 +0100 Subject: [PATCH 13/44] Fixed paths --- Dockerfile.tailscale-HEAD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.tailscale-HEAD b/Dockerfile.tailscale-HEAD index 2cd0b813..40c0ad87 100644 --- a/Dockerfile.tailscale-HEAD +++ b/Dockerfile.tailscale-HEAD 
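Review bot: scheduledDERPMapUpdateWorker replaces h.DERPMap and then writes into its Regions map from the ticker goroutine, and nothing in the hunk synchronises that with the request handlers that read h.DERPMap; unless a lock or atomic swap exists outside the hunk, this is a data race that `go test -race` would flag and, at worst, a concurrent map read and write that panics the process. Building the new map completely in a local (GetDERPMap plus the local region) and assigning it to h.DERPMap once narrows the window; guarding the field with a mutex or holding it in an atomic.Value closes it. The same two lines also live in Serve, so a small helper used by both would keep the ServerEnabled guard from drifting between them. The worker starts and ends outside the hunk.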
@@ -12,8 +12,8 @@ WORKDIR tailscale RUN sh build_dist.sh tailscale.com/cmd/tailscale RUN sh build_dist.sh tailscale.com/cmd/tailscaled -RUN cp tailscale /usr/local/ -RUN cp tailscaled /usr/local/ +RUN cp tailscale /usr/local/bin/ +RUN cp tailscaled /usr/local/bin/ ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/ RUN chmod 644 /usr/local/share/ca-certificates/server.crt From a6455653c0d0e499737bcbac728ee9113784b5ae Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Sun, 20 Mar 2022 12:30:08 +0100 Subject: [PATCH 14/44] Added missing package --- Dockerfile.tailscale-HEAD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.tailscale-HEAD b/Dockerfile.tailscale-HEAD index 40c0ad87..b62f7e2b 100644 --- a/Dockerfile.tailscale-HEAD +++ b/Dockerfile.tailscale-HEAD @@ -1,7 +1,7 @@ FROM golang:latest RUN apt-get update \ - && apt-get install -y ca-certificates dnsutils git \ + && apt-get install -y ca-certificates dnsutils git iptables \ && rm -rf /var/lib/apt/lists/* From f42868f67f9877bb6e51a7a1eea3105f11921507 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Sun, 20 Mar 2022 12:30:56 +0100 Subject: [PATCH 15/44] Docker requires lowercase for the container names --- integration_common_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integration_common_test.go b/integration_common_test.go index 33f3177d..f7afb807 100644 --- a/integration_common_test.go +++ b/integration_common_test.go @@ -20,7 +20,7 @@ var ( IpPrefix4 = netaddr.MustParseIPPrefix("100.64.0.0/10") IpPrefix6 = netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/48") - tailscaleVersions = []string{"HEAD", "unstable", "1.22.0", "1.20.4", "1.18.2", "1.16.2", "1.14.3", "1.12.3"} + tailscaleVersions = []string{"head", "unstable", "1.22.2", "1.20.4", "1.18.2", "1.16.2", "1.14.3", "1.12.3"} ) type TestNamespace struct { 
@@ -131,7 +131,7 @@ func DockerAllowNetworkAdministration(config *docker.HostConfig) { func getDockerBuildOptions(version string) *dockertest.BuildOptions { var tailscaleBuildOptions *dockertest.BuildOptions switch version { - case "HEAD": + case "head": tailscaleBuildOptions = &dockertest.BuildOptions{ Dockerfile: "Dockerfile.tailscale-HEAD", ContextDir: ".", From a1caa5b45c9e35107d3477e06e158a9239793334 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Sun, 20 Mar 2022 12:31:18 +0100 Subject: [PATCH 16/44] Minor improvements on logging --- integration_cli_test.go | 2 +- integration_embedded_derp_test.go | 4 ++-- integration_test.go | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/integration_cli_test.go b/integration_cli_test.go index 7ce0758f..9644037d 100644 --- a/integration_cli_test.go +++ b/integration_cli_test.go @@ -72,7 +72,7 @@ func (s *IntegrationCLITestSuite) SetupTest() { if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil { s.headscale = *pheadscale } else { - log.Fatalf("Could not start resource: %s", err) + log.Fatalf("Could not start headscale container: %s", err) } fmt.Println("Created headscale container") diff --git a/integration_embedded_derp_test.go b/integration_embedded_derp_test.go index 10ddc9f5..54eec804 100644 --- a/integration_embedded_derp_test.go +++ b/integration_embedded_derp_test.go @@ -121,7 +121,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() { if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil { s.headscale = *pheadscale } else { - log.Fatalf("Could not start resource: %s", err) + log.Fatalf("Could not start headscale container: %s", err) } log.Println("Created headscale container to test DERP") 
@@ -271,7 +271,7 @@ func (s *IntegrationDERPTestSuite) tailscaleContainer(identifier, version string DockerAllowNetworkAdministration, ) if err != nil { - log.Fatalf("Could not start resource: %s", err) + log.Fatalf("Could not start tailscale container version %s: %s", version, err) } log.Printf("Created %s container\n", hostname) diff --git a/integration_test.go b/integration_test.go index 27b27e98..52f1765b 100644 --- a/integration_test.go +++ b/integration_test.go @@ -192,7 +192,7 @@ func (s *IntegrationTestSuite) tailscaleContainer( DockerAllowNetworkAdministration, ) if err != nil { - log.Fatalf("Could not start resource: %s", err) + log.Fatalf("Could not start tailscale container version %s: %s", version, err) } log.Printf("Created %s container\n", hostname) @@ -241,7 +241,7 @@ func (s *IntegrationTestSuite) SetupSuite() { if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil { s.headscale = *pheadscale } else { - log.Fatalf("Could not start resource: %s", err) + log.Fatalf("Could not start headscale container: %s", err) } log.Println("Created headscale container") From a8a683d3cccb356dd7c3cd90d39387781d75ae0b Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Sun, 20 Mar 2022 12:33:41 +0100 Subject: [PATCH 17/44] Added default values in Dockerfile.tailscale --- Dockerfile.tailscale | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.tailscale b/Dockerfile.tailscale index 7a3f575a..145ab6f7 100644 --- a/Dockerfile.tailscale +++ b/Dockerfile.tailscale @@ -1,7 +1,7 @@ FROM ubuntu:latest -ARG TAILSCALE_VERSION -ARG TAILSCALE_CHANNEL +ARG TAILSCALE_VERSION=* +ARG TAILSCALE_CHANNEL=stable RUN apt-get update \ && apt-get install -y gnupg curl \ From af6a47fdd3c16da5d4e861931cff32cf1c88a235 Mon Sep 17 00:00:00 2001 
From: Juan Font Alonso Date: Sun, 20 Mar 2022 12:36:30 +0100 Subject: [PATCH 18/44] Changelog updated --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c943940..f8872af3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ - Users can now use emails in ACL's groups [#372](https://github.com/juanfont/headscale/issues/372) - Add shorthand aliases for commands and subcommands [#376](https://github.com/juanfont/headscale/pull/376) - Add `/windows` endpoint for Windows configuration instructions + registry file download [#392](https://github.com/juanfont/headscale/pull/392) -- Added embedded DERP server into Headscale [#388](https://github.com/juanfont/headscale/pull/388) +- Added embedded DERP (and STUN) server into Headscale [#388](https://github.com/juanfont/headscale/pull/388) ### Changes @@ -30,6 +30,7 @@ - Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine [#371](https://github.com/juanfont/headscale/pull/371) - Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations [#363](https://github.com/juanfont/headscale/issues/363) - Fix a bug that prevented the use of `tailscale logout` with OIDC [#508](https://github.com/juanfont/headscale/issues/508) +- Added Tailscale repo HEAD and unstable releases channel to the integration tests targets [#513](https://github.com/juanfont/headscale/pull/513) ## 0.14.0 (2022-02-24) From 631cf58ff01cb5795f9163b027311787651cc795 Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Sun, 20 Mar 2022 13:36:25 +0100 Subject: [PATCH 19/44] Added date for 0.15.0 in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8872af3..6cea8cde 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,6 @@ # CHANGELOG -## 0.15.0 (2022-xx-xx) +## 0.15.0 (2022-03-20) **Note:** Take a backup of your database before upgrading. From 452286552c350e136418688223b18882366960a9 Mon Sep 17 00:00:00 2001 From: Juan Font Date: Sun, 20 Mar 2022 15:07:22 +0100 Subject: [PATCH 20/44] Update CHANGELOG.md to include future 0.16.0 Co-authored-by: Kristoffer Dalby --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6cea8cde..1a1c429f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # CHANGELOG +## 0.16.0 (2022-xx-xx) + ## 0.15.0 (2022-03-20) **Note:** Take a backup of your database before upgrading. From 8758ee1c4d2d6f072984962e95b165ecdd757e2e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 20 Mar 2022 14:18:39 +0000 Subject: [PATCH 21/44] docs(README): update contributors --- README.md | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 596c2580..e3ed5377 100644 --- a/README.md +++ b/README.md @@ -315,6 +315,15 @@ make build Abraham Ingersoll + + + Aofei +
+ Aofei Sheng +
+ + + Artem @@ -322,8 +331,6 @@ make build Artem Klevtsov - - Arthur @@ -359,6 +366,8 @@ make build JJGadgets + + Jamie @@ -366,8 +375,6 @@ make build Jamie Greeff - - Jim @@ -403,6 +410,8 @@ make build Ryan Fowler + + Shaanan @@ -410,8 +419,6 @@ make build Shaanan Cohney - - Tanner/ @@ -447,6 +454,8 @@ make build Tjerk Woudsma + + Yang @@ -454,8 +463,6 @@ make build Yang Bin - - Zakhar @@ -491,6 +498,8 @@ make build ignoramous + + lion24/ @@ -498,8 +507,6 @@ make build lion24 - - pernila/ From 52fd13bfc4a689f93d2ecbbfcf1ea38e01c7e21a Mon Sep 17 00:00:00 2001 From: hdhoang Date: Mon, 21 Mar 2022 15:49:14 +0700 Subject: [PATCH 22/44] Fix labels cardinality error when registering unknown pre-auth key --- CHANGELOG.md | 4 ++++ api.go | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a1c429f..d3aa8d53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## 0.16.0 (2022-xx-xx) +### Changes + +- Fix labels cardinality error when registering unknown pre-auth key [#519](https://github.com/juanfont/headscale/pull/519) + ## 0.15.0 (2022-03-20) **Note:** Take a backup of your database before upgrading. diff --git a/api.go b/api.go index eab8076e..61ec1b5f 100644 --- a/api.go +++ b/api.go @@ -573,7 +573,7 @@ func (h *Headscale) handleAuthKey( machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name). Inc() } else { - machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error").Inc() + machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", "unknown").Inc() } return From 7e286c570e70ed1504f055e0e727c85b95104947 Mon Sep 17 00:00:00 2001 From: Niek van der Maas Date: Tue, 22 Mar 2022 13:45:30 +0100 Subject: [PATCH 23/44] Docker docs enhancements While configuring a Docker setup I noticed that the docs could use some enhancements. --- docs/running-headscale-container.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) 
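Review bot: The fix passes a fourth label value only because the sibling branch passes pak.Namespace.Name, and nothing at this call site says why the namespace is `"unknown"` here; a reader will not know whether it is a real namespace name or a sentinel. A comment, `// pre-auth key lookup failed, so no namespace is known for this attempt`, makes that clear, and the sentinel is better as a named constant beside the RegisterMethod* constants so a future change to the label set is made in one place. The metric's declared label set is outside the hunk, as is the start of handleAuthKey.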
diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md index 36e63de9..36ea77e1 100644 --- a/docs/running-headscale-container.md +++ b/docs/running-headscale-container.md @@ -14,8 +14,8 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca 1. Prepare a directory on the host Docker node in your directory of choice, used to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database: ```shell -mkdir ./headscale && cd ./headscale -mkdir ./config +mkdir -p ./headscale/config +cd ./headscale ``` 2. Create an empty SQlite datebase in the headscale directory: @@ -44,7 +44,13 @@ curl https://raw.githubusercontent.com/juanfont/headscale/main/config-example.ya touch ./config/config.yaml ``` -Modify the config file to your preferences before launching Docker container. +Modify the config file to your preferences before launching Docker container. Here are some settings that you likely want: +```yaml +server_url: http://your-host-name:8080 # Change to your hostname or host IP +metrics_listen_addr: 0.0.0.0:9090 # Listen to 0.0.0.0 so it's accessible outside the container +private_key_path: /etc/headscale/private.key # The default /var/lib/headscale path is not writable in the container +db_path: /etc/headscale/db.sqlite # The default /var/lib/headscale path is not writable in the container +``` 4. Start the headscale server while working in the host headscale directory: @@ -54,7 +60,7 @@ docker run \ --detach \ --rm \ --volume $(pwd)/config:/etc/headscale/ \ - --publish 127.0.0.1:8080:8080 \ + --publish 0.0.0.0:8080:8080 \ --publish 127.0.0.1:9090:9090 \ headscale/headscale: \ headscale serve 
@@ -87,7 +93,7 @@ curl http://127.0.0.1:9090/metrics 6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)): ```shell -docker exec headscale -- headscale namespaces create myfirstnamespace +docker exec headscale headscale namespaces create myfirstnamespace ``` ### Register a machine (normal login) @@ -101,7 +107,7 @@ tailscale up --login-server YOUR_HEADSCALE_URL To register a machine when running `headscale` in a container, take the headscale command and pass it to the container: ```shell -docker exec headscale -- \ +docker exec headscale \ headscale --namespace myfirstnamespace nodes register --key ``` @@ -110,7 +116,7 @@ docker exec headscale -- \ Generate a key using the command line: ```shell -docker exec headscale -- \ +docker exec headscale \ headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h ``` From 8cee31d8d77a1c4a1e13b0c2a307005ce1f20628 Mon Sep 17 00:00:00 2001 From: Niek van der Maas Date: Fri, 25 Mar 2022 07:43:15 +0000 Subject: [PATCH 24/44] Fix prettier --- docs/running-headscale-container.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md index 36ea77e1..69edce84 100644 --- a/docs/running-headscale-container.md +++ b/docs/running-headscale-container.md @@ -45,6 +45,7 @@ touch ./config/config.yaml ``` Modify the config file to your preferences before launching Docker container. Here are some settings that you likely want: + ```yaml server_url: http://your-host-name:8080 # Change to your hostname or host IP metrics_listen_addr: 0.0.0.0:9090 # Listen to 0.0.0.0 so it's accessible outside the container From 73f1c06f65e1b010da2bf37044d100f2f2af52c5 Mon Sep 17 00:00:00 2001 From: Niek van der Maas Date: Fri, 25 Mar 2022 07:46:01 +0000 Subject: [PATCH 25/44] Fix long line --- docs/running-headscale-container.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md index 69edce84..57961dd0 100644 --- a/docs/running-headscale-container.md +++ b/docs/running-headscale-container.md @@ -44,7 +44,8 @@ curl https://raw.githubusercontent.com/juanfont/headscale/main/config-example.ya touch ./config/config.yaml ``` -Modify the config file to your preferences before launching Docker container. Here are some settings that you likely want: +Modify the config file to your preferences before launching Docker container. +Here are some settings that you likely want: ```yaml server_url: http://your-host-name:8080 # Change to your hostname or host IP From 7dae780be1f324b14d113d1672a00e7750d38c2c Mon Sep 17 00:00:00 2001 From: Niek van der Maas Date: Fri, 25 Mar 2022 23:44:55 +0100 Subject: [PATCH 26/44] Update docs/running-headscale-container.md Co-authored-by: Kristoffer Dalby --- docs/running-headscale-container.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md index 57961dd0..064fa03e 100644 --- a/docs/running-headscale-container.md +++ b/docs/running-headscale-container.md 
@@ -49,9 +49,12 @@ Here are some settings that you likely want: ```yaml server_url: http://your-host-name:8080 # Change to your hostname or host IP -metrics_listen_addr: 0.0.0.0:9090 # Listen to 0.0.0.0 so it's accessible outside the container -private_key_path: /etc/headscale/private.key # The default /var/lib/headscale path is not writable in the container -db_path: /etc/headscale/db.sqlite # The default /var/lib/headscale path is not writable in the container +# Listen to 0.0.0.0 so it's accessible outside the container +metrics_listen_addr: 0.0.0.0:9090 +# The default /var/lib/headscale path is not writable in the container +private_key_path: /etc/headscale/private.key +# The default /var/lib/headscale path is not writable in the container +db_path: /etc/headscale/db.sqlite ``` 4. Start the headscale server while working in the host headscale directory: From 3272febfb3e42081d14b620b0863f3c6defa7440 Mon Sep 17 00:00:00 2001 From: Niek van der Maas Date: Sat, 26 Mar 2022 13:33:31 +0100 Subject: [PATCH 27/44] Change publish interface --- docs/running-headscale-container.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md index 064fa03e..de5ec38c 100644 --- a/docs/running-headscale-container.md +++ b/docs/running-headscale-container.md @@ -65,13 +65,15 @@ docker run \ --detach \ --rm \ --volume $(pwd)/config:/etc/headscale/ \ - --publish 0.0.0.0:8080:8080 \ + --publish 127.0.0.1:8080:8080 \ --publish 127.0.0.1:9090:9090 \ headscale/headscale: \ headscale serve ``` +Note: use `0.0.0.0:8080:8080` instead of `127.0.0.1:8080:8080` if you want to expose the container externally. + This command will mount `config/` under `/etc/headscale`, forward port 8080 out of the container so the `headscale` instance becomes available and then detach so headscale runs in the background. From 6d296a195db75925db009acdbe5529ad3d2f0937 Mon Sep 17 00:00:00 2001 
From: Niek van der Maas Date: Mon, 28 Mar 2022 08:58:33 +0200 Subject: [PATCH 28/44] Update docs/running-headscale-container.md Co-authored-by: Kristoffer Dalby --- docs/running-headscale-container.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md index de5ec38c..b36f3bbf 100644 --- a/docs/running-headscale-container.md +++ b/docs/running-headscale-container.md @@ -100,7 +100,8 @@ curl http://127.0.0.1:9090/metrics 6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)): ```shell -docker exec headscale headscale namespaces create myfirstnamespace +docker exec headscale \ + headscale namespaces create myfirstnamespace ``` ### Register a machine (normal login) From 5e44266292b2418aba6aeb5c60dd3a4756957218 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 28 Mar 2022 15:06:39 +0000 Subject: [PATCH 29/44] docs(README): update contributors --- README.md | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index e3ed5377..b2bac98d 100644 --- a/README.md +++ b/README.md @@ -220,6 +220,13 @@ make build Nico + + + Niek +
+ Niek van der Maas +
+ Eugen @@ -227,6 +234,8 @@ make build Eugen Biegler + + Aaron @@ -234,8 +243,6 @@ make build Aaron Bieber - - Fernando @@ -271,6 +278,8 @@ make build Paul Tötterman + + Casey @@ -278,8 +287,6 @@ make build Casey Marshall - - Silver @@ -315,6 +322,8 @@ make build Abraham Ingersoll + + Aofei @@ -322,8 +331,6 @@ make build Aofei Sheng - - Artem @@ -359,6 +366,8 @@ make build Felix Yan + + JJGadgets/ @@ -366,8 +375,6 @@ make build JJGadgets - - Jamie @@ -403,6 +410,8 @@ make build WhiteSource Renovate + + Ryan @@ -410,8 +419,6 @@ make build Ryan Fowler - - Shaanan @@ -447,6 +454,8 @@ make build Tianon Gravi + + Tjerk @@ -454,8 +463,6 @@ make build Tjerk Woudsma - - Yang @@ -491,6 +498,8 @@ make build derelm + + ignoramous/ @@ -498,8 +507,6 @@ make build ignoramous - - lion24/ From b2ae9b6cacc576d18bec905a05bbb29dd9ceff84 Mon Sep 17 00:00:00 2001 From: henning mueller Date: Tue, 5 Apr 2022 18:44:08 +0200 Subject: [PATCH 30/44] fix: Remove days from expiry option value examples --- cmd/headscale/cli/api_key.go | 2 +- cmd/headscale/cli/preauthkeys.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/headscale/cli/api_key.go b/cmd/headscale/cli/api_key.go index 06099aa1..aa056c54 100644 --- a/cmd/headscale/cli/api_key.go +++ b/cmd/headscale/cli/api_key.go @@ -23,7 +23,7 @@ func init() { apiKeysCmd.AddCommand(listAPIKeys) createAPIKeyCmd.Flags(). - DurationP("expiration", "e", DefaultAPIKeyExpiry, "Human-readable expiration of the key (30m, 24h, 365d...)") + DurationP("expiration", "e", DefaultAPIKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)") apiKeysCmd.AddCommand(createAPIKeyCmd) diff --git a/cmd/headscale/cli/preauthkeys.go b/cmd/headscale/cli/preauthkeys.go index 950cbcc5..7efb72fb 100644 --- a/cmd/headscale/cli/preauthkeys.go +++ b/cmd/headscale/cli/preauthkeys.go 
@@ -31,7 +31,7 @@ func init() { createPreAuthKeyCmd.PersistentFlags(). Bool("ephemeral", false, "Preauthkey for ephemeral nodes") createPreAuthKeyCmd.Flags(). - DurationP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (30m, 24h, 365d...)") + DurationP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)") } var preauthkeysCmd = &cobra.Command{ From 6e082417128a3b0de55e171683d37a10e8f23cbb Mon Sep 17 00:00:00 2001 From: Nico Rey Date: Wed, 6 Apr 2022 11:05:08 -0300 Subject: [PATCH 31/44] Exit Headscale if ACL policy file cannot be parsed --- cmd/headscale/cli/utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go index 768a9713..992d1254 100644 --- a/cmd/headscale/cli/utils.go +++ b/cmd/headscale/cli/utils.go @@ -408,7 +408,7 @@ func getHeadscaleApp() (*headscale.Headscale, error) { aclPath := absPath(viper.GetString("acl_policy_path")) err = app.LoadACLPolicy(aclPath) if err != nil { - log.Error(). + log.Fatal(). Str("path", aclPath). Err(err). Msg("Could not load the ACL policy") From c3324371d6cb6b0dd73f732e86094def4ccf9c21 Mon Sep 17 00:00:00 2001 From: Nico Rey Date: Wed, 6 Apr 2022 18:41:13 -0300 Subject: [PATCH 32/44] Update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3aa8d53..65d22955 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ ## 0.16.0 (2022-xx-xx) ### Changes - +- Headscale fails to serve if the ACL policy file cannot be parsed [#537](https://github.com/juanfont/headscale/pull/537) - Fix labels cardinality error when registering unknown pre-auth key [#519](https://github.com/juanfont/headscale/pull/519) ## 0.15.0 (2022-03-20) From fa7ef3df2fa6e982dd1a34771683f842c7d300e5 Mon Sep 17 00:00:00 2001 
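Review bot: `log.Fatal()` inside `getHeadscaleApp` terminates the process from a function that already returns `error`, so the caller never sees the failure and any deferred cleanup up the stack is skipped (zerolog's Fatal event calls os.Exit after writing). Refusing to serve with an unparsable ACL policy is the right, fail-closed outcome, but it can be reached without the exit here: keep `log.Error()` and add `return nil, err` after the `Msg(...)` call, leaving the decision to exit to the command entry point that already handles this function's error. getHeadscaleApp starts and ends outside the hunk, so I cannot confirm what follows the `if` block.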
From: Nico Rey Date: Thu, 7 Apr 2022 15:21:26 -0300 Subject: [PATCH 33/44] make linter happy --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65d22955..c970be23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 0.16.0 (2022-xx-xx) ### Changes + - Headscale fails to serve if the ACL policy file cannot be parsed [#537](https://github.com/juanfont/headscale/pull/537) - Fix labels cardinality error when registering unknown pre-auth key [#519](https://github.com/juanfont/headscale/pull/519) From 98e98a8adbcfab168a6b60a610818d605fb7f45f Mon Sep 17 00:00:00 2001 From: Artem Klevtsov Date: Sat, 9 Apr 2022 16:24:57 +0700 Subject: [PATCH 34/44] Fix wrong metrics port in docs It should be 9090. --- docs/running-headscale-linux.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/running-headscale-linux.md b/docs/running-headscale-linux.md index 1e9d11c4..98a67f1d 100644 --- a/docs/running-headscale-linux.md +++ b/docs/running-headscale-linux.md @@ -178,7 +178,7 @@ systemctl status headscale Verify `headscale` is available: ```shell -curl http://127.0.0.1:8080/metrics +curl http://127.0.0.1:9090/metrics ``` `headscale` will now run in the background and start at boot. From 62d774b6ee014bcbadd612262037dc32262c8b9d Mon Sep 17 00:00:00 2001 From: Carson Yang Date: Sun, 10 Apr 2022 09:53:27 +0800 Subject: [PATCH 35/44] Fix key name about derp port --- derp-example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/derp-example.yaml b/derp-example.yaml index 0ebe32ed..732c4ba0 100644 --- a/derp-example.yaml +++ b/derp-example.yaml @@ -12,4 +12,4 @@ regions: ipv6: "2604:a880:400:d1::828:b001" stunport: 0 stunonly: false - derptestport: 0 + derpport: 0 From 9cdaa9730b35f47958c4970fc8e60f7700746a9c Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 10 Apr 2022 09:03:16 +0000 Subject: [PATCH 36/44] docs(README): update contributors --- README.md | 50 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index b2bac98d..74abc85b 100644 --- a/README.md +++ b/README.md @@ -280,6 +280,13 @@ make build + + + Artem +
+ Artem Klevtsov +
+ Casey @@ -315,6 +322,8 @@ make build thomas + + Abraham @@ -322,8 +331,6 @@ make build Abraham Ingersoll - - Aofei @@ -331,13 +338,6 @@ make build Aofei Sheng - - - Artem -
- Artem Klevtsov -
- Arthur @@ -352,6 +352,13 @@ make build Bryan Stenson + + + Carson +
+ Carson Yang +
+ Felix @@ -359,6 +366,8 @@ make build Felix Kronlage-Dammers + + Felix @@ -366,8 +375,6 @@ make build Felix Yan - - JJGadgets/ @@ -403,6 +410,8 @@ make build rcursaru + + WhiteSource @@ -410,8 +419,6 @@ make build WhiteSource Renovate - - Ryan @@ -447,6 +454,8 @@ make build The Gitter Badger + + Tianon @@ -454,8 +463,6 @@ make build Tianon Gravi - - Tjerk @@ -491,6 +498,8 @@ make build bravechamp + + derelm/ @@ -498,8 +507,13 @@ make build derelm - - + + + henning +
+ henning mueller +
+ ignoramous/ @@ -528,6 +542,8 @@ make build Wakeful-Cloud + + zy/ From 22dd61d8497165c28d51109cf7f9d6b5da404a6d Mon Sep 17 00:00:00 2001 From: Moritz Poldrack Date: Sun, 10 Apr 2022 00:37:13 +0200 Subject: [PATCH 37/44] fixed the issue of sending on closed channel This commit fixes the issue of headscale crashing after sending on a closed channel by moving the channel close to the sender side, instead of the creator. closeChanWithLog is also implemented with generics now. Fixes: https://github.com/juanfont/headscale/issues/342 Signed-off-by: Moritz Poldrack --- poll.go | 68 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 23 deletions(-) diff --git a/poll.go b/poll.go index 15945a9b..3bad0b89 100644 --- a/poll.go +++ b/poll.go @@ -175,32 +175,13 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) { Str("machine", machine.Name). Msg("Loading or creating update channel") - // TODO: could probably remove all that duplication once generics land. - closeChanWithLog := func(channel interface{}, name string) { - log.Trace(). - Str("handler", "PollNetMap"). - Str("machine", machine.Name). - Str("channel", "Done"). - Msg(fmt.Sprintf("Closing %s channel", name)) - - switch c := channel.(type) { - case (chan struct{}): - close(c) - - case (chan []byte): - close(c) - } - } - const chanSize = 8 updateChan := make(chan struct{}, chanSize) - defer closeChanWithLog(updateChan, "updateChan") pollDataChan := make(chan []byte, chanSize) - defer closeChanWithLog(pollDataChan, "pollDataChan") + defer closeChanWithLog(pollDataChan, machine.Name, "pollDataChan") keepAliveChan := make(chan []byte) - defer closeChanWithLog(keepAliveChan, "keepAliveChan") if req.OmitPeers && !req.Stream { log.Info(). 
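Review bot: `pollDataChan` is still closed by its creator through `defer closeChanWithLog(pollDataChan, machine.Name, "pollDataChan")` in PollNetMapHandler, while the commit message describes moving closes to the sender side; if PollNetMapStream, or a goroutine it starts, can still send on pollDataChan after this handler returns, the send-on-closed-channel panic fixed for updateChan and keepAliveChan remains possible for this channel. The sender is not visible from this hunk, so this is worth confirming rather than a definite defect. PollNetMapHandler starts before the hunk and continues past it.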
@@ -273,7 +254,27 @@ func (h *Headscale) PollNetMapStream(
 updateChan chan struct{},
 ) {
 {
- ctx, cancel := context.WithCancel(ctx.Request.Context())
+ machine, err := h.GetMachineByMachineKey(machineKey)
+ if err != nil {
+ if errors.Is(err, gorm.ErrRecordNotFound) {
+ log.Warn().
+ Str("handler", "PollNetMap").
+ Msgf("Ignoring request, cannot find machine with key %s", machineKey.String())
+ ctx.String(http.StatusUnauthorized, "")
+
+ return
+ }
+ log.Error().
+ Str("handler", "PollNetMap").
+ Msgf("Failed to fetch machine from the database with Machine key: %s", machineKey.String())
+ ctx.String(http.StatusInternalServerError, "")
+
+ return
+ }
+
+ ctx := context.WithValue(ctx.Request.Context(), "machineName", machine.Name)
+
+ ctx, cancel := context.WithCancel(ctx)
 defer cancel()
 go h.scheduledPollWorker(
@@ -564,8 +565,8 @@ func (h *Headscale) PollNetMapStream(
 func (h *Headscale) scheduledPollWorker(
 ctx context.Context,
- updateChan chan<- struct{},
- keepAliveChan chan<- []byte,
+ updateChan chan struct{},
+ keepAliveChan chan []byte,
 machineKey key.MachinePublic,
 mapRequest tailcfg.MapRequest,
 machine *Machine,
@@ -573,6 +574,17 @@ func (h *Headscale) scheduledPollWorker(
 keepAliveTicker := time.NewTicker(keepAliveInterval)
 updateCheckerTicker := time.NewTicker(updateCheckInterval)
+ defer closeChanWithLog(
+ updateChan,
+ fmt.Sprint(ctx.Value("machineName")),
+ "updateChan",
+ )
+ defer closeChanWithLog(
+ keepAliveChan,
+ fmt.Sprint(ctx.Value("machineName")),
+ "updateChan",
+ )
+
 for {
 select {
 case <-ctx.Done():
@@ -606,3 +618,13 @@ func (h *Headscale) scheduledPollWorker(
 }
 }
 }
+
+func closeChanWithLog[C chan []byte | chan struct{}](channel C, machine, name string) {
+ log.Trace().
+ Str("handler", "PollNetMap").
+ Str("machine", machine).
+ Str("channel", "Done").
+ Msg(fmt.Sprintf("Closing %s channel", name))
+
+ close(channel)
+}
From 9f03a012fb7faa8cde35ba39addfb287b2ffa5cd Mon Sep 17 00:00:00 2001
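Review bot: `context.WithValue(ctx.Request.Context(), "machineName", machine.Name)` uses a bare string as the context key, which staticcheck (SA1029) flags because any other package storing a value under the same string silently collides with it; define an unexported key type, `type ctxKey string` and `const machineNameKey ctxKey = "machineName"`, and use it both here and in the `ctx.Value("machineName")` reads in scheduledPollWorker. Since scheduledPollWorker already receives a `machine *Machine` parameter, the worker could log `machine.Name` directly and the context value could be dropped altogether. The machine lookup added here looks like it repeats one the calling handler must already perform to reach PollNetMapStream, but the handler body is outside this hunk so that is an inference.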
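Review bot: The second deferred close in scheduledPollWorker passes `"updateChan"` as the name for keepAliveChan, so the trace line written when that channel closes names the wrong channel; the last argument of that call should be `"keepAliveChan"`. `fmt.Sprint(ctx.Value("machineName"))` yields the literal string `<nil>` whenever the worker is started from a context that was not decorated, so the log field degrades silently rather than failing. Closing in the worker's defer only removes the panic if the worker is the sole sender on updateChan and keepAliveChan; from these hunks no other sender is visible, but that invariant is worth a comment on the defers, e.g. `// scheduledPollWorker is the only sender on these channels and therefore owns their close.`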
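Review bot: closeChanWithLog logs `Str("channel", "Done")` while the channel actually being closed is only mentioned in the free-text message, so structured log consumers filtering on the `channel` field will see every close attributed to "Done"; change the field to `Str("channel", name)` and make the message a constant, `Msg("Closing channel")`, which also removes the `fmt.Sprintf` inside `Msg`. This was carried over from the removed closure, so it is a pre-existing oddity that the new generic helper is a good place to fix.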
From: Moritz Poldrack Date: Sun, 10 Apr 2022 22:47:35 +0200 Subject: [PATCH 38/44] updated changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3aa8d53..4408f130 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ### Changes - Fix labels cardinality error when registering unknown pre-auth key [#519](https://github.com/juanfont/headscale/pull/519) +- Fix send on closed channel crash in polling [#542](https://github.com/juanfont/headscale/pull/542) ## 0.15.0 (2022-03-20) From 1f43c39f93aeb4018b6481365369e07022f09341 Mon Sep 17 00:00:00 2001 From: Moritz Poldrack Date: Mon, 11 Apr 2022 08:54:12 +0200 Subject: [PATCH 39/44] replaced version-at-commit script with git-describe call --- Makefile | 2 +- scripts/version-at-commit.sh | 39 ------------------------------------ 2 files changed, 1 insertion(+), 40 deletions(-) delete mode 100755 scripts/version-at-commit.sh diff --git a/Makefile b/Makefile index 73630d3f..a2c225de 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ # Calculate version -version = $(shell ./scripts/version-at-commit.sh) +version = $(git describe --always --tags --dirty) rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d)) diff --git a/scripts/version-at-commit.sh b/scripts/version-at-commit.sh deleted file mode 100755 index 2f7fab84..00000000 --- a/scripts/version-at-commit.sh +++ /dev/null 
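Review bot: `version = $(git describe --always --tags --dirty)` is a Make variable reference, not a command substitution, so it expands to the empty string and the `-X ...cli.Version=$(version)` linker flag sets an empty version; the removed line used `$(shell ...)`, which is what is needed here: `version = $(shell git describe --always --tags --dirty)`. Using `:=` instead of `=` would additionally run git once rather than on every expansion of the variable.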
@@ -1,39 +0,0 @@ -#!/usr/bin/env bash - -set -e -o pipefail -commit="$1" -versionglob="v[0-9].[0-9]*.[0-9]*" -devsuffix=".dev" -if [ -z "$commit" ]; then - commit=`git log -n1 --first-parent "--format=format:%h"` -fi - -# automatically assign version -# -# handles the following cases: -# -# 0. no tags on the repository. Print "dev". -# -# 1. no local modifications and commit is directly tagged. Print tag. -# -# 2. no local modifications and commit is not tagged. Take greatest version tag in repo X.Y.Z and assign X.Y.(Z+1). Print that + $devsuffix + $timestamp. -# -# 3. local modifications. Print "dev". - -tags=$(git tag) -if [[ -z "$tags" ]]; then - echo "dev" -elif `git diff --quiet 2>/dev/null`; then - tagged=$(git tag --points-at "$commit") - if [[ -n "$tagged" ]] ; then - echo $tagged - else - nearest_tag=$(git describe --tags --abbrev=0 --match "$versionglob" "$commit") - v=$(echo $nearest_tag | perl -pe 's/(\d+)$/$1+1/e') - isodate=$(TZ=UTC git log -n1 --format=%cd --date=iso "$commit") - ts=$(TZ=UTC date --date="$isodate" "+%Y%m%d%H%M%S") - echo "${v}${devsuffix}${ts}" - fi -else - echo "dev" -fi From c312f8bf4a8e21284b1a1b41c414ad957142b469 Mon Sep 17 00:00:00 2001 From: Moritz Poldrack Date: Mon, 11 Apr 2022 08:56:40 +0200 Subject: [PATCH 40/44] set up Makefile for reproducible builds --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a2c225de..a708a103 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ PROTO_SOURCES = $(call rwildcard,,*.proto) build: - GGO_ENABLED=0 go build -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go + GGO_ENABLED=0 go build -trimpath -buildmode=pie -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go dev: lint test build From 8601dd1f4235c52d7f123c7bf802ab2be865978f Mon Sep 17 00:00:00 2001 
From: Moritz Poldrack Date: Mon, 11 Apr 2022 14:56:11 +0200 Subject: [PATCH 41/44] fixed CGO disabling --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a708a103..74ecd89e 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ PROTO_SOURCES = $(call rwildcard,,*.proto) build: - GGO_ENABLED=0 go build -trimpath -buildmode=pie -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go + CGO_ENABLED=0 go build -trimpath -buildmode=pie -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go dev: lint test build From 3d8dc9d2bff741089184cc10b5fc5d41eeab5251 Mon Sep 17 00:00:00 2001 From: Moritz Poldrack Date: Mon, 11 Apr 2022 13:43:49 +0200 Subject: [PATCH 42/44] fix discord invite Fixes: https://github.com/juanfont/headscale/issues/533 --- .github/ISSUE_TEMPLATE/config.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 99cc36fa..37a8cb80 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -7,5 +7,5 @@ contact_links: url: "https://github.com/juanfont/headscale/blob/main/docs" about: "Find documentation about how to configure and run headscale." - name: "headscale Discord community" - url: "https://discord.com/invite/XcQxk2VHjx" + url: "https://discord.gg/xGj2TuqyxY" about: "Please ask and answer questions about usage of headscale here." diff --git a/README.md b/README.md index 74abc85b..7f712416 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ An open source, self-hosted implementation of the Tailscale control server. -Join our [Discord](https://discord.gg/XcQxk2VHjx) server for a chat. +Join our [Discord](https://discord.gg/xGj2TuqyxY) server for a chat. **Note:** Always select the same GitHub tag as the released version you use to ensure you have the correct example configuration and documentation. From 9254afff2ddb48b6e60688ddad83abd6441893ec Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Thu, 21 Apr 2022 09:06:13 +0100 Subject: [PATCH 43/44] Add direnv and nix output to gitignore --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index d047cbfd..5556580d 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,7 @@ derp.yaml .idea test_output/ + +# Nix and direnv +.direnv/ +result From 580c72bf167f48fad9b534ad50c3247334480eff Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Thu, 21 Apr 2022 09:06:30 +0100 Subject: [PATCH 44/44] Update discord link so it does not grant temp memberships --- README.md | 2 +- docs/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7f712416..8631eb92 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ An open source, self-hosted implementation of the Tailscale control server. -Join our [Discord](https://discord.gg/xGj2TuqyxY) server for a chat. +Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat. **Note:** Always select the same GitHub tag as the released version you use to ensure you have the correct example configuration and documentation. diff --git a/docs/README.md b/docs/README.md index 7a3080e3..459a6c21 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -3,7 +3,7 @@ This page contains the official and community contributed documentation for `headscale`. If you are having trouble with following the documentation or get unexpected results, -please ask on [Discord](https://discord.gg/XcQxk2VHjx) instead of opening an Issue. +please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue. ## Official documentation