feat(ci): Bump to upstream v1.96.5 #32
Merged
ChandonPierre merged 203 commits into coreweave, Apr 1, 2026
Conversation
Signed-off-by: Nick O'Neill <nick@tailscale.com>
…olving tar gocross-wrapper.ps1 is written to use the version of tar that ships with Windows; we want to avoid conflicts with any other tar on the PATH, such as ones installed by MSYS and/or Cygwin. Updates tailscale/corp#29940 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
…grants (tailscale#18393) Updates #35796 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
…state of EnableDNSRegistration Policy editors, such as gpedit.msc and gpme.msc, rely on both the presence and the value of the registry value to determine whether a policy is enabled. Unless an enabledValue is specified explicitly, it defaults to REG_DWORD 1. Therefore, we cannot rely on the same registry value to track the policy configuration state when it is already used by a policy option, such as a dropdown. Otherwise, while the policy setting will be written and function correctly, it will appear as Not Configured in the policy editor due to the value mismatch (for example, REG_SZ "always" vs REG_DWORD 1). In this PR, we update the DNSRegistration policy setting to use the DNSRegistrationConfigured registry value for tracking. This change has no effect on the client side and exists solely to satisfy ADMX and policy editor requirements. Updates tailscale#14917 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…le#18428) fixes tailscale#18418 Both Serve and PeerAPI broke when we moved the TailscaleInterfaceName into State, which is updated asynchronously and may not be available when we configure the listeners. This extracts the explicit interface name property from netmon.State and adds it as a static struct with getters that have proper error handling. The bug is only found in sandboxed Darwin clients, where we need to know the Tailscale interface details in order to set up the listeners correctly (they must bind to our interface explicitly to escape the network sandboxing that is applied by NECP). Currently only sandboxed macOS and Plan9 set this, but it will also be useful on Windows to simplify interface filtering in netns. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
This change adds API to ipn.LocalBackend to retrieve the ETag when querying for the current serve config. This allows consumers of ipn.LocalBackend.SetServeConfig to utilize the concurrency control offered by ETags. Prior to this change, utilizing serve config ETags required copying the local backend's internal ETag calculation. The local API server was previously copying the local backend's ETag calculation as described above. With this change, the local API server now uses the new ETag retrieval function instead. Serve config ETags are therefore now opaque to clients, in line with best practices. Fixes tailscale/corp#35857 Signed-off-by: Harry Harpham <harry@tailscale.com>
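The concurrency control that commit message refers to is optimistic locking: a reader gets the config together with an opaque tag, and a writer hands the tag back as an If-Match condition so that a stale write is refused rather than clobbering a concurrent change. The following is an added illustration of that pattern written for this page; it is not Tailscale's ipn.LocalBackend code, and `ServeConfig`, `Backend`, `ServeConfigWithETag` and `SetServeConfig` are hypothetical names. The tag is derived from a SHA-256 of the canonical JSON form inside the backend, so callers never need to know how it is computed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// ServeConfig is a hypothetical stand-in for a serve configuration; it is not
// tailscale's ipn.ServeConfig.
type ServeConfig struct {
	TCP map[string]string `json:"tcp,omitempty"` // listen port -> backend
}

// ErrETagMismatch means the caller's If-Match tag no longer describes the
// stored config: another writer got there first, so this write is refused.
var ErrETagMismatch = errors.New("serve config: etag mismatch")

// Backend owns the config and is the only place that knows how ETags are
// derived, so clients can treat the tag as an opaque token.
type Backend struct {
	mu  sync.Mutex
	cfg ServeConfig
}

// etagOf derives a quoted, content-addressed tag from the canonical JSON form
// (encoding/json emits map keys in sorted order, so equal configs get equal tags).
func etagOf(c ServeConfig) (string, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return `"` + hex.EncodeToString(sum[:]) + `"`, nil
}

// ServeConfigWithETag returns the current config together with its ETag,
// computed under the same lock so the pair is always consistent.
func (b *Backend) ServeConfigWithETag() (ServeConfig, string, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	tag, err := etagOf(b.cfg)
	if err != nil {
		return ServeConfig{}, "", err
	}
	return b.cfg, tag, nil
}

// SetServeConfig replaces the config. An empty ifMatch is an unconditional
// write; otherwise the write only succeeds when ifMatch equals the ETag of
// what is currently stored.
func (b *Backend) SetServeConfig(c ServeConfig, ifMatch string) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	if ifMatch != "" {
		cur, err := etagOf(b.cfg)
		if err != nil {
			return err
		}
		if cur != ifMatch {
			return ErrETagMismatch
		}
	}
	b.cfg = c
	return nil
}

func main() {
	b := &Backend{}
	_, tag, _ := b.ServeConfigWithETag()
	err := b.SetServeConfig(ServeConfig{TCP: map[string]string{"443": "http://127.0.0.1:8080"}}, tag)
	fmt.Println("first write:", err) // <nil>
	// A second writer still holding the same, now stale, tag is rejected.
	err = b.SetServeConfig(ServeConfig{}, tag)
	fmt.Println("stale write:", err) // serve config: etag mismatch
}
```

The point of keeping `etagOf` unexported is exactly the one the commit makes: a client that re-implements the hash couples itself to the backend's serialization, and silently breaks the check the moment the representation changes.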
This change allows tsnet nodes to act as Service hosts by adding a new function, tsnet.Server.ListenService. Invoking this function will advertise the node as a host for the Service and create a listener to receive traffic for the Service. Fixes tailscale#17697 Fixes tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com>
…al port (tailscale#18349) net/portmapper: Stop replacing the internal port with the upnp external port This causes the UPnP mapping to break in the next recreation of the mapping. Fixes tailscale#18348 Signed-off-by: Eduardo Sorribas <eduardo@sorribas.org>
…Map (tailscale#18452)
* k8s-operator,kube: removing enableSessionRecordings option. It seems like it is going to create a confusing user experience and it's going to be a very niche use case, so we have decided to defer this for now. Updates tailscale/corp#35796 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
* k8s-operator: adding metric for env var deprecation Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
---------
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
…ale#18368) Polls IMDS (currently only AWS) for extra IPs to advertise as udprelay. Updates tailscale#17796 Change-Id: Iaaa899ef4575dc23b09a5b713ce6693f6a6a6964 Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
…ersion (tailscale#18462) fixes tailscale/corp#27182 tailscale version --json now includes an osVariant field that will report one of macsys, appstore or darwin. We can extend this to other platforms where tailscaled can have multiple personalities. This also adds the concept of a platform-specific callback for querying an explicit application identifier. On Apple, we can use CFBundleGetIdentifier(mainBundle) to get the bundle identifier via cgo. This removes all the ambiguity and lets us remove other less direct methods (like env vars, locations, etc). Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
…ilscale#18344) This commit contains the implementation of multi-tailnet support within the Kubernetes Operator. Each of our custom resources now exposes the `spec.tailnet` field. This field is a string that must match the name of an existing `Tailnet` resource. A `Tailnet` resource looks like this:

```yaml
apiVersion: tailscale.com/v1alpha1
kind: Tailnet
metadata:
  name: example # This is the name that must be referenced by other resources
spec:
  credentials:
    secretName: example-oauth
```

Each `Tailnet` references a `Secret` resource that contains a set of oauth credentials. This secret must be created in the same namespace as the operator:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: example-oauth # This is the name that's referenced by the Tailnet resource.
  namespace: tailscale
stringData:
  client_id: "client-id"
  client_secret: "client-secret"
```

When created, the operator performs a basic check that the oauth client has access to all required scopes. This is done using read actions on devices, keys & services. While this doesn't capture a missing "write" permission, it catches completely missing permissions. Once this check passes, the `Tailnet` moves into a ready state and can be referenced. Attempting to use a `Tailnet` in a non-ready state will stall the deployment of `Connector`s, `ProxyGroup`s and `Recorder`s until the `Tailnet` becomes ready. The `spec.tailnet` field informs the operator that a `Connector`, `ProxyGroup`, or `Recorder` must be given an auth key generated using the specified oauth client. For backwards compatibility, the set of credentials the operator is configured with are considered the default. That is, where `spec.tailnet` is not set, the resource will be deployed in the same tailnet as the operator. Updates tailscale/corp#34561
Fixes tailscale#18439 Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
) New gauge reflects endpoints state via labels:
- open, when both peers are connected and ready to talk, and
- connecting, when at least one peer hasn't connected yet.
Corresponding client metrics are logged as
- udprelay_endpoints_connecting
- udprelay_endpoints_open
Updates tailscale/corp#30820 Change-Id: Idb1baa90a38c97847e14f9b2390093262ad0ea23 Signed-off-by: Alex Valiushko <alexvaliushko@tailscale.com>
When we have not yet communicated with a peer, send a TSMPDiscoAdvertisement to let the peer know of our disco key. This is in most cases redundant, but will allow us to set up direct connections when the client cannot access control. Some parts taken from: tailscale#18073 Updates tailscale#12639 Signed-off-by: Claus Lensbøl <claus@tailscale.com>
Every other listen method on tsnet.Server makes this clarification, so should ListenService. Fixes tailscale/corp#36207 Signed-off-by: Harry Harpham <harry@tailscale.com>
tsnet users can now provide a tun.Device, including any custom implementation that conforms to the interface. netstack has a new option CheckLocalTransportEndpoints that when used alongside a TUN enables netstack listens and dials to correctly capture traffic associated with those sockets. tsnet with a TUN sets this option, while all other builds leave this at false to preserve existing performance. Updates tailscale#18423 Signed-off-by: James Tucker <james@tailscale.com>
…ale#18492) `dnf config-manager addrepo` will fail if the Tailscale repo is already installed. Without the --overwrite flag, the installer will error out instead of succeeding like with dnf3. Fixes tailscale#18491 Signed-off-by: Francois Marier <francois@fmarier.org>
…ailscale#18485) In order to better manage per-profile data resources on the client, add methods to the LocalBackend to support creation of per-profile directory structures in local storage. These methods build on the existing TailscaleVarRoot config, and have the same limitation (i.e., if no local storage is available, it will report an error when used). The immediate motivation is to support netmap caching, but we can also use this mechanism for other per-profile resources including pending taildrop files and Tailnet Lock authority caches. This commit only adds the directory-management plumbing; later commits will handle migrating taildrop, TKA, etc. to this mechanism, as well as caching network maps. Updates tailscale#12639 Change-Id: Ia75741955c7bf885e49c1ad99f856f669a754169 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
This file was never truly necessary and has never actually been used in the history of Tailscale's open source releases.

A Brief History of AUTHORS files
---

The AUTHORS file was a pattern developed at Google, originally for Chromium, then adopted by Go and a bunch of other projects. The problem was that Chromium originally had a copyright line only recognizing Google as the copyright holder. Because Google (and most open source projects) do not require copyright assignment for contributions, each contributor maintains their copyright. Some large corporate contributors then tried to add their own name to the copyright line in the LICENSE file or in file headers. This quickly becomes unwieldy, and puts a tremendous burden on anyone building on top of Chromium, since the license requires that they keep all copyright lines intact.

The compromise was to create an AUTHORS file that would list all of the copyright holders. The LICENSE file and source file headers would then include that list by reference, listing the copyright holder as "The Chromium Authors". This also became cumbersome to simply keep the file up to date with a high rate of new contributors. Plus it's not always obvious who the copyright holder is. Sometimes it is the individual making the contribution, but many times it may be their employer. There is no way for the project maintainer to know.

Eventually, Google changed their policy to no longer recommend trying to keep the AUTHORS file up to date proactively, and instead to only add to it when requested: https://opensource.google/docs/releasing/authors. They are also clear that:

> Adding contributors to the AUTHORS file is entirely within the
> project's discretion and has no implications for copyright ownership.

It was primarily added to appease a small number of large contributors that insisted that they be recognized as copyright holders (which was entirely their right to do).

But it's not truly necessary, and not even the most accurate way of identifying contributors and/or copyright holders. In practice, we've never added anyone to our AUTHORS file. It only lists Tailscale, so it's not really serving any purpose. It also causes confusion because Tailscalars put the "Tailscale Inc & AUTHORS" header in other open source repos which don't actually have an AUTHORS file, so it's ambiguous what that means.

Instead, we just acknowledge that the contributors to Tailscale (whoever they are) are copyright holders for their individual contributions. We also have the benefit of using the DCO (developercertificate.org) which provides some additional certification of their right to make the contribution.

The source file changes were purely mechanical with:

```sh
git ls-files | xargs sed -i -e 's/\(Tailscale Inc &\) AUTHORS/\1 contributors/g'
```

Updates #cleanup Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>
…n exit node on Windows Similarly to allowing link-local multicast in tailscale#13661, we should also allow broadcast traffic on permitted interfaces when the killswitch is enabled due to exit node usage on Windows. This always includes internal interfaces, such as Hyper-V/WSL2, and also the LAN when "Allow local network access" is enabled in the client. Updates tailscale#18504 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Updates tailscale#18506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
Fixes tailscale#18498 Signed-off-by: James Tucker <james@tailscale.com>
If conn25 config is sent in the netmap: add split DNS entries to use appropriately tagged peers' PeerAPI to resolve DNS requests for those domains. This will enable future work where we use the peers as connectors for the configured domains. Updates tailscale/corp#34252 Signed-off-by: Fran Bull <fran@tailscale.com>
RELNOTE=Add DNS-over-HTTPS support for CIRA Canadian Shield Fixes tailscale#18524 Signed-off-by: Andrew Dunham <andrew@tailscale.com>
Someone asked me if we use DNS-over-HTTPS if the system's resolver is an IP address that supports DoH and there's no global nameserver set (i.e. no "Override DNS servers" set). I didn't know the answer offhand, and it took a while for me to figure it out. The answer is yes, in cases where we take over the system's DNS configuration and read the base config, we do upgrade any DoH-capable resolver to use DoH. Here's a test that verifies this behaviour (and hopefully helps as documentation the next time someone has this question). Updates #cleanup Signed-off-by: Andrew Dunham <andrew@tailscale.com>
Fixes tailscale/corp#36365 Signed-off-by: Harry Harpham <harry@tailscale.com>
…ps (tailscale#18497) This commit is based on part of tailscale#17925, reworked as a separate package. Add a package that can store and load netmap.NetworkMap values in persistent storage, using a basic columnar representation. This commit includes a default storage interface based on plain files, but the interface can be implemented with more structured storage if we want to later. The tests are set up to require that all the fields of the NetworkMap are handled, except those explicitly designated as not-cached, and check that a fully-populated value can round-trip correctly through the cache. Adding or removing fields, either in the NetworkMap or in the cached representation, will trigger either build failures (e.g., for type mismatch) or test failures (e.g., for representation changes or missing fields). This isn't quite as nice as automatically updating the representation, which I also prototyped, but is much simpler to maintain and less code. This commit does not yet hook up the cache to the backend, that will be a subsequent change. Updates tailscale#12639 Change-Id: Icb48639e1d61f2aec59904ecd172c73e05ba7bf9 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
The Tailscale CLI has some methods to watch the IPN bus for messages, say, the current netmap (`tailscale debug netmap`). The Tailscale daemon supports this using a streaming HTTP response. Sometimes, the client can close its connection abruptly -- due to an interruption, or in the case of `debug netmap`, intentionally after consuming one message. If the server daemon is writing a response as the client closes its end of the socket, the daemon typically encounters a "broken pipe" error. The "Watch IPN Bus" handler currently logs such errors after they're propagated by a JSON encoding/writer helper. Since the Tailscale CLI nominally closes its socket with the daemon in this slightly ungraceful way (viz. `debug netmap`), stop logging these broken pipe errors as far as possible. This will help avoid confounding users when they scan backend logs. Updates tailscale#18477 Signed-off-by: Amal Bansode <amal@tailscale.com>
…dates This is a minimal hacky fix for a case where the portlist poller extension could miss updates to NetMap's CollectServices bool. Updates tailscale/corp#36813 Change-Id: I9b50de8ba8b09e4a44f9fbfe90c9df4d8ab4d586 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
After fixing the flaky tests in tailscale#18811 and tailscale#18814 we can enable running the natlab testsuite on CI generally. Fixes tailscale#18810 Signed-off-by: Claus Lensbøl <claus@tailscale.com>
…8883) We use the TS_USE_CACHED_NETMAP knob to condition loading a cached netmap, but were hitherto writing the map out to disk even when it was disabled. Let's not do that; the two should travel together. Updates tailscale#12639 Change-Id: Iee5aa828e2c59937d5b95093ea1ac26c9536721e Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
runtime.NumCPU() returns the number of CPUs on the host, which in containerized environments is the node's CPU count rather than the container's CPU limit. This causes excessive memory allocation in pods with low CPU requests running on large nodes, as each socket's packetReadLoop allocates significant buffer memory. Use runtime.GOMAXPROCS(0) instead, which is container-aware since Go 1.25 and respects CPU limits set via cgroups. Fixes tailscale#18774 Signed-off-by: Daniel Pañeda <daniel.paneda@clickhouse.com>
Go 1.26's url.Parser is stricter and made our tests elsewhere fail with this scheme because when these listen addresses get shoved into a URL, it can't parse back out. I verified this makes tests elsewhere pass with Go 1.26. Updates tailscale#18682 Change-Id: I04dd3cee591aa85a9417a0bbae2b6f699d8302fa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#18682 Change-Id: I1eadfab950e55d004484af880a5d8df6893e85e8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…ailscale#18893) Remove the TS_EXPERIMENTAL_KUBE_API_EVENTS env var from the operator and its helm chart. This has already been marked as deprecated, and has been scheduled to be removed in release 1.96. Add a check in helm chart to fail if the removed variable is set to true, prompting users to move to ACLs instead. Fixes: tailscale#18875 Signed-off-by: Becky Pauley <becky@tailscale.com>
This commit adds `--json` output mode to dns debug commands. It defines structs for the data that is returned from `tailscale dns status` and `tailscale dns query <DOMAIN>` and populates them as it runs the diagnostics. When all the information is collected, it is serialised to JSON or built into a string output and returned to the user. The structs are defined and exported so that golang consumers of this command can use them for unmarshalling. Updates tailscale#13326 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
…ilscale#18545) OpenWrt is changing to using alpine like `apk` for package installation over its previous opkg. Additionally, they are not using the same repo files as alpine making installation fail. Add support for the new repository files and ensure that the required package detection system uses apk. Updates tailscale#18535 Signed-off-by: Claus Lensbøl <claus@tailscale.com>
…18179) Considerable latency was seen when using k8s-proxy with ProxyGroup in the kubernetes operator. Switching to L4 TCPForward solves this. Fixes tailscale#18171 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
We did so for Linux and macOS already, so also do so for Windows. We only didn't already because originally we never produced binaries for it (due to our corp repo not needing them), and later because we had no ./tool/go wrapper. But we have both of those things now. Updates tailscale#18884 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit 0023f1a)
Updates tailscale#18682 Change-Id: I855c0dfa4c61eb33123bbb7b00c1ab5506e80b09 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit 4453cc5)
This picks up the change in tailscale/go@5cce30e Updates tailscale#18884 Updates tailscale/go#158 Updates golang/go#77975 Signed-off-by: Nick Khyl <nickk@tailscale.com> (cherry picked from commit 8d3efd4)
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
…ailscale#18749) (tailscale#18938)
* cmd/k8s-operator: use correct tailnet client for L7 & L3 ingresses. This commit fixes a bug when using multi-tailnet within the operator to spin up L7 & L3 ingresses where the client used to create the tailscale services was not switching depending on the tailnet used by the proxygroup backing the service/ingress. Updates: tailscale/corp#34561
* cmd/k8s-operator: adding server url to proxygroups when a custom tailnet has been specified (cherry picked from commit 3b21ac5504e713e32dfcd43d9ee21e7e712ac200)
---------
(cherry picked from commit 9522619) Signed-off-by: David Bond <davidsbond93@gmail.com> Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>
…ailscale#18946) (tailscale#18947) When IPv6 is unavailable on a system, AddConnmarkSaveRule() and DelConnmarkSaveRule() would panic with a nil pointer dereference. Both methods directly iterated over []iptablesInterface{i.ipt4, i.ipt6} without checking if ipt6 was nil. Use `getTables()` instead to properly retrieve the available tables on a given system. Fixes tailscale#3310 (cherry picked from commit 021de2e) Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
tailscale#16450) (tailscale#18962) Adds logic for containerboot to signal that it can't auth, so the operator can reissue a new auth key. This only applies when running with a config file and with a kube state store. If the operator sees reissue_authkey in a state Secret, it will create a new auth key iff the config has no auth key or its auth key matches the value of reissue_authkey from the state Secret. This is to ensure we don't reissue auth keys in a tight loop if the proxy is slow to start or failing for some other reason. The reissue logic also uses a burstable rate limiter to ensure there's no way a terminally misconfigured or buggy operator can automatically generate new auth keys in a tight loop.

Additional implementation details (ChaosInTheCRD):
- Added `ipn.NotifyInitialHealthState` to ipn watcher, to ensure that `n.Health` is populated when notifies are returned.
- On auth failure, containerboot:
  - Disconnects from control server
  - Sets reissue_authkey marker in state Secret with the failing key
  - Polls config file for new auth key (10 minute timeout)
  - Restarts after receiving new key to apply it
- Modified operator's reissue logic slightly:
  - Deletes old device from tailnet before creating new key
  - Rate limiting: 1 key per 30s with initial burst equal to replica count
  - In-flight tracking (authKeyReissuing map) prevents duplicate API calls across reconcile loops

Updates tailscale#14080 Change-Id: I6982f8e741932a6891f2f48a2936f7f6a455317f (cherry picked from commit 969927c) (cherry picked from commit 95a135e) Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
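The safety properties that commit message spells out (reissue only when the config key is absent or equals the reported marker, one reissue in flight per proxy, and a token bucket of 1 key per 30s with an initial burst equal to the replica count) compose into a single decision function. The following is an added example written for this page, not the operator's own code: `Reissuer`, `ShouldReissue`, `Done` and the injectable clock are hypothetical names, the `tskey-…` strings are constructed sample values, and the limiter is a hand-written token bucket rather than whatever library the operator uses. It shows why each guard exists by exercising the cases where it refuses.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// reissueLimiter is a token bucket: it starts full with `burst` tokens (one
// per replica, so a fresh rollout can hand every replica a key at once) and
// refills one token per `interval` afterwards. Nothing can mint keys faster
// than that, however often reconciles run.
type reissueLimiter struct {
	tokens, burst float64
	interval      time.Duration
	last          time.Time
	now           func() time.Time // injectable clock (hypothetical; used by tests)
}

func (l *reissueLimiter) allow() bool {
	t := l.now()
	if d := t.Sub(l.last); d > 0 {
		l.tokens += float64(d) / float64(l.interval)
		if l.tokens > l.burst {
			l.tokens = l.burst
		}
		l.last = t
	}
	if l.tokens < 1 {
		return false
	}
	l.tokens--
	return true
}

// Reissuer decides, per proxy, whether the operator should mint a new auth key.
type Reissuer struct {
	mu       sync.Mutex
	lim      reissueLimiter
	inFlight map[string]bool // proxy name -> reissue already in progress
}

// NewReissuer sizes the burst to the replica count; a nil clock means time.Now.
func NewReissuer(replicas int, interval time.Duration, now func() time.Time) *Reissuer {
	if now == nil {
		now = time.Now
	}
	return &Reissuer{
		lim:      reissueLimiter{tokens: float64(replicas), burst: float64(replicas), interval: interval, last: now(), now: now},
		inFlight: map[string]bool{},
	}
}

// ShouldReissue reports whether a new key should be created for proxy `name`.
// configKey is the auth key in the proxy's config ("" if none); marker is the
// reissue_authkey value read from its state Secret ("" if absent).
func (r *Reissuer) ShouldReissue(name, configKey, marker string) bool {
	if marker == "" {
		return false // the proxy has not reported an auth failure
	}
	if configKey != "" && configKey != marker {
		return false // config already carries a different key; let the proxy retry with it
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.inFlight[name] {
		return false // another reconcile loop is already handling this proxy
	}
	if !r.lim.allow() {
		return false // rate limit: the bucket is empty, try again next reconcile
	}
	r.inFlight[name] = true
	return true
}

// Done clears the in-flight mark once the new key has been written.
func (r *Reissuer) Done(name string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	delete(r.inFlight, name)
}

func main() {
	r := NewReissuer(2, 30*time.Second, nil)
	fmt.Println(r.ShouldReissue("proxy-0", "tskey-old", "tskey-old")) // true: marker matches config
	fmt.Println(r.ShouldReissue("proxy-0", "tskey-old", "tskey-old")) // false: already in flight
	r.Done("proxy-0")
	fmt.Println(r.ShouldReissue("proxy-1", "", "tskey-old"))          // true: no key in config
	fmt.Println(r.ShouldReissue("proxy-2", "tskey-old", "tskey-old")) // false: burst of 2 spent
}
```

The ordering inside `ShouldReissue` matters: the in-flight check runs before the limiter so that a duplicate reconcile does not burn a token, and the marker/config comparison runs before both so that a proxy which already received a fresh key (config key differs from the marker) never consumes capacity at all.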
Signed-off-by: Nick O'Neill <nick@tailscale.com>
…scale#19020) (tailscale#19021) After tailscale#18179 switched to L4 TCPForward, EnsureCertLoops found no domains since it only checked service.Web entries. Certs were never provisioned, leaving kube-apiserver ProxyGroups stuck at 0/N ready. Fixes tailscale#19019 (cherry picked from commit a565833) Signed-off-by: Raj Singh <raj@tailscale.com> Co-authored-by: Raj Singh <raj@tailscale.com>
…RPT rule on Windows
If an NRPT rule lists more than one server, those servers should be separated by a semicolon (";"),
rather than a semicolon followed by a space ("; "). Otherwise, Windows fails to parse the created
registry value, and DNS resolution may fail.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/06088ca3-4cf1-48fa-8837-ca8d853ee1e8
Fixes tailscale#19040
Updates tailscale#15404 (enabled MagicDNS IPv6 by default, adding a second server and triggering the issue)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
(cherry picked from commit 0d8d383)
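The defect that commit describes is a one-character formatting error that only appears once a rule carries two servers. The following is an added example written for this page, not Tailscale's Windows DNS code: `NRPTNameServers` builds the NameServers value with a bare ";" separator, and `ParseNRPTNameServers` is this example's own strict checker (not Windows' parser) that shows why the "; " form fails, since the second element then starts with a space and is no longer a valid address. The two resolver addresses in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// NRPTNameServers formats the NameServers value of an NRPT rule: addresses
// joined by a bare ";" with no surrounding whitespace.
func NRPTNameServers(servers []netip.Addr) string {
	parts := make([]string, len(servers))
	for i, s := range servers {
		parts[i] = s.String()
	}
	return strings.Join(parts, ";")
}

// ParseNRPTNameServers is a strict round-trip check (this example's own, not
// Windows' parser): every ";"-separated element must be a bare IP address.
// A value joined with "; " leaves a leading space on the second element, so
// the whole value is rejected rather than silently losing a resolver.
func ParseNRPTNameServers(v string) ([]netip.Addr, error) {
	var out []netip.Addr
	for _, part := range strings.Split(v, ";") {
		addr, err := netip.ParseAddr(part)
		if err != nil {
			return nil, fmt.Errorf("NRPT NameServers element %q: %w", part, err)
		}
		out = append(out, addr)
	}
	return out, nil
}

func main() {
	// Constructed sample resolvers: one IPv4 and one IPv6, the shape that
	// enabling MagicDNS IPv6 by default produces.
	servers := []netip.Addr{
		netip.MustParseAddr("100.100.100.100"),
		netip.MustParseAddr("fd7a:115c:a1e0::53"),
	}
	good := NRPTNameServers(servers)
	fmt.Println(good) // 100.100.100.100;fd7a:115c:a1e0::53
	_, err := ParseNRPTNameServers(good)
	fmt.Println(`joined with ";":`, err) // <nil>
	bad := servers[0].String() + "; " + servers[1].String()
	_, err = ParseNRPTNameServers(bad)
	fmt.Println(`joined with "; ":`, err) // error on " fd7a:115c:a1e0::53"
}
```

A round-trip check like `ParseNRPTNameServers` is cheap to keep in a unit test next to the formatter, and is what would have caught this regression when the second server was added rather than after it reached users.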
…git repo This test was failing on Alpine's CI which had 'git' but wasn't in a git repo: tailscale@036b6a1#commitcomment-180001647 Updates tailscale#12614 Change-Id: Ic1b8856aaf020788a2a57e48738851e13ea85a93 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit ac19bd5)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
Updates tailscale#19039 Updates tailscale/go#160 Updates tailscale/go#162 Updates golang/go#77730 Updates golang/go#77930 Signed-off-by: Nick Khyl <nickk@tailscale.com> (cherry picked from commit 33da8a8)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
The tailscale-online.target and tailscale-wait-online.service systemd units were added in 30e1231 but never included in the release packaging (tarballs, debs, rpms). Updates tailscale#11504 Change-Id: I93e03e1330a7ff8facf845c7ca062ed2f0d35eaa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> (cherry picked from commit 2b1030a)
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
Release 1.96.5
cmtly
approved these changes
Apr 1, 2026
https://tailscale.com/changelog#2026-03-30
This takes this repo from 1.94.1 > 1.96.5