VERSION.txt: this is v1.30.2

Signed-off-by: Denton Gentry <dgentry@tailscale.com>

.github/workflows/cifuzz.yml

@@ -1,7 +1,5 @@
 name: CIFuzz
-on:
-  push:
-    branches: [ main, release-branch/* ]
+on: [pull_request]
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -9,7 +7,7 @@ concurrency:
 
 jobs:
   Fuzzing:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
     steps:
     - name: Build Fuzzers
       id: build
@@ -22,7 +20,7 @@ jobs:
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
         oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 900
+        fuzz-seconds: 300
         dry-run: false
         language: go
     - name: Upload Crash

.github/workflows/codeql-analysis.yml

@@ -27,7 +27,7 @@ concurrency:
 jobs:
   analyze:
     name: Analyze
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read

.github/workflows/cross-android.yml

@@ -1,54 +0,0 @@
-name: Android-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: github-4vcpu-ubuntu-2204
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Android smoke build
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-      env:
-        GOOS: android
-        GOARCH: arm64
-      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-darwin.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-freebsd.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-openbsd.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-wasm.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-windows.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/linux-race.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/linux.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
@@ -38,6 +38,10 @@ jobs:
 
     - name: Get QEMU
       run: |
+        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
+        # to run Go binaries. 5.2.0 (Debian bullseye) empirically works, and
+        # use this PPA which brings in a modern qemu.
+        sudo add-apt-repository -y ppa:jacob/virtualisation
         sudo apt-get -y update
         sudo apt-get -y install qemu-user
 

.github/workflows/linux32.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/static-analysis.yml

@@ -40,7 +40,7 @@ jobs:
       if: failure() && github.event_name == 'push'
 
   vet:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
     steps:
     - name: Set up Go
       uses: actions/setup-go@v3
@@ -66,7 +66,7 @@ jobs:
       if: failure() && github.event_name == 'push'
 
   staticcheck:
-    runs-on: github-4vcpu-ubuntu-2204
+    runs-on: ubuntu-latest
     strategy:
       matrix:
         goos: [linux, windows, darwin]

.github/workflows/windows.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   test:
-    runs-on: windows-8vcpu
+    runs-on: windows-latest
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

Dockerfile

@@ -32,7 +32,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.19-alpine AS build-env
+FROM golang:1.18-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 

VERSION.txt

@@ -1 +1 @@
-1.31.0
+1.30.2

atomicfile/atomicfile.go

@@ -9,6 +9,7 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -17,7 +18,7 @@ import (
 // WriteFile writes data to filename+some suffix, then renames it
 // into filename. The perm argument is ignored on Windows.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}

client/tailscale/localclient.go

@@ -15,6 +15,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptrace"
@@ -136,7 +137,7 @@ func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Respons
 			onVersionMismatch(ipn.IPCVersion(), server)
 		}
 		if res.StatusCode == 403 {
-			all, _ := io.ReadAll(res.Body)
+			all, _ := ioutil.ReadAll(res.Body)
 			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
 		}
 		return res, nil
@@ -206,7 +207,7 @@ func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus
 		return nil, err
 	}
 	defer res.Body.Close()
-	slurp, err := io.ReadAll(res.Body)
+	slurp, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -364,7 +365,7 @@ func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc
 		return nil, 0, fmt.Errorf("unexpected chunking")
 	}
 	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
+		body, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
 	}

client/tailscale/tailscale.go

@@ -17,6 +17,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 )
 
@@ -130,7 +131,7 @@ func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error)
 
 	// Read response. Limit the response to 10MB.
 	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
+	b, err := ioutil.ReadAll(body)
 	if len(b) > maxReadSize {
 		err = errors.New("API response too large")
 	}

cmd/derper/bootstrap_dns.go

@@ -17,31 +17,16 @@ import (
 	"tailscale.com/syncs"
 )
 
-const refreshTimeout = time.Minute
+var dnsCache syncs.AtomicValue[[]byte]
 
-type dnsEntryMap map[string][]net.IP
-
-var (
-	dnsCache            syncs.AtomicValue[dnsEntryMap]
-	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
-)
-
-var (
-	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-)
+var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
 
 func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" && *unpublishedDNS == "" {
+	if *bootstrapDNS == "" {
 		return
 	}
 	for {
 		refreshBootstrapDNS()
-		refreshUnpublishedDNS()
 		time.Sleep(10 * time.Minute)
 	}
 }
@@ -50,34 +35,10 @@ func refreshBootstrapDNS() {
 	if *bootstrapDNS == "" {
 		return
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
+	dnsEntries := make(map[string][]net.IP)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-
-	dnsCache.Store(dnsEntries)
-	dnsCacheBytes.Store(j)
-}
-
-func refreshUnpublishedDNS() {
-	if *unpublishedDNS == "" {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
-	defer cancel()
-
-	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
-	unpublishedDNSCache.Store(dnsEntries)
-}
-
-func resolveList(ctx context.Context, names []string) dnsEntryMap {
-	dnsEntries := make(dnsEntryMap)
-
+	names := strings.Split(*bootstrapDNS, ",")
 	var r net.Resolver
 	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
@@ -87,47 +48,21 @@ func resolveList(ctx context.Context, names []string) dnsEntryMap {
 		}
 		dnsEntries[name] = addrs
 	}
-	return dnsEntries
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
+	if err != nil {
+		// leave the old values in place
+		return
+	}
+	dnsCache.Store(j)
 }
 
 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
-
 	w.Header().Set("Content-Type", "application/json")
-	// Bootstrap DNS requests occur cross-regions, and are randomized per
-	// request, so keeping a connection open is pointlessly expensive.
+	j := dnsCache.Load()
+	// Bootstrap DNS requests occur cross-regions,
+	// and are randomized per request,
+	// so keeping a connection open is pointlessly expensive.
 	w.Header().Set("Connection", "close")
-
-	// Try answering a query from our hidden map first
-	if q := r.URL.Query().Get("q"); q != "" {
-		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
-			unpublishedDNSHits.Add(1)
-
-			// Only return the specific query, not everything.
-			m := dnsEntryMap{q: ips}
-			j, err := json.MarshalIndent(m, "", "\t")
-			if err == nil {
-				w.Write(j)
-				return
-			}
-		}
-
-		// If we have a "q" query for a name in the published cache
-		// list, then track whether that's a hit/miss.
-		if m, ok := dnsCache.Load()[q]; ok {
-			if len(m) > 0 {
-				publishedDNSHits.Add(1)
-			} else {
-				publishedDNSMisses.Add(1)
-			}
-		} else {
-			// If it wasn't in either cache, treat this as a query
-			// for the unpublished cache, and thus a cache miss.
-			unpublishedDNSMisses.Add(1)
-		}
-	}
-
-	// Fall back to returning the public set of cached DNS names
-	j := dnsCacheBytes.Load()
 	w.Write(j)
 }

cmd/derper/bootstrap_dns_test.go

@@ -5,12 +5,7 @@
 package main
 
 import (
-	"encoding/json"
-	"net"
 	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
 	"testing"
 )
 
@@ -22,12 +17,11 @@ func BenchmarkHandleBootstrapDNS(b *testing.B) {
 	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	b.RunParallel(func(b *testing.PB) {
 		for b.Next() {
-			handleBootstrapDNS(w, req)
+			handleBootstrapDNS(w, nil)
 		}
 	})
 }
@@ -39,116 +33,3 @@ func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header
 func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }
 
 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
-
-func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
-	t.Helper()
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
-	w := httptest.NewRecorder()
-	handleBootstrapDNS(w, req)
-
-	res := w.Result()
-	if res.StatusCode != 200 {
-		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
-	}
-	var ips dnsEntryMap
-	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
-		t.Fatalf("error decoding response body: %v", err)
-	}
-	return ips
-}
-
-func TestUnpublishedDNS(t *testing.T) {
-	const published = "login.tailscale.com"
-	const unpublished = "log.tailscale.io"
-
-	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
-	*bootstrapDNS = published
-	*unpublishedDNS = unpublished
-	t.Cleanup(func() {
-		*bootstrapDNS = prev1
-		*unpublishedDNS = prev2
-	})
-
-	refreshBootstrapDNS()
-	refreshUnpublishedDNS()
-
-	hasResponse := func(q string) bool {
-		_, found := getBootstrapDNS(t, q)[q]
-		return found
-	}
-
-	if !hasResponse(published) {
-		t.Errorf("expected response for: %s", published)
-	}
-	if !hasResponse(unpublished) {
-		t.Errorf("expected response for: %s", unpublished)
-	}
-
-	// Verify that querying for a random query or a real query does not
-	// leak our unpublished domain
-	m1 := getBootstrapDNS(t, published)
-	if _, found := m1[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m1)
-	}
-	m2 := getBootstrapDNS(t, "random.example.com")
-	if _, found := m2[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m2)
-	}
-}
-
-func resetMetrics() {
-	publishedDNSHits.Set(0)
-	publishedDNSMisses.Set(0)
-	unpublishedDNSHits.Set(0)
-	unpublishedDNSMisses.Set(0)
-}
-
-// Verify that we don't count an empty list in the unpublishedDNSCache as a
-// cache hit in our metrics.
-func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := dnsEntryMap{
-		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
-	}
-	dnsCache.Store(pub)
-	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
-
-	unpublishedDNSCache.Store(dnsEntryMap{
-		"log.tailscale.io":           {},
-		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-	})
-
-	t.Run("CacheMiss", func(t *testing.T) {
-		// One domain in map but empty, one not in map at all
-		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
-			resetMetrics()
-			ips := getBootstrapDNS(t, q)
-
-			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub)
-			}
-			if v := unpublishedDNSHits.Value(); v != 0 {
-				t.Errorf("got hits=%d; want 0", v)
-			}
-			if v := unpublishedDNSMisses.Value(); v != 1 {
-				t.Errorf("got misses=%d; want 1", v)
-			}
-		}
-	})
-
-	// Verify that we do get a valid response and metric.
-	t.Run("CacheHit", func(t *testing.T) {
-		resetMetrics()
-		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
-		if !reflect.DeepEqual(ips, want) {
-			t.Errorf("got ips=%+v; want %+v", ips, want)
-		}
-		if v := unpublishedDNSHits.Value(); v != 1 {
-			t.Errorf("got hits=%d; want 1", v)
-		}
-		if v := unpublishedDNSMisses.Value(); v != 0 {
-			t.Errorf("got misses=%d; want 0", v)
-		}
-	})
-}

cmd/derper/depaware.txt

@@ -51,7 +51,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale
         tailscale.com/syncs                                          from tailscale.com/cmd/derper+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
+        tailscale.com/tka                                            from tailscale.com/client/tailscale
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter

cmd/derper/derper.go

@@ -14,6 +14,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math"
 	"net"
@@ -25,7 +26,6 @@ import (
 	"strings"
 	"time"
 
-	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
@@ -46,13 +46,11 @@ var (
 	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
 	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
 	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
 
-	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
-	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 
 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
@@ -98,7 +96,7 @@ func loadConfig() config {
 		}
 		log.Printf("no config path specified; using %s", *configPath)
 	}
-	b, err := os.ReadFile(*configPath)
+	b, err := ioutil.ReadFile(*configPath)
 	switch {
 	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
@@ -154,7 +152,7 @@ func main() {
 	s.SetVerifyClient(*verifyClients)
 
 	if *meshPSKFile != "" {
-		b, err := os.ReadFile(*meshPSKFile)
+		b, err := ioutil.ReadFile(*meshPSKFile)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -171,15 +169,9 @@ func main() {
 	expvar.Publish("derp", s.ExpVar())
 
 	mux := http.NewServeMux()
-	if *runDERP {
-		derpHandler := derphttp.Handler(s)
-		derpHandler = addWebSocketSupport(s, derpHandler)
-		mux.Handle("/derp", derpHandler)
-	} else {
-		mux.Handle("/derp", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "derp server disabled", http.StatusNotFound)
-		}))
-	}
+	derpHandler := derphttp.Handler(s)
+	derpHandler = addWebSocketSupport(s, derpHandler)
+	mux.Handle("/derp", derpHandler)
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
@@ -195,17 +187,10 @@ func main() {
   server.
 </p>
 `)
-		if !*runDERP {
-			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
-		}
 		if tsweb.AllowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, "User-agent: *\nDisallow: /\n")
-	}))
-	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
 	debug := tsweb.Debugger(mux)
 	debug.KV("TLS hostname", *hostname)
 	debug.KV("Mesh key", s.HasMeshKey())
@@ -223,11 +208,9 @@ func main() {
 		go serveSTUN(listenHost, *stunPort)
 	}
 
-	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
-		Addr:     *addr,
-		Handler:  mux,
-		ErrorLog: quietLogger,
+		Addr:    *addr,
+		Handler: mux,
 
 		// Set read/write timeout. For derper, this basically
 		// only affects TLS setup, as read/write deadlines are
@@ -293,13 +276,9 @@ func main() {
 		})
 		if *httpPort > -1 {
 			go func() {
-				port80mux := http.NewServeMux()
-				port80mux.HandleFunc("/generate_204", serveNoContent)
-				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 				port80srv := &http.Server{
 					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     port80mux,
-					ErrorLog:    quietLogger,
+					Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
 					ReadTimeout: 30 * time.Second,
 					// Crank up WriteTimeout a bit more than usually
 					// necessary just so we can do long CPU profiles
@@ -325,11 +304,6 @@ func main() {
 	}
 }
 
-// For captive portal detection
-func serveNoContent(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusNoContent)
-}
-
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
@@ -475,22 +449,3 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
-
-// logFilter is used to filter out useless error logs that are logged to
-// the net/http.Server.ErrorLog logger.
-type logFilter struct{}
-
-func (logFilter) Write(p []byte) (int, error) {
-	b := mem.B(p)
-	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
-		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
-		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
-		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
-		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
-		// Skip this log message, but say that we processed it
-		return len(p), nil
-	}
-
-	log.Printf("%s", p)
-	return len(p), nil
-}

cmd/derper/websocket.go

@@ -33,12 +33,6 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 			Subprotocols:   []string{"derp"},
 			OriginPatterns: []string{"*"},
-			// Disable compression because we transmit WireGuard messages that
-			// are not compressible.
-			// Additionally, Safari has a broken implementation of compression
-			// (see https://github.com/nhooyr/websocket/issues/218) that makes
-			// enabling it actively harmful.
-			CompressionMode: websocket.CompressionDisabled,
 		})
 		if err != nil {
 			log.Printf("websocket.Accept: %v", err)

cmd/hello/hello.go

@@ -13,6 +13,7 @@ import (
 	"errors"
 	"flag"
 	"html/template"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -105,7 +106,7 @@ func devMode() bool { return *httpsAddr == "" && *httpAddr != "" }
 
 func getTmpl() (*template.Template, error) {
 	if devMode() {
-		tmplData, err := os.ReadFile("hello.tmpl.html")
+		tmplData, err := ioutil.ReadFile("hello.tmpl.html")
 		if os.IsNotExist(err) {
 			log.Printf("using baked-in template in dev mode; can't find hello.tmpl.html in current directory")
 			return tmpl, nil

cmd/nginx-auth/nginx-auth.go

@@ -75,7 +75,12 @@ func main() {
 				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
 				return
 			}
-			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
+			tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
+			if !ok {
+				w.WriteHeader(http.StatusUnauthorized)
+				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+				return
+			}
 		}
 
 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {

cmd/speedtest/speedtest.go

@@ -110,12 +110,11 @@ func runSpeedtest(ctx context.Context, args []string) error {
 	w := tabwriter.NewWriter(os.Stdout, 12, 0, 0, ' ', tabwriter.TabIndent)
 	fmt.Println("Results:")
 	fmt.Fprintln(w, "Interval\t\tTransfer\t\tBandwidth\t\t")
-	startTime := results[0].IntervalStart
 	for _, r := range results {
 		if r.Total {
 			fmt.Fprintln(w, "-------------------------------------------------------------------------")
 		}
-		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Sub(startTime).Seconds(), r.IntervalEnd.Sub(startTime).Seconds(), r.MegaBits(), r.MBitsPerSecond())
+		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Seconds(), r.IntervalEnd.Seconds(), r.MegaBits(), r.MBitsPerSecond())
 	}
 	w.Flush()
 	return nil

cmd/tailscale/cli/cert.go

@@ -29,7 +29,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),

cmd/tailscale/cli/cli_test.go

@@ -762,9 +762,6 @@ func TestPrefFlagMapping(t *testing.T) {
 		case "NotepadURLs":
 			// TODO(bradfitz): https://github.com/tailscale/tailscale/issues/1830
 			continue
-		case "Egg":
-			// Not applicable.
-			continue
 		}
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
@@ -789,10 +786,6 @@ func TestUpdatePrefs(t *testing.T) {
 		curPrefs *ipn.Prefs
 		env      upCheckEnv // empty goos means "linux"
 
-		// sshOverTailscale specifies if the cmd being run over SSH over Tailscale.
-		// It is used to test the --accept-risks flag.
-		sshOverTailscale bool
-
 		// checkUpdatePrefsMutations, if non-nil, is run with the new prefs after
 		// updatePrefs might've mutated them (from applyImplicitPrefs).
 		checkUpdatePrefsMutations func(t *testing.T, newPrefs *ipn.Prefs)
@@ -920,159 +913,15 @@ func TestUpdatePrefs(t *testing.T) {
 				}
 			},
 		},
-		{
-			name:  "enable_ssh",
-			flags: []string{"--ssh"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:  "disable_ssh",
-			flags: []string{"--ssh=false"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running", upArgs: upArgsT{
-				runSSH: true,
-			}},
-		},
-		{
-			name:             "disable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=false"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				RunSSH:           true,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=true"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh",
-			flags:            []string{"--ssh=true", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:             "disable_ssh_over_ssh",
-			flags:            []string{"--ssh=false", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.sshOverTailscale {
-				old := getSSHClientEnvVar
-				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
-				t.Cleanup(func() { getSSHClientEnvVar = old })
-			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
 			}
 			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
 			flags := CleanUpArgs(tt.flags)
-			if err := tt.env.flagSet.Parse(flags); err != nil {
-				t.Fatal(err)
-			}
+			tt.env.flagSet.Parse(flags)
 
 			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
 			if err != nil {
@@ -1087,8 +936,6 @@ func TestUpdatePrefs(t *testing.T) {
 					return
 				}
 				t.Fatal(err)
-			} else if tt.wantErrSubtr != "" {
-				t.Fatalf("want error %q, got nil", tt.wantErrSubtr)
 			}
 			if tt.checkUpdatePrefsMutations != nil {
 				tt.checkUpdatePrefsMutations(t, newPrefs)
@@ -1102,18 +949,13 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }
 
-func asJSON(v any) string {
-	b, _ := json.MarshalIndent(v, "", "\t")
-	return string(b)
-}
-
 var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
 	return a == b
 })

cmd/tailscale/cli/configure-host.go

@@ -48,11 +48,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	hi:= hostinfo.New()
-	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
-	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
+	osVer := hostinfo.GetOSVersion()
+	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
+	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
 	if !isDSM6 && !isDSM7 {
-		return fmt.Errorf("unsupported DSM version %q", hi.DistroVersion)
+		return fmt.Errorf("unsupported DSM version %q", osVer)
 	}
 	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
 		if err := os.MkdirAll("/dev/net", 0755); err != nil {

cmd/tailscale/cli/debug.go

@@ -489,15 +489,7 @@ func runTS2021(ctx context.Context, args []string) error {
 		return c, err
 	}
 
-	conn, err := (&controlhttp.Dialer{
-		Hostname:        ts2021Args.host,
-		HTTPPort:        "80",
-		HTTPSPort:       "443",
-		MachineKey:      machinePrivate,
-		ControlKey:      keys.PublicKey,
-		ProtocolVersion: uint16(ts2021Args.version),
-		Dialer:          dialFunc,
-	}).Dial(ctx)
+	conn, err := controlhttp.Dial(ctx, ts2021Args.host, "80", "443", machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
 	log.Printf("controlhttp.Dial = %p, %v", conn, err)
 	if err != nil {
 		return err

cmd/tailscale/cli/down.go

@@ -22,13 +22,9 @@ var downCmd = &ffcli.Command{
 	FlagSet: newDownFlagSet(),
 }
 
-var downArgs struct {
-	acceptedRisks string
-}
-
 func newDownFlagSet() *flag.FlagSet {
 	downf := newFlagSet("down")
-	registerAcceptRiskFlag(downf, &downArgs.acceptedRisks)
+	registerAcceptRiskFlag(downf)
 	return downf
 }
 
@@ -38,7 +34,7 @@ func runDown(ctx context.Context, args []string) error {
 	}
 
 	if isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`, downArgs.acceptedRisks); err != nil {
+		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`); err != nil {
 			return err
 		}
 	}

cmd/tailscale/cli/netcheck.go

@@ -10,6 +10,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"sort"
@@ -133,9 +134,6 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
 	printf("\t* HairPinning: %v\n", report.HairPinning)
 	printf("\t* PortMapping: %v\n", portMapping(report))
-	if report.CaptivePortal != "" {
-		printf("\t* CaptivePortal: %v\n", report.CaptivePortal)
-	}
 
 	// When DERP latency checking failed,
 	// magicsock will try to pick the DERP server that
@@ -204,7 +202,7 @@ func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, err
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}

cmd/tailscale/cli/risks.go

@@ -16,8 +16,9 @@ import (
 )
 
 var (
-	riskTypes   []string
-	riskLoseSSH = registerRiskType("lose-ssh")
+	riskTypes     []string
+	acceptedRisks string
+	riskLoseSSH   = registerRiskType("lose-ssh")
 )
 
 func registerRiskType(riskType string) string {
@@ -27,13 +28,12 @@ func registerRiskType(riskType string) string {
 
 // registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
 // in presentRiskToUser.
-func registerAcceptRiskFlag(f *flag.FlagSet, acceptedRisks *string) {
-	f.StringVar(acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
+func registerAcceptRiskFlag(f *flag.FlagSet) {
+	f.StringVar(&acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
 }
 
-// isRiskAccepted reports whether riskType is in the comma-separated list of
-// risks in acceptedRisks.
-func isRiskAccepted(riskType, acceptedRisks string) bool {
+// riskAccepted reports whether riskType is in acceptedRisks.
+func riskAccepted(riskType string) bool {
 	for _, r := range strings.Split(acceptedRisks, ",") {
 		if r == riskType {
 			return true
@@ -49,16 +49,12 @@ var errAborted = errors.New("aborted, no changes made")
 // It is used by the presentRiskToUser function below.
 const riskAbortTimeSeconds = 5
 
-// presentRiskToUser displays the risk message and waits for the user to cancel.
-// It returns errorAborted if the user aborts. In tests it returns errAborted
-// immediately unless the risk has been explicitly accepted.
-func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
-	if isRiskAccepted(riskType, acceptedRisks) {
+// presentRiskToUser displays the risk message and waits for the user to
+// cancel. It returns errorAborted if the user aborts.
+func presentRiskToUser(riskType, riskMessage string) error {
+	if riskAccepted(riskType) {
 		return nil
 	}
-	if inTest() {
-		return errAborted
-	}
 	outln(riskMessage)
 	printf("To skip this warning, use --accept-risk=%s\n", riskType)
 

cmd/tailscale/cli/up.go

@@ -116,7 +116,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
 	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
-	registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
+	registerAcceptRiskFlag(upf)
 	return upf
 }
 
@@ -150,7 +150,6 @@ type upArgsT struct {
 	opUser                 string
 	json                   bool
 	timeout                time.Duration
-	acceptedRisks          string
 }
 
 func (a upArgsT) getAuthKey() (string, error) {
@@ -377,20 +376,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, fmt.Errorf("can't change --login-server without --force-reauth")
 	}
 
-	// Do this after validations to avoid the 5s delay if we're going to error
-	// out anyway.
-	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	if wantSSH != haveSSH && isSSHOverTailscale() {
-		if wantSSH {
-			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		} else {
-			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		}
-		if err != nil {
-			return false, nil, err
-		}
-	}
-
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)
 
 	simpleUp = env.flagSet.NFlag() == 0 &&
@@ -421,12 +406,8 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 }
 
 func runUp(ctx context.Context, args []string) (retErr error) {
-	var egg bool
 	if len(args) > 0 {
-		egg = fmt.Sprint(args) == "[up down down left right left right b a]"
-		if !egg {
-			fatalf("too many non-flag arguments: %q", args)
-		}
+		fatalf("too many non-flag arguments: %q", args)
 	}
 
 	st, err := localClient.Status(ctx)
@@ -490,6 +471,17 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		curExitNodeIP: exitNodeIP(curPrefs, st),
 	}
 
+	if upArgs.runSSH != curPrefs.RunSSH && isSSHOverTailscale() {
+		if upArgs.runSSH {
+			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`)
+		} else {
+			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`)
+		}
+		if err != nil {
+			return err
+		}
+	}
+
 	defer func() {
 		if retErr == nil {
 			checkSSHUpWarnings(ctx)
@@ -501,7 +493,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = true
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}

cmd/tailscale/cli/web.go

@@ -15,6 +15,7 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -253,7 +254,7 @@ func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
 		return "", nil, err
 	}
 	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
+	out, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", nil, err
 	}

cmd/tailscale/depaware.txt

@@ -100,7 +100,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
         tailscale.com/util/mak                                       from tailscale.com/net/netcheck
-        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
    L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+

cmd/tailscaled/debug.go

@@ -15,6 +15,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -172,7 +173,7 @@ func checkDerp(ctx context.Context, derpRegion string) error {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}

cmd/tailscaled/depaware.txt

@@ -212,7 +212,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
      💣 tailscale.com/metrics                                        from tailscale.com/derp+
         tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver
         tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
         tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
@@ -281,7 +281,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
      💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
@@ -290,7 +290,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+

cmd/tailscaled/install_darwin.go

@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -141,7 +142,7 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		return err
 	}
 
-	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
+	if err := ioutil.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}
 

cmd/tailscaled/tailscaled.go

@@ -26,7 +26,6 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -98,20 +97,6 @@ func defaultTunName() string {
 	return "tailscale0"
 }
 
-// defaultPort returns the default UDP port to listen on for disco+wireguard.
-// By default it returns 0, to pick one randomly from the kernel.
-// If the environment variable PORT is set, that's used instead.
-// The PORT environment variable is chosen to match what the Linux systemd
-// unit uses, to make documentation more consistent.
-func defaultPort() uint16 {
-	if s := envknob.String("PORT"); s != "" {
-		if p, err := strconv.ParseUint(s, 10, 16); err == nil {
-			return uint16(p)
-		}
-	}
-	return 0
-}
-
 var args struct {
 	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
 	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
@@ -128,7 +113,6 @@ var args struct {
 	verbose        int
 	socksAddr      string // listen address for SOCKS5 server
 	httpProxyAddr  string // listen address for HTTP proxy server
-	disableLogs    bool
 }
 
 var (
@@ -147,9 +131,6 @@ var subCommands = map[string]*func([]string) error{
 var beCLI func() // non-nil if CLI is linked in
 
 func main() {
-	envknob.PanicIfAnyEnvCheckedInInit()
-	envknob.ApplyDiskConfig()
-
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
@@ -157,13 +138,12 @@ func main() {
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
-	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
 	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
-	flag.BoolVar(&args.disableLogs, "no-logs-no-support", false, "disable log uploads; this also disables any technical support")
 
 	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == "tailscale" && beCLI != nil {
 		beCLI()
@@ -219,10 +199,6 @@ func main() {
 		args.statepath = paths.DefaultTailscaledStateFile()
 	}
 
-	if args.disableLogs {
-		envknob.SetNoLogsNoSupport()
-	}
-
 	if beWindowsSubprocess() {
 		return
 	}
@@ -326,10 +302,6 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()
 
-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}
-
 	if isWindowsService() {
 		// Run the IPN server from the Windows service manager.
 		log.Printf("Running service...")
@@ -398,7 +370,7 @@ func run() error {
 		return fmt.Errorf("newNetstack: %w", err)
 	}
 	ns.ProcessLocalIPs = useNetstack
-	ns.ProcessSubnets = useNetstack || shouldWrapNetstack()
+	ns.ProcessSubnets = useNetstack || wrapNetstack
 
 	if useNetstack {
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
@@ -499,6 +471,8 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 	return nil, false, multierr.New(errs...)
 }
 
+var wrapNetstack = shouldWrapNetstack()
+
 func shouldWrapNetstack() bool {
 	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
@@ -569,7 +543,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		conf.DNS = d
 		conf.Router = r
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}

cmd/tailscaled/tailscaled.service

@@ -7,7 +7,7 @@ After=network-pre.target NetworkManager.service systemd-resolved.service
 [Service]
 EnvironmentFile=/etc/default/tailscaled
 ExecStartPre=/usr/sbin/tailscaled --cleanup
-ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup
 
 Restart=on-failure

cmd/tailscaled/tailscaled_windows.go

@@ -197,9 +197,6 @@ func beWindowsSubprocess() bool {
 
 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
 	log.Printf("subproc mode: logid=%v", logid)
-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}
 
 	go func() {
 		b := make([]byte, 16)
@@ -277,7 +274,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			dev.Close()
 			return nil, nil, fmt.Errorf("router: %w", err)
 		}
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			r = netstack.NewSubnetRouterWrapper(r)
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
@@ -304,7 +301,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			return nil, nil, fmt.Errorf("newNetstack: %w", err)
 		}
 		ns.ProcessLocalIPs = false
-		ns.ProcessSubnets = shouldWrapNetstack()
+		ns.ProcessSubnets = wrapNetstack
 		if err := ns.Start(); err != nil {
 			return nil, nil, fmt.Errorf("failed to start netstack: %w", err)
 		}

cmd/tsconnect/README.md

@@ -38,12 +38,3 @@ The client is also available as an NPM package. To build it, run:
 ```
 
 That places the output in the `pkg/` directory, which may then be uploaded to a package registry (or installed from the file path directly).
-
-To do two-sided development (on both the NPM package and code that uses it), run:
-
-```
-./tool/go run ./cmd/tsconnect dev-pkg
-
-```
-
-This serves the module at http://localhost:9090/pkg/pkg.js and the generated wasm file at http://localhost:9090/pkg/main.wasm. The two files can be used as drop-in replacements for normal imports of the NPM module.

cmd/tsconnect/build-pkg.go

@@ -11,12 +11,13 @@ import (
 	"os"
 	"path"
 
+	esbuild "github.com/evanw/esbuild/pkg/api"
 	"github.com/tailscale/hujson"
 	"tailscale.com/version"
 )
 
 func runBuildPkg() {
-	buildOptions, err := commonPkgSetup(prodMode)
+	buildOptions, err := commonSetup(prodMode)
 	if err != nil {
 		log.Fatalf("Cannot setup: %v", err)
 	}
@@ -30,6 +31,10 @@ func runBuildPkg() {
 		log.Fatalf("Cannot clean %s: %v", *pkgDir, err)
 	}
 
+	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
+	buildOptions.Outdir = *pkgDir
+	buildOptions.Format = esbuild.FormatESModule
+	buildOptions.AssetNames = "[name]"
 	buildOptions.Write = true
 	buildOptions.MinifyWhitespace = true
 	buildOptions.MinifyIdentifiers = true

cmd/tsconnect/build.go

@@ -7,6 +7,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
 	"path"
@@ -46,7 +47,7 @@ func runBuild() {
 	if err != nil {
 		log.Fatalf("Cannot fix esbuild metadata paths: %v", err)
 	}
-	if err := os.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
+	if err := ioutil.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
 		log.Fatalf("Cannot write metadata: %v", err)
 	}
 

cmd/tsconnect/common.go

@@ -6,8 +6,8 @@ package main
 
 import (
 	"fmt"
+	"io/ioutil"
 	"log"
-	"net"
 	"os"
 	"os/exec"
 	"path"
@@ -68,18 +68,6 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 	}, nil
 }
 
-func commonPkgSetup(dev bool) (*esbuild.BuildOptions, error) {
-	buildOptions, err := commonSetup(dev)
-	if err != nil {
-		return nil, err
-	}
-	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
-	buildOptions.Outdir = *pkgDir
-	buildOptions.Format = esbuild.FormatESModule
-	buildOptions.AssetNames = "[name]"
-	return buildOptions, nil
-}
-
 // cleanDir removes files from dirPath, except the ones specified by
 // preserveFiles.
 func cleanDir(dirPath string, preserveFiles ...string) error {
@@ -102,27 +90,6 @@ func cleanDir(dirPath string, preserveFiles ...string) error {
 	return nil
 }
 
-func runEsbuildServe(buildOptions esbuild.BuildOptions) {
-	host, portStr, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("Cannot parse addr: %v", err)
-	}
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		log.Fatalf("Cannot parse port: %v", err)
-	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
-		Port:     uint16(port),
-		Host:     host,
-		Servedir: "./",
-	}, buildOptions)
-	if err != nil {
-		log.Fatalf("Cannot start esbuild server: %v", err)
-	}
-	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
-}
-
 func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
 	log.Printf("Running esbuild...\n")
 	result := esbuild.Build(buildOptions)
@@ -182,7 +149,7 @@ func setupEsbuildWasm(build esbuild.PluginBuild, dev bool) {
 
 func buildWasm(dev bool) ([]byte, error) {
 	start := time.Now()
-	outputFile, err := os.CreateTemp("", "main.*.wasm")
+	outputFile, err := ioutil.TempFile("", "main.*.wasm")
 	if err != nil {
 		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
 	}

cmd/tsconnect/dev-pkg.go

@@ -1,17 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"log"
-)
-
-func runDevPkg() {
-	buildOptions, err := commonPkgSetup(devMode)
-	if err != nil {
-		log.Fatalf("Cannot setup: %v", err)
-	}
-	runEsbuildServe(*buildOptions)
-}

cmd/tsconnect/dev.go

@@ -6,6 +6,10 @@ package main
 
 import (
 	"log"
+	"net"
+	"strconv"
+
+	esbuild "github.com/evanw/esbuild/pkg/api"
 )
 
 func runDev() {
@@ -13,5 +17,22 @@ func runDev() {
 	if err != nil {
 		log.Fatalf("Cannot setup: %v", err)
 	}
-	runEsbuildServe(*buildOptions)
+	host, portStr, err := net.SplitHostPort(*addr)
+	if err != nil {
+		log.Fatalf("Cannot parse addr: %v", err)
+	}
+	port, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		log.Fatalf("Cannot parse port: %v", err)
+	}
+	result, err := esbuild.Serve(esbuild.ServeOptions{
+		Port:     uint16(port),
+		Host:     host,
+		Servedir: "./",
+	}, *buildOptions)
+	if err != nil {
+		log.Fatalf("Cannot start esbuild server: %v", err)
+	}
+	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
+	result.Wait()
 }

cmd/tsconnect/package.json

@@ -10,9 +10,8 @@
     "qrcode": "^1.5.0",
     "tailwindcss": "^3.1.6",
     "typescript": "^4.7.4",
-    "xterm": "5.0.0-beta.58",
-    "xterm-addon-fit": "^0.5.0",
-    "xterm-addon-web-links": "0.7.0-beta.6"
+    "xterm": "^4.18.0",
+    "xterm-addon-fit": "^0.5.0"
   },
   "scripts": {
     "lint": "tsc --noEmit",

cmd/tsconnect/serve.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -74,7 +75,7 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 		return nil, fmt.Errorf("Could not open esbuild-metadata.json: %w", err)
 	}
 	defer esbuildMetadataFile.Close()
-	esbuildMetadataBytes, err := io.ReadAll(esbuildMetadataFile)
+	esbuildMetadataBytes, err := ioutil.ReadAll(esbuildMetadataFile)
 	if err != nil {
 		return nil, fmt.Errorf("Could not read esbuild-metadata.json: %w", err)
 	}

cmd/tsconnect/src/app/app.tsx

@@ -92,12 +92,6 @@ class App extends Component<{}, AppState> {
   }
 
   handleBrowseToURL = (url: string) => {
-    if (this.state.ipnState === "Running") {
-      // Ignore URL requests if we're already running -- it's most likely an
-      // SSH check mode trigger and we already linkify the displayed URL
-      // in the terminal.
-      return
-    }
     this.setState({ browseToURL: url })
   }
 

cmd/tsconnect/src/app/ssh.tsx

@@ -2,24 +2,16 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-import { useState, useCallback, useMemo, useEffect, useRef } from "preact/hooks"
-import { createPortal } from "preact/compat"
-import type { VNode } from "preact"
+import { useState, useCallback } from "preact/hooks"
 import { runSSHSession, SSHSessionDef } from "../lib/ssh"
 
 export function SSH({ netMap, ipn }: { netMap: IPNNetMap; ipn: IPN }) {
-  const [sshSessionDef, setSSHSessionDef] = useState<SSHFormSessionDef | null>(
-    null
-  )
+  const [sshSessionDef, setSSHSessionDef] = useState<SSHSessionDef | null>(null)
   const clearSSHSessionDef = useCallback(() => setSSHSessionDef(null), [])
   if (sshSessionDef) {
-    const sshSession = (
+    return (
       <SSHSession def={sshSessionDef} ipn={ipn} onDone={clearSSHSessionDef} />
     )
-    if (sshSessionDef.newWindow) {
-      return <NewWindow close={clearSSHSessionDef}>{sshSession}</NewWindow>
-    }
-    return sshSession
   }
   const sshPeers = netMap.peers.filter(
     (p) => p.tailscaleSSHEnabled && p.online !== false
@@ -32,8 +24,6 @@ export function SSH({ netMap, ipn }: { netMap: IPNNetMap; ipn: IPN }) {
   return <SSHForm sshPeers={sshPeers} onSubmit={setSSHSessionDef} />
 }
 
-type SSHFormSessionDef = SSHSessionDef & { newWindow?: boolean }
-
 function SSHSession({
   def,
   ipn,
@@ -43,14 +33,20 @@ function SSHSession({
   ipn: IPN
   onDone: () => void
 }) {
-  const ref = useRef<HTMLDivElement>(null)
-  useEffect(() => {
-    if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone, (err) => console.error(err))
-    }
-  }, [ref])
-
-  return <div class="flex-grow bg-black p-2 overflow-hidden" ref={ref} />
+  return (
+    <div
+      class="flex-grow bg-black p-2 overflow-hidden"
+      ref={(node) => {
+        if (node) {
+          // Run the SSH session aysnchronously, so that the React render
+          // loop is complete (otherwise the SSH form may still be visible,
+          // which affects the size of the terminal, leading to a spurious
+          // initial resize).
+          setTimeout(() => runSSHSession(node, def, ipn, onDone), 0)
+        }
+      }}
+    />
+  )
 }
 
 function NoSSHPeers() {
@@ -70,7 +66,7 @@ function SSHForm({
   onSubmit,
 }: {
   sshPeers: IPNNetMapPeerNode[]
-  onSubmit: (def: SSHFormSessionDef) => void
+  onSubmit: (def: SSHSessionDef) => void
 }) {
   sshPeers = sshPeers.slice().sort((a, b) => a.name.localeCompare(b.name))
   const [username, setUsername] = useState("")
@@ -103,51 +99,7 @@ function SSHForm({
         type="submit"
         class="button bg-green-500 border-green-500 text-white hover:bg-green-600 hover:border-green-600"
         value="SSH"
-        onClick={(e) => {
-          if (e.altKey) {
-            e.preventDefault()
-            e.stopPropagation()
-            onSubmit({ username, hostname, newWindow: true })
-          }
-        }}
       />
     </form>
   )
 }
-
-const NewWindow = ({
-  children,
-  close,
-}: {
-  children: VNode
-  close: () => void
-}) => {
-  const newWindow = useMemo(() => {
-    const newWindow = window.open(undefined, undefined, "width=600,height=400")
-    if (newWindow) {
-      const containerNode = newWindow.document.createElement("div")
-      containerNode.className = "h-screen flex flex-col overflow-hidden"
-      newWindow.document.body.appendChild(containerNode)
-
-      for (const linkNode of document.querySelectorAll(
-        "head link[rel=stylesheet]"
-      )) {
-        const newLink = document.createElement("link")
-        newLink.rel = "stylesheet"
-        newLink.href = (linkNode as HTMLLinkElement).href
-        newWindow.document.head.appendChild(newLink)
-      }
-    }
-    return newWindow
-  }, [])
-  if (!newWindow) {
-    console.error("Could not open window")
-    return null
-  }
-  newWindow.onbeforeunload = () => {
-    close()
-  }
-
-  useEffect(() => () => newWindow.close(), [])
-  return createPortal(children, newWindow.document.body.lastChild as Element)
-}

cmd/tsconnect/src/lib/ssh.ts

@@ -1,39 +1,25 @@
-import { Terminal, ITerminalOptions } from "xterm"
+import { Terminal } from "xterm"
 import { FitAddon } from "xterm-addon-fit"
-import { WebLinksAddon } from "xterm-addon-web-links"
 
 export type SSHSessionDef = {
   username: string
   hostname: string
-  /** Defaults to 5 seconds */
-  timeoutSeconds?: number
 }
 
 export function runSSHSession(
   termContainerNode: HTMLDivElement,
   def: SSHSessionDef,
   ipn: IPN,
-  onDone: () => void,
-  onError?: (err: string) => void,
-  terminalOptions?: ITerminalOptions
+  onDone: () => void
 ) {
-  const parentWindow = termContainerNode.ownerDocument.defaultView ?? window
   const term = new Terminal({
     cursorBlink: true,
-    allowProposedApi: true,
-    ...terminalOptions,
   })
-
   const fitAddon = new FitAddon()
   term.loadAddon(fitAddon)
   term.open(termContainerNode)
   fitAddon.fit()
 
-  const webLinksAddon = new WebLinksAddon((event, uri) =>
-    event.view?.open(uri, "_blank", "noopener")
-  )
-  term.loadAddon(webLinksAddon)
-
   let onDataHook: ((data: string) => void) | undefined
   term.onData((e) => {
     onDataHook?.(e)
@@ -44,12 +30,12 @@ export function runSSHSession(
   let resizeObserver: ResizeObserver | undefined
   let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined
 
-  const sshSession = ipn.ssh(def.hostname, def.username, {
+  const sshSession = ipn.ssh(def.hostname + "2", def.username, {
     writeFn(input) {
       term.write(input)
     },
     writeErrorFn(err) {
-      onError?.(err)
+      console.error(err)
       term.write(err)
     },
     setReadFn(hook) {
@@ -61,20 +47,19 @@ export function runSSHSession(
       resizeObserver?.disconnect()
       term.dispose()
       if (handleBeforeUnload) {
-        parentWindow.removeEventListener("beforeunload", handleBeforeUnload)
+        window.removeEventListener("beforeunload", handleBeforeUnload)
       }
       onDone()
     },
-    timeoutSeconds: def.timeoutSeconds,
   })
 
   // Make terminal and SSH session track the size of the containing DOM node.
-  resizeObserver = new parentWindow.ResizeObserver(() => fitAddon.fit())
+  resizeObserver = new ResizeObserver(() => fitAddon.fit())
   resizeObserver.observe(termContainerNode)
   term.onResize(({ rows, cols }) => sshSession.resize(rows, cols))
 
   // Close the session if the user closes the window without an explicit
   // exit.
   handleBeforeUnload = () => sshSession.close()
-  parentWindow.addEventListener("beforeunload", handleBeforeUnload)
+  window.addEventListener("beforeunload", handleBeforeUnload)
 }

cmd/tsconnect/src/types/wasm_js.d.ts

@@ -23,8 +23,6 @@ declare global {
         setReadFn: (readFn: (data: string) => void) => void
         rows: number
         cols: number
-        /** Defaults to 5 seconds */
-        timeoutSeconds?: number
         onDone: () => void
       }
     ): IPNSSHSession
@@ -49,7 +47,6 @@ declare global {
     stateStorage?: IPNStateStorage
     authKey?: string
     controlURL?: string
-    hostname?: string
   }
 
   type IPNCallbacks = {

cmd/tsconnect/tsconnect.go

@@ -36,8 +36,6 @@ func main() {
 	switch flag.Arg(0) {
 	case "dev":
 		runDev()
-	case "dev-pkg":
-		runDevPkg()
 	case "build":
 		runBuild()
 	case "build-pkg":

cmd/tsconnect/wasm/wasm_js.go

@@ -61,30 +61,26 @@ func main() {
 func newIPN(jsConfig js.Value) map[string]any {
 	netns.SetEnabled(false)
 
+	jsStateStorage := jsConfig.Get("stateStorage")
 	var store ipn.StateStore
-	if jsStateStorage := jsConfig.Get("stateStorage"); !jsStateStorage.IsUndefined() {
-		store = &jsStateStore{jsStateStorage}
-	} else {
+	if jsStateStorage.IsUndefined() {
 		store = new(mem.Store)
+	} else {
+		store = &jsStateStore{jsStateStorage}
 	}
 
+	jsControlURL := jsConfig.Get("controlURL")
 	controlURL := ControlURL
-	if jsControlURL := jsConfig.Get("controlURL"); jsControlURL.Type() == js.TypeString {
+	if jsControlURL.Type() == js.TypeString {
 		controlURL = jsControlURL.String()
 	}
 
+	jsAuthKey := jsConfig.Get("authKey")
 	var authKey string
-	if jsAuthKey := jsConfig.Get("authKey"); jsAuthKey.Type() == js.TypeString {
+	if jsAuthKey.Type() == js.TypeString {
 		authKey = jsAuthKey.String()
 	}
 
-	var hostname string
-	if jsHostname := jsConfig.Get("hostname"); jsHostname.Type() == js.TypeString {
-		hostname = jsHostname.String()
-	} else {
-		hostname = generateHostname()
-	}
-
 	lpc := getOrCreateLogPolicyConfig(store)
 	c := logtail.Config{
 		Collection: lpc.Collection,
@@ -140,7 +136,6 @@ func newIPN(jsConfig js.Value) map[string]any {
 		lb:         lb,
 		controlURL: controlURL,
 		authKey:    authKey,
-		hostname:   hostname,
 	}
 
 	return map[string]any{
@@ -201,7 +196,6 @@ type jsIPN struct {
 	lb         *ipnlocal.LocalBackend
 	controlURL string
 	authKey    string
-	hostname   string
 }
 
 var jsIPNState = map[ipn.State]string{
@@ -290,7 +284,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 				RouteAll:         false,
 				AllowSingleHosts: true,
 				WantRunning:      true,
-				Hostname:         i.hostname,
+				Hostname:         generateHostname(),
 			},
 			AuthKey: i.authKey,
 		})
@@ -349,9 +343,6 @@ type jsSSHSession struct {
 	username   string
 	termConfig js.Value
 	session    *ssh.Session
-
-	pendingResizeRows int
-	pendingResizeCols int
 }
 
 func (s *jsSSHSession) Run() {
@@ -360,18 +351,17 @@ func (s *jsSSHSession) Run() {
 	setReadFn := s.termConfig.Get("setReadFn")
 	rows := s.termConfig.Get("rows").Int()
 	cols := s.termConfig.Get("cols").Int()
-	timeoutSeconds := 5.0
-	if jsTimeoutSeconds := s.termConfig.Get("timeoutSeconds"); jsTimeoutSeconds.Type() == js.TypeNumber {
-		timeoutSeconds = jsTimeoutSeconds.Float()
-	}
 	onDone := s.termConfig.Get("onDone")
 	defer onDone.Invoke()
 
+	write := func(s string) {
+		writeFn.Invoke(s)
+	}
 	writeError := func(label string, err error) {
 		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds*float64(time.Second)))
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	c, err := s.jsIPN.dialer.UserDial(ctx, "tcp", net.JoinHostPort(s.host, "22"))
 	if err != nil {
@@ -391,6 +381,7 @@ func (s *jsSSHSession) Run() {
 		return
 	}
 	defer sshConn.Close()
+	write("SSH Connected\r\n")
 
 	sshClient := ssh.NewClient(sshConn, nil, nil)
 	defer sshClient.Close()
@@ -401,6 +392,7 @@ func (s *jsSSHSession) Run() {
 		return
 	}
 	s.session = session
+	write("Session Established\r\n")
 	defer session.Close()
 
 	stdin, err := session.StdinPipe()
@@ -421,14 +413,6 @@ func (s *jsSSHSession) Run() {
 		return nil
 	}))
 
-	// We might have gotten a resize notification since we started opening the
-	// session, pick up the latest size.
-	if s.pendingResizeRows != 0 {
-		rows = s.pendingResizeRows
-	}
-	if s.pendingResizeCols != 0 {
-		cols = s.pendingResizeCols
-	}
 	err = session.RequestPty("xterm", rows, cols, ssh.TerminalModes{})
 
 	if err != nil {
@@ -454,11 +438,6 @@ func (s *jsSSHSession) Close() error {
 }
 
 func (s *jsSSHSession) Resize(rows, cols int) error {
-	if s.session == nil {
-		s.pendingResizeRows = rows
-		s.pendingResizeCols = cols
-		return nil
-	}
 	return s.session.WindowChange(rows, cols)
 }
 

cmd/tsconnect/yarn.lock

@@ -644,15 +644,10 @@ xterm-addon-fit@^0.5.0:
   resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
   integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==
 
-xterm@5.0.0-beta.58:
-  version "5.0.0-beta.58"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0-beta.58.tgz#e3e96ab9fd24d006ec16cc9351a060cc79e67e80"
-  integrity sha512-gjg39oKdgUKful27+7I1hvSK51lu/LRhdimFhfZyMvdk0iATH0FAfzv1eAvBKWY2UBgYUfxhicTkanYioANdMw==
-
-xterm-addon-web-links@0.7.0-beta.6:
-  version "0.7.0-beta.6"
-  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0-beta.6.tgz#ec63b681b4f0f0135fa039f53664f65fe9d9f43a"
-  integrity sha512-nD/r/GchGTN4c9gAIVLWVoxExTzAUV7E9xZnwsvhuwI4CEE6yqO15ns8g2hdcUrsPyCbNEw05mIrkF6W5Yj8qA==
+xterm@^4.18.0:
+  version "4.18.0"
+  resolved "https://registry.yarnpkg.com/xterm/-/xterm-4.18.0.tgz#a1f6ab2c330c3918fb094ae5f4c2562987398ea1"
+  integrity sha512-JQoc1S0dti6SQfI0bK1AZvGnAxH4MVw45ZPFSO6FHTInAiau3Ix77fSxNx3mX4eh9OL4AYa8+4C8f5UvnSfppQ==
 
 y18n@^4.0.0:
   version "4.0.3"

control/controlclient/auto.go

@@ -114,11 +114,19 @@ func NewNoStart(opts Options) (*Auto, error) {
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
 	c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-	c.unregisterHealthWatch = health.RegisterWatcher(direct.ReportHealthChange)
+	c.unregisterHealthWatch = health.RegisterWatcher(c.onHealthChange)
 	return c, nil
 
 }
 
+func (c *Auto) onHealthChange(sys health.Subsystem, err error) {
+	if sys == health.SysOverall {
+		return
+	}
+	c.logf("controlclient: restarting map request for %q health change to new state: %v", sys, err)
+	c.cancelMapSafely()
+}
+
 // SetPaused controls whether HTTP activity should be paused.
 //
 // The client can be paused and unpaused repeatedly, unlike Start and Shutdown, which can only be used once.

control/controlclient/direct.go

@@ -14,6 +14,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/httptest"
@@ -76,8 +77,6 @@ type Direct struct {
 	popBrowser             func(url string) // or nil
 	c2nHandler             http.Handler     // or nil
 
-	dialPlan ControlDialPlanner // can be nil
-
 	mu             sync.Mutex        // mutex guards the following fields
 	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
 	serverNoiseKey key.MachinePublic
@@ -108,7 +107,6 @@ type Options struct {
 	KeepAlive            bool
 	Logf                 logger.Logf
 	HTTPTestClient       *http.Client     // optional HTTP client to use (for tests only)
-	NoiseTestClient      *http.Client     // optional HTTP client to use for noise RPCs (tests only)
 	DebugFlags           []string         // debug settings to send to control
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
@@ -135,34 +133,6 @@ type Options struct {
 	// MapResponse.PingRequest queries from the control plane.
 	// If nil, PingRequest queries are not answered.
 	Pinger Pinger
-
-	// DialPlan contains and stores a previous dial plan that we received
-	// from the control server; if nil, we fall back to using DNS.
-	//
-	// If we receive a new DialPlan from the server, this value will be
-	// updated.
-	DialPlan ControlDialPlanner
-}
-
-// ControlDialPlanner is the interface optionally supplied when creating a
-// control client to control exactly how TCP connections to the control plane
-// are dialed.
-//
-// It is usually implemented by an atomic.Pointer.
-type ControlDialPlanner interface {
-	// Load returns the current plan for how to connect to control.
-	//
-	// The returned plan can be nil. If so, connections should be made by
-	// resolving the control URL using DNS.
-	Load() *tailcfg.ControlDialPlan
-
-	// Store updates the dial plan with new directions from the control
-	// server.
-	//
-	// The dial plan can span multiple connections to the control server.
-	// That is, a dial plan received when connected over Wi-Fi is still
-	// valid for a subsequent connection over LTE after a network switch.
-	Store(*tailcfg.ControlDialPlan)
 }
 
 // Pinger is the LocalBackend.Ping method.
@@ -246,7 +216,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		popBrowser:             opts.PopBrowserURL,
 		c2nHandler:             opts.C2NHandler,
 		dialer:                 opts.Dialer,
-		dialPlan:               opts.DialPlan,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
@@ -258,12 +227,6 @@ func NewDirect(opts Options) (*Direct, error) {
 			c.SetNetInfo(ni)
 		}
 	}
-	if opts.NoiseTestClient != nil {
-		c.noiseClient = &noiseClient{
-			Client: opts.NoiseTestClient,
-		}
-		c.serverNoiseKey = key.NewMachine().Public() // prevent early error before hitting test client
-	}
 	return c, nil
 }
 
@@ -527,7 +490,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			c.logf("RegisterReq sign error: %v", err)
 		}
 	}
-	if debugRegister() {
+	if debugRegister {
 		j, _ := json.MarshalIndent(request, "", "\t")
 		c.logf("RegisterRequest: %s", j)
 	}
@@ -560,7 +523,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		return regen, opt.URL, fmt.Errorf("register request: %w", err)
 	}
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return regen, opt.URL, fmt.Errorf("register request: http %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
@@ -570,7 +533,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return regen, opt.URL, fmt.Errorf("register request: %v", err)
 	}
-	if debugRegister() {
+	if debugRegister {
 		j, _ := json.MarshalIndent(resp, "", "\t")
 		c.logf("RegisterResponse: %s", j)
 	}
@@ -752,7 +715,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	c.logf("[v1] PollNetMap: stream=%v ep=%v", allowStream, epStrs)
 
 	vlogf := logger.Discard
-	if DevKnob.DumpNetMaps() {
+	if DevKnob.DumpNetMaps {
 		// TODO(bradfitz): update this to use "[v2]" prefix perhaps? but we don't
 		// want to upload it always.
 		vlogf = c.logf
@@ -841,7 +804,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	}
 	vlogf("netmap: Do = %v after %v", res.StatusCode, time.Since(t0).Round(time.Millisecond))
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return fmt.Errorf("initial fetch failed %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
@@ -851,7 +814,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	health.NoteMapRequestHeard(request)
 
 	if cb == nil {
-		io.Copy(io.Discard, res.Body)
+		io.Copy(ioutil.Discard, res.Body)
 		return nil
 	}
 
@@ -946,14 +909,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		} else {
 			vlogf("netmap: got new map")
 		}
-		if resp.ControlDialPlan != nil {
-			if c.dialPlan != nil {
-				c.logf("netmap: got new dial plan from control")
-				c.dialPlan.Store(resp.ControlDialPlan)
-			} else {
-				c.logf("netmap: [unexpected] new dial plan; nowhere to store it")
-			}
-		}
 
 		select {
 		case timeoutReset <- struct{}{}:
@@ -982,7 +937,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			}
 			if resp.Debug.DisableLogTail {
 				logtail.Disable()
-				envknob.SetNoLogsNoSupport()
 			}
 			if resp.Debug.LogHeapPprof {
 				go logheap.LogHeap(resp.Debug.LogHeapURL)
@@ -1008,12 +962,12 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			controlTrimWGConfig.Store(d.TrimWGConfig)
 		}
 
-		if DevKnob.StripEndpoints() {
+		if DevKnob.StripEndpoints {
 			for _, p := range resp.Peers {
 				p.Endpoints = nil
 			}
 		}
-		if DevKnob.StripCaps() {
+		if DevKnob.StripCaps {
 			nm.SelfNode.Capabilities = nil
 		}
 
@@ -1043,7 +997,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 // it uses the serverKey and mkey to decode the message from the NaCl-crypto-box.
 func decode(res *http.Response, v any, serverKey, serverNoiseKey key.MachinePublic, mkey key.MachinePrivate) error {
 	defer res.Body.Close()
-	msg, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	msg, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return err
 	}
@@ -1057,8 +1011,8 @@ func decode(res *http.Response, v any, serverKey, serverNoiseKey key.MachinePubl
 }
 
 var (
-	debugMap      = envknob.RegisterBool("TS_DEBUG_MAP")
-	debugRegister = envknob.RegisterBool("TS_DEBUG_REGISTER")
+	debugMap      = envknob.Bool("TS_DEBUG_MAP")
+	debugRegister = envknob.Bool("TS_DEBUG_REGISTER")
 )
 
 var jsonEscapedZero = []byte(`\u0000`)
@@ -1096,7 +1050,7 @@ func (c *Direct) decodeMsg(msg []byte, v any, mkey key.MachinePrivate) error {
 			return err
 		}
 	}
-	if debugMap() {
+	if debugMap {
 		var buf bytes.Buffer
 		json.Indent(&buf, b, "", "    ")
 		log.Printf("MapResponse: %s", buf.Bytes())
@@ -1133,7 +1087,7 @@ func encode(v any, serverKey, serverNoiseKey key.MachinePublic, mkey key.Machine
 	if err != nil {
 		return nil, err
 	}
-	if debugMap() {
+	if debugMap {
 		if _, ok := v.(*tailcfg.MapRequest); ok {
 			log.Printf("MapRequest: %s", b)
 		}
@@ -1155,7 +1109,7 @@ func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string
 		return nil, fmt.Errorf("fetch control key: %v", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 64<<10))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 64<<10))
 	if err != nil {
 		return nil, fmt.Errorf("fetch control key response: %v", err)
 	}
@@ -1184,18 +1138,18 @@ func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string
 var DevKnob = initDevKnob()
 
 type devKnobs struct {
-	DumpNetMaps    func() bool
-	ForceProxyDNS  func() bool
-	StripEndpoints func() bool // strip endpoints from control (only use disco messages)
-	StripCaps      func() bool // strip all local node's control-provided capabilities
+	DumpNetMaps    bool
+	ForceProxyDNS  bool
+	StripEndpoints bool // strip endpoints from control (only use disco messages)
+	StripCaps      bool // strip all local node's control-provided capabilities
 }
 
 func initDevKnob() devKnobs {
 	return devKnobs{
-		DumpNetMaps:    envknob.RegisterBool("TS_DEBUG_NETMAP"),
-		ForceProxyDNS:  envknob.RegisterBool("TS_DEBUG_PROXY_DNS"),
-		StripEndpoints: envknob.RegisterBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripCaps:      envknob.RegisterBool("TS_DEBUG_STRIP_CAPS"),
+		DumpNetMaps:    envknob.Bool("TS_DEBUG_NETMAP"),
+		ForceProxyDNS:  envknob.Bool("TS_DEBUG_PROXY_DNS"),
+		StripEndpoints: envknob.Bool("TS_DEBUG_STRIP_ENDPOINTS"),
+		StripCaps:      envknob.Bool("TS_DEBUG_STRIP_CAPS"),
 	}
 }
 
@@ -1404,17 +1358,12 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 	if nc != nil {
 		return nc, nil
 	}
-	var dp func() *tailcfg.ControlDialPlan
-	if c.dialPlan != nil {
-		dp = c.dialPlan.Load
-	}
 	nc, err, _ := c.sfGroup.Do(struct{}{}, func() (*noiseClient, error) {
 		k, err := c.getMachinePrivKey()
 		if err != nil {
 			return nil, err
 		}
-		c.logf("creating new noise client")
-		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer, dp)
+		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
 		if err != nil {
 			return nil, err
 		}
@@ -1434,17 +1383,21 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 	newReq := *req
 	newReq.Version = tailcfg.CurrentCapabilityVersion
-	nc, err := c.getNoiseClient()
+	np, err := c.getNoiseClient()
 	if err != nil {
 		return err
 	}
-	res, err := nc.post(ctx, "/machine/set-dns", req)
+	bodyData, err := json.Marshal(newReq)
+	if err != nil {
+		return err
+	}
+	res, err := np.Post(fmt.Sprintf("https://%v/%v", np.host, "machine/set-dns"), "application/json", bytes.NewReader(bodyData))
 	if err != nil {
 		return err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
 	}
 	var setDNSRes tailcfg.SetDNSResponse
@@ -1510,7 +1463,7 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) (err er
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
 	}
 	var setDNSRes tailcfg.SetDNSResponse
@@ -1586,38 +1539,6 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 	return nil
 }
 
-// ReportHealthChange reports to the control plane a change to this node's
-// health.
-func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
-	if sys == health.SysOverall {
-		// We don't report these. These include things like the network is down
-		// (in which case we can't report anyway) or the user wanted things
-		// stopped, as opposed to the more unexpected failure types in the other
-		// subsystems.
-		return
-	}
-	np, err := c.getNoiseClient()
-	if err != nil {
-		// Don't report errors to control if the server doesn't support noise.
-		return
-	}
-	req := &tailcfg.HealthChangeRequest{
-		Subsys: string(sys),
-	}
-	if sysErr != nil {
-		req.Error = sysErr.Error()
-	}
-
-	// Best effort, no logging:
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	res, err := np.post(ctx, "/machine/update-health", req)
-	if err != nil {
-		return
-	}
-	res.Body.Close()
-}
-
 var (
 	metricMapRequestsActive = clientmetric.NewGauge("controlclient_map_requests_active")
 

control/controlclient/map.go

@@ -48,7 +48,6 @@ type mapSession struct {
 	lastHealth             []string
 	lastPopBrowserURL      string
 	stickyDebug            tailcfg.Debug // accumulated opt.Bool values
-	lastTKAInfo            *tailcfg.TKAInfo
 
 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.
@@ -116,9 +115,6 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Health != nil {
 		ms.lastHealth = resp.Health
 	}
-	if resp.TKAInfo != nil {
-		ms.lastTKAInfo = resp.TKAInfo
-	}
 
 	debug := resp.Debug
 	if debug != nil {
@@ -156,17 +152,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		DERPMap:         ms.lastDERPMap,
 		Debug:           debug,
 		ControlHealth:   ms.lastHealth,
-		TKAEnabled:      ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
 	}
 	ms.netMapBuilding = nm
 
-	if ms.lastTKAInfo != nil && ms.lastTKAInfo.Head != "" {
-		if err := nm.TKAHead.UnmarshalText([]byte(ms.lastTKAInfo.Head)); err != nil {
-			ms.logf("error unmarshalling TKAHead: %v", err)
-			nm.TKAEnabled = false
-		}
-	}
-
 	if resp.Node != nil {
 		ms.lastNode = resp.Node
 	}
@@ -202,7 +190,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		}
 		ms.addUserProfile(peer.User)
 	}
-	if DevKnob.ForceProxyDNS() {
+	if DevKnob.ForceProxyDNS {
 		nm.DNS.Proxied = true
 	}
 	ms.netMapBuilding = nil
@@ -368,13 +356,13 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	return v2
 }
 
-var debugSelfIPv6Only = envknob.RegisterBool("TS_DEBUG_SELF_V6_ONLY")
+var debugSelfIPv6Only = envknob.Bool("TS_DEBUG_SELF_V6_ONLY")
 
 func filterSelfAddresses(in []netip.Prefix) (ret []netip.Prefix) {
 	switch {
 	default:
 		return in
-	case debugSelfIPv6Only():
+	case debugSelfIPv6Only:
 		for _, a := range in {
 			if a.Addr().Is6() {
 				ret = append(ret, a)

control/controlclient/noise.go

@@ -5,10 +5,8 @@
 package controlclient
 
 import (
-	"bytes"
 	"context"
 	"crypto/tls"
-	"encoding/json"
 	"math"
 	"net"
 	"net/http"
@@ -55,11 +53,6 @@ type noiseClient struct {
 	httpPort     string // the default port to call
 	httpsPort    string // the fallback Noise-over-https port
 
-	// dialPlan optionally returns a ControlDialPlan previously received
-	// from the control server; either the function or the return value can
-	// be nil.
-	dialPlan func() *tailcfg.ControlDialPlan
-
 	// mu only protects the following variables.
 	mu       sync.Mutex
 	nextID   int
@@ -68,9 +61,7 @@ type noiseClient struct {
 
 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-//
-// dialPlan may be nil
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer, dialPlan func() *tailcfg.ControlDialPlan) (*noiseClient, error) {
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -98,7 +89,6 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		httpPort:     httpPort,
 		httpsPort:    httpsPort,
 		dialer:       dialer,
-		dialPlan:     dialPlan,
 	}
 
 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -165,61 +155,17 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.nextID++
 	nc.mu.Unlock()
 
+	// Timeout is a little arbitrary, but plenty long enough for even the
+	// highest latency links.
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
 	if tailcfg.CurrentCapabilityVersion > math.MaxUint16 {
 		// Panic, because a test should have started failing several
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-
-	var dialPlan *tailcfg.ControlDialPlan
-	if nc.dialPlan != nil {
-		dialPlan = nc.dialPlan()
-	}
-
-	// If we have a dial plan, then set our timeout as slightly longer than
-	// the maximum amount of time contained therein; we assume that
-	// explicit instructions on timeouts are more useful than a single
-	// hard-coded timeout.
-	//
-	// The default value of 5 is chosen so that, when there's no dial plan,
-	// we retain the previous behaviour of 10 seconds end-to-end timeout.
-	timeoutSec := 5.0
-	if dialPlan != nil {
-		for _, c := range dialPlan.Candidates {
-			if v := c.DialStartDelaySec + c.DialTimeoutSec; v > timeoutSec {
-				timeoutSec = v
-			}
-		}
-	}
-
-	// After we establish a connection, we need some time to actually
-	// upgrade it into a Noise connection. With a ballpark worst-case RTT
-	// of 1000ms, give ourselves an extra 5 seconds to complete the
-	// handshake.
-	timeoutSec += 5
-
-	// Be extremely defensive and ensure that the timeout is in the range
-	// [5, 60] seconds (e.g. if we accidentally get a negative number).
-	if timeoutSec > 60 {
-		timeoutSec = 60
-	} else if timeoutSec < 5 {
-		timeoutSec = 5
-	}
-
-	timeout := time.Duration(timeoutSec * float64(time.Second))
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	conn, err := (&controlhttp.Dialer{
-		Hostname:        nc.host,
-		HTTPPort:        nc.httpPort,
-		HTTPSPort:       nc.httpsPort,
-		MachineKey:      nc.privKey,
-		ControlKey:      nc.serverPubKey,
-		ProtocolVersion: uint16(tailcfg.CurrentCapabilityVersion),
-		Dialer:          nc.dialer.SystemDial,
-		DialPlan:        dialPlan,
-	}).Dial(ctx)
+	conn, err := controlhttp.Dial(ctx, nc.host, nc.httpPort, nc.httpsPort, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
 	if err != nil {
 		return nil, err
 	}
@@ -230,16 +176,3 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	mak.Set(&nc.connPool, ncc.id, ncc)
 	return ncc, nil
 }
-
-func (nc *noiseClient) post(ctx context.Context, path string, body any) (*http.Response, error) {
-	jbody, err := json.Marshal(body)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequestWithContext(ctx, "POST", "https://"+nc.host+path, bytes.NewReader(jbody))
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Content-Type", "application/json")
-	return nc.Do(req)
-}

control/controlhttp/client.go

@@ -28,231 +28,69 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math"
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
-	"sort"
-	"sync/atomic"
 	"time"
 
 	"tailscale.com/control/controlbase"
-	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/multierr"
+	"tailscale.com/types/key"
 )
 
-var stdDialer net.Dialer
-
-// Dial connects to the HTTP server at this Dialer's Host:HTTPPort, requests to
-// switch to the Tailscale control protocol, and returns an established control
+// Dial connects to the HTTP server at host:httpPort, requests to switch to the
+// Tailscale control protocol, and returns an established control
 // protocol connection.
 //
-// If Dial fails to connect using HTTP, it also tries to tunnel over TLS to the
-// Dialer's Host:HTTPSPort as a compatibility fallback.
+// If Dial fails to connect using addr, it also tries to tunnel over
+// TLS to host:httpsPort as a compatibility fallback.
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func (a *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
-	if a.Hostname == "" {
-		return nil, errors.New("required Dialer.Hostname empty")
+func Dial(ctx context.Context, host string, httpPort string, httpsPort string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+	a := &dialParams{
+		host:       host,
+		httpPort:   httpPort,
+		httpsPort:  httpsPort,
+		machineKey: machineKey,
+		controlKey: controlKey,
+		version:    protocolVersion,
+		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
+		dialer:     dialer,
 	}
 	return a.dial(ctx)
 }
 
-func (a *Dialer) logf(format string, args ...any) {
-	if a.Logf != nil {
-		a.Logf(format, args...)
-	}
+type dialParams struct {
+	host       string
+	httpPort   string
+	httpsPort  string
+	machineKey key.MachinePrivate
+	controlKey key.MachinePublic
+	version    uint16
+	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
+	dialer     dnscache.DialContextFunc
+
+	// For tests only
+	insecureTLS       bool
+	testFallbackDelay time.Duration
 }
 
-func (a *Dialer) getProxyFunc() func(*http.Request) (*url.URL, error) {
-	if a.proxyFunc != nil {
-		return a.proxyFunc
-	}
-	return tshttpproxy.ProxyFromEnvironment
-}
-
-// httpsFallbackDelay is how long we'll wait for a.HTTPPort to work before
-// starting to try a.HTTPSPort.
-func (a *Dialer) httpsFallbackDelay() time.Duration {
+// httpsFallbackDelay is how long we'll wait for a.httpPort to work before
+// starting to try a.httpsPort.
+func (a *dialParams) httpsFallbackDelay() time.Duration {
 	if v := a.testFallbackDelay; v != 0 {
 		return v
 	}
 	return 500 * time.Millisecond
 }
 
-var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use
-
-func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
-	// If we don't have a dial plan, just fall back to dialing the single
-	// host we know about.
-	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
-	if !useDialPlan || a.DialPlan == nil || len(a.DialPlan.Candidates) == 0 {
-		return a.dialHost(ctx, netip.Addr{})
-	}
-	candidates := a.DialPlan.Candidates
-
-	// Otherwise, we try dialing per the plan. Store the highest priority
-	// in the list, so that if we get a connection to one of those
-	// candidates we can return quickly.
-	var highestPriority int = math.MinInt
-	for _, c := range candidates {
-		if c.Priority > highestPriority {
-			highestPriority = c.Priority
-		}
-	}
-
-	// This context allows us to cancel in-flight connections if we get a
-	// highest-priority connection before we're all done.
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	// Now, for each candidate, kick off a dial in parallel.
-	type dialResult struct {
-		conn     *controlbase.Conn
-		err      error
-		addr     netip.Addr
-		priority int
-	}
-	resultsCh := make(chan dialResult, len(candidates))
-
-	var pending atomic.Int32
-	pending.Store(int32(len(candidates)))
-	for _, c := range candidates {
-		go func(ctx context.Context, c tailcfg.ControlIPCandidate) {
-			var (
-				conn *controlbase.Conn
-				err  error
-			)
-
-			// Always send results back to our channel.
-			defer func() {
-				resultsCh <- dialResult{conn, err, c.IP, c.Priority}
-				if pending.Add(-1) == 0 {
-					close(resultsCh)
-				}
-			}()
-
-			// If non-zero, wait the configured start timeout
-			// before we do anything.
-			if c.DialStartDelaySec > 0 {
-				a.logf("[v2] controlhttp: waiting %.2f seconds before dialing %q @ %v", c.DialStartDelaySec, a.Hostname, c.IP)
-				tmr := time.NewTimer(time.Duration(c.DialStartDelaySec * float64(time.Second)))
-				defer tmr.Stop()
-				select {
-				case <-ctx.Done():
-					err = ctx.Err()
-					return
-				case <-tmr.C:
-				}
-			}
-
-			// Now, create a sub-context with the given timeout and
-			// try dialing the provided host.
-			ctx, cancel := context.WithTimeout(ctx, time.Duration(c.DialTimeoutSec*float64(time.Second)))
-			defer cancel()
-
-			// This will dial, and the defer above sends it back to our parent.
-			a.logf("[v2] controlhttp: trying to dial %q @ %v", a.Hostname, c.IP)
-			conn, err = a.dialHost(ctx, c.IP)
-		}(ctx, c)
-	}
-
-	var results []dialResult
-	for res := range resultsCh {
-		// If we get a response that has the highest priority, we don't
-		// need to wait for any of the other connections to finish; we
-		// can just return this connection.
-		//
-		// TODO(andrew): we could make this better by keeping track of
-		// the highest remaining priority dynamically, instead of just
-		// checking for the highest total
-		if res.priority == highestPriority && res.conn != nil {
-			a.logf("[v1] controlhttp: high-priority success dialing %q @ %v from dial plan", a.Hostname, res.addr)
-
-			// Drain the channel and any existing connections in
-			// the background.
-			go func() {
-				for _, res := range results {
-					if res.conn != nil {
-						res.conn.Close()
-					}
-				}
-				for res := range resultsCh {
-					if res.conn != nil {
-						res.conn.Close()
-					}
-				}
-				if a.drainFinished != nil {
-					close(a.drainFinished)
-				}
-			}()
-			return res.conn, nil
-		}
-
-		// This isn't a highest-priority result, so just store it until
-		// we're done.
-		results = append(results, res)
-	}
-
-	// After we finish this function, close any remaining open connections.
-	defer func() {
-		for _, result := range results {
-			// Note: below, we nil out the returned connection (if
-			// any) in the slice so we don't close it.
-			if result.conn != nil {
-				result.conn.Close()
-			}
-		}
-
-		// We don't drain asynchronously after this point, so notify our
-		// channel when we return.
-		if a.drainFinished != nil {
-			close(a.drainFinished)
-		}
-	}()
-
-	// Sort by priority, then take the first non-error response.
-	sort.Slice(results, func(i, j int) bool {
-		// NOTE: intentionally inverted so that the highest priority
-		// item comes first
-		return results[i].priority > results[j].priority
-	})
-
-	var (
-		conn *controlbase.Conn
-		errs []error
-	)
-	for i, result := range results {
-		if result.err != nil {
-			errs = append(errs, result.err)
-			continue
-		}
-
-		a.logf("[v1] controlhttp: succeeded dialing %q @ %v from dial plan", a.Hostname, result.addr)
-		conn = result.conn
-		results[i].conn = nil // so we don't close it in the defer
-		return conn, nil
-	}
-	merr := multierr.New(errs...)
-
-	// If we get here, then we didn't get anywhere with our dial plan; fall back to just using DNS.
-	a.logf("controlhttp: failed dialing using DialPlan, falling back to DNS; errs=%s", merr.Error())
-	return a.dialHost(ctx, netip.Addr{})
-}
-
-// dialHost connects to the configured Dialer.Hostname and upgrades the
-// connection into a controlbase.Conn. If addr is valid, then no DNS is used
-// and the connection will be made to the provided address.
-func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Conn, error) {
+func (a *dialParams) dial(ctx context.Context) (*controlbase.Conn, error) {
 	// Create one shared context used by both port 80 and port 443 dials.
 	// If port 80 is still in flight when 443 returns, this deferred cancel
 	// will stop the port 80 dial.
@@ -264,12 +102,12 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 	// we'll speak Noise.
 	u80 := &url.URL{
 		Scheme: "http",
-		Host:   net.JoinHostPort(a.Hostname, strDef(a.HTTPPort, "80")),
+		Host:   net.JoinHostPort(a.host, a.httpPort),
 		Path:   serverUpgradePath,
 	}
 	u443 := &url.URL{
 		Scheme: "https",
-		Host:   net.JoinHostPort(a.Hostname, strDef(a.HTTPSPort, "443")),
+		Host:   net.JoinHostPort(a.host, a.httpsPort),
 		Path:   serverUpgradePath,
 	}
 
@@ -280,7 +118,7 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 	}
 	ch := make(chan tryURLRes) // must be unbuffered
 	try := func(u *url.URL) {
-		cbConn, err := a.dialURL(ctx, u, addr)
+		cbConn, err := a.dialURL(ctx, u)
 		select {
 		case ch <- tryURLRes{u, cbConn, err}:
 		case <-ctx.Done():
@@ -331,12 +169,12 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 }
 
 // dialURL attempts to connect to the given URL.
-func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*controlbase.Conn, error) {
-	init, cont, err := controlbase.ClientDeferred(a.MachineKey, a.ControlKey, a.ProtocolVersion)
+func (a *dialParams) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	netConn, err := a.tryURLUpgrade(ctx, u, addr, init)
+	netConn, err := a.tryURLUpgrade(ctx, u, init)
 	if err != nil {
 		return nil, err
 	}
@@ -348,50 +186,29 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*con
 	return cbConn, nil
 }
 
-// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn. If addr
-// is valid, then no DNS is used and the connection will be made to the
-// provided address.
+// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
 //
 // Only the provided ctx is used, not a.ctx.
-func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (net.Conn, error) {
-	var dns *dnscache.Resolver
-
-	// If we were provided an address to dial, then create a resolver that just
-	// returns that value; otherwise, fall back to DNS.
-	if addr.IsValid() {
-		dns = &dnscache.Resolver{
-			SingleHostStaticResult: []netip.Addr{addr},
-			SingleHost:             u.Hostname(),
-		}
-	} else {
-		dns = &dnscache.Resolver{
-			Forward:          dnscache.Get().Forward,
-			LookupIPFallback: dnsfallback.Lookup,
-			UseLastGood:      true,
-		}
+func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
+	dns := &dnscache.Resolver{
+		Forward:          dnscache.Get().Forward,
+		LookupIPFallback: dnsfallback.Lookup,
+		UseLastGood:      true,
 	}
-
-	var dialer dnscache.DialContextFunc
-	if a.Dialer != nil {
-		dialer = a.Dialer
-	} else {
-		dialer = stdDialer.DialContext
-	}
-
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
-	tr.Proxy = a.getProxyFunc()
+	tr.Proxy = a.proxyFunc
 	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-	tr.DialContext = dnscache.Dialer(dialer, dns)
+	tr.DialContext = dnscache.Dialer(a.dialer, dns)
 	// Disable HTTP2, since h2 can't do protocol switching.
 	tr.TLSClientConfig.NextProtos = []string{}
 	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
-	tr.TLSClientConfig = tlsdial.Config(a.Hostname, tr.TLSClientConfig)
+	tr.TLSClientConfig = tlsdial.Config(a.host, tr.TLSClientConfig)
 	if a.insecureTLS {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 		tr.TLSClientConfig.VerifyConnection = nil
 	}
-	tr.DialTLSContext = dnscache.TLSDialer(dialer, dns, tr.TLSClientConfig)
+	tr.DialTLSContext = dnscache.TLSDialer(a.dialer, dns, tr.TLSClientConfig)
 	tr.DisableCompression = true
 
 	// (mis)use httptrace to extract the underlying net.Conn from the

control/controlhttp/client_js.go

@@ -7,31 +7,27 @@ package controlhttp
 import (
 	"context"
 	"encoding/base64"
-	"errors"
 	"net"
 	"net/url"
 
 	"nhooyr.io/websocket"
 	"tailscale.com/control/controlbase"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/types/key"
 )
 
 // Variant of Dial that tunnels the request over WebSockets, since we cannot do
 // bi-directional communication over an HTTP connection when in JS.
-func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
-	if d.Hostname == "" {
-		return nil, errors.New("required Dialer.Hostname empty")
-	}
-
-	init, cont, err := controlbase.ClientDeferred(d.MachineKey, d.ControlKey, d.ProtocolVersion)
+func Dial(ctx context.Context, host string, httpPort string, httpsPort string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(machineKey, controlKey, protocolVersion)
 	if err != nil {
 		return nil, err
 	}
 
 	wsScheme := "wss"
-	host := d.Hostname
 	if host == "localhost" {
 		wsScheme = "ws"
-		host = net.JoinHostPort(host, strDef(d.HTTPPort, "80"))
+		host = net.JoinHostPort(host, httpPort)
 	}
 	wsURL := &url.URL{
 		Scheme: wsScheme,
@@ -56,4 +52,5 @@ func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
 		return nil, err
 	}
 	return cbConn, nil
+
 }

control/controlhttp/constants.go

@@ -4,17 +4,6 @@
 
 package controlhttp
 
-import (
-	"net/http"
-	"net/url"
-	"time"
-
-	"tailscale.com/net/dnscache"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
-)
-
 const (
 	// upgradeHeader is the value of the Upgrade HTTP header used to
 	// indicate the Tailscale control protocol.
@@ -29,64 +18,3 @@ const (
 	// to do the protocol switch is located.
 	serverUpgradePath = "/ts2021"
 )
-
-// Dialer contains configuration on how to dial the Tailscale control server.
-type Dialer struct {
-	// Hostname is the hostname to connect to, with no port number.
-	//
-	// This field is required.
-	Hostname string
-
-	// MachineKey contains the current machine's private key.
-	//
-	// This field is required.
-	MachineKey key.MachinePrivate
-
-	// ControlKey contains the expected public key for the control server.
-	//
-	// This field is required.
-	ControlKey key.MachinePublic
-
-	// ProtocolVersion is the expected protocol version to negotiate.
-	//
-	// This field is required.
-	ProtocolVersion uint16
-
-	// HTTPPort is the port number to use when making a HTTP connection.
-	//
-	// If not specified, this defaults to port 80.
-	HTTPPort string
-
-	// HTTPSPort is the port number to use when making a HTTPS connection.
-	//
-	// If not specified, this defaults to port 443.
-	HTTPSPort string
-
-	// Dialer is the dialer used to make outbound connections.
-	//
-	// If not specified, this defaults to net.Dialer.DialContext.
-	Dialer dnscache.DialContextFunc
-
-	// Logf, if set, is a logging function to use; if unset, logs are
-	// dropped.
-	Logf logger.Logf
-
-	// DialPlan, if set, contains instructions from the control server on
-	// how to connect to it. If present, we will try the methods in this
-	// plan before falling back to DNS.
-	DialPlan *tailcfg.ControlDialPlan
-
-	proxyFunc func(*http.Request) (*url.URL, error) // or nil
-
-	// For tests only
-	drainFinished     chan struct{}
-	insecureTLS       bool
-	testFallbackDelay time.Duration
-}
-
-func strDef(v1, v2 string) string {
-	if v1 != "" {
-		return v1
-	}
-	return v2
-}

control/controlhttp/http_test.go

@@ -13,21 +13,16 @@ import (
 	"net"
 	"net/http"
 	"net/http/httputil"
-	"net/netip"
 	"net/url"
-	"runtime"
 	"strconv"
 	"sync"
 	"testing"
 	"time"
 
 	"tailscale.com/control/controlbase"
-	"tailscale.com/net/dnscache"
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
 )
 
 type httpTestParam struct {
@@ -175,16 +170,15 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		defer cancel()
 	}
 
-	a := &Dialer{
-		Hostname:          "localhost",
-		HTTPPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
-		HTTPSPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
-		MachineKey:        client,
-		ControlKey:        server.Public(),
-		ProtocolVersion:   testProtocolVersion,
-		Dialer:            new(tsdial.Dialer).SystemDial,
-		Logf:              t.Logf,
+	a := dialParams{
+		host:              "localhost",
+		httpPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:        client,
+		controlKey:        server.Public(),
+		version:           testProtocolVersion,
 		insecureTLS:       true,
+		dialer:            new(tsdial.Dialer).SystemDial,
 		testFallbackDelay: 50 * time.Millisecond,
 	}
 
@@ -449,263 +443,3 @@ func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
 	w.(http.Flusher).Flush()
 	<-r.Context().Done()
 }
-
-func TestDialPlan(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("only works on Linux due to multiple localhost addresses")
-	}
-
-	client, server := key.NewMachine(), key.NewMachine()
-
-	const (
-		testProtocolVersion = 1
-
-		// We need consistent ports for each address; these are chosen
-		// randomly and we hope that they won't conflict during this test.
-		httpPort  = "40080"
-		httpsPort = "40443"
-	)
-
-	makeHandler := func(t *testing.T, name string, host netip.Addr, wrap func(http.Handler) http.Handler) {
-		done := make(chan struct{})
-		t.Cleanup(func() {
-			close(done)
-		})
-		var handler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			conn, err := AcceptHTTP(context.Background(), w, r, server)
-			if err != nil {
-				log.Print(err)
-			} else {
-				defer conn.Close()
-			}
-			w.Header().Set("X-Handler-Name", name)
-			<-done
-		})
-		if wrap != nil {
-			handler = wrap(handler)
-		}
-
-		httpLn, err := net.Listen("tcp", host.String()+":"+httpPort)
-		if err != nil {
-			t.Fatalf("HTTP listen: %v", err)
-		}
-		httpsLn, err := net.Listen("tcp", host.String()+":"+httpsPort)
-		if err != nil {
-			t.Fatalf("HTTPS listen: %v", err)
-		}
-
-		httpServer := &http.Server{Handler: handler}
-		go httpServer.Serve(httpLn)
-		t.Cleanup(func() {
-			httpServer.Close()
-		})
-
-		httpsServer := &http.Server{
-			Handler:   handler,
-			TLSConfig: tlsConfig(t),
-			ErrorLog:  logger.StdLogger(logger.WithPrefix(t.Logf, "http.Server.ErrorLog: ")),
-		}
-		go httpsServer.ServeTLS(httpsLn, "", "")
-		t.Cleanup(func() {
-			httpsServer.Close()
-		})
-		return
-	}
-
-	fallbackAddr := netip.MustParseAddr("127.0.0.1")
-	goodAddr := netip.MustParseAddr("127.0.0.2")
-	otherAddr := netip.MustParseAddr("127.0.0.3")
-	other2Addr := netip.MustParseAddr("127.0.0.4")
-	brokenAddr := netip.MustParseAddr("127.0.0.10")
-
-	testCases := []struct {
-		name string
-		plan *tailcfg.ControlDialPlan
-		wrap func(http.Handler) http.Handler
-		want netip.Addr
-
-		allowFallback bool
-	}{
-		{
-			name: "single",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-			}},
-			want: goodAddr,
-		},
-		{
-			name: "broken-then-good",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				// Dials the broken one, which fails, and then
-				// eventually dials the good one and succeeds
-				{IP: brokenAddr, Priority: 2, DialTimeoutSec: 10},
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10, DialStartDelaySec: 1},
-			}},
-			want: goodAddr,
-		},
-		{
-			name: "multiple-priority-fast-path",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				// Dials some good IPs and our bad one (which
-				// hangs forever), which then hits the fast
-				// path where we bail without waiting.
-				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 10},
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-				{IP: other2Addr, Priority: 1, DialTimeoutSec: 10},
-				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
-			}},
-			want: otherAddr,
-		},
-		{
-			name: "multiple-priority-slow-path",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				// Our broken address is the highest priority,
-				// so we don't hit our fast path.
-				{IP: brokenAddr, Priority: 10, DialTimeoutSec: 10},
-				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-			}},
-			want: otherAddr,
-		},
-		{
-			name: "fallback",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 1},
-			}},
-			want:          fallbackAddr,
-			allowFallback: true,
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			makeHandler(t, "fallback", fallbackAddr, nil)
-			makeHandler(t, "good", goodAddr, nil)
-			makeHandler(t, "other", otherAddr, nil)
-			makeHandler(t, "other2", other2Addr, nil)
-			makeHandler(t, "broken", brokenAddr, func(h http.Handler) http.Handler {
-				return http.HandlerFunc(brokenMITMHandler)
-			})
-
-			dialer := closeTrackDialer{
-				t:     t,
-				inner: new(tsdial.Dialer).SystemDial,
-				conns: make(map[*closeTrackConn]bool),
-			}
-			defer dialer.Done()
-
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-
-			// By default, we intentionally point to something that
-			// we know won't connect, since we want a fallback to
-			// DNS to be an error.
-			host := "example.com"
-			if tt.allowFallback {
-				host = "localhost"
-			}
-
-			drained := make(chan struct{})
-			a := &Dialer{
-				Hostname:          host,
-				HTTPPort:          httpPort,
-				HTTPSPort:         httpsPort,
-				MachineKey:        client,
-				ControlKey:        server.Public(),
-				ProtocolVersion:   testProtocolVersion,
-				Dialer:            dialer.Dial,
-				Logf:              t.Logf,
-				DialPlan:          tt.plan,
-				proxyFunc:         func(*http.Request) (*url.URL, error) { return nil, nil },
-				drainFinished:     drained,
-				insecureTLS:       true,
-				testFallbackDelay: 50 * time.Millisecond,
-			}
-
-			conn, err := a.dial(ctx)
-			if err != nil {
-				t.Fatalf("dialing controlhttp: %v", err)
-			}
-			defer conn.Close()
-
-			raddr := conn.RemoteAddr().(*net.TCPAddr)
-
-			got, ok := netip.AddrFromSlice(raddr.IP)
-			if !ok {
-				t.Errorf("invalid remote IP: %v", raddr.IP)
-			} else if got != tt.want {
-				t.Errorf("got connection from %q; want %q", got, tt.want)
-			} else {
-				t.Logf("successfully connected to %q", raddr.String())
-			}
-
-			// Wait until our dialer drains so we can verify that
-			// all connections are closed.
-			<-drained
-		})
-	}
-}
-
-type closeTrackDialer struct {
-	t     testing.TB
-	inner dnscache.DialContextFunc
-	mu    sync.Mutex
-	conns map[*closeTrackConn]bool
-}
-
-func (d *closeTrackDialer) Dial(ctx context.Context, network, addr string) (net.Conn, error) {
-	c, err := d.inner(ctx, network, addr)
-	if err != nil {
-		return nil, err
-	}
-	ct := &closeTrackConn{Conn: c, d: d}
-
-	d.mu.Lock()
-	d.conns[ct] = true
-	d.mu.Unlock()
-	return ct, nil
-}
-
-func (d *closeTrackDialer) Done() {
-	// Unfortunately, tsdial.Dialer.SystemDial closes connections
-	// asynchronously in a goroutine, so we can't assume that everything is
-	// closed by the time we get here.
-	//
-	// Sleep/wait a few times on the assumption that things will close
-	// "eventually".
-	const iters = 100
-	for i := 0; i < iters; i++ {
-		d.mu.Lock()
-		if len(d.conns) == 0 {
-			d.mu.Unlock()
-			return
-		}
-
-		// Only error on last iteration
-		if i != iters-1 {
-			d.mu.Unlock()
-			time.Sleep(100 * time.Millisecond)
-			continue
-		}
-
-		for conn := range d.conns {
-			d.t.Errorf("expected close of conn %p; RemoteAddr=%q", conn, conn.RemoteAddr().String())
-		}
-		d.mu.Unlock()
-	}
-}
-
-func (d *closeTrackDialer) noteClose(c *closeTrackConn) {
-	d.mu.Lock()
-	delete(d.conns, c) // safe if already deleted
-	d.mu.Unlock()
-}
-
-type closeTrackConn struct {
-	net.Conn
-	d *closeTrackDialer
-}
-
-func (c *closeTrackConn) Close() error {
-	c.d.noteClose(c)
-	return c.Conn.Close()
-}

control/controlhttp/server.go

@@ -82,12 +82,6 @@ func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request
 	c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 		Subprotocols:   []string{upgradeHeaderValue},
 		OriginPatterns: []string{"*"},
-		// Disable compression because we transmit Noise messages that are not
-		// compressible.
-		// Additionally, Safari has a broken implementation of compression
-		// (see https://github.com/nhooyr/websocket/issues/218) that makes
-		// enabling it actively harmful.
-		CompressionMode: websocket.CompressionDisabled,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("Could not accept WebSocket connection %v", err)

control/controlknobs/controlknobs.go

@@ -13,18 +13,20 @@ import (
 )
 
 // disableUPnP indicates whether to attempt UPnP mapping.
-var disableUPnPControl atomic.Bool
+var disableUPnP atomic.Bool
 
-var disableUPnpEnv = envknob.RegisterBool("TS_DISABLE_UPNP")
+func init() {
+	SetDisableUPnP(envknob.Bool("TS_DISABLE_UPNP"))
+}
 
 // DisableUPnP reports the last reported value from control
 // whether UPnP portmapping should be disabled.
 func DisableUPnP() bool {
-	return disableUPnPControl.Load() || disableUPnpEnv()
+	return disableUPnP.Load()
 }
 
 // SetDisableUPnP sets whether control says that UPnP should be
 // disabled.
 func SetDisableUPnP(v bool) {
-	disableUPnPControl.Store(v)
+	disableUPnP.Store(v)
 }

derp/derp.go

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package derp implements the Designated Encrypted Relay for Packets (DERP)
-// protocol.
+// Package derp implements DERP, the Detour Encrypted Routing Protocol.
 //
 // DERP routes packets to clients using curve25519 keys as addresses.
 //
@@ -19,6 +18,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"time"
 )
 
@@ -194,7 +194,7 @@ func readFrame(br *bufio.Reader, maxSize uint32, b []byte) (t frameType, frameLe
 	}
 	remain := frameLen - uint32(n)
 	if remain > 0 {
-		if _, err := io.CopyN(io.Discard, br, int64(remain)); err != nil {
+		if _, err := io.CopyN(ioutil.Discard, br, int64(remain)); err != nil {
 			return 0, 0, err
 		}
 		err = io.ErrShortBuffer

derp/derp_server.go

@@ -18,6 +18,7 @@ import (
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math"
 	"math/big"
@@ -46,6 +47,8 @@ import (
 	"tailscale.com/version"
 )
 
+var debug = envknob.Bool("DERP_DEBUG_LOGS")
+
 // verboseDropKeys is the set of destination public keys that should
 // verbosely log whenever DERP drops a packet.
 var verboseDropKeys = map[key.NodePublic]bool{}
@@ -103,7 +106,6 @@ type Server struct {
 	limitedLogf logger.Logf
 	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate
 	dupPolicy   dupPolicy
-	debug       bool
 
 	// Counters:
 	packetsSent, bytesSent       expvar.Int
@@ -297,7 +299,6 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 	runtime.ReadMemStats(&ms)
 
 	s := &Server{
-		debug:                envknob.Bool("DERP_DEBUG_LOGS"),
 		privateKey:           privateKey,
 		publicKey:            privateKey.Public(),
 		logf:                 logf,
@@ -757,7 +758,7 @@ func (c *sclient) run(ctx context.Context) error {
 }
 
 func (c *sclient) handleUnknownFrame(ft frameType, fl uint32) error {
-	_, err := io.CopyN(io.Discard, c.br, int64(fl))
+	_, err := io.CopyN(ioutil.Discard, c.br, int64(fl))
 	return err
 }
 
@@ -800,7 +801,7 @@ func (c *sclient) handleFramePing(ft frameType, fl uint32) error {
 		return err
 	}
 	if extra := int64(fl) - int64(len(m)); extra > 0 {
-		_, err = io.CopyN(io.Discard, c.br, extra)
+		_, err = io.CopyN(ioutil.Discard, c.br, extra)
 	}
 	select {
 	case c.sendPongCh <- [8]byte(m):
@@ -979,7 +980,7 @@ func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, r
 		msg := fmt.Sprintf("drop (%s) %s -> %s", srcKey.ShortString(), reason, dstKey.ShortString())
 		s.limitedLogf(msg)
 	}
-	if s.debug {
+	if debug {
 		s.logf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, disco.LooksLikeDiscoWrapper(packetBytes))
 	}
 }
@@ -1827,7 +1828,7 @@ func (s *Server) ServeDebugTraffic(w http.ResponseWriter, r *http.Request) {
 
 var bufioWriterPool = &sync.Pool{
 	New: func() any {
-		return bufio.NewWriterSize(io.Discard, 2<<10)
+		return bufio.NewWriterSize(ioutil.Discard, 2<<10)
 	},
 }
 
@@ -1860,7 +1861,7 @@ func (w *lazyBufioWriter) Flush() error {
 	}
 	err := w.lbw.Flush()
 
-	w.lbw.Reset(io.Discard)
+	w.lbw.Reset(ioutil.Discard)
 	bufioWriterPool.Put(w.lbw)
 	w.lbw = nil
 

derp/derp_test.go

@@ -15,9 +15,9 @@ import (
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
-	"os"
 	"reflect"
 	"sync"
 	"testing"
@@ -1240,7 +1240,7 @@ func benchmarkSendRecvSize(b *testing.B, packetSize int) {
 }
 
 func BenchmarkWriteUint32(b *testing.B) {
-	w := bufio.NewWriter(io.Discard)
+	w := bufio.NewWriter(ioutil.Discard)
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
@@ -1279,9 +1279,9 @@ func waitConnect(t testing.TB, c *Client) {
 }
 
 func TestParseSSOutput(t *testing.T) {
-	contents, err := os.ReadFile("testdata/example_ss.txt")
+	contents, err := ioutil.ReadFile("testdata/example_ss.txt")
 	if err != nil {
-		t.Errorf("os.ReadFile(example_ss.txt) failed: %v", err)
+		t.Errorf("ioutil.Readfile(example_ss.txt) failed: %v", err)
 	}
 	seen := parseSSOutput(string(contents))
 	if len(seen) == 0 {

derp/derphttp/derphttp_client.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/netip"
@@ -431,7 +432,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 			return nil, 0, err
 		}
 		if resp.StatusCode != http.StatusSwitchingProtocols {
-			b, _ := io.ReadAll(resp.Body)
+			b, _ := ioutil.ReadAll(resp.Body)
 			resp.Body.Close()
 			return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
 		}

docs/k8s/proxy.yaml

@@ -37,7 +37,7 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
           optional: true
     - name: TS_DEST_IP
       value: "{{TS_DEST_IP}}"

docs/k8s/run.sh

@@ -17,11 +17,10 @@ TS_KUBE_SECRET="${TS_KUBE_SECRET:-tailscale}"
 TS_SOCKS5_SERVER="${TS_SOCKS5_SERVER:-}"
 TS_OUTBOUND_HTTP_PROXY_LISTEN="${TS_OUTBOUND_HTTP_PROXY_LISTEN:-}"
 TS_TAILSCALED_EXTRA_ARGS="${TS_TAILSCALED_EXTRA_ARGS:-}"
-TS_SOCKET="${TS_SOCKET:-/tmp/tailscaled.sock}"
 
 set -e
 
-TAILSCALED_ARGS="--socket=${TS_SOCKET}"
+TAILSCALED_ARGS="--socket=/tmp/tailscaled.sock"
 
 if [[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]; then
   TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=kube:${TS_KUBE_SECRET} --statedir=${TS_STATE_DIR:-/tmp}"
@@ -82,11 +81,11 @@ if [[ ! -z "${TS_EXTRA_ARGS}" ]]; then
 fi
 
 echo "Running tailscale up"
-tailscale --socket="${TS_SOCKET}" up ${UP_ARGS}
+tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS}
 
 if [[ ! -z "${TS_DEST_IP}" ]]; then
   echo "Adding iptables rule for DNAT"
-  iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
+  iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
 fi
 
 echo "Waiting for tailscaled to exit"

docs/k8s/sidecar.yaml

@@ -23,7 +23,7 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
           optional: true
     securityContext:
       capabilities:

docs/k8s/subnet.yaml

@@ -23,7 +23,7 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
           optional: true
     - name: TS_ROUTES
       value: "{{TS_ROUTES}}"

docs/k8s/userspace-sidecar.yaml

@@ -26,5 +26,5 @@ spec:
       valueFrom:
         secretKeyRef:
           name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
           optional: true

envknob/envknob.go

@@ -17,43 +17,30 @@
 package envknob
 
 import (
-	"bufio"
-	"fmt"
-	"io"
 	"log"
 	"os"
-	"path/filepath"
-	"runtime"
-	"sort"
 	"strconv"
-	"strings"
 	"sync"
-	"sync/atomic"
 
 	"tailscale.com/types/opt"
-	"tailscale.com/version/distro"
 )
 
 var (
-	mu         sync.Mutex
-	set        = map[string]string{}
-	regStr     = map[string]*string{}
-	regBool    = map[string]*bool{}
-	regOptBool = map[string]*opt.Bool{}
+	mu   sync.Mutex
+	set  = map[string]string{}
+	list []string
 )
 
 func noteEnv(k, v string) {
+	if v == "" {
+		return
+	}
 	mu.Lock()
 	defer mu.Unlock()
-	noteEnvLocked(k, v)
-}
-
-func noteEnvLocked(k, v string) {
-	if v != "" {
-		set[k] = v
-	} else {
-		delete(set, k)
+	if _, ok := set[k]; !ok {
+		list = append(list, k)
 	}
+	set[k] = v
 }
 
 // logf is logger.Logf, but logger depends on envknob, so for circular
@@ -65,39 +52,11 @@ type logf = func(format string, args ...any)
 func LogCurrent(logf logf) {
 	mu.Lock()
 	defer mu.Unlock()
-
-	list := make([]string, 0, len(set))
-	for k := range set {
-		list = append(list, k)
-	}
-	sort.Strings(list)
 	for _, k := range list {
 		logf("envknob: %s=%q", k, set[k])
 	}
 }
 
-// Setenv changes an environment variable.
-//
-// It is not safe for concurrent reading of environment variables via the
-// Register functions. All Setenv calls are meant to happen early in main before
-// any goroutines are started.
-func Setenv(envVar, val string) {
-	mu.Lock()
-	defer mu.Unlock()
-	os.Setenv(envVar, val)
-	noteEnvLocked(envVar, val)
-
-	if p := regStr[envVar]; p != nil {
-		*p = val
-	}
-	if p := regBool[envVar]; p != nil {
-		setBoolLocked(p, envVar, val)
-	}
-	if p := regOptBool[envVar]; p != nil {
-		setOptBoolLocked(p, envVar, val)
-	}
-}
-
 // String returns the named environment variable, using os.Getenv.
 //
 // If the variable is non-empty, it's also tracked & logged as being
@@ -108,82 +67,6 @@ func String(envVar string) string {
 	return v
 }
 
-// RegisterString returns a func that gets the named environment variable,
-// without a map lookup per call. It assumes that mutations happen via
-// envknob.Setenv.
-func RegisterString(envVar string) func() string {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regStr[envVar]
-	if !ok {
-		val := os.Getenv(envVar)
-		if val != "" {
-			noteEnvLocked(envVar, val)
-		}
-		p = &val
-		regStr[envVar] = p
-	}
-	return func() string { return *p }
-}
-
-// RegisterBool returns a func that gets the named environment variable,
-// without a map lookup per call. It assumes that mutations happen via
-// envknob.Setenv.
-func RegisterBool(envVar string) func() bool {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regBool[envVar]
-	if !ok {
-		var b bool
-		p = &b
-		setBoolLocked(p, envVar, os.Getenv(envVar))
-		regBool[envVar] = p
-	}
-	return func() bool { return *p }
-}
-
-// RegisterOptBool returns a func that gets the named environment variable,
-// without a map lookup per call. It assumes that mutations happen via
-// envknob.Setenv.
-func RegisterOptBool(envVar string) func() opt.Bool {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regOptBool[envVar]
-	if !ok {
-		var b opt.Bool
-		p = &b
-		setOptBoolLocked(p, envVar, os.Getenv(envVar))
-		regOptBool[envVar] = p
-	}
-	return func() opt.Bool { return *p }
-}
-
-func setBoolLocked(p *bool, envVar, val string) {
-	noteEnvLocked(envVar, val)
-	if val == "" {
-		*p = false
-		return
-	}
-	var err error
-	*p, err = strconv.ParseBool(val)
-	if err != nil {
-		log.Fatalf("invalid boolean environment variable %s value %q", envVar, val)
-	}
-}
-
-func setOptBoolLocked(p *opt.Bool, envVar, val string) {
-	noteEnvLocked(envVar, val)
-	if val == "" {
-		*p = ""
-		return
-	}
-	b, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Fatalf("invalid boolean environment variable %s value %q", envVar, val)
-	}
-	p.Set(b)
-}
-
 // Bool returns the boolean value of the named environment variable.
 // If the variable is not set, it returns false.
 // An invalid value exits the binary with a failure.
@@ -198,7 +81,6 @@ func BoolDefaultTrue(envVar string) bool {
 }
 
 func boolOr(envVar string, implicitValue bool) bool {
-	assertNotInInit()
 	val := os.Getenv(envVar)
 	if val == "" {
 		return implicitValue
@@ -216,7 +98,6 @@ func boolOr(envVar string, implicitValue bool) bool {
 // The ok result is whether a value was set.
 // If the value isn't a valid int, it exits the program with a failure.
 func LookupBool(envVar string) (v bool, ok bool) {
-	assertNotInInit()
 	val := os.Getenv(envVar)
 	if val == "" {
 		return false, false
@@ -232,7 +113,6 @@ func LookupBool(envVar string) (v bool, ok bool) {
 // OptBool is like Bool, but returns an opt.Bool, so the caller can
 // distinguish between implicitly and explicitly false.
 func OptBool(envVar string) opt.Bool {
-	assertNotInInit()
 	b, ok := LookupBool(envVar)
 	if !ok {
 		return ""
@@ -246,7 +126,6 @@ func OptBool(envVar string) opt.Bool {
 // The ok result is whether a value was set.
 // If the value isn't a valid int, it exits the program with a failure.
 func LookupInt(envVar string) (v int, ok bool) {
-	assertNotInInit()
 	val := os.Getenv(envVar)
 	if val == "" {
 		return 0, false
@@ -276,151 +155,3 @@ func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
 
 // SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
 func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }
-
-// NoLogsNoSupport reports whether the client's opted out of log uploads and
-// technical support.
-func NoLogsNoSupport() bool {
-	return Bool("TS_NO_LOGS_NO_SUPPORT")
-}
-
-// SetNoLogsNoSupport enables no-logs-no-support mode.
-func SetNoLogsNoSupport() {
-	Setenv("TS_NO_LOGS_NO_SUPPORT", "true")
-}
-
-// notInInit is set true the first time we've seen a non-init stack trace.
-var notInInit atomic.Bool
-
-func assertNotInInit() {
-	if notInInit.Load() {
-		return
-	}
-	skip := 0
-	for {
-		pc, _, _, ok := runtime.Caller(skip)
-		if !ok {
-			notInInit.Store(true)
-			return
-		}
-		fu := runtime.FuncForPC(pc)
-		if fu == nil {
-			return
-		}
-		name := fu.Name()
-		name = strings.TrimRightFunc(name, func(r rune) bool { return r >= '0' && r <= '9' })
-		if strings.HasSuffix(name, ".init") || strings.HasSuffix(name, ".init.") {
-			stack := make([]byte, 1<<10)
-			stack = stack[:runtime.Stack(stack, false)]
-			envCheckedInInitStack = stack
-		}
-		skip++
-	}
-}
-
-var envCheckedInInitStack []byte
-
-// PanicIfAnyEnvCheckedInInit panics if environment variables were read during
-// init.
-func PanicIfAnyEnvCheckedInInit() {
-	if envCheckedInInitStack != nil {
-		panic("envknob check of called from init function: " + string(envCheckedInInitStack))
-	}
-}
-
-var applyDiskConfigErr error
-
-// ApplyDiskConfigError returns the most recent result of ApplyDiskConfig.
-func ApplyDiskConfigError() error { return applyDiskConfigErr }
-
-// ApplyDiskConfig returns a platform-specific config file of environment keys/values and
-// applies them. On Linux and Unix operating systems, it's a no-op and always returns nil.
-// If no platform-specific config file is found, it also returns nil.
-//
-// It exists primarily for Windows to make it easy to apply environment variables to
-// a running service in a way similar to modifying /etc/default/tailscaled on Linux.
-// On Windows, you use %ProgramData%\Tailscale\tailscaled-env.txt instead.
-func ApplyDiskConfig() (err error) {
-	var f *os.File
-	defer func() {
-		if err != nil {
-			// Stash away our return error for the healthcheck package to use.
-			applyDiskConfigErr = fmt.Errorf("error parsing %s: %w", f.Name(), err)
-		}
-	}()
-
-	// First try the explicitly-provided value for development testing. Not
-	// useful for users to use on their own. (if they can set this, they can set
-	// any environment variable anyway)
-	if name := os.Getenv("TS_DEBUG_ENV_FILE"); name != "" {
-		f, err = os.Open(name)
-		if err != nil {
-			return fmt.Errorf("error opening explicitly configured TS_DEBUG_ENV_FILE: %w", err)
-		}
-		defer f.Close()
-		return applyKeyValueEnv(f)
-	}
-
-	name := getPlatformEnvFile()
-	if name == "" {
-		return nil
-	}
-	f, err = os.Open(name)
-	if os.IsNotExist(err) {
-		return nil
-	}
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	return applyKeyValueEnv(f)
-}
-
-// getPlatformEnvFile returns the current platform's path to an optional
-// tailscaled-env.txt file. It returns an empty string if none is defined
-// for the platform.
-func getPlatformEnvFile() string {
-	switch runtime.GOOS {
-	case "windows":
-		return filepath.Join(os.Getenv("ProgramData"), "Tailscale", "tailscaled-env.txt")
-	case "linux":
-		if distro.Get() == distro.Synology {
-			return "/etc/tailscale/tailscaled-env.txt"
-		}
-	case "darwin":
-		// TODO(bradfitz): figure this out. There are three ways to run
-		// Tailscale on macOS (tailscaled, GUI App Store, GUI System Extension)
-		// and we should deal with all three.
-	}
-	return ""
-}
-
-// applyKeyValueEnv reads key=value lines r and calls Setenv for each.
-//
-// Empty lines and lines beginning with '#' are skipped.
-//
-// Values can be double quoted, in which case they're unquoted using
-// strconv.Unquote.
-func applyKeyValueEnv(r io.Reader) error {
-	bs := bufio.NewScanner(r)
-	for bs.Scan() {
-		line := strings.TrimSpace(bs.Text())
-		if line == "" || line[0] == '#' {
-			continue
-		}
-		k, v, ok := strings.Cut(line, "=")
-		k = strings.TrimSpace(k)
-		if !ok || k == "" {
-			continue
-		}
-		v = strings.TrimSpace(v)
-		if strings.HasPrefix(v, `"`) {
-			var err error
-			v, err = strconv.Unquote(v)
-			if err != nil {
-				return fmt.Errorf("invalid value in line %q: %v", line, err)
-			}
-		}
-		Setenv(k, v)
-	}
-	return bs.Err()
-}

go.mod

@@ -63,9 +63,9 @@ require (
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
-	golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0
-	golang.zx2c4.com/wireguard/windows v0.5.3
-	gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5
+	golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478
+	golang.zx2c4.com/wireguard/windows v0.4.10
+	gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444
 	honnef.co/go/tools v0.4.0-0.dev.0.20220404092545-59d7a2877f83
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/wf v0.0.0-20220728202103-50d96caab2f6
@@ -266,7 +266,7 @@ require (
 	github.com/yeya24/promlinter v0.1.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect

go.sum

@@ -729,6 +729,8 @@ github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -1350,6 +1352,7 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1446,6 +1449,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1504,9 +1508,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
-golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1633,10 +1636,11 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0 h1:5ZkdpbduT/g+9OtbSDvbF3KvfQG45CtH/ppO8FUmvCQ=
-golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
-golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
-golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
+golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
+golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478 h1:vDy//hdR+GnROE3OdYbQKt9rdtNdHkDtONvpRwmls/0=
+golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
+golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
+golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1816,8 +1820,8 @@ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5 h1:cv/zaNV0nr1mJzaeo4S5mHIm5va1W0/9J3/5prlsuRM=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
+gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444 h1:0d3ygmOM5RgQB8rmsZNeAY/7Q98fKt1HrGO2XIp4pDI=
+gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

health/health.go

@@ -325,7 +325,7 @@ func OverallError() error {
 	return overallErrorLocked()
 }
 
-var fakeErrForTesting = envknob.RegisterString("TS_DEBUG_FAKE_HEALTH_ERROR")
+var fakeErrForTesting = envknob.String("TS_DEBUG_FAKE_HEALTH_ERROR")
 
 func overallErrorLocked() error {
 	if !anyInterfaceUp {
@@ -383,10 +383,7 @@ func overallErrorLocked() error {
 	for _, s := range controlHealth {
 		errs = append(errs, errors.New(s))
 	}
-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		errs = append(errs, err)
-	}
-	if e := fakeErrForTesting(); len(errs) == 0 && e != "" {
+	if e := fakeErrForTesting; len(errs) == 0 && e != "" {
 		return errors.New(e)
 	}
 	sort.Slice(errs, func(i, j int) bool {

hostinfo/hostinfo.go

@@ -12,12 +12,10 @@ import (
 	"os"
 	"runtime"
 	"strings"
-	"sync"
 	"sync/atomic"
 	"time"
 
 	"go4.org/mem"
-	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/cloudenv"
@@ -33,69 +31,25 @@ func New() *tailcfg.Hostinfo {
 	hostname, _ := os.Hostname()
 	hostname = dnsname.FirstLabel(hostname)
 	return &tailcfg.Hostinfo{
-		IPNVersion:      version.Long,
-		Hostname:        hostname,
-		OS:              version.OS(),
-		OSVersion:       GetOSVersion(),
-		Container:       lazyInContainer.Get(),
-		Distro:          condCall(distroName),
-		DistroVersion:   condCall(distroVersion),
-		DistroCodeName:  condCall(distroCodeName),
-		Env:             string(GetEnvType()),
-		Desktop:         desktop(),
-		Package:         packageTypeCached(),
-		GoArch:          runtime.GOARCH,
-		GoVersion:       runtime.Version(),
-		DeviceModel:     deviceModel(),
-		Cloud:           string(cloudenv.Get()),
-		NoLogsNoSupport: envknob.NoLogsNoSupport(),
+		IPNVersion:  version.Long,
+		Hostname:    hostname,
+		OS:          version.OS(),
+		OSVersion:   GetOSVersion(),
+		Desktop:     desktop(),
+		Package:     packageTypeCached(),
+		GoArch:      runtime.GOARCH,
+		GoVersion:   runtime.Version(),
+		DeviceModel: deviceModel(),
+		Cloud:       string(cloudenv.Get()),
 	}
 }
 
 // non-nil on some platforms
 var (
-	osVersion      func() string
-	packageType    func() string
-	distroName     func() string
-	distroVersion  func() string
-	distroCodeName func() string
+	osVersion   func() string
+	packageType func() string
 )
 
-func condCall[T any](fn func() T) T {
-	var zero T
-	if fn == nil {
-		return zero
-	}
-	return fn()
-}
-
-var (
-	lazyInContainer = &lazyAtomicValue[opt.Bool]{f: ptrTo(inContainer)}
-)
-
-func ptrTo[T any](v T) *T { return &v }
-
-type lazyAtomicValue[T any] struct {
-	// f is a pointer to a fill function. If it's nil or points
-	// to nil, then Get returns the zero value for T.
-	f *func() T
-
-	once sync.Once
-	v    T
-}
-
-func (v *lazyAtomicValue[T]) Get() T {
-	v.once.Do(v.fill)
-	return v.v
-}
-
-func (v *lazyAtomicValue[T]) fill() {
-	if v.f == nil || *v.f == nil {
-		return
-	}
-	v.v = (*v.f)()
-}
-
 // GetOSVersion returns the OSVersion of current host if available.
 func GetOSVersion() string {
 	if s, _ := osVersionAtomic.Load().(string); s != "" {
@@ -225,32 +179,29 @@ func getEnvType() EnvType {
 }
 
 // inContainer reports whether we're running in a container.
-func inContainer() opt.Bool {
+func inContainer() bool {
 	if runtime.GOOS != "linux" {
-		return ""
+		return false
 	}
-	var ret opt.Bool
-	ret.Set(false)
 	if _, err := os.Stat("/.dockerenv"); err == nil {
-		ret.Set(true)
-		return ret
+		return true
 	}
 	if _, err := os.Stat("/run/.containerenv"); err == nil {
 		// See https://github.com/cri-o/cri-o/issues/5461
-		ret.Set(true)
-		return ret
+		return true
 	}
+	var ret bool
 	lineread.File("/proc/1/cgroup", func(line []byte) error {
 		if mem.Contains(mem.B(line), mem.S("/docker/")) ||
 			mem.Contains(mem.B(line), mem.S("/lxc/")) {
-			ret.Set(true)
+			ret = true
 			return io.EOF // arbitrary non-nil error to stop loop
 		}
 		return nil
 	})
 	lineread.File("/proc/mounts", func(line []byte) error {
 		if mem.Contains(mem.B(line), mem.S("fuse.lxcfs")) {
-			ret.Set(true)
+			ret = true
 			return io.EOF
 		}
 		return nil

hostinfo/hostinfo_freebsd.go

@@ -8,58 +8,48 @@
 package hostinfo
 
 import (
-	"bytes"
+	"fmt"
 	"os"
 	"os/exec"
+	"strings"
 
 	"golang.org/x/sys/unix"
 	"tailscale.com/version/distro"
 )
 
 func init() {
-	osVersion = lazyOSVersion.Get
-	distroName = distroNameFreeBSD
-	distroVersion = distroVersionFreeBSD
+	osVersion = osVersionFreebsd
 }
 
-var (
-	lazyVersionMeta = &lazyAtomicValue[versionMeta]{f: ptrTo(freebsdVersionMeta)}
-	lazyOSVersion   = &lazyAtomicValue[string]{f: ptrTo(osVersionFreeBSD)}
-)
-
-func distroNameFreeBSD() string {
-	return lazyVersionMeta.Get().DistroName
-}
-
-func distroVersionFreeBSD() string {
-	return lazyVersionMeta.Get().DistroVersion
-}
-
-type versionMeta struct {
-	DistroName     string
-	DistroVersion  string
-	DistroCodeName string
-}
-
-func osVersionFreeBSD() string {
-	var un unix.Utsname
+func osVersionFreebsd() string {
+	un := unix.Utsname{}
 	unix.Uname(&un)
-	return unix.ByteSliceToString(un.Release[:])
-}
 
-func freebsdVersionMeta() (meta versionMeta) {
-	d := distro.Get()
-	meta.DistroName = string(d)
-	switch d {
+	var attrBuf strings.Builder
+	attrBuf.WriteString("; version=")
+	attrBuf.WriteString(unix.ByteSliceToString(un.Release[:]))
+	attr := attrBuf.String()
+
+	version := "FreeBSD"
+	switch distro.Get() {
 	case distro.Pfsense:
 		b, _ := os.ReadFile("/etc/version")
-		meta.DistroVersion = string(bytes.TrimSpace(b))
+		version = fmt.Sprintf("pfSense %s", b)
 	case distro.OPNsense:
-		b, _ := exec.Command("opnsense-version").Output()
-		meta.DistroVersion = string(bytes.TrimSpace(b))
+		b, err := exec.Command("opnsense-version").Output()
+		if err == nil {
+			version = string(b)
+		} else {
+			version = "OPNsense"
+		}
 	case distro.TrueNAS:
-		b, _ := os.ReadFile("/etc/version")
-		meta.DistroVersion = string(bytes.TrimSpace(b))
+		b, err := os.ReadFile("/etc/version")
+		if err == nil {
+			version = string(b)
+		} else {
+			version = "TrueNAS"
+		}
 	}
-	return
+	// the /etc/version files end in a newline
+	return fmt.Sprintf("%s%s", strings.TrimSuffix(version, "\n"), attr)
 }

hostinfo/hostinfo_linux.go

@@ -9,6 +9,8 @@ package hostinfo
 
 import (
 	"bytes"
+	"fmt"
+	"io/ioutil"
 	"os"
 	"strings"
 
@@ -19,39 +21,14 @@ import (
 )
 
 func init() {
-	osVersion = lazyOSVersion.Get
+	osVersion = osVersionLinux
 	packageType = packageTypeLinux
-	distroName = distroNameLinux
-	distroVersion = distroVersionLinux
-	distroCodeName = distroCodeNameLinux
+
 	if v := linuxDeviceModel(); v != "" {
 		SetDeviceModel(v)
 	}
 }
 
-var (
-	lazyVersionMeta = &lazyAtomicValue[versionMeta]{f: ptrTo(linuxVersionMeta)}
-	lazyOSVersion   = &lazyAtomicValue[string]{f: ptrTo(osVersionLinux)}
-)
-
-type versionMeta struct {
-	DistroName     string
-	DistroVersion  string
-	DistroCodeName string // "jammy", etc (VERSION_CODENAME from /etc/os-release)
-}
-
-func distroNameLinux() string {
-	return lazyVersionMeta.Get().DistroName
-}
-
-func distroVersionLinux() string {
-	return lazyVersionMeta.Get().DistroVersion
-}
-
-func distroCodeNameLinux() string {
-	return lazyVersionMeta.Get().DistroCodeName
-}
-
 func linuxDeviceModel() string {
 	for _, path := range []string{
 		// First try the Synology-specific location.
@@ -75,22 +52,15 @@ func linuxDeviceModel() string {
 func getQnapQtsVersion(versionInfo string) string {
 	for _, field := range strings.Fields(versionInfo) {
 		if suffix, ok := strs.CutPrefix(field, "QTSFW_"); ok {
-			return suffix
+			return "QTS " + suffix
 		}
 	}
 	return ""
 }
 
 func osVersionLinux() string {
-	var un unix.Utsname
-	unix.Uname(&un)
-	return unix.ByteSliceToString(un.Release[:])
-}
-
-func linuxVersionMeta() (meta versionMeta) {
+	// TODO(bradfitz,dgentry): cache this, or make caller(s) cache it.
 	dist := distro.Get()
-	meta.DistroName = string(dist)
-
 	propFile := "/etc/os-release"
 	switch dist {
 	case distro.Synology:
@@ -98,13 +68,11 @@ func linuxVersionMeta() (meta versionMeta) {
 	case distro.OpenWrt:
 		propFile = "/etc/openwrt_release"
 	case distro.WDMyCloud:
-		slurp, _ := os.ReadFile("/etc/version")
-		meta.DistroVersion = string(bytes.TrimSpace(slurp))
-		return
+		slurp, _ := ioutil.ReadFile("/etc/version")
+		return fmt.Sprintf("%s", string(bytes.TrimSpace(slurp)))
 	case distro.QNAP:
-		slurp, _ := os.ReadFile("/etc/version_info")
-		meta.DistroVersion = getQnapQtsVersion(string(slurp))
-		return
+		slurp, _ := ioutil.ReadFile("/etc/version_info")
+		return getQnapQtsVersion(string(slurp))
 	}
 
 	m := map[string]string{}
@@ -118,45 +86,50 @@ func linuxVersionMeta() (meta versionMeta) {
 		return nil
 	})
 
-	if v := m["VERSION_CODENAME"]; v != "" {
-		meta.DistroCodeName = v
+	var un unix.Utsname
+	unix.Uname(&un)
+
+	var attrBuf strings.Builder
+	attrBuf.WriteString("; kernel=")
+	attrBuf.WriteString(unix.ByteSliceToString(un.Release[:]))
+	if inContainer() {
+		attrBuf.WriteString("; container")
 	}
-	if v := m["VERSION_ID"]; v != "" {
-		meta.DistroVersion = v
+	if env := GetEnvType(); env != "" {
+		fmt.Fprintf(&attrBuf, "; env=%s", env)
 	}
+	attr := attrBuf.String()
+
 	id := m["ID"]
-	if id != "" {
-		meta.DistroName = id
-	}
+
 	switch id {
 	case "debian":
-		// Debian's VERSION_ID is just like "11". But /etc/debian_version has "11.5" normally.
-		// Or "bookworm/sid" on sid/testing.
-		slurp, _ := os.ReadFile("/etc/debian_version")
-		if v := string(bytes.TrimSpace(slurp)); v != "" {
-			if '0' <= v[0] && v[0] <= '9' {
-				meta.DistroVersion = v
-			} else if meta.DistroCodeName == "" {
-				meta.DistroCodeName = v
-			}
-		}
+		slurp, _ := ioutil.ReadFile("/etc/debian_version")
+		return fmt.Sprintf("Debian %s (%s)%s", bytes.TrimSpace(slurp), m["VERSION_CODENAME"], attr)
+	case "ubuntu":
+		return fmt.Sprintf("Ubuntu %s%s", m["VERSION"], attr)
 	case "", "centos": // CentOS 6 has no /etc/os-release, so its id is ""
-		if meta.DistroVersion == "" {
-			if cr, _ := os.ReadFile("/etc/centos-release"); len(cr) > 0 { // "CentOS release 6.10 (Final)
-				meta.DistroVersion = string(bytes.TrimSpace(cr))
-			}
+		if cr, _ := ioutil.ReadFile("/etc/centos-release"); len(cr) > 0 { // "CentOS release 6.10 (Final)
+			return fmt.Sprintf("%s%s", bytes.TrimSpace(cr), attr)
+		}
+		fallthrough
+	case "fedora", "rhel", "alpine", "nixos":
+		// Their PRETTY_NAME is fine as-is for all versions I tested.
+		fallthrough
+	default:
+		if v := m["PRETTY_NAME"]; v != "" {
+			return fmt.Sprintf("%s%s", v, attr)
 		}
-	}
-	if v := m["PRETTY_NAME"]; v != "" && meta.DistroVersion == "" && !strings.HasSuffix(v, "/sid") {
-		meta.DistroVersion = v
 	}
 	switch dist {
 	case distro.Synology:
-		meta.DistroVersion = m["productversion"]
+		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
 	case distro.OpenWrt:
-		meta.DistroVersion = m["DISTRIB_RELEASE"]
+		return fmt.Sprintf("OpenWrt %s%s", m["DISTRIB_RELEASE"], attr)
+	case distro.Gokrazy:
+		return fmt.Sprintf("Gokrazy%s", attr)
 	}
-	return
+	return fmt.Sprintf("Other%s", attr)
 }
 
 func packageTypeLinux() string {

hostinfo/hostinfo_linux_test.go

@@ -19,7 +19,7 @@ Date:   2022-05-30 16:08:45 +0800
 remotes/origin/QTSFW_5.0.0`
 
 	got := getQnapQtsVersion(version_info)
-	want := "5.0.0"
+	want := "QTS 5.0.0"
 	if got != want {
 		t.Errorf("got %q; want %q", got, want)
 	}

hostinfo/hostinfo_windows.go

@@ -11,20 +11,21 @@ import (
 
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
+	"tailscale.com/syncs"
 	"tailscale.com/util/winutil"
 )
 
 func init() {
-	osVersion = lazyOSVersion.Get
-	packageType = lazyPackageType.Get
+	osVersion = osVersionWindows
+	packageType = packageTypeWindows
 }
 
-var (
-	lazyOSVersion   = &lazyAtomicValue[string]{f: ptrTo(osVersionWindows)}
-	lazyPackageType = &lazyAtomicValue[string]{f: ptrTo(packageTypeWindows)}
-)
+var winVerCache syncs.AtomicValue[string]
 
 func osVersionWindows() string {
+	if s, ok := winVerCache.LoadOk(); ok {
+		return s
+	}
 	major, minor, build := windows.RtlGetNtVersionNumbers()
 	s := fmt.Sprintf("%d.%d.%d", major, minor, build)
 	// Windows 11 still uses 10 as its major number internally
@@ -33,6 +34,9 @@ func osVersionWindows() string {
 			s += fmt.Sprintf(".%d", ubr)
 		}
 	}
+	if s != "" {
+		winVerCache.Store(s)
+	}
 	return s // "10.0.19041.388", ideally
 }
 

ipn/ipn_clone.go

@@ -48,7 +48,6 @@ var _PrefsCloneNeedsRegeneration = Prefs(struct {
 	Hostname               string
 	NotepadURLs            bool
 	ForceDaemon            bool
-	Egg                    bool
 	AdvertiseRoutes        []netip.Prefix
 	NoSNAT                 bool
 	NetfilterMode          preftype.NetfilterMode

ipn/ipnlocal/c2n.go

@@ -5,11 +5,8 @@
 package ipnlocal
 
 import (
-	"encoding/json"
 	"io"
 	"net/http"
-
-	"tailscale.com/tailcfg"
 )
 
 func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
@@ -18,21 +15,6 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		// Test handler.
 		body, _ := io.ReadAll(r.Body)
 		w.Write(body)
-	case "/ssh/usernames":
-		var req tailcfg.C2NSSHUsernamesRequest
-		if r.Method == "POST" {
-			if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-				http.Error(w, err.Error(), http.StatusBadRequest)
-				return
-			}
-		}
-		res, err := b.getSSHUsernames(&req)
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(res)
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}

ipn/ipnlocal/local.go

@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"go4.org/netipx"
+	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
@@ -33,7 +34,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
 	"tailscale.com/net/dns"
-	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
@@ -67,6 +67,7 @@ import (
 )
 
 var controlDebugFlags = getControlDebugFlags()
+var canSSH = envknob.CanSSHD()
 
 func getControlDebugFlags() []string {
 	if e := envknob.String("TS_DEBUG_CONTROL_FLAGS"); e != "" {
@@ -163,7 +164,6 @@ type LocalBackend struct {
 	authURL          string // cleared on Notify
 	authURLSticky    string // not cleared on Notify
 	interact         bool
-	egg              bool
 	prevIfState      *interfaces.State
 	peerAPIServer    *peerAPIServer // or nil
 	peerAPIListeners []*peerAPIListener
@@ -189,10 +189,6 @@ type LocalBackend struct {
 	// statusChanged.Broadcast().
 	statusLock    sync.Mutex
 	statusChanged *sync.Cond
-
-	// dialPlan is any dial plan that we've received from the control
-	// server during a previous connection; it is cleared on logout.
-	dialPlan atomic.Pointer[tailcfg.ControlDialPlan]
 }
 
 // clientGen is a func that creates a control plane client.
@@ -427,6 +423,7 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 		s.Version = version.Long
 		s.BackendState = b.state.String()
 		s.AuthURL = b.authURLSticky
+
 		if err := health.OverallError(); err != nil {
 			switch e := err.(type) {
 			case multierr.Error:
@@ -577,10 +574,6 @@ func (b *LocalBackend) WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.Use
 func (b *LocalBackend) PeerCaps(src netip.Addr) []string {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	return b.peerCapsLocked(src)
-}
-
-func (b *LocalBackend) peerCapsLocked(src netip.Addr) []string {
 	if b.netMap == nil {
 		return nil
 	}
@@ -592,9 +585,9 @@ func (b *LocalBackend) peerCapsLocked(src netip.Addr) []string {
 		if !a.IsSingleIP() {
 			continue
 		}
-		dst := a.Addr()
-		if dst.BitLen() == src.BitLen() { // match on family
-			return filt.AppendCaps(nil, src, dst)
+		dstIP := a.Addr()
+		if dstIP.BitLen() == src.BitLen() {
+			return filt.AppendCaps(nil, src, a.Addr())
 		}
 	}
 	return nil
@@ -688,9 +681,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		}
 	}
 	if st.NetMap != nil {
-		if err := b.tkaSyncIfNeededLocked(st.NetMap); err != nil {
-			b.logf("[v1] TKA sync error: %v", err)
-		}
 		if b.findExitNodeIDLocked(st.NetMap) {
 			prefsChanged = true
 		}
@@ -741,9 +731,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		b.e.SetNetworkMap(st.NetMap)
 		b.e.SetDERPMap(st.NetMap.DERPMap)
 
-		// Update our cached DERP map
-		dnsfallback.UpdateCache(st.NetMap.DERPMap)
-
 		b.send(ipn.Notify{NetMap: st.NetMap})
 	}
 	if st.URL != "" {
@@ -1091,7 +1078,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		Dialer:               b.Dialer(),
 		Status:               b.setClientStatus,
 		C2NHandler:           http.HandlerFunc(b.handleC2N),
-		DialPlan:             &b.dialPlan, // pointer because it can't be copied
 
 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -1520,12 +1506,12 @@ func (b *LocalBackend) tellClientToBrowseToURL(url string) {
 }
 
 // For testing lazy machine key generation.
-var panicOnMachineKeyGeneration = envknob.RegisterBool("TS_DEBUG_PANIC_MACHINE_KEY")
+var panicOnMachineKeyGeneration = envknob.Bool("TS_DEBUG_PANIC_MACHINE_KEY")
 
 func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePrivate, error) {
 	var cache syncs.AtomicValue[key.MachinePrivate]
 	return func() (key.MachinePrivate, error) {
-		if panicOnMachineKeyGeneration() {
+		if panicOnMachineKeyGeneration {
 			panic("machine key generated")
 		}
 		if v, ok := cache.LoadOk(); ok {
@@ -1762,7 +1748,7 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 // setAtomicValuesFromPrefs populates sshAtomicBool and containsViaIPFuncAtomic
 // from the prefs p, which may be nil.
 func (b *LocalBackend) setAtomicValuesFromPrefs(p *ipn.Prefs) {
-	b.sshAtomicBool.Store(p != nil && p.RunSSH && envknob.CanSSHD())
+	b.sshAtomicBool.Store(p != nil && p.RunSSH && canSSH)
 
 	if p == nil {
 		b.containsViaIPFuncAtomic.Store(tsaddr.NewContainsIPFunc(nil))
@@ -1977,7 +1963,7 @@ func (b *LocalBackend) checkSSHPrefsLocked(p *ipn.Prefs) error {
 	default:
 		return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
 	}
-	if !envknob.CanSSHD() {
+	if !canSSH {
 		return errors.New("The Tailscale SSH server has been administratively disabled.")
 	}
 	if envknob.SSHIgnoreTailnetPolicy() || envknob.SSHPolicyFile() != "" {
@@ -2029,11 +2015,6 @@ func (b *LocalBackend) isDefaultServerLocked() bool {
 
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
 	b.mu.Lock()
-	if mp.EggSet {
-		mp.EggSet = false
-		b.egg = true
-		go b.doSetHostinfoFilterServices(b.hostinfo.Clone())
-	}
 	p0 := b.prefs.Clone()
 	p1 := b.prefs.Clone()
 	p1.ApplyEdits(mp)
@@ -2042,7 +2023,7 @@ func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
 		b.logf("EditPrefs check error: %v", err)
 		return nil, err
 	}
-	if p1.RunSSH && !envknob.CanSSHD() {
+	if p1.RunSSH && !canSSH {
 		b.mu.Unlock()
 		b.logf("EditPrefs requests SSH, but disabled by envknob; returning error")
 		return nil, errors.New("Tailscale SSH server administratively disabled.")
@@ -2230,9 +2211,6 @@ func (b *LocalBackend) doSetHostinfoFilterServices(hi *tailcfg.Hostinfo) {
 		return
 	}
 	peerAPIServices := b.peerAPIServicesLocked()
-	if b.egg {
-		peerAPIServices = append(peerAPIServices, tailcfg.Service{Proto: "egg"})
-	}
 	b.mu.Unlock()
 
 	// Make a shallow copy of hostinfo so we can mutate
@@ -2864,7 +2842,7 @@ func (b *LocalBackend) applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Pre
 	hi.ShieldsUp = prefs.ShieldsUp
 
 	var sshHostKeys []string
-	if prefs.RunSSH && envknob.CanSSHD() {
+	if prefs.RunSSH && canSSH {
 		// TODO(bradfitz): this is called with b.mu held. Not ideal.
 		// If the filesystem gets wedged or something we could block for
 		// a long time. But probably fine.
@@ -3083,7 +3061,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 	b.setAtomicValuesFromPrefs(nil)
 }
 
-func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
+func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && canSSH }
 
 // ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
@@ -3117,9 +3095,6 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		Prefs:          ipn.Prefs{WantRunning: false, LoggedOut: true},
 	})
 
-	// Clear any previous dial plan(s), if set.
-	b.dialPlan.Store(nil)
-
 	if cc == nil {
 		// Double Logout can happen via repeated IPN
 		// connections to ipnserver making it repeatedly
@@ -3236,17 +3211,6 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	}
 }
 
-// operatorUserName returns the current pref's OperatorUser's name, or the
-// empty string if none.
-func (b *LocalBackend) operatorUserName() string {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.prefs == nil {
-		return ""
-	}
-	return b.prefs.OperatorUser
-}
-
 // OperatorUserID returns the current pref's OperatorUser's ID (in
 // os/user.User.Uid string form), or the empty string if none.
 func (b *LocalBackend) OperatorUserID() string {
@@ -3329,15 +3293,13 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		return nil, errors.New("file sharing not enabled by Tailscale admin")
 	}
 	for _, p := range nm.Peers {
-		if len(p.Addresses) == 0 {
-			continue
-		}
-		if p.User != nm.User && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharing) {
+		if p.User != nm.User && !slices.Contains(p.Capabilities, tailcfg.CapabilityFileSharingTarget) {
 			continue
 		}
 		peerAPI := peerAPIBase(b.netMap, p)
 		if peerAPI == "" {
 			continue
+
 		}
 		ret = append(ret, &apitype.FileTarget{
 			Node:       p,
@@ -3348,15 +3310,6 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }
 
-func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap string) bool {
-	for _, hasCap := range b.peerCapsLocked(addr) {
-		if hasCap == wantCap {
-			return true
-		}
-	}
-	return false
-}
-
 // SetDNS adds a DNS record for the given domain name & TXT record
 // value.
 //
@@ -3615,17 +3568,6 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	return cc.DoNoiseRequest(req)
 }
 
-// tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
-// on prefs. It returns false if there are no prefs set.
-func (b *LocalBackend) tailscaleSSHEnabled() bool {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.prefs == nil {
-		return false
-	}
-	return b.prefs.RunSSH
-}
-
 func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {
 	b.mu.Lock()
 	defer b.mu.Unlock()

ipn/ipnlocal/local_test.go

@@ -478,8 +478,8 @@ func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {
 
 // Issue 1573: don't generate a machine key if we don't want to be running.
 func TestLazyMachineKeyGeneration(t *testing.T) {
-	defer func(old func() bool) { panicOnMachineKeyGeneration = old }(panicOnMachineKeyGeneration)
-	panicOnMachineKeyGeneration = func() bool { return true }
+	defer func(old bool) { panicOnMachineKeyGeneration = old }(panicOnMachineKeyGeneration)
+	panicOnMachineKeyGeneration = true
 
 	var logf logger.Logf = logger.Discard
 	store := new(mem.Store)

ipn/ipnlocal/network-lock.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -12,8 +12,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"os"
-	"path/filepath"
 	"time"
 
 	"tailscale.com/envknob"
@@ -26,125 +24,13 @@ import (
 	"tailscale.com/types/tkatype"
 )
 
-var networkLockAvailable = envknob.RegisterBool("TS_EXPERIMENTAL_NETWORK_LOCK")
+var networkLockAvailable = envknob.Bool("TS_EXPERIMENTAL_NETWORK_LOCK")
 
 type tkaState struct {
 	authority *tka.Authority
 	storage   *tka.FS
 }
 
-// tkaSyncIfNeededLocked examines TKA info reported from the control plane,
-// performing the steps necessary to synchronize local tka state.
-//
-// There are 4 scenarios handled here:
-//   - Enablement: nm.TKAEnabled but b.tka == nil
-//     ∴ reach out to /machine/tka/boostrap to get the genesis AUM, then
-//     initialize TKA.
-//   - Disablement: !nm.TKAEnabled but b.tka != nil
-//     ∴ reach out to /machine/tka/boostrap to read the disablement secret,
-//     then verify and clear tka local state.
-//   - Sync needed: b.tka.Head != nm.TKAHead
-//     ∴ complete multi-step synchronization flow.
-//   - Everything up to date: All other cases.
-//     ∴ no action necessary.
-//
-// b.mu must be held. b.mu will be stepped out of (and back in) during network
-// RPCs.
-func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
-	if !networkLockAvailable() {
-		// If the feature flag is not enabled, pretend we don't exist.
-		return nil
-	}
-	if nm.SelfNode == nil {
-		return errors.New("SelfNode missing")
-	}
-
-	isEnabled := b.tka != nil
-	wantEnabled := nm.TKAEnabled
-	if isEnabled != wantEnabled {
-		var ourHead tka.AUMHash
-		if b.tka != nil {
-			ourHead = b.tka.authority.Head()
-		}
-
-		// Regardless of whether we are moving to disabled or enabled, we
-		// need information from the tka bootstrap endpoint.
-		b.mu.Unlock()
-		bs, err := b.tkaFetchBootstrap(nm.SelfNode.ID, ourHead)
-		b.mu.Lock()
-		if err != nil {
-			return fmt.Errorf("fetching bootstrap: %v", err)
-		}
-
-		if wantEnabled && !isEnabled {
-			if err := b.tkaBootstrapFromGenesisLocked(bs.GenesisAUM); err != nil {
-				return fmt.Errorf("bootstrap: %v", err)
-			}
-			isEnabled = true
-		} else if !wantEnabled && isEnabled {
-			if b.tka.authority.ValidDisablement(bs.DisablementSecret) {
-				b.tka = nil
-				isEnabled = false
-
-				if err := os.RemoveAll(b.chonkPath()); err != nil {
-					return fmt.Errorf("os.RemoveAll: %v", err)
-				}
-			} else {
-				b.logf("Disablement secret did not verify, leaving TKA enabled.")
-			}
-		} else {
-			return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
-		}
-	}
-
-	if isEnabled && b.tka.authority.Head() != nm.TKAHead {
-		// TODO(tom): Implement sync
-	}
-
-	return nil
-}
-
-// chonkPath returns the absolute path to the directory in which TKA
-// state (the 'tailchonk') is stored.
-func (b *LocalBackend) chonkPath() string {
-	return filepath.Join(b.TailscaleVarRoot(), "tka")
-}
-
-// tkaBootstrapFromGenesisLocked initializes the local (on-disk) state of the
-// tailnet key authority, based on the given genesis AUM.
-//
-// b.mu must be held.
-func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM) error {
-	if !b.CanSupportNetworkLock() {
-		return errors.New("network lock not supported in this configuration")
-	}
-
-	var genesis tka.AUM
-	if err := genesis.Unserialize(g); err != nil {
-		return fmt.Errorf("reading genesis: %v", err)
-	}
-
-	chonkDir := b.chonkPath()
-	if err := os.Mkdir(chonkDir, 0755); err != nil && !os.IsExist(err) {
-		return fmt.Errorf("mkdir: %v", err)
-	}
-
-	chonk, err := tka.ChonkDir(chonkDir)
-	if err != nil {
-		return fmt.Errorf("chonk: %v", err)
-	}
-	authority, err := tka.Bootstrap(chonk, genesis)
-	if err != nil {
-		return fmt.Errorf("tka bootstrap: %v", err)
-	}
-
-	b.tka = &tkaState{
-		authority: authority,
-		storage:   chonk,
-	}
-	return nil
-}
-
 // CanSupportNetworkLock returns true if tailscaled is able to operate
 // a local tailnet key authority (and hence enforce network lock).
 func (b *LocalBackend) CanSupportNetworkLock() bool {
@@ -196,7 +82,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	if b.tka != nil {
 		return errors.New("network-lock is already initialized")
 	}
-	if !networkLockAvailable() {
+	if !networkLockAvailable {
 		return errors.New("this is an experimental feature in your version of tailscale - Please upgrade to the latest to use this.")
 	}
 	if !b.CanSupportNetworkLock() {
@@ -261,7 +147,7 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 		SigKind:        tka.SigDirect,
 		KeyID:          signer.KeyID(),
 		Pubkey:         p,
-		WrappingPubkey: nodeInfo.RotationPubkey,
+		RotationPubkey: nodeInfo.RotationPubkey,
 	}
 	sig.Signature, err = signer.SignNKS(sig.SigHash())
 	if err != nil {
@@ -351,50 +237,3 @@ func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks map[tailcfg.Node
 		return a, nil
 	}
 }
-
-// tkaFetchBootstrap sends a /machine/tka/bootstrap RPC to the control plane
-// over noise. This is used to get values necessary to enable or disable TKA.
-func (b *LocalBackend) tkaFetchBootstrap(nodeID tailcfg.NodeID, head tka.AUMHash) (*tailcfg.TKABootstrapResponse, error) {
-	bootstrapReq := tailcfg.TKABootstrapRequest{
-		NodeID: nodeID,
-	}
-	if !head.IsZero() {
-		head, err := head.MarshalText()
-		if err != nil {
-			return nil, fmt.Errorf("head.MarshalText failed: %v", err)
-		}
-		bootstrapReq.Head = string(head)
-	}
-
-	var req bytes.Buffer
-	if err := json.NewEncoder(&req).Encode(bootstrapReq); err != nil {
-		return nil, fmt.Errorf("encoding request: %v", err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-	if err := ctx.Err(); err != nil {
-		return nil, fmt.Errorf("ctx: %w", err)
-	}
-	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/bootstrap", &req)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	res, err := b.DoNoiseRequest(req2)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKABootstrapResponse)
-	err = json.NewDecoder(res.Body).Decode(a)
-	res.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
-
-	return a, nil
-}

ipn/ipnlocal/network-lock_test.go

@@ -1,243 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipnlocal
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"tailscale.com/control/controlclient"
-	"tailscale.com/hostinfo"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tka"
-	"tailscale.com/types/key"
-	"tailscale.com/types/netmap"
-)
-
-func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
-	hi := hostinfo.New()
-	ni := tailcfg.NetInfo{LinkType: "wired"}
-	hi.NetInfo = &ni
-
-	k := key.NewMachine()
-	opts := controlclient.Options{
-		ServerURL: "https://example.com",
-		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
-			return k, nil
-		},
-		HTTPTestClient:  c,
-		NoiseTestClient: c,
-		Status:          func(controlclient.Status) {},
-	}
-
-	cc, err := controlclient.NewNoStart(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return cc
-}
-
-// NOTE: URLs must have a https scheme and example.com domain to work with the underlying
-// httptest plumbing, despite the domain being unused in the actual noise request transport.
-func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, *http.Client) {
-	ts := httptest.NewUnstartedServer(handler)
-	ts.StartTLS()
-	client := ts.Client()
-	client.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = true
-	client.Transport.(*http.Transport).DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-		return (&net.Dialer{}).DialContext(ctx, network, ts.Listener.Addr().String())
-	}
-	return ts, client
-}
-
-func TestTKAEnablementFlow(t *testing.T) {
-	networkLockAvailable = func() bool { return true } // Enable the feature flag
-
-	// Make a fake TKA authority, getting a usable genesis AUM which
-	// our mock server can communicate.
-	nlPriv := key.NewNLPrivate()
-	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-	a1, genesisAUM, err := tka.Create(&tka.Mem{}, tka.State{
-		Keys:               []tka.Key{key},
-		DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		switch r.URL.Path {
-		case "/machine/tka/bootstrap":
-			body := new(tailcfg.TKABootstrapRequest)
-			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-				t.Fatal(err)
-			}
-			if body.NodeID != 420 {
-				t.Errorf("bootstrap nodeID=%v, want 420", body.NodeID)
-			}
-			if body.Head != "" {
-				t.Errorf("bootstrap head=%s, want empty hash", body.Head)
-			}
-
-			w.WriteHeader(200)
-			out := tailcfg.TKABootstrapResponse{
-				GenesisAUM: genesisAUM.Serialize(),
-			}
-			if err := json.NewEncoder(w).Encode(out); err != nil {
-				t.Fatal(err)
-			}
-
-		default:
-			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-			w.WriteHeader(404)
-		}
-	}))
-	defer ts.Close()
-	temp := t.TempDir()
-
-	cc := fakeControlClient(t, client)
-	b := LocalBackend{
-		varRoot: temp,
-		cc:      cc,
-		ccAuto:  cc,
-		logf:    t.Logf,
-	}
-
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-		SelfNode:   &tailcfg.Node{ID: 420},
-		TKAEnabled: true,
-		TKAHead:    tka.AUMHash{},
-	})
-	b.mu.Unlock()
-	if err != nil {
-		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-	}
-	if b.tka == nil {
-		t.Fatal("tka was not initialized")
-	}
-	if b.tka.authority.Head() != a1.Head() {
-		t.Errorf("authority.Head() = %x, want %x", b.tka.authority.Head(), a1.Head())
-	}
-}
-
-func TestTKADisablementFlow(t *testing.T) {
-	networkLockAvailable = func() bool { return true } // Enable the feature flag
-	temp := t.TempDir()
-	os.Mkdir(filepath.Join(temp, "tka"), 0755)
-
-	// Make a fake TKA authority, to seed local state.
-	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
-	nlPriv := key.NewNLPrivate()
-	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-	chonk, err := tka.ChonkDir(filepath.Join(temp, "tka"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	authority, _, err := tka.Create(chonk, tka.State{
-		Keys:               []tka.Key{key},
-		DisablementSecrets: [][]byte{tka.DisablementKDF(disablementSecret)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		switch r.URL.Path {
-		case "/machine/tka/bootstrap":
-			body := new(tailcfg.TKABootstrapRequest)
-			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-				t.Fatal(err)
-			}
-			var disablement []byte
-			switch body.NodeID {
-			case 42:
-				disablement = bytes.Repeat([]byte{0x42}, 32) // wrong secret
-			case 420:
-				disablement = disablementSecret
-			default:
-				t.Errorf("bootstrap nodeID=%v, wanted 42 or 420", body.NodeID)
-			}
-			var head tka.AUMHash
-			if err := head.UnmarshalText([]byte(body.Head)); err != nil {
-				t.Fatalf("failed unmarshal of body.Head: %v", err)
-			}
-			if head != authority.Head() {
-				t.Errorf("reported head = %x, want %x", head, authority.Head())
-			}
-
-			w.WriteHeader(200)
-			out := tailcfg.TKABootstrapResponse{
-				DisablementSecret: disablement,
-			}
-			if err := json.NewEncoder(w).Encode(out); err != nil {
-				t.Fatal(err)
-			}
-
-		default:
-			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-			w.WriteHeader(404)
-		}
-	}))
-	defer ts.Close()
-
-	cc := fakeControlClient(t, client)
-	b := LocalBackend{
-		varRoot: temp,
-		cc:      cc,
-		ccAuto:  cc,
-		logf:    t.Logf,
-		tka: &tkaState{
-			authority: authority,
-			storage:   chonk,
-		},
-	}
-
-	// Test that the wrong disablement secret does not shut down the authority.
-	// NodeID == 42 indicates this scenario to our mock server.
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-		SelfNode:   &tailcfg.Node{ID: 42},
-		TKAEnabled: false,
-		TKAHead:    authority.Head(),
-	})
-	b.mu.Unlock()
-	if err != nil {
-		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-	}
-	if b.tka == nil {
-		t.Error("TKA was disabled despite incorrect disablement secret")
-	}
-
-	// Test the correct disablement secret shuts down the authority.
-	// NodeID == 420 indicates this scenario to our mock server.
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-		SelfNode:   &tailcfg.Node{ID: 420},
-		TKAEnabled: false,
-		TKAHead:    authority.Head(),
-	})
-	b.mu.Unlock()
-	if err != nil {
-		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-	}
-
-	if b.tka != nil {
-		t.Fatal("tka was not shut down")
-	}
-	if _, err := os.Stat(b.chonkPath()); err == nil || !os.IsNotExist(err) {
-		t.Errorf("os.Stat(chonkDir) = %v, want ErrNotExist", err)
-	}
-}

ipn/ipnlocal/peerapi.go

@@ -44,7 +44,6 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/strs"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 )
@@ -721,8 +720,8 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	rawPath := r.URL.EscapedPath()
-	suffix, ok := strs.CutPrefix(rawPath, "/v0/put/")
-	if !ok {
+	suffix := strings.TrimPrefix(rawPath, "/v0/put/")
+	if suffix == rawPath {
 		http.Error(w, "misconfigured internals", 500)
 		return
 	}

ipn/ipnlocal/peerapi_test.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"math/rand"
 	"net/http"
 	"net/http/httptest"
@@ -86,7 +87,7 @@ func fileHasContents(name string, want string) check {
 			return
 		}
 		path := filepath.Join(root, name)
-		got, err := os.ReadFile(path)
+		got, err := ioutil.ReadFile(path)
 		if err != nil {
 			t.Errorf("fileHasContents: %v", err)
 			return
@@ -516,7 +517,7 @@ func TestDeletedMarkers(t *testing.T) {
 	}
 	wantEmptyTempDir := func() {
 		t.Helper()
-		if fis, err := os.ReadDir(dir); err != nil {
+		if fis, err := ioutil.ReadDir(dir); err != nil {
 			t.Fatal(err)
 		} else if len(fis) > 0 && runtime.GOOS != "windows" {
 			for _, fi := range fis {

ipn/ipnlocal/ssh.go

@@ -18,98 +18,24 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"sync"
 
 	"github.com/tailscale/golang-x-crypto/ssh"
-	"go4.org/mem"
-	"golang.org/x/exp/slices"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/lineread"
+	"tailscale.com/envknob"
 	"tailscale.com/util/mak"
 )
 
+var useHostKeys = envknob.Bool("TS_USE_SYSTEM_SSH_HOST_KEYS")
+
 // keyTypes are the SSH key types that we either try to read from the
 // system's OpenSSH keys or try to generate for ourselves when not
 // running as root.
 var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
 
-// getSSHUsernames discovers and returns the list of usernames that are
-// potential Tailscale SSH user targets.
-//
-// Invariant: must not be called with b.mu held.
-func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
-	res := new(tailcfg.C2NSSHUsernamesResponse)
-	if !b.tailscaleSSHEnabled() {
-		return res, nil
-	}
-
-	max := 10
-	if req != nil && req.Max != 0 {
-		max = req.Max
-	}
-
-	add := func(u string) {
-		if req != nil && req.Exclude[u] {
-			return
-		}
-		switch u {
-		case "nobody", "daemon", "sync":
-			return
-		}
-		if slices.Contains(res.Usernames, u) {
-			return
-		}
-		if len(res.Usernames) > max {
-			// Enough for a hint.
-			return
-		}
-		res.Usernames = append(res.Usernames, u)
-	}
-
-	if opUser := b.operatorUserName(); opUser != "" {
-		add(opUser)
-	}
-
-	// Check popular usernames and see if they exist with a real shell.
-	switch runtime.GOOS {
-	case "darwin":
-		out, err := exec.Command("dscl", ".", "list", "/Users").Output()
-		if err != nil {
-			return nil, err
-		}
-		lineread.Reader(bytes.NewReader(out), func(line []byte) error {
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 || line[0] == '_' {
-				return nil
-			}
-			add(string(line))
-			return nil
-		})
-	default:
-		lineread.File("/etc/passwd", func(line []byte) error {
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 || line[0] == '#' || line[0] == '_' {
-				return nil
-			}
-			if mem.HasSuffix(mem.B(line), mem.S("/nologin")) ||
-				mem.HasSuffix(mem.B(line), mem.S("/false")) {
-				return nil
-			}
-			colon := bytes.IndexByte(line, ':')
-			if colon != -1 {
-				add(string(line[:colon]))
-			}
-			return nil
-		})
-	}
-	return res, nil
-}
-
 func (b *LocalBackend) GetSSH_HostKeys() (keys []ssh.Signer, err error) {
 	var existing map[string]ssh.Signer
 	if os.Geteuid() == 0 {
@@ -157,7 +83,7 @@ func (b *LocalBackend) hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
 	defer keyGenMu.Unlock()
 
 	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
-	v, err := os.ReadFile(path)
+	v, err := ioutil.ReadFile(path)
 	if err == nil {
 		return v, nil
 	}
@@ -198,7 +124,7 @@ func (b *LocalBackend) hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
 func (b *LocalBackend) getSystemSSH_HostKeys() (ret map[string]ssh.Signer) {
 	for _, typ := range keyTypes {
 		filename := "/etc/ssh/ssh_host_" + typ + "_key"
-		hostKey, err := os.ReadFile(filename)
+		hostKey, err := ioutil.ReadFile(filename)
 		if err != nil || len(bytes.TrimSpace(hostKey)) == 0 {
 			continue
 		}

ipn/ipnlocal/ssh_stub.go

@@ -6,16 +6,6 @@
 
 package ipnlocal
 
-import (
-	"errors"
-
-	"tailscale.com/tailcfg"
-)
-
 func (b *LocalBackend) getSSHHostKeyPublicStrings() []string {
 	return nil
 }
-
-func (b *LocalBackend) getSSHUsernames(*tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
-	return nil, errors.New("not implemented")
-}

ipn/ipnlocal/ssh_test.go

@@ -2,18 +2,14 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux || (darwin && !ios)
-// +build linux darwin,!ios
+//go:build linux
+// +build linux
 
 package ipnlocal
 
 import (
-	"encoding/json"
 	"reflect"
 	"testing"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/must"
 )
 
 func TestSSHKeyGen(t *testing.T) {
@@ -44,17 +40,3 @@ func TestSSHKeyGen(t *testing.T) {
 		t.Errorf("got different keys on second call")
 	}
 }
-
-type fakeSSHServer struct {
-	SSHServer
-}
-
-func TestGetSSHUsernames(t *testing.T) {
-	b := new(LocalBackend)
-	b.sshServer = fakeSSHServer{}
-	res, err := b.getSSHUsernames(new(tailcfg.C2NSSHUsernamesRequest))
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("Got: %s", must.Get(json.Marshal(res)))
-}

ipn/ipnserver/server.go

@@ -12,6 +12,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -36,7 +37,6 @@ import (
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
 	"tailscale.com/logtail/backoff"
-	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netstat"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsdial"
@@ -214,7 +214,7 @@ func (s *Server) blockWhileInUse(conn io.Reader, ci connIdentity) {
 	s.logf("blocking client while server in use; connIdentity=%v", ci)
 	connDone := make(chan struct{})
 	go func() {
-		io.Copy(io.Discard, conn)
+		io.Copy(ioutil.Discard, conn)
 		close(connDone)
 	}()
 	ch := make(chan struct{}, 1)
@@ -772,7 +772,7 @@ func New(logf logger.Logf, logid string, store ipn.StateStore, eng wgengine.Engi
 	})
 
 	if root := b.TailscaleVarRoot(); root != "" {
-		chonkDir := filepath.Join(root, "tka")
+		chonkDir := filepath.Join(root, "chonk")
 		if _, err := os.Stat(chonkDir); err == nil {
 			// The directory exists, which means network-lock has been initialized.
 			storage, err := tka.ChonkDir(chonkDir)
@@ -786,8 +786,6 @@ func New(logf logger.Logf, logid string, store ipn.StateStore, eng wgengine.Engi
 			b.SetTailnetKeyAuthority(authority, storage)
 			logf("tka initialized at head %x", authority.Head())
 		}
-
-		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"))
 	} else {
 		logf("network-lock unavailable; no state directory")
 	}
@@ -932,6 +930,14 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		startTime := time.Now()
 		log.Printf("exec: %#v %v", executable, args)
 		cmd := exec.Command(executable, args...)
+		if runtime.GOOS == "windows" {
+			extraEnv, err := loadExtraEnv()
+			if err != nil {
+				logf("errors loading extra env file; ignoring: %v", err)
+			} else {
+				cmd.Env = append(os.Environ(), extraEnv...)
+			}
+		}
 
 		// Create a pipe object to use as the subproc's stdin.
 		// When the writer goes away, the reader gets EOF.
@@ -1166,7 +1172,7 @@ func findTrueNASTaildropDir(name string) (dir string, err error) {
 	}
 
 	// but if running on the host, it may be something like /mnt/Primary/Taildrop
-	fis, err := os.ReadDir("/mnt")
+	fis, err := ioutil.ReadDir("/mnt")
 	if err != nil {
 		return "", fmt.Errorf("error reading /mnt: %w", err)
 	}
@@ -1200,3 +1206,38 @@ func findQnapTaildropDir(name string) (string, error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
+
+func loadExtraEnv() (env []string, err error) {
+	if runtime.GOOS != "windows" {
+		return nil, nil
+	}
+	name := filepath.Join(os.Getenv("ProgramData"), "Tailscale", "tailscaled-env.txt")
+	contents, err := os.ReadFile(name)
+	if os.IsNotExist(err) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	for _, line := range strings.Split(string(contents), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || line[0] == '#' {
+			continue
+		}
+		k, v, ok := strings.Cut(line, "=")
+		if !ok || k == "" {
+			continue
+		}
+		if strings.HasPrefix(v, `"`) {
+			var err error
+			v, err = strconv.Unquote(v)
+			if err != nil {
+				return nil, fmt.Errorf("invalid value in line %q: %v", line, err)
+			}
+			env = append(env, k+"="+v)
+		} else {
+			env = append(env, line)
+		}
+	}
+	return env, nil
+}

ipn/localapi/cert.go

@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -37,7 +38,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/strs"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -73,7 +73,7 @@ func (h *Handler) certDir() (string, error) {
 	return full, nil
 }
 
-var acmeDebug = envknob.RegisterBool("TS_DEBUG_ACME")
+var acmeDebug = envknob.Bool("TS_DEBUG_ACME")
 
 func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite && !h.PermitCert {
@@ -87,19 +87,16 @@ func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domain, ok := strs.CutPrefix(r.URL.Path, "/localapi/v0/cert/")
-	if !ok {
+	domain := strings.TrimPrefix(r.URL.Path, "/localapi/v0/cert/")
+	if domain == r.URL.Path {
 		http.Error(w, "internal handler config wired wrong", 500)
 		return
 	}
-	if !validLookingCertDomain(domain) {
-		http.Error(w, "invalid domain", 400)
-		return
-	}
+
 	now := time.Now()
 	logf := logger.WithPrefix(h.logf, fmt.Sprintf("cert(%q): ", domain))
 	traceACME := func(v any) {
-		if !acmeDebug() {
+		if !acmeDebug {
 			return
 		}
 		j, _ := json.MarshalIndent(v, "", "\t")
@@ -168,11 +165,6 @@ func certFile(dir, domain string) string { return filepath.Join(dir, domain+".cr
 // keypair for domain exists on disk in dir that is valid at the
 // provided now time.
 func (h *Handler) getCertPEMCached(dir, domain string, now time.Time) (p *keyPair, ok bool) {
-	if !validLookingCertDomain(domain) {
-		// Before we read files from disk using it, validate it's halfway
-		// reasonable looking.
-		return nil, false
-	}
 	if keyPEM, err := os.ReadFile(keyFile(dir, domain)); err == nil {
 		certPEM, _ := os.ReadFile(certFile(dir, domain))
 		if validCertPEM(domain, keyPEM, certPEM, now) {
@@ -301,7 +293,7 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 	if err := encodeECDSAKey(&privPEM, certPrivKey); err != nil {
 		return nil, err
 	}
-	if err := os.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
+	if err := ioutil.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
 		return nil, err
 	}
 
@@ -324,7 +316,7 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 			return nil, err
 		}
 	}
-	if err := os.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
+	if err := ioutil.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
 		return nil, err
 	}
 
@@ -380,7 +372,7 @@ func parsePrivateKey(der []byte) (crypto.Signer, error) {
 
 func acmeKey(dir string) (crypto.Signer, error) {
 	pemName := filepath.Join(dir, "acme-account.key.pem")
-	if v, err := os.ReadFile(pemName); err == nil {
+	if v, err := ioutil.ReadFile(pemName); err == nil {
 		priv, _ := pem.Decode(v)
 		if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
 			return nil, errors.New("acme/autocert: invalid account key found in cache")
@@ -396,7 +388,7 @@ func acmeKey(dir string) (crypto.Signer, error) {
 	if err := encodeECDSAKey(&pemBuf, privKey); err != nil {
 		return nil, err
 	}
-	if err := os.WriteFile(pemName, pemBuf.Bytes(), 0600); err != nil {
+	if err := ioutil.WriteFile(pemName, pemBuf.Bytes(), 0600); err != nil {
 		return nil, err
 	}
 	return privKey, nil
@@ -434,21 +426,6 @@ func validCertPEM(domain string, keyPEM, certPEM []byte, now time.Time) bool {
 	return err == nil
 }
 
-// validLookingCertDomain reports whether name looks like a valid domain name that
-// we might be able to get a cert for.
-//
-// It's a light check primarily for double checking before it's used
-// as part of a filesystem path. The actual validation happens in checkCertDomain.
-func validLookingCertDomain(name string) bool {
-	if name == "" ||
-		strings.Contains(name, "..") ||
-		strings.ContainsAny(name, ":/\\\x00") ||
-		!strings.Contains(name, ".") {
-		return false
-	}
-	return true
-}
-
 func checkCertDomain(st *ipnstate.Status, domain string) error {
 	if domain == "" {
 		return errors.New("missing domain name")

ipn/localapi/cert_test.go

@@ -1,30 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !ios && !android && !js
-// +build !ios,!android,!js
-
-package localapi
-
-import "testing"
-
-func TestValidLookingCertDomain(t *testing.T) {
-	tests := []struct {
-		in   string
-		want bool
-	}{
-		{"foo.com", true},
-		{"foo..com", false},
-		{"foo/com.com", false},
-		{"NUL", false},
-		{"", false},
-		{"foo\\bar.com", false},
-		{"foo\x00bar.com", false},
-	}
-	for _, tt := range tests {
-		if got := validLookingCertDomain(tt.in); got != tt.want {
-			t.Errorf("validLookingCertDomain(%q) = %v, want %v", tt.in, got, tt.want)
-		}
-	}
-}

ipn/localapi/localapi.go

@@ -18,6 +18,7 @@ import (
 	"net/http/httputil"
 	"net/netip"
 	"net/url"
+	"reflect"
 	"runtime"
 	"strconv"
 	"strings"
@@ -25,7 +26,6 @@ import (
 	"time"
 
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
@@ -34,7 +34,6 @@ import (
 	"tailscale.com/tka"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
 
@@ -214,9 +213,6 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	}
 
 	logMarker := fmt.Sprintf("BUG-%v-%v-%v", h.backendLogID, time.Now().UTC().Format("20060102150405Z"), randHex(8))
-	if envknob.NoLogsNoSupport() {
-		logMarker = "BUG-NO-LOGS-NO-SUPPORT-this-node-has-had-its-logging-disabled"
-	}
 	h.logf("user bugreport: %s", logMarker)
 	if note := r.FormValue("note"); len(note) > 0 {
 		h.logf("user bugreport note: %s", note)
@@ -531,7 +527,7 @@ func (h *Handler) serveFileTargets(w http.ResponseWriter, r *http.Request) {
 		writeErrorJSON(w, err)
 		return
 	}
-	mak.NonNilSliceForJSON(&fts)
+	makeNonNil(&fts)
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(fts)
 }
@@ -862,3 +858,30 @@ func defBool(a string, def bool) bool {
 	}
 	return v
 }
+
+// makeNonNil takes a pointer to a Go data structure
+// (currently only a slice or a map) and makes sure it's non-nil for
+// JSON serialization. (In particular, JavaScript clients usually want
+// the field to be defined after they decode the JSON.)
+func makeNonNil(ptr any) {
+	if ptr == nil {
+		panic("nil interface")
+	}
+	rv := reflect.ValueOf(ptr)
+	if rv.Kind() != reflect.Ptr {
+		panic(fmt.Sprintf("kind %v, not Ptr", rv.Kind()))
+	}
+	if rv.Pointer() == 0 {
+		panic("nil pointer")
+	}
+	rv = rv.Elem()
+	if rv.Pointer() != 0 {
+		return
+	}
+	switch rv.Type().Kind() {
+	case reflect.Slice:
+		rv.Set(reflect.MakeSlice(rv.Type(), 0, 0))
+	case reflect.Map:
+		rv.Set(reflect.MakeMap(rv.Type()))
+	}
+}