cmd/containerboot: add TS_WEBUI var to run web UI

Because the --webclient flag is only defined as part of 'tailscale set', and containerboot only calls 'tailscale set' if TS_AUTH_ONCE is set, this requires both TS_AUTH_ONCE and TS_WEBUI to be set to true in order to activate the web client. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>
ipnlocal: log failure to get ssh host keys
2024-01-31 12:48:56 -08:00 · 2024-01-30 16:57:16 -06:00 · 2024-01-29 14:18:49 -08:00
5 changed files with 28 additions and 11 deletions
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -123,6 +123,7 @@ func main() {
 		UserspaceMode:            defaultBool("TS_USERSPACE", true),
 		StateDir:                 defaultEnv("TS_STATE_DIR", ""),
 		AcceptDNS:                defaultEnvBoolPointer("TS_ACCEPT_DNS"),
+		WebUI:                    defaultEnvBoolPointer("TS_WEBUI"),
 		KubeSecret:               defaultEnv("TS_KUBE_SECRET", "tailscale"),
 		SOCKSProxyAddr:           defaultEnv("TS_SOCKS5_SERVER", ""),
 		HTTPProxyAddr:            defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
@@ -703,6 +704,11 @@ func tailscaleSet(ctx context.Context, cfg *settings) error {
 	if cfg.Hostname != "" {
 		args = append(args, "--hostname="+cfg.Hostname)
 	}
+	if cfg.WebUI != nil && *cfg.WebUI {
+		args = append(args, "--webclient=true")
+	} else {
+		args = append(args, "--webclient=false")
+	}
 	log.Printf("Running 'tailscale set'")
 	cmd := exec.CommandContext(ctx, "tailscale", args...)
 	cmd.Stdout = os.Stdout
@@ -889,6 +895,7 @@ type settings struct {
 	UserspaceMode            bool
 	StateDir                 string
 	AcceptDNS                *bool
+	WebUI                    *bool
 	KubeSecret               string
 	SOCKSProxyAddr           string
 	HTTPProxyAddr            string
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -31,10 +31,12 @@ var (
 //go:embed hello.tmpl.html
 var embeddedTemplate string

+var localClient tailscale.LocalClient
+
 func main() {
 	flag.Parse()
 	if *testIP != "" {
-		res, err := tailscale.WhoIs(context.Background(), *testIP)
+		res, err := localClient.WhoIs(context.Background(), *testIP)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -76,7 +78,7 @@ func main() {
 					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 						switch hi.ServerName {
 						case "hello.ts.net":
-							return tailscale.GetCertificate(hi)
+							return localClient.GetCertificate(hi)
 						case "hello.ipn.dev":
 							c, err := tls.LoadX509KeyPair(
 								"/etc/hello/hello.ipn.dev.crt",
@@ -170,7 +172,7 @@ func root(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	who, err := tailscale.WhoIs(r.Context(), r.RemoteAddr)
+	who, err := localClient.WhoIs(r.Context(), r.RemoteAddr)
 	var data tmplData
 	if err != nil {
 		if devMode() {
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -4125,7 +4125,11 @@ func (b *LocalBackend) applyPrefsToHostinfoLocked(hi *tailcfg.Hostinfo, prefs ip
 		// TODO(bradfitz): this is called with b.mu held. Not ideal.
 		// If the filesystem gets wedged or something we could block for
 		// a long time. But probably fine.
-		sshHostKeys = b.getSSHHostKeyPublicStrings()
+		var err error
+		sshHostKeys, err = b.getSSHHostKeyPublicStrings()
+		if err != nil {
+			b.logf("warning: unable to get SSH host keys, SSH will appear as disabled for this node: %v", err)
+		}
 	}
 	hi.SSH_HostKeys = sshHostKeys

--- a/ipn/ipnlocal/ssh.go
+++ b/ipn/ipnlocal/ssh.go
@@ -210,12 +210,16 @@ func (b *LocalBackend) getSystemSSH_HostKeys() (ret map[string]ssh.Signer) {
 	return ret
 }

-func (b *LocalBackend) getSSHHostKeyPublicStrings() (ret []string) {
-	signers, _ := b.GetSSH_HostKeys()
-	for _, signer := range signers {
-		ret = append(ret, strings.TrimSpace(string(ssh.MarshalAuthorizedKey(signer.PublicKey()))))
+func (b *LocalBackend) getSSHHostKeyPublicStrings() ([]string, error) {
+	signers, err := b.GetSSH_HostKeys()
+	if err != nil {
+		return nil, err
 	}
-	return ret
+	var keyStrings []string
+	for _, signer := range signers {
+		keyStrings = append(keyStrings, strings.TrimSpace(string(ssh.MarshalAuthorizedKey(signer.PublicKey()))))
+	}
+	return keyStrings, nil
 }

 // tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
--- a/ipn/ipnlocal/ssh_stub.go
+++ b/ipn/ipnlocal/ssh_stub.go
@@ -11,8 +11,8 @@ import (
 	"tailscale.com/tailcfg"
 )

-func (b *LocalBackend) getSSHHostKeyPublicStrings() []string {
-	return nil
+func (b *LocalBackend) getSSHHostKeyPublicStrings() ([]string, error) {
+	return nil, nil
 }

 func (b *LocalBackend) getSSHUsernames(*tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {