exit node dst wip

.github/workflows/checklocks.yml

@@ -18,17 +18,11 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
 
       - name: Build checklocks
         run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
 
       - name: Run checklocks vet
-        # TODO(#12625): add more packages as we add annotations
-        run: |-
-          ./tool/go vet -vettool=/tmp/checklocks \
-            ./envknob           \
-            ./ipn/store/mem     \
-            ./net/stun/stuntest \
-            ./net/wsconn        \
-            ./proxymap
+        # TODO: remove || true once we have applied checklocks annotations everywhere.
+        run: ./tool/go vet -vettool=/tmp/checklocks ./... || true

.github/workflows/codeql-analysis.yml

@@ -45,17 +45,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
 
     # Install a more recent Go that understands modern go.mod content.
     - name: Install Go
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      uses: actions/setup-go@v4
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/analyze@v2

.github/workflows/docker-file-build.yml

@@ -10,6 +10,6 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4
     - name: "Build Docker image"
       run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -17,7 +17,7 @@ jobs:
       id-token: "write"
       contents: "read"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: "actions/checkout@v4"
         with:
           ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
       - uses: "DeterminateSystems/nix-installer-action@main"

.github/workflows/golangci-lint.yml

@@ -23,17 +23,18 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@v4
         with:
           go-version-file: go.mod
           cache: false
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        # Note: this is the 'v3' tag as of 2023-08-14
+        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
         with:
-          version: v1.64
+          version: v1.56
 
           # Show only new issues if it's a pull request.
           only-new-issues: true

.github/workflows/govulncheck.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
 
       - name: Install govulncheck
         run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
@@ -24,13 +24,13 @@ jobs:
 
       - name: Post to slack
         if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        uses: slackapi/slack-github-action@v1.24.0
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
         with:
-          method: chat.postMessage
-          token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
+          channel-id: 'C05PXRM304B'
           payload: |
             {
-              "channel": "C08FGKZCQTW",
               "blocks": [
                 {
                   "type": "section",

.github/workflows/installer.yml

@@ -6,13 +6,11 @@ on:
       - "main"
     paths:
       - scripts/installer.sh
-      - .github/workflows/installer.yml
   pull_request:
     branches:
       - "*"
     paths:
       - scripts/installer.sh
-      - .github/workflows/installer.yml
 
 jobs:
   test:
@@ -31,11 +29,14 @@ jobs:
           - "debian:stable-slim"
           - "debian:testing-slim"
           - "debian:sid-slim"
+          - "ubuntu:18.04"
           - "ubuntu:20.04"
           - "ubuntu:22.04"
-          - "ubuntu:24.04"
+          - "ubuntu:22.10"
+          - "ubuntu:23.04"
           - "elementary/docker:stable"
           - "elementary/docker:unstable"
+          - "parrotsec/core:lts-amd64"
           - "parrotsec/core:latest"
           - "kalilinux/kali-rolling"
           - "kalilinux/kali-dev"
@@ -48,7 +49,7 @@ jobs:
           - "opensuse/leap:latest"
           - "opensuse/tumbleweed:latest"
           - "archlinux:latest"
-          - "alpine:3.21"
+          - "alpine:3.14"
           - "alpine:latest"
           - "alpine:edge"
         deps:
@@ -58,16 +59,15 @@ jobs:
           # Check a few images with wget rather than curl.
           - { image: "debian:oldstable-slim", deps: "wget" }
           - { image: "debian:sid-slim", deps: "wget" }
+          - { image: "ubuntu:23.04", deps: "wget" }
+          # Ubuntu 16.04 also needs apt-transport-https installed.
+          - { image: "ubuntu:16.04", deps: "curl apt-transport-https" }
+          - { image: "ubuntu:16.04", deps: "wget apt-transport-https" }
     runs-on: ubuntu-latest
     container:
       image: ${{ matrix.image }}
       options: --user root
     steps:
-    - name: install dependencies (pacman)
-      # Refresh the package databases to ensure that the tailscale package is
-      # defined.
-      run: pacman -Sy
-      if: contains(matrix.image, 'archlinux')
     - name: install dependencies (yum)
       # tar and gzip are needed by the actions/checkout below.
       run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
@@ -91,7 +91,7 @@ jobs:
         || contains(matrix.image, 'parrotsec')
         || contains(matrix.image, 'kalilinux')
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: run installer
       run: scripts/installer.sh
       # Package installation can fail in docker because systemd is not running

.github/workflows/kubemanifests.yaml

@@ -17,7 +17,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
     - name: Check out code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: Build and lint Helm chart
       run: |
         eval `./tool/go run ./cmd/mkversion`

.github/workflows/natlab-integrationtest.yml

@@ -1,27 +0,0 @@
-# Run some natlab integration tests.
-# See https://github.com/tailscale/tailscale/issues/13038
-name: "natlab-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "tstest/integration/nat/nat_test.go"
-jobs:
-  natlab-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Install qemu
-        run: |
-          sudo rm /var/lib/man-db/auto-update
-          sudo apt-get -y update
-          sudo apt-get -y remove man-db
-          sudo apt-get install -y qemu-system-x86 qemu-utils
-      - name: Run natlab integration tests
-        run: |
-          ./tool/go test -v -run=^TestEasyEasy$ -timeout=3m -count=1 ./tstest/integration/nat  --run-vm-tests

.github/workflows/ssh-integrationtest.yml

@@ -1,23 +0,0 @@
-# Run the ssh integration tests with `make sshintegrationtest`.
-# These tests can also be running locally.
-name: "ssh-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "ssh/**"
-      - "tempfork/gliderlabs/ssh/**"
-      - ".github/workflows/ssh-integrationtest"
-jobs:
-  ssh-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Run SSH integration tests
-        run: |
-          make sshintegrationtest

.github/workflows/test.yml

@@ -50,7 +50,7 @@ jobs:
           - shard: '4/4'
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: build test wrapper
       run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
     - name: integration tests as root
@@ -64,6 +64,7 @@ jobs:
       matrix:
         include:
           - goarch: amd64
+            coverflags: "-coverprofile=/tmp/coverage.out"
           - goarch: amd64
             buildflags: "-race"
             shard: '1/3'
@@ -77,9 +78,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -118,10 +119,15 @@ jobs:
     - name: build test wrapper
       run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
     - name: test all
-      run: NOBASHDEBUG=true PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
+      run: NOBASHDEBUG=true PATH=$PWD/tool:$PATH /tmp/testwrapper ${{matrix.coverflags}} ./... ${{matrix.buildflags}}
       env:
         GOARCH: ${{ matrix.goarch }}
         TS_TEST_SHARD: ${{ matrix.shard }}
+    - name: Publish to coveralls.io
+      if: matrix.coverflags != '' # only publish results if we've tracked coverage
+      uses: shogo82148/actions-goveralls@v1
+      with:
+        path-to-profile: /tmp/coverage.out
     - name: bench all
       run: ./tool/go test ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ $(for x in $(git grep -l "^func Benchmark" | xargs dirname | sort | uniq); do echo "./$x"; done)
       env:
@@ -139,25 +145,21 @@ jobs:
           echo "Build/test created untracked files in the repo (file names above)."
           exit 1
         fi
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
+
   windows:
     runs-on: windows-2022
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
 
     - name: Install Go
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      uses: actions/setup-go@v4
       with:
         go-version-file: go.mod
         cache: false
 
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -180,11 +182,6 @@ jobs:
       # Somewhere in the layers (powershell?)
       # the equals signs cause great confusion.
       run: go test ./... -bench . -benchtime 1x -run "^$"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   privileged:
     runs-on: ubuntu-22.04
@@ -193,11 +190,11 @@ jobs:
       options: --privileged
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: chown
       run: chown -R $(id -u):$(id -g) $PWD
     - name: privileged tests
-      run: ./tool/go test ./util/linuxfw ./derp/xdp
+      run: ./tool/go test ./util/linuxfw
 
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
@@ -205,7 +202,7 @@ jobs:
     if: github.repository == 'tailscale/tailscale'
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: Run VM tests
       run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
       env:
@@ -217,7 +214,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: build all
       run: ./tool/go install -race ./cmd/...
     - name: build tests
@@ -257,13 +254,16 @@ jobs:
             goarch: amd64
           - goos: openbsd
             goarch: amd64
+          # Plan9 (disabled until 3p dependencies are fixed)
+          # - goos: plan9
+          #   goarch: amd64
 
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -292,76 +292,19 @@ jobs:
         GOOS: ${{ matrix.goos }}
         GOARCH: ${{ matrix.goarch }}
         CGO_ENABLED: "0"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   ios: # similar to cross above, but iOS can't build most of the repo. So, just
        #make it build a few smoke packages.
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: build some
       run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
       env:
         GOOS: ios
         GOARCH: arm64
 
-  crossmin: # cross-compile for platforms where we only check cmd/tailscale{,d}
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Plan9
-          - goos: plan9
-            goarch: amd64
-          # AIX
-          - goos: aix
-            goarch: ppc64
-          # Solaris
-          - goos: solaris
-            goarch: amd64
-          # illumos
-          - goos: illumos
-            goarch: amd64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build core
-      run: ./tool/go build ./cmd/tailscale ./cmd/tailscaled
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
-
   android:
     # similar to cross above, but android fails to build a few pieces of the
     # repo. We should fix those pieces, they're small, but as a stepping stone,
@@ -369,13 +312,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
       # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
       # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
       # some Android breakages early.
       # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
     - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/netmon ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
       env:
         GOOS: android
         GOARCH: arm64
@@ -384,9 +327,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -413,17 +356,12 @@ jobs:
       run: |
         ./tool/go run ./cmd/tsconnect --fast-compression build
         ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   tailscale_go: # Subset of tests that depend on our custom Go toolchain.
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: test tailscale_go
       run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
 
@@ -480,35 +418,31 @@ jobs:
         fuzz-seconds: 300
         dry-run: false
         language: go
-    - name: Set artifacts_path in env (workaround for actions/upload-artifact#176)
-      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
-      run: |
-        echo "artifacts_path=$(realpath .)" >> $GITHUB_ENV
     - name: upload crash
-      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+      uses: actions/upload-artifact@v3
       if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
       with:
         name: artifacts
-        path: ${{ env.artifacts_path }}/out/artifacts
+        path: ./out/artifacts
 
   depaware:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: check depaware
       run: |
         export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check --internal
+        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
 
   go_generate:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: check that 'go generate' is clean
       run: |
-        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
+        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator')
         ./tool/go generate $pkgs
         echo
         echo
@@ -518,7 +452,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: check that 'go mod tidy' is clean
       run: |
         ./tool/go mod tidy
@@ -530,7 +464,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: check licenses
       run: ./scripts/check_license_headers.sh .
 
@@ -546,7 +480,7 @@ jobs:
             goarch: "386"
     steps:
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v4
     - name: install staticcheck
       run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
     - name: run staticcheck
@@ -587,10 +521,8 @@ jobs:
       # By having the job always run, but skipping its only step as needed, we
       # let the CI output collapse nicely in PRs.
       if: failure() && github.event_name == 'push'
-      uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+      uses: ruby/action-slack@v3.2.1
       with:
-        webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
-        webhook-type: incoming-webhook
         payload: |
           {
             "attachments": [{
@@ -602,6 +534,8 @@ jobs:
               "color": "danger"
             }]
           }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 
   check_mergeability:
     if: always()
@@ -624,6 +558,6 @@ jobs:
     steps:
     - name: Decide if change is okay to merge
       if: github.event_name != 'push'
-      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+      uses: re-actors/alls-green@release/v1
       with:
         jobs: ${{ toJSON(needs) }}

.github/workflows/update-flake.yml

@@ -21,22 +21,21 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
 
       - name: Run update-flakes
         run: ./update-flake.sh
 
       - name: Get access token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
         id: generate-token
         with:
           app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_retrieval_mode: "id"
-          installation_retrieval_payload: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: Flakes Updater <noreply+flakes-updater@tailscale.com>

.github/workflows/update-webclient-prebuilt.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
 
       - name: Run go get
         run: |
@@ -23,19 +23,18 @@ jobs:
           ./tool/go mod tidy
 
       - name: Get access token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
         id: generate-token
         with:
           # TODO(will): this should use the code updater app rather than licensing.
           # It has the same permissions, so not a big deal, but still.
           app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_retrieval_mode: "id"
-          installation_retrieval_payload: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
         id: pull-request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: OSS Updater <noreply+oss-updater@tailscale.com>

.github/workflows/webclient.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
       - name: Install deps
         run: ./tool/yarn --cwd client/web
       - name: Run lint

.gitignore

@@ -9,7 +9,6 @@
 
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
-ssh/tailssh/testcontainers/tailscaled
 
 # Test binary, built with `go test -c`
 *.test
@@ -43,9 +42,3 @@ client/web/build/assets
 
 /gocross
 /dist
-
-# Ignore xcode userstate and workspace data
-*.xcuserstate
-*.xcworkspacedata
-/tstest/tailmac/bin
-/tstest/tailmac/build

.golangci.yml

@@ -26,11 +26,16 @@ issues:
 
 # Per-linter settings are contained in this top-level key
 linters-settings:
+  # Enable all rules by default; we don't use invisible unicode runes.
+  bidichk:
+
   gofmt:
     rewrite-rules:
       - pattern: 'interface{}'
         replacement: 'any'
 
+  goimports:
+
   govet:
     # Matches what we use in corp as of 2023-12-07
     enable:
@@ -73,6 +78,8 @@ linters-settings:
           # analyzer doesn't support type declarations
           #- github.com/tailscale/tailscale/types/logger.Logf
 
+  misspell:
+
   revive:
     enable-all-rules: false
     ignore-generated-header: true

Dockerfile

@@ -1,13 +1,17 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
-# Note that this Dockerfile is currently NOT used to build any of the published
-# Tailscale container images and may have drifted from the image build mechanism
-# we use.
-# Tailscale images are currently built using https://github.com/tailscale/mkctr,
-# and the build script can be found in ./build_docker.sh.
+############################################################################
 #
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
 #
+# See current bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
+
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
@@ -27,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.24-alpine AS build-env
+FROM golang:1.22-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
@@ -42,7 +46,7 @@ RUN go install \
     gvisor.dev/gvisor/pkg/tcpip/stack \
     golang.org/x/crypto/ssh \
     golang.org/x/crypto/acme \
-    github.com/coder/websocket \
+    nhooyr.io/websocket \
     github.com/mdlayher/netlink
 
 COPY . .

Makefile

@@ -1,5 +1,5 @@
 IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "x86_64"
+SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
 TAGS ?= "latest"
 
@@ -17,21 +17,19 @@ lint: ## Run golangci-lint
 updatedeps: ## Update depaware deps
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --internal \
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
 
 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --internal \
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
 
 buildwindows: ## Build tailscale CLI for windows/amd64
@@ -100,7 +98,7 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-operator ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=operator ./build_docker.sh
 
 publishdevnameserver: ## Build and publish k8s-nameserver image to location specified by ${REPO}
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
@@ -110,15 +108,6 @@ publishdevnameserver: ## Build and publish k8s-nameserver image to location spec
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-nameserver" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-nameserver" && exit 1)
 	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-nameserver ./build_docker.sh
 
-.PHONY: sshintegrationtest
-sshintegrationtest: ## Run the SSH integration tests in various Docker containers
-	@GOOS=linux GOARCH=amd64 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
-	GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
-	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \
-	echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t ssh-alpine-latest ssh/tailssh/testcontainers
-
 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"
 	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'

README.md

@@ -37,7 +37,7 @@ not open source.
 
 ## Building
 
-We always require the latest Go release, currently Go 1.23. (While we build
+We always require the latest Go release, currently Go 1.22. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)
 
@@ -72,7 +72,7 @@ Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
 `Signed-off-by` lines in commits.
 
 See `git log` for our commit message style. It's basically the same as
-[Go's style](https://go.dev/wiki/CommitMessage).
+[Go's style](https://github.com/golang/go/wiki/CommitMessage).
 
 ## About Us
 

VERSION.txt

@@ -1 +1 @@
-1.81.0
+1.63.0

appc/appconnector.go

@@ -11,63 +11,20 @@ package appc
 
 import (
 	"context"
-	"fmt"
 	"net/netip"
 	"slices"
 	"strings"
 	"sync"
-	"time"
 
+	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/execqueue"
 	"tailscale.com/util/mak"
-	"tailscale.com/util/slicesx"
 )
 
-// rateLogger responds to calls to update by adding a count for the current period and
-// calling the callback if any previous period has finished since update was last called
-type rateLogger struct {
-	interval    time.Duration
-	start       time.Time
-	periodStart time.Time
-	periodCount int64
-	now         func() time.Time
-	callback    func(int64, time.Time, int64)
-}
-
-func (rl *rateLogger) currentIntervalStart(now time.Time) time.Time {
-	millisSince := now.Sub(rl.start).Milliseconds() % rl.interval.Milliseconds()
-	return now.Add(-(time.Duration(millisSince)) * time.Millisecond)
-}
-
-func (rl *rateLogger) update(numRoutes int64) {
-	now := rl.now()
-	periodEnd := rl.periodStart.Add(rl.interval)
-	if periodEnd.Before(now) {
-		if rl.periodCount != 0 {
-			rl.callback(rl.periodCount, rl.periodStart, numRoutes)
-		}
-		rl.periodCount = 0
-		rl.periodStart = rl.currentIntervalStart(now)
-	}
-	rl.periodCount++
-}
-
-func newRateLogger(now func() time.Time, interval time.Duration, callback func(int64, time.Time, int64)) *rateLogger {
-	nowTime := now()
-	return &rateLogger{
-		callback:    callback,
-		now:         now,
-		interval:    interval,
-		start:       nowTime,
-		periodStart: nowTime,
-	}
-}
-
 // RouteAdvertiser is an interface that allows the AppConnector to advertise
 // newly discovered routes that need to be served through the AppConnector.
 type RouteAdvertiser interface {
@@ -79,55 +36,6 @@ type RouteAdvertiser interface {
 	UnadvertiseRoute(...netip.Prefix) error
 }
 
-var (
-	metricStoreRoutesRateBuckets = []int64{1, 2, 3, 4, 5, 10, 100, 1000}
-	metricStoreRoutesNBuckets    = []int64{1, 2, 3, 4, 5, 10, 100, 1000, 10000}
-	metricStoreRoutesRate        []*clientmetric.Metric
-	metricStoreRoutesN           []*clientmetric.Metric
-)
-
-func initMetricStoreRoutes() {
-	for _, n := range metricStoreRoutesRateBuckets {
-		metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_rate_%d", n)))
-	}
-	metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter("appc_store_routes_rate_over"))
-	for _, n := range metricStoreRoutesNBuckets {
-		metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_n_routes_%d", n)))
-	}
-	metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter("appc_store_routes_n_routes_over"))
-}
-
-func recordMetric(val int64, buckets []int64, metrics []*clientmetric.Metric) {
-	if len(buckets) < 1 {
-		return
-	}
-	// finds the first bucket where val <=, or len(buckets) if none match
-	// for bucket values of 1, 10, 100; 0-1 goes to [0], 2-10 goes to [1], 11-100 goes to [2], 101+ goes to [3]
-	bucket, _ := slices.BinarySearch(buckets, val)
-	metrics[bucket].Add(1)
-}
-
-func metricStoreRoutes(rate, nRoutes int64) {
-	if len(metricStoreRoutesRate) == 0 {
-		initMetricStoreRoutes()
-	}
-	recordMetric(rate, metricStoreRoutesRateBuckets, metricStoreRoutesRate)
-	recordMetric(nRoutes, metricStoreRoutesNBuckets, metricStoreRoutesN)
-}
-
-// RouteInfo is a data structure used to persist the in memory state of an AppConnector
-// so that we can know, even after a restart, which routes came from ACLs and which were
-// learned from domains.
-type RouteInfo struct {
-	// Control is the routes from the 'routes' section of an app connector acl.
-	Control []netip.Prefix `json:",omitempty"`
-	// Domains are the routes discovered by observing DNS lookups for configured domains.
-	Domains map[string][]netip.Addr `json:",omitempty"`
-	// Wildcards are the configured DNS lookup domains to observe. When a DNS query matches Wildcards,
-	// its result is added to Domains.
-	Wildcards []string `json:",omitempty"`
-}
-
 // AppConnector is an implementation of an AppConnector that performs
 // its function as a subsystem inside of a tailscale node. At the control plane
 // side App Connector routing is configured in terms of domains rather than IP
@@ -141,9 +49,6 @@ type AppConnector struct {
 	logf            logger.Logf
 	routeAdvertiser RouteAdvertiser
 
-	// storeRoutesFunc will be called to persist routes if it is not nil.
-	storeRoutesFunc func(*RouteInfo) error
-
 	// mu guards the fields that follow
 	mu sync.Mutex
 
@@ -159,68 +64,14 @@ type AppConnector struct {
 
 	// queue provides ordering for update operations
 	queue execqueue.ExecQueue
-
-	writeRateMinute *rateLogger
-	writeRateDay    *rateLogger
 }
 
 // NewAppConnector creates a new AppConnector.
-func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser, routeInfo *RouteInfo, storeRoutesFunc func(*RouteInfo) error) *AppConnector {
-	ac := &AppConnector{
+func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConnector {
+	return &AppConnector{
 		logf:            logger.WithPrefix(logf, "appc: "),
 		routeAdvertiser: routeAdvertiser,
-		storeRoutesFunc: storeRoutesFunc,
 	}
-	if routeInfo != nil {
-		ac.domains = routeInfo.Domains
-		ac.wildcards = routeInfo.Wildcards
-		ac.controlRoutes = routeInfo.Control
-	}
-	ac.writeRateMinute = newRateLogger(time.Now, time.Minute, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in minute starting at %v (%d routes)", c, s, l)
-		metricStoreRoutes(c, l)
-	})
-	ac.writeRateDay = newRateLogger(time.Now, 24*time.Hour, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in 24 hours starting at %v (%d routes)", c, s, l)
-	})
-	return ac
-}
-
-// ShouldStoreRoutes returns true if the appconnector was created with the controlknob on
-// and is storing its discovered routes persistently.
-func (e *AppConnector) ShouldStoreRoutes() bool {
-	return e.storeRoutesFunc != nil
-}
-
-// storeRoutesLocked takes the current state of the AppConnector and persists it
-func (e *AppConnector) storeRoutesLocked() error {
-	if !e.ShouldStoreRoutes() {
-		return nil
-	}
-
-	// log write rate and write size
-	numRoutes := int64(len(e.controlRoutes))
-	for _, rs := range e.domains {
-		numRoutes += int64(len(rs))
-	}
-	e.writeRateMinute.update(numRoutes)
-	e.writeRateDay.update(numRoutes)
-
-	return e.storeRoutesFunc(&RouteInfo{
-		Control:   e.controlRoutes,
-		Domains:   e.domains,
-		Wildcards: e.wildcards,
-	})
-}
-
-// ClearRoutes removes all route state from the AppConnector.
-func (e *AppConnector) ClearRoutes() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	e.controlRoutes = nil
-	e.domains = nil
-	e.wildcards = nil
-	return e.storeRoutesLocked()
 }
 
 // UpdateDomainsAndRoutes starts an asynchronous update of the configuration
@@ -274,29 +125,11 @@ func (e *AppConnector) updateDomains(domains []string) {
 		for _, wc := range e.wildcards {
 			if dnsname.HasSuffix(d, wc) {
 				e.domains[d] = addrs
-				delete(oldDomains, d)
 				break
 			}
 		}
 	}
-
-	// Everything left in oldDomains is a domain we're no longer tracking
-	// and if we are storing route info we can unadvertise the routes
-	if e.ShouldStoreRoutes() {
-		toRemove := []netip.Prefix{}
-		for _, addrs := range oldDomains {
-			for _, a := range addrs {
-				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
-			}
-		}
-		e.queue.Add(func() {
-			if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-				e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
-			}
-		})
-	}
-
-	e.logf("handling domains: %v and wildcards: %v", slicesx.MapKeys(e.domains), e.wildcards)
+	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
 }
 
 // updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
@@ -312,16 +145,13 @@ func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
 		return
 	}
 
-	var toRemove []netip.Prefix
-
-	// If we're storing routes and know e.controlRoutes is a good
-	// representation of what should be in AdvertisedRoutes we can stop
-	// advertising routes that used to be in e.controlRoutes but are not
-	// in routes.
-	if e.ShouldStoreRoutes() {
-		toRemove = routesWithout(e.controlRoutes, routes)
+	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+		e.logf("failed to advertise routes: %v: %v", routes, err)
+		return
 	}
 
+	var toRemove []netip.Prefix
+
 nextRoute:
 	for _, r := range routes {
 		for _, addr := range e.domains {
@@ -335,19 +165,11 @@ nextRoute:
 		}
 	}
 
-	e.queue.Add(func() {
-		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-			e.logf("failed to advertise routes: %v: %v", routes, err)
-		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-		}
-	})
+	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+	}
 
 	e.controlRoutes = routes
-	if err := e.storeRoutesLocked(); err != nil {
-		e.logf("failed to store route info: %v", err)
-	}
 }
 
 // Domains returns the currently configured domain list.
@@ -355,7 +177,7 @@ func (e *AppConnector) Domains() views.Slice[string] {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
-	return views.SliceOf(slicesx.MapKeys(e.domains))
+	return views.SliceOf(xmaps.Keys(e.domains))
 }
 
 // DomainRoutes returns a map of domains to resolved IP
@@ -376,13 +198,13 @@ func (e *AppConnector) DomainRoutes() map[string][]netip.Addr {
 // response is being returned over the PeerAPI. The response is parsed and
 // matched against the configured domains, if matched the routeAdvertiser is
 // advised to advertise the discovered route.
-func (e *AppConnector) ObserveDNSResponse(res []byte) error {
+func (e *AppConnector) ObserveDNSResponse(res []byte) {
 	var p dnsmessage.Parser
 	if _, err := p.Start(res); err != nil {
-		return err
+		return
 	}
 	if err := p.SkipAllQuestions(); err != nil {
-		return err
+		return
 	}
 
 	// cnameChain tracks a chain of CNAMEs for a given query in order to reverse
@@ -401,12 +223,12 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) error {
 			break
 		}
 		if err != nil {
-			return err
+			return
 		}
 
 		if h.Class != dnsmessage.ClassINET {
 			if err := p.SkipAnswer(); err != nil {
-				return err
+				return
 			}
 			continue
 		}
@@ -415,7 +237,7 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) error {
 		case dnsmessage.TypeCNAME, dnsmessage.TypeA, dnsmessage.TypeAAAA:
 		default:
 			if err := p.SkipAnswer(); err != nil {
-				return err
+				return
 			}
 			continue
 
@@ -429,7 +251,7 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) error {
 		if h.Type == dnsmessage.TypeCNAME {
 			res, err := p.CNAMEResource()
 			if err != nil {
-				return err
+				return
 			}
 			cname := strings.TrimSuffix(strings.ToLower(res.CNAME.String()), ".")
 			if len(cname) == 0 {
@@ -443,20 +265,20 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) error {
 		case dnsmessage.TypeA:
 			r, err := p.AResource()
 			if err != nil {
-				return err
+				return
 			}
 			addr := netip.AddrFrom4(r.A)
 			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
 		case dnsmessage.TypeAAAA:
 			r, err := p.AAAAResource()
 			if err != nil {
-				return err
+				return
 			}
 			addr := netip.AddrFrom16(r.AAAA)
 			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
 		default:
 			if err := p.SkipAnswer(); err != nil {
-				return err
+				return
 			}
 			continue
 		}
@@ -482,12 +304,9 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) error {
 			}
 		}
 
-		if len(toAdvertise) > 0 {
-			e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
-			e.scheduleAdvertisement(domain, toAdvertise...)
-		}
+		e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
+		e.scheduleAdvertisement(domain, toAdvertise...)
 	}
-	return nil
 }
 
 // starting from the given domain that resolved to an address, find it, or any
@@ -561,9 +380,6 @@ func (e *AppConnector) scheduleAdvertisement(domain string, routes ...netip.Pref
 				e.logf("[v2] advertised route for %v: %v", domain, addr)
 			}
 		}
-		if err := e.storeRoutesLocked(); err != nil {
-			e.logf("failed to store route info: %v", err)
-		}
 	})
 }
 
@@ -584,15 +400,3 @@ func (e *AppConnector) addDomainAddrLocked(domain string, addr netip.Addr) {
 func compareAddr(l, r netip.Addr) int {
 	return l.Compare(r)
 }
-
-// routesWithout returns a without b where a and b
-// are unsorted slices of netip.Prefix
-func routesWithout(a, b []netip.Prefix) []netip.Prefix {
-	m := make(map[netip.Prefix]bool, len(b))
-	for _, p := range b {
-		m[p] = true
-	}
-	return slicesx.Filter(make([]netip.Prefix, 0, len(a)), a, func(p netip.Prefix) bool {
-		return !m[p]
-	})
-}

appc/appconnector_test.go

@@ -8,276 +8,203 @@ import (
 	"net/netip"
 	"reflect"
 	"slices"
-	"sync/atomic"
 	"testing"
-	"time"
 
+	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc/appctest"
-	"tailscale.com/tstest"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
-	"tailscale.com/util/slicesx"
 )
 
-func fakeStoreRoutes(*RouteInfo) error { return nil }
-
 func TestUpdateDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, nil, nil)
-		}
-		a.UpdateDomains([]string{"example.com"})
+	ctx := context.Background()
+	a := NewAppConnector(t.Logf, nil)
+	a.UpdateDomains([]string{"example.com"})
 
-		a.Wait(ctx)
-		if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.Wait(ctx)
+	if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		addr := netip.MustParseAddr("192.0.0.8")
-		a.domains["example.com"] = append(a.domains["example.com"], addr)
-		a.UpdateDomains([]string{"example.com"})
-		a.Wait(ctx)
+	addr := netip.MustParseAddr("192.0.0.8")
+	a.domains["example.com"] = append(a.domains["example.com"], addr)
+	a.UpdateDomains([]string{"example.com"})
+	a.Wait(ctx)
 
-		if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// domains are explicitly downcased on set.
-		a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
-		a.Wait(ctx)
-		if got, want := slicesx.MapKeys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// domains are explicitly downcased on set.
+	a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
+	a.Wait(ctx)
+	if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
 	}
 }
 
 func TestUpdateRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"*.example.com"})
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.updateDomains([]string{"*.example.com"})
 
-		// This route should be collapsed into the range
-		if err := a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
+	// This route should be collapsed into the range
+	a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
+	a.Wait(ctx)
 
-		if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
-			t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		}
+	if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
+		t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	}
 
-		// This route should not be collapsed or removed
-		if err := a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
+	// This route should not be collapsed or removed
+	a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
+	a.Wait(ctx)
 
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
-		a.updateRoutes(routes)
-		a.Wait(ctx)
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
+	a.updateRoutes(routes)
 
-		slices.SortFunc(rc.Routes(), prefixCompare)
-		rc.SetRoutes(slices.Compact(rc.Routes()))
-		slices.SortFunc(routes, prefixCompare)
+	slices.SortFunc(rc.Routes(), prefixCompare)
+	rc.SetRoutes(slices.Compact(rc.Routes()))
+	slices.SortFunc(routes, prefixCompare)
 
-		// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
-		}
+	// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
+	}
 
-		// Ensure that the contained /32 is removed, replaced by the /24.
-		wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
-		if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
-			t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
-		}
+	// Ensure that the contained /32 is removed, replaced by the /24.
+	wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
+	if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
+		t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
 	}
 }
 
 func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	ctx := context.Background()
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
-		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
-		a.updateRoutes(routes)
-		a.Wait(ctx)
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
+	rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
+	a.updateRoutes(routes)
 
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Fatalf("got %v, want %v", rc.Routes(), routes)
-		}
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Fatalf("got %v, want %v", rc.Routes(), routes)
 	}
 }
 
 func TestDomainRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"example.com"})
-		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(context.Background())
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.updateDomains([]string{"example.com"})
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	a.Wait(context.Background())
 
-		want := map[string][]netip.Addr{
-			"example.com": {netip.MustParseAddr("192.0.0.8")},
-		}
+	want := map[string][]netip.Addr{
+		"example.com": {netip.MustParseAddr("192.0.0.8")},
+	}
 
-		if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
-			t.Fatalf("DomainRoutes: got %v, want %v", got, want)
-		}
+	if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
+		t.Fatalf("DomainRoutes: got %v, want %v", got, want)
 	}
 }
 
 func TestObserveDNSResponse(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
 
-		// a has no domains configured, so it should not advertise any routes
-		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a has no domains configured, so it should not advertise any routes
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
+	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
 
-		a.updateDomains([]string{"example.com"})
-		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.updateDomains([]string{"example.com"})
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	a.Wait(ctx)
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// a CNAME record chain should result in a route being added if the chain
-		// matches a routed domain.
-		a.updateDomains([]string{"www.example.com", "example.com"})
-		if err := a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com.")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a CNAME record chain should result in a route being added if the chain
+	// matches a routed domain.
+	a.updateDomains([]string{"www.example.com", "example.com"})
+	a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
+	a.Wait(ctx)
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// a CNAME record chain should result in a route being added if the chain
-		// even if only found in the middle of the chain
-		if err := a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org.")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a CNAME record chain should result in a route being added if the chain
+	// even if only found in the middle of the chain
+	a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
+	a.Wait(ctx)
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
 
-		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+	a.Wait(ctx)
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// don't re-advertise routes that have already been advertised
-		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
+	// don't re-advertise routes that have already been advertised
+	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+	a.Wait(ctx)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
 
-		// don't advertise addresses that are already in a control provided route
-		pfx := netip.MustParsePrefix("192.0.2.0/24")
-		a.updateRoutes([]netip.Prefix{pfx})
-		wantRoutes = append(wantRoutes, pfx)
-		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
-		if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
-			t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
-		}
+	// don't advertise addresses that are already in a control provided route
+	pfx := netip.MustParsePrefix("192.0.2.0/24")
+	a.updateRoutes([]netip.Prefix{pfx})
+	wantRoutes = append(wantRoutes, pfx)
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
+	a.Wait(ctx)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
+	if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
+		t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
 	}
 }
 
 func TestWildcardDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
 
-		a.updateDomains([]string{"*.example.com"})
-		if err := a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8")); err != nil {
-			t.Errorf("ObserveDNSResponse: %v", err)
-		}
-		a.Wait(ctx)
-		if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
-			t.Errorf("routes: got %v; want %v", got, want)
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
+	a.updateDomains([]string{"*.example.com"})
+	a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
+	a.Wait(ctx)
+	if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+		t.Errorf("routes: got %v; want %v", got, want)
+	}
+	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("wildcards: got %v; want %v", got, want)
+	}
 
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if _, ok := a.domains["foo.example.com"]; !ok {
-			t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
+	a.updateDomains([]string{"*.example.com", "example.com"})
+	if _, ok := a.domains["foo.example.com"]; !ok {
+		t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
+	}
+	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("wildcards: got %v; want %v", got, want)
+	}
 
-		// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if len(a.wildcards) != 1 {
-			t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
-		}
+	// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
+	a.updateDomains([]string{"*.example.com", "example.com"})
+	if len(a.wildcards) != 1 {
+		t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
 	}
 }
 
@@ -383,314 +310,3 @@ func prefixCompare(a, b netip.Prefix) int {
 	}
 	return a.Addr().Compare(b.Addr())
 }
-
-func prefixes(in ...string) []netip.Prefix {
-	toRet := make([]netip.Prefix, len(in))
-	for i, s := range in {
-		toRet[i] = netip.MustParsePrefix(s)
-	}
-	return toRet
-}
-
-func TestUpdateRouteRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		// nothing has yet been advertised
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.2/32"))
-		a.Wait(ctx)
-		// the routes passed to UpdateDomainsAndRoutes have been advertised
-		assertRoutes("simple update", prefixes("1.2.3.1/32", "1.2.3.2/32"), []netip.Prefix{})
-
-		// one route the same, one different
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.3/32"))
-		a.Wait(ctx)
-		// old behavior: routes are not removed, resulting routes are both old and new
-		// (we have dupe 1.2.3.1 routes because the test RouteAdvertiser doesn't have the deduplication
-		// the real one does)
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.1/32", "1.2.3.3/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior: routes are removed, resulting routes are new only
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.1/32", "1.2.3.3/32")
-			wantRemovedRoutes = prefixes("1.2.3.2/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateDomainRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		for _, res := range [][]byte{
-			dnsResponse("a.example.com.", "1.2.3.1"),
-			dnsResponse("a.example.com.", "1.2.3.2"),
-			dnsResponse("b.example.com.", "1.2.3.3"),
-			dnsResponse("b.example.com.", "1.2.3.4"),
-		} {
-			if err := a.ObserveDNSResponse(res); err != nil {
-				t.Errorf("ObserveDNSResponse: %v", err)
-			}
-		}
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateWildcardRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "*.b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		for _, res := range [][]byte{
-			dnsResponse("a.example.com.", "1.2.3.1"),
-			dnsResponse("a.example.com.", "1.2.3.2"),
-			dnsResponse("1.b.example.com.", "1.2.3.3"),
-			dnsResponse("2.b.example.com.", "1.2.3.4"),
-		} {
-			if err := a.ObserveDNSResponse(res); err != nil {
-				t.Errorf("ObserveDNSResponse: %v", err)
-			}
-		}
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for *.b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestRoutesWithout(t *testing.T) {
-	assert := func(msg string, got, want []netip.Prefix) {
-		if !slices.Equal(want, got) {
-			t.Errorf("%s: want %v, got %v", msg, want, got)
-		}
-	}
-
-	assert("empty routes", routesWithout([]netip.Prefix{}, []netip.Prefix{}), []netip.Prefix{})
-	assert("a empty", routesWithout([]netip.Prefix{}, prefixes("1.1.1.1/32", "1.1.1.2/32")), []netip.Prefix{})
-	assert("b empty", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), []netip.Prefix{}), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("no overlap", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.3/32", "1.1.1.4/32")), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("a has fewer", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32")), []netip.Prefix{})
-	assert("a has more", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32"), prefixes("1.1.1.1/32", "1.1.1.3/32")), prefixes("1.1.1.2/32", "1.1.1.4/32"))
-}
-
-func TestRateLogger(t *testing.T) {
-	clock := tstest.Clock{}
-	wasCalled := false
-	rl := newRateLogger(func() time.Time { return clock.Now() }, 1*time.Second, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Millisecond)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Second)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-
-	wasCalled = false
-	rl = newRateLogger(func() time.Time { return clock.Now() }, 1*time.Hour, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Minute)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Hour)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-}
-
-func TestRouteStoreMetrics(t *testing.T) {
-	metricStoreRoutes(1, 1)
-	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
-	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1
-	metricStoreRoutes(6, 6)         // the 10 buckets value should be 1
-	metricStoreRoutes(10001, 10001) // the over buckets value should be 1
-	wanted := map[string]int64{
-		"appc_store_routes_n_routes_1":    2,
-		"appc_store_routes_rate_1":        2,
-		"appc_store_routes_n_routes_5":    1,
-		"appc_store_routes_rate_5":        1,
-		"appc_store_routes_n_routes_10":   1,
-		"appc_store_routes_rate_10":       1,
-		"appc_store_routes_n_routes_over": 1,
-		"appc_store_routes_rate_over":     1,
-	}
-	for _, x := range clientmetric.Metrics() {
-		if x.Value() != wanted[x.Name()] {
-			t.Errorf("%s: want: %d, got: %d", x.Name(), wanted[x.Name()], x.Value())
-		}
-	}
-}
-
-func TestMetricBucketsAreSorted(t *testing.T) {
-	if !slices.IsSorted(metricStoreRoutesRateBuckets) {
-		t.Errorf("metricStoreRoutesRateBuckets must be in order")
-	}
-	if !slices.IsSorted(metricStoreRoutesNBuckets) {
-		t.Errorf("metricStoreRoutesNBuckets must be in order")
-	}
-}
-
-// TestUpdateRoutesDeadlock is a regression test for a deadlock in
-// LocalBackend<->AppConnector interaction. When using real LocalBackend as the
-// routeAdvertiser, calls to Advertise/UnadvertiseRoutes can end up calling
-// back into AppConnector via authReconfig. If everything is called
-// synchronously, this results in a deadlock on AppConnector.mu.
-func TestUpdateRoutesDeadlock(t *testing.T) {
-	ctx := context.Background()
-	rc := &appctest.RouteCollector{}
-	a := NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-
-	advertiseCalled := new(atomic.Bool)
-	unadvertiseCalled := new(atomic.Bool)
-	rc.AdvertiseCallback = func() {
-		// Call something that requires a.mu to be held.
-		a.DomainRoutes()
-		advertiseCalled.Store(true)
-	}
-	rc.UnadvertiseCallback = func() {
-		// Call something that requires a.mu to be held.
-		a.DomainRoutes()
-		unadvertiseCalled.Store(true)
-	}
-
-	a.updateDomains([]string{"example.com"})
-	a.Wait(ctx)
-
-	// Trigger rc.AdveriseRoute.
-	a.updateRoutes(
-		[]netip.Prefix{
-			netip.MustParsePrefix("127.0.0.1/32"),
-			netip.MustParsePrefix("127.0.0.2/32"),
-		},
-	)
-	a.Wait(ctx)
-	// Trigger rc.UnadveriseRoute.
-	a.updateRoutes(
-		[]netip.Prefix{
-			netip.MustParsePrefix("127.0.0.1/32"),
-		},
-	)
-	a.Wait(ctx)
-
-	if !advertiseCalled.Load() {
-		t.Error("AdvertiseRoute was not called")
-	}
-	if !unadvertiseCalled.Load() {
-		t.Error("UnadvertiseRoute was not called")
-	}
-
-	if want := []netip.Prefix{netip.MustParsePrefix("127.0.0.1/32")}; !slices.Equal(slices.Compact(rc.Routes()), want) {
-		t.Fatalf("got %v, want %v", rc.Routes(), want)
-	}
-}

appc/appctest/appctest.go

@@ -1,7 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-// Package appctest contains code to help test App Connectors.
 package appctest
 
 import (
@@ -11,22 +10,12 @@ import (
 
 // RouteCollector is a test helper that collects the list of routes advertised
 type RouteCollector struct {
-	// AdvertiseCallback (optional) is called synchronously from
-	// AdvertiseRoute.
-	AdvertiseCallback func()
-	// UnadvertiseCallback (optional) is called synchronously from
-	// UnadvertiseRoute.
-	UnadvertiseCallback func()
-
 	routes        []netip.Prefix
 	removedRoutes []netip.Prefix
 }
 
 func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
 	rc.routes = append(rc.routes, pfx...)
-	if rc.AdvertiseCallback != nil {
-		rc.AdvertiseCallback()
-	}
 	return nil
 }
 
@@ -40,9 +29,6 @@ func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
 			rc.removedRoutes = append(rc.removedRoutes, r)
 		}
 	}
-	if rc.UnadvertiseCallback != nil {
-		rc.UnadvertiseCallback()
-	}
 	return nil
 }
 

assert_ts_toolchain_match.go

@@ -1,27 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build tailscale_go
-
-package tailscaleroot
-
-import (
-	"fmt"
-	"os"
-	"strings"
-)
-
-func init() {
-	tsRev, ok := tailscaleToolchainRev()
-	if !ok {
-		panic("binary built with tailscale_go build tag but failed to read build info or find tailscale.toolchain.rev in build info")
-	}
-	want := strings.TrimSpace(GoToolchainRev)
-	if tsRev != want {
-		if os.Getenv("TS_PERMIT_TOOLCHAIN_MISMATCH") == "1" {
-			fmt.Fprintf(os.Stderr, "tailscale.toolchain.rev = %q, want %q; but ignoring due to TS_PERMIT_TOOLCHAIN_MISMATCH=1\n", tsRev, want)
-			return
-		}
-		panic(fmt.Sprintf("binary built with tailscale_go build tag but Go toolchain %q doesn't match github.com/tailscale/tailscale expected value %q; override this failure with TS_PERMIT_TOOLCHAIN_MISMATCH=1", tsRev, want))
-	}
-}

atomicfile/atomicfile.go

@@ -15,9 +15,8 @@ import (
 )
 
 // WriteFile writes data to filename+some suffix, then renames it into filename.
-// The perm argument is ignored on Windows, but if the target filename already
-// exists then the target file's attributes and ACLs are preserved. If the target
-// filename already exists but is not a regular file, WriteFile returns an error.
+// The perm argument is ignored on Windows. If the target filename already
+// exists but is not a regular file, WriteFile returns an error.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
 	fi, err := os.Stat(filename)
 	if err == nil && !fi.Mode().IsRegular() {
@@ -48,5 +47,5 @@ func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
 	if err := f.Close(); err != nil {
 		return err
 	}
-	return rename(tmpName, filename)
+	return os.Rename(tmpName, filename)
 }

atomicfile/atomicfile_notwindows.go

@@ -1,14 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !windows
-
-package atomicfile
-
-import (
-	"os"
-)
-
-func rename(srcFile, destFile string) error {
-	return os.Rename(srcFile, destFile)
-}

atomicfile/atomicfile_windows.go

@@ -1,33 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package atomicfile
-
-import (
-	"os"
-
-	"golang.org/x/sys/windows"
-)
-
-func rename(srcFile, destFile string) error {
-	// Use replaceFile when possible to preserve the original file's attributes and ACLs.
-	if err := replaceFile(destFile, srcFile); err == nil || err != windows.ERROR_FILE_NOT_FOUND {
-		return err
-	}
-	// destFile doesn't exist. Just do a normal rename.
-	return os.Rename(srcFile, destFile)
-}
-
-func replaceFile(destFile, srcFile string) error {
-	destFile16, err := windows.UTF16PtrFromString(destFile)
-	if err != nil {
-		return err
-	}
-
-	srcFile16, err := windows.UTF16PtrFromString(srcFile)
-	if err != nil {
-		return err
-	}
-
-	return replaceFileW(destFile16, srcFile16, nil, 0, nil, nil)
-}

atomicfile/atomicfile_windows_test.go

@@ -1,146 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package atomicfile
-
-import (
-	"os"
-	"testing"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _SECURITY_RESOURCE_MANAGER_AUTHORITY = windows.SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 9}}
-
-// makeRandomSID generates a SID derived from a v4 GUID.
-// This is basically the same algorithm used by browser sandboxes for generating
-// random SIDs.
-func makeRandomSID() (*windows.SID, error) {
-	guid, err := windows.GenerateGUID()
-	if err != nil {
-		return nil, err
-	}
-
-	rids := *((*[4]uint32)(unsafe.Pointer(&guid)))
-
-	var pSID *windows.SID
-	if err := windows.AllocateAndInitializeSid(&_SECURITY_RESOURCE_MANAGER_AUTHORITY, 4, rids[0], rids[1], rids[2], rids[3], 0, 0, 0, 0, &pSID); err != nil {
-		return nil, err
-	}
-	defer windows.FreeSid(pSID)
-
-	// Make a copy that lives on the Go heap
-	return pSID.Copy()
-}
-
-func getExistingFileSD(name string) (*windows.SECURITY_DESCRIPTOR, error) {
-	const infoFlags = windows.DACL_SECURITY_INFORMATION
-	return windows.GetNamedSecurityInfo(name, windows.SE_FILE_OBJECT, infoFlags)
-}
-
-func getExistingFileDACL(name string) (*windows.ACL, error) {
-	sd, err := getExistingFileSD(name)
-	if err != nil {
-		return nil, err
-	}
-
-	dacl, _, err := sd.DACL()
-	return dacl, err
-}
-
-func addDenyACEForRandomSID(dacl *windows.ACL) (*windows.ACL, error) {
-	randomSID, err := makeRandomSID()
-	if err != nil {
-		return nil, err
-	}
-
-	randomSIDTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
-		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_UNKNOWN,
-		windows.TrusteeValueFromSID(randomSID)}
-
-	entries := []windows.EXPLICIT_ACCESS{
-		{
-			windows.GENERIC_ALL,
-			windows.DENY_ACCESS,
-			windows.NO_INHERITANCE,
-			randomSIDTrustee,
-		},
-	}
-
-	return windows.ACLFromEntries(entries, dacl)
-}
-
-func setExistingFileDACL(name string, dacl *windows.ACL) error {
-	return windows.SetNamedSecurityInfo(name, windows.SE_FILE_OBJECT,
-		windows.DACL_SECURITY_INFORMATION, nil, nil, dacl, nil)
-}
-
-// makeOrigFileWithCustomDACL creates a new, temporary file with a custom
-// DACL that we can check for later. It returns the name of the temporary
-// file and the security descriptor for the file in SDDL format.
-func makeOrigFileWithCustomDACL() (name, sddl string, err error) {
-	f, err := os.CreateTemp("", "foo*.tmp")
-	if err != nil {
-		return "", "", err
-	}
-	name = f.Name()
-	if err := f.Close(); err != nil {
-		return "", "", err
-	}
-	f = nil
-	defer func() {
-		if err != nil {
-			os.Remove(name)
-		}
-	}()
-
-	dacl, err := getExistingFileDACL(name)
-	if err != nil {
-		return "", "", err
-	}
-
-	// Add a harmless, deny-only ACE for a random SID that isn't used for anything
-	// (but that we can check for later).
-	dacl, err = addDenyACEForRandomSID(dacl)
-	if err != nil {
-		return "", "", err
-	}
-
-	if err := setExistingFileDACL(name, dacl); err != nil {
-		return "", "", err
-	}
-
-	sd, err := getExistingFileSD(name)
-	if err != nil {
-		return "", "", err
-	}
-
-	return name, sd.String(), nil
-}
-
-func TestPreserveSecurityInfo(t *testing.T) {
-	// Make a test file with a custom ACL.
-	origFileName, want, err := makeOrigFileWithCustomDACL()
-	if err != nil {
-		t.Fatalf("makeOrigFileWithCustomDACL returned %v", err)
-	}
-	t.Cleanup(func() {
-		os.Remove(origFileName)
-	})
-
-	if err := WriteFile(origFileName, []byte{}, 0); err != nil {
-		t.Fatalf("WriteFile returned %v", err)
-	}
-
-	// We expect origFileName's security descriptor to be unchanged despite
-	// the WriteFile call.
-	sd, err := getExistingFileSD(origFileName)
-	if err != nil {
-		t.Fatalf("getExistingFileSD(%q) returned %v", origFileName, err)
-	}
-
-	if got := sd.String(); got != want {
-		t.Errorf("security descriptor comparison failed: got %q, want %q", got, want)
-	}
-}

atomicfile/mksyscall.go

@@ -1,8 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package atomicfile
-
-//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go mksyscall.go
-
-//sys replaceFileW(replaced *uint16, replacement *uint16, backup *uint16, flags uint32, exclude unsafe.Pointer, reserved unsafe.Pointer) (err error) [int32(failretval)==0] = kernel32.ReplaceFileW

atomicfile/zsyscall_windows.go

@@ -1,52 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package atomicfile
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-	errERROR_EINVAL     error = syscall.EINVAL
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return errERROR_EINVAL
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-
-	procReplaceFileW = modkernel32.NewProc("ReplaceFileW")
-)
-
-func replaceFileW(replaced *uint16, replacement *uint16, backup *uint16, flags uint32, exclude unsafe.Pointer, reserved unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall6(procReplaceFileW.Addr(), 6, uintptr(unsafe.Pointer(replaced)), uintptr(unsafe.Pointer(replacement)), uintptr(unsafe.Pointer(backup)), uintptr(flags), uintptr(exclude), uintptr(reserved))
-	if int32(r1) == 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

build_dist.sh

@@ -37,7 +37,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion,ts_omit_ssh,ts_omit_wakeonlan,ts_omit_capture"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
 		;;
 	--box)
 		shift

build_docker.sh

@@ -1,11 +1,21 @@
 #!/usr/bin/env sh
+
 #
-# This script builds Tailscale container images using
-# github.com/tailscale/mkctr.
-# By default the images will be tagged with the current version and git
-# hash of this repository as produced by ./cmd/mkversion.
-# This is the image build mechanim used to build the official Tailscale
-# container images.
+# Runs `go build` with flags configured for docker distribution. All
+# it does differently from `go build` is burn git commit and version
+# information into the binaries inside docker, so that we can track down user
+# issues.
+#
+############################################################################
+#
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
+#
+# See current bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
 
 set -eu
 
@@ -17,20 +27,12 @@ eval "$(./build_dist.sh shellvars)"
 DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
 DEFAULT_BASE="tailscale/alpine-base:3.18"
-# Set a few pre-defined OCI annotations. The source annotation is used by tools such as Renovate that scan the linked
-# Github repo to find release notes for any new image tags. Note that for official Tailscale images the default
-# annotations defined here will be overriden by release scripts that call this script.
-# https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
-DEFAULT_ANNOTATIONS="org.opencontainers.image.source=https://github.com/tailscale/tailscale/blob/main/build_docker.sh,org.opencontainers.image.vendor=Tailscale"
 
 PUSH="${PUSH:-false}"
 TARGET="${TARGET:-${DEFAULT_TARGET}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
 PLATFORM="${PLATFORM:-}" # default to all platforms
-# OCI annotations that will be added to the image.
-# https://github.com/opencontainers/image-spec/blob/main/annotations.md
-ANNOTATIONS="${ANNOTATIONS:-${DEFAULT_ANNOTATIONS}}"
 
 case "$TARGET" in
   client)
@@ -47,14 +49,12 @@ case "$TARGET" in
         -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
       --target="${PLATFORM}" \
-      --annotations="${ANNOTATIONS}" \
       /usr/local/bin/containerboot
     ;;
-  k8s-operator)
+  operator)
     DEFAULT_REPOS="tailscale/k8s-operator"
     REPOS="${REPOS:-${DEFAULT_REPOS}}"
     go run github.com/tailscale/mkctr \
@@ -65,11 +65,9 @@ case "$TARGET" in
         -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
       --target="${PLATFORM}" \
-      --annotations="${ANNOTATIONS}" \
       /usr/local/bin/operator
     ;;
   k8s-nameserver)
@@ -83,11 +81,9 @@ case "$TARGET" in
         -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
       --target="${PLATFORM}" \
-      --annotations="${ANNOTATIONS}" \
       /usr/local/bin/k8s-nameserver
     ;;
   *)

client/local/local_test.go

@@ -1,74 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package local
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"tailscale.com/tstest/deptest"
-	"tailscale.com/types/key"
-)
-
-func TestGetServeConfigFromJSON(t *testing.T) {
-	sc, err := getServeConfigFromJSON([]byte("null"))
-	if sc != nil {
-		t.Errorf("want nil for null")
-	}
-	if err != nil {
-		t.Errorf("reading null: %v", err)
-	}
-
-	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
-	if err != nil {
-		t.Errorf("reading object: %v", err)
-	} else if sc == nil {
-		t.Errorf("want non-nil for object")
-	} else if sc.TCP == nil {
-		t.Errorf("want non-nil TCP for object")
-	}
-}
-
-func TestWhoIsPeerNotFound(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(404)
-	}))
-	defer ts.Close()
-
-	lc := &Client{
-		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			var std net.Dialer
-			return std.DialContext(ctx, network, ts.Listener.Addr().(*net.TCPAddr).String())
-		},
-	}
-	var k key.NodePublic
-	if err := k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")); err != nil {
-		t.Fatal(err)
-	}
-	res, err := lc.WhoIsNodeKey(context.Background(), k)
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-	res, err = lc.WhoIs(context.Background(), "1.2.3.4:5678")
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-}
-
-func TestDeps(t *testing.T) {
-	deptest.DepChecker{
-		BadDeps: map[string]string{
-			// Make sure we don't again accidentally bring in a dependency on
-			// drive or its transitive dependencies
-			"testing":                        "do not use testing package in production code",
-			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
-			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
-		},
-	}.Check(t)
-}

client/systray/logo.go

@@ -1,319 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build cgo || !darwin
-
-package systray
-
-import (
-	"bytes"
-	"context"
-	"image"
-	"image/color"
-	"image/png"
-	"sync"
-	"time"
-
-	"fyne.io/systray"
-	"github.com/fogleman/gg"
-)
-
-// tsLogo represents the Tailscale logo displayed as the systray icon.
-type tsLogo struct {
-	// dots represents the state of the 3x3 dot grid in the logo.
-	// A 0 represents a gray dot, any other value is a white dot.
-	dots [9]byte
-
-	// dotMask returns an image mask to be used when rendering the logo dots.
-	dotMask func(dc *gg.Context, borderUnits int, radius int) *image.Alpha
-
-	// overlay is called after the dots are rendered to draw an additional overlay.
-	overlay func(dc *gg.Context, borderUnits int, radius int)
-}
-
-var (
-	// disconnected is all gray dots
-	disconnected = tsLogo{dots: [9]byte{
-		0, 0, 0,
-		0, 0, 0,
-		0, 0, 0,
-	}}
-
-	// connected is the normal Tailscale logo
-	connected = tsLogo{dots: [9]byte{
-		0, 0, 0,
-		1, 1, 1,
-		0, 1, 0,
-	}}
-
-	// loading is a special tsLogo value that is not meant to be rendered directly,
-	// but indicates that the loading animation should be shown.
-	loading = tsLogo{dots: [9]byte{'l', 'o', 'a', 'd', 'i', 'n', 'g'}}
-
-	// loadingIcons are shown in sequence as an animated loading icon.
-	loadingLogos = []tsLogo{
-		{dots: [9]byte{
-			0, 1, 1,
-			1, 0, 1,
-			0, 0, 1,
-		}},
-		{dots: [9]byte{
-			0, 1, 1,
-			0, 0, 1,
-			0, 1, 0,
-		}},
-		{dots: [9]byte{
-			0, 1, 1,
-			0, 0, 0,
-			0, 0, 1,
-		}},
-		{dots: [9]byte{
-			0, 0, 1,
-			0, 1, 0,
-			0, 0, 0,
-		}},
-		{dots: [9]byte{
-			0, 1, 0,
-			0, 0, 0,
-			0, 0, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			0, 0, 1,
-			0, 0, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			0, 0, 0,
-			0, 0, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 1,
-			0, 0, 0,
-			0, 0, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			0, 0, 0,
-			1, 0, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			0, 0, 0,
-			1, 1, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			1, 0, 0,
-			1, 1, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			1, 1, 0,
-			0, 1, 0,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			1, 1, 0,
-			0, 1, 1,
-		}},
-		{dots: [9]byte{
-			0, 0, 0,
-			1, 1, 1,
-			0, 0, 1,
-		}},
-		{dots: [9]byte{
-			0, 1, 0,
-			0, 1, 1,
-			1, 0, 1,
-		}},
-	}
-
-	// exitNodeOnline is the Tailscale logo with an additional arrow overlay in the corner.
-	exitNodeOnline = tsLogo{
-		dots: [9]byte{
-			0, 0, 0,
-			1, 1, 1,
-			0, 1, 0,
-		},
-		// draw an arrow mask in the bottom right corner with a reasonably thick line width.
-		dotMask: func(dc *gg.Context, borderUnits int, radius int) *image.Alpha {
-			bu, r := float64(borderUnits), float64(radius)
-
-			x1 := r * (bu + 3.5)
-			y := r * (bu + 7)
-			x2 := x1 + (r * 5)
-
-			mc := gg.NewContext(dc.Width(), dc.Height())
-			mc.DrawLine(x1, y, x2, y)                 // arrow center line
-			mc.DrawLine(x2-(1.5*r), y-(1.5*r), x2, y) // top of arrow tip
-			mc.DrawLine(x2-(1.5*r), y+(1.5*r), x2, y) // bottom of arrow tip
-			mc.SetLineWidth(r * 3)
-			mc.Stroke()
-			return mc.AsMask()
-		},
-		// draw an arrow in the bottom right corner over the masked area.
-		overlay: func(dc *gg.Context, borderUnits int, radius int) {
-			bu, r := float64(borderUnits), float64(radius)
-
-			x1 := r * (bu + 3.5)
-			y := r * (bu + 7)
-			x2 := x1 + (r * 5)
-
-			dc.DrawLine(x1, y, x2, y)                 // arrow center line
-			dc.DrawLine(x2-(1.5*r), y-(1.5*r), x2, y) // top of arrow tip
-			dc.DrawLine(x2-(1.5*r), y+(1.5*r), x2, y) // bottom of arrow tip
-			dc.SetColor(fg)
-			dc.SetLineWidth(r)
-			dc.Stroke()
-		},
-	}
-
-	// exitNodeOffline is the Tailscale logo with a red "x" in the corner.
-	exitNodeOffline = tsLogo{
-		dots: [9]byte{
-			0, 0, 0,
-			1, 1, 1,
-			0, 1, 0,
-		},
-		// Draw a square that hides the four dots in the bottom right corner,
-		dotMask: func(dc *gg.Context, borderUnits int, radius int) *image.Alpha {
-			bu, r := float64(borderUnits), float64(radius)
-			x := r * (bu + 3)
-
-			mc := gg.NewContext(dc.Width(), dc.Height())
-			mc.DrawRectangle(x, x, r*6, r*6)
-			mc.Fill()
-			return mc.AsMask()
-		},
-		// draw a red "x" over the bottom right corner.
-		overlay: func(dc *gg.Context, borderUnits int, radius int) {
-			bu, r := float64(borderUnits), float64(radius)
-
-			x1 := r * (bu + 4)
-			x2 := x1 + (r * 3.5)
-			dc.DrawLine(x1, x1, x2, x2) // top-left to bottom-right stroke
-			dc.DrawLine(x1, x2, x2, x1) // bottom-left to top-right stroke
-			dc.SetColor(red)
-			dc.SetLineWidth(r)
-			dc.Stroke()
-		},
-	}
-)
-
-var (
-	bg   = color.NRGBA{0, 0, 0, 255}
-	fg   = color.NRGBA{255, 255, 255, 255}
-	gray = color.NRGBA{255, 255, 255, 102}
-	red  = color.NRGBA{229, 111, 74, 255}
-)
-
-// render returns a PNG image of the logo.
-func (logo tsLogo) render() *bytes.Buffer {
-	const borderUnits = 1
-	return logo.renderWithBorder(borderUnits)
-}
-
-// renderWithBorder returns a PNG image of the logo with the specified border width.
-// One border unit is equal to the radius of a tailscale logo dot.
-func (logo tsLogo) renderWithBorder(borderUnits int) *bytes.Buffer {
-	const radius = 25
-	dim := radius * (8 + borderUnits*2)
-
-	dc := gg.NewContext(dim, dim)
-	dc.DrawRectangle(0, 0, float64(dim), float64(dim))
-	dc.SetColor(bg)
-	dc.Fill()
-
-	if logo.dotMask != nil {
-		mask := logo.dotMask(dc, borderUnits, radius)
-		dc.SetMask(mask)
-		dc.InvertMask()
-	}
-
-	for y := 0; y < 3; y++ {
-		for x := 0; x < 3; x++ {
-			px := (borderUnits + 1 + 3*x) * radius
-			py := (borderUnits + 1 + 3*y) * radius
-			col := fg
-			if logo.dots[y*3+x] == 0 {
-				col = gray
-			}
-			dc.DrawCircle(float64(px), float64(py), radius)
-			dc.SetColor(col)
-			dc.Fill()
-		}
-	}
-
-	if logo.overlay != nil {
-		dc.ResetClip()
-		logo.overlay(dc, borderUnits, radius)
-	}
-
-	b := bytes.NewBuffer(nil)
-	png.Encode(b, dc.Image())
-	return b
-}
-
-// setAppIcon renders logo and sets it as the systray icon.
-func setAppIcon(icon tsLogo) {
-	if icon.dots == loading.dots {
-		startLoadingAnimation()
-	} else {
-		stopLoadingAnimation()
-		systray.SetIcon(icon.render().Bytes())
-	}
-}
-
-var (
-	loadingMu sync.Mutex // protects loadingCancel
-
-	// loadingCancel stops the loading animation in the systray icon.
-	// This is nil if the animation is not currently active.
-	loadingCancel func()
-)
-
-// startLoadingAnimation starts the animated loading icon in the system tray.
-// The animation continues until [stopLoadingAnimation] is called.
-// If the loading animation is already active, this func does nothing.
-func startLoadingAnimation() {
-	loadingMu.Lock()
-	defer loadingMu.Unlock()
-
-	if loadingCancel != nil {
-		// loading icon already displayed
-		return
-	}
-
-	ctx := context.Background()
-	ctx, loadingCancel = context.WithCancel(ctx)
-
-	go func() {
-		t := time.NewTicker(500 * time.Millisecond)
-		var i int
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-t.C:
-				systray.SetIcon(loadingLogos[i].render().Bytes())
-				i++
-				if i >= len(loadingLogos) {
-					i = 0
-				}
-			}
-		}
-	}()
-}
-
-// stopLoadingAnimation stops the animated loading icon in the system tray.
-// If the loading animation is not currently active, this func does nothing.
-func stopLoadingAnimation() {
-	loadingMu.Lock()
-	defer loadingMu.Unlock()
-
-	if loadingCancel != nil {
-		loadingCancel()
-		loadingCancel = nil
-	}
-}

client/systray/systray.go

@@ -1,740 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build cgo || !darwin
-
-// Package systray provides a minimal Tailscale systray application.
-package systray
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"os/signal"
-	"runtime"
-	"slices"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"fyne.io/systray"
-	"github.com/atotto/clipboard"
-	dbus "github.com/godbus/dbus/v5"
-	"github.com/toqueteos/webbrowser"
-	"tailscale.com/client/local"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/slicesx"
-	"tailscale.com/util/stringsx"
-)
-
-var (
-	// newMenuDelay is the amount of time to sleep after creating a new menu,
-	// but before adding items to it. This works around a bug in some dbus implementations.
-	newMenuDelay time.Duration
-
-	// if true, treat all mullvad exit node countries as single-city.
-	// Instead of rendering a submenu with cities, just select the highest-priority peer.
-	hideMullvadCities bool
-)
-
-// Run starts the systray menu and blocks until the menu exits.
-func (menu *Menu) Run() {
-	menu.updateState()
-
-	// exit cleanly on SIGINT and SIGTERM
-	go func() {
-		interrupt := make(chan os.Signal, 1)
-		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
-		select {
-		case <-interrupt:
-			menu.onExit()
-		case <-menu.bgCtx.Done():
-		}
-	}()
-	go menu.lc.IncrementCounter(menu.bgCtx, "systray_start", 1)
-
-	systray.Run(menu.onReady, menu.onExit)
-}
-
-// Menu represents the systray menu, its items, and the current Tailscale state.
-type Menu struct {
-	mu sync.Mutex // protects the entire Menu
-
-	lc          local.Client
-	status      *ipnstate.Status
-	curProfile  ipn.LoginProfile
-	allProfiles []ipn.LoginProfile
-
-	// readonly is whether the systray app is running in read-only mode.
-	// This is set if LocalAPI returns a permission error,
-	// typically because the user needs to run `tailscale set --operator=$USER`.
-	readonly bool
-
-	bgCtx    context.Context // ctx for background tasks not involving menu item clicks
-	bgCancel context.CancelFunc
-
-	// Top-level menu items
-	connect    *systray.MenuItem
-	disconnect *systray.MenuItem
-	self       *systray.MenuItem
-	exitNodes  *systray.MenuItem
-	more       *systray.MenuItem
-	quit       *systray.MenuItem
-
-	rebuildCh  chan struct{} // triggers a menu rebuild
-	accountsCh chan ipn.ProfileID
-	exitNodeCh chan tailcfg.StableNodeID // ID of selected exit node
-
-	eventCancel context.CancelFunc // cancel eventLoop
-
-	notificationIcon *os.File // icon used for desktop notifications
-}
-
-func (menu *Menu) init() {
-	if menu.bgCtx != nil {
-		// already initialized
-		return
-	}
-
-	menu.rebuildCh = make(chan struct{}, 1)
-	menu.accountsCh = make(chan ipn.ProfileID)
-	menu.exitNodeCh = make(chan tailcfg.StableNodeID)
-
-	// dbus wants a file path for notification icons, so copy to a temp file.
-	menu.notificationIcon, _ = os.CreateTemp("", "tailscale-systray.png")
-	io.Copy(menu.notificationIcon, connected.renderWithBorder(3))
-
-	menu.bgCtx, menu.bgCancel = context.WithCancel(context.Background())
-	go menu.watchIPNBus()
-}
-
-func init() {
-	if runtime.GOOS != "linux" {
-		// so far, these tweaks are only needed on Linux
-		return
-	}
-
-	desktop := strings.ToLower(os.Getenv("XDG_CURRENT_DESKTOP"))
-	switch desktop {
-	case "gnome":
-		// GNOME expands submenus downward in the main menu, rather than flyouts to the side.
-		// Either as a result of that or another limitation, there seems to be a maximum depth of submenus.
-		// Mullvad countries that have a city submenu are not being rendered, and so can't be selected.
-		// Handle this by simply treating all mullvad countries as single-city and select the best peer.
-		hideMullvadCities = true
-	case "kde":
-		// KDE doesn't need a delay, and actually won't render submenus
-		// if we delay for more than about 400µs.
-		newMenuDelay = 0
-	default:
-		// Add a slight delay to ensure the menu is created before adding items.
-		//
-		// Systray implementations that use libdbusmenu sometimes process messages out of order,
-		// resulting in errors such as:
-		//    (waybar:153009): LIBDBUSMENU-GTK-WARNING **: 18:07:11.551: Children but no menu, someone's been naughty with their 'children-display' property: 'submenu'
-		//
-		// See also: https://github.com/fyne-io/systray/issues/12
-		newMenuDelay = 10 * time.Millisecond
-	}
-}
-
-// onReady is called by the systray package when the menu is ready to be built.
-func (menu *Menu) onReady() {
-	log.Printf("starting")
-	setAppIcon(disconnected)
-	menu.rebuild()
-}
-
-// updateState updates the Menu state from the Tailscale local client.
-func (menu *Menu) updateState() {
-	menu.mu.Lock()
-	defer menu.mu.Unlock()
-	menu.init()
-
-	menu.readonly = false
-
-	var err error
-	menu.status, err = menu.lc.Status(menu.bgCtx)
-	if err != nil {
-		log.Print(err)
-	}
-	menu.curProfile, menu.allProfiles, err = menu.lc.ProfileStatus(menu.bgCtx)
-	if err != nil {
-		if local.IsAccessDeniedError(err) {
-			menu.readonly = true
-		}
-		log.Print(err)
-	}
-}
-
-// rebuild the systray menu based on the current Tailscale state.
-//
-// We currently rebuild the entire menu because it is not easy to update the existing menu.
-// You cannot iterate over the items in a menu, nor can you remove some items like separators.
-// So for now we rebuild the whole thing, and can optimize this later if needed.
-func (menu *Menu) rebuild() {
-	menu.mu.Lock()
-	defer menu.mu.Unlock()
-	menu.init()
-
-	if menu.eventCancel != nil {
-		menu.eventCancel()
-	}
-	ctx := context.Background()
-	ctx, menu.eventCancel = context.WithCancel(ctx)
-
-	systray.ResetMenu()
-
-	if menu.readonly {
-		const readonlyMsg = "No permission to manage Tailscale.\nSee tailscale.com/s/cli-operator"
-		m := systray.AddMenuItem(readonlyMsg, "")
-		onClick(ctx, m, func(_ context.Context) {
-			webbrowser.Open("https://tailscale.com/s/cli-operator")
-		})
-		systray.AddSeparator()
-	}
-
-	menu.connect = systray.AddMenuItem("Connect", "")
-	menu.disconnect = systray.AddMenuItem("Disconnect", "")
-	menu.disconnect.Hide()
-	systray.AddSeparator()
-
-	// delay to prevent race setting icon on first start
-	time.Sleep(newMenuDelay)
-
-	// Set systray menu icon and title.
-	// Also adjust connect/disconnect menu items if needed.
-	var backendState string
-	if menu.status != nil {
-		backendState = menu.status.BackendState
-	}
-	switch backendState {
-	case ipn.Running.String():
-		if menu.status.ExitNodeStatus != nil && !menu.status.ExitNodeStatus.ID.IsZero() {
-			if menu.status.ExitNodeStatus.Online {
-				setTooltip("Using exit node")
-				setAppIcon(exitNodeOnline)
-			} else {
-				setTooltip("Exit node offline")
-				setAppIcon(exitNodeOffline)
-			}
-		} else {
-			setTooltip(fmt.Sprintf("Connected to %s", menu.status.CurrentTailnet.Name))
-			setAppIcon(connected)
-		}
-		menu.connect.SetTitle("Connected")
-		menu.connect.Disable()
-		menu.disconnect.Show()
-		menu.disconnect.Enable()
-	case ipn.Starting.String():
-		setTooltip("Connecting")
-		setAppIcon(loading)
-	default:
-		setTooltip("Disconnected")
-		setAppIcon(disconnected)
-	}
-
-	if menu.readonly {
-		menu.connect.Disable()
-		menu.disconnect.Disable()
-	}
-
-	account := "Account"
-	if pt := profileTitle(menu.curProfile); pt != "" {
-		account = pt
-	}
-	if !menu.readonly {
-		accounts := systray.AddMenuItem(account, "")
-		setRemoteIcon(accounts, menu.curProfile.UserProfile.ProfilePicURL)
-		time.Sleep(newMenuDelay)
-		for _, profile := range menu.allProfiles {
-			title := profileTitle(profile)
-			var item *systray.MenuItem
-			if profile.ID == menu.curProfile.ID {
-				item = accounts.AddSubMenuItemCheckbox(title, "", true)
-			} else {
-				item = accounts.AddSubMenuItem(title, "")
-			}
-			setRemoteIcon(item, profile.UserProfile.ProfilePicURL)
-			onClick(ctx, item, func(ctx context.Context) {
-				select {
-				case <-ctx.Done():
-				case menu.accountsCh <- profile.ID:
-				}
-			})
-		}
-	}
-
-	if menu.status != nil && menu.status.Self != nil && len(menu.status.Self.TailscaleIPs) > 0 {
-		title := fmt.Sprintf("This Device: %s (%s)", menu.status.Self.HostName, menu.status.Self.TailscaleIPs[0])
-		menu.self = systray.AddMenuItem(title, "")
-	} else {
-		menu.self = systray.AddMenuItem("This Device: not connected", "")
-		menu.self.Disable()
-	}
-	systray.AddSeparator()
-
-	if !menu.readonly {
-		menu.rebuildExitNodeMenu(ctx)
-	}
-
-	if menu.status != nil {
-		menu.more = systray.AddMenuItem("More settings", "")
-		onClick(ctx, menu.more, func(_ context.Context) {
-			webbrowser.Open("http://100.100.100.100/")
-		})
-	}
-
-	menu.quit = systray.AddMenuItem("Quit", "Quit the app")
-	menu.quit.Enable()
-
-	go menu.eventLoop(ctx)
-}
-
-// profileTitle returns the title string for a profile menu item.
-func profileTitle(profile ipn.LoginProfile) string {
-	title := profile.Name
-	if profile.NetworkProfile.DomainName != "" {
-		if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
-			// windows and mac don't support multi-line menu
-			title += " (" + profile.NetworkProfile.DomainName + ")"
-		} else {
-			title += "\n" + profile.NetworkProfile.DomainName
-		}
-	}
-	return title
-}
-
-var (
-	cacheMu   sync.Mutex
-	httpCache = map[string][]byte{} // URL => response body
-)
-
-// setRemoteIcon sets the icon for menu to the specified remote image.
-// Remote images are fetched as needed and cached.
-func setRemoteIcon(menu *systray.MenuItem, urlStr string) {
-	if menu == nil || urlStr == "" {
-		return
-	}
-
-	cacheMu.Lock()
-	b, ok := httpCache[urlStr]
-	if !ok {
-		resp, err := http.Get(urlStr)
-		if err == nil && resp.StatusCode == http.StatusOK {
-			b, _ = io.ReadAll(resp.Body)
-			httpCache[urlStr] = b
-			resp.Body.Close()
-		}
-	}
-	cacheMu.Unlock()
-
-	if len(b) > 0 {
-		menu.SetIcon(b)
-	}
-}
-
-// setTooltip sets the tooltip text for the systray icon.
-func setTooltip(text string) {
-	if runtime.GOOS == "darwin" || runtime.GOOS == "windows" {
-		systray.SetTooltip(text)
-	} else {
-		// on Linux, SetTitle actually sets the tooltip
-		systray.SetTitle(text)
-	}
-}
-
-// eventLoop is the main event loop for handling click events on menu items
-// and responding to Tailscale state changes.
-// This method does not return until ctx.Done is closed.
-func (menu *Menu) eventLoop(ctx context.Context) {
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-menu.rebuildCh:
-			menu.updateState()
-			menu.rebuild()
-		case <-menu.connect.ClickedCh:
-			_, err := menu.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					WantRunning: true,
-				},
-				WantRunningSet: true,
-			})
-			if err != nil {
-				log.Printf("error connecting: %v", err)
-			}
-
-		case <-menu.disconnect.ClickedCh:
-			_, err := menu.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					WantRunning: false,
-				},
-				WantRunningSet: true,
-			})
-			if err != nil {
-				log.Printf("error disconnecting: %v", err)
-			}
-
-		case <-menu.self.ClickedCh:
-			menu.copyTailscaleIP(menu.status.Self)
-
-		case id := <-menu.accountsCh:
-			if err := menu.lc.SwitchProfile(ctx, id); err != nil {
-				log.Printf("error switching to profile ID %v: %v", id, err)
-			}
-
-		case exitNode := <-menu.exitNodeCh:
-			if exitNode.IsZero() {
-				log.Print("disable exit node")
-				if err := menu.lc.SetUseExitNode(ctx, false); err != nil {
-					log.Printf("error disabling exit node: %v", err)
-				}
-			} else {
-				log.Printf("enable exit node: %v", exitNode)
-				mp := &ipn.MaskedPrefs{
-					Prefs: ipn.Prefs{
-						ExitNodeID: exitNode,
-					},
-					ExitNodeIDSet: true,
-				}
-				if _, err := menu.lc.EditPrefs(ctx, mp); err != nil {
-					log.Printf("error setting exit node: %v", err)
-				}
-			}
-
-		case <-menu.quit.ClickedCh:
-			systray.Quit()
-		}
-	}
-}
-
-// onClick registers a click handler for a menu item.
-func onClick(ctx context.Context, item *systray.MenuItem, fn func(ctx context.Context)) {
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-item.ClickedCh:
-				fn(ctx)
-			}
-		}
-	}()
-}
-
-// watchIPNBus subscribes to the tailscale event bus and sends state updates to chState.
-// This method does not return.
-func (menu *Menu) watchIPNBus() {
-	for {
-		if err := menu.watchIPNBusInner(); err != nil {
-			log.Println(err)
-			if errors.Is(err, context.Canceled) {
-				// If the context got canceled, we will never be able to
-				// reconnect to IPN bus, so exit the process.
-				log.Fatalf("watchIPNBus: %v", err)
-			}
-		}
-		// If our watch connection breaks, wait a bit before reconnecting. No
-		// reason to spam the logs if e.g. tailscaled is restarting or goes
-		// down.
-		time.Sleep(3 * time.Second)
-	}
-}
-
-func (menu *Menu) watchIPNBusInner() error {
-	watcher, err := menu.lc.WatchIPNBus(menu.bgCtx, ipn.NotifyNoPrivateKeys)
-	if err != nil {
-		return fmt.Errorf("watching ipn bus: %w", err)
-	}
-	defer watcher.Close()
-	for {
-		select {
-		case <-menu.bgCtx.Done():
-			return nil
-		default:
-			n, err := watcher.Next()
-			if err != nil {
-				return fmt.Errorf("ipnbus error: %w", err)
-			}
-			var rebuild bool
-			if n.State != nil {
-				log.Printf("new state: %v", n.State)
-				rebuild = true
-			}
-			if n.Prefs != nil {
-				rebuild = true
-			}
-			if rebuild {
-				menu.rebuildCh <- struct{}{}
-			}
-		}
-	}
-}
-
-// copyTailscaleIP copies the first Tailscale IP of the given device to the clipboard
-// and sends a notification with the copied value.
-func (menu *Menu) copyTailscaleIP(device *ipnstate.PeerStatus) {
-	if device == nil || len(device.TailscaleIPs) == 0 {
-		return
-	}
-	name := strings.Split(device.DNSName, ".")[0]
-	ip := device.TailscaleIPs[0].String()
-	err := clipboard.WriteAll(ip)
-	if err != nil {
-		log.Printf("clipboard error: %v", err)
-	}
-
-	menu.sendNotification(fmt.Sprintf("Copied Address for %v", name), ip)
-}
-
-// sendNotification sends a desktop notification with the given title and content.
-func (menu *Menu) sendNotification(title, content string) {
-	conn, err := dbus.SessionBus()
-	if err != nil {
-		log.Printf("dbus: %v", err)
-		return
-	}
-	timeout := 3 * time.Second
-	obj := conn.Object("org.freedesktop.Notifications", "/org/freedesktop/Notifications")
-	call := obj.Call("org.freedesktop.Notifications.Notify", 0, "Tailscale", uint32(0),
-		menu.notificationIcon.Name(), title, content, []string{}, map[string]dbus.Variant{}, int32(timeout.Milliseconds()))
-	if call.Err != nil {
-		log.Printf("dbus: %v", call.Err)
-	}
-}
-
-func (menu *Menu) rebuildExitNodeMenu(ctx context.Context) {
-	if menu.status == nil {
-		return
-	}
-
-	status := menu.status
-	menu.exitNodes = systray.AddMenuItem("Exit Nodes", "")
-	time.Sleep(newMenuDelay)
-
-	// register a click handler for a menu item to set nodeID as the exit node.
-	setExitNodeOnClick := func(item *systray.MenuItem, nodeID tailcfg.StableNodeID) {
-		onClick(ctx, item, func(ctx context.Context) {
-			select {
-			case <-ctx.Done():
-			case menu.exitNodeCh <- nodeID:
-			}
-		})
-	}
-
-	noExitNodeMenu := menu.exitNodes.AddSubMenuItemCheckbox("None", "", status.ExitNodeStatus == nil)
-	setExitNodeOnClick(noExitNodeMenu, "")
-
-	// Show recommended exit node if available.
-	if status.Self.CapMap.Contains(tailcfg.NodeAttrSuggestExitNodeUI) {
-		sugg, err := menu.lc.SuggestExitNode(ctx)
-		if err == nil {
-			title := "Recommended: "
-			if loc := sugg.Location; loc.Valid() && loc.Country() != "" {
-				flag := countryFlag(loc.CountryCode())
-				title += fmt.Sprintf("%s %s: %s", flag, loc.Country(), loc.City())
-			} else {
-				title += strings.Split(sugg.Name, ".")[0]
-			}
-			menu.exitNodes.AddSeparator()
-			rm := menu.exitNodes.AddSubMenuItemCheckbox(title, "", false)
-			setExitNodeOnClick(rm, sugg.ID)
-			if status.ExitNodeStatus != nil && sugg.ID == status.ExitNodeStatus.ID {
-				rm.Check()
-			}
-		}
-	}
-
-	// Add tailnet exit nodes if present.
-	var tailnetExitNodes []*ipnstate.PeerStatus
-	for _, ps := range status.Peer {
-		if ps.ExitNodeOption && ps.Location == nil {
-			tailnetExitNodes = append(tailnetExitNodes, ps)
-		}
-	}
-	if len(tailnetExitNodes) > 0 {
-		menu.exitNodes.AddSeparator()
-		menu.exitNodes.AddSubMenuItem("Tailnet Exit Nodes", "").Disable()
-		for _, ps := range status.Peer {
-			if !ps.ExitNodeOption || ps.Location != nil {
-				continue
-			}
-			name := strings.Split(ps.DNSName, ".")[0]
-			if !ps.Online {
-				name += " (offline)"
-			}
-			sm := menu.exitNodes.AddSubMenuItemCheckbox(name, "", false)
-			if !ps.Online {
-				sm.Disable()
-			}
-			if status.ExitNodeStatus != nil && ps.ID == status.ExitNodeStatus.ID {
-				sm.Check()
-			}
-			setExitNodeOnClick(sm, ps.ID)
-		}
-	}
-
-	// Add mullvad exit nodes if present.
-	var mullvadExitNodes mullvadPeers
-	if status.Self.CapMap.Contains("mullvad") {
-		mullvadExitNodes = newMullvadPeers(status)
-	}
-	if len(mullvadExitNodes.countries) > 0 {
-		menu.exitNodes.AddSeparator()
-		menu.exitNodes.AddSubMenuItem("Location-based Exit Nodes", "").Disable()
-		mullvadMenu := menu.exitNodes.AddSubMenuItemCheckbox("Mullvad VPN", "", false)
-
-		for _, country := range mullvadExitNodes.sortedCountries() {
-			flag := countryFlag(country.code)
-			countryMenu := mullvadMenu.AddSubMenuItemCheckbox(flag+" "+country.name, "", false)
-
-			// single-city country, no submenu
-			if len(country.cities) == 1 || hideMullvadCities {
-				setExitNodeOnClick(countryMenu, country.best.ID)
-				if status.ExitNodeStatus != nil {
-					for _, city := range country.cities {
-						for _, ps := range city.peers {
-							if status.ExitNodeStatus.ID == ps.ID {
-								mullvadMenu.Check()
-								countryMenu.Check()
-							}
-						}
-					}
-				}
-				continue
-			}
-
-			// multi-city country, build submenu with "best available" option and cities.
-			time.Sleep(newMenuDelay)
-			bm := countryMenu.AddSubMenuItemCheckbox("Best Available", "", false)
-			setExitNodeOnClick(bm, country.best.ID)
-			countryMenu.AddSeparator()
-
-			for _, city := range country.sortedCities() {
-				cityMenu := countryMenu.AddSubMenuItemCheckbox(city.name, "", false)
-				setExitNodeOnClick(cityMenu, city.best.ID)
-				if status.ExitNodeStatus != nil {
-					for _, ps := range city.peers {
-						if status.ExitNodeStatus.ID == ps.ID {
-							mullvadMenu.Check()
-							countryMenu.Check()
-							cityMenu.Check()
-						}
-					}
-				}
-			}
-		}
-	}
-
-	// TODO: "Allow Local Network Access" and "Run Exit Node" menu items
-}
-
-// mullvadPeers contains all mullvad peer nodes, sorted by country and city.
-type mullvadPeers struct {
-	countries map[string]*mvCountry // country code (uppercase) => country
-}
-
-// sortedCountries returns countries containing mullvad nodes, sorted by name.
-func (mp mullvadPeers) sortedCountries() []*mvCountry {
-	countries := slicesx.MapValues(mp.countries)
-	slices.SortFunc(countries, func(a, b *mvCountry) int {
-		return stringsx.CompareFold(a.name, b.name)
-	})
-	return countries
-}
-
-type mvCountry struct {
-	code   string
-	name   string
-	best   *ipnstate.PeerStatus // highest priority peer in the country
-	cities map[string]*mvCity   // city code => city
-}
-
-// sortedCities returns cities containing mullvad nodes, sorted by name.
-func (mc *mvCountry) sortedCities() []*mvCity {
-	cities := slicesx.MapValues(mc.cities)
-	slices.SortFunc(cities, func(a, b *mvCity) int {
-		return stringsx.CompareFold(a.name, b.name)
-	})
-	return cities
-}
-
-// countryFlag takes a 2-character ASCII string and returns the corresponding emoji flag.
-// It returns the empty string on error.
-func countryFlag(code string) string {
-	if len(code) != 2 {
-		return ""
-	}
-	runes := make([]rune, 0, 2)
-	for i := range 2 {
-		b := code[i] | 32 // lowercase
-		if b < 'a' || b > 'z' {
-			return ""
-		}
-		// https://en.wikipedia.org/wiki/Regional_indicator_symbol
-		runes = append(runes, 0x1F1E6+rune(b-'a'))
-	}
-	return string(runes)
-}
-
-type mvCity struct {
-	name  string
-	best  *ipnstate.PeerStatus // highest priority peer in the city
-	peers []*ipnstate.PeerStatus
-}
-
-func newMullvadPeers(status *ipnstate.Status) mullvadPeers {
-	countries := make(map[string]*mvCountry)
-	for _, ps := range status.Peer {
-		if !ps.ExitNodeOption || ps.Location == nil {
-			continue
-		}
-		loc := ps.Location
-		country, ok := countries[loc.CountryCode]
-		if !ok {
-			country = &mvCountry{
-				code:   loc.CountryCode,
-				name:   loc.Country,
-				cities: make(map[string]*mvCity),
-			}
-			countries[loc.CountryCode] = country
-		}
-		city, ok := countries[loc.CountryCode].cities[loc.CityCode]
-		if !ok {
-			city = &mvCity{
-				name: loc.City,
-			}
-			countries[loc.CountryCode].cities[loc.CityCode] = city
-		}
-		city.peers = append(city.peers, ps)
-		if city.best == nil || ps.Location.Priority > city.best.Location.Priority {
-			city.best = ps
-		}
-		if country.best == nil || ps.Location.Priority > country.best.Location.Priority {
-			country.best = ps
-		}
-	}
-	return mullvadPeers{countries}
-}
-
-// onExit is called by the systray package when the menu is exiting.
-func (menu *Menu) onExit() {
-	log.Printf("exiting")
-	if menu.bgCancel != nil {
-		menu.bgCancel()
-	}
-	if menu.eventCancel != nil {
-		menu.eventCancel()
-	}
-
-	os.Remove(menu.notificationIcon.Name())
-}

client/tailscale/acl.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"net/url"
 )
 
 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -20,7 +19,6 @@ import (
 // Only one of Src/Dst or Users/Ports may be specified.
 type ACLRow struct {
 	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Proto  string   `json:"proto,omitempty"`  // protocol
 	Users  []string `json:"users,omitempty"`  // old name for src
 	Ports  []string `json:"ports,omitempty"`  // old name for dst
 	Src    []string `json:"src,omitempty"`
@@ -33,23 +31,12 @@ type ACLRow struct {
 type ACLTest struct {
 	Src    string   `json:"src,omitempty"`    // source
 	User   string   `json:"user,omitempty"`   // old name for source
-	Proto  string   `json:"proto,omitempty"`  // protocol
 	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
 	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
 
 	Allow []string `json:"allow,omitempty"` // old name for accept
 }
 
-// NodeAttrGrant defines additional string attributes that apply to specific devices.
-type NodeAttrGrant struct {
-	// Target specifies which nodes the attributes apply to. The nodes can be a
-	// tag (tag:server), user (alice@example.com), group (group:kids), or *.
-	Target []string `json:"target,omitempty"`
-
-	// Attr are the attributes to set on Target(s).
-	Attr []string `json:"attr,omitempty"`
-}
-
 // ACLDetails contains all the details for an ACL.
 type ACLDetails struct {
 	Tests     []ACLTest           `json:"tests,omitempty"`
@@ -57,7 +44,6 @@ type ACLDetails struct {
 	Groups    map[string][]string `json:"groups,omitempty"`
 	TagOwners map[string][]string `json:"tagowners,omitempty"`
 	Hosts     map[string]string   `json:"hosts,omitempty"`
-	NodeAttrs []NodeAttrGrant     `json:"nodeAttrs,omitempty"`
 }
 
 // ACL contains an ACLDetails and metadata.
@@ -84,7 +70,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 		}
 	}()
 
-	path := c.BuildTailnetURL("acl")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -98,7 +84,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	// Otherwise, try to decode the response.
@@ -127,7 +113,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		}
 	}()
 
-	path := c.BuildTailnetURL("acl", url.Values{"details": {"1"}})
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -139,7 +125,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	data := struct {
@@ -147,7 +133,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		Warnings []string `json:"warnings"`
 	}{}
 	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, fmt.Errorf("json.Unmarshal %q: %w", b, err)
+		return nil, err
 	}
 
 	acl = &ACLHuJSON{
@@ -164,12 +150,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	// User is the source ("src") value of the ACL test that failed.
-	// The name "user" is a legacy holdover from the original naming and
-	// is kept for compatibility but it may also contain any value
-	// that's valid in a ACL test "src" field.
-	User string `json:"user,omitempty"`
-
+	User     string   `json:"user,omitempty"`
 	Errors   []string `json:"errors,omitempty"`
 	Warnings []string `json:"warnings,omitempty"`
 }
@@ -185,7 +166,7 @@ func (e ACLTestError) Error() string {
 }
 
 func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := c.BuildTailnetURL("acl")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, "", err
@@ -289,9 +270,6 @@ type UserRuleMatch struct {
 	Users      []string `json:"users"`
 	Ports      []string `json:"ports"`
 	LineNumber int      `json:"lineNumber"`
-	// Via is the list of targets through which Users can access Ports.
-	// See https://tailscale.com/kb/1378/via for more information.
-	Via []string `json:"via,omitempty"`
 
 	// Postures is a list of posture policies that are
 	// associated with this match. The rules can be looked
@@ -329,7 +307,7 @@ type ACLPreview struct {
 }
 
 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := c.BuildTailnetURL("acl", "preview")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, err
@@ -351,7 +329,7 @@ func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, preview
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 	if err = json.Unmarshal(b, &res); err != nil {
 		return nil, err
@@ -489,7 +467,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		return nil, err
 	}
 
-	path := c.BuildTailnetURL("acl", "validate")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
 	if err != nil {
 		return nil, err

client/tailscale/apitype/apitype.go

@@ -4,32 +4,11 @@
 // Package apitype contains types for the Tailscale LocalAPI and control plane API.
 package apitype
 
-import (
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
-	"tailscale.com/util/ctxkey"
-)
+import "tailscale.com/tailcfg"
 
 // LocalAPIHost is the Host header value used by the LocalAPI.
 const LocalAPIHost = "local-tailscaled.sock"
 
-// RequestReasonHeader is the header used to pass justification for a LocalAPI request,
-// such as when a user wants to perform an action they don't have permission for,
-// and a policy allows it with justification. As of 2025-01-29, it is only used to
-// allow a user to disconnect Tailscale when the "always-on" mode is enabled.
-//
-// The header value is base64-encoded using the standard encoding defined in RFC 4648.
-//
-// See tailscale/corp#26146.
-const RequestReasonHeader = "X-Tailscale-Reason"
-
-// RequestReasonKey is the context key used to pass the request reason
-// when making a LocalAPI request via [local.Client].
-// It's value is a raw string. An empty string means no reason was provided.
-//
-// See tailscale/corp#26146.
-var RequestReasonKey = ctxkey.New(RequestReasonHeader, "")
-
 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
 // In successful whois responses, Node and UserProfile are never nil.
 type WhoIsResponse struct {
@@ -70,27 +49,3 @@ type ReloadConfigResponse struct {
 	Reloaded bool   // whether the config was reloaded
 	Err      string // any error message
 }
-
-// ExitNodeSuggestionResponse is the response to a LocalAPI suggest-exit-node GET request.
-// It returns the StableNodeID, name, and location of a suggested exit node for the client making the request.
-type ExitNodeSuggestionResponse struct {
-	ID       tailcfg.StableNodeID
-	Name     string
-	Location tailcfg.LocationView `json:",omitempty"`
-}
-
-// DNSOSConfig mimics dns.OSConfig without forcing us to import the entire dns package
-// into the CLI.
-type DNSOSConfig struct {
-	Nameservers   []string
-	SearchDomains []string
-	MatchDomains  []string
-}
-
-// DNSQueryResponse is the response to a DNS query request sent via LocalAPI.
-type DNSQueryResponse struct {
-	// Bytes is the raw DNS response bytes.
-	Bytes []byte
-	// Resolvers is the list of resolvers that the forwarder deemed able to resolve the query.
-	Resolvers []*dnstype.Resolver
-}

client/tailscale/devices.go

@@ -10,7 +10,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"log"
 	"net/http"
 	"net/url"
 
@@ -40,7 +39,6 @@ type Device struct {
 	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
 	Addresses []string `json:"addresses"`
 	DeviceID  string   `json:"id"`
-	NodeID    string   `json:"nodeId"`
 	User      string   `json:"user"`
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`
@@ -79,13 +77,6 @@ type Device struct {
 	// Tailscale have attempted to collect this from the device but it has not
 	// opted in, PostureIdentity will have Disabled=true.
 	PostureIdentity *DevicePostureIdentity `json:"postureIdentity"`
-
-	// TailnetLockKey is the tailnet lock public key of the node as a hex string.
-	TailnetLockKey string `json:"tailnetLockKey,omitempty"`
-
-	// TailnetLockErr indicates an issue with the tailnet lock node-key signature
-	// on this device. This field is only populated when tailnet lock is enabled.
-	TailnetLockErr string `json:"tailnetLockError,omitempty"`
 }
 
 type DevicePostureIdentity struct {
@@ -138,7 +129,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 		}
 	}()
 
-	path := c.BuildTailnetURL("devices")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -156,7 +147,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var devices GetDevicesResponse
@@ -195,7 +186,7 @@ func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFiel
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	err = json.Unmarshal(b, &device)
@@ -222,13 +213,10 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	if err != nil {
 		return err
 	}
-
-	log.Printf("RESP: %di, path: %s", resp.StatusCode, path)
-
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 	return nil
 }
@@ -260,7 +248,7 @@ func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 
 	return nil
@@ -288,7 +276,7 @@ func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/dns.go

@@ -44,7 +44,7 @@ type DNSPreferences struct {
 }
 
 func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := c.BuildTailnetURL("dns", endpoint)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -57,14 +57,14 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	return b, nil
 }
 
 func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := c.BuildTailnetURL("dns", endpoint)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {
 		return nil, err
@@ -84,7 +84,7 @@ func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData a
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	return b, nil

client/tailscale/example/servetls/servetls.go

@@ -11,14 +11,13 @@ import (
 	"log"
 	"net/http"
 
-	"tailscale.com/client/local"
+	"tailscale.com/client/tailscale"
 )
 
 func main() {
-	var lc local.Client
 	s := &http.Server{
 		TLSConfig: &tls.Config{
-			GetCertificate: lc.GetCertificate,
+			GetCertificate: tailscale.GetCertificate,
 		},
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")

client/tailscale/keys.go

@@ -40,7 +40,7 @@ type KeyDeviceCreateCapabilities struct {
 
 // Keys returns the list of keys for the current user.
 func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := c.BuildTailnetURL("keys")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -51,7 +51,7 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var keys struct {
@@ -99,7 +99,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 
-	path := c.BuildTailnetURL("keys")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
 	if err != nil {
 		return "", nil, err
@@ -110,7 +110,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return "", nil, HandleErrorResponse(b, resp)
+		return "", nil, handleErrorResponse(b, resp)
 	}
 
 	var key struct {
@@ -126,7 +126,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 // Key returns the metadata for the given key ID. Currently, capabilities are
 // only returned for auth keys, API keys only return general metadata.
 func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := c.BuildTailnetURL("keys", id)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -137,7 +137,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var key Key
@@ -149,7 +149,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 
 // DeleteKey deletes the key with the given ID.
 func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := c.BuildTailnetURL("keys", id)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
 	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
 	if err != nil {
 		return err
@@ -160,7 +160,7 @@ func (c *Client) DeleteKey(ctx context.Context, id string) error {
 		return err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 	return nil
 }

client/tailscale/localclient_aliases.go

@@ -1,106 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"context"
-	"crypto/tls"
-
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn/ipnstate"
-)
-
-// ErrPeerNotFound is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-var ErrPeerNotFound = local.ErrPeerNotFound
-
-// LocalClient is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type LocalClient = local.Client
-
-// IPNBusWatcher is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type IPNBusWatcher = local.IPNBusWatcher
-
-// BugReportOpts is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type BugReportOpts = local.BugReportOpts
-
-// DebugPortMapOpts is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type DebugPortmapOpts = local.DebugPortmapOpts
-
-// PingOpts is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type PingOpts = local.PingOpts
-
-// GetCertificate is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return local.GetCertificate(hi)
-}
-
-// SetVersionMismatchHandler is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	local.SetVersionMismatchHandler(f)
-}
-
-// IsAccessDeniedError is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func IsAccessDeniedError(err error) bool {
-	return local.IsAccessDeniedError(err)
-}
-
-// IsPreconditionsFailedError is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func IsPreconditionsFailedError(err error) bool {
-	return local.IsPreconditionsFailedError(err)
-}
-
-// WhoIs is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	return local.WhoIs(ctx, remoteAddr)
-}
-
-// Status is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return local.Status(ctx)
-}
-
-// StatusWithoutPeers is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return local.StatusWithoutPeers(ctx)
-}
-
-// CertPair is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return local.CertPair(ctx, domain)
-}
-
-// ExpandSNIName is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	return local.ExpandSNIName(ctx, name)
-}

client/tailscale/localclient_test.go

@@ -0,0 +1,42 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build go1.19
+
+package tailscale
+
+import (
+	"testing"
+
+	"tailscale.com/tstest/deptest"
+)
+
+func TestGetServeConfigFromJSON(t *testing.T) {
+	sc, err := getServeConfigFromJSON([]byte("null"))
+	if sc != nil {
+		t.Errorf("want nil for null")
+	}
+	if err != nil {
+		t.Errorf("reading null: %v", err)
+	}
+
+	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
+	if err != nil {
+		t.Errorf("reading object: %v", err)
+	} else if sc == nil {
+		t.Errorf("want non-nil for object")
+	} else if sc.TCP == nil {
+		t.Errorf("want non-nil TCP for object")
+	}
+}
+
+func TestDeps(t *testing.T) {
+	deptest.DepChecker{
+		BadDeps: map[string]string{
+			// Make sure we don't again accidentally bring in a dependency on
+			// drive or its transitive dependencies
+			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
+			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
+		},
+	}.Check(t)
+}

client/tailscale/required_version.go

@@ -1,10 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !go1.23
+//go:build !go1.21
 
 package tailscale
 
 func init() {
-	you_need_Go_1_23_to_compile_Tailscale()
+	you_need_Go_1_21_to_compile_Tailscale()
 }

client/tailscale/routes.go

@@ -44,7 +44,7 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var sr Routes
@@ -84,7 +84,7 @@ func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var srr *Routes

client/tailscale/tailnet.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"tailscale.com/util/httpm"
 )
@@ -21,7 +22,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 		}
 	}()
 
-	path := c.BuildTailnetURL("tailnet")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
 	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
 	if err != nil {
 		return err
@@ -34,7 +35,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/tailscale.go

@@ -3,12 +3,11 @@
 
 //go:build go1.19
 
-// Package tailscale contains a Go client for the Tailscale control plane API.
+// Package tailscale contains Go clients for the Tailscale LocalAPI and
+// Tailscale control plane API.
 //
-// This package is only intended for internal and transitional use.
-//
-// Deprecated: the official control plane client is available at
-// tailscale.com/client/tailscale/v2.
+// Warning: this package is in development and makes no API compatibility
+// promises as of 2022-04-29. It is subject to change at any time.
 package tailscale
 
 import (
@@ -17,12 +16,13 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
-	"path"
 )
 
 // I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. This package is being replaced by tailscale.com/client/tailscale/v2.
+// for now. It was added 2022-04-29 when it was moved to this git repo
+// and will be removed when the public API has settled.
+//
+// TODO(bradfitz): remove this after the we're happy with the public API.
 var I_Acknowledge_This_API_Is_Unstable = false
 
 // TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
@@ -36,8 +36,6 @@ const maxReadSize = 10 << 20
 //
 // Use NewClient to instantiate one. Exported fields should be set before
 // the client is used and not changed thereafter.
-//
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
 type Client struct {
 	// tailnet is the globally unique identifier for a Tailscale network, such
 	// as "example.com" or "user@gmail.com".
@@ -53,9 +51,6 @@ type Client struct {
 	// HTTPClient optionally specifies an alternate HTTP client to use.
 	// If nil, http.DefaultClient is used.
 	HTTPClient *http.Client
-
-	// UserAgent optionally specifies an alternate User-Agent header
-	UserAgent string
 }
 
 func (c *Client) httpClient() *http.Client {
@@ -65,46 +60,6 @@ func (c *Client) httpClient() *http.Client {
 	return http.DefaultClient
 }
 
-// BuildURL builds a url to http(s)://<apiserver>/api/v2/<slash-separated-pathElements>
-// using the given pathElements. It url escapes each path element, so the
-// caller doesn't need to worry about that. The last item of pathElements can
-// be of type url.Values to add a query string to the URL.
-//
-// For example, BuildURL(devices, 5) with the default server URL would result in
-// https://api.tailscale.com/api/v2/devices/5.
-func (c *Client) BuildURL(pathElements ...any) string {
-	elem := make([]string, 1, len(pathElements)+1)
-	elem[0] = "/api/v2"
-	var query string
-	for i, pathElement := range pathElements {
-		if uv, ok := pathElement.(url.Values); ok && i == len(pathElements)-1 {
-			query = uv.Encode()
-		} else {
-			elem = append(elem, url.PathEscape(fmt.Sprint(pathElement)))
-		}
-	}
-	url := c.baseURL() + path.Join(elem...)
-	if query != "" {
-		url += "?" + query
-	}
-	return url
-}
-
-// BuildTailnetURL builds a url to http(s)://<apiserver>/api/v2/tailnet/<tailnet>/<slash-separated-pathElements>
-// using the given pathElements. It url escapes each path element, so the
-// caller doesn't need to worry about that. The last item of pathElements can
-// be of type url.Values to add a query string to the URL.
-//
-// For example, BuildTailnetURL(policy, validate) with the default server URL and a tailnet of "example.com"
-// would result in https://api.tailscale.com/api/v2/tailnet/example.com/policy/validate.
-func (c *Client) BuildTailnetURL(pathElements ...any) string {
-	allElements := make([]any, 2, len(pathElements)+2)
-	allElements[0] = "tailnet"
-	allElements[1] = c.tailnet
-	allElements = append(allElements, pathElements...)
-	return c.BuildURL(allElements...)
-}
-
 func (c *Client) baseURL() string {
 	if c.BaseURL != "" {
 		return c.BaseURL
@@ -140,13 +95,10 @@ func (c *Client) setAuth(r *http.Request) {
 // If httpClient is nil, then http.DefaultClient is used.
 // "api.tailscale.com" is set as the BaseURL for the returned client
 // and can be changed manually by the user.
-//
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
 func NewClient(tailnet string, auth AuthMethod) *Client {
 	return &Client{
-		tailnet:   tailnet,
-		auth:      auth,
-		UserAgent: "tailscale-client-oss",
+		tailnet: tailnet,
+		auth:    auth,
 	}
 }
 
@@ -158,16 +110,17 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
 	}
 	c.setAuth(req)
-	if c.UserAgent != "" {
-		req.Header.Set("User-Agent", c.UserAgent)
-	}
 	return c.httpClient().Do(req)
 }
 
 // sendRequest add the authentication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	resp, err := c.Do(req)
+	if !I_Acknowledge_This_API_Is_Unstable {
+		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+	}
+	c.setAuth(req)
+	resp, err := c.httpClient().Do(req)
 	if err != nil {
 		return nil, resp, err
 	}
@@ -192,14 +145,12 @@ func (e ErrResponse) Error() string {
 	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
 }
 
-// HandleErrorResponse decodes the error message from the server and returns
+// handleErrorResponse decodes the error message from the server and returns
 // an ErrResponse from it.
-//
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
-func HandleErrorResponse(b []byte, resp *http.Response) error {
+func handleErrorResponse(b []byte, resp *http.Response) error {
 	var errResp ErrResponse
 	if err := json.Unmarshal(b, &errResp); err != nil {
-		return fmt.Errorf("json.Unmarshal %q: %w", b, err)
+		return err
 	}
 	errResp.Status = resp.StatusCode
 	return errResp

client/tailscale/tailscale_test.go

@@ -1,86 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"net/url"
-	"testing"
-)
-
-func TestClientBuildURL(t *testing.T) {
-	c := Client{BaseURL: "http://127.0.0.1:1234"}
-	for _, tt := range []struct {
-		desc     string
-		elements []any
-		want     string
-	}{
-		{
-			desc:     "single-element",
-			elements: []any{"devices"},
-			want:     "http://127.0.0.1:1234/api/v2/devices",
-		},
-		{
-			desc:     "multiple-elements",
-			elements: []any{"tailnet", "example.com"},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com",
-		},
-		{
-			desc:     "escape-element",
-			elements: []any{"tailnet", "example dot com?foo=bar"},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example%20dot%20com%3Ffoo=bar`,
-		},
-		{
-			desc:     "url.Values",
-			elements: []any{"tailnet", "example.com", "acl", url.Values{"details": {"1"}}},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
-		},
-	} {
-		t.Run(tt.desc, func(t *testing.T) {
-			got := c.BuildURL(tt.elements...)
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestClientBuildTailnetURL(t *testing.T) {
-	c := Client{
-		BaseURL: "http://127.0.0.1:1234",
-		tailnet: "example.com",
-	}
-	for _, tt := range []struct {
-		desc     string
-		elements []any
-		want     string
-	}{
-		{
-			desc:     "single-element",
-			elements: []any{"devices"},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices",
-		},
-		{
-			desc:     "multiple-elements",
-			elements: []any{"devices", 123},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices/123",
-		},
-		{
-			desc:     "escape-element",
-			elements: []any{"foo bar?baz=qux"},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/foo%20bar%3Fbaz=qux`,
-		},
-		{
-			desc:     "url.Values",
-			elements: []any{"acl", url.Values{"details": {"1"}}},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
-		},
-	} {
-		t.Run(tt.desc, func(t *testing.T) {
-			got := c.BuildTailnetURL(tt.elements...)
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}

client/web/auth.go

@@ -223,7 +223,7 @@ func (s *Server) awaitUserAuth(ctx context.Context, session *browserSession) err
 
 func (s *Server) newSessionID() (string, error) {
 	raw := make([]byte, 16)
-	for range 5 {
+	for i := 0; i < 5; i++ {
 		if _, err := rand.Read(raw); err != nil {
 			return "", err
 		}

client/web/package.json

@@ -3,7 +3,7 @@
   "version": "0.0.1",
   "license": "BSD-3-Clause",
   "engines": {
-    "node": "18.20.4",
+    "node": "18.16.1",
     "yarn": "1.22.19"
   },
   "type": "module",
@@ -34,7 +34,7 @@
     "prettier-plugin-organize-imports": "^3.2.2",
     "tailwindcss": "^3.3.3",
     "typescript": "^5.3.3",
-    "vite": "^5.1.7",
+    "vite": "^5.1.4",
     "vite-plugin-svgr": "^4.2.0",
     "vite-tsconfig-paths": "^3.5.0",
     "vitest": "^1.3.1"

client/web/src/components/views/login-view.tsx

@@ -1,11 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-import React from "react"
+import React, { useState } from "react"
 import { useAPI } from "src/api"
 import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
+import Collapsible from "src/ui/collapsible"
+import Input from "src/ui/input"
 
 /**
  * LoginView is rendered when the client is not authenticated
@@ -13,6 +15,8 @@ import Button from "src/ui/button"
  */
 export default function LoginView({ data }: { data: NodeData }) {
   const api = useAPI()
+  const [controlURL, setControlURL] = useState<string>("")
+  const [authKey, setAuthKey] = useState<string>("")
 
   return (
     <div className="mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
@@ -84,6 +88,8 @@ export default function LoginView({ data }: { data: NodeData }) {
                 action: "up",
                 data: {
                   Reauthenticate: true,
+                  ControlURL: controlURL,
+                  AuthKey: authKey,
                 },
               })
             }
@@ -92,6 +98,34 @@ export default function LoginView({ data }: { data: NodeData }) {
           >
             Log In
           </Button>
+          <Collapsible trigger="Advanced options">
+            <h4 className="font-medium mb-1 mt-2">Auth Key</h4>
+            <p className="text-sm text-gray-500">
+              Connect with a pre-authenticated key.{" "}
+              <a
+                href="https://tailscale.com/kb/1085/auth-keys/"
+                className="link"
+                target="_blank"
+                rel="noreferrer"
+              >
+                Learn more &rarr;
+              </a>
+            </p>
+            <Input
+              className="mt-2"
+              value={authKey}
+              onChange={(e) => setAuthKey(e.target.value)}
+              placeholder="tskey-auth-XXX"
+            />
+            <h4 className="font-medium mt-3 mb-1">Server URL</h4>
+            <p className="text-sm text-gray-500">Base URL of control server.</p>
+            <Input
+              className="mt-2"
+              value={controlURL}
+              onChange={(e) => setControlURL(e.target.value)}
+              placeholder="https://login.tailscale.com/"
+            />
+          </Collapsible>
         </>
       )}
     </div>

client/web/web.go

@@ -17,16 +17,16 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/gorilla/csrf"
-	"tailscale.com/client/local"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
 	"tailscale.com/envknob"
-	"tailscale.com/envknob/featureknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -35,7 +35,6 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/views"
 	"tailscale.com/util/httpm"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -50,7 +49,7 @@ type Server struct {
 	mode ServerMode
 
 	logf    logger.Logf
-	lc      *local.Client
+	lc      *tailscale.LocalClient
 	timeNow func() time.Time
 
 	// devMode indicates that the server run with frontend assets
@@ -89,8 +88,8 @@ type Server struct {
 type ServerMode string
 
 const (
-	// LoginServerMode serves a read-only login client for logging a
-	// node into a tailnet, and viewing a read-only interface of the
+	// LoginServerMode serves a readonly login client for logging a
+	// node into a tailnet, and viewing a readonly interface of the
 	// node's current Tailscale settings.
 	//
 	// In this mode, API calls are authenticated via platform auth.
@@ -110,10 +109,15 @@ const (
 	// This mode restricts the app to only being assessible over Tailscale,
 	// and API calls are authenticated via browser sessions associated with
 	// the source's Tailscale identity. If the source browser does not have
-	// a valid session, a read-only version of the app is displayed.
+	// a valid session, a readonly version of the app is displayed.
 	ManageServerMode ServerMode = "manage"
 )
 
+var (
+	exitNodeRouteV4 = netip.MustParsePrefix("0.0.0.0/0")
+	exitNodeRouteV6 = netip.MustParsePrefix("::/0")
+)
+
 // ServerOpts contains options for constructing a new Server.
 type ServerOpts struct {
 	// Mode specifies the mode of web client being constructed.
@@ -125,9 +129,9 @@ type ServerOpts struct {
 	// PathPrefix is the URL prefix added to requests by CGI or reverse proxy.
 	PathPrefix string
 
-	// LocalClient is the local.Client to use for this web server.
+	// LocalClient is the tailscale.LocalClient to use for this web server.
 	// If nil, a new one will be created.
-	LocalClient *local.Client
+	LocalClient *tailscale.LocalClient
 
 	// TimeNow optionally provides a time function.
 	// time.Now is used as default.
@@ -166,7 +170,7 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 		return nil, fmt.Errorf("invalid Mode provided")
 	}
 	if opts.LocalClient == nil {
-		opts.LocalClient = &local.Client{}
+		opts.LocalClient = &tailscale.LocalClient{}
 	}
 	s = &Server{
 		mode:        opts.Mode,
@@ -203,9 +207,25 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	}
 	s.assetsHandler, s.assetsCleanup = assetsHandler(s.devMode)
 
-	var metric string
-	s.apiHandler, metric = s.modeAPIHandler(s.mode)
-	s.apiHandler = s.withCSRF(s.apiHandler)
+	var metric string // clientmetric to report on startup
+
+	// Create handler for "/api" requests with CSRF protection.
+	// We don't require secure cookies, since the web client is regularly used
+	// on network appliances that are served on local non-https URLs.
+	// The client is secured by limiting the interface it listens on,
+	// or by authenticating requests before they reach the web client.
+	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
+	switch s.mode {
+	case LoginServerMode:
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
+		metric = "web_login_client_initialization"
+	case ReadOnlyServerMode:
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
+		metric = "web_readonly_client_initialization"
+	case ManageServerMode:
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
+		metric = "web_client_initialization"
+	}
 
 	// Don't block startup on reporting metric.
 	// Report in separate go routine with 5 second timeout.
@@ -218,39 +238,6 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	return s, nil
 }
 
-func (s *Server) withCSRF(h http.Handler) http.Handler {
-	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-
-	// ref https://github.com/tailscale/tailscale/pull/14822
-	// signal to the CSRF middleware that the request is being served over
-	// plaintext HTTP to skip TLS-only header checks.
-	withSetPlaintext := func(h http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			r = csrf.PlaintextHTTPRequest(r)
-			h.ServeHTTP(w, r)
-		})
-	}
-
-	// NB: the order of the withSetPlaintext and csrfProtect calls is important
-	// to ensure that we signal to the CSRF middleware that the request is being
-	// served over plaintext HTTP and not over TLS as it presumes by default.
-	return withSetPlaintext(csrfProtect(h))
-}
-
-func (s *Server) modeAPIHandler(mode ServerMode) (http.Handler, string) {
-	switch mode {
-	case LoginServerMode:
-		return http.HandlerFunc(s.serveLoginAPI), "web_login_client_initialization"
-	case ReadOnlyServerMode:
-		return http.HandlerFunc(s.serveLoginAPI), "web_readonly_client_initialization"
-	case ManageServerMode:
-		return http.HandlerFunc(s.serveAPI), "web_client_initialization"
-	default: // invalid mode
-		log.Fatalf("invalid mode: %v", mode)
-	}
-	return nil, ""
-}
-
 func (s *Server) Shutdown() {
 	s.logf("web.Server: shutting down")
 	if s.assetsCleanup != nil {
@@ -296,12 +283,6 @@ func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if r.URL.Path == "/metrics" {
-		r.URL.Path = "/api/local/v0/usermetrics"
-		s.proxyRequestToLocalAPI(w, r)
-		return
-	}
-
 	if strings.HasPrefix(r.URL.Path, "/api/") {
 		switch {
 		case r.URL.Path == "/api/auth" && r.Method == httpm.GET:
@@ -335,8 +316,7 @@ func (s *Server) requireTailscaleIP(w http.ResponseWriter, r *http.Request) (han
 		ipv6ServiceHost = "[" + tsaddr.TailscaleServiceIPv6String + "]"
 	)
 	// allow requests on quad-100 (or ipv6 equivalent)
-	host := strings.TrimSuffix(r.Host, ":80")
-	if host == ipv4ServiceHost || host == ipv6ServiceHost {
+	if r.Host == ipv4ServiceHost || r.Host == ipv6ServiceHost {
 		return false
 	}
 
@@ -713,16 +693,16 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case sErr != nil && errors.Is(sErr, errNotUsingTailscale):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
-		resp.Authorized = false // restricted to the read-only view
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && errors.Is(sErr, errNotOwner):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_not_owner", 1)
-		resp.Authorized = false // restricted to the read-only view
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && errors.Is(sErr, errTaggedLocalSource):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local_tag", 1)
-		resp.Authorized = false // restricted to the read-only view
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && errors.Is(sErr, errTaggedRemoteSource):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote_tag", 1)
-		resp.Authorized = false // restricted to the read-only view
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && !errors.Is(sErr, errNoSession):
 		// Any other error.
 		http.Error(w, sErr.Error(), http.StatusInternalServerError)
@@ -822,8 +802,8 @@ type nodeData struct {
 	DeviceName  string
 	TailnetName string // TLS cert name
 	DomainName  string
-	IPv4        netip.Addr
-	IPv6        netip.Addr
+	IPv4        string
+	IPv6        string
 	OS          string
 	IPNVersion  string
 
@@ -882,14 +862,10 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	filterRules, _ := s.lc.DebugPacketFilterRules(r.Context())
-	ipv4, ipv6 := s.selfNodeAddresses(r, st)
-
 	data := &nodeData{
 		ID:               st.Self.ID,
 		Status:           st.BackendState,
 		DeviceName:       strings.Split(st.Self.DNSName, ".")[0],
-		IPv4:             ipv4,
-		IPv6:             ipv6,
 		OS:               st.Self.OS,
 		IPNVersion:       strings.Split(st.Version, "-")[0],
 		Profile:          st.User[st.Self.UserID],
@@ -909,6 +885,10 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 		ACLAllowsAnyIncomingTraffic: s.aclsAllowAccess(filterRules),
 	}
 
+	ipv4, ipv6 := s.selfNodeAddresses(r, st)
+	data.IPv4 = ipv4.String()
+	data.IPv6 = ipv6.String()
+
 	if hostinfo.GetEnvType() == hostinfo.HomeAssistantAddOn && data.URLPrefix == "" {
 		// X-Ingress-Path is the path prefix in use for Home Assistant
 		// https://developers.home-assistant.io/docs/add-ons/presentation#ingress
@@ -941,10 +921,10 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 			return p == route
 		})
 	}
-	data.AdvertisingExitNodeApproved = routeApproved(tsaddr.AllIPv4()) || routeApproved(tsaddr.AllIPv6())
+	data.AdvertisingExitNodeApproved = routeApproved(exitNodeRouteV4) || routeApproved(exitNodeRouteV6)
 
 	for _, r := range prefs.AdvertiseRoutes {
-		if tsaddr.IsExitRoute(r) {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			data.AdvertisingExitNode = true
 		} else {
 			data.AdvertisedRoutes = append(data.AdvertisedRoutes, subnetRoute{
@@ -979,16 +959,37 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 }
 
 func availableFeatures() map[string]bool {
+	env := hostinfo.GetEnvType()
 	features := map[string]bool{
 		"advertise-exit-node": true, // available on all platforms
 		"advertise-routes":    true, // available on all platforms
-		"use-exit-node":       featureknob.CanUseExitNode() == nil,
-		"ssh":                 featureknob.CanRunTailscaleSSH() == nil,
+		"use-exit-node":       canUseExitNode(env) == nil,
+		"ssh":                 envknob.CanRunTailscaleSSH() == nil,
 		"auto-update":         version.IsUnstableBuild() && clientupdate.CanAutoUpdate(),
 	}
+	if env == hostinfo.HomeAssistantAddOn {
+		// Setting SSH on Home Assistant causes trouble on startup
+		// (since the flag is not being passed to `tailscale up`).
+		// Although Tailscale SSH does work here,
+		// it's not terribly useful since it's running in a separate container.
+		features["ssh"] = false
+	}
 	return features
 }
 
+func canUseExitNode(env hostinfo.EnvType) error {
+	switch dist := distro.Get(); dist {
+	case distro.Synology, // see https://github.com/tailscale/tailscale/issues/1995
+		distro.QNAP,
+		distro.Unraid:
+		return fmt.Errorf("Tailscale exit nodes cannot be used on %s.", dist)
+	}
+	if env == hostinfo.HomeAssistantAddOn {
+		return errors.New("Tailscale exit nodes cannot be used on Home Assistant.")
+	}
+	return nil
+}
+
 // aclsAllowAccess returns whether tailnet ACLs (as expressed in the provided filter rules)
 // permit any devices to access the local web client.
 // This does not currently check whether a specific device can connect, just any device.
@@ -1064,7 +1065,7 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 	var currNonExitRoutes []string
 	var currAdvertisingExitNode bool
 	for _, r := range prefs.AdvertiseRoutes {
-		if tsaddr.IsExitRoute(r) {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			currAdvertisingExitNode = true
 			continue
 		}
@@ -1085,7 +1086,12 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 		return err
 	}
 
-	if !data.UseExitNode.IsZero() && tsaddr.ContainsExitRoutes(views.SliceOf(routes)) {
+	hasExitNodeRoute := func(all []netip.Prefix) bool {
+		return slices.Contains(all, exitNodeRouteV4) ||
+			slices.Contains(all, exitNodeRouteV6)
+	}
+
+	if !data.UseExitNode.IsZero() && hasExitNodeRoute(routes) {
 		return errors.New("cannot use and advertise exit node at same time")
 	}
 
@@ -1144,15 +1150,7 @@ func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, opt tails
 		if !isRunning {
 			ipnOptions := ipn.Options{AuthKey: opt.AuthKey}
 			if opt.ControlURL != "" {
-				_, err := s.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-					Prefs: ipn.Prefs{
-						ControlURL: opt.ControlURL,
-					},
-					ControlURLSet: true,
-				})
-				if err != nil {
-					s.logf("edit prefs: %v", err)
-				}
+				ipnOptions.UpdatePrefs = &ipn.Prefs{ControlURL: opt.ControlURL}
 			}
 			if err := s.lc.Start(ctx, ipnOptions); err != nil {
 				s.logf("start: %v", err)

client/web/web_test.go

@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/http/cookiejar"
 	"net/http/httptest"
 	"net/netip"
 	"net/url"
@@ -21,8 +20,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/gorilla/csrf"
-	"tailscale.com/client/local"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -122,7 +120,7 @@ func TestServeAPI(t *testing.T) {
 
 	s := &Server{
 		mode:    ManageServerMode,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow: time.Now,
 	}
 
@@ -290,7 +288,7 @@ func TestGetTailscaleBrowserSession(t *testing.T) {
 
 	s := &Server{
 		timeNow: time.Now,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 	}
 
 	// Add some browser sessions to cache state.
@@ -459,7 +457,7 @@ func TestAuthorizeRequest(t *testing.T) {
 
 	s := &Server{
 		mode:    ManageServerMode,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow: time.Now,
 	}
 	validCookie := "ts-cookie"
@@ -574,7 +572,7 @@ func TestServeAuth(t *testing.T) {
 
 	s := &Server{
 		mode:        ManageServerMode,
-		lc:          &local.Client{Dial: lal.Dial},
+		lc:          &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow:     func() time.Time { return timeNow },
 		newAuthURL:  mockNewAuthURL,
 		waitAuthURL: mockWaitAuthURL,
@@ -916,7 +914,7 @@ func TestServeAPIAuthMetricLogging(t *testing.T) {
 
 	s := &Server{
 		mode:        ManageServerMode,
-		lc:          &local.Client{Dial: lal.Dial},
+		lc:          &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow:     func() time.Time { return timeNow },
 		newAuthURL:  mockNewAuthURL,
 		waitAuthURL: mockWaitAuthURL,
@@ -1128,7 +1126,7 @@ func TestRequireTailscaleIP(t *testing.T) {
 
 	s := &Server{
 		mode:    ManageServerMode,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow: time.Now,
 		logf:    t.Logf,
 	}
@@ -1177,16 +1175,6 @@ func TestRequireTailscaleIP(t *testing.T) {
 			target:      "http://[fd7a:115c:a1e0::53]/",
 			wantHandled: false,
 		},
-		{
-			name:        "quad-100:80",
-			target:      "http://100.100.100.100:80/",
-			wantHandled: false,
-		},
-		{
-			name:        "ipv6-service-addr:80",
-			target:      "http://[fd7a:115c:a1e0::53]:80/",
-			wantHandled: false,
-		},
 	}
 
 	for _, tt := range tests {
@@ -1489,83 +1477,3 @@ func mockWaitAuthURL(_ context.Context, id string, src tailcfg.NodeID) (*tailcfg
 		return nil, errors.New("unknown id")
 	}
 }
-
-func TestCSRFProtect(t *testing.T) {
-	s := &Server{}
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("GET /test/csrf-token", func(w http.ResponseWriter, r *http.Request) {
-		token := csrf.Token(r)
-		_, err := io.WriteString(w, token)
-		if err != nil {
-			t.Fatal(err)
-		}
-	})
-	mux.HandleFunc("POST /test/csrf-protected", func(w http.ResponseWriter, r *http.Request) {
-		_, err := io.WriteString(w, "ok")
-		if err != nil {
-			t.Fatal(err)
-		}
-	})
-	h := s.withCSRF(mux)
-	ser := httptest.NewServer(h)
-	defer ser.Close()
-
-	jar, err := cookiejar.New(nil)
-	if err != nil {
-		t.Fatalf("unable to construct cookie jar: %v", err)
-	}
-
-	client := ser.Client()
-	client.Jar = jar
-
-	// make GET request to populate cookie jar
-	resp, err := client.Get(ser.URL + "/test/csrf-token")
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-	tokenBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("unable to read body: %v", err)
-	}
-
-	csrfToken := strings.TrimSpace(string(tokenBytes))
-	if csrfToken == "" {
-		t.Fatal("empty csrf token")
-	}
-
-	// make a POST request without the CSRF header; ensure it fails
-	resp, err = client.Post(ser.URL+"/test/csrf-protected", "text/plain", nil)
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	if resp.StatusCode != http.StatusForbidden {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-
-	// make a POST request with the CSRF header; ensure it succeeds
-	req, err := http.NewRequest("POST", ser.URL+"/test/csrf-protected", nil)
-	if err != nil {
-		t.Fatalf("error building request: %v", err)
-	}
-	req.Header.Set("X-CSRF-Token", csrfToken)
-	resp, err = client.Do(req)
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("unable to read body: %v", err)
-	}
-	if string(out) != "ok" {
-		t.Fatalf("unexpected body: %q", out)
-	}
-}

client/web/yarn.lock

@@ -20,7 +20,7 @@
     "@jridgewell/gen-mapping" "^0.3.0"
     "@jridgewell/trace-mapping" "^0.3.9"
 
-"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.22.13", "@babel/code-frame@^7.23.4":
+"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.22.10", "@babel/code-frame@^7.22.13", "@babel/code-frame@^7.22.5", "@babel/code-frame@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.23.4.tgz#03ae5af150be94392cb5c7ccd97db5a19a5da6aa"
   integrity sha512-r1IONyb6Ia+jYR2vvIDhdWdlTGhqbBoFqLTQidzZ4kepUFH15ejXvFHxCVbtl7BOXIudsIubf4E81xeA3h3IXA==
@@ -63,7 +63,7 @@
     eslint-visitor-keys "^2.1.0"
     semver "^6.3.1"
 
-"@babel/generator@^7.23.3", "@babel/generator@^7.23.4":
+"@babel/generator@^7.22.10", "@babel/generator@^7.23.0", "@babel/generator@^7.23.3", "@babel/generator@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.4.tgz#4a41377d8566ec18f807f42962a7f3551de83d1c"
   integrity sha512-esuS49Cga3HcThFNebGhlgsrVLkvhqvYDTzgjfFFlHJcIfLe5jFmRRfCQ1KuBfc4Jrtn3ndLgKWAKjBE+IraYQ==
@@ -87,7 +87,7 @@
   dependencies:
     "@babel/types" "^7.22.15"
 
-"@babel/helper-compilation-targets@^7.22.15", "@babel/helper-compilation-targets@^7.22.6":
+"@babel/helper-compilation-targets@^7.22.10", "@babel/helper-compilation-targets@^7.22.15", "@babel/helper-compilation-targets@^7.22.6":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/helper-compilation-targets/-/helper-compilation-targets-7.22.15.tgz#0698fc44551a26cf29f18d4662d5bf545a6cfc52"
   integrity sha512-y6EEzULok0Qvz8yyLkCvVX+02ic+By2UdOhylwUOvOn9dvYc9mKICJuuU1n1XBI02YWsNsnrY1kc6DVbjcXbtw==
@@ -160,14 +160,14 @@
   dependencies:
     "@babel/types" "^7.23.0"
 
-"@babel/helper-module-imports@^7.22.15":
+"@babel/helper-module-imports@^7.22.15", "@babel/helper-module-imports@^7.22.5":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/helper-module-imports/-/helper-module-imports-7.22.15.tgz#16146307acdc40cc00c3b2c647713076464bdbf0"
   integrity sha512-0pYVBnDKZO2fnSPCrgM/6WMc7eS20Fbok+0r88fp+YtWVLZrp4CkafFGIp+W0VKw4a22sgebPT99y+FDNMdP4w==
   dependencies:
     "@babel/types" "^7.22.15"
 
-"@babel/helper-module-transforms@^7.23.3":
+"@babel/helper-module-transforms@^7.22.9", "@babel/helper-module-transforms@^7.23.3":
   version "7.23.3"
   resolved "https://registry.yarnpkg.com/@babel/helper-module-transforms/-/helper-module-transforms-7.23.3.tgz#d7d12c3c5d30af5b3c0fcab2a6d5217773e2d0f1"
   integrity sha512-7bBs4ED9OmswdfDzpz4MpWgSrV7FXlc3zIagvLFjS5H+Mk7Snr21vQ6QwrsoCGMfNC4e4LQPdoULEt4ykz0SRQ==
@@ -229,17 +229,17 @@
   dependencies:
     "@babel/types" "^7.22.5"
 
-"@babel/helper-string-parser@^7.23.4":
+"@babel/helper-string-parser@^7.22.5", "@babel/helper-string-parser@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/helper-string-parser/-/helper-string-parser-7.23.4.tgz#9478c707febcbbe1ddb38a3d91a2e054ae622d83"
   integrity sha512-803gmbQdqwdf4olxrX4AJyFBV/RTr3rSmOj0rKwesmzlfhYNDEs+/iOcznzpNWlJlIlTJC2QfPFcHB6DlzdVLQ==
 
-"@babel/helper-validator-identifier@^7.22.20":
+"@babel/helper-validator-identifier@^7.22.20", "@babel/helper-validator-identifier@^7.22.5":
   version "7.22.20"
   resolved "https://registry.yarnpkg.com/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz#c4ae002c61d2879e724581d96665583dbc1dc0e0"
   integrity sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==
 
-"@babel/helper-validator-option@^7.22.15":
+"@babel/helper-validator-option@^7.22.15", "@babel/helper-validator-option@^7.22.5":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/helper-validator-option/-/helper-validator-option-7.22.15.tgz#694c30dfa1d09a6534cdfcafbe56789d36aba040"
   integrity sha512-bMn7RmyFjY/mdECUbgn9eoSY4vqvacUnS9i9vGAGttgFWesO6B4CYWA7XlpbWgBt71iv/hfbPlynohStqnu5hA==
@@ -253,7 +253,7 @@
     "@babel/template" "^7.22.15"
     "@babel/types" "^7.22.19"
 
-"@babel/helpers@^7.23.2":
+"@babel/helpers@^7.22.10", "@babel/helpers@^7.23.2":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.23.4.tgz#7d2cfb969aa43222032193accd7329851facf3c1"
   integrity sha512-HfcMizYz10cr3h29VqyfGL6ZWIjTwWfvYBMsBVGwpcbhNGe3wQ1ZXZRPzZoAHhd9OqHadHqjQ89iVKINXnbzuw==
@@ -262,7 +262,7 @@
     "@babel/traverse" "^7.23.4"
     "@babel/types" "^7.23.4"
 
-"@babel/highlight@^7.23.4":
+"@babel/highlight@^7.22.10", "@babel/highlight@^7.22.13", "@babel/highlight@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/highlight/-/highlight-7.23.4.tgz#edaadf4d8232e1a961432db785091207ead0621b"
   integrity sha512-acGdbYSfp2WheJoJm/EBBBLh/ID8KDc64ISZ9DYtBmC8/Q204PZJLHyzeB5qMzJ5trcOkybd78M4x2KWsUq++A==
@@ -271,7 +271,7 @@
     chalk "^2.4.2"
     js-tokens "^4.0.0"
 
-"@babel/parser@^7.22.15", "@babel/parser@^7.23.3", "@babel/parser@^7.23.4":
+"@babel/parser@^7.22.10", "@babel/parser@^7.22.15", "@babel/parser@^7.22.5", "@babel/parser@^7.23.0", "@babel/parser@^7.23.3", "@babel/parser@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.23.4.tgz#409fbe690c333bb70187e2de4021e1e47a026661"
   integrity sha512-vf3Xna6UEprW+7t6EtOmFpHNAuxw3xqPZghy+brsnusscJRW5BMUzzHZc5ICjULee81WeUV2jjakG09MDglJXQ==
@@ -1093,7 +1093,7 @@
   dependencies:
     regenerator-runtime "^0.14.0"
 
-"@babel/template@^7.22.15":
+"@babel/template@^7.22.15", "@babel/template@^7.22.5":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/template/-/template-7.22.15.tgz#09576efc3830f0430f4548ef971dde1350ef2f38"
   integrity sha512-QPErUVm4uyJa60rkI73qneDacvdvzxshT3kksGqlGWYdOTIUOwJ7RDUL8sGqslY1uXWSL6xMFKEXDS3ox2uF0w==
@@ -1102,7 +1102,7 @@
     "@babel/parser" "^7.22.15"
     "@babel/types" "^7.22.15"
 
-"@babel/traverse@^7.23.3", "@babel/traverse@^7.23.4":
+"@babel/traverse@^7.22.10", "@babel/traverse@^7.23.3", "@babel/traverse@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.4.tgz#c2790f7edf106d059a0098770fe70801417f3f85"
   integrity sha512-IYM8wSUwunWTB6tFC2dkKZhxbIjHoWemdK+3f8/wq8aKhbUscxD5MX72ubd90fxvFknaLPeGw5ycU84V1obHJg==
@@ -1118,7 +1118,7 @@
     debug "^4.1.0"
     globals "^11.1.0"
 
-"@babel/types@^7.21.3", "@babel/types@^7.22.15", "@babel/types@^7.22.19", "@babel/types@^7.22.5", "@babel/types@^7.23.0", "@babel/types@^7.23.3", "@babel/types@^7.23.4", "@babel/types@^7.4.4":
+"@babel/types@^7.21.3", "@babel/types@^7.22.10", "@babel/types@^7.22.15", "@babel/types@^7.22.19", "@babel/types@^7.22.5", "@babel/types@^7.23.0", "@babel/types@^7.23.3", "@babel/types@^7.23.4", "@babel/types@^7.4.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.23.4.tgz#7206a1810fc512a7f7f7d4dace4cb4c1c9dbfb8e"
   integrity sha512-7uIFwVYpoplT5jp/kVv6EF93VaJ8H+Yn5IczYiaAi98ajzjfoZfslet/e0sLh+wVBjb2qqIut1b0S26VSafsSQ==
@@ -2474,7 +2474,7 @@ camelcase@^6.2.0:
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-6.3.0.tgz#5685b95eb209ac9c0c177467778c9c84df58ba9a"
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
-caniuse-lite@^1.0.30001520, caniuse-lite@^1.0.30001541:
+caniuse-lite@^1.0.30001517, caniuse-lite@^1.0.30001520, caniuse-lite@^1.0.30001541:
   version "1.0.30001565"
   resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001565.tgz#a528b253c8a2d95d2b415e11d8b9942acc100c4f"
   integrity sha512-xrE//a3O7TP0vaJ8ikzkD2c2NgcVUvsEe2IvFTntV4Yd1Z9FVzh+gW+enX96L0psrbaFMcVcH2l90xNuGDWc8w==
@@ -2587,6 +2587,11 @@ confusing-browser-globals@^1.0.11:
   resolved "https://registry.yarnpkg.com/confusing-browser-globals/-/confusing-browser-globals-1.0.11.tgz#ae40e9b57cdd3915408a2805ebd3a5585608dc81"
   integrity sha512-JsPKdmh8ZkmnHxDk55FZ1TqVLvEQTvoByJZRN9jzI0UjxK/QgAmsphz7PGtqgPieQZ/CQcHWXCR7ATDNhGe+YA==
 
+convert-source-map@^1.7.0:
+  version "1.9.0"
+  resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-1.9.0.tgz#7faae62353fb4213366d0ca98358d22e8368b05f"
+  integrity sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==
+
 convert-source-map@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-2.0.0.tgz#4b560f649fc4e918dd0ab75cf4961e8bc882d82a"
@@ -2767,7 +2772,7 @@ dot-case@^3.0.4:
     no-case "^3.0.4"
     tslib "^2.0.3"
 
-electron-to-chromium@^1.4.535:
+electron-to-chromium@^1.4.477, electron-to-chromium@^1.4.535:
   version "1.4.596"
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.596.tgz#6752d1aa795d942d49dfc5d3764d6ea283fab1d7"
   integrity sha512-zW3zbZ40Icb2BCWjm47nxwcFGYlIgdXkAx85XDO7cyky9J4QQfq8t0W19/TLZqq3JPQXtlv8BPIGmfa9Jb4scg==
@@ -3318,7 +3323,7 @@ gensync@^1.0.0-beta.2:
   resolved "https://registry.yarnpkg.com/gensync/-/gensync-1.0.0-beta.2.tgz#32a6ee76c3d7f52d46b2b1ae5d93fea8580a25e0"
   integrity sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==
 
-get-func-name@^2.0.1, get-func-name@^2.0.2:
+get-func-name@^2.0.0, get-func-name@^2.0.1, get-func-name@^2.0.2:
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/get-func-name/-/get-func-name-2.0.2.tgz#0d7cf20cd13fda808669ffa88f4ffc7a3943fc41"
   integrity sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==
@@ -3481,6 +3486,13 @@ has-tostringtag@^1.0.0:
   dependencies:
     has-symbols "^1.0.2"
 
+has@^1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796"
+  integrity sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==
+  dependencies:
+    function-bind "^1.1.1"
+
 hasown@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/hasown/-/hasown-2.0.0.tgz#f4c513d454a57b7c7e1650778de226b11700546c"
@@ -4075,7 +4087,7 @@ mz@^2.7.0:
     object-assign "^4.0.1"
     thenify-all "^1.0.0"
 
-nanoid@^3.3.7:
+nanoid@^3.3.6, nanoid@^3.3.7:
   version "3.3.7"
   resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.7.tgz#d0c301a691bc8d54efa0a2226ccf3fe2fd656bd8"
   integrity sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==
@@ -5109,7 +5121,7 @@ typescript@^5.3.3:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.3.3.tgz#b3ce6ba258e72e6305ba66f5c9b452aaee3ffe37"
   integrity sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==
 
-ufo@^1.3.2:
+ufo@^1.1.2, ufo@^1.3.2:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/ufo/-/ufo-1.4.0.tgz#39845b31be81b4f319ab1d99fd20c56cac528d32"
   integrity sha512-Hhy+BhRBleFjpJ2vchUNN40qgkh0366FWJGqVLYBHev0vpHTrXSA0ryT+74UiW6KWsldNurQMKGqCm1M2zBciQ==
@@ -5157,7 +5169,7 @@ universalify@^0.2.0:
   resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.2.0.tgz#6451760566fa857534745ab1dde952d1b1761be0"
   integrity sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==
 
-update-browserslist-db@^1.0.13:
+update-browserslist-db@^1.0.11, update-browserslist-db@^1.0.13:
   version "1.0.13"
   resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.0.13.tgz#3c5e4f5c083661bd38ef64b6328c26ed6c8248c4"
   integrity sha512-xebP81SNcPuNpPP3uzeW1NYXxI3rxyJzF3pD6sH4jE7o/IX+WtSpwnVU+qIsDPyk0d3hmFQ7mjqc6AtV604hbg==
@@ -5235,10 +5247,10 @@ vite-tsconfig-paths@^3.5.0:
     recrawl-sync "^2.0.3"
     tsconfig-paths "^4.0.0"
 
-vite@^5.0.0, vite@^5.1.7:
-  version "5.1.7"
-  resolved "https://registry.yarnpkg.com/vite/-/vite-5.1.7.tgz#9f685a2c4c70707fef6d37341b0e809c366da619"
-  integrity sha512-sgnEEFTZYMui/sTlH1/XEnVNHMujOahPLGMxn1+5sIT45Xjng1Ec1K78jRP15dSmVgg5WBin9yO81j3o9OxofA==
+vite@^5.0.0, vite@^5.1.4:
+  version "5.1.4"
+  resolved "https://registry.yarnpkg.com/vite/-/vite-5.1.4.tgz#14e9d3e7a6e488f36284ef13cebe149f060bcfb6"
+  integrity sha512-n+MPqzq+d9nMVTKyewqw6kSt+R3CkvF9QAKY8obiQn8g1fwTscKxyfaYnC632HtBXAQGc1Yjomphwn1dtwGAHg==
   dependencies:
     esbuild "^0.19.3"
     postcss "^8.4.35"
@@ -5382,9 +5394,9 @@ wrappy@1:
   integrity sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==
 
 ws@^8.14.2:
-  version "8.17.1"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
-  integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
+  version "8.14.2"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-8.14.2.tgz#6c249a806eb2db7a20d26d51e7709eab7b2e6c7f"
+  integrity sha512-wEBG1ftX4jcglPxgFCMJmZ2PLtSbJ2Peg6TmpJFTbe9GZYOQCDPdMYu/Tm0/bGZkw8paZnJY45J4K2PZrLYq8g==
 
 xml-name-validator@^5.0.0:
   version "5.0.0"

clientupdate/clientupdate.go

@@ -27,27 +27,21 @@ import (
 	"strconv"
 	"strings"
 
-	"tailscale.com/hostinfo"
-	"tailscale.com/types/lazy"
+	"github.com/google/uuid"
+	"tailscale.com/clientupdate/distsign"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cmpver"
+	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
 
 const (
+	CurrentTrack  = ""
 	StableTrack   = "stable"
 	UnstableTrack = "unstable"
 )
 
-var CurrentTrack = func() string {
-	if version.IsUnstableBuild() {
-		return UnstableTrack
-	} else {
-		return StableTrack
-	}
-}()
-
 func versionToTrack(v string) (string, error) {
 	_, rest, ok := strings.Cut(v, ".")
 	if !ok {
@@ -112,7 +106,7 @@ func (args Arguments) validate() error {
 		return fmt.Errorf("only one of Version(%q) or Track(%q) can be set", args.Version, args.Track)
 	}
 	switch args.Track {
-	case StableTrack, UnstableTrack, "":
+	case StableTrack, UnstableTrack, CurrentTrack:
 		// All valid values.
 	default:
 		return fmt.Errorf("unsupported track %q", args.Track)
@@ -125,17 +119,11 @@ type Updater struct {
 	// Update is a platform-specific method that updates the installation. May be
 	// nil (not all platforms support updates from within Tailscale).
 	Update func() error
-
-	// currentVersion is the short form of the current client version as
-	// returned by version.Short(), typically "x.y.z". Used for tests to
-	// override the actual current version.
-	currentVersion string
 }
 
 func NewUpdater(args Arguments) (*Updater, error) {
 	up := Updater{
-		Arguments:      args,
-		currentVersion: version.Short(),
+		Arguments: args,
 	}
 	if up.Stdout == nil {
 		up.Stdout = os.Stdout
@@ -151,15 +139,18 @@ func NewUpdater(args Arguments) (*Updater, error) {
 	if args.ForAutoUpdate && !canAutoUpdate {
 		return nil, errors.ErrUnsupported
 	}
-	if up.Track == "" {
-		if up.Version != "" {
+	if up.Track == CurrentTrack {
+		switch {
+		case up.Version != "":
 			var err error
 			up.Track, err = versionToTrack(args.Version)
 			if err != nil {
 				return nil, err
 			}
-		} else {
-			up.Track = CurrentTrack
+		case version.IsUnstableBuild():
+			up.Track = UnstableTrack
+		default:
+			up.Track = StableTrack
 		}
 	}
 	if up.Arguments.PkgsAddr == "" {
@@ -171,12 +162,6 @@ func NewUpdater(args Arguments) (*Updater, error) {
 type updateFunction func() error
 
 func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
-	hi := hostinfo.New()
-	// We don't know how to update custom tsnet binaries, it's up to the user.
-	if hi.Package == "tsnet" {
-		return nil, false
-	}
-
 	switch runtime.GOOS {
 	case "windows":
 		return up.updateWindows, true
@@ -250,18 +235,9 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 	return nil, false
 }
 
-var canAutoUpdateCache lazy.SyncValue[bool]
-
 // CanAutoUpdate reports whether auto-updating via the clientupdate package
 // is supported for the current os/distro.
-func CanAutoUpdate() bool { return canAutoUpdateCache.Get(canAutoUpdateUncached) }
-
-func canAutoUpdateUncached() bool {
-	if version.IsMacSysExt() {
-		// Macsys uses Sparkle for auto-updates, which doesn't have an update
-		// function in this package.
-		return true
-	}
+func CanAutoUpdate() bool {
 	_, canAutoUpdate := (&Updater{}).getUpdateFunction()
 	return canAutoUpdate
 }
@@ -283,16 +259,13 @@ func Update(args Arguments) error {
 }
 
 func (up *Updater) confirm(ver string) bool {
-	// Only check version when we're not switching tracks.
-	if up.Track == "" || up.Track == CurrentTrack {
-		switch c := cmpver.Compare(up.currentVersion, ver); {
-		case c == 0:
-			up.Logf("already running %v version %v; no update needed", up.Track, ver)
-			return false
-		case c > 0:
-			up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, up.currentVersion, ver)
-			return false
-		}
+	switch cmpver.Compare(version.Short(), ver) {
+	case 0:
+		up.Logf("already running %v version %v; no update needed", up.Track, ver)
+		return false
+	case 1:
+		up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, version.Short(), ver)
+		return false
 	}
 	if up.Confirm != nil {
 		return up.Confirm(ver)
@@ -463,7 +436,7 @@ func (up *Updater) updateDebLike() error {
 		return fmt.Errorf("apt-get update failed: %w; output:\n%s", err, out)
 	}
 
-	for range 2 {
+	for i := 0; i < 2; i++ {
 		out, err := exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver).CombinedOutput()
 		if err != nil {
 			if !bytes.Contains(out, []byte(`dpkg was interrupted`)) {
@@ -678,9 +651,6 @@ func (up *Updater) updateAlpineLike() (err error) {
 		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
 	}
 	if !up.confirm(ver) {
-		if err := checkOutdatedAlpineRepo(up.Logf, ver, up.Track); err != nil {
-			up.Logf("failed to check whether Alpine release is outdated: %v", err)
-		}
 		return nil
 	}
 
@@ -708,7 +678,7 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 			return "", fmt.Errorf("malformed info line: %q", line)
 		}
 		ver := parts[1]
-		if cmpver.Compare(ver, maxVer) > 0 {
+		if cmpver.Compare(ver, maxVer) == 1 {
 			maxVer = ver
 		}
 	}
@@ -718,37 +688,6 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 	return "", errors.New("tailscale version not found in output")
 }
 
-var apkRepoVersionRE = regexp.MustCompile(`v[0-9]+\.[0-9]+`)
-
-func checkOutdatedAlpineRepo(logf logger.Logf, apkVer, track string) error {
-	latest, err := LatestTailscaleVersion(track)
-	if err != nil {
-		return err
-	}
-	if latest == apkVer {
-		// Actually on latest release.
-		return nil
-	}
-	f, err := os.Open("/etc/apk/repositories")
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	// Read the first repo line. Typically, there are multiple repos that all
-	// contain the same version in the path, like:
-	//   https://dl-cdn.alpinelinux.org/alpine/v3.20/main
-	//   https://dl-cdn.alpinelinux.org/alpine/v3.20/community
-	s := bufio.NewScanner(f)
-	if !s.Scan() {
-		return s.Err()
-	}
-	alpineVer := apkRepoVersionRE.FindString(s.Text())
-	if alpineVer != "" {
-		logf("The latest Tailscale release for Linux is %q, but your apk repository only provides %q.\nYour Alpine version is %q, you may need to upgrade the system to get the latest Tailscale version: https://wiki.alpinelinux.org/wiki/Upgrading_Alpine", latest, apkVer, alpineVer)
-	}
-	return nil
-}
-
 func (up *Updater) updateMacSys() error {
 	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
 }
@@ -765,6 +704,164 @@ func (up *Updater) updateMacAppStore() error {
 	return nil
 }
 
+const (
+	// winMSIEnv is the environment variable that, if set, is the MSI file for
+	// the update command to install. It's passed like this so we can stop the
+	// tailscale.exe process from running before the msiexec process runs and
+	// tries to overwrite ourselves.
+	winMSIEnv = "TS_UPDATE_WIN_MSI"
+	// winExePathEnv is the environment variable that is set along with
+	// winMSIEnv and carries the full path of the calling tailscale.exe binary.
+	// It is used to re-launch the GUI process (tailscale-ipn.exe) after
+	// install is complete.
+	winExePathEnv = "TS_UPDATE_WIN_EXE_PATH"
+)
+
+var (
+	verifyAuthenticode func(string) error // set non-nil only on Windows
+	markTempFileFunc   func(string) error // set non-nil only on Windows
+)
+
+func (up *Updater) updateWindows() error {
+	if msi := os.Getenv(winMSIEnv); msi != "" {
+		// stdout/stderr from this part of the install could be lost since the
+		// parent tailscaled is replaced. Create a temp log file to have some
+		// output to debug with in case update fails.
+		close, err := up.switchOutputToFile()
+		if err != nil {
+			up.Logf("failed to create log file for installation: %v; proceeding with existing outputs", err)
+		} else {
+			defer close.Close()
+		}
+
+		up.Logf("installing %v ...", msi)
+		if err := up.installMSI(msi); err != nil {
+			up.Logf("MSI install failed: %v", err)
+			return err
+		}
+
+		up.Logf("success.")
+		return nil
+	}
+
+	if !winutil.IsCurrentProcessElevated() {
+		return errors.New(`update must be run as Administrator
+
+you can run the command prompt as Administrator one of these ways:
+* right-click cmd.exe, select 'Run as administrator'
+* press Windows+x, then press a
+* press Windows+r, type in "cmd", then press Ctrl+Shift+Enter`)
+	}
+	ver, err := requestedTailscaleVersion(up.Version, up.Track)
+	if err != nil {
+		return err
+	}
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
+	msiDir := filepath.Join(tsDir, "MSICache")
+	if fi, err := os.Stat(tsDir); err != nil {
+		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
+	} else if !fi.IsDir() {
+		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
+	}
+	if err := os.MkdirAll(msiDir, 0700); err != nil {
+		return err
+	}
+	up.cleanupOldDownloads(filepath.Join(msiDir, "*.msi"))
+	pkgsPath := fmt.Sprintf("%s/tailscale-setup-%s-%s.msi", up.Track, ver, arch)
+	msiTarget := filepath.Join(msiDir, path.Base(pkgsPath))
+	if err := up.downloadURLToFile(pkgsPath, msiTarget); err != nil {
+		return err
+	}
+
+	up.Logf("verifying MSI authenticode...")
+	if err := verifyAuthenticode(msiTarget); err != nil {
+		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
+	}
+	up.Logf("authenticode verification succeeded")
+
+	up.Logf("making tailscale.exe copy to switch to...")
+	up.cleanupOldDownloads(filepath.Join(os.TempDir(), "tailscale-updater-*.exe"))
+	selfOrig, selfCopy, err := makeSelfCopy()
+	if err != nil {
+		return err
+	}
+	defer os.Remove(selfCopy)
+	up.Logf("running tailscale.exe copy for final install...")
+
+	cmd := exec.Command(selfCopy, "update")
+	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget, winExePathEnv+"="+selfOrig)
+	cmd.Stdout = up.Stderr
+	cmd.Stderr = up.Stderr
+	cmd.Stdin = os.Stdin
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// Once it's started, exit ourselves, so the binary is free
+	// to be replaced.
+	os.Exit(0)
+	panic("unreachable")
+}
+
+func (up *Updater) switchOutputToFile() (io.Closer, error) {
+	var logFilePath string
+	exePath, err := os.Executable()
+	if err != nil {
+		logFilePath = filepath.Join(os.TempDir(), "tailscale-updater.log")
+	} else {
+		logFilePath = strings.TrimSuffix(exePath, ".exe") + ".log"
+	}
+
+	up.Logf("writing update output to %q", logFilePath)
+	logFile, err := os.Create(logFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	up.Logf = func(m string, args ...any) {
+		fmt.Fprintf(logFile, m+"\n", args...)
+	}
+	up.Stdout = logFile
+	up.Stderr = logFile
+	return logFile, nil
+}
+
+func (up *Updater) installMSI(msi string) error {
+	var err error
+	for tries := 0; tries < 2; tries++ {
+		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/norestart", "/qn")
+		cmd.Dir = filepath.Dir(msi)
+		cmd.Stdout = up.Stdout
+		cmd.Stderr = up.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		if err == nil {
+			break
+		}
+		up.Logf("Install attempt failed: %v", err)
+		uninstallVersion := version.Short()
+		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
+			uninstallVersion = v
+		}
+		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
+		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
+		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
+		cmd.Stdout = up.Stdout
+		cmd.Stderr = up.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		up.Logf("msiexec uninstall: %v", err)
+	}
+	return err
+}
+
 // cleanupOldDownloads removes all files matching glob (see filepath.Glob).
 // Only regular files are removed, so the glob must match specific files and
 // not directories.
@@ -789,6 +886,53 @@ func (up *Updater) cleanupOldDownloads(glob string) {
 	}
 }
 
+func msiUUIDForVersion(ver string) string {
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	track, err := versionToTrack(ver)
+	if err != nil {
+		track = UnstableTrack
+	}
+	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
+	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
+}
+
+func makeSelfCopy() (origPathExe, tmpPathExe string, err error) {
+	selfExe, err := os.Executable()
+	if err != nil {
+		return "", "", err
+	}
+	f, err := os.Open(selfExe)
+	if err != nil {
+		return "", "", err
+	}
+	defer f.Close()
+	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
+	if err != nil {
+		return "", "", err
+	}
+	if f := markTempFileFunc; f != nil {
+		if err := f(f2.Name()); err != nil {
+			return "", "", err
+		}
+	}
+	if _, err := io.Copy(f2, f); err != nil {
+		f2.Close()
+		return "", "", err
+	}
+	return selfExe, f2.Name(), f2.Close()
+}
+
+func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
+	c, err := distsign.NewClient(up.Logf, up.PkgsAddr)
+	if err != nil {
+		return err
+	}
+	return c.Download(context.Background(), pathSrc, fileDst)
+}
+
 func (up *Updater) updateFreeBSD() (err error) {
 	if up.Version != "" {
 		return errors.New("installing a specific version on FreeBSD is not supported")
@@ -873,20 +1017,6 @@ func (up *Updater) updateLinuxBinary() error {
 	return nil
 }
 
-func restartSystemdUnit(ctx context.Context) error {
-	if _, err := exec.LookPath("systemctl"); err != nil {
-		// Likely not a systemd-managed distro.
-		return errors.ErrUnsupported
-	}
-	if out, err := exec.Command("systemctl", "daemon-reload").CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl daemon-reload failed: %w\noutput: %s", err, out)
-	}
-	if out, err := exec.Command("systemctl", "restart", "tailscaled.service").CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl restart failed: %w\noutput: %s", err, out)
-	}
-	return nil
-}
-
 func (up *Updater) downloadLinuxTarball(ver string) (string, error) {
 	dlDir, err := os.UserCacheDir()
 	if err != nil {
@@ -1153,31 +1283,22 @@ func requestedTailscaleVersion(ver, track string) (string, error) {
 // LatestTailscaleVersion returns the latest released version for the given
 // track from pkgs.tailscale.com.
 func LatestTailscaleVersion(track string) (string, error) {
-	if track == "" {
-		track = CurrentTrack
+	if track == CurrentTrack {
+		if version.IsUnstableBuild() {
+			track = UnstableTrack
+		} else {
+			track = StableTrack
+		}
 	}
 
 	latest, err := latestPackages(track)
 	if err != nil {
 		return "", err
 	}
-	ver := latest.Version
-	switch runtime.GOOS {
-	case "windows":
-		ver = latest.MSIsVersion
-	case "darwin":
-		ver = latest.MacZipsVersion
-	case "linux":
-		ver = latest.TarballsVersion
-		if distro.Get() == distro.Synology {
-			ver = latest.SPKsVersion
-		}
+	if latest.Version == "" {
+		return "", fmt.Errorf("no latest version found for %q track", track)
 	}
-
-	if ver == "" {
-		return "", fmt.Errorf("no latest version found for OS %q on %q track", runtime.GOOS, track)
-	}
-	return ver, nil
+	return latest.Version, nil
 }
 
 type trackPackages struct {

clientupdate/clientupdate_downloads.go

@@ -1,20 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build (linux && !android) || windows
-
-package clientupdate
-
-import (
-	"context"
-
-	"tailscale.com/clientupdate/distsign"
-)
-
-func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
-	c, err := distsign.NewClient(up.Logf, up.PkgsAddr)
-	if err != nil {
-		return err
-	}
-	return c.Download(context.Background(), pathSrc, fileDst)
-}

clientupdate/clientupdate_not_downloads.go

@@ -1,10 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !((linux && !android) || windows)
-
-package clientupdate
-
-func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
-	panic("unreachable")
-}

clientupdate/clientupdate_notwindows.go

@@ -1,10 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !windows
-
-package clientupdate
-
-func (up *Updater) updateWindows() error {
-	panic("unreachable")
-}

clientupdate/clientupdate_test.go

@@ -663,7 +663,7 @@ func genTarball(t *testing.T, path string, files map[string]string) {
 
 func TestWriteFileOverwrite(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "test")
-	for i := range 2 {
+	for i := 0; i < 2; i++ {
 		content := fmt.Sprintf("content %d", i)
 		if err := writeFile(strings.NewReader(content), path, 0600); err != nil {
 			t.Fatal(err)
@@ -846,107 +846,3 @@ func TestParseUnraidPluginVersion(t *testing.T) {
 		})
 	}
 }
-
-func TestConfirm(t *testing.T) {
-	curTrack := CurrentTrack
-	defer func() { CurrentTrack = curTrack }()
-
-	tests := []struct {
-		desc      string
-		fromTrack string
-		toTrack   string
-		fromVer   string
-		toVer     string
-		confirm   func(string) bool
-		want      bool
-	}{
-		{
-			desc:      "on latest stable",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.0",
-			want:      false,
-		},
-		{
-			desc:      "stable upgrade",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.68.0",
-			want:      true,
-		},
-		{
-			desc:      "unstable upgrade",
-			fromTrack: UnstableTrack,
-			toTrack:   UnstableTrack,
-			fromVer:   "1.67.1",
-			toVer:     "1.67.2",
-			want:      true,
-		},
-		{
-			desc:      "from stable to unstable",
-			fromTrack: StableTrack,
-			toTrack:   UnstableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.67.1",
-			want:      true,
-		},
-		{
-			desc:      "from unstable to stable",
-			fromTrack: UnstableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.67.1",
-			toVer:     "1.66.0",
-			want:      true,
-		},
-		{
-			desc:      "confirm callback rejects",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.1",
-			confirm: func(string) bool {
-				return false
-			},
-			want: false,
-		},
-		{
-			desc:      "confirm callback allows",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.1",
-			confirm: func(string) bool {
-				return true
-			},
-			want: true,
-		},
-		{
-			desc:      "downgrade",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.1",
-			toVer:     "1.66.0",
-			want:      false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			CurrentTrack = tt.fromTrack
-			up := Updater{
-				currentVersion: tt.fromVer,
-				Arguments: Arguments{
-					Track:   tt.toTrack,
-					Confirm: tt.confirm,
-					Logf:    t.Logf,
-				},
-			}
-
-			if got := up.confirm(tt.toVer); got != tt.want {
-				t.Errorf("got %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

clientupdate/clientupdate_windows.go

@@ -7,57 +7,13 @@
 package clientupdate
 
 import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	"github.com/google/uuid"
 	"golang.org/x/sys/windows"
-	"tailscale.com/util/winutil"
 	"tailscale.com/util/winutil/authenticode"
 )
 
-const (
-	// winMSIEnv is the environment variable that, if set, is the MSI file for
-	// the update command to install. It's passed like this so we can stop the
-	// tailscale.exe process from running before the msiexec process runs and
-	// tries to overwrite ourselves.
-	winMSIEnv = "TS_UPDATE_WIN_MSI"
-	// winExePathEnv is the environment variable that is set along with
-	// winMSIEnv and carries the full path of the calling tailscale.exe binary.
-	// It is used to re-launch the GUI process (tailscale-ipn.exe) after
-	// install is complete.
-	winExePathEnv = "TS_UPDATE_WIN_EXE_PATH"
-)
-
-func makeSelfCopy() (origPathExe, tmpPathExe string, err error) {
-	selfExe, err := os.Executable()
-	if err != nil {
-		return "", "", err
-	}
-	f, err := os.Open(selfExe)
-	if err != nil {
-		return "", "", err
-	}
-	defer f.Close()
-	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
-	if err != nil {
-		return "", "", err
-	}
-	if err := markTempFileWindows(f2.Name()); err != nil {
-		return "", "", err
-	}
-	if _, err := io.Copy(f2, f); err != nil {
-		f2.Close()
-		return "", "", err
-	}
-	return selfExe, f2.Name(), f2.Close()
+func init() {
+	markTempFileFunc = markTempFileWindows
+	verifyAuthenticode = verifyTailscale
 }
 
 func markTempFileWindows(name string) error {
@@ -67,159 +23,6 @@ func markTempFileWindows(name string) error {
 
 const certSubjectTailscale = "Tailscale Inc."
 
-func verifyAuthenticode(path string) error {
+func verifyTailscale(path string) error {
 	return authenticode.Verify(path, certSubjectTailscale)
 }
-
-func (up *Updater) updateWindows() error {
-	if msi := os.Getenv(winMSIEnv); msi != "" {
-		// stdout/stderr from this part of the install could be lost since the
-		// parent tailscaled is replaced. Create a temp log file to have some
-		// output to debug with in case update fails.
-		close, err := up.switchOutputToFile()
-		if err != nil {
-			up.Logf("failed to create log file for installation: %v; proceeding with existing outputs", err)
-		} else {
-			defer close.Close()
-		}
-
-		up.Logf("installing %v ...", msi)
-		if err := up.installMSI(msi); err != nil {
-			up.Logf("MSI install failed: %v", err)
-			return err
-		}
-
-		up.Logf("success.")
-		return nil
-	}
-
-	if !winutil.IsCurrentProcessElevated() {
-		return errors.New(`update must be run as Administrator
-
-you can run the command prompt as Administrator one of these ways:
-* right-click cmd.exe, select 'Run as administrator'
-* press Windows+x, then press a
-* press Windows+r, type in "cmd", then press Ctrl+Shift+Enter`)
-	}
-	ver, err := requestedTailscaleVersion(up.Version, up.Track)
-	if err != nil {
-		return err
-	}
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
-	msiDir := filepath.Join(tsDir, "MSICache")
-	if fi, err := os.Stat(tsDir); err != nil {
-		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
-	} else if !fi.IsDir() {
-		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
-	}
-	if err := os.MkdirAll(msiDir, 0700); err != nil {
-		return err
-	}
-	up.cleanupOldDownloads(filepath.Join(msiDir, "*.msi"))
-	pkgsPath := fmt.Sprintf("%s/tailscale-setup-%s-%s.msi", up.Track, ver, arch)
-	msiTarget := filepath.Join(msiDir, path.Base(pkgsPath))
-	if err := up.downloadURLToFile(pkgsPath, msiTarget); err != nil {
-		return err
-	}
-
-	up.Logf("verifying MSI authenticode...")
-	if err := verifyAuthenticode(msiTarget); err != nil {
-		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
-	}
-	up.Logf("authenticode verification succeeded")
-
-	up.Logf("making tailscale.exe copy to switch to...")
-	up.cleanupOldDownloads(filepath.Join(os.TempDir(), "tailscale-updater-*.exe"))
-	selfOrig, selfCopy, err := makeSelfCopy()
-	if err != nil {
-		return err
-	}
-	defer os.Remove(selfCopy)
-	up.Logf("running tailscale.exe copy for final install...")
-
-	cmd := exec.Command(selfCopy, "update")
-	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget, winExePathEnv+"="+selfOrig)
-	cmd.Stdout = up.Stderr
-	cmd.Stderr = up.Stderr
-	cmd.Stdin = os.Stdin
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	// Once it's started, exit ourselves, so the binary is free
-	// to be replaced.
-	os.Exit(0)
-	panic("unreachable")
-}
-
-func (up *Updater) installMSI(msi string) error {
-	var err error
-	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/norestart", "/qn")
-		cmd.Dir = filepath.Dir(msi)
-		cmd.Stdout = up.Stdout
-		cmd.Stderr = up.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		if err == nil {
-			break
-		}
-		up.Logf("Install attempt failed: %v", err)
-		uninstallVersion := up.currentVersion
-		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
-			uninstallVersion = v
-		}
-		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
-		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
-		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
-		cmd.Stdout = up.Stdout
-		cmd.Stderr = up.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		up.Logf("msiexec uninstall: %v", err)
-	}
-	return err
-}
-
-func msiUUIDForVersion(ver string) string {
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	track, err := versionToTrack(ver)
-	if err != nil {
-		track = UnstableTrack
-	}
-	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
-	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
-}
-
-func (up *Updater) switchOutputToFile() (io.Closer, error) {
-	var logFilePath string
-	exePath, err := os.Executable()
-	if err != nil {
-		logFilePath = filepath.Join(os.TempDir(), "tailscale-updater.log")
-	} else {
-		logFilePath = strings.TrimSuffix(exePath, ".exe") + ".log"
-	}
-
-	up.Logf("writing update output to %q", logFilePath)
-	logFile, err := os.Create(logFilePath)
-	if err != nil {
-		return nil, err
-	}
-
-	up.Logf = func(m string, args ...any) {
-		fmt.Fprintf(logFile, m+"\n", args...)
-	}
-	up.Stdout = logFile
-	up.Stderr = logFile
-	return logFile, nil
-}

clientupdate/distsign/distsign_test.go

@@ -445,7 +445,7 @@ type testServer struct {
 
 func newTestServer(t *testing.T) *testServer {
 	var roots []rootKeyPair
-	for range 3 {
+	for i := 0; i < 3; i++ {
 		roots = append(roots, newRootKeyPair(t))
 	}
 

clientupdate/systemd_linux.go

@@ -0,0 +1,37 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-systemd/v22/dbus"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	c, err := dbus.NewWithContext(ctx)
+	if err != nil {
+		// Likely not a systemd-managed distro.
+		return errors.ErrUnsupported
+	}
+	defer c.Close()
+	if err := c.ReloadContext(ctx); err != nil {
+		return fmt.Errorf("failed to reload tailsacled.service: %w", err)
+	}
+	ch := make(chan string, 1)
+	if _, err := c.RestartUnitContext(ctx, "tailscaled.service", "replace", ch); err != nil {
+		return fmt.Errorf("failed to restart tailsacled.service: %w", err)
+	}
+	select {
+	case res := <-ch:
+		if res != "done" {
+			return fmt.Errorf("systemd service restart failed with result %q", res)
+		}
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+	return nil
+}

clientupdate/systemd_other.go

@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !linux
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	return errors.ErrUnsupported
+}

cmd/addlicense/main.go

@@ -18,12 +18,12 @@ var (
 )
 
 func usage() {
-	fmt.Fprint(os.Stderr, `
+	fmt.Fprintf(os.Stderr, `
 usage: addlicense -file FILE <subcommand args...>
 `[1:])
 
 	flag.PrintDefaults()
-	fmt.Fprint(os.Stderr, `
+	fmt.Fprintf(os.Stderr, `
 addlicense adds a Tailscale license to the beginning of file.
 
 It is intended for use with 'go generate', so it also runs a subcommand,

cmd/checkmetrics/checkmetrics.go

@@ -1,131 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// checkmetrics validates that all metrics in the tailscale client-metrics
-// are documented in a given path or URL.
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"strings"
-	"time"
-
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tsnet"
-	"tailscale.com/tstest/integration/testcontrol"
-	"tailscale.com/util/httpm"
-)
-
-var (
-	kbPath = flag.String("kb-path", "", "filepath to the client-metrics knowledge base")
-	kbUrl  = flag.String("kb-url", "", "URL to the client-metrics knowledge base page")
-)
-
-func main() {
-	flag.Parse()
-	if *kbPath == "" && *kbUrl == "" {
-		log.Fatalf("either -kb-path or -kb-url must be set")
-	}
-
-	var control testcontrol.Server
-	ts := httptest.NewServer(&control)
-	defer ts.Close()
-
-	td, err := os.MkdirTemp("", "testcontrol")
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer os.RemoveAll(td)
-
-	// tsnet is used not used as a Tailscale client, but as a way to
-	// boot up Tailscale, have all the metrics registered, and then
-	// verifiy that all the metrics are documented.
-	tsn := &tsnet.Server{
-		Dir:        td,
-		Store:      new(mem.Store),
-		UserLogf:   log.Printf,
-		Ephemeral:  true,
-		ControlURL: ts.URL,
-	}
-	if err := tsn.Start(); err != nil {
-		log.Fatal(err)
-	}
-	defer tsn.Close()
-
-	log.Printf("checking that all metrics are documented, looking for: %s", tsn.Sys().UserMetricsRegistry().MetricNames())
-
-	if *kbPath != "" {
-		kb, err := readKB(*kbPath)
-		if err != nil {
-			log.Fatalf("reading kb: %v", err)
-		}
-		missing := undocumentedMetrics(kb, tsn.Sys().UserMetricsRegistry().MetricNames())
-
-		if len(missing) > 0 {
-			log.Fatalf("found undocumented metrics in %q: %v", *kbPath, missing)
-		}
-	}
-
-	if *kbUrl != "" {
-		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-		defer cancel()
-
-		kb, err := getKB(ctx, *kbUrl)
-		if err != nil {
-			log.Fatalf("getting kb: %v", err)
-		}
-		missing := undocumentedMetrics(kb, tsn.Sys().UserMetricsRegistry().MetricNames())
-
-		if len(missing) > 0 {
-			log.Fatalf("found undocumented metrics in %q: %v", *kbUrl, missing)
-		}
-	}
-}
-
-func readKB(path string) (string, error) {
-	b, err := os.ReadFile(path)
-	if err != nil {
-		return "", fmt.Errorf("reading file: %w", err)
-	}
-
-	return string(b), nil
-}
-
-func getKB(ctx context.Context, url string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, url, nil)
-	if err != nil {
-		return "", fmt.Errorf("creating request: %w", err)
-	}
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("getting kb page: %w", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("unexpected status code: %d", resp.StatusCode)
-	}
-
-	b, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", fmt.Errorf("reading body: %w", err)
-	}
-	return string(b), nil
-}
-
-func undocumentedMetrics(b string, metrics []string) []string {
-	var missing []string
-	for _, metric := range metrics {
-		if !strings.Contains(b, metric) {
-			missing = append(missing, metric)
-		}
-	}
-	return missing
-}

cmd/cloner/cloner.go

@@ -47,7 +47,7 @@ func main() {
 	it := codegen.NewImportTracker(pkg.Types)
 	buf := new(bytes.Buffer)
 	for _, typeName := range typeNames {
-		typ, ok := namedTypes[typeName].(*types.Named)
+		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
 		}
@@ -78,11 +78,7 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-	cloneOutput := pkg.Name + "_clone"
-	if *flagBuildTags == "test" {
-		cloneOutput += "_test"
-	}
-	cloneOutput += ".go"
+	cloneOutput := pkg.Name + "_clone.go"
 	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
 		log.Fatal(err)
 	}
@@ -95,27 +91,24 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	}
 
 	name := typ.Obj().Name()
-	typeParams := typ.Origin().TypeParams()
-	_, typeParamNames := codegen.FormatTypeParams(typeParams, it)
-	nameWithParams := name + typeParamNames
 	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", nameWithParams, nameWithParams)
+	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
 	writef := func(format string, args ...any) {
 		fmt.Fprintf(buf, "\t"+format+"\n", args...)
 	}
 	writef("if src == nil {")
 	writef("\treturn nil")
 	writef("}")
-	writef("dst := new(%s)", nameWithParams)
+	writef("dst := new(%s)", name)
 	writef("*dst = *src")
-	for i := range t.NumFields() {
+	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
 		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
 			continue
 		}
-		if named, _ := codegen.NamedTypeOf(ft); named != nil {
+		if named, _ := ft.(*types.Named); named != nil {
 			if codegen.IsViewType(ft) {
 				writef("dst.%s = src.%s", fname, fname)
 				continue
@@ -133,23 +126,16 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
-					if codegen.ContainsPointers(ptr.Elem()) {
-						if _, isIface := ptr.Elem().Underlying().(*types.Interface); isIface {
-							it.Import("tailscale.com/types/ptr")
-							writef("\tdst.%s[i] = ptr.To((*src.%s[i]).Clone())", fname, fname)
-						} else {
-							writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
-						}
-					} else {
+					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
 						it.Import("tailscale.com/types/ptr")
+						writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
 						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
+						writef("}")
+					} else {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
-					writef("}")
 				} else if ft.Elem().String() == "encoding/json.RawMessage" {
 					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
-				} else if _, isIface := ft.Elem().Underlying().(*types.Interface); isIface {
-					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -159,19 +145,14 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
 			}
 		case *types.Pointer:
-			base := ft.Elem()
-			hasPtrs := codegen.ContainsPointers(base)
-			if named, _ := codegen.NamedTypeOf(base); named != nil && hasPtrs {
+			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
 			it.Import("tailscale.com/types/ptr")
 			writef("if dst.%s != nil {", fname)
-			if _, isIface := base.Underlying().(*types.Interface); isIface && hasPtrs {
-				writef("\tdst.%s = ptr.To((*src.%s).Clone())", fname, fname)
-			} else if !hasPtrs {
-				writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
-			} else {
+			writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
+			if codegen.ContainsPointers(ft.Elem()) {
 				writef("\t" + `panic("TODO pointers in pointers")`)
 			}
 			writef("}")
@@ -191,50 +172,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("if dst.%s != nil {", fname)
 				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 				writef("\tfor k, v := range src.%s {", fname)
-
-				switch elem := elem.Underlying().(type) {
+				switch elem.(type) {
 				case *types.Pointer:
-					writef("\t\tif v == nil { dst.%s[k] = nil } else {", fname)
-					if base := elem.Elem().Underlying(); codegen.ContainsPointers(base) {
-						if _, isIface := base.(*types.Interface); isIface {
-							it.Import("tailscale.com/types/ptr")
-							writef("\t\t\tdst.%s[k] = ptr.To((*v).Clone())", fname)
-						} else {
-							writef("\t\t\tdst.%s[k] = v.Clone()", fname)
-						}
-					} else {
-						it.Import("tailscale.com/types/ptr")
-						writef("\t\t\tdst.%s[k] = ptr.To(*v)", fname)
-					}
-					writef("}")
-				case *types.Interface:
-					if cloneResultType := methodResultType(elem, "Clone"); cloneResultType != nil {
-						if _, isPtr := cloneResultType.(*types.Pointer); isPtr {
-							writef("\t\tdst.%s[k] = *(v.Clone())", fname)
-						} else {
-							writef("\t\tdst.%s[k] = v.Clone()", fname)
-						}
-					} else {
-						writef(`panic("%s (%v) does not have a Clone method")`, fname, elem)
-					}
+					writef("\t\tdst.%s[k] = v.Clone()", fname)
 				default:
 					writef("\t\tdst.%s[k] = *(v.Clone())", fname)
 				}
-
 				writef("\t}")
 				writef("}")
 			} else {
 				it.Import("maps")
 				writef("\tdst.%s = maps.Clone(src.%s)", fname, fname)
 			}
-		case *types.Interface:
-			// If ft is an interface with a "Clone() ft" method, it can be used to clone the field.
-			// This includes scenarios where ft is a constrained type parameter.
-			if cloneResultType := methodResultType(ft, "Clone"); cloneResultType.Underlying() == ft {
-				writef("dst.%s = src.%s.Clone()", fname, fname)
-				continue
-			}
-			writef(`panic("%s (%v) does not have a compatible Clone method")`, fname, ft)
 		default:
 			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
@@ -242,7 +191,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")
 
-	buf.Write(codegen.AssertStructUnchanged(t, name, typeParams, "Clone", it))
+	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }
 
 // hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
@@ -254,15 +203,3 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
-
-func methodResultType(typ types.Type, method string) types.Type {
-	viewMethod := codegen.LookupMethod(typ, method)
-	if viewMethod == nil {
-		return nil
-	}
-	sig, ok := viewMethod.Type().(*types.Signature)
-	if !ok || sig.Results().Len() != 1 {
-		return nil
-	}
-	return sig.Results().At(0).Type()
-}

cmd/cloner/clonerex/clonerex.go

@@ -3,7 +3,6 @@
 
 //go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type SliceContainer
 
-// Package clonerex is an example package for the cloner tool.
 package clonerex
 
 type SliceContainer struct {

cmd/containerboot/certs.go

@@ -1,147 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net"
-	"sync"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/util/goroutines"
-	"tailscale.com/util/mak"
-)
-
-// certManager is responsible for issuing certificates for known domains and for
-// maintaining a loop that re-attempts issuance daily.
-// Currently cert manager logic is only run on ingress ProxyGroup replicas that are responsible for managing certs for
-// HA Ingress HTTPS endpoints ('write' replicas).
-type certManager struct {
-	lc      localClient
-	tracker goroutines.Tracker // tracks running goroutines
-	mu      sync.Mutex         // guards the following
-	// certLoops contains a map of DNS names, for which we currently need to
-	// manage certs to cancel functions that allow stopping a goroutine when
-	// we no longer need to manage certs for the DNS name.
-	certLoops map[string]context.CancelFunc
-}
-
-// ensureCertLoops ensures that, for all currently managed Service HTTPS
-// endpoints, there is a cert loop responsible for issuing and ensuring the
-// renewal of the TLS certs.
-// ServeConfig must not be nil.
-func (cm *certManager) ensureCertLoops(ctx context.Context, sc *ipn.ServeConfig) error {
-	if sc == nil {
-		return fmt.Errorf("[unexpected] ensureCertLoops called with nil ServeConfig")
-	}
-	currentDomains := make(map[string]bool)
-	const httpsPort = "443"
-	for _, service := range sc.Services {
-		for hostPort := range service.Web {
-			domain, port, err := net.SplitHostPort(string(hostPort))
-			if err != nil {
-				return fmt.Errorf("[unexpected] unable to parse HostPort %s", hostPort)
-			}
-			if port != httpsPort { // HA Ingress' HTTP endpoint
-				continue
-			}
-			currentDomains[domain] = true
-		}
-	}
-	cm.mu.Lock()
-	defer cm.mu.Unlock()
-	for domain := range currentDomains {
-		if _, exists := cm.certLoops[domain]; !exists {
-			cancelCtx, cancel := context.WithCancel(ctx)
-			mak.Set(&cm.certLoops, domain, cancel)
-			cm.tracker.Go(func() { cm.runCertLoop(cancelCtx, domain) })
-		}
-	}
-
-	// Stop goroutines for domain names that are no longer in the config.
-	for domain, cancel := range cm.certLoops {
-		if !currentDomains[domain] {
-			cancel()
-			delete(cm.certLoops, domain)
-		}
-	}
-	return nil
-}
-
-// runCertLoop:
-// - calls localAPI certificate endpoint to ensure that certs are issued for the
-// given domain name
-// - calls localAPI certificate endpoint daily to ensure that certs are renewed
-// - if certificate issuance failed retries after an exponential backoff period
-// starting at 1 minute and capped at 24 hours. Reset the backoff once issuance succeeds.
-// Note that renewal check also happens when the node receives an HTTPS request and it is possible that certs get
-// renewed at that point. Renewal here is needed to prevent the shared certs from expiry in edge cases where the 'write'
-// replica does not get any HTTPS requests.
-// https://letsencrypt.org/docs/integration-guide/#retrying-failures
-func (cm *certManager) runCertLoop(ctx context.Context, domain string) {
-	const (
-		normalInterval   = 24 * time.Hour  // regular renewal check
-		initialRetry     = 1 * time.Minute // initial backoff after a failure
-		maxRetryInterval = 24 * time.Hour  // max backoff period
-	)
-	timer := time.NewTimer(0) // fire off timer immediately
-	defer timer.Stop()
-	retryCount := 0
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-timer.C:
-			// We call the certificate endpoint, but don't do anything
-			// with the returned certs here.
-			// The call to the certificate endpoint will ensure that
-			// certs are issued/renewed as needed and stored in the
-			// relevant state store. For example, for HA Ingress
-			// 'write' replica, the cert and key will be stored in a
-			// Kubernetes Secret named after the domain for which we
-			// are issuing.
-			// Note that renewals triggered by the call to the
-			// certificates endpoint here and by renewal check
-			// triggered during a call to node's HTTPS endpoint
-			// share the same state/renewal lock mechanism, so we
-			// should not run into redundant issuances during
-			// concurrent renewal checks.
-			// TODO(irbekrm): maybe it is worth adding a new
-			// issuance endpoint that explicitly only triggers
-			// issuance and stores certs in the relevant store, but
-			// does not return certs to the caller?
-			_, _, err := cm.lc.CertPair(ctx, domain)
-			if err != nil {
-				log.Printf("error refreshing certificate for %s: %v", domain, err)
-			}
-			var nextInterval time.Duration
-			// TODO(irbekrm): distinguish between LE rate limit
-			// errors and other error types like transient network
-			// errors.
-			if err == nil {
-				retryCount = 0
-				nextInterval = normalInterval
-			} else {
-				retryCount++
-				// Calculate backoff: initialRetry * 2^(retryCount-1)
-				// For retryCount=1: 1min * 2^0 = 1min
-				// For retryCount=2: 1min * 2^1 = 2min
-				// For retryCount=3: 1min * 2^2 = 4min
-				backoff := initialRetry * time.Duration(1<<(retryCount-1))
-				if backoff > maxRetryInterval {
-					backoff = maxRetryInterval
-				}
-				nextInterval = backoff
-				log.Printf("Error refreshing certificate for %s (retry %d): %v. Will retry in %v\n",
-					domain, retryCount, err, nextInterval)
-			}
-			timer.Reset(nextInterval)
-		}
-	}
-}

cmd/containerboot/certs_test.go

@@ -1,229 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
-)
-
-// TestEnsureCertLoops tests that the certManager correctly starts and stops
-// update loops for certs when the serve config changes. It tracks goroutine
-// count and uses that as a validator that the expected number of cert loops are
-// running.
-func TestEnsureCertLoops(t *testing.T) {
-	tests := []struct {
-		name              string
-		initialConfig     *ipn.ServeConfig
-		updatedConfig     *ipn.ServeConfig
-		initialGoroutines int64 // after initial serve config is applied
-		updatedGoroutines int64 // after updated serve config is applied
-		wantErr           bool
-	}{
-		{
-			name:              "empty_serve_config",
-			initialConfig:     &ipn.ServeConfig{},
-			initialGoroutines: 0,
-		},
-		{
-			name:              "nil_serve_config",
-			initialConfig:     nil,
-			initialGoroutines: 0,
-			wantErr:           true,
-		},
-		{
-			name:          "empty_to_one_service",
-			initialConfig: &ipn.ServeConfig{},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 0,
-			updatedGoroutines: 1,
-		},
-		{
-			name: "single_service",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1,
-		},
-		{
-			name: "multiple_services",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 2, // one loop per domain across all services
-		},
-		{
-			name: "ignore_non_https_ports",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-							"my-app.tailnetxyz.ts.net:80":  {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1, // only one loop for the 443 endpoint
-		},
-		{
-			name: "remove_domain",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 2, // initially two loops (one per service)
-			updatedGoroutines: 1, // one loop after removing service2
-		},
-		{
-			name: "add_domain",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1,
-			updatedGoroutines: 2,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cm := &certManager{
-				lc:        &fakeLocalClient{},
-				certLoops: make(map[string]context.CancelFunc),
-			}
-
-			allDone := make(chan bool, 1)
-			defer cm.tracker.AddDoneCallback(func() {
-				cm.mu.Lock()
-				defer cm.mu.Unlock()
-				if cm.tracker.RunningGoroutines() > 0 {
-					return
-				}
-				select {
-				case allDone <- true:
-				default:
-				}
-			})()
-
-			err := cm.ensureCertLoops(ctx, tt.initialConfig)
-			if (err != nil) != tt.wantErr {
-				t.Fatalf("ensureCertLoops() error = %v", err)
-			}
-
-			if got := cm.tracker.RunningGoroutines(); got != tt.initialGoroutines {
-				t.Errorf("after initial config: got %d running goroutines, want %d", got, tt.initialGoroutines)
-			}
-
-			if tt.updatedConfig != nil {
-				if err := cm.ensureCertLoops(ctx, tt.updatedConfig); err != nil {
-					t.Fatalf("ensureCertLoops() error on update = %v", err)
-				}
-
-				// Although starting goroutines and cancelling
-				// the context happens in the main goroutine, it
-				// the actual goroutine exit when a context is
-				// cancelled does not- so wait for a bit for the
-				// running goroutine count to reach the expected
-				// number.
-				deadline := time.After(5 * time.Second)
-				for {
-					if got := cm.tracker.RunningGoroutines(); got == tt.updatedGoroutines {
-						break
-					}
-					select {
-					case <-deadline:
-						t.Fatalf("timed out waiting for goroutine count to reach %d, currently at %d",
-							tt.updatedGoroutines, cm.tracker.RunningGoroutines())
-					case <-time.After(10 * time.Millisecond):
-						continue
-					}
-				}
-			}
-
-			if tt.updatedGoroutines == 0 {
-				return // no goroutines to wait for
-			}
-			// cancel context to make goroutines exit
-			cancel()
-			select {
-			case <-time.After(5 * time.Second):
-				t.Fatal("timed out waiting for goroutine to finish")
-			case <-allDone:
-			}
-		})
-	}
-}

cmd/containerboot/forwarding.go

@@ -1,262 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"tailscale.com/util/linuxfw"
-)
-
-// ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, clusterProxyTargetIP, tailnetTargetIP, tailnetTargetFQDN string, routes *string) error {
-	var (
-		v4Forwarding, v6Forwarding bool
-	)
-	if clusterProxyTargetIP != "" {
-		proxyIP, err := netip.ParseAddr(clusterProxyTargetIP)
-		if err != nil {
-			return fmt.Errorf("invalid cluster destination IP: %v", err)
-		}
-		if proxyIP.Is4() {
-			v4Forwarding = true
-		} else {
-			v6Forwarding = true
-		}
-	}
-	if tailnetTargetIP != "" {
-		proxyIP, err := netip.ParseAddr(tailnetTargetIP)
-		if err != nil {
-			return fmt.Errorf("invalid tailnet destination IP: %v", err)
-		}
-		if proxyIP.Is4() {
-			v4Forwarding = true
-		} else {
-			v6Forwarding = true
-		}
-	}
-	// Currently we only proxy traffic to the IPv4 address of the tailnet
-	// target.
-	if tailnetTargetFQDN != "" {
-		v4Forwarding = true
-	}
-	if routes != nil && *routes != "" {
-		for _, route := range strings.Split(*routes, ",") {
-			cidr, err := netip.ParsePrefix(route)
-			if err != nil {
-				return fmt.Errorf("invalid subnet route: %v", err)
-			}
-			if cidr.Addr().Is4() {
-				v4Forwarding = true
-			} else {
-				v6Forwarding = true
-			}
-		}
-	}
-	return enableIPForwarding(v4Forwarding, v6Forwarding, root)
-}
-
-func enableIPForwarding(v4Forwarding, v6Forwarding bool, root string) error {
-	var paths []string
-	if v4Forwarding {
-		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv4/ip_forward"))
-	}
-	if v6Forwarding {
-		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv6/conf/all/forwarding"))
-	}
-
-	// In some common configurations (e.g. default docker,
-	// kubernetes), the container environment denies write access to
-	// most sysctls, including IP forwarding controls. Check the
-	// sysctl values before trying to change them, so that we
-	// gracefully do nothing if the container's already been set up
-	// properly by e.g. a k8s initContainer.
-	for _, path := range paths {
-		bs, err := os.ReadFile(path)
-		if err != nil {
-			return fmt.Errorf("reading %q: %w", path, err)
-		}
-		if v := strings.TrimSpace(string(bs)); v != "1" {
-			if err := os.WriteFile(path, []byte("1"), 0644); err != nil {
-				return fmt.Errorf("enabling %q: %w", path, err)
-			}
-		}
-	}
-	return nil
-}
-
-func installEgressForwardingRule(_ context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
-	dst, err := netip.ParseAddr(dstStr)
-	if err != nil {
-		return err
-	}
-	var local netip.Addr
-	for _, pfx := range tsIPs {
-		if !pfx.IsSingleIP() {
-			continue
-		}
-		if pfx.Addr().Is4() != dst.Is4() {
-			continue
-		}
-		local = pfx.Addr()
-		break
-	}
-	if !local.IsValid() {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
-	}
-	if err := nfr.DNATNonTailscaleTraffic("tailscale0", dst); err != nil {
-		return fmt.Errorf("installing egress proxy rules: %w", err)
-	}
-	if err := nfr.EnsureSNATForDst(local, dst); err != nil {
-		return fmt.Errorf("installing egress proxy rules: %w", err)
-	}
-	if err := nfr.ClampMSSToPMTU("tailscale0", dst); err != nil {
-		return fmt.Errorf("installing egress proxy rules: %w", err)
-	}
-	return nil
-}
-
-// installTSForwardingRuleForDestination accepts a destination address and a
-// list of node's tailnet addresses, sets up rules to forward traffic for
-// destination to the tailnet IP matching the destination IP family.
-// Destination can be Pod IP of this node.
-func installTSForwardingRuleForDestination(_ context.Context, dstFilter string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
-	dst, err := netip.ParseAddr(dstFilter)
-	if err != nil {
-		return err
-	}
-	var local netip.Addr
-	for _, pfx := range tsIPs {
-		if !pfx.IsSingleIP() {
-			continue
-		}
-		if pfx.Addr().Is4() != dst.Is4() {
-			continue
-		}
-		local = pfx.Addr()
-		break
-	}
-	if !local.IsValid() {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstFilter, tsIPs)
-	}
-	if err := nfr.AddDNATRule(dst, local); err != nil {
-		return fmt.Errorf("installing rule for forwarding traffic to tailnet IP: %w", err)
-	}
-	return nil
-}
-
-func installIngressForwardingRule(_ context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
-	dst, err := netip.ParseAddr(dstStr)
-	if err != nil {
-		return err
-	}
-	var local netip.Addr
-	proxyHasIPv4Address := false
-	for _, pfx := range tsIPs {
-		if !pfx.IsSingleIP() {
-			continue
-		}
-		if pfx.Addr().Is4() {
-			proxyHasIPv4Address = true
-		}
-		if pfx.Addr().Is4() != dst.Is4() {
-			continue
-		}
-		local = pfx.Addr()
-		break
-	}
-	if proxyHasIPv4Address && dst.Is6() {
-		log.Printf("Warning: proxy backend ClusterIP is an IPv6 address and the proxy has a IPv4 tailnet address. You might need to disable IPv4 address allocation for the proxy for forwarding to work. See https://github.com/tailscale/tailscale/issues/12156")
-	}
-	if !local.IsValid() {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
-	}
-	if err := nfr.AddDNATRule(local, dst); err != nil {
-		return fmt.Errorf("installing ingress proxy rules: %w", err)
-	}
-	if err := nfr.ClampMSSToPMTU("tailscale0", dst); err != nil {
-		return fmt.Errorf("installing ingress proxy rules: %w", err)
-	}
-	return nil
-}
-
-func installIngressForwardingRuleForDNSTarget(_ context.Context, backendAddrs []net.IP, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
-	var (
-		tsv4       netip.Addr
-		tsv6       netip.Addr
-		v4Backends []netip.Addr
-		v6Backends []netip.Addr
-	)
-	for _, pfx := range tsIPs {
-		if pfx.IsSingleIP() && pfx.Addr().Is4() {
-			tsv4 = pfx.Addr()
-			continue
-		}
-		if pfx.IsSingleIP() && pfx.Addr().Is6() {
-			tsv6 = pfx.Addr()
-			continue
-		}
-	}
-	// TODO: log if more than one backend address is found and firewall is
-	// in nftables mode that only the first IP will be used.
-	for _, ip := range backendAddrs {
-		if ip.To4() != nil {
-			v4Backends = append(v4Backends, netip.AddrFrom4([4]byte(ip.To4())))
-		}
-		if ip.To16() != nil {
-			v6Backends = append(v6Backends, netip.AddrFrom16([16]byte(ip.To16())))
-		}
-	}
-
-	// Enable IP forwarding here as opposed to at the start of containerboot
-	// as the IPv4/IPv6 requirements might have changed.
-	// For Kubernetes operator proxies, forwarding for both IPv4 and IPv6 is
-	// enabled by an init container, so in practice enabling forwarding here
-	// is only needed if this proxy has been configured by manually setting
-	// TS_EXPERIMENTAL_DEST_DNS_NAME env var for a containerboot instance.
-	if err := enableIPForwarding(len(v4Backends) != 0, len(v6Backends) != 0, ""); err != nil {
-		log.Printf("[unexpected] failed to ensure IP forwarding: %v", err)
-	}
-
-	updateFirewall := func(dst netip.Addr, backendTargets []netip.Addr) error {
-		if err := nfr.DNATWithLoadBalancer(dst, backendTargets); err != nil {
-			return fmt.Errorf("installing DNAT rules for ingress backends %+#v: %w", backendTargets, err)
-		}
-		// The backend might advertize MSS higher than that of the
-		// tailscale interfaces. Clamp MSS of packets going out via
-		// tailscale0 interface to its MTU to prevent broken connections
-		// in environments where path MTU discovery is not working.
-		if err := nfr.ClampMSSToPMTU("tailscale0", dst); err != nil {
-			return fmt.Errorf("adding rule to clamp traffic via tailscale0: %v", err)
-		}
-		return nil
-	}
-
-	if len(v4Backends) != 0 {
-		if !tsv4.IsValid() {
-			log.Printf("backend targets %v contain at least one IPv4 address, but this node's Tailscale IPs do not contain a valid IPv4 address: %v", backendAddrs, tsIPs)
-		} else if err := updateFirewall(tsv4, v4Backends); err != nil {
-			return fmt.Errorf("Installing IPv4 firewall rules: %w", err)
-		}
-	}
-	if len(v6Backends) != 0 && !tsv6.IsValid() {
-		if !tsv6.IsValid() {
-			log.Printf("backend targets %v contain at least one IPv6 address, but this node's Tailscale IPs do not contain a valid IPv6 address: %v", backendAddrs, tsIPs)
-		} else if !nfr.HasIPV6NAT() {
-			log.Printf("backend targets %v contain at least one IPv6 address, but the chosen firewall mode does not support IPv6 NAT", backendAddrs)
-		} else if err := updateFirewall(tsv6, v6Backends); err != nil {
-			return fmt.Errorf("Installing IPv6 firewall rules: %w", err)
-		}
-	}
-	return nil
-}

cmd/containerboot/healthz.go

@@ -1,57 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"fmt"
-	"log"
-	"net/http"
-	"sync"
-
-	"tailscale.com/kube/kubetypes"
-)
-
-// healthz is a simple health check server, if enabled it returns 200 OK if
-// this tailscale node currently has at least one tailnet IP address else
-// returns 503.
-type healthz struct {
-	sync.Mutex
-	hasAddrs bool
-	podIPv4  string
-}
-
-func (h *healthz) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	h.Lock()
-	defer h.Unlock()
-
-	if h.hasAddrs {
-		w.Header().Add(kubetypes.PodIPv4Header, h.podIPv4)
-		if _, err := w.Write([]byte("ok")); err != nil {
-			http.Error(w, fmt.Sprintf("error writing status: %v", err), http.StatusInternalServerError)
-		}
-	} else {
-		http.Error(w, "node currently has no tailscale IPs", http.StatusServiceUnavailable)
-	}
-}
-
-func (h *healthz) update(healthy bool) {
-	h.Lock()
-	defer h.Unlock()
-
-	if h.hasAddrs != healthy {
-		log.Println("Setting healthy", healthy)
-	}
-	h.hasAddrs = healthy
-}
-
-// healthHandlers registers a simple health handler at /healthz.
-// A containerized tailscale instance is considered healthy if
-// it has at least one tailnet IP address.
-func healthHandlers(mux *http.ServeMux, podIPv4 string) *healthz {
-	h := &healthz{podIPv4: podIPv4}
-	mux.Handle("GET /healthz", h)
-	return h
-}

cmd/containerboot/kube.go

@@ -8,64 +8,46 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"log"
 	"net/http"
 	"net/netip"
 	"os"
-	"strings"
-	"time"
 
-	"tailscale.com/ipn"
-	"tailscale.com/kube/kubeapi"
-	"tailscale.com/kube/kubeclient"
-	"tailscale.com/kube/kubetypes"
-	"tailscale.com/logtail/backoff"
+	"tailscale.com/kube"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
 )
 
-// kubeClient is a wrapper around Tailscale's internal kube client that knows how to talk to the kube API server. We use
-// this rather than any of the upstream Kubernetes client libaries to avoid extra imports.
-type kubeClient struct {
-	kubeclient.Client
-	stateSecret string
-	canPatch    bool // whether the client has permissions to patch Kubernetes Secrets
-}
-
-func newKubeClient(root string, stateSecret string) (*kubeClient, error) {
-	if root != "/" {
-		// If we are running in a test, we need to set the root path to the fake
-		// service account directory.
-		kubeclient.SetRootPathForTesting(root)
-	}
-	var err error
-	kc, err := kubeclient.New("tailscale-container")
+// findKeyInKubeSecret inspects the kube secret secretName for a data
+// field called "authkey", and returns its value if present.
+func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
+	s, err := kc.GetSecret(ctx, secretName)
 	if err != nil {
-		return nil, fmt.Errorf("Error creating kube client: %w", err)
+		return "", err
 	}
-	if (root != "/") || os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") == "true" {
-		// Derive the API server address from the environment variables
-		// Used to set http server in tests, or optionally enabled by flag
-		kc.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
+	ak, ok := s.Data["authkey"]
+	if !ok {
+		return "", nil
 	}
-	return &kubeClient{Client: kc, stateSecret: stateSecret}, nil
+	return string(ak), nil
 }
 
-// storeDeviceID writes deviceID to 'device_id' data field of the client's state Secret.
-func (kc *kubeClient) storeDeviceID(ctx context.Context, deviceID tailcfg.StableNodeID) error {
-	s := &kubeapi.Secret{
-		Data: map[string][]byte{
-			kubetypes.KeyDeviceID: []byte(deviceID),
-		},
+// storeDeviceInfo writes deviceID into the "device_id" data field of the kube
+// secret secretName.
+func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string, addresses []netip.Prefix) error {
+	// First check if the secret exists at all. Even if running on
+	// kubernetes, we do not necessarily store state in a k8s secret.
+	if _, err := kc.GetSecret(ctx, secretName); err != nil {
+		if s, ok := err.(*kube.Status); ok {
+			if s.Code >= 400 && s.Code <= 499 {
+				// Assume the secret doesn't exist, or we don't have
+				// permission to access it.
+				return nil
+			}
+		}
+		return err
 	}
-	return kc.StrategicMergePatchSecret(ctx, kc.stateSecret, s, "tailscale-container")
-}
 
-// storeDeviceEndpoints writes device's tailnet IPs and MagicDNS name to fields 'device_ips', 'device_fqdn' of client's
-// state Secret.
-func (kc *kubeClient) storeDeviceEndpoints(ctx context.Context, fqdn string, addresses []netip.Prefix) error {
 	var ips []string
 	for _, addr := range addresses {
 		ips = append(ips, addr.Addr().String())
@@ -75,39 +57,28 @@ func (kc *kubeClient) storeDeviceEndpoints(ctx context.Context, fqdn string, add
 		return err
 	}
 
-	s := &kubeapi.Secret{
+	m := &kube.Secret{
 		Data: map[string][]byte{
-			kubetypes.KeyDeviceFQDN: []byte(fqdn),
-			kubetypes.KeyDeviceIPs:  deviceIPs,
+			"device_id":   []byte(deviceID),
+			"device_fqdn": []byte(fqdn),
+			"device_ips":  deviceIPs,
 		},
 	}
-	return kc.StrategicMergePatchSecret(ctx, kc.stateSecret, s, "tailscale-container")
-}
-
-// storeHTTPSEndpoint writes an HTTPS endpoint exposed by this device via 'tailscale serve' to the client's state
-// Secret. In practice this will be the same value that gets written to 'device_fqdn', but this should only be called
-// when the serve config has been successfully set up.
-func (kc *kubeClient) storeHTTPSEndpoint(ctx context.Context, ep string) error {
-	s := &kubeapi.Secret{
-		Data: map[string][]byte{
-			kubetypes.KeyHTTPSEndpoint: []byte(ep),
-		},
-	}
-	return kc.StrategicMergePatchSecret(ctx, kc.stateSecret, s, "tailscale-container")
+	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
 }
 
 // deleteAuthKey deletes the 'authkey' field of the given kube
 // secret. No-op if there is no authkey in the secret.
-func (kc *kubeClient) deleteAuthKey(ctx context.Context) error {
+func deleteAuthKey(ctx context.Context, secretName string) error {
 	// m is a JSON Patch data structure, see https://jsonpatch.com/ or RFC 6902.
-	m := []kubeclient.JSONPatch{
+	m := []kube.JSONPatch{
 		{
 			Op:   "remove",
 			Path: "/data/authkey",
 		},
 	}
-	if err := kc.JSONPatchResource(ctx, kc.stateSecret, kubeclient.TypeSecrets, m); err != nil {
-		if s, ok := err.(*kubeapi.Status); ok && s.Code == http.StatusUnprocessableEntity {
+	if err := kc.JSONPatchSecret(ctx, secretName, m); err != nil {
+		if s, ok := err.(*kube.Status); ok && s.Code == http.StatusUnprocessableEntity {
 			// This is kubernetes-ese for "the field you asked to
 			// delete already doesn't exist", aka no-op.
 			return nil
@@ -117,78 +88,22 @@ func (kc *kubeClient) deleteAuthKey(ctx context.Context) error {
 	return nil
 }
 
-// storeCapVerUID stores the current capability version of tailscale and, if provided, UID of the Pod in the tailscale
-// state Secret.
-// These two fields are used by the Kubernetes Operator to observe the current capability version of tailscaled running in this container.
-func (kc *kubeClient) storeCapVerUID(ctx context.Context, podUID string) error {
-	capVerS := fmt.Sprintf("%d", tailcfg.CurrentCapabilityVersion)
-	d := map[string][]byte{
-		kubetypes.KeyCapVer: []byte(capVerS),
+var kc *kube.Client
+
+func initKube(root string) {
+	if root != "/" {
+		// If we are running in a test, we need to set the root path to the fake
+		// service account directory.
+		kube.SetRootPathForTesting(root)
 	}
-	if podUID != "" {
-		d[kubetypes.KeyPodUID] = []byte(podUID)
+	var err error
+	kc, err = kube.New()
+	if err != nil {
+		log.Fatalf("Error creating kube client: %v", err)
 	}
-	s := &kubeapi.Secret{
-		Data: d,
-	}
-	return kc.StrategicMergePatchSecret(ctx, kc.stateSecret, s, "tailscale-container")
-}
-
-// waitForConsistentState waits for tailscaled to finish writing state if it
-// looks like it's started. It is designed to reduce the likelihood that
-// tailscaled gets shut down in the window between authenticating to control
-// and finishing writing state. However, it's not bullet proof because we can't
-// atomically authenticate and write state.
-func (kc *kubeClient) waitForConsistentState(ctx context.Context) error {
-	var logged bool
-
-	bo := backoff.NewBackoff("", logger.Discard, 2*time.Second)
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-		}
-		secret, err := kc.GetSecret(ctx, kc.stateSecret)
-		if ctx.Err() != nil || kubeclient.IsNotFoundErr(err) {
-			return nil
-		}
-		if err != nil {
-			return fmt.Errorf("getting Secret %q: %v", kc.stateSecret, err)
-		}
-
-		if hasConsistentState(secret.Data) {
-			return nil
-		}
-
-		if !logged {
-			log.Printf("Waiting for tailscaled to finish writing state to Secret %q", kc.stateSecret)
-			logged = true
-		}
-		bo.BackOff(ctx, errors.New("")) // Fake error to trigger actual sleep.
+	if root != "/" {
+		// If we are running in a test, we need to set the URL to the
+		// httptest server.
+		kc.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
 	}
 }
-
-// hasConsistentState returns true is there is either no state or the full set
-// of expected keys are present.
-func hasConsistentState(d map[string][]byte) bool {
-	var (
-		_, hasCurrent = d[string(ipn.CurrentProfileStateKey)]
-		_, hasKnown   = d[string(ipn.KnownProfilesStateKey)]
-		_, hasMachine = d[string(ipn.MachineKeyStateKey)]
-		hasProfile    bool
-	)
-
-	for k := range d {
-		if strings.HasPrefix(k, "profile-") {
-			if hasProfile {
-				return false // We only expect one profile.
-			}
-			hasProfile = true
-		}
-	}
-
-	// Approximate check, we don't want to reimplement all of profileManager.
-	return (hasCurrent && hasKnown && hasMachine && hasProfile) ||
-		(!hasCurrent && !hasKnown && !hasMachine && !hasProfile)
-}

cmd/containerboot/kube_test.go

@@ -1,240 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"errors"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/ipn"
-	"tailscale.com/kube/kubeapi"
-	"tailscale.com/kube/kubeclient"
-)
-
-func TestSetupKube(t *testing.T) {
-	tests := []struct {
-		name    string
-		cfg     *settings
-		wantErr bool
-		wantCfg *settings
-		kc      *kubeClient
-	}{
-		{
-			name: "TS_AUTHKEY set, state Secret exists",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return nil, nil
-				},
-			}},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-		},
-		{
-			name: "TS_AUTHKEY set, state Secret does not exist, we have permissions to create it",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, true, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return nil, &kubeapi.Status{Code: 404}
-				},
-			}},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-		},
-		{
-			name: "TS_AUTHKEY set, state Secret does not exist, we do not have permissions to create it",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return nil, &kubeapi.Status{Code: 404}
-				},
-			}},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			wantErr: true,
-		},
-		{
-			name: "TS_AUTHKEY set, we encounter a non-404 error when trying to retrieve the state Secret",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return nil, &kubeapi.Status{Code: 403}
-				},
-			}},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			wantErr: true,
-		},
-		{
-			name: "TS_AUTHKEY set, we encounter a non-404 error when trying to check Secret permissions",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, errors.New("broken")
-				},
-			}},
-			wantErr: true,
-		},
-		{
-			// Interactive login using URL in Pod logs
-			name: "TS_AUTHKEY not set, state Secret does not exist, we have permissions to create it",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			wantCfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, true, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return nil, &kubeapi.Status{Code: 404}
-				},
-			}},
-		},
-		{
-			// Interactive login using URL in Pod logs
-			name: "TS_AUTHKEY not set, state Secret exists, but does not contain auth key",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			wantCfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return &kubeapi.Secret{}, nil
-				},
-			}},
-		},
-		{
-			name: "TS_AUTHKEY not set, state Secret contains auth key, we do not have RBAC to patch it",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return &kubeapi.Secret{Data: map[string][]byte{"authkey": []byte("foo")}}, nil
-				},
-			}},
-			wantCfg: &settings{
-				KubeSecret: "foo",
-			},
-			wantErr: true,
-		},
-		{
-			name: "TS_AUTHKEY not set, state Secret contains auth key, we have RBAC to patch it",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return true, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-					return &kubeapi.Secret{Data: map[string][]byte{"authkey": []byte("foo")}}, nil
-				},
-			}},
-			wantCfg: &settings{
-				KubeSecret:         "foo",
-				AuthKey:            "foo",
-				KubernetesCanPatch: true,
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		kc := tt.kc
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.cfg.setupKube(context.Background(), kc); (err != nil) != tt.wantErr {
-				t.Errorf("settings.setupKube() error = %v, wantErr %v", err, tt.wantErr)
-			}
-			if diff := cmp.Diff(*tt.cfg, *tt.wantCfg); diff != "" {
-				t.Errorf("unexpected contents of settings after running settings.setupKube()\n(-got +want):\n%s", diff)
-			}
-		})
-	}
-}
-
-func TestWaitForConsistentState(t *testing.T) {
-	data := map[string][]byte{
-		// Missing _current-profile.
-		string(ipn.KnownProfilesStateKey): []byte(""),
-		string(ipn.MachineKeyStateKey):    []byte(""),
-		"profile-foo":                     []byte(""),
-	}
-	kc := &kubeClient{
-		Client: &kubeclient.FakeClient{
-			GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-				return &kubeapi.Secret{
-					Data: data,
-				}, nil
-			},
-		},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	if err := kc.waitForConsistentState(ctx); err != context.DeadlineExceeded {
-		t.Fatalf("expected DeadlineExceeded, got %v", err)
-	}
-
-	ctx, cancel = context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	data[string(ipn.CurrentProfileStateKey)] = []byte("")
-	if err := kc.waitForConsistentState(ctx); err != nil {
-		t.Fatalf("expected nil, got %v", err)
-	}
-}

cmd/containerboot/main_test.go

@@ -25,16 +25,12 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/sys/unix"
 	"tailscale.com/ipn"
-	"tailscale.com/kube/egressservices"
-	"tailscale.com/kube/kubeclient"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/types/netmap"
@@ -51,13 +47,16 @@ func TestContainerBoot(t *testing.T) {
 	defer lapi.Close()
 
 	kube := kubeServer{FSRoot: d}
-	kube.Start(t)
+	if err := kube.Start(); err != nil {
+		t.Fatal(err)
+	}
 	defer kube.Close()
 
-	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: ptr.To("foo"), Version: "alpha0"}
-	serveConf := ipn.ServeConfig{TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}}}
-	egressCfg := egressSvcConfig("foo", "foo.tailnetxyz.ts.net")
-	egressStatus := egressSvcStatus("foo", "foo.tailnetxyz.ts.net")
+	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: func(s string) *string { return &s }("foo"), Version: "alpha0"}
+	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
+	if err != nil {
+		t.Fatalf("error unmarshaling tailscaled config: %v", err)
+	}
 
 	dirs := []string{
 		"var/lib",
@@ -66,7 +65,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net",
 		"proc/sys/net/ipv4",
 		"proc/sys/net/ipv6/conf/all",
-		"etc/tailscaled",
+		"etc",
 	}
 	for _, path := range dirs {
 		if err := os.MkdirAll(filepath.Join(d, path), 0700); err != nil {
@@ -81,10 +80,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net/tun":                           []byte(""),
 		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
 		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
-		"etc/tailscaled/cap-95.hujson":          mustJSON(t, tailscaledConf),
-		"etc/tailscaled/serve-config.json":      mustJSON(t, serveConf),
-		filepath.Join("etc/tailscaled/", egressservices.KeyEgressServices): mustJSON(t, egressCfg),
-		filepath.Join("etc/tailscaled/", egressservices.KeyHEPPings):       []byte("4"),
+		"etc/tailscaled":                        tailscaledConfBytes,
 	}
 	resetFiles := func() {
 		for path, content := range files {
@@ -105,29 +101,6 @@ func TestContainerBoot(t *testing.T) {
 
 	argFile := filepath.Join(d, "args")
 	runningSockPath := filepath.Join(d, "tmp/tailscaled.sock")
-	var localAddrPort, healthAddrPort int
-	for _, p := range []*int{&localAddrPort, &healthAddrPort} {
-		ln, err := net.Listen("tcp", ":0")
-		if err != nil {
-			t.Fatalf("Failed to open listener: %v", err)
-		}
-		if err := ln.Close(); err != nil {
-			t.Fatalf("Failed to close listener: %v", err)
-		}
-		port := ln.Addr().(*net.TCPAddr).Port
-		*p = port
-	}
-	metricsURL := func(port int) string {
-		return fmt.Sprintf("http://127.0.0.1:%d/metrics", port)
-	}
-	healthURL := func(port int) string {
-		return fmt.Sprintf("http://127.0.0.1:%d/healthz", port)
-	}
-	egressSvcTerminateURL := func(port int) string {
-		return fmt.Sprintf("http://127.0.0.1:%d%s", port, kubetypes.EgessServicesPreshutdownEP)
-	}
-
-	capver := fmt.Sprintf("%d", tailcfg.CurrentCapabilityVersion)
 
 	type phase struct {
 		// If non-nil, send this IPN bus notification (and remember it as the
@@ -137,31 +110,12 @@ func TestContainerBoot(t *testing.T) {
 
 		// WantCmds is the commands that containerboot should run in this phase.
 		WantCmds []string
-
 		// WantKubeSecret is the secret keys/values that should exist in the
 		// kube secret.
 		WantKubeSecret map[string]string
-
-		// Update the kube secret with these keys/values at the beginning of the
-		// phase (simulates our fake tailscaled doing it).
-		UpdateKubeSecret map[string]string
-
 		// WantFiles files that should exist in the container and their
 		// contents.
 		WantFiles map[string]string
-
-		// WantLog is a log message we expect from containerboot.
-		WantLog string
-
-		// If set for a phase, the test will expect containerboot to exit with
-		// this error code, and the test will finish on that phase without
-		// waiting for the successful startup log message.
-		WantExitCode *int
-
-		// The signal to send to containerboot at the start of the phase.
-		Signal *syscall.Signal
-
-		EndpointStatuses map[string]int
 	}
 	runningNotify := &ipn.Notify{
 		State: ptr.To(ipn.Running),
@@ -190,11 +144,6 @@ func TestContainerBoot(t *testing.T) {
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
 					},
-					// No metrics or health by default.
-					EndpointStatuses: map[string]int{
-						metricsURL(9002): -1,
-						healthURL(9002):  -1,
-					},
 				},
 				{
 					Notify: runningNotify,
@@ -400,58 +349,12 @@ func TestContainerBoot(t *testing.T) {
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "1",
-						"proc/sys/net/ipv6/conf/all/forwarding": "0",
-					},
 				},
 				{
 					Notify: runningNotify,
 				},
 			},
 		},
-		{
-			Name: "egress_proxy_fqdn_ipv6_target_on_ipv4_host",
-			Env: map[string]string{
-				"TS_AUTHKEY":               "tskey-key",
-				"TS_TAILNET_TARGET_FQDN":   "ipv6-node.test.ts.net", // resolves to IPv6 address
-				"TS_USERSPACE":             "false",
-				"TS_TEST_FAKE_NETFILTER_6": "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "1",
-						"proc/sys/net/ipv6/conf/all/forwarding": "0",
-					},
-				},
-				{
-					Notify: &ipn.Notify{
-						State: ptr.To(ipn.Running),
-						NetMap: &netmap.NetworkMap{
-							SelfNode: (&tailcfg.Node{
-								StableID:  tailcfg.StableNodeID("myID"),
-								Name:      "test-node.test.ts.net",
-								Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
-							}).View(),
-							Peers: []tailcfg.NodeView{
-								(&tailcfg.Node{
-									StableID:  tailcfg.StableNodeID("ipv6ID"),
-									Name:      "ipv6-node.test.ts.net",
-									Addresses: []netip.Prefix{netip.MustParsePrefix("::1/128")},
-								}).View(),
-							},
-						},
-					},
-					WantLog:      "no forwarding rules for egress addresses [::1/128], host supports IPv6: false",
-					WantExitCode: ptr.To(1),
-				},
-			},
-		},
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
@@ -502,11 +405,10 @@ func TestContainerBoot(t *testing.T) {
 				{
 					Notify: runningNotify,
 					WantKubeSecret: map[string]string{
-						"authkey":          "tskey-key",
-						"device_fqdn":      "test-node.test.ts.net",
-						"device_id":        "myID",
-						"device_ips":       `["100.64.0.1"]`,
-						"tailscale_capver": capver,
+						"authkey":     "tskey-key",
+						"device_fqdn": "test-node.test.ts.net",
+						"device_id":   "myID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -596,10 +498,9 @@ func TestContainerBoot(t *testing.T) {
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 					},
 					WantKubeSecret: map[string]string{
-						"device_fqdn":      "test-node.test.ts.net",
-						"device_id":        "myID",
-						"device_ips":       `["100.64.0.1"]`,
-						"tailscale_capver": capver,
+						"device_fqdn": "test-node.test.ts.net",
+						"device_id":   "myID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -626,11 +527,10 @@ func TestContainerBoot(t *testing.T) {
 				{
 					Notify: runningNotify,
 					WantKubeSecret: map[string]string{
-						"authkey":          "tskey-key",
-						"device_fqdn":      "test-node.test.ts.net",
-						"device_id":        "myID",
-						"device_ips":       `["100.64.0.1"]`,
-						"tailscale_capver": capver,
+						"authkey":     "tskey-key",
+						"device_fqdn": "test-node.test.ts.net",
+						"device_id":   "myID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 				{
@@ -645,11 +545,10 @@ func TestContainerBoot(t *testing.T) {
 						},
 					},
 					WantKubeSecret: map[string]string{
-						"authkey":          "tskey-key",
-						"device_fqdn":      "new-name.test.ts.net",
-						"device_id":        "newID",
-						"device_ips":       `["100.64.0.1"]`,
-						"tailscale_capver": capver,
+						"authkey":     "tskey-key",
+						"device_fqdn": "new-name.test.ts.net",
+						"device_id":   "newID",
+						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -739,278 +638,20 @@ func TestContainerBoot(t *testing.T) {
 			},
 		},
 		{
-			Name: "experimental tailscaled config path",
+			Name: "experimental tailscaled configfile",
 			Env: map[string]string{
-				"TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR": filepath.Join(d, "etc/tailscaled/"),
+				"EXPERIMENTAL_TS_CONFIGFILE_PATH": filepath.Join(d, "etc/tailscaled"),
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled/cap-95.hujson",
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled",
 					},
 				}, {
 					Notify: runningNotify,
 				},
 			},
 		},
-		{
-			Name: "metrics_enabled",
-			Env: map[string]string{
-				"TS_LOCAL_ADDR_PORT": fmt.Sprintf("[::]:%d", localAddrPort),
-				"TS_ENABLE_METRICS":  "true",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-					},
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): 200,
-						healthURL(localAddrPort):  -1,
-					},
-				}, {
-					Notify: runningNotify,
-				},
-			},
-		},
-		{
-			Name: "health_enabled",
-			Env: map[string]string{
-				"TS_LOCAL_ADDR_PORT":     fmt.Sprintf("[::]:%d", localAddrPort),
-				"TS_ENABLE_HEALTH_CHECK": "true",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-					},
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): -1,
-						healthURL(localAddrPort):  503, // Doesn't start passing until the next phase.
-					},
-				}, {
-					Notify: runningNotify,
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): -1,
-						healthURL(localAddrPort):  200,
-					},
-				},
-			},
-		},
-		{
-			Name: "metrics_and_health_on_same_port",
-			Env: map[string]string{
-				"TS_LOCAL_ADDR_PORT":     fmt.Sprintf("[::]:%d", localAddrPort),
-				"TS_ENABLE_METRICS":      "true",
-				"TS_ENABLE_HEALTH_CHECK": "true",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-					},
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): 200,
-						healthURL(localAddrPort):  503, // Doesn't start passing until the next phase.
-					},
-				}, {
-					Notify: runningNotify,
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): 200,
-						healthURL(localAddrPort):  200,
-					},
-				},
-			},
-		},
-		{
-			Name: "local_metrics_and_deprecated_health",
-			Env: map[string]string{
-				"TS_LOCAL_ADDR_PORT":       fmt.Sprintf("[::]:%d", localAddrPort),
-				"TS_ENABLE_METRICS":        "true",
-				"TS_HEALTHCHECK_ADDR_PORT": fmt.Sprintf("[::]:%d", healthAddrPort),
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
-					},
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): 200,
-						healthURL(healthAddrPort): 503, // Doesn't start passing until the next phase.
-					},
-				}, {
-					Notify: runningNotify,
-					EndpointStatuses: map[string]int{
-						metricsURL(localAddrPort): 200,
-						healthURL(healthAddrPort): 200,
-					},
-				},
-			},
-		},
-		{
-			Name: "serve_config_no_kube",
-			Env: map[string]string{
-				"TS_SERVE_CONFIG": filepath.Join(d, "etc/tailscaled/serve-config.json"),
-				"TS_AUTHKEY":      "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-				},
-				{
-					Notify: runningNotify,
-				},
-			},
-		},
-		{
-			Name: "serve_config_kube",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_SERVE_CONFIG":               filepath.Join(d, "etc/tailscaled/serve-config.json"),
-			},
-			KubeSecret: map[string]string{
-				"authkey": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-				},
-				{
-					Notify: runningNotify,
-					WantKubeSecret: map[string]string{
-						"authkey":          "tskey-key",
-						"device_fqdn":      "test-node.test.ts.net",
-						"device_id":        "myID",
-						"device_ips":       `["100.64.0.1"]`,
-						"https_endpoint":   "no-https",
-						"tailscale_capver": capver,
-					},
-				},
-			},
-		},
-		{
-			Name: "egress_svcs_config_kube",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_EGRESS_PROXIES_CONFIG_PATH": filepath.Join(d, "etc/tailscaled"),
-				"TS_LOCAL_ADDR_PORT":            fmt.Sprintf("[::]:%d", localAddrPort),
-			},
-			KubeSecret: map[string]string{
-				"authkey": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-					EndpointStatuses: map[string]int{
-						egressSvcTerminateURL(localAddrPort): 200,
-					},
-				},
-				{
-					Notify: runningNotify,
-					WantKubeSecret: map[string]string{
-						"egress-services":  mustBase64(t, egressStatus),
-						"authkey":          "tskey-key",
-						"device_fqdn":      "test-node.test.ts.net",
-						"device_id":        "myID",
-						"device_ips":       `["100.64.0.1"]`,
-						"tailscale_capver": capver,
-					},
-					EndpointStatuses: map[string]int{
-						egressSvcTerminateURL(localAddrPort): 200,
-					},
-				},
-			},
-		},
-		{
-			Name: "egress_svcs_config_no_kube",
-			Env: map[string]string{
-				"TS_EGRESS_PROXIES_CONFIG_PATH": filepath.Join(d, "etc/tailscaled"),
-				"TS_AUTHKEY":                    "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantLog:      "TS_EGRESS_PROXIES_CONFIG_PATH is only supported for Tailscale running on Kubernetes",
-					WantExitCode: ptr.To(1),
-				},
-			},
-		},
-		{
-			Name: "kube_shutdown_during_state_write",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_ENABLE_HEALTH_CHECK":        "true",
-			},
-			KubeSecret: map[string]string{
-				"authkey": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					// Normal startup.
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-				},
-				{
-					// SIGTERM before state is finished writing, should wait for
-					// consistent state before propagating SIGTERM to tailscaled.
-					Signal: ptr.To(unix.SIGTERM),
-					UpdateKubeSecret: map[string]string{
-						"_machinekey":  "foo",
-						"_profiles":    "foo",
-						"profile-baff": "foo",
-						// Missing "_current-profile" key.
-					},
-					WantKubeSecret: map[string]string{
-						"authkey":      "tskey-key",
-						"_machinekey":  "foo",
-						"_profiles":    "foo",
-						"profile-baff": "foo",
-					},
-					WantLog: "Waiting for tailscaled to finish writing state to Secret \"tailscale\"",
-				},
-				{
-					// tailscaled has finished writing state, should propagate SIGTERM.
-					UpdateKubeSecret: map[string]string{
-						"_current-profile": "foo",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey":          "tskey-key",
-						"_machinekey":      "foo",
-						"_profiles":        "foo",
-						"profile-baff":     "foo",
-						"_current-profile": "foo",
-					},
-					WantLog:      "HTTP server at [::]:9002 closed",
-					WantExitCode: ptr.To(0),
-				},
-			},
-		},
 	}
 
 	for _, test := range tests {
@@ -1055,36 +696,7 @@ func TestContainerBoot(t *testing.T) {
 
 			var wantCmds []string
 			for i, p := range test.Phases {
-				for k, v := range p.UpdateKubeSecret {
-					kube.SetSecret(k, v)
-				}
 				lapi.Notify(p.Notify)
-				if p.Signal != nil {
-					cmd.Process.Signal(*p.Signal)
-				}
-				if p.WantLog != "" {
-					err := tstest.WaitFor(2*time.Second, func() error {
-						waitLogLine(t, time.Second, cbOut, p.WantLog)
-						return nil
-					})
-					if err != nil {
-						t.Fatal(err)
-					}
-				}
-
-				if p.WantExitCode != nil {
-					state, err := cmd.Process.Wait()
-					if err != nil {
-						t.Fatal(err)
-					}
-					if state.ExitCode() != *p.WantExitCode {
-						t.Fatalf("phase %d: want exit code %d, got %d", i, *p.WantExitCode, state.ExitCode())
-					}
-
-					// Early test return, we don't expect the successful startup log message.
-					return
-				}
-
 				wantCmds = append(wantCmds, p.WantCmds...)
 				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
 				err := tstest.WaitFor(2*time.Second, func() error {
@@ -1117,32 +729,10 @@ func TestContainerBoot(t *testing.T) {
 					return nil
 				})
 				if err != nil {
-					t.Fatalf("phase %d: %v", i, err)
-				}
-
-				for url, want := range p.EndpointStatuses {
-					err := tstest.WaitFor(2*time.Second, func() error {
-						resp, err := http.Get(url)
-						if err != nil && want != -1 {
-							return fmt.Errorf("GET %s: %v", url, err)
-						}
-						if want > 0 && resp.StatusCode != want {
-							defer resp.Body.Close()
-							body, _ := io.ReadAll(resp.Body)
-							return fmt.Errorf("GET %s, want %d, got %d\n%s", url, want, resp.StatusCode, string(body))
-						}
-
-						return nil
-					})
-					if err != nil {
-						t.Fatalf("phase %d: %v", i, err)
-					}
+					t.Fatal(err)
 				}
 			}
 			waitLogLine(t, 2*time.Second, cbOut, "Startup complete, waiting for shutdown signal")
-			if cmd.ProcessState != nil {
-				t.Fatalf("containerboot should be running but exited with exit code %d", cmd.ProcessState.ExitCode())
-			}
 		})
 	}
 }
@@ -1298,12 +888,6 @@ func (l *localAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "GET" {
 			panic(fmt.Sprintf("unsupported method %q", r.Method))
 		}
-	case "/localapi/v0/usermetrics":
-		if r.Method != "GET" {
-			panic(fmt.Sprintf("unsupported method %q", r.Method))
-		}
-		w.Write([]byte("fake metrics"))
-		return
 	default:
 		panic(fmt.Sprintf("unsupported path %q", r.URL.Path))
 	}
@@ -1374,18 +958,18 @@ func (k *kubeServer) Reset() {
 	k.secret = map[string]string{}
 }
 
-func (k *kubeServer) Start(t *testing.T) {
+func (k *kubeServer) Start() error {
 	root := filepath.Join(k.FSRoot, "var/run/secrets/kubernetes.io/serviceaccount")
 
 	if err := os.MkdirAll(root, 0700); err != nil {
-		t.Fatal(err)
+		return err
 	}
 
 	if err := os.WriteFile(filepath.Join(root, "namespace"), []byte("default"), 0600); err != nil {
-		t.Fatal(err)
+		return err
 	}
 	if err := os.WriteFile(filepath.Join(root, "token"), []byte("bearer_token"), 0600); err != nil {
-		t.Fatal(err)
+		return err
 	}
 
 	k.srv = httptest.NewTLSServer(k)
@@ -1394,11 +978,13 @@ func (k *kubeServer) Start(t *testing.T) {
 
 	var cert bytes.Buffer
 	if err := pem.Encode(&cert, &pem.Block{Type: "CERTIFICATE", Bytes: k.srv.Certificate().Raw}); err != nil {
-		t.Fatal(err)
+		return err
 	}
 	if err := os.WriteFile(filepath.Join(root, "ca.crt"), cert.Bytes(), 0600); err != nil {
-		t.Fatal(err)
+		return err
 	}
+
+	return nil
 }
 
 func (k *kubeServer) Close() {
@@ -1447,7 +1033,6 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, fmt.Sprintf("reading request body: %v", err), http.StatusInternalServerError)
 		return
 	}
-	defer r.Body.Close()
 
 	switch r.Method {
 	case "GET":
@@ -1480,32 +1065,13 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
 			}
 			for _, op := range req {
-				switch op.Op {
-				case "remove":
-					if !strings.HasPrefix(op.Path, "/data/") {
-						panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
-					}
-					delete(k.secret, strings.TrimPrefix(op.Path, "/data/"))
-				case "replace":
-					path, ok := strings.CutPrefix(op.Path, "/data/")
-					if !ok {
-						panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
-					}
-					req := make([]kubeclient.JSONPatch, 0)
-					if err := json.Unmarshal(bs, &req); err != nil {
-						panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
-					}
-
-					for _, patch := range req {
-						val, ok := patch.Value.(string)
-						if !ok {
-							panic(fmt.Sprintf("unsupported json patch value %v: cannot be converted to string", patch.Value))
-						}
-						k.secret[path] = val
-					}
-				default:
+				if op.Op != "remove" {
 					panic(fmt.Sprintf("unsupported json-patch op %q", op.Op))
 				}
+				if !strings.HasPrefix(op.Path, "/data/") {
+					panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
+				}
+				delete(k.secret, strings.TrimPrefix(op.Path, "/data/"))
 			}
 		case "application/strategic-merge-patch+json":
 			req := struct {
@@ -1521,44 +1087,6 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 			panic(fmt.Sprintf("unknown content type %q", r.Header.Get("Content-Type")))
 		}
 	default:
-		panic(fmt.Sprintf("unhandled HTTP request %s %s", r.Method, r.URL))
-	}
-}
-
-func mustBase64(t *testing.T, v any) string {
-	b := mustJSON(t, v)
-	s := base64.StdEncoding.WithPadding('=').EncodeToString(b)
-	return s
-}
-
-func mustJSON(t *testing.T, v any) []byte {
-	b, err := json.Marshal(v)
-	if err != nil {
-		t.Fatalf("error converting %v to json: %v", v, err)
-	}
-	return b
-}
-
-// egress services status given one named tailnet target specified by FQDN. As written by the proxy to its state Secret.
-func egressSvcStatus(name, fqdn string) egressservices.Status {
-	return egressservices.Status{
-		Services: map[string]*egressservices.ServiceStatus{
-			name: {
-				TailnetTarget: egressservices.TailnetTarget{
-					FQDN: fqdn,
-				},
-			},
-		},
-	}
-}
-
-// egress config given one named tailnet target specified by FQDN.
-func egressSvcConfig(name, fqdn string) egressservices.Configs {
-	return egressservices.Configs{
-		name: egressservices.Config{
-			TailnetTarget: egressservices.TailnetTarget{
-				FQDN: fqdn,
-			},
-		},
+		panic(fmt.Sprintf("unhandled HTTP method %q", r.Method))
 	}
 }

cmd/containerboot/metrics.go

@@ -1,79 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// metrics is a simple metrics HTTP server, if enabled it forwards requests to
-// the tailscaled's LocalAPI usermetrics endpoint at /localapi/v0/usermetrics.
-type metrics struct {
-	debugEndpoint string
-	lc            *local.Client
-}
-
-func proxy(w http.ResponseWriter, r *http.Request, url string, do func(*http.Request) (*http.Response, error)) {
-	req, err := http.NewRequestWithContext(r.Context(), r.Method, url, r.Body)
-	if err != nil {
-		http.Error(w, fmt.Sprintf("failed to construct request: %s", err), http.StatusInternalServerError)
-		return
-	}
-	req.Header = r.Header.Clone()
-
-	resp, err := do(req)
-	if err != nil {
-		http.Error(w, fmt.Sprintf("failed to proxy request: %s", err), http.StatusInternalServerError)
-		return
-	}
-	defer resp.Body.Close()
-
-	for key, val := range resp.Header {
-		for _, v := range val {
-			w.Header().Add(key, v)
-		}
-	}
-	w.WriteHeader(resp.StatusCode)
-	if _, err := io.Copy(w, resp.Body); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-	}
-}
-
-func (m *metrics) handleMetrics(w http.ResponseWriter, r *http.Request) {
-	localAPIURL := "http://" + apitype.LocalAPIHost + "/localapi/v0/usermetrics"
-	proxy(w, r, localAPIURL, m.lc.DoLocalRequest)
-}
-
-func (m *metrics) handleDebug(w http.ResponseWriter, r *http.Request) {
-	if m.debugEndpoint == "" {
-		http.Error(w, "debug endpoint not configured", http.StatusNotFound)
-		return
-	}
-
-	debugURL := "http://" + m.debugEndpoint + r.URL.Path
-	proxy(w, r, debugURL, http.DefaultClient.Do)
-}
-
-// metricsHandlers registers a simple HTTP metrics handler at /metrics, forwarding
-// requests to tailscaled's /localapi/v0/usermetrics API.
-//
-// In 1.78.x and 1.80.x, it also proxies debug paths to tailscaled's debug
-// endpoint if configured to ease migration for a breaking change serving user
-// metrics instead of debug metrics on the "metrics" port.
-func metricsHandlers(mux *http.ServeMux, lc *local.Client, debugAddrPort string) {
-	m := &metrics{
-		lc:            lc,
-		debugEndpoint: debugAddrPort,
-	}
-
-	mux.HandleFunc("GET /metrics", m.handleMetrics)
-	mux.HandleFunc("/debug/", m.handleDebug) // TODO(tomhjp): Remove for 1.82.0 release.
-}

cmd/containerboot/serve.go

@@ -1,171 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"log"
-	"os"
-	"path/filepath"
-	"reflect"
-	"sync/atomic"
-	"time"
-
-	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/local"
-	"tailscale.com/ipn"
-	"tailscale.com/kube/kubetypes"
-	"tailscale.com/types/netmap"
-)
-
-// watchServeConfigChanges watches path for changes, and when it sees one, reads
-// the serve config from it, replacing ${TS_CERT_DOMAIN} with certDomain, and
-// applies it to lc. It exits when ctx is canceled. cdChanged is a channel that
-// is written to when the certDomain changes, causing the serve config to be
-// re-read and applied.
-func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *local.Client, kc *kubeClient, cfg *settings) {
-	if certDomainAtomic == nil {
-		panic("certDomainAtomic must not be nil")
-	}
-
-	var tickChan <-chan time.Time
-	var eventChan <-chan fsnotify.Event
-	if w, err := fsnotify.NewWatcher(); err != nil {
-		// Creating a new fsnotify watcher would fail for example if inotify was not able to create a new file descriptor.
-		// See https://github.com/tailscale/tailscale/issues/15081
-		log.Printf("serve proxy: failed to create fsnotify watcher, timer-only mode: %v", err)
-		ticker := time.NewTicker(5 * time.Second)
-		defer ticker.Stop()
-		tickChan = ticker.C
-	} else {
-		defer w.Close()
-		if err := w.Add(filepath.Dir(cfg.ServeConfigPath)); err != nil {
-			log.Fatalf("serve proxy: failed to add fsnotify watch: %v", err)
-		}
-		eventChan = w.Events
-	}
-
-	var certDomain string
-	var prevServeConfig *ipn.ServeConfig
-	var cm certManager
-	if cfg.CertShareMode == "rw" {
-		cm = certManager{
-			lc: lc,
-		}
-	}
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-cdChanged:
-			certDomain = *certDomainAtomic.Load()
-		case <-tickChan:
-		case <-eventChan:
-			// We can't do any reasonable filtering on the event because of how
-			// k8s handles these mounts. So just re-read the file and apply it
-			// if it's changed.
-		}
-		sc, err := readServeConfig(cfg.ServeConfigPath, certDomain)
-		if err != nil {
-			log.Fatalf("serve proxy: failed to read serve config: %v", err)
-		}
-		if sc == nil {
-			log.Printf("serve proxy: no serve config at %q, skipping", cfg.ServeConfigPath)
-			continue
-		}
-		if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
-			continue
-		}
-		if err := updateServeConfig(ctx, sc, certDomain, lc); err != nil {
-			log.Fatalf("serve proxy: error updating serve config: %v", err)
-		}
-		if kc != nil && kc.canPatch {
-			if err := kc.storeHTTPSEndpoint(ctx, certDomain); err != nil {
-				log.Fatalf("serve proxy: error storing HTTPS endpoint: %v", err)
-			}
-		}
-		prevServeConfig = sc
-		if cfg.CertShareMode != "rw" {
-			continue
-		}
-		if err := cm.ensureCertLoops(ctx, sc); err != nil {
-			log.Fatalf("serve proxy: error ensuring cert loops: %v", err)
-		}
-	}
-}
-
-func certDomainFromNetmap(nm *netmap.NetworkMap) string {
-	if len(nm.DNS.CertDomains) == 0 {
-		return ""
-	}
-	return nm.DNS.CertDomains[0]
-}
-
-// localClient is a subset of [local.Client] that can be mocked for testing.
-type localClient interface {
-	SetServeConfig(context.Context, *ipn.ServeConfig) error
-	CertPair(context.Context, string) ([]byte, []byte, error)
-}
-
-func updateServeConfig(ctx context.Context, sc *ipn.ServeConfig, certDomain string, lc localClient) error {
-	if !isValidHTTPSConfig(certDomain, sc) {
-		return nil
-	}
-	log.Printf("serve proxy: applying serve config")
-	return lc.SetServeConfig(ctx, sc)
-}
-
-func isValidHTTPSConfig(certDomain string, sc *ipn.ServeConfig) bool {
-	if certDomain == kubetypes.ValueNoHTTPS && hasHTTPSEndpoint(sc) {
-		log.Printf(
-			`serve proxy: this node is configured as a proxy that exposes an HTTPS endpoint to tailnet,
-		(perhaps a Kubernetes operator Ingress proxy) but it is not able to issue TLS certs, so this will likely not work.
-		To make it work, ensure that HTTPS is enabled for your tailnet, see https://tailscale.com/kb/1153/enabling-https for more details.`)
-		return false
-	}
-	return true
-}
-
-func hasHTTPSEndpoint(cfg *ipn.ServeConfig) bool {
-	if cfg == nil {
-		return false
-	}
-	for _, tcpCfg := range cfg.TCP {
-		if tcpCfg.HTTPS {
-			return true
-		}
-	}
-	return false
-}
-
-// readServeConfig reads the ipn.ServeConfig from path, replacing
-// ${TS_CERT_DOMAIN} with certDomain.
-func readServeConfig(path, certDomain string) (*ipn.ServeConfig, error) {
-	if path == "" {
-		return nil, nil
-	}
-	j, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil
-		}
-		return nil, err
-	}
-	// Serve config can be provided by users as well as the Kubernetes Operator (for its proxies). User-provided
-	// config could be empty for reasons.
-	if len(j) == 0 {
-		log.Printf("serve proxy: serve config file is empty, skipping")
-		return nil, nil
-	}
-	j = bytes.ReplaceAll(j, []byte("${TS_CERT_DOMAIN}"), []byte(certDomain))
-	var sc ipn.ServeConfig
-	if err := json.Unmarshal(j, &sc); err != nil {
-		return nil, err
-	}
-	return &sc, nil
-}

cmd/containerboot/serve_test.go

@@ -1,271 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/client/local"
-	"tailscale.com/ipn"
-	"tailscale.com/kube/kubetypes"
-)
-
-func TestUpdateServeConfig(t *testing.T) {
-	tests := []struct {
-		name       string
-		sc         *ipn.ServeConfig
-		certDomain string
-		wantCall   bool
-	}{
-		{
-			name: "no_https_no_cert_domain",
-			sc: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					80: {HTTP: true},
-				},
-			},
-			certDomain: kubetypes.ValueNoHTTPS, // tailnet has HTTPS disabled
-			wantCall:   true,                   // should set serve config as it doesn't have HTTPS endpoints
-		},
-		{
-			name: "https_with_cert_domain",
-			sc: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					443: {HTTPS: true},
-				},
-				Web: map[ipn.HostPort]*ipn.WebServerConfig{
-					"${TS_CERT_DOMAIN}:443": {
-						Handlers: map[string]*ipn.HTTPHandler{
-							"/": {Proxy: "http://10.0.1.100:8080"},
-						},
-					},
-				},
-			},
-			certDomain: "test-node.tailnet.ts.net",
-			wantCall:   true,
-		},
-		{
-			name: "https_without_cert_domain",
-			sc: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					443: {HTTPS: true},
-				},
-			},
-			certDomain: kubetypes.ValueNoHTTPS,
-			wantCall:   false, // incorrect configuration- should not set serve config
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			fakeLC := &fakeLocalClient{}
-			err := updateServeConfig(context.Background(), tt.sc, tt.certDomain, fakeLC)
-			if err != nil {
-				t.Errorf("updateServeConfig() error = %v", err)
-			}
-			if fakeLC.setServeCalled != tt.wantCall {
-				t.Errorf("SetServeConfig() called = %v, want %v", fakeLC.setServeCalled, tt.wantCall)
-			}
-		})
-	}
-}
-
-func TestReadServeConfig(t *testing.T) {
-	tests := []struct {
-		name       string
-		gotSC      string
-		certDomain string
-		wantSC     *ipn.ServeConfig
-		wantErr    bool
-	}{
-		{
-			name: "empty_file",
-		},
-		{
-			name: "valid_config_with_cert_domain_placeholder",
-			gotSC: `{
-				"TCP": {
-					"443": {
-						"HTTPS": true
-					}
-				},
-				"Web": {
-					"${TS_CERT_DOMAIN}:443": {
-					"Handlers": {
-						"/api": {
-							"Proxy": "https://10.2.3.4/api"
-						}}}}}`,
-			certDomain: "example.com",
-			wantSC: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					443: {
-						HTTPS: true,
-					},
-				},
-				Web: map[ipn.HostPort]*ipn.WebServerConfig{
-					ipn.HostPort("example.com:443"): {
-						Handlers: map[string]*ipn.HTTPHandler{
-							"/api": {
-								Proxy: "https://10.2.3.4/api",
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			name: "valid_config_for_http_proxy",
-			gotSC: `{
-				"TCP": {
-					"80": {
-						"HTTP": true
-					}
-				}}`,
-			wantSC: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					80: {
-						HTTP: true,
-					},
-				},
-			},
-		},
-		{
-			name: "config_without_cert_domain",
-			gotSC: `{
-				"TCP": {
-					"443": {
-						"HTTPS": true
-					}
-				},
-				"Web": {
-					"localhost:443": {
-					"Handlers": {
-						"/api": {
-							"Proxy": "https://10.2.3.4/api"
-						}}}}}`,
-			certDomain: "",
-			wantErr:    false,
-			wantSC: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					443: {
-						HTTPS: true,
-					},
-				},
-				Web: map[ipn.HostPort]*ipn.WebServerConfig{
-					ipn.HostPort("localhost:443"): {
-						Handlers: map[string]*ipn.HTTPHandler{
-							"/api": {
-								Proxy: "https://10.2.3.4/api",
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			name:    "invalid_json",
-			gotSC:   "invalid json",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			dir := t.TempDir()
-			path := filepath.Join(dir, "serve-config.json")
-			if err := os.WriteFile(path, []byte(tt.gotSC), 0644); err != nil {
-				t.Fatal(err)
-			}
-
-			got, err := readServeConfig(path, tt.certDomain)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("readServeConfig() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !cmp.Equal(got, tt.wantSC) {
-				t.Errorf("readServeConfig() diff (-got +want):\n%s", cmp.Diff(got, tt.wantSC))
-			}
-		})
-	}
-}
-
-type fakeLocalClient struct {
-	*local.Client
-	setServeCalled bool
-}
-
-func (m *fakeLocalClient) SetServeConfig(ctx context.Context, cfg *ipn.ServeConfig) error {
-	m.setServeCalled = true
-	return nil
-}
-
-func (m *fakeLocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return nil, nil, nil
-}
-
-func TestHasHTTPSEndpoint(t *testing.T) {
-	tests := []struct {
-		name string
-		cfg  *ipn.ServeConfig
-		want bool
-	}{
-		{
-			name: "nil_config",
-			cfg:  nil,
-			want: false,
-		},
-		{
-			name: "empty_config",
-			cfg:  &ipn.ServeConfig{},
-			want: false,
-		},
-		{
-			name: "no_https_endpoints",
-			cfg: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					80: {
-						HTTPS: false,
-					},
-				},
-			},
-			want: false,
-		},
-		{
-			name: "has_https_endpoint",
-			cfg: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					443: {
-						HTTPS: true,
-					},
-				},
-			},
-			want: true,
-		},
-		{
-			name: "mixed_endpoints",
-			cfg: &ipn.ServeConfig{
-				TCP: map[uint16]*ipn.TCPPortHandler{
-					80:  {HTTPS: false},
-					443: {HTTPS: true},
-				},
-			},
-			want: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := hasHTTPSEndpoint(tt.cfg)
-			if got != tt.want {
-				t.Errorf("hasHTTPSEndpoint() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

cmd/containerboot/services.go

@@ -1,757 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"log"
-	"net/http"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"reflect"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/local"
-	"tailscale.com/ipn"
-	"tailscale.com/kube/egressservices"
-	"tailscale.com/kube/kubeclient"
-	"tailscale.com/kube/kubetypes"
-	"tailscale.com/syncs"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/httpm"
-	"tailscale.com/util/linuxfw"
-	"tailscale.com/util/mak"
-)
-
-const tailscaleTunInterface = "tailscale0"
-
-// This file contains functionality to run containerboot as a proxy that can
-// route cluster traffic to one or more tailnet targets, based on portmapping
-// rules read from a configfile. Currently (9/2024) this is only used for the
-// Kubernetes operator egress proxies.
-
-// egressProxy knows how to configure firewall rules to route cluster traffic to
-// one or more tailnet services.
-type egressProxy struct {
-	cfgPath string // path to a directory with egress services config files
-
-	nfr linuxfw.NetfilterRunner // never nil
-
-	kc          kubeclient.Client // never nil
-	stateSecret string            // name of the kube state Secret
-
-	tsClient *local.Client // never nil
-
-	netmapChan chan ipn.Notify // chan to receive netmap updates on
-
-	podIPv4 string // never empty string, currently only IPv4 is supported
-
-	// tailnetFQDNs is the egress service FQDN to tailnet IP mappings that
-	// were last used to configure firewall rules for this proxy.
-	// TODO(irbekrm): target addresses are also stored in the state Secret.
-	// Evaluate whether we should retrieve them from there and not store in
-	// memory at all.
-	targetFQDNs map[string][]netip.Prefix
-
-	tailnetAddrs []netip.Prefix // tailnet IPs of this tailnet device
-
-	// shortSleep is the backoff sleep between healthcheck endpoint calls - can be overridden in tests.
-	shortSleep time.Duration
-	// longSleep is the time to sleep after the routing rules are updated to increase the chance that kube
-	// proxies on all nodes have updated their routing configuration. It can be configured to 0 in
-	// tests.
-	longSleep time.Duration
-	// client is a client that can send HTTP requests.
-	client httpClient
-}
-
-// httpClient is a client that can send HTTP requests and can be mocked in tests.
-type httpClient interface {
-	Do(*http.Request) (*http.Response, error)
-}
-
-// run configures egress proxy firewall rules and ensures that the firewall rules are reconfigured when:
-// - the mounted egress config has changed
-// - the proxy's tailnet IP addresses have changed
-// - tailnet IPs have changed for any backend targets specified by tailnet FQDN
-func (ep *egressProxy) run(ctx context.Context, n ipn.Notify, opts egressProxyRunOpts) error {
-	ep.configure(opts)
-	var tickChan <-chan time.Time
-	var eventChan <-chan fsnotify.Event
-	// TODO (irbekrm): take a look if this can be pulled into a single func
-	// shared with serve config loader.
-	if w, err := fsnotify.NewWatcher(); err != nil {
-		log.Printf("failed to create fsnotify watcher, timer-only mode: %v", err)
-		ticker := time.NewTicker(5 * time.Second)
-		defer ticker.Stop()
-		tickChan = ticker.C
-	} else {
-		defer w.Close()
-		if err := w.Add(ep.cfgPath); err != nil {
-			return fmt.Errorf("failed to add fsnotify watch: %w", err)
-		}
-		eventChan = w.Events
-	}
-
-	if err := ep.sync(ctx, n); err != nil {
-		return err
-	}
-	for {
-		select {
-		case <-ctx.Done():
-			return nil
-		case <-tickChan:
-			log.Printf("periodic sync, ensuring firewall config is up to date...")
-		case <-eventChan:
-			log.Printf("config file change detected, ensuring firewall config is up to date...")
-		case n = <-ep.netmapChan:
-			shouldResync := ep.shouldResync(n)
-			if !shouldResync {
-				continue
-			}
-			log.Printf("netmap change detected, ensuring firewall config is up to date...")
-		}
-		if err := ep.sync(ctx, n); err != nil {
-			return fmt.Errorf("error syncing egress service config: %w", err)
-		}
-	}
-}
-
-type egressProxyRunOpts struct {
-	cfgPath      string
-	nfr          linuxfw.NetfilterRunner
-	kc           kubeclient.Client
-	tsClient     *local.Client
-	stateSecret  string
-	netmapChan   chan ipn.Notify
-	podIPv4      string
-	tailnetAddrs []netip.Prefix
-}
-
-// applyOpts configures egress proxy using the provided options.
-func (ep *egressProxy) configure(opts egressProxyRunOpts) {
-	ep.cfgPath = opts.cfgPath
-	ep.nfr = opts.nfr
-	ep.kc = opts.kc
-	ep.tsClient = opts.tsClient
-	ep.stateSecret = opts.stateSecret
-	ep.netmapChan = opts.netmapChan
-	ep.podIPv4 = opts.podIPv4
-	ep.tailnetAddrs = opts.tailnetAddrs
-	ep.client = &http.Client{} // default HTTP client
-	ep.shortSleep = time.Second
-	ep.longSleep = time.Second * 10
-}
-
-// sync triggers an egress proxy config resync. The resync calculates the diff between config and status to determine if
-// any firewall rules need to be updated. Currently using status in state Secret as a reference for what is the current
-// firewall configuration is good enough because - the status is keyed by the Pod IP - we crash the Pod on errors such
-// as failed firewall update
-func (ep *egressProxy) sync(ctx context.Context, n ipn.Notify) error {
-	cfgs, err := ep.getConfigs()
-	if err != nil {
-		return fmt.Errorf("error retrieving egress service configs: %w", err)
-	}
-	status, err := ep.getStatus(ctx)
-	if err != nil {
-		return fmt.Errorf("error retrieving current egress proxy status: %w", err)
-	}
-	newStatus, err := ep.syncEgressConfigs(cfgs, status, n)
-	if err != nil {
-		return fmt.Errorf("error syncing egress service configs: %w", err)
-	}
-	if !servicesStatusIsEqual(newStatus, status) {
-		if err := ep.setStatus(ctx, newStatus, n); err != nil {
-			return fmt.Errorf("error setting egress proxy status: %w", err)
-		}
-	}
-	return nil
-}
-
-// addrsHaveChanged returns true if the provided netmap update contains tailnet address change for this proxy node.
-// Netmap must not be nil.
-func (ep *egressProxy) addrsHaveChanged(n ipn.Notify) bool {
-	return !reflect.DeepEqual(ep.tailnetAddrs, n.NetMap.SelfNode.Addresses())
-}
-
-// syncEgressConfigs adds and deletes firewall rules to match the desired
-// configuration. It uses the provided status to determine what is currently
-// applied and updates the status after a successful sync.
-func (ep *egressProxy) syncEgressConfigs(cfgs *egressservices.Configs, status *egressservices.Status, n ipn.Notify) (*egressservices.Status, error) {
-	if !(wantsServicesConfigured(cfgs) || hasServicesConfigured(status)) {
-		return nil, nil
-	}
-
-	// Delete unnecessary services.
-	if err := ep.deleteUnnecessaryServices(cfgs, status); err != nil {
-		return nil, fmt.Errorf("error deleting services: %w", err)
-
-	}
-	newStatus := &egressservices.Status{}
-	if !wantsServicesConfigured(cfgs) {
-		return newStatus, nil
-	}
-
-	// Add new services, update rules for any that have changed.
-	rulesPerSvcToAdd := make(map[string][]rule, 0)
-	rulesPerSvcToDelete := make(map[string][]rule, 0)
-	for svcName, cfg := range *cfgs {
-		tailnetTargetIPs, err := ep.tailnetTargetIPsForSvc(cfg, n)
-		if err != nil {
-			return nil, fmt.Errorf("error determining tailnet target IPs: %w", err)
-		}
-		rulesToAdd, rulesToDelete, err := updatesForCfg(svcName, cfg, status, tailnetTargetIPs)
-		if err != nil {
-			return nil, fmt.Errorf("error validating service changes: %v", err)
-		}
-		log.Printf("syncegressservices: looking at svc %s rulesToAdd %d rulesToDelete %d", svcName, len(rulesToAdd), len(rulesToDelete))
-		if len(rulesToAdd) != 0 {
-			mak.Set(&rulesPerSvcToAdd, svcName, rulesToAdd)
-		}
-		if len(rulesToDelete) != 0 {
-			mak.Set(&rulesPerSvcToDelete, svcName, rulesToDelete)
-		}
-		if len(rulesToAdd) != 0 || ep.addrsHaveChanged(n) {
-			// For each tailnet target, set up SNAT from the local tailnet device address of the matching
-			// family.
-			for _, t := range tailnetTargetIPs {
-				var local netip.Addr
-				for _, pfx := range n.NetMap.SelfNode.Addresses().All() {
-					if !pfx.IsSingleIP() {
-						continue
-					}
-					if pfx.Addr().Is4() != t.Is4() {
-						continue
-					}
-					local = pfx.Addr()
-					break
-				}
-				if !local.IsValid() {
-					return nil, fmt.Errorf("no valid local IP: %v", local)
-				}
-				if err := ep.nfr.EnsureSNATForDst(local, t); err != nil {
-					return nil, fmt.Errorf("error setting up SNAT rule: %w", err)
-				}
-			}
-		}
-		// Update the status. Status will be written back to the state Secret by the caller.
-		mak.Set(&newStatus.Services, svcName, &egressservices.ServiceStatus{TailnetTargetIPs: tailnetTargetIPs, TailnetTarget: cfg.TailnetTarget, Ports: cfg.Ports})
-	}
-
-	// Actually apply the firewall rules.
-	if err := ensureRulesAdded(rulesPerSvcToAdd, ep.nfr); err != nil {
-		return nil, fmt.Errorf("error adding rules: %w", err)
-	}
-	if err := ensureRulesDeleted(rulesPerSvcToDelete, ep.nfr); err != nil {
-		return nil, fmt.Errorf("error deleting rules: %w", err)
-	}
-
-	return newStatus, nil
-}
-
-// updatesForCfg calculates any rules that need to be added or deleted for an individucal egress service config.
-func updatesForCfg(svcName string, cfg egressservices.Config, status *egressservices.Status, tailnetTargetIPs []netip.Addr) ([]rule, []rule, error) {
-	rulesToAdd := make([]rule, 0)
-	rulesToDelete := make([]rule, 0)
-	currentConfig, ok := lookupCurrentConfig(svcName, status)
-
-	// If no rules for service are present yet, add them all.
-	if !ok {
-		for _, t := range tailnetTargetIPs {
-			for ports := range cfg.Ports {
-				log.Printf("syncegressservices: svc %s adding port %v", svcName, ports)
-				rulesToAdd = append(rulesToAdd, rule{tailnetPort: ports.TargetPort, containerPort: ports.MatchPort, protocol: ports.Protocol, tailnetIP: t})
-			}
-		}
-		return rulesToAdd, rulesToDelete, nil
-	}
-
-	// If there are no backend targets available, delete any currently configured rules.
-	if len(tailnetTargetIPs) == 0 {
-		log.Printf("tailnet target for egress service %s does not have any backend addresses, deleting all rules", svcName)
-		for _, ip := range currentConfig.TailnetTargetIPs {
-			for ports := range currentConfig.Ports {
-				rulesToDelete = append(rulesToAdd, rule{tailnetPort: ports.TargetPort, containerPort: ports.MatchPort, protocol: ports.Protocol, tailnetIP: ip})
-			}
-		}
-		return rulesToAdd, rulesToDelete, nil
-	}
-
-	// If there are rules present for backend targets that no longer match, delete them.
-	for _, ip := range currentConfig.TailnetTargetIPs {
-		var found bool
-		for _, wantsIP := range tailnetTargetIPs {
-			if reflect.DeepEqual(ip, wantsIP) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			for ports := range currentConfig.Ports {
-				rulesToDelete = append(rulesToDelete, rule{tailnetPort: ports.TargetPort, containerPort: ports.MatchPort, protocol: ports.Protocol, tailnetIP: ip})
-			}
-		}
-	}
-
-	// Sync rules for the currently wanted backend targets.
-	for _, ip := range tailnetTargetIPs {
-
-		// If the backend target is not yet present in status, add all rules.
-		var found bool
-		for _, gotIP := range currentConfig.TailnetTargetIPs {
-			if reflect.DeepEqual(ip, gotIP) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			for ports := range cfg.Ports {
-				rulesToAdd = append(rulesToAdd, rule{tailnetPort: ports.TargetPort, containerPort: ports.MatchPort, protocol: ports.Protocol, tailnetIP: ip})
-			}
-			continue
-		}
-
-		// If the backend target is present in status, check that the
-		// currently applied rules are up to date.
-
-		// Delete any current portmappings that are no longer present in config.
-		for port := range currentConfig.Ports {
-			if _, ok := cfg.Ports[port]; ok {
-				continue
-			}
-			rulesToDelete = append(rulesToDelete, rule{tailnetPort: port.TargetPort, containerPort: port.MatchPort, protocol: port.Protocol, tailnetIP: ip})
-		}
-
-		// Add any new portmappings.
-		for port := range cfg.Ports {
-			if _, ok := currentConfig.Ports[port]; ok {
-				continue
-			}
-			rulesToAdd = append(rulesToAdd, rule{tailnetPort: port.TargetPort, containerPort: port.MatchPort, protocol: port.Protocol, tailnetIP: ip})
-		}
-	}
-	return rulesToAdd, rulesToDelete, nil
-}
-
-// deleteUnneccessaryServices ensure that any services found on status, but not
-// present in config are deleted.
-func (ep *egressProxy) deleteUnnecessaryServices(cfgs *egressservices.Configs, status *egressservices.Status) error {
-	if !hasServicesConfigured(status) {
-		return nil
-	}
-	if !wantsServicesConfigured(cfgs) {
-		for svcName, svc := range status.Services {
-			log.Printf("service %s is no longer required, deleting", svcName)
-			if err := ensureServiceDeleted(svcName, svc, ep.nfr); err != nil {
-				return fmt.Errorf("error deleting service %s: %w", svcName, err)
-			}
-		}
-		return nil
-	}
-
-	for svcName, svc := range status.Services {
-		if _, ok := (*cfgs)[svcName]; !ok {
-			log.Printf("service %s is no longer required, deleting", svcName)
-			if err := ensureServiceDeleted(svcName, svc, ep.nfr); err != nil {
-				return fmt.Errorf("error deleting service %s: %w", svcName, err)
-			}
-			// TODO (irbekrm): also delete the SNAT rule here
-		}
-	}
-	return nil
-}
-
-// getConfigs gets the mounted egress service configuration.
-func (ep *egressProxy) getConfigs() (*egressservices.Configs, error) {
-	svcsCfg := filepath.Join(ep.cfgPath, egressservices.KeyEgressServices)
-	j, err := os.ReadFile(svcsCfg)
-	if os.IsNotExist(err) {
-		return nil, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-	if len(j) == 0 || string(j) == "" {
-		return nil, nil
-	}
-	cfg := &egressservices.Configs{}
-	if err := json.Unmarshal(j, &cfg); err != nil {
-		return nil, err
-	}
-	return cfg, nil
-}
-
-// getStatus gets the current status of the configured firewall. The current
-// status is stored in state Secret. Returns nil status if no status that
-// applies to the current proxy Pod was found. Uses the Pod IP to determine if a
-// status found in the state Secret applies to this proxy Pod.
-func (ep *egressProxy) getStatus(ctx context.Context) (*egressservices.Status, error) {
-	secret, err := ep.kc.GetSecret(ctx, ep.stateSecret)
-	if err != nil {
-		return nil, fmt.Errorf("error retrieving state secret: %w", err)
-	}
-	status := &egressservices.Status{}
-	raw, ok := secret.Data[egressservices.KeyEgressServices]
-	if !ok {
-		return nil, nil
-	}
-	if err := json.Unmarshal([]byte(raw), status); err != nil {
-		return nil, fmt.Errorf("error unmarshalling previous config: %w", err)
-	}
-	if reflect.DeepEqual(status.PodIPv4, ep.podIPv4) {
-		return status, nil
-	}
-	return nil, nil
-}
-
-// setStatus writes egress proxy's currently configured firewall to the state
-// Secret and updates proxy's tailnet addresses.
-func (ep *egressProxy) setStatus(ctx context.Context, status *egressservices.Status, n ipn.Notify) error {
-	// Pod IP is used to determine if a stored status applies to THIS proxy Pod.
-	if status == nil {
-		status = &egressservices.Status{}
-	}
-	status.PodIPv4 = ep.podIPv4
-	secret, err := ep.kc.GetSecret(ctx, ep.stateSecret)
-	if err != nil {
-		return fmt.Errorf("error retrieving state Secret: %w", err)
-	}
-	bs, err := json.Marshal(status)
-	if err != nil {
-		return fmt.Errorf("error marshalling service config: %w", err)
-	}
-	secret.Data[egressservices.KeyEgressServices] = bs
-	patch := kubeclient.JSONPatch{
-		Op:    "replace",
-		Path:  fmt.Sprintf("/data/%s", egressservices.KeyEgressServices),
-		Value: bs,
-	}
-	if err := ep.kc.JSONPatchResource(ctx, ep.stateSecret, kubeclient.TypeSecrets, []kubeclient.JSONPatch{patch}); err != nil {
-		return fmt.Errorf("error patching state Secret: %w", err)
-	}
-	ep.tailnetAddrs = n.NetMap.SelfNode.Addresses().AsSlice()
-	return nil
-}
-
-// tailnetTargetIPsForSvc returns the tailnet IPs to which traffic for this
-// egress service should be proxied. The egress service can be configured by IP
-// or by FQDN. If it's configured by IP, just return that. If it's configured by
-// FQDN, resolve the FQDN and return the resolved IPs. It checks if the
-// netfilter runner supports IPv6 NAT and skips any IPv6 addresses if it
-// doesn't.
-func (ep *egressProxy) tailnetTargetIPsForSvc(svc egressservices.Config, n ipn.Notify) (addrs []netip.Addr, err error) {
-	if svc.TailnetTarget.IP != "" {
-		addr, err := netip.ParseAddr(svc.TailnetTarget.IP)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing tailnet target IP: %w", err)
-		}
-		if addr.Is6() && !ep.nfr.HasIPV6NAT() {
-			log.Printf("tailnet target is an IPv6 address, but this host does not support IPv6 in the chosen firewall mode. This will probably not work.")
-			return addrs, nil
-		}
-		return []netip.Addr{addr}, nil
-	}
-
-	if svc.TailnetTarget.FQDN == "" {
-		return nil, errors.New("unexpected egress service config- neither tailnet target IP nor FQDN is set")
-	}
-	if n.NetMap == nil {
-		log.Printf("netmap is not available, unable to determine backend addresses for %s", svc.TailnetTarget.FQDN)
-		return addrs, nil
-	}
-	var (
-		node      tailcfg.NodeView
-		nodeFound bool
-	)
-	for _, nn := range n.NetMap.Peers {
-		if equalFQDNs(nn.Name(), svc.TailnetTarget.FQDN) {
-			node = nn
-			nodeFound = true
-			break
-		}
-	}
-	if nodeFound {
-		for _, addr := range node.Addresses().AsSlice() {
-			if addr.Addr().Is6() && !ep.nfr.HasIPV6NAT() {
-				log.Printf("tailnet target %v is an IPv6 address, but this host does not support IPv6 in the chosen firewall mode, skipping.", addr.Addr().String())
-				continue
-			}
-			addrs = append(addrs, addr.Addr())
-		}
-		// Egress target endpoints configured via FQDN are stored, so
-		// that we can determine if a netmap update should trigger a
-		// resync.
-		mak.Set(&ep.targetFQDNs, svc.TailnetTarget.FQDN, node.Addresses().AsSlice())
-	}
-	return addrs, nil
-}
-
-// shouldResync parses netmap update and returns true if the update contains
-// changes for which the egress proxy's firewall should be reconfigured.
-func (ep *egressProxy) shouldResync(n ipn.Notify) bool {
-	if n.NetMap == nil {
-		return false
-	}
-
-	// If proxy's tailnet addresses have changed, resync.
-	if !reflect.DeepEqual(n.NetMap.SelfNode.Addresses().AsSlice(), ep.tailnetAddrs) {
-		log.Printf("node addresses have changed, trigger egress config resync")
-		ep.tailnetAddrs = n.NetMap.SelfNode.Addresses().AsSlice()
-		return true
-	}
-
-	// If the IPs for any of the egress services configured via FQDN have
-	// changed, resync.
-	for fqdn, ips := range ep.targetFQDNs {
-		for _, nn := range n.NetMap.Peers {
-			if equalFQDNs(nn.Name(), fqdn) {
-				if !reflect.DeepEqual(ips, nn.Addresses().AsSlice()) {
-					log.Printf("backend addresses for egress target %q have changed old IPs %v, new IPs %v trigger egress config resync", nn.Name(), ips, nn.Addresses().AsSlice())
-				}
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// ensureServiceDeleted ensures that any rules for an egress service are removed
-// from the firewall configuration.
-func ensureServiceDeleted(svcName string, svc *egressservices.ServiceStatus, nfr linuxfw.NetfilterRunner) error {
-
-	// Note that the portmap is needed for iptables based firewall only.
-	// Nftables group rules for a service in a chain, so there is no need to
-	// specify individual portmapping based rules.
-	pms := make([]linuxfw.PortMap, 0)
-	for pm := range svc.Ports {
-		pms = append(pms, linuxfw.PortMap{MatchPort: pm.MatchPort, TargetPort: pm.TargetPort, Protocol: pm.Protocol})
-	}
-
-	if err := nfr.DeleteSvc(svcName, tailscaleTunInterface, svc.TailnetTargetIPs, pms); err != nil {
-		return fmt.Errorf("error deleting service %s: %w", svcName, err)
-	}
-	return nil
-}
-
-// ensureRulesAdded ensures that all portmapping rules are added to the firewall
-// configuration. For any rules that already exist, calling this function is a
-// no-op. In case of nftables, a service consists of one or two (one per IP
-// family) chains that conain the portmapping rules for the service and the
-// chains as needed when this function is called.
-func ensureRulesAdded(rulesPerSvc map[string][]rule, nfr linuxfw.NetfilterRunner) error {
-	for svc, rules := range rulesPerSvc {
-		for _, rule := range rules {
-			log.Printf("ensureRulesAdded svc %s tailnetTarget %s container port %d tailnet port %d protocol %s", svc, rule.tailnetIP, rule.containerPort, rule.tailnetPort, rule.protocol)
-			if err := nfr.EnsurePortMapRuleForSvc(svc, tailscaleTunInterface, rule.tailnetIP, linuxfw.PortMap{MatchPort: rule.containerPort, TargetPort: rule.tailnetPort, Protocol: rule.protocol}); err != nil {
-				return fmt.Errorf("error ensuring rule: %w", err)
-			}
-		}
-	}
-	return nil
-}
-
-// ensureRulesDeleted ensures that the given rules are deleted from the firewall
-// configuration. For any rules that do not exist, calling this funcion is a
-// no-op.
-func ensureRulesDeleted(rulesPerSvc map[string][]rule, nfr linuxfw.NetfilterRunner) error {
-	for svc, rules := range rulesPerSvc {
-		for _, rule := range rules {
-			log.Printf("ensureRulesDeleted svc %s tailnetTarget %s container port %d tailnet port %d protocol %s", svc, rule.tailnetIP, rule.containerPort, rule.tailnetPort, rule.protocol)
-			if err := nfr.DeletePortMapRuleForSvc(svc, tailscaleTunInterface, rule.tailnetIP, linuxfw.PortMap{MatchPort: rule.containerPort, TargetPort: rule.tailnetPort, Protocol: rule.protocol}); err != nil {
-				return fmt.Errorf("error deleting rule: %w", err)
-			}
-		}
-	}
-	return nil
-}
-
-func lookupCurrentConfig(svcName string, status *egressservices.Status) (*egressservices.ServiceStatus, bool) {
-	if status == nil || len(status.Services) == 0 {
-		return nil, false
-	}
-	c, ok := status.Services[svcName]
-	return c, ok
-}
-
-func equalFQDNs(s, s1 string) bool {
-	s, _ = strings.CutSuffix(s, ".")
-	s1, _ = strings.CutSuffix(s1, ".")
-	return strings.EqualFold(s, s1)
-}
-
-// rule contains configuration for an egress proxy firewall rule.
-type rule struct {
-	containerPort uint16     // port to match incoming traffic
-	tailnetPort   uint16     // tailnet service port
-	tailnetIP     netip.Addr // tailnet service IP
-	protocol      string
-}
-
-func wantsServicesConfigured(cfgs *egressservices.Configs) bool {
-	return cfgs != nil && len(*cfgs) != 0
-}
-
-func hasServicesConfigured(status *egressservices.Status) bool {
-	return status != nil && len(status.Services) != 0
-}
-
-func servicesStatusIsEqual(st, st1 *egressservices.Status) bool {
-	if st == nil && st1 == nil {
-		return true
-	}
-	if st == nil || st1 == nil {
-		return false
-	}
-	st.PodIPv4 = ""
-	st1.PodIPv4 = ""
-	return reflect.DeepEqual(*st, *st1)
-}
-
-// registerHandlers adds a new handler to the provided ServeMux that can be called as a Kubernetes prestop hook to
-// delay shutdown till it's safe to do so.
-func (ep *egressProxy) registerHandlers(mux *http.ServeMux) {
-	mux.Handle(fmt.Sprintf("GET %s", kubetypes.EgessServicesPreshutdownEP), ep)
-}
-
-// ServeHTTP serves /internal-egress-services-preshutdown endpoint, when it receives a request, it periodically polls
-// the configured health check endpoint for each egress service till it the health check endpoint no longer hits this
-// proxy Pod. It uses the Pod-IPv4 header to verify if health check response is received from this Pod.
-func (ep *egressProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	cfgs, err := ep.getConfigs()
-	if err != nil {
-		http.Error(w, fmt.Sprintf("error retrieving egress services configs: %v", err), http.StatusInternalServerError)
-		return
-	}
-	if cfgs == nil {
-		if _, err := w.Write([]byte("safe to terminate")); err != nil {
-			http.Error(w, fmt.Sprintf("error writing termination status: %v", err), http.StatusInternalServerError)
-			return
-		}
-	}
-	hp, err := ep.getHEPPings()
-	if err != nil {
-		http.Error(w, fmt.Sprintf("error determining the number of times health check endpoint should be pinged: %v", err), http.StatusInternalServerError)
-		return
-	}
-	ep.waitTillSafeToShutdown(r.Context(), cfgs, hp)
-}
-
-// waitTillSafeToShutdown looks up all egress targets configured to be proxied via this instance and, for each target
-// whose configuration includes a healthcheck endpoint, pings the endpoint till none of the responses
-// are returned by this instance or till the HTTP request times out. In practice, the endpoint will be a Kubernetes Service for whom one of the backends
-// would normally be this Pod. When this Pod is being deleted, the operator should have removed it from the Service
-// backends and eventually kube proxy routing rules should be updated to no longer route traffic for the Service to this
-// Pod.
-func (ep *egressProxy) waitTillSafeToShutdown(ctx context.Context, cfgs *egressservices.Configs, hp int) {
-	if cfgs == nil || len(*cfgs) == 0 { // avoid sleeping if no services are configured
-		return
-	}
-	log.Printf("Ensuring that cluster traffic for egress targets is no longer routed via this Pod...")
-	wg := syncs.WaitGroup{}
-
-	for s, cfg := range *cfgs {
-		hep := cfg.HealthCheckEndpoint
-		if hep == "" {
-			log.Printf("Tailnet target %q does not have a cluster healthcheck specified, unable to verify if cluster traffic for the target is still routed via this Pod", s)
-			continue
-		}
-		svc := s
-		wg.Go(func() {
-			log.Printf("Ensuring that cluster traffic is no longer routed to %q via this Pod...", svc)
-			for {
-				if ctx.Err() != nil { // kubelet's HTTP request timeout
-					log.Printf("Cluster traffic for %s did not stop being routed to this Pod.", svc)
-					return
-				}
-				found, err := lookupPodRoute(ctx, hep, ep.podIPv4, hp, ep.client)
-				if err != nil {
-					log.Printf("unable to reach endpoint %q, assuming the routing rules for this Pod have been deleted: %v", hep, err)
-					break
-				}
-				if !found {
-					log.Printf("service %q is no longer routed through this Pod", svc)
-					break
-				}
-				log.Printf("service %q is still routed through this Pod, waiting...", svc)
-				time.Sleep(ep.shortSleep)
-			}
-		})
-	}
-	wg.Wait()
-	// The check above really only checked that the routing rules are updated on this node. Sleep for a bit to
-	// ensure that the routing rules are updated on other nodes. TODO(irbekrm): this may or may not be good enough.
-	// If it's not good enough, we'd probably want to do something more complex, where the proxies check each other.
-	log.Printf("Sleeping for %s before shutdown to ensure that kube proxies on all nodes have updated routing configuration", ep.longSleep)
-	time.Sleep(ep.longSleep)
-}
-
-// lookupPodRoute calls the healthcheck endpoint repeat times and returns true if the endpoint returns with the podIP
-// header at least once.
-func lookupPodRoute(ctx context.Context, hep, podIP string, repeat int, client httpClient) (bool, error) {
-	for range repeat {
-		f, err := lookup(ctx, hep, podIP, client)
-		if err != nil {
-			return false, err
-		}
-		if f {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-// lookup calls the healthcheck endpoint and returns true if the response contains the podIP header.
-func lookup(ctx context.Context, hep, podIP string, client httpClient) (bool, error) {
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, hep, nil)
-	if err != nil {
-		return false, fmt.Errorf("error creating new HTTP request: %v", err)
-	}
-
-	// Close the TCP connection to ensure that the next request is routed to a different backend.
-	req.Close = true
-
-	resp, err := client.Do(req)
-	if err != nil {
-		log.Printf("Endpoint %q can not be reached: %v, likely because there are no (more) healthy backends", hep, err)
-		return true, nil
-	}
-	defer resp.Body.Close()
-	gotIP := resp.Header.Get(kubetypes.PodIPv4Header)
-	return strings.EqualFold(podIP, gotIP), nil
-}
-
-// getHEPPings gets the number of pings that should be sent to a health check endpoint to ensure that each configured
-// backend is hit. This assumes that a health check endpoint is a Kubernetes Service and traffic to backend Pods is
-// round robin load balanced.
-func (ep *egressProxy) getHEPPings() (int, error) {
-	hepPingsPath := filepath.Join(ep.cfgPath, egressservices.KeyHEPPings)
-	j, err := os.ReadFile(hepPingsPath)
-	if os.IsNotExist(err) {
-		return 0, nil
-	}
-	if err != nil {
-		return -1, err
-	}
-	if len(j) == 0 || string(j) == "" {
-		return 0, nil
-	}
-	hp, err := strconv.Atoi(string(j))
-	if err != nil {
-		return -1, fmt.Errorf("error parsing hep pings as int: %v", err)
-	}
-	if hp < 0 {
-		log.Printf("[unexpected] hep pings is negative: %d", hp)
-		return 0, nil
-	}
-	return hp, nil
-}

cmd/containerboot/services_test.go

@@ -1,324 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/netip"
-	"reflect"
-	"strings"
-	"sync"
-	"testing"
-
-	"tailscale.com/kube/egressservices"
-	"tailscale.com/kube/kubetypes"
-)
-
-func Test_updatesForSvc(t *testing.T) {
-	tailnetIPv4, tailnetIPv6 := netip.MustParseAddr("100.99.99.99"), netip.MustParseAddr("fd7a:115c:a1e0::701:b62a")
-	tailnetIPv4_1, tailnetIPv6_1 := netip.MustParseAddr("100.88.88.88"), netip.MustParseAddr("fd7a:115c:a1e0::4101:512f")
-	ports := map[egressservices.PortMap]struct{}{{Protocol: "tcp", MatchPort: 4003, TargetPort: 80}: {}}
-	ports1 := map[egressservices.PortMap]struct{}{{Protocol: "udp", MatchPort: 4004, TargetPort: 53}: {}}
-	ports2 := map[egressservices.PortMap]struct{}{{Protocol: "tcp", MatchPort: 4003, TargetPort: 80}: {},
-		{Protocol: "tcp", MatchPort: 4005, TargetPort: 443}: {}}
-	fqdnSpec := egressservices.Config{
-		TailnetTarget: egressservices.TailnetTarget{FQDN: "test"},
-		Ports:         ports,
-	}
-	fqdnSpec1 := egressservices.Config{
-		TailnetTarget: egressservices.TailnetTarget{FQDN: "test"},
-		Ports:         ports1,
-	}
-	fqdnSpec2 := egressservices.Config{
-		TailnetTarget: egressservices.TailnetTarget{IP: tailnetIPv4.String()},
-		Ports:         ports,
-	}
-	fqdnSpec3 := egressservices.Config{
-		TailnetTarget: egressservices.TailnetTarget{IP: tailnetIPv4.String()},
-		Ports:         ports2,
-	}
-	r := rule{containerPort: 4003, tailnetPort: 80, protocol: "tcp", tailnetIP: tailnetIPv4}
-	r1 := rule{containerPort: 4003, tailnetPort: 80, protocol: "tcp", tailnetIP: tailnetIPv6}
-	r2 := rule{tailnetPort: 53, containerPort: 4004, protocol: "udp", tailnetIP: tailnetIPv4}
-	r3 := rule{tailnetPort: 53, containerPort: 4004, protocol: "udp", tailnetIP: tailnetIPv6}
-	r4 := rule{containerPort: 4003, tailnetPort: 80, protocol: "tcp", tailnetIP: tailnetIPv4_1}
-	r5 := rule{containerPort: 4003, tailnetPort: 80, protocol: "tcp", tailnetIP: tailnetIPv6_1}
-	r6 := rule{containerPort: 4005, tailnetPort: 443, protocol: "tcp", tailnetIP: tailnetIPv4}
-
-	tests := []struct {
-		name              string
-		svcName           string
-		tailnetTargetIPs  []netip.Addr
-		podIP             string
-		spec              egressservices.Config
-		status            *egressservices.Status
-		wantRulesToAdd    []rule
-		wantRulesToDelete []rule
-	}{
-		{
-			name:              "add_fqdn_svc_that_does_not_yet_exist",
-			svcName:           "test",
-			tailnetTargetIPs:  []netip.Addr{tailnetIPv4, tailnetIPv6},
-			spec:              fqdnSpec,
-			status:            &egressservices.Status{},
-			wantRulesToAdd:    []rule{r, r1},
-			wantRulesToDelete: []rule{},
-		},
-		{
-			name:             "fqdn_svc_already_exists",
-			svcName:          "test",
-			tailnetTargetIPs: []netip.Addr{tailnetIPv4, tailnetIPv6},
-			spec:             fqdnSpec,
-			status: &egressservices.Status{
-				Services: map[string]*egressservices.ServiceStatus{"test": {
-					TailnetTargetIPs: []netip.Addr{tailnetIPv4, tailnetIPv6},
-					TailnetTarget:    egressservices.TailnetTarget{FQDN: "test"},
-					Ports:            ports,
-				}}},
-			wantRulesToAdd:    []rule{},
-			wantRulesToDelete: []rule{},
-		},
-		{
-			name:             "fqdn_svc_already_exists_add_port_remove_port",
-			svcName:          "test",
-			tailnetTargetIPs: []netip.Addr{tailnetIPv4, tailnetIPv6},
-			spec:             fqdnSpec1,
-			status: &egressservices.Status{
-				Services: map[string]*egressservices.ServiceStatus{"test": {
-					TailnetTargetIPs: []netip.Addr{tailnetIPv4, tailnetIPv6},
-					TailnetTarget:    egressservices.TailnetTarget{FQDN: "test"},
-					Ports:            ports,
-				}}},
-			wantRulesToAdd:    []rule{r2, r3},
-			wantRulesToDelete: []rule{r, r1},
-		},
-		{
-			name:             "fqdn_svc_already_exists_change_fqdn_backend_ips",
-			svcName:          "test",
-			tailnetTargetIPs: []netip.Addr{tailnetIPv4_1, tailnetIPv6_1},
-			spec:             fqdnSpec,
-			status: &egressservices.Status{
-				Services: map[string]*egressservices.ServiceStatus{"test": {
-					TailnetTargetIPs: []netip.Addr{tailnetIPv4, tailnetIPv6},
-					TailnetTarget:    egressservices.TailnetTarget{FQDN: "test"},
-					Ports:            ports,
-				}}},
-			wantRulesToAdd:    []rule{r4, r5},
-			wantRulesToDelete: []rule{r, r1},
-		},
-		{
-			name:              "add_ip_service",
-			svcName:           "test",
-			tailnetTargetIPs:  []netip.Addr{tailnetIPv4},
-			spec:              fqdnSpec2,
-			status:            &egressservices.Status{},
-			wantRulesToAdd:    []rule{r},
-			wantRulesToDelete: []rule{},
-		},
-		{
-			name:             "add_ip_service_already_exists",
-			svcName:          "test",
-			tailnetTargetIPs: []netip.Addr{tailnetIPv4},
-			spec:             fqdnSpec2,
-			status: &egressservices.Status{
-				Services: map[string]*egressservices.ServiceStatus{"test": {
-					TailnetTargetIPs: []netip.Addr{tailnetIPv4},
-					TailnetTarget:    egressservices.TailnetTarget{IP: tailnetIPv4.String()},
-					Ports:            ports,
-				}}},
-			wantRulesToAdd:    []rule{},
-			wantRulesToDelete: []rule{},
-		},
-		{
-			name:             "ip_service_add_port",
-			svcName:          "test",
-			tailnetTargetIPs: []netip.Addr{tailnetIPv4},
-			spec:             fqdnSpec3,
-			status: &egressservices.Status{
-				Services: map[string]*egressservices.ServiceStatus{"test": {
-					TailnetTargetIPs: []netip.Addr{tailnetIPv4},
-					TailnetTarget:    egressservices.TailnetTarget{IP: tailnetIPv4.String()},
-					Ports:            ports,
-				}}},
-			wantRulesToAdd:    []rule{r6},
-			wantRulesToDelete: []rule{},
-		},
-		{
-			name:             "ip_service_delete_port",
-			svcName:          "test",
-			tailnetTargetIPs: []netip.Addr{tailnetIPv4},
-			spec:             fqdnSpec,
-			status: &egressservices.Status{
-				Services: map[string]*egressservices.ServiceStatus{"test": {
-					TailnetTargetIPs: []netip.Addr{tailnetIPv4},
-					TailnetTarget:    egressservices.TailnetTarget{IP: tailnetIPv4.String()},
-					Ports:            ports2,
-				}}},
-			wantRulesToAdd:    []rule{},
-			wantRulesToDelete: []rule{r6},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			gotRulesToAdd, gotRulesToDelete, err := updatesForCfg(tt.svcName, tt.spec, tt.status, tt.tailnetTargetIPs)
-			if err != nil {
-				t.Errorf("updatesForSvc() unexpected error %v", err)
-				return
-			}
-			if !reflect.DeepEqual(gotRulesToAdd, tt.wantRulesToAdd) {
-				t.Errorf("updatesForSvc() got rulesToAdd = \n%v\n want rulesToAdd \n%v", gotRulesToAdd, tt.wantRulesToAdd)
-			}
-			if !reflect.DeepEqual(gotRulesToDelete, tt.wantRulesToDelete) {
-				t.Errorf("updatesForSvc() got rulesToDelete = \n%v\n want rulesToDelete \n%v", gotRulesToDelete, tt.wantRulesToDelete)
-			}
-		})
-	}
-}
-
-// A failure of this test will most likely look like a timeout.
-func TestWaitTillSafeToShutdown(t *testing.T) {
-	podIP := "10.0.0.1"
-	anotherIP := "10.0.0.2"
-
-	tests := []struct {
-		name string
-		// services is a map of service name to the number of calls to make to the healthcheck endpoint before
-		// returning a response that does NOT contain this Pod's IP in headers.
-		services       map[string]int
-		replicas       int
-		healthCheckSet bool
-	}{
-		{
-			name: "no_configs",
-		},
-		{
-			name: "one_service_immediately_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 0,
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_immediately_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 0,
-				"svc2": 0,
-				"svc3": 0,
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_no_healthcheck_endpoints",
-			services: map[string]int{
-				"svc1": 0,
-				"svc2": 0,
-				"svc3": 0,
-			},
-			replicas: 2,
-		},
-		{
-			name: "one_service_eventually_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 3, // After 3 calls to health check endpoint, no longer returns this Pod's IP
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_eventually_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 1, // After 1 call to health check endpoint, no longer returns this Pod's IP
-				"svc2": 3, // After 3 calls to health check endpoint, no longer returns this Pod's IP
-				"svc3": 5, // After 5 calls to the health check endpoint, no longer returns this Pod's IP
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_eventually_safe_to_shutdown_with_higher_replica_count",
-			services: map[string]int{
-				"svc1": 7,
-				"svc2": 10,
-			},
-			replicas:       5,
-			healthCheckSet: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cfgs := &egressservices.Configs{}
-			switches := make(map[string]int)
-
-			for svc, callsToSwitch := range tt.services {
-				endpoint := fmt.Sprintf("http://%s.local", svc)
-				if tt.healthCheckSet {
-					(*cfgs)[svc] = egressservices.Config{
-						HealthCheckEndpoint: endpoint,
-					}
-				}
-				switches[endpoint] = callsToSwitch
-			}
-
-			ep := &egressProxy{
-				podIPv4: podIP,
-				client: &mockHTTPClient{
-					podIP:     podIP,
-					anotherIP: anotherIP,
-					switches:  switches,
-				},
-			}
-
-			ep.waitTillSafeToShutdown(context.Background(), cfgs, tt.replicas)
-		})
-	}
-}
-
-// mockHTTPClient is a client that receives an HTTP call for an egress service endpoint and returns a response with an
-// IP address in a 'Pod-IPv4' header. It can be configured to return one IP address for N calls, then switch to another
-// IP address to simulate a scenario where an IP is eventually no longer a backend for an endpoint.
-// TODO(irbekrm): to test this more thoroughly, we should have the client take into account the number of replicas and
-// return as if traffic was round robin load balanced across different Pods.
-type mockHTTPClient struct {
-	// podIP - initial IP address to return, that matches the current proxy's IP address.
-	podIP     string
-	anotherIP string
-	// after how many calls to an endpoint, the client should start returning 'anotherIP' instead of 'podIP.
-	switches map[string]int
-	mu       sync.Mutex // protects the following
-	// calls tracks the number of calls received.
-	calls map[string]int
-}
-
-func (m *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
-	m.mu.Lock()
-	if m.calls == nil {
-		m.calls = make(map[string]int)
-	}
-
-	endpoint := req.URL.String()
-	m.calls[endpoint]++
-	calls := m.calls[endpoint]
-	m.mu.Unlock()
-
-	resp := &http.Response{
-		StatusCode: http.StatusOK,
-		Header:     make(http.Header),
-		Body:       io.NopCloser(strings.NewReader("")),
-	}
-
-	if calls <= m.switches[endpoint] {
-		resp.Header.Set(kubetypes.PodIPv4Header, m.podIP) // Pod is still routable
-	} else {
-		resp.Header.Set(kubetypes.PodIPv4Header, m.anotherIP) // Pod is no longer routable
-	}
-	return resp, nil
-}

cmd/containerboot/settings.go

@@ -1,381 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"log"
-	"net/netip"
-	"os"
-	"path"
-	"strconv"
-	"strings"
-
-	"tailscale.com/ipn/conffile"
-	"tailscale.com/kube/kubeclient"
-)
-
-// settings is all the configuration for containerboot.
-type settings struct {
-	AuthKey  string
-	Hostname string
-	Routes   *string
-	// ProxyTargetIP is the destination IP to which all incoming
-	// Tailscale traffic should be proxied. If empty, no proxying
-	// is done. This is typically a locally reachable IP.
-	ProxyTargetIP string
-	// ProxyTargetDNSName is a DNS name to whose backing IP addresses all
-	// incoming Tailscale traffic should be proxied.
-	ProxyTargetDNSName string
-	// TailnetTargetIP is the destination IP to which all incoming
-	// non-Tailscale traffic should be proxied. This is typically a
-	// Tailscale IP.
-	TailnetTargetIP string
-	// TailnetTargetFQDN is an MagicDNS name to which all incoming
-	// non-Tailscale traffic should be proxied. This must be a full Tailnet
-	// node FQDN.
-	TailnetTargetFQDN             string
-	ServeConfigPath               string
-	DaemonExtraArgs               string
-	ExtraArgs                     string
-	InKubernetes                  bool
-	UserspaceMode                 bool
-	StateDir                      string
-	AcceptDNS                     *bool
-	KubeSecret                    string
-	SOCKSProxyAddr                string
-	HTTPProxyAddr                 string
-	Socket                        string
-	AuthOnce                      bool
-	Root                          string
-	KubernetesCanPatch            bool
-	TailscaledConfigFilePath      string
-	EnableForwardingOptimizations bool
-	// If set to true and, if this containerboot instance is a Kubernetes
-	// ingress proxy, set up rules to forward incoming cluster traffic to be
-	// forwarded to the ingress target in cluster.
-	AllowProxyingClusterTrafficViaIngress bool
-	// PodIP is the IP of the Pod if running in Kubernetes. This is used
-	// when setting up rules to proxy cluster traffic to cluster ingress
-	// target.
-	// Deprecated: use PodIPv4, PodIPv6 instead to support dual stack clusters
-	PodIP                string
-	PodIPv4              string
-	PodIPv6              string
-	PodUID               string
-	HealthCheckAddrPort  string
-	LocalAddrPort        string
-	MetricsEnabled       bool
-	HealthCheckEnabled   bool
-	DebugAddrPort        string
-	EgressProxiesCfgPath string
-	// CertShareMode is set for Kubernetes Pods running cert share mode.
-	// Possible values are empty (containerboot doesn't run any certs
-	// logic),  'ro' (for Pods that shold never attempt to issue/renew
-	// certs) and 'rw' for Pods that should manage the TLS certs shared
-	// amongst the replicas.
-	CertShareMode string
-}
-
-func configFromEnv() (*settings, error) {
-	cfg := &settings{
-		AuthKey:                               defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:                              defaultEnv("TS_HOSTNAME", ""),
-		Routes:                                defaultEnvStringPointer("TS_ROUTES"),
-		ServeConfigPath:                       defaultEnv("TS_SERVE_CONFIG", ""),
-		ProxyTargetIP:                         defaultEnv("TS_DEST_IP", ""),
-		ProxyTargetDNSName:                    defaultEnv("TS_EXPERIMENTAL_DEST_DNS_NAME", ""),
-		TailnetTargetIP:                       defaultEnv("TS_TAILNET_TARGET_IP", ""),
-		TailnetTargetFQDN:                     defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
-		DaemonExtraArgs:                       defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:                             defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:                          os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:                         defaultBool("TS_USERSPACE", true),
-		StateDir:                              defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:                             defaultEnvBoolPointer("TS_ACCEPT_DNS"),
-		KubeSecret:                            defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:                        defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:                         defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:                                defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:                              defaultBool("TS_AUTH_ONCE", false),
-		Root:                                  defaultEnv("TS_TEST_ONLY_ROOT", "/"),
-		TailscaledConfigFilePath:              tailscaledConfigFilePath(),
-		AllowProxyingClusterTrafficViaIngress: defaultBool("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS", false),
-		PodIP:                                 defaultEnv("POD_IP", ""),
-		EnableForwardingOptimizations:         defaultBool("TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS", false),
-		HealthCheckAddrPort:                   defaultEnv("TS_HEALTHCHECK_ADDR_PORT", ""),
-		LocalAddrPort:                         defaultEnv("TS_LOCAL_ADDR_PORT", "[::]:9002"),
-		MetricsEnabled:                        defaultBool("TS_ENABLE_METRICS", false),
-		HealthCheckEnabled:                    defaultBool("TS_ENABLE_HEALTH_CHECK", false),
-		DebugAddrPort:                         defaultEnv("TS_DEBUG_ADDR_PORT", ""),
-		EgressProxiesCfgPath:                  defaultEnv("TS_EGRESS_PROXIES_CONFIG_PATH", ""),
-		PodUID:                                defaultEnv("POD_UID", ""),
-	}
-	podIPs, ok := os.LookupEnv("POD_IPS")
-	if ok {
-		ips := strings.Split(podIPs, ",")
-		if len(ips) > 2 {
-			return nil, fmt.Errorf("POD_IPs can contain at most 2 IPs, got %d (%v)", len(ips), ips)
-		}
-		for _, ip := range ips {
-			parsed, err := netip.ParseAddr(ip)
-			if err != nil {
-				return nil, fmt.Errorf("error parsing IP address %s: %w", ip, err)
-			}
-			if parsed.Is4() {
-				cfg.PodIPv4 = parsed.String()
-				continue
-			}
-			cfg.PodIPv6 = parsed.String()
-		}
-	}
-	// If cert share is enabled, set the replica as read or write. Only 0th
-	// replica should be able to write.
-	isInCertShareMode := defaultBool("TS_EXPERIMENTAL_CERT_SHARE", false)
-	if isInCertShareMode {
-		cfg.CertShareMode = "ro"
-		podName := os.Getenv("POD_NAME")
-		if strings.HasSuffix(podName, "-0") {
-			cfg.CertShareMode = "rw"
-		}
-	}
-
-	if err := cfg.validate(); err != nil {
-		return nil, fmt.Errorf("invalid configuration: %v", err)
-	}
-	return cfg, nil
-}
-
-func (s *settings) validate() error {
-	if s.TailscaledConfigFilePath != "" {
-		dir, file := path.Split(s.TailscaledConfigFilePath)
-		if _, err := os.Stat(dir); err != nil {
-			return fmt.Errorf("error validating whether directory with tailscaled config file %s exists: %w", dir, err)
-		}
-		if _, err := os.Stat(s.TailscaledConfigFilePath); err != nil {
-			return fmt.Errorf("error validating whether tailscaled config directory %q contains tailscaled config for current capability version %q: %w. If this is a Tailscale Kubernetes operator proxy, please ensure that the version of the operator is not older than the version of the proxy", dir, file, err)
-		}
-		if _, err := conffile.Load(s.TailscaledConfigFilePath); err != nil {
-			return fmt.Errorf("error validating tailscaled configfile contents: %w", err)
-		}
-	}
-	if s.ProxyTargetIP != "" && s.UserspaceMode {
-		return errors.New("TS_DEST_IP is not supported with TS_USERSPACE")
-	}
-	if s.ProxyTargetDNSName != "" && s.UserspaceMode {
-		return errors.New("TS_EXPERIMENTAL_DEST_DNS_NAME is not supported with TS_USERSPACE")
-	}
-	if s.ProxyTargetDNSName != "" && s.ProxyTargetIP != "" {
-		return errors.New("TS_EXPERIMENTAL_DEST_DNS_NAME and TS_DEST_IP cannot both be set")
-	}
-	if s.TailnetTargetIP != "" && s.UserspaceMode {
-		return errors.New("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
-	}
-	if s.TailnetTargetFQDN != "" && s.UserspaceMode {
-		return errors.New("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
-	}
-	if s.TailnetTargetFQDN != "" && s.TailnetTargetIP != "" {
-		return errors.New("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
-	}
-	if s.TailscaledConfigFilePath != "" && (s.AcceptDNS != nil || s.AuthKey != "" || s.Routes != nil || s.ExtraArgs != "" || s.Hostname != "") {
-		return errors.New("TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
-	}
-	if s.AllowProxyingClusterTrafficViaIngress && s.UserspaceMode {
-		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is not supported in userspace mode")
-	}
-	if s.AllowProxyingClusterTrafficViaIngress && s.ServeConfigPath == "" {
-		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is set but this is not a cluster ingress proxy")
-	}
-	if s.AllowProxyingClusterTrafficViaIngress && s.PodIP == "" {
-		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is set but POD_IP is not set")
-	}
-	if s.EnableForwardingOptimizations && s.UserspaceMode {
-		return errors.New("TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS is not supported in userspace mode")
-	}
-	if s.HealthCheckAddrPort != "" {
-		log.Printf("[warning] TS_HEALTHCHECK_ADDR_PORT is deprecated and will be removed in 1.82.0. Please use TS_ENABLE_HEALTH_CHECK and optionally TS_LOCAL_ADDR_PORT instead.")
-		if _, err := netip.ParseAddrPort(s.HealthCheckAddrPort); err != nil {
-			return fmt.Errorf("error parsing TS_HEALTHCHECK_ADDR_PORT value %q: %w", s.HealthCheckAddrPort, err)
-		}
-	}
-	if s.localMetricsEnabled() || s.localHealthEnabled() || s.EgressProxiesCfgPath != "" {
-		if _, err := netip.ParseAddrPort(s.LocalAddrPort); err != nil {
-			return fmt.Errorf("error parsing TS_LOCAL_ADDR_PORT value %q: %w", s.LocalAddrPort, err)
-		}
-	}
-	if s.DebugAddrPort != "" {
-		if _, err := netip.ParseAddrPort(s.DebugAddrPort); err != nil {
-			return fmt.Errorf("error parsing TS_DEBUG_ADDR_PORT value %q: %w", s.DebugAddrPort, err)
-		}
-	}
-	if s.HealthCheckEnabled && s.HealthCheckAddrPort != "" {
-		return errors.New("TS_HEALTHCHECK_ADDR_PORT is deprecated and will be removed in 1.82.0, use TS_ENABLE_HEALTH_CHECK and optionally TS_LOCAL_ADDR_PORT")
-	}
-	if s.EgressProxiesCfgPath != "" && !(s.InKubernetes && s.KubeSecret != "") {
-		return errors.New("TS_EGRESS_PROXIES_CONFIG_PATH is only supported for Tailscale running on Kubernetes")
-	}
-	return nil
-}
-
-// setupKube is responsible for doing any necessary configuration and checks to
-// ensure that tailscale state storage and authentication mechanism will work on
-// Kubernetes.
-func (cfg *settings) setupKube(ctx context.Context, kc *kubeClient) error {
-	if cfg.KubeSecret == "" {
-		return nil
-	}
-	canPatch, canCreate, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret)
-	if err != nil {
-		return fmt.Errorf("some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
-	}
-	cfg.KubernetesCanPatch = canPatch
-	kc.canPatch = canPatch
-
-	s, err := kc.GetSecret(ctx, cfg.KubeSecret)
-	if err != nil {
-		if !kubeclient.IsNotFoundErr(err) {
-			return fmt.Errorf("getting Tailscale state Secret %s: %v", cfg.KubeSecret, err)
-		}
-
-		if !canCreate {
-			return fmt.Errorf("tailscale state Secret %s does not exist and we don't have permissions to create it. "+
-				"If you intend to store tailscale state elsewhere than a Kubernetes Secret, "+
-				"you can explicitly set TS_KUBE_SECRET env var to an empty string. "+
-				"Else ensure that RBAC is set up that allows the service account associated with this installation to create Secrets.", cfg.KubeSecret)
-		}
-	}
-
-	// Return early if we already have an auth key.
-	if cfg.AuthKey != "" || isOneStepConfig(cfg) {
-		return nil
-	}
-
-	if s == nil {
-		log.Print("TS_AUTHKEY not provided and state Secret does not exist, login will be interactive if needed.")
-		return nil
-	}
-
-	keyBytes, _ := s.Data["authkey"]
-	key := string(keyBytes)
-
-	if key != "" {
-		// Enforce that we must be able to patch out the authkey after
-		// authenticating if you want to use this feature. This avoids
-		// us having to deal with the case where we might leave behind
-		// an unnecessary reusable authkey in a secret, like a rake in
-		// the grass.
-		if !cfg.KubernetesCanPatch {
-			return errors.New("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the Secret to manage the authkey.")
-		}
-		cfg.AuthKey = key
-	}
-
-	log.Print("No authkey found in state Secret and TS_AUTHKEY not provided, login will be interactive if needed.")
-
-	return nil
-}
-
-// isTwoStepConfigAuthOnce returns true if the Tailscale node should be configured
-// in two steps and login should only happen once.
-// Step 1: run 'tailscaled'
-// Step 2):
-// A) if this is the first time starting this node run 'tailscale up --authkey <authkey> <config opts>'
-// B) if this is not the first time starting this node run 'tailscale set <config opts>'.
-func isTwoStepConfigAuthOnce(cfg *settings) bool {
-	return cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
-}
-
-// isTwoStepConfigAlwaysAuth returns true if the Tailscale node should be configured
-// in two steps and we should log in every time it starts.
-// Step 1: run 'tailscaled'
-// Step 2): run 'tailscale up --authkey <authkey> <config opts>'
-func isTwoStepConfigAlwaysAuth(cfg *settings) bool {
-	return !cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
-}
-
-// isOneStepConfig returns true if the Tailscale node should always be ran and
-// configured in a single step by running 'tailscaled <config opts>'
-func isOneStepConfig(cfg *settings) bool {
-	return cfg.TailscaledConfigFilePath != ""
-}
-
-// isL3Proxy returns true if the Tailscale node needs to be configured to act
-// as an L3 proxy, proxying to an endpoint provided via one of the config env
-// vars.
-func isL3Proxy(cfg *settings) bool {
-	return cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress || cfg.EgressProxiesCfgPath != ""
-}
-
-// hasKubeStateStore returns true if the state must be stored in a Kubernetes
-// Secret.
-func hasKubeStateStore(cfg *settings) bool {
-	return cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != ""
-}
-
-func (cfg *settings) localMetricsEnabled() bool {
-	return cfg.LocalAddrPort != "" && cfg.MetricsEnabled
-}
-
-func (cfg *settings) localHealthEnabled() bool {
-	return cfg.LocalAddrPort != "" && cfg.HealthCheckEnabled
-}
-
-func (cfg *settings) egressSvcsTerminateEPEnabled() bool {
-	return cfg.LocalAddrPort != "" && cfg.EgressProxiesCfgPath != ""
-}
-
-// defaultEnv returns the value of the given envvar name, or defVal if
-// unset.
-func defaultEnv(name, defVal string) string {
-	if v, ok := os.LookupEnv(name); ok {
-		return v
-	}
-	return defVal
-}
-
-// defaultEnvStringPointer returns a pointer to the given envvar value if set, else
-// returns nil. This is useful in cases where we need to distinguish between a
-// variable being set to empty string vs unset.
-func defaultEnvStringPointer(name string) *string {
-	if v, ok := os.LookupEnv(name); ok {
-		return &v
-	}
-	return nil
-}
-
-// defaultEnvBoolPointer returns a pointer to the given envvar value if set, else
-// returns nil. This is useful in cases where we need to distinguish between a
-// variable being explicitly set to false vs unset.
-func defaultEnvBoolPointer(name string) *bool {
-	v := os.Getenv(name)
-	ret, err := strconv.ParseBool(v)
-	if err != nil {
-		return nil
-	}
-	return &ret
-}
-
-func defaultEnvs(names []string, defVal string) string {
-	for _, name := range names {
-		if v, ok := os.LookupEnv(name); ok {
-			return v
-		}
-	}
-	return defVal
-}
-
-// defaultBool returns the boolean value of the given envvar name, or
-// defVal if unset or not a bool.
-func defaultBool(name string, defVal bool) bool {
-	v := os.Getenv(name)
-	ret, err := strconv.ParseBool(v)
-	if err != nil {
-		return defVal
-	}
-	return ret
-}

cmd/containerboot/tailscaled.go

@@ -1,246 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io/fs"
-	"log"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"reflect"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/local"
-)
-
-func startTailscaled(ctx context.Context, cfg *settings) (*local.Client, *os.Process, error) {
-	args := tailscaledArgs(cfg)
-	// tailscaled runs without context, since it needs to persist
-	// beyond the startup timeout in ctx.
-	cmd := exec.Command("tailscaled", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Setpgid: true,
-	}
-	if cfg.CertShareMode != "" {
-		cmd.Env = append(os.Environ(), "TS_CERT_SHARE_MODE="+cfg.CertShareMode)
-	}
-	log.Printf("Starting tailscaled")
-	if err := cmd.Start(); err != nil {
-		return nil, nil, fmt.Errorf("starting tailscaled failed: %v", err)
-	}
-
-	// Wait for the socket file to appear, otherwise API ops will racily fail.
-	log.Printf("Waiting for tailscaled socket")
-	for {
-		if ctx.Err() != nil {
-			return nil, nil, errors.New("timed out waiting for tailscaled socket")
-		}
-		_, err := os.Stat(cfg.Socket)
-		if errors.Is(err, fs.ErrNotExist) {
-			time.Sleep(100 * time.Millisecond)
-			continue
-		} else if err != nil {
-			return nil, nil, fmt.Errorf("error waiting for tailscaled socket: %w", err)
-		}
-		break
-	}
-
-	tsClient := &local.Client{
-		Socket:        cfg.Socket,
-		UseSocketOnly: true,
-	}
-
-	return tsClient, cmd.Process, nil
-}
-
-// tailscaledArgs uses cfg to construct the argv for tailscaled.
-func tailscaledArgs(cfg *settings) []string {
-	args := []string{"--socket=" + cfg.Socket}
-	switch {
-	case cfg.InKubernetes && cfg.KubeSecret != "":
-		args = append(args, "--state=kube:"+cfg.KubeSecret)
-		if cfg.StateDir == "" {
-			cfg.StateDir = "/tmp"
-		}
-		fallthrough
-	case cfg.StateDir != "":
-		args = append(args, "--statedir="+cfg.StateDir)
-	default:
-		args = append(args, "--state=mem:", "--statedir=/tmp")
-	}
-
-	if cfg.UserspaceMode {
-		args = append(args, "--tun=userspace-networking")
-	} else if err := ensureTunFile(cfg.Root); err != nil {
-		log.Fatalf("ensuring that /dev/net/tun exists: %v", err)
-	}
-
-	if cfg.SOCKSProxyAddr != "" {
-		args = append(args, "--socks5-server="+cfg.SOCKSProxyAddr)
-	}
-	if cfg.HTTPProxyAddr != "" {
-		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
-	}
-	if cfg.TailscaledConfigFilePath != "" {
-		args = append(args, "--config="+cfg.TailscaledConfigFilePath)
-	}
-	// Once enough proxy versions have been released for all the supported
-	// versions to understand this cfg setting, the operator can stop
-	// setting TS_TAILSCALED_EXTRA_ARGS for the debug flag.
-	if cfg.DebugAddrPort != "" && !strings.Contains(cfg.DaemonExtraArgs, cfg.DebugAddrPort) {
-		args = append(args, "--debug="+cfg.DebugAddrPort)
-	}
-	if cfg.DaemonExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
-	}
-	return args
-}
-
-// tailscaleUp uses cfg to run 'tailscale up' everytime containerboot starts, or
-// if TS_AUTH_ONCE is set, only the first time containerboot starts.
-func tailscaleUp(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "up"}
-	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
-		args = append(args, "--accept-dns=true")
-	} else {
-		args = append(args, "--accept-dns=false")
-	}
-	if cfg.AuthKey != "" {
-		args = append(args, "--authkey="+cfg.AuthKey)
-	}
-	// --advertise-routes can be passed an empty string to configure a
-	// device (that might have previously advertised subnet routes) to not
-	// advertise any routes. Respect an empty string passed by a user and
-	// use it to explicitly unset the routes.
-	if cfg.Routes != nil {
-		args = append(args, "--advertise-routes="+*cfg.Routes)
-	}
-	if cfg.Hostname != "" {
-		args = append(args, "--hostname="+cfg.Hostname)
-	}
-	if cfg.ExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.ExtraArgs)...)
-	}
-	log.Printf("Running 'tailscale up'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale up failed: %v", err)
-	}
-	return nil
-}
-
-// tailscaleSet uses cfg to run 'tailscale set' to set any known configuration
-// options that are passed in via environment variables. This is run after the
-// node is in Running state and only if TS_AUTH_ONCE is set.
-func tailscaleSet(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "set"}
-	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
-		args = append(args, "--accept-dns=true")
-	} else {
-		args = append(args, "--accept-dns=false")
-	}
-	// --advertise-routes can be passed an empty string to configure a
-	// device (that might have previously advertised subnet routes) to not
-	// advertise any routes. Respect an empty string passed by a user and
-	// use it to explicitly unset the routes.
-	if cfg.Routes != nil {
-		args = append(args, "--advertise-routes="+*cfg.Routes)
-	}
-	if cfg.Hostname != "" {
-		args = append(args, "--hostname="+cfg.Hostname)
-	}
-	log.Printf("Running 'tailscale set'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale set failed: %v", err)
-	}
-	return nil
-}
-
-func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Client, errCh chan<- error) {
-	var (
-		tickChan          <-chan time.Time
-		eventChan         <-chan fsnotify.Event
-		errChan           <-chan error
-		tailscaledCfgDir  = filepath.Dir(path)
-		prevTailscaledCfg []byte
-	)
-	if w, err := fsnotify.NewWatcher(); err != nil {
-		// Creating a new fsnotify watcher would fail for example if inotify was not able to create a new file descriptor.
-		// See https://github.com/tailscale/tailscale/issues/15081
-		log.Printf("tailscaled config watch: failed to create fsnotify watcher, timer-only mode: %v", err)
-		ticker := time.NewTicker(5 * time.Second)
-		defer ticker.Stop()
-		tickChan = ticker.C
-	} else {
-		defer w.Close()
-		if err := w.Add(tailscaledCfgDir); err != nil {
-			errCh <- fmt.Errorf("failed to add fsnotify watch: %w", err)
-			return
-		}
-		eventChan = w.Events
-		errChan = w.Errors
-	}
-	b, err := os.ReadFile(path)
-	if err != nil {
-		errCh <- fmt.Errorf("error reading configfile: %w", err)
-		return
-	}
-	prevTailscaledCfg = b
-	// kubelet mounts Secrets to Pods using a series of symlinks, one of
-	// which is <mount-dir>/..data that Kubernetes recommends consumers to
-	// use if they need to monitor changes
-	// https://github.com/kubernetes/kubernetes/blob/v1.28.1/pkg/volume/util/atomic_writer.go#L39-L61
-	const kubeletMountedCfg = "..data"
-	toWatch := filepath.Join(tailscaledCfgDir, kubeletMountedCfg)
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case err := <-errChan:
-			errCh <- fmt.Errorf("watcher error: %w", err)
-			return
-		case <-tickChan:
-		case event := <-eventChan:
-			if event.Name != toWatch {
-				continue
-			}
-		}
-		b, err := os.ReadFile(path)
-		if err != nil {
-			errCh <- fmt.Errorf("error reading configfile: %w", err)
-			return
-		}
-		// For some proxy types the mounted volume also contains tailscaled state and other files. We
-		// don't want to reload config unnecessarily on unrelated changes to these files.
-		if reflect.DeepEqual(b, prevTailscaledCfg) {
-			continue
-		}
-		prevTailscaledCfg = b
-		log.Printf("tailscaled config watch: ensuring that config is up to date")
-		ok, err := lc.ReloadConfig(ctx)
-		if err != nil {
-			errCh <- fmt.Errorf("error reloading tailscaled config: %w", err)
-			return
-		}
-		if ok {
-			log.Printf("tailscaled config watch: config was reloaded")
-		}
-	}
-}

cmd/derper/README.md

@@ -1,109 +0,0 @@
-# DERP
-
-This is the code for the [Tailscale DERP server](https://tailscale.com/kb/1232/derp-servers).
-
-In general, you should not need to or want to run this code. The overwhelming
-majority of Tailscale users (both individuals and companies) do not.
-
-In the happy path, Tailscale establishes direct connections between peers and
-data plane traffic flows directly between them, without using DERP for more than
-acting as a low bandwidth side channel to bootstrap the NAT traversal. If you
-find yourself wanting DERP for more bandwidth, the real problem is usually the
-network configuration of your Tailscale node(s), making sure that Tailscale can
-get direction connections via some mechanism.
-
-If you've decided or been advised to run your own `derper`, then read on.
-
-## Caveats
-
-* Node sharing and other cross-Tailnet features don't work when using custom
-  DERP servers.
-
-* DERP servers only see encrypted WireGuard packets and thus are not useful for
-  network-level debugging.
-
-* The Tailscale control plane does certain geo-level steering features and
-  optimizations that are not available when using custom DERP servers.
-
-## Guide to running `cmd/derper`
-
-* You must build and update the `cmd/derper` binary yourself. There are no
-  packages. Use `go install tailscale.com/cmd/derper@latest` with the latest
-  version of Go. You should update this binary approximately as regularly as
-  you update Tailscale nodes. If using `--verify-clients`, the `derper` binary
-  and `tailscaled` binary on the machine must be built from the same git revision.
-  (It might work otherwise, but they're developed and only tested together.)
-
-* The DERP protocol does a protocol switch inside TLS from HTTP to a custom
-  bidirectional binary protocol. It is thus incompatible with many HTTP proxies.
-  Do not put `derper` behind another HTTP proxy.
-
-* The `tailscaled` client does its own selection of the fastest/nearest DERP
-  server based on latency measurements. Do not put `derper` behind a global load
-  balancer.
-
-* DERP servers should ideally have both a static IPv4 and static IPv6 address.
-Both of those should be listed in the DERP map so the client doesn't need to
-rely on its DNS which might be broken and dependent on DERP to get back up.
-
-* A DERP server should not share an IP address with any other DERP server.
-
-* Avoid having multiple DERP nodes in a region. If you must, they all need to be
-  meshed with each other and monitored. Having two one-node "regions" in the
-  same datacenter is usually easier and more reliable than meshing, at the cost
-  of more required connections from clients in some cases. If your clients
-  aren't mobile (battery constrained), one node regions are definitely
-  preferred. If you really need multiple nodes in a region for HA reasons, two
-  is sufficient.
-
-* Monitor your DERP servers with [`cmd/derpprobe`](../derpprobe/).
-
-* If using `--verify-clients`, a `tailscaled` must be running alongside the
-  `derper`, and all clients must be visible to the derper tailscaled in the ACL.
-
-* If using `--verify-clients`, a `tailscaled` must also be running alongside
-  your `derpprobe`, and `derpprobe` needs to use `--derp-map=local`.
-
-* The firewall on the `derper` should permit TCP ports 80 and 443 and UDP port
-  3478.
-
-* Only LetsEncrypt certs are rotated automatically. Other cert updates require a
-  restart.
-
-* Don't use a firewall in front of `derper` that suppresses `RST`s upon
-  receiving traffic to a dead or unknown connection.
-
-* Don't rate-limit UDP STUN packets.
-
-* Don't rate-limit outbound TCP traffic (only inbound).
-
-## Diagnostics
-
-This is not a complete guide on DERP diagnostics.
-
-Running your own DERP services requires exeprtise in multi-layer network and
-application diagnostics. As the DERP runs multiple protocols at multiple layers
-and is not a regular HTTP(s) server you will need expertise in correlative
-analysis to diagnose the most tricky problems. There is no "plain text" or
-"open" mode of operation for DERP.
-
-* The debug handler is accessible at URL path `/debug/`. It is only accessible
-  over localhost or from a Tailscale IP address.
-
-* Go pprof can be accessed via the debug handler at `/debug/pprof/`
-
-* Prometheus compatible metrics can be gathered from the debug handler at
-  `/debug/varz`.
-
-* `cmd/stunc` in the Tailscale repository provides a basic tool for diagnosing
-  issues with STUN.
-
-* `cmd/derpprobe` provides a service for monitoring DERP cluster health.
-
-* `tailscale debug derp` and `tailscale netcheck` provide additional client
-  driven diagnostic information for DERP communications.
-
-* Tailscale logs may provide insight for certain problems, such as if DERPs are
-  unreachable or peers are regularly not reachable in their DERP home regions.
-  There are many possible misconfiguration causes for these problems, but
-  regular log entries are a good first indicator that there is a problem.

cmd/derper/bootstrap_dns.go

@@ -5,45 +5,35 @@ package main
 
 import (
 	"context"
-	"encoding/binary"
 	"encoding/json"
 	"expvar"
 	"log"
-	"math/rand/v2"
 	"net"
 	"net/http"
-	"net/netip"
-	"strconv"
 	"strings"
-	"sync/atomic"
 	"time"
 
 	"tailscale.com/syncs"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/slicesx"
 )
 
 const refreshTimeout = time.Minute
 
-type dnsEntryMap struct {
-	IPs     map[string][]net.IP
-	Percent map[string]float64 // "foo.com" => 0.5 for 50%
-}
+type dnsEntryMap map[string][]net.IP
 
 var (
-	dnsCache            atomic.Pointer[dnsEntryMap]
+	dnsCache            syncs.AtomicValue[dnsEntryMap]
 	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache atomic.Pointer[dnsEntryMap]
+	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
 	bootstrapLookupMap  syncs.Map[string, bool]
 )
 
 var (
-	bootstrapDNSRequests        = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits            = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses          = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits          = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses        = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-	unpublishedDNSPercentMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_percent_misses")
+	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
+	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
+	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
+	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
+	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
 )
 
 func init() {
@@ -69,13 +59,15 @@ func refreshBootstrapDNS() {
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
-	dnsEntries := resolveList(ctx, *bootstrapDNS)
+	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
 	// Randomize the order of the IPs for each name to avoid the client biasing
 	// to IPv6
-	for _, vv := range dnsEntries.IPs {
-		slicesx.Shuffle(vv)
+	for k := range dnsEntries {
+		ips := dnsEntries[k]
+		slicesx.Shuffle(ips)
+		dnsEntries[k] = ips
 	}
-	j, err := json.MarshalIndent(dnsEntries.IPs, "", "\t")
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
 	if err != nil {
 		// leave the old values in place
 		return
@@ -89,50 +81,27 @@ func refreshUnpublishedDNS() {
 	if *unpublishedDNS == "" {
 		return
 	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
-	dnsEntries := resolveList(ctx, *unpublishedDNS)
+
+	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
 	unpublishedDNSCache.Store(dnsEntries)
 }
 
-// resolveList takes a comma-separated list of DNS names to resolve.
-//
-// If an entry contains a slash, it's two DNS names: the first is the one to
-// resolve and the second is that of a TXT recording containing the rollout
-// percentage in range "0".."100". If the TXT record doesn't exist or is
-// malformed, the percentage is 0. If the TXT record is not provided (there's no
-// slash), then the percentage is 100.
-func resolveList(ctx context.Context, list string) *dnsEntryMap {
-	ents := strings.Split(list, ",")
-
-	ret := &dnsEntryMap{}
+func resolveList(ctx context.Context, names []string) dnsEntryMap {
+	dnsEntries := make(dnsEntryMap)
 
 	var r net.Resolver
-	for _, ent := range ents {
-		name, txtName, _ := strings.Cut(ent, "/")
+	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
 		if err != nil {
 			log.Printf("bootstrap DNS lookup %q: %v", name, err)
 			continue
 		}
-		mak.Set(&ret.IPs, name, addrs)
-
-		if txtName == "" {
-			mak.Set(&ret.Percent, name, 1.0)
-			continue
-		}
-		vals, err := r.LookupTXT(ctx, txtName)
-		if err != nil {
-			log.Printf("bootstrap DNS lookup %q: %v", txtName, err)
-			continue
-		}
-		for _, v := range vals {
-			if v, err := strconv.Atoi(v); err == nil && v >= 0 && v <= 100 {
-				mak.Set(&ret.Percent, name, float64(v)/100)
-			}
-		}
+		dnsEntries[name] = addrs
 	}
-	return ret
+	return dnsEntries
 }
 
 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
@@ -146,36 +115,22 @@ func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	// Try answering a query from our hidden map first
 	if q := r.URL.Query().Get("q"); q != "" {
 		bootstrapLookupMap.Store(q, true)
-		if bootstrapLookupMap.Len() > 500 { // defensive
-			bootstrapLookupMap.Clear()
-		}
-		if m := unpublishedDNSCache.Load(); m != nil && len(m.IPs[q]) > 0 {
+		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
 			unpublishedDNSHits.Add(1)
 
-			percent := m.Percent[q]
-			if remoteAddrMatchesPercent(r.RemoteAddr, percent) {
-				// Only return the specific query, not everything.
-				m := map[string][]net.IP{q: m.IPs[q]}
-				j, err := json.MarshalIndent(m, "", "\t")
-				if err == nil {
-					w.Write(j)
-					return
-				}
-			} else {
-				unpublishedDNSPercentMisses.Add(1)
+			// Only return the specific query, not everything.
+			m := dnsEntryMap{q: ips}
+			j, err := json.MarshalIndent(m, "", "\t")
+			if err == nil {
+				w.Write(j)
+				return
 			}
 		}
 
 		// If we have a "q" query for a name in the published cache
 		// list, then track whether that's a hit/miss.
-		m := dnsCache.Load()
-		var inPub bool
-		var ips []net.IP
-		if m != nil {
-			ips, inPub = m.IPs[q]
-		}
-		if inPub {
-			if len(ips) > 0 {
+		if m, ok := dnsCache.Load()[q]; ok {
+			if len(m) > 0 {
 				publishedDNSHits.Add(1)
 			} else {
 				publishedDNSMisses.Add(1)
@@ -191,29 +146,3 @@ func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	j := dnsCacheBytes.Load()
 	w.Write(j)
 }
-
-// percent is [0.0, 1.0].
-func remoteAddrMatchesPercent(remoteAddr string, percent float64) bool {
-	if percent == 0 {
-		return false
-	}
-	if percent == 1 {
-		return true
-	}
-	reqIPStr, _, err := net.SplitHostPort(remoteAddr)
-	if err != nil {
-		return false
-	}
-	reqIP, err := netip.ParseAddr(reqIPStr)
-	if err != nil {
-		return false
-	}
-	if reqIP.IsLoopback() {
-		// For local testing.
-		return rand.Float64() < 0.5
-	}
-	reqIP16 := reqIP.As16()
-	rndSrc := rand.NewPCG(binary.LittleEndian.Uint64(reqIP16[:8]), binary.LittleEndian.Uint64(reqIP16[8:]))
-	rnd := rand.New(rndSrc)
-	return percent > rnd.Float64()
-}

cmd/derper/bootstrap_dns_test.go

@@ -4,26 +4,22 @@
 package main
 
 import (
-	"bytes"
 	"encoding/json"
-	"io"
 	"net"
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"net/url"
 	"reflect"
 	"testing"
 
 	"tailscale.com/tstest"
-	"tailscale.com/tstest/nettest"
 )
 
 func BenchmarkHandleBootstrapDNS(b *testing.B) {
-	tstest.Replace(b, bootstrapDNS, "log.tailscale.com,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com")
+	tstest.Replace(b, bootstrapDNS, "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com")
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.com"), nil)
+	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	b.RunParallel(func(b *testing.PB) {
@@ -41,7 +37,7 @@ func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p),
 
 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
 
-func getBootstrapDNS(t *testing.T, q string) map[string][]net.IP {
+func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
 	t.Helper()
 	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
 	w := httptest.NewRecorder()
@@ -51,19 +47,16 @@ func getBootstrapDNS(t *testing.T, q string) map[string][]net.IP {
 	if res.StatusCode != 200 {
 		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
 	}
-	var m map[string][]net.IP
-	var buf bytes.Buffer
-	if err := json.NewDecoder(io.TeeReader(res.Body, &buf)).Decode(&m); err != nil {
-		t.Fatalf("error decoding response body %q: %v", buf.Bytes(), err)
+	var ips dnsEntryMap
+	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
+		t.Fatalf("error decoding response body: %v", err)
 	}
-	return m
+	return ips
 }
 
 func TestUnpublishedDNS(t *testing.T) {
-	nettest.SkipIfNoNetwork(t)
-
 	const published = "login.tailscale.com"
-	const unpublished = "log.tailscale.com"
+	const unpublished = "log.tailscale.io"
 
 	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
 	*bootstrapDNS = published
@@ -111,32 +104,26 @@ func resetMetrics() {
 // Verify that we don't count an empty list in the unpublishedDNSCache as a
 // cache hit in our metrics.
 func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := &dnsEntryMap{
-		IPs: map[string][]net.IP{"tailscale.com": {net.IPv4(10, 10, 10, 10)}},
+	pub := dnsEntryMap{
+		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
 	}
 	dnsCache.Store(pub)
 	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
 
-	unpublishedDNSCache.Store(&dnsEntryMap{
-		IPs: map[string][]net.IP{
-			"log.tailscale.com":          {},
-			"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-		},
-		Percent: map[string]float64{
-			"log.tailscale.com":          1.0,
-			"controlplane.tailscale.com": 1.0,
-		},
+	unpublishedDNSCache.Store(dnsEntryMap{
+		"log.tailscale.io":           {},
+		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
 	})
 
 	t.Run("CacheMiss", func(t *testing.T) {
 		// One domain in map but empty, one not in map at all
-		for _, q := range []string{"log.tailscale.com", "login.tailscale.com"} {
+		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
 			resetMetrics()
 			ips := getBootstrapDNS(t, q)
 
 			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub.IPs) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub.IPs)
+			if !reflect.DeepEqual(ips, pub) {
+				t.Errorf("got ips=%+v; want %+v", ips, pub)
 			}
 			if v := unpublishedDNSHits.Value(); v != 0 {
 				t.Errorf("got hits=%d; want 0", v)
@@ -151,7 +138,7 @@ func TestUnpublishedDNSEmptyList(t *testing.T) {
 	t.Run("CacheHit", func(t *testing.T) {
 		resetMetrics()
 		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := map[string][]net.IP{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
+		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
 		if !reflect.DeepEqual(ips, want) {
 			t.Errorf("got ips=%+v; want %+v", ips, want)
 		}
@@ -176,54 +163,3 @@ func TestLookupMetric(t *testing.T) {
 		t.Errorf("bootstrapLookupMap.Len() want=5, got %v", bootstrapLookupMap.Len())
 	}
 }
-
-func TestRemoteAddrMatchesPercent(t *testing.T) {
-	tests := []struct {
-		remoteAddr string
-		percent    float64
-		want       bool
-	}{
-		// 0% and 100%.
-		{"10.0.0.1:1234", 0.0, false},
-		{"10.0.0.1:1234", 1.0, true},
-
-		// Invalid IP.
-		{"", 1.0, true},
-		{"", 0.0, false},
-		{"", 0.5, false},
-
-		// Small manual sample at 50%. The func uses a deterministic PRNG seed.
-		{"1.2.3.4:567", 0.5, true},
-		{"1.2.3.5:567", 0.5, true},
-		{"1.2.3.6:567", 0.5, false},
-		{"1.2.3.7:567", 0.5, true},
-		{"1.2.3.8:567", 0.5, false},
-		{"1.2.3.9:567", 0.5, true},
-		{"1.2.3.10:567", 0.5, true},
-	}
-	for _, tt := range tests {
-		got := remoteAddrMatchesPercent(tt.remoteAddr, tt.percent)
-		if got != tt.want {
-			t.Errorf("remoteAddrMatchesPercent(%q, %v) = %v; want %v", tt.remoteAddr, tt.percent, got, tt.want)
-		}
-	}
-
-	var match, all int
-	const wantPercent = 0.5
-	for a := range 256 {
-		for b := range 256 {
-			all++
-			if remoteAddrMatchesPercent(
-				netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 2, byte(a), byte(b)}), 12345).String(),
-				wantPercent) {
-				match++
-			}
-		}
-	}
-	gotPercent := float64(match) / float64(all)
-	const tolerance = 0.005
-	t.Logf("got percent %v (goal %v)", gotPercent, wantPercent)
-	if gotPercent < wantPercent-tolerance || gotPercent > wantPercent+tolerance {
-		t.Errorf("got %v; want %v ± %v", gotPercent, wantPercent, tolerance)
-	}
-}

cmd/derper/cert.go

@@ -4,28 +4,15 @@
 package main
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"fmt"
-	"log"
-	"math/big"
-	"net"
 	"net/http"
-	"os"
 	"path/filepath"
 	"regexp"
-	"time"
 
 	"golang.org/x/crypto/acme/autocert"
-	"tailscale.com/tailcfg"
 )
 
 var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
@@ -66,9 +53,8 @@ func certProviderByCertMode(mode, dir, hostname string) (certProvider, error) {
 }
 
 type manualCertManager struct {
-	cert       *tls.Certificate
-	hostname   string // hostname or IP address of server
-	noHostname bool   // whether hostname is an IP address
+	cert     *tls.Certificate
+	hostname string
 }
 
 // NewManualCertManager returns a cert provider which read certificate by given hostname on create.
@@ -77,18 +63,8 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	crtPath := filepath.Join(certdir, keyname+".crt")
 	keyPath := filepath.Join(certdir, keyname+".key")
 	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-	hostnameIP := net.ParseIP(hostname) // or nil if hostname isn't an IP address
 	if err != nil {
-		// If the hostname is an IP address, automatically create a
-		// self-signed certificate for it.
-		var certp *tls.Certificate
-		if os.IsNotExist(err) && hostnameIP != nil {
-			certp, err = createSelfSignedIPCert(crtPath, keyPath, hostname)
-		}
-		if err != nil {
-			return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
-		}
-		cert = *certp
+		return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
 	}
 	// ensure hostname matches with the certificate
 	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
@@ -98,23 +74,7 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	if err := x509Cert.VerifyHostname(hostname); err != nil {
 		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
 	}
-	if hostnameIP != nil {
-		// If the hostname is an IP address, print out information on how to
-		// confgure this in the derpmap.
-		dn := &tailcfg.DERPNode{
-			Name:     "custom",
-			RegionID: 900,
-			HostName: hostname,
-			CertName: fmt.Sprintf("sha256-raw:%-02x", sha256.Sum256(x509Cert.Raw)),
-		}
-		dnJSON, _ := json.Marshal(dn)
-		log.Printf("Using self-signed certificate for IP address %q. Configure it in DERPMap using: (https://tailscale.com/s/custom-derp)\n  %s", hostname, dnJSON)
-	}
-	return &manualCertManager{
-		cert:       &cert,
-		hostname:   hostname,
-		noHostname: net.ParseIP(hostname) != nil,
-	}, nil
+	return &manualCertManager{cert: &cert, hostname: hostname}, nil
 }
 
 func (m *manualCertManager) TLSConfig() *tls.Config {
@@ -128,7 +88,7 @@ func (m *manualCertManager) TLSConfig() *tls.Config {
 }
 
 func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi.ServerName != m.hostname && !m.noHostname {
+	if hi.ServerName != m.hostname {
 		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
 	}
 
@@ -143,69 +103,3 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
 	return fallback
 }
-
-func createSelfSignedIPCert(crtPath, keyPath, ipStr string) (*tls.Certificate, error) {
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return nil, fmt.Errorf("invalid IP address: %s", ipStr)
-	}
-
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate EC private key: %v", err)
-	}
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate serial number: %v", err)
-	}
-
-	now := time.Now()
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: ipStr,
-		},
-		NotBefore: now,
-		NotAfter:  now.AddDate(1, 0, 0), // expires in 1 year; a bit over that is rejected by macOS etc
-
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	// Set the IP as a SAN.
-	template.IPAddresses = []net.IP{ip}
-
-	// Create the self-signed certificate.
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create certificate: %v", err)
-	}
-
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-
-	keyBytes, err := x509.MarshalECPrivateKey(priv)
-	if err != nil {
-		return nil, fmt.Errorf("unable to marshal EC private key: %v", err)
-	}
-
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes})
-
-	if err := os.MkdirAll(filepath.Dir(crtPath), 0700); err != nil {
-		return nil, fmt.Errorf("failed to create directory for certificate: %v", err)
-	}
-	if err := os.WriteFile(crtPath, certPEM, 0644); err != nil {
-		return nil, fmt.Errorf("failed to write certificate to %s: %v", crtPath, err)
-	}
-	if err := os.WriteFile(keyPath, keyPEM, 0600); err != nil {
-		return nil, fmt.Errorf("failed to write key to %s: %v", keyPath, err)
-	}
-
-	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create tls.Certificate: %v", err)
-	}
-	return &tlsCert, nil
-}

cmd/derper/cert_test.go

@@ -1,170 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-
-	"tailscale.com/derp"
-	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/netmon"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-// Verify that in --certmode=manual mode, we can use a bare IP address
-// as the --hostname and that GetCertificate will return it.
-func TestCertIP(t *testing.T) {
-	dir := t.TempDir()
-	const hostname = "1.2.3.4"
-
-	priv, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		t.Fatal(err)
-	}
-	ip := net.ParseIP(hostname)
-	if ip == nil {
-		t.Fatalf("invalid IP address %q", hostname)
-	}
-	template := &x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			Organization: []string{"Tailscale Test Corp"},
-		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(30 * 24 * time.Hour),
-
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		IPAddresses:           []net.IP{ip},
-	}
-	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
-	if err != nil {
-		t.Fatal(err)
-	}
-	certOut, err := os.Create(filepath.Join(dir, hostname+".crt"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
-		t.Fatalf("Failed to write data to cert.pem: %v", err)
-	}
-	if err := certOut.Close(); err != nil {
-		t.Fatalf("Error closing cert.pem: %v", err)
-	}
-
-	keyOut, err := os.OpenFile(filepath.Join(dir, hostname+".key"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		t.Fatal(err)
-	}
-	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		t.Fatalf("Unable to marshal private key: %v", err)
-	}
-	if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
-		t.Fatalf("Failed to write data to key.pem: %v", err)
-	}
-	if err := keyOut.Close(); err != nil {
-		t.Fatalf("Error closing key.pem: %v", err)
-	}
-
-	cp, err := certProviderByCertMode("manual", dir, hostname)
-	if err != nil {
-		t.Fatal(err)
-	}
-	back, err := cp.TLSConfig().GetCertificate(&tls.ClientHelloInfo{
-		ServerName: "", // no SNI
-	})
-	if err != nil {
-		t.Fatalf("GetCertificate: %v", err)
-	}
-	if back == nil {
-		t.Fatalf("GetCertificate returned nil")
-	}
-}
-
-// Test that we can dial a raw IP without using a hostname and without a WebPKI
-// cert, validating the cert against the signature of the cert in the DERP map's
-// DERPNode.
-//
-// See https://github.com/tailscale/tailscale/issues/11776.
-func TestPinnedCertRawIP(t *testing.T) {
-	td := t.TempDir()
-	cp, err := NewManualCertManager(td, "127.0.0.1")
-	if err != nil {
-		t.Fatalf("NewManualCertManager: %v", err)
-	}
-
-	cert, err := cp.TLSConfig().GetCertificate(&tls.ClientHelloInfo{
-		ServerName: "127.0.0.1",
-	})
-	if err != nil {
-		t.Fatalf("GetCertificate: %v", err)
-	}
-
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("Listen: %v", err)
-	}
-	defer ln.Close()
-
-	ds := derp.NewServer(key.NewNode(), t.Logf)
-
-	derpHandler := derphttp.Handler(ds)
-	mux := http.NewServeMux()
-	mux.Handle("/derp", derpHandler)
-
-	var hs http.Server
-	hs.Handler = mux
-	hs.TLSConfig = cp.TLSConfig()
-	go hs.ServeTLS(ln, "", "")
-
-	lnPort := ln.Addr().(*net.TCPAddr).Port
-
-	reg := &tailcfg.DERPRegion{
-		RegionID: 900,
-		Nodes: []*tailcfg.DERPNode{
-			{
-				RegionID: 900,
-				HostName: "127.0.0.1",
-				CertName: fmt.Sprintf("sha256-raw:%-02x", sha256.Sum256(cert.Leaf.Raw)),
-				DERPPort: lnPort,
-			},
-		},
-	}
-
-	netMon := netmon.NewStatic()
-	dc := derphttp.NewRegionClient(key.NewNode(), t.Logf, netMon, func() *tailcfg.DERPRegion {
-		return reg
-	})
-	defer dc.Close()
-
-	_, connClose, _, err := dc.DialRegionTLS(context.Background(), reg)
-	if err != nil {
-		t.Fatalf("DialRegionTLS: %v", err)
-	}
-	defer connClose.Close()
-}

cmd/derper/depaware.txt

@@ -7,19 +7,9 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
         github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
      💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-        github.com/coder/websocket                                   from tailscale.com/cmd/derper+
-        github.com/coder/websocket/internal/errd                     from github.com/coder/websocket
-        github.com/coder/websocket/internal/util                     from github.com/coder/websocket
-        github.com/coder/websocket/internal/xsync                    from github.com/coder/websocket
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
    W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-        github.com/go-json-experiment/json                           from tailscale.com/types/opt+
-        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/jsontext                  from github.com/go-json-experiment/json+
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
    L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
    L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
@@ -27,19 +17,21 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    L    github.com/google/nftables/expr                              from github.com/google/nftables+
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
+        github.com/google/uuid                                       from tailscale.com/tsweb
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
    L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
    L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-        github.com/munnerz/goautoneg                                 from github.com/prometheus/common/expfmt
      💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
         github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
         github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
         github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
         github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
   LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
   LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
@@ -50,21 +42,18 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
    W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
    L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
-   L 💣 github.com/tailscale/netlink/nl                              from github.com/tailscale/netlink
-        github.com/tailscale/setec/client/setec                      from tailscale.com/cmd/derper
-        github.com/tailscale/setec/types/api                         from github.com/tailscale/setec/client/setec
+   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/local+
-        go4.org/netipx                                               from tailscale.com/net/tsaddr
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/netmon+
+     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
+        go4.org/netipx                                               from tailscale.com/net/tsaddr+
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
         google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
         google.golang.org/protobuf/encoding/prototext                from github.com/prometheus/common/expfmt+
         google.golang.org/protobuf/encoding/protowire                from google.golang.org/protobuf/encoding/protodelim+
         google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
         google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
         google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
-        google.golang.org/protobuf/internal/editiondefaults          from google.golang.org/protobuf/internal/filedesc
         google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
         google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
         google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
@@ -86,56 +75,58 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         google.golang.org/protobuf/runtime/protoiface                from google.golang.org/protobuf/internal/impl+
         google.golang.org/protobuf/runtime/protoimpl                 from github.com/prometheus/client_model/go+
         google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
+        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/util                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
         tailscale.com                                                from tailscale.com/version
-     💣 tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
-        tailscale.com/client/local                                   from tailscale.com/client/tailscale+
+        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
         tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
         tailscale.com/derp                                           from tailscale.com/cmd/derper+
         tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
         tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/drive                                          from tailscale.com/client/local+
-        tailscale.com/envknob                                        from tailscale.com/client/local+
-        tailscale.com/feature                                        from tailscale.com/tsweb
-        tailscale.com/health                                         from tailscale.com/net/tlsdial+
-        tailscale.com/hostinfo                                       from tailscale.com/net/netmon+
-        tailscale.com/ipn                                            from tailscale.com/client/local
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/local+
-        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
+        tailscale.com/drive                                          from tailscale.com/client/tailscale+
+        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
+        tailscale.com/health                                         from tailscale.com/net/tlsdial
+        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
+        tailscale.com/ipn                                            from tailscale.com/client/tailscale
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
         tailscale.com/metrics                                        from tailscale.com/cmd/derper+
-        tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial
         tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netmon+
         tailscale.com/net/ktimeout                                   from tailscale.com/cmd/derper
         tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
-     💣 tailscale.com/net/netmon                                     from tailscale.com/derp/derphttp+
-     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
-        tailscale.com/net/netutil                                    from tailscale.com/client/local
+        tailscale.com/net/netmon                                     from tailscale.com/derp/derphttp+
+        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
+        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
         tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
         tailscale.com/net/stun                                       from tailscale.com/net/stunserver
         tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
    L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
-        tailscale.com/net/tlsdial/blockblame                         from tailscale.com/net/tlsdial
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper
-        tailscale.com/paths                                          from tailscale.com/client/local
-     💣 tailscale.com/safesocket                                     from tailscale.com/client/local
+        tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper+
+        tailscale.com/paths                                          from tailscale.com/client/tailscale
+     💣 tailscale.com/safesocket                                     from tailscale.com/client/tailscale
         tailscale.com/syncs                                          from tailscale.com/cmd/derper+
-        tailscale.com/tailcfg                                        from tailscale.com/client/local+
-        tailscale.com/tka                                            from tailscale.com/client/local+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
+        tailscale.com/tka                                            from tailscale.com/client/tailscale+
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
         tailscale.com/tstime                                         from tailscale.com/derp+
         tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/derp
-        tailscale.com/tsweb                                          from tailscale.com/cmd/derper+
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/cmd/derper
+        tailscale.com/tstime/rate                                    from tailscale.com/derp+
+        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
         tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg+
+        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg+
-        tailscale.com/types/key                                      from tailscale.com/client/local+
+        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
         tailscale.com/types/lazy                                     from tailscale.com/version+
         tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
         tailscale.com/types/netmap                                   from tailscale.com/ipn
@@ -143,74 +134,54 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/types/persist                                  from tailscale.com/ipn
         tailscale.com/types/preftype                                 from tailscale.com/ipn
         tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
-        tailscale.com/types/result                                   from tailscale.com/util/lineiter
         tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/client/local+
+        tailscale.com/types/tkatype                                  from tailscale.com/client/tailscale+
         tailscale.com/types/views                                    from tailscale.com/ipn+
-        tailscale.com/util/cibuild                                   from tailscale.com/health
         tailscale.com/util/clientmetric                              from tailscale.com/net/netmon+
         tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
         tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
-     💣 tailscale.com/util/deephash                                  from tailscale.com/util/syspolicy/setting
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
-        tailscale.com/util/lineiter                                  from tailscale.com/hostinfo+
+        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
    L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
-        tailscale.com/util/mak                                       from tailscale.com/health+
+        tailscale.com/util/mak                                       from tailscale.com/net/interfaces+
         tailscale.com/util/multierr                                  from tailscale.com/health+
         tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
-        tailscale.com/util/rands                                     from tailscale.com/tsweb
         tailscale.com/util/set                                       from tailscale.com/derp+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
         tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
         tailscale.com/util/syspolicy                                 from tailscale.com/ipn
-        tailscale.com/util/syspolicy/internal                        from tailscale.com/util/syspolicy/setting+
-        tailscale.com/util/syspolicy/internal/loggerx                from tailscale.com/util/syspolicy/internal/metrics+
-        tailscale.com/util/syspolicy/internal/metrics                from tailscale.com/util/syspolicy/source
-        tailscale.com/util/syspolicy/rsop                            from tailscale.com/util/syspolicy
-        tailscale.com/util/syspolicy/setting                         from tailscale.com/util/syspolicy+
-        tailscale.com/util/syspolicy/source                          from tailscale.com/util/syspolicy+
-        tailscale.com/util/testenv                                   from tailscale.com/util/syspolicy+
-        tailscale.com/util/usermetric                                from tailscale.com/health
         tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-   W 💣 tailscale.com/util/winutil/gp                                from tailscale.com/util/syspolicy/source
-   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/derp+
         tailscale.com/version/distro                                 from tailscale.com/envknob+
-        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
+        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
         golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
         golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
         golang.org/x/crypto/argon2                                   from tailscale.com/tka
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
         golang.org/x/crypto/blake2s                                  from tailscale.com/tka
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
-        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   W    golang.org/x/exp/constraints                                 from tailscale.com/util/winutil
-        golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/setting+
    L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http
         golang.org/x/net/http/httpproxy                              from net/http+
         golang.org/x/net/http2/hpack                                 from net/http
         golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
-        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
         golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sync/singleflight                               from github.com/tailscale/setec/client/setec
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/argon2+
+        golang.org/x/sys/cpu                                         from github.com/josharian/native+
   LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
    W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
    W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
@@ -229,7 +200,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -238,58 +209,19 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
-        crypto/internal/boring                                       from crypto/aes+
-        crypto/internal/boring/bbig                                  from crypto/ecdsa+
-        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
-        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
-        crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
         crypto/tls                                                   from golang.org/x/crypto/acme+
-        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
-   D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
+        database/sql/driver                                          from github.com/google/uuid
+        embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -308,51 +240,9 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
         hash/maphash                                                 from go4.org/mem
         html                                                         from net/http/pprof+
-        html/template                                                from tailscale.com/cmd/derper
-        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
-        internal/bisect                                              from internal/godebug
-        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
-        internal/chacha8rand                                         from math/rand/v2+
-        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
-        internal/filepathlite                                        from os+
-        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
-        internal/godebug                                             from crypto/internal/fips140deps/godebug+
-        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
-        internal/goos                                                from crypto/x509+
-        internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
-        internal/nettrace                                            from net+
-        internal/oserror                                             from io/fs+
-        internal/poll                                                from net+
-        internal/profile                                             from net/http/pprof
-        internal/profilerecord                                       from runtime+
-        internal/race                                                from internal/poll+
-        internal/reflectlite                                         from context+
-        internal/runtime/atomic                                      from internal/runtime/exithook+
-        internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
-   L    internal/runtime/syscall                                     from runtime+
-        internal/singleflight                                        from net
-        internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
-        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
-   W    internal/syscall/windows/registry                            from mime+
-   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
-        internal/testlog                                             from os
-        internal/unsafeheader                                        from internal/reflectlite+
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
-   L    io/ioutil                                                    from github.com/mitchellh/go-ps+
-        iter                                                         from maps+
+        io/ioutil                                                    from github.com/mitchellh/go-ps+
         log                                                          from expvar+
         log/internal                                                 from log
         maps                                                         from tailscale.com/ipn+
@@ -360,7 +250,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
         math/rand                                                    from github.com/mdlayher/netlink+
-        math/rand/v2                                                 from crypto/ecdsa+
         mime                                                         from github.com/prometheus/common/expfmt+
         mime/multipart                                               from net/http
         mime/quotedprintable                                         from mime/multipart
@@ -368,39 +257,33 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         net/http                                                     from expvar+
         net/http/httptrace                                           from net/http+
         net/http/internal                                            from net/http
-        net/http/internal/ascii                                      from net/http
-        net/http/pprof                                               from tailscale.com/tsweb
+        net/http/pprof                                               from tailscale.com/tsweb+
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
         os/exec                                                      from github.com/coreos/go-iptables/iptables+
         os/signal                                                    from tailscale.com/cmd/derper
-   W    os/user                                                      from tailscale.com/util/winutil+
+   W    os/user                                                      from tailscale.com/util/winutil
         path                                                         from github.com/prometheus/client_golang/prometheus/internal+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/coreos/go-iptables/iptables+
         regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/fips140+
         runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof+
         slices                                                       from tailscale.com/ipn/ipnstate+
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
         strings                                                      from bufio+
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
-        syscall                                                      from crypto/internal/sysrand+
+        syscall                                                      from crypto/rand+
+        testing                                                      from tailscale.com/util/syspolicy
         text/tabwriter                                               from runtime/pprof
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
         unicode/utf16                                                from crypto/x509+
         unicode/utf8                                                 from bufio+
-        unique                                                       from net/netip
-        unsafe                                                       from bytes+
-        weak                                                         from unique

cmd/derper/derper.go

@@ -2,12 +2,6 @@
 // SPDX-License-Identifier: BSD-3-Clause
 
 // The derper binary is a simple DERP server.
-//
-// For more information, see:
-//
-//   - About: https://tailscale.com/kb/1232/derp-servers
-//   - Protocol & Go docs: https://pkg.go.dev/tailscale.com/derp
-//   - Running a DERP server: https://github.com/tailscale/tailscale/tree/main/cmd/derper#derp
 package main // import "tailscale.com/cmd/derper"
 
 import (
@@ -19,7 +13,6 @@ import (
 	"expvar"
 	"flag"
 	"fmt"
-	"html/template"
 	"io"
 	"log"
 	"math"
@@ -27,17 +20,12 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path"
 	"path/filepath"
 	"regexp"
-	"runtime"
-	runtimemetrics "runtime/metrics"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"
 
-	"github.com/tailscale/setec/client/setec"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
@@ -49,9 +37,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )
 
 var (
@@ -63,25 +48,18 @@ var (
 	configPath  = flag.String("c", "", "config file path")
 	certMode    = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
 	certDir     = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname    = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443. When --certmode=manual, this can be an IP address to avoid SNI checks")
+	hostname    = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
 	runSTUN     = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
 	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
-	flagHome    = flag.String("home", "", "what to serve at the root path. It may be left empty (the default, for a default homepage), \"blank\" for a blank page, or a URL to redirect to")
 
 	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list. If an entry contains a slash, the second part names a hostname to be used when dialing the target.")
-	secretsURL      = flag.String("secrets-url", "", "SETEC server URL for secrets retrieval of mesh key")
-	secretPrefix    = flag.String("secrets-path-prefix", "prod/derp", "setec path prefix for \""+setecMeshKeyName+"\" secret for DERP mesh key")
-	secretsCacheDir = flag.String("secrets-cache-dir", defaultSetecCacheDir(), "directory to cache setec secrets in (required if --secrets-url is set)")
+	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
 	bootstrapDNS    = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list. If an entry contains a slash, the second part names a DNS record to poll for its TXT record with a `0` to `100` value for rollout percentage.")
-
+	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
 	verifyClients   = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 	verifyClientURL = flag.String("verify-client-url", "", "if non-empty, an admission controller URL for permitting client connections; see tailcfg.DERPAdmitClientRequest")
 	verifyFailOpen  = flag.Bool("verify-client-url-fail-open", true, "whether we fail open if --verify-client-url is unreachable")
 
-	socket = flag.String("socket", "", "optional alternate path to tailscaled socket (only relevant when using --verify-clients)")
-
 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
 
@@ -89,21 +67,13 @@ var (
 	tcpKeepAlive = flag.Duration("tcp-keepalive-time", 10*time.Minute, "TCP keepalive time")
 	// tcpUserTimeout is intentionally short, so that hung connections are cleaned up promptly. DERPs should be nearby users.
 	tcpUserTimeout = flag.Duration("tcp-user-timeout", 15*time.Second, "TCP user timeout")
-	// tcpWriteTimeout is the timeout for writing to client TCP connections. It does not apply to mesh connections.
-	tcpWriteTimeout = flag.Duration("tcp-write-timeout", derp.DefaultTCPWiteTimeout, "TCP write timeout; 0 results in no timeout being set on writes")
 )
 
 var (
 	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
 	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
-
-	// Exactly 64 hexadecimal lowercase digits.
-	validMeshKey = regexp.MustCompile(`^[0-9a-f]{64}$`)
 )
 
-const setecMeshKeyName = "meshkey"
-const meshKeyEnvVar = "TAILSCALE_DERPER_MESH_KEY"
-
 func init() {
 	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
 	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
@@ -159,14 +129,6 @@ func writeNewConfig() config {
 	return cfg
 }
 
-func checkMeshKey(key string) (string, error) {
-	key = strings.TrimSpace(key)
-	if !validMeshKey.MatchString(key) {
-		return "", errors.New("key must contain exactly 64 hex digits")
-	}
-	return key, nil
-}
-
 func main() {
 	flag.Parse()
 	if *versionFlag {
@@ -199,70 +161,26 @@ func main() {
 
 	s := derp.NewServer(cfg.PrivateKey, log.Printf)
 	s.SetVerifyClient(*verifyClients)
-	s.SetTailscaledSocketPath(*socket)
 	s.SetVerifyClientURL(*verifyClientURL)
 	s.SetVerifyClientURLFailOpen(*verifyFailOpen)
-	s.SetTCPWriteTimeout(*tcpWriteTimeout)
 
-	var meshKey string
-	if *dev {
-		meshKey = os.Getenv(meshKeyEnvVar)
-		if meshKey == "" {
-			log.Printf("No mesh key specified for dev via %s\n", meshKeyEnvVar)
-		} else {
-			log.Printf("Set mesh key from %s\n", meshKeyEnvVar)
-		}
-	} else if *secretsURL != "" {
-		meshKeySecret := path.Join(*secretPrefix, setecMeshKeyName)
-		fc, err := setec.NewFileCache(*secretsCacheDir)
+	if *meshPSKFile != "" {
+		b, err := os.ReadFile(*meshPSKFile)
 		if err != nil {
-			log.Fatalf("NewFileCache: %v", err)
+			log.Fatal(err)
 		}
-		log.Printf("Setting up setec store from %q", *secretsURL)
-		st, err := setec.NewStore(ctx,
-			setec.StoreConfig{
-				Client: setec.Client{Server: *secretsURL},
-				Secrets: []string{
-					meshKeySecret,
-				},
-				Cache: fc,
-			})
-		if err != nil {
-			log.Fatalf("NewStore: %v", err)
+		key := strings.TrimSpace(string(b))
+		if matched, _ := regexp.MatchString(`(?i)^[0-9a-f]{64,}$`, key); !matched {
+			log.Fatalf("key in %s must contain 64+ hex digits", *meshPSKFile)
 		}
-		meshKey = st.Secret(meshKeySecret).GetString()
-		log.Println("Got mesh key from setec store")
-		st.Close()
-	} else if *meshPSKFile != "" {
-		b, err := setec.StaticFile(*meshPSKFile)
-		if err != nil {
-			log.Fatalf("StaticFile failed to get key: %v", err)
-		}
-		log.Println("Got mesh key from static file")
-		meshKey = b.GetString()
-	}
-
-	if meshKey == "" && *dev {
-		log.Printf("No mesh key configured for --dev mode")
-	} else if meshKey == "" {
-		log.Printf("No mesh key configured")
-	} else if key, err := checkMeshKey(meshKey); err != nil {
-		log.Fatalf("invalid mesh key: %v", err)
-	} else {
 		s.SetMeshKey(key)
-		log.Println("DERP mesh key configured")
+		log.Printf("DERP mesh key configured")
 	}
-
 	if err := startMesh(s); err != nil {
 		log.Fatalf("startMesh: %v", err)
 	}
 	expvar.Publish("derp", s.ExpVar())
 
-	handleHome, ok := getHomeHandler(*flagHome)
-	if !ok {
-		log.Fatalf("unknown --home value %q", *flagHome)
-	}
-
 	mux := http.NewServeMux()
 	if *runDERP {
 		derpHandler := derphttp.Handler(s)
@@ -273,23 +191,34 @@ func main() {
 			http.Error(w, "derp server disabled", http.StatusNotFound)
 		}))
 	}
-
-	// These two endpoints are the same. Different versions of the clients
-	// have assumes different paths over time so we support both.
-	mux.HandleFunc("/derp/probe", derphttp.ProbeHandler)
-	mux.HandleFunc("/derp/latency-check", derphttp.ProbeHandler)
-
+	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tsweb.AddBrowserHeaders(w)
-		handleHome.ServeHTTP(w, r)
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(200)
+		io.WriteString(w, `<html><body>
+<h1>DERP</h1>
+<p>
+  This is a
+  <a href="https://tailscale.com/">Tailscale</a>
+  <a href="https://pkg.go.dev/tailscale.com/derp">DERP</a>
+  server.
+</p>
+`)
+		if !*runDERP {
+			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
+		}
+		if tsweb.AllowDebugAccess(r) {
+			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
+		}
 	}))
 	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tsweb.AddBrowserHeaders(w)
 		io.WriteString(w, "User-agent: *\nDisallow: /\n")
 	}))
-	mux.Handle("/generate_204", http.HandlerFunc(derphttp.ServeNoContent))
+	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
 	debug := tsweb.Debugger(mux)
 	debug.KV("TLS hostname", *hostname)
 	debug.KV("Mesh key", s.HasMeshKey())
@@ -302,20 +231,6 @@ func main() {
 		}
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))
-	debug.Handle("set-mutex-profile-fraction", "SetMutexProfileFraction", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		s := r.FormValue("rate")
-		if s == "" || r.Header.Get("Sec-Debug") != "derp" {
-			http.Error(w, "To set, use: curl -HSec-Debug:derp 'http://derp/debug/set-mutex-profile-fraction?rate=100'", http.StatusBadRequest)
-			return
-		}
-		v, err := strconv.Atoi(s)
-		if err != nil {
-			http.Error(w, "bad rate value", http.StatusBadRequest)
-			return
-		}
-		old := runtime.SetMutexProfileFraction(v)
-		fmt.Fprintf(w, "mutex changed from %v to %v\n", old, v)
-	}))
 
 	// Longer lived DERP connections send an application layer keepalive. Note
 	// if the keepalive is hit, the user timeout will take precedence over the
@@ -325,9 +240,6 @@ func main() {
 		Control:   ktimeout.UserTimeout(*tcpUserTimeout),
 		KeepAlive: *tcpKeepAlive,
 	}
-	// As of 2025-02-19, MPTCP does not support TCP_USER_TIMEOUT socket option
-	// set in ktimeout.UserTimeout above.
-	lc.SetMultipathTCP(false)
 
 	quietLogger := log.New(logger.HTTPServerLogFilter{Inner: log.Printf}, "", 0)
 	httpsrv := &http.Server{
@@ -392,7 +304,7 @@ func main() {
 		if *httpPort > -1 {
 			go func() {
 				port80mux := http.NewServeMux()
-				port80mux.HandleFunc("/generate_204", derphttp.ServeNoContent)
+				port80mux.HandleFunc("/generate_204", serveNoContent)
 				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 				port80srv := &http.Server{
 					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
@@ -433,6 +345,42 @@ func main() {
 	}
 }
 
+const (
+	noContentChallengeHeader = "X-Tailscale-Challenge"
+	noContentResponseHeader  = "X-Tailscale-Response"
+)
+
+// For captive portal detection
+func serveNoContent(w http.ResponseWriter, r *http.Request) {
+	if challenge := r.Header.Get(noContentChallengeHeader); challenge != "" {
+		badChar := strings.IndexFunc(challenge, func(r rune) bool {
+			return !isChallengeChar(r)
+		}) != -1
+		if len(challenge) <= 64 && !badChar {
+			w.Header().Set(noContentResponseHeader, "response "+challenge)
+		}
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func isChallengeChar(c rune) bool {
+	// Semi-randomly chosen as a limited set of valid characters
+	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
+		('0' <= c && c <= '9') ||
+		c == '.' || c == '-' || c == '_'
+}
+
+// probeHandler is the endpoint that js/wasm clients hit to measure
+// DERP latency, since they can't do UDP STUN queries.
+func probeHandler(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case "HEAD", "GET":
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+	default:
+		http.Error(w, "bogus probe method", http.StatusMethodNotAllowed)
+	}
+}
+
 var validProdHostname = regexp.MustCompile(`^derp([^.]*)\.tailscale\.com\.?$`)
 
 func prodAutocertHostPolicy(_ context.Context, host string) error {
@@ -442,10 +390,6 @@ func prodAutocertHostPolicy(_ context.Context, host string) error {
 	return errors.New("invalid hostname")
 }
 
-func defaultSetecCacheDir() string {
-	return filepath.Join(os.Getenv("HOME"), ".cache", "derper-secrets")
-}
-
 func defaultMeshPSKFile() string {
 	try := []string{
 		"/home/derp/keys/derp-mesh.key",
@@ -514,97 +458,3 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
-
-func init() {
-	expvar.Publish("go_sync_mutex_wait_seconds", expvar.Func(func() any {
-		const name = "/sync/mutex/wait/total:seconds" // Go 1.20+
-		var s [1]runtimemetrics.Sample
-		s[0].Name = name
-		runtimemetrics.Read(s[:])
-		if v := s[0].Value; v.Kind() == runtimemetrics.KindFloat64 {
-			return v.Float64()
-		}
-		return 0
-	}))
-}
-
-type templateData struct {
-	ShowAbuseInfo bool
-	Disabled      bool
-	AllowDebug    bool
-}
-
-// homePageTemplate renders the home page using [templateData].
-var homePageTemplate = template.Must(template.New("home").Parse(`<html><body>
-<h1>DERP</h1>
-<p>
-  This is a <a href="https://tailscale.com/">Tailscale</a> DERP server.
-</p>
-
-<p>
-  It provides STUN, interactive connectivity establishment, and relaying of end-to-end encrypted traffic
-  for Tailscale clients.
-</p>
-
-{{if .ShowAbuseInfo }}
-<p>
-  If you suspect abuse, please contact <a href="mailto:security@tailscale.com">security@tailscale.com</a>.
-</p>
-{{end}}
-
-<p>
-  Documentation:
-</p>
-
-<ul>
-{{if .ShowAbuseInfo }}
-  <li><a href="https://tailscale.com/security-policies">Tailscale Security Policies</a></li>
-  <li><a href="https://tailscale.com/tailscale-aup">Tailscale Acceptable Use Policies</a></li>
-{{end}}
-  <li><a href="https://tailscale.com/kb/1232/derp-servers">About DERP</a></li>
-  <li><a href="https://pkg.go.dev/tailscale.com/derp">Protocol & Go docs</a></li>
-  <li><a href="https://github.com/tailscale/tailscale/tree/main/cmd/derper#derp">How to run a DERP server</a></li>
-</ul>
-
-{{if .Disabled}}
-<p>Status: <b>disabled</b></p>
-{{end}}
-
-{{if .AllowDebug}}
-<p>Debug info at <a href='/debug/'>/debug/</a>.</p>
-{{end}}
-</body>
-</html>
-`))
-
-// getHomeHandler returns a handler for the home page based on a flag string
-// as documented on the --home flag.
-func getHomeHandler(val string) (_ http.Handler, ok bool) {
-	if val == "" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			w.WriteHeader(200)
-			err := homePageTemplate.Execute(w, templateData{
-				ShowAbuseInfo: validProdHostname.MatchString(*hostname),
-				Disabled:      !*runDERP,
-				AllowDebug:    tsweb.AllowDebugAccess(r),
-			})
-			if err != nil {
-				if r.Context().Err() == nil {
-					log.Printf("homePageTemplate.Execute: %v", err)
-				}
-				return
-			}
-		}), true
-	}
-	if val == "blank" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			w.WriteHeader(200)
-		}), true
-	}
-	if strings.HasPrefix(val, "http://") || strings.HasPrefix(val, "https://") {
-		return http.RedirectHandler(val, http.StatusFound), true
-	}
-	return nil, false
-}

cmd/derper/derper_test.go

@@ -4,14 +4,12 @@
 package main
 
 import (
-	"bytes"
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 
-	"tailscale.com/derp/derphttp"
 	"tailscale.com/tstest/deptest"
 )
 
@@ -78,20 +76,20 @@ func TestNoContent(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			req, _ := http.NewRequest("GET", "https://localhost/generate_204", nil)
 			if tt.input != "" {
-				req.Header.Set(derphttp.NoContentChallengeHeader, tt.input)
+				req.Header.Set(noContentChallengeHeader, tt.input)
 			}
 			w := httptest.NewRecorder()
-			derphttp.ServeNoContent(w, req)
+			serveNoContent(w, req)
 			resp := w.Result()
 
 			if tt.want == "" {
-				if h, found := resp.Header[derphttp.NoContentResponseHeader]; found {
+				if h, found := resp.Header[noContentResponseHeader]; found {
 					t.Errorf("got %+v; expected no response header", h)
 				}
 				return
 			}
 
-			if got := resp.Header.Get(derphttp.NoContentResponseHeader); got != tt.want {
+			if got := resp.Header.Get(noContentResponseHeader); got != tt.want {
 				t.Errorf("got %q; want %q", got, tt.want)
 			}
 		})
@@ -101,83 +99,10 @@ func TestNoContent(t *testing.T) {
 func TestDeps(t *testing.T) {
 	deptest.DepChecker{
 		BadDeps: map[string]string{
-			"testing":                            "do not use testing package in production code",
 			"gvisor.dev/gvisor/pkg/buffer":       "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/cpuid":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip/header": "https://github.com/tailscale/tailscale/issues/9756",
-			"tailscale.com/net/packet":           "not needed in derper",
-			"github.com/gaissmai/bart":           "not needed in derper",
-			"database/sql/driver":                "not needed in derper", // previously came in via github.com/google/uuid
 		},
 	}.Check(t)
 }
-
-func TestTemplate(t *testing.T) {
-	buf := &bytes.Buffer{}
-	err := homePageTemplate.Execute(buf, templateData{
-		ShowAbuseInfo: true,
-		Disabled:      true,
-		AllowDebug:    true,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	str := buf.String()
-	if !strings.Contains(str, "If you suspect abuse") {
-		t.Error("Output is missing abuse mailto")
-	}
-	if !strings.Contains(str, "Tailscale Security Policies") {
-		t.Error("Output is missing Tailscale Security Policies link")
-	}
-	if !strings.Contains(str, "Status:") {
-		t.Error("Output is missing disabled status")
-	}
-	if !strings.Contains(str, "Debug info") {
-		t.Error("Output is missing debug info")
-	}
-}
-
-func TestCheckMeshKey(t *testing.T) {
-	testCases := []struct {
-		name    string
-		input   string
-		want    string
-		wantErr bool
-	}{
-		{
-			name:    "KeyOkay",
-			input:   "f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6",
-			want:    "f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6",
-			wantErr: false,
-		},
-		{
-			name:    "TrimKeyOkay",
-			input:   "  f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6  ",
-			want:    "f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6",
-			wantErr: false,
-		},
-		{
-			name:    "NotAKey",
-			input:   "zzthisisnotakey",
-			want:    "",
-			wantErr: true,
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			k, err := checkMeshKey(tt.input)
-			if err != nil && !tt.wantErr {
-				t.Errorf("unexpected error: %v", err)
-			}
-			if k != tt.want && err == nil {
-				t.Errorf("want: %s doesn't match expected: %s", tt.want, k)
-			}
-
-		})
-	}
-
-}

cmd/derper/mesh.go

@@ -9,11 +9,13 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"net/netip"
 	"strings"
+	"time"
 
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/netmon"
+	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
 
@@ -24,54 +26,51 @@ func startMesh(s *derp.Server) error {
 	if !s.HasMeshKey() {
 		return errors.New("--mesh-with requires --mesh-psk-file")
 	}
-	for _, hostTuple := range strings.Split(*meshWith, ",") {
-		if err := startMeshWithHost(s, hostTuple); err != nil {
+	for _, host := range strings.Split(*meshWith, ",") {
+		if err := startMeshWithHost(s, host); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-func startMeshWithHost(s *derp.Server, hostTuple string) error {
-	var host string
-	var dialHost string
-	hostParts := strings.Split(hostTuple, "/")
-	if len(hostParts) > 2 {
-		return fmt.Errorf("too many components in host tuple %q", hostTuple)
-	}
-	host = hostParts[0]
-	if len(hostParts) == 2 {
-		dialHost = hostParts[1]
-	} else {
-		dialHost = hostParts[0]
-	}
-
+func startMeshWithHost(s *derp.Server, host string) error {
 	logf := logger.WithPrefix(log.Printf, fmt.Sprintf("mesh(%q): ", host))
-	netMon := netmon.NewStatic() // good enough for cmd/derper; no need for netns fanciness
-	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf, netMon)
+	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf)
 	if err != nil {
 		return err
 	}
 	c.MeshKey = s.MeshKey()
 	c.WatchConnectionChanges = true
 
-	logf("will dial %q for %q", dialHost, host)
-	if dialHost != host {
+	// For meshed peers within a region, connect via VPC addresses.
+	c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
+		host, port, err := net.SplitHostPort(addr)
+		if err != nil {
+			return nil, err
+		}
 		var d net.Dialer
-		c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
-			_, port, err := net.SplitHostPort(addr)
-			if err != nil {
-				logf("failed to split %q: %v", addr, err)
-				return nil, err
+		var r net.Resolver
+		if base, ok := strings.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
+			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
+			defer cancel()
+			vpcHost := base + "-vpc.tailscale.com"
+			ips, _ := r.LookupIP(subCtx, "ip", vpcHost)
+			if len(ips) > 0 {
+				vpcAddr := net.JoinHostPort(ips[0].String(), port)
+				c, err := d.DialContext(subCtx, network, vpcAddr)
+				if err == nil {
+					log.Printf("connected to %v (%v) instead of %v", vpcHost, ips[0], base)
+					return c, nil
+				}
+				log.Printf("failed to connect to %v (%v): %v; trying non-VPC route", vpcHost, ips[0], err)
 			}
-			dialAddr := net.JoinHostPort(dialHost, port)
-			logf("dialing %q instead of %q", dialAddr, addr)
-			return d.DialContext(ctx, network, dialAddr)
-		})
-	}
+		}
+		return d.DialContext(ctx, network, addr)
+	})
 
-	add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }
-	remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }
+	add := func(k key.NodePublic, _ netip.AddrPort) { s.AddPacketForwarder(k, c) }
+	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
 	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
 	return nil
 }

cmd/derper/websocket.go

@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/coder/websocket"
+	"nhooyr.io/websocket"
 	"tailscale.com/derp"
 	"tailscale.com/net/wsconn"
 )

cmd/derpprobe/derpprobe.go

@@ -7,6 +7,8 @@ package main
 import (
 	"flag"
 	"fmt"
+	"html"
+	"io"
 	"log"
 	"net/http"
 	"sort"
@@ -15,27 +17,20 @@ import (
 	"tailscale.com/prober"
 	"tailscale.com/tsweb"
 	"tailscale.com/version"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )
 
 var (
-	derpMapURL         = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://) or 'local' to use the local tailscaled's DERP map")
-	versionFlag        = flag.Bool("version", false, "print version and exit")
-	listen             = flag.String("listen", ":8030", "HTTP listen address")
-	probeOnce          = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-	spread             = flag.Bool("spread", true, "whether to spread probing over time")
-	interval           = flag.Duration("interval", 15*time.Second, "probe interval")
-	meshInterval       = flag.Duration("mesh-interval", 15*time.Second, "mesh probe interval")
-	stunInterval       = flag.Duration("stun-interval", 15*time.Second, "STUN probe interval")
-	tlsInterval        = flag.Duration("tls-interval", 15*time.Second, "TLS probe interval")
-	bwInterval         = flag.Duration("bw-interval", 0, "bandwidth probe interval (0 = no bandwidth probing)")
-	bwSize             = flag.Int64("bw-probe-size-bytes", 1_000_000, "bandwidth probe size")
-	bwTUNIPv4Address   = flag.String("bw-tun-ipv4-addr", "", "if specified, bandwidth probes will be performed over a TUN device at this address in order to exercise TCP-in-TCP in similar fashion to TCP over Tailscale via DERP; we will use a /30 subnet including this IP address")
-	qdPacketsPerSecond = flag.Int("qd-packets-per-second", 0, "if greater than 0, queuing delay will be measured continuously using 260 byte packets (approximate size of a CallMeMaybe packet) sent at this rate per second")
-	qdPacketTimeout    = flag.Duration("qd-packet-timeout", 5*time.Second, "queuing delay packets arriving after this period of time from being sent are treated like dropped packets and don't count toward queuing delay timings")
-	regionCodeOrID     = flag.String("region-code", "", "probe only this region (e.g. 'lax' or '17'); if left blank, all regions will be probed")
+	derpMapURL   = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
+	versionFlag  = flag.Bool("version", false, "print version and exit")
+	listen       = flag.String("listen", ":8030", "HTTP listen address")
+	probeOnce    = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
+	spread       = flag.Bool("spread", true, "whether to spread probing over time")
+	interval     = flag.Duration("interval", 15*time.Second, "probe interval")
+	meshInterval = flag.Duration("mesh-interval", 15*time.Second, "mesh probe interval")
+	stunInterval = flag.Duration("stun-interval", 15*time.Second, "STUN probe interval")
+	tlsInterval  = flag.Duration("tls-interval", 15*time.Second, "TLS probe interval")
+	bwInterval   = flag.Duration("bw-interval", 0, "bandwidth probe interval (0 = no bandwidth probing)")
+	bwSize       = flag.Int64("bw-probe-size-bytes", 1_000_000, "bandwidth probe size")
 )
 
 func main() {
@@ -50,13 +45,9 @@ func main() {
 		prober.WithMeshProbing(*meshInterval),
 		prober.WithSTUNProbing(*stunInterval),
 		prober.WithTLSProbing(*tlsInterval),
-		prober.WithQueuingDelayProbing(*qdPacketsPerSecond, *qdPacketTimeout),
 	}
 	if *bwInterval > 0 {
-		opts = append(opts, prober.WithBandwidthProbing(*bwInterval, *bwSize, *bwTUNIPv4Address))
-	}
-	if *regionCodeOrID != "" {
-		opts = append(opts, prober.WithRegionCodeOrID(*regionCodeOrID))
+		opts = append(opts, prober.WithBandwidthProbing(*bwInterval, *bwSize))
 	}
 	dp, err := prober.DERP(p, *derpMapURL, opts...)
 	if err != nil {
@@ -79,18 +70,8 @@ func main() {
 	}
 
 	mux := http.NewServeMux()
-	d := tsweb.Debugger(mux)
-	d.Handle("probe-run", "Run a probe", tsweb.StdHandler(tsweb.ReturnHandlerFunc(p.RunHandler), tsweb.HandlerOptions{Logf: log.Printf}))
-	mux.Handle("/", tsweb.StdHandler(p.StatusHandler(
-		prober.WithTitle("DERP Prober"),
-		prober.WithPageLink("Prober metrics", "/debug/varz"),
-		prober.WithProbeLink("Run Probe", "/debug/probe-run?name={{.Name}}"),
-	), tsweb.HandlerOptions{Logf: log.Printf}))
-	mux.Handle("/healthz", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/plain")
-		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("ok\n"))
-	}))
+	tsweb.Debugger(mux)
+	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
 	log.Printf("Listening on %s", *listen)
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }
@@ -113,7 +94,7 @@ func getOverallStatus(p *prober.Prober) (o overallStatus) {
 			// Do not show probes that have not finished yet.
 			continue
 		}
-		if i.Status == prober.ProbeStatusSucceeded {
+		if i.Result {
 			o.addGoodf("%s: %s", p, i.Latency)
 		} else {
 			o.addBadf("%s: %s", p, i.Error)
@@ -124,3 +105,26 @@ func getOverallStatus(p *prober.Prober) (o overallStatus) {
 	sort.Strings(o.good)
 	return
 }
+
+func serveFunc(p *prober.Prober) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		st := getOverallStatus(p)
+		summary := "All good"
+		if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
+			// Returning a 500 allows monitoring this server externally and configuring
+			// an alert on HTTP response code.
+			w.WriteHeader(500)
+			summary = fmt.Sprintf("%d problems", len(st.bad))
+		}
+
+		io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
+		fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
+		for _, s := range st.bad {
+			fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
+		}
+		for _, s := range st.good {
+			fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
+		}
+		io.WriteString(w, "</ul></body></html>\n")
+	}
+}

cmd/dist/dist.go

@@ -13,16 +13,11 @@ import (
 
 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
-	"tailscale.com/release/dist/qnap"
 	"tailscale.com/release/dist/synology"
 	"tailscale.com/release/dist/unixpkgs"
 )
 
-var (
-	synologyPackageCenter bool
-	qnapPrivateKeyPath    string
-	qnapCertificatePath   string
-)
+var synologyPackageCenter bool
 
 func getTargets() ([]dist.Target, error) {
 	var ret []dist.Target
@@ -42,10 +37,6 @@ func getTargets() ([]dist.Target, error) {
 	// To build for package center, run
 	// ./tool/go run ./cmd/dist build --synology-package-center synology
 	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
-	if (qnapPrivateKeyPath == "") != (qnapCertificatePath == "") {
-		return nil, errors.New("both --qnap-private-key-path and --qnap-certificate-path must be set")
-	}
-	ret = append(ret, qnap.Targets(qnapPrivateKeyPath, qnapCertificatePath)...)
 	return ret, nil
 }
 
@@ -54,8 +45,6 @@ func main() {
 	for _, subcmd := range cmd.Subcommands {
 		if subcmd.Name == "build" {
 			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
-			subcmd.FlagSet.StringVar(&qnapPrivateKeyPath, "qnap-private-key-path", "", "sign qnap packages with given key (must also provide --qnap-certificate-path)")
-			subcmd.FlagSet.StringVar(&qnapCertificatePath, "qnap-certificate-path", "", "sign qnap packages with given certificate (must also provide --qnap-private-key-path)")
 		}
 	}
 

cmd/get-authkey/main.go

@@ -16,10 +16,14 @@ import (
 	"strings"
 
 	"golang.org/x/oauth2/clientcredentials"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 )
 
 func main() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+
 	reusable := flag.Bool("reusable", false, "allocate a reusable authkey")
 	ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")
 	preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")
@@ -42,11 +46,11 @@ func main() {
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		TokenURL:     baseURL + "/api/v2/oauth/token",
+		Scopes:       []string{"device"},
 	}
 
 	ctx := context.Background()
 	tsClient := tailscale.NewClient("-", nil)
-	tsClient.UserAgent = "tailscale-get-authkey"
 	tsClient.HTTPClient = credentials.Client(ctx)
 	tsClient.BaseURL = baseURL
 

cmd/gitops-pusher/gitops-pusher.go

@@ -13,7 +13,6 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
 	"log"
 	"net/http"
 	"os"
@@ -29,20 +28,19 @@ import (
 )
 
 var (
-	rootFlagSet       = flag.NewFlagSet("gitops-pusher", flag.ExitOnError)
-	policyFname       = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file")
-	cacheFname        = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
-	timeout           = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
-	githubSyntax      = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
-	apiServer         = rootFlagSet.String("api-server", "api.tailscale.com", "API server to contact")
-	failOnManualEdits = rootFlagSet.Bool("fail-on-manual-edits", false, "fail if manual edits to the ACLs in the admin panel are detected; when set to false (the default) only a warning is printed")
+	rootFlagSet  = flag.NewFlagSet("gitops-pusher", flag.ExitOnError)
+	policyFname  = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file")
+	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
+	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
+	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
+	apiServer    = rootFlagSet.String("api-server", "api.tailscale.com", "API server to contact")
 )
 
-func modifiedExternallyError() error {
+func modifiedExternallyError() {
 	if *githubSyntax {
-		return fmt.Errorf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.", *policyFname)
+		fmt.Printf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
 	} else {
-		return fmt.Errorf("The policy file was modified externally in the admin console.")
+		fmt.Printf("The policy file was modified externally in the admin console.\n")
 	}
 }
 
@@ -59,30 +57,24 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 		}
 
 		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming the latest control etag")
-			cache.PrevETag = controlEtag
+			log.Println("no previous etag found, assuming local file is correct and recording that")
+			cache.PrevETag = localEtag
 		}
 
 		log.Printf("control: %s", controlEtag)
 		log.Printf("local:   %s", localEtag)
 		log.Printf("cache:   %s", cache.PrevETag)
 
+		if cache.PrevETag != controlEtag {
+			modifiedExternallyError()
+		}
+
 		if controlEtag == localEtag {
 			cache.PrevETag = localEtag
 			log.Println("no update needed, doing nothing")
 			return nil
 		}
 
-		if cache.PrevETag != controlEtag {
-			if err := modifiedExternallyError(); err != nil {
-				if *failOnManualEdits {
-					return err
-				} else {
-					fmt.Println(err)
-				}
-			}
-		}
-
 		if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil {
 			return err
 		}
@@ -106,29 +98,23 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
 		}
 
 		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming the latest control etag")
-			cache.PrevETag = controlEtag
+			log.Println("no previous etag found, assuming local file is correct and recording that")
+			cache.PrevETag = localEtag
 		}
 
 		log.Printf("control: %s", controlEtag)
 		log.Printf("local:   %s", localEtag)
 		log.Printf("cache:   %s", cache.PrevETag)
 
+		if cache.PrevETag != controlEtag {
+			modifiedExternallyError()
+		}
+
 		if controlEtag == localEtag {
 			log.Println("no updates found, doing nothing")
 			return nil
 		}
 
-		if cache.PrevETag != controlEtag {
-			if err := modifiedExternallyError(); err != nil {
-				if *failOnManualEdits {
-					return err
-				} else {
-					fmt.Println(err)
-				}
-			}
-		}
-
 		if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil {
 			return err
 		}
@@ -149,8 +135,8 @@ func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) fun
 		}
 
 		if cache.PrevETag == "" {
-			log.Println("no previous etag found, assuming control etag")
-			cache.PrevETag = Shuck(controlEtag)
+			log.Println("no previous etag found, assuming local file is correct and recording that")
+			cache.PrevETag = Shuck(localEtag)
 		}
 
 		log.Printf("control: %s", controlEtag)
@@ -406,8 +392,7 @@ func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		errorDetails, _ := io.ReadAll(resp.Body)
-		return "", fmt.Errorf("wanted HTTP status code %d but got %d: %#q", want, got, string(errorDetails))
+		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}
 
 	return Shuck(resp.Header.Get("ETag")), nil

cmd/hello/hello.go

@@ -18,9 +18,8 @@ import (
 	"strings"
 	"time"
 
-	"tailscale.com/client/local"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/tailcfg"
 )
 
 var (
@@ -32,7 +31,7 @@ var (
 //go:embed hello.tmpl.html
 var embeddedTemplate string
 
-var localClient local.Client
+var localClient tailscale.LocalClient
 
 func main() {
 	flag.Parse()
@@ -135,10 +134,6 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 	if who == nil {
 		return ""
 	}
-	vals, err := tailcfg.UnmarshalNodeCapJSON[string](who.Node.CapMap, tailcfg.NodeAttrNativeIPV4)
-	if err == nil && len(vals) > 0 {
-		return vals[0]
-	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
 			return nodeIP.Addr().String()

cmd/k8s-nameserver/main.go

@@ -36,6 +36,7 @@ const (
 	// provided by a mounted Kubernetes Configmap. The Configmap mounted at
 	// /config is the only supported way for configuring this nameserver.
 	defaultDNSConfigDir    = "/config"
+	defaultDNSFile         = "dns.json"
 	kubeletMountedConfigLn = "..data"
 )
 
@@ -92,7 +93,7 @@ func main() {
 	sig := make(chan os.Signal, 1)
 	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
 	s := <-sig
-	log.Printf("OS signal (%s) received, shutting down", s)
+	log.Printf("OS signal (%s) received, shutting down\n", s)
 	cancel()    // exit the records reconciler and configmap watcher goroutines
 	udpSig <- s // stop the UDP listener
 	tcpSig <- s // stop the TCP listener
@@ -115,7 +116,7 @@ func (n *nameserver) handleFunc() func(w dns.ResponseWriter, r *dns.Msg) {
 			w.WriteMsg(m)
 		}()
 		if len(r.Question) < 1 {
-			log.Print("[unexpected] nameserver received a request with no questions")
+			log.Print("[unexpected] nameserver received a request with no questions\n")
 			m = r.SetRcodeFormatError(r)
 			return
 		}
@@ -142,49 +143,17 @@ func (n *nameserver) handleFunc() func(w dns.ResponseWriter, r *dns.Msg) {
 				m = m.SetRcode(r, dns.RcodeNameError)
 				return
 			}
-			// TODO (irbekrm): TTL is currently set to 0, meaning
-			// that cluster workloads will not cache the DNS
-			// records. Revisit this in future when we understand
-			// the usage patterns better- is it putting too much
-			// load on kube DNS server or is this fine?
+			// TODO (irbekrm): what TTL?
 			for _, ip := range ips {
 				rr := &dns.A{Hdr: dns.RR_Header{Name: q, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 0}, A: ip}
 				m.SetRcode(r, dns.RcodeSuccess)
 				m.Answer = append(m.Answer, rr)
 			}
 		case dns.TypeAAAA:
-			// TODO (irbekrm): add IPv6 support.
-			// The nameserver currently does not support IPv6
-			// (records are not being created for IPv6 Pod addresses).
-			// However, we can expect that some callers will
-			// nevertheless send AAAA queries.
-			// We have to return NOERROR if a query is received for
-			// an AAAA record for a DNS name that we have an A
-			// record for- else the caller might not follow with an
-			// A record query.
-			// https://github.com/tailscale/tailscale/issues/12321
-			// https://datatracker.ietf.org/doc/html/rfc4074
-			q := r.Question[0].Name
-			fqdn, err := dnsname.ToFQDN(q)
-			if err != nil {
-				m = r.SetRcodeFormatError(r)
-				return
-			}
-			// The only supported use of this nameserver is as a
-			// single source of truth for MagicDNS names by
-			// non-tailnet Kubernetes workloads.
-			m.Authoritative = true
-			ips := n.lookupIP4(fqdn)
-			if len(ips) == 0 {
-				// As we are the authoritative nameserver for MagicDNS
-				// names, if we do not have a record for this MagicDNS
-				// name, it does not exist.
-				m = m.SetRcode(r, dns.RcodeNameError)
-				return
-			}
-			m.SetRcode(r, dns.RcodeSuccess)
+			// TODO (irbekrm): implement IPv6 support
+			fallthrough
 		default:
-			log.Printf("[unexpected] nameserver received a query for an unsupported record type: %s", r.Question[0].String())
+			log.Printf("[unexpected] nameserver received a query for an unsupported record type: %s\n", r.Question[0].String())
 			m.SetRcode(r, dns.RcodeNotImplemented)
 		}
 	}
@@ -194,19 +163,19 @@ func (n *nameserver) handleFunc() func(w dns.ResponseWriter, r *dns.Msg) {
 // runRecordsReconciler ensures that nameserver's in-memory records are
 // reset when the provided configuration changes.
 func (n *nameserver) runRecordsReconciler(ctx context.Context) {
-	log.Print("updating nameserver's records from the provided configuration...")
+	log.Print("updating nameserver's records from the provided configuration...\n")
 	if err := n.resetRecords(); err != nil { // ensure records are up to date before the nameserver starts
-		log.Fatalf("error setting nameserver's records: %v", err)
+		log.Fatalf("error setting nameserver's records: %v\n", err)
 	}
-	log.Print("nameserver's records were updated")
+	log.Print("nameserver's records were updated\n")
 	go func() {
 		for {
 			select {
 			case <-ctx.Done():
-				log.Printf("context cancelled, exiting records reconciler")
+				log.Printf("context cancelled, exiting records reconciler\n")
 				return
 			case <-n.configWatcher:
-				log.Print("configuration update detected, resetting records")
+				log.Print("configuration update detected, resetting records\n")
 				if err := n.resetRecords(); err != nil {
 					// TODO (irbekrm): this runs in a
 					// container that will be thrown away,
@@ -214,9 +183,9 @@ func (n *nameserver) runRecordsReconciler(ctx context.Context) {
 					// need to ensure that the DNS server
 					// terminates connections more
 					// gracefully.
-					log.Fatalf("error resetting records: %v", err)
+					log.Fatalf("error resetting records: %v\n", err)
 				}
-				log.Print("nameserver records were reset")
+				log.Print("nameserver records were reset\n")
 			}
 		}
 	}()
@@ -228,11 +197,11 @@ func (n *nameserver) runRecordsReconciler(ctx context.Context) {
 func (n *nameserver) resetRecords() error {
 	dnsCfgBytes, err := n.configReader()
 	if err != nil {
-		log.Printf("error reading nameserver's configuration: %v", err)
+		log.Printf("error reading nameserver's configuration: %v\n", err)
 		return err
 	}
 	if dnsCfgBytes == nil || len(dnsCfgBytes) < 1 {
-		log.Print("nameserver's configuration is empty, any in-memory records will be unset")
+		log.Print("nameserver's configuration is empty, any in-memory records will be unset\n")
 		n.mu.Lock()
 		n.ip4 = make(map[dnsname.FQDN][]net.IP)
 		n.mu.Unlock()
@@ -255,21 +224,21 @@ func (n *nameserver) resetRecords() error {
 		n.ip4 = ip4
 	}()
 
-	if len(dnsCfg.IP4) == 0 {
-		log.Print("nameserver's configuration contains no records, any in-memory records will be unset")
+	if dnsCfg.IP4 == nil || len(dnsCfg.IP4) == 0 {
+		log.Print("nameserver's configuration contains no records, any in-memory records will be unset\n")
 		return nil
 	}
 
 	for fqdn, ips := range dnsCfg.IP4 {
 		fqdn, err := dnsname.ToFQDN(fqdn)
 		if err != nil {
-			log.Printf("invalid nameserver's configuration: %s is not a valid FQDN: %v; skipping this record", fqdn, err)
+			log.Printf("invalid nameserver's configuration: %s is not a valid FQDN: %v; skipping this record\n", fqdn, err)
 			continue // one invalid hostname should not break the whole nameserver
 		}
 		for _, ipS := range ips {
 			ip := net.ParseIP(ipS).To4()
 			if ip == nil { // To4 returns nil if IP is not a IPv4 address
-				log.Printf("invalid nameserver's configuration: %v does not appear to be an IPv4 address; skipping this record", ipS)
+				log.Printf("invalid nameserver's configuration: %v does not appear to be an IPv4 address; skipping this record\n", ipS)
 				continue // one invalid IP address should not break the whole nameserver
 			}
 			ip4[fqdn] = []net.IP{ip}
@@ -283,12 +252,12 @@ func listenAndServe(net, addr string, shutdown chan os.Signal) {
 	s := &dns.Server{Addr: addr, Net: net}
 	go func() {
 		<-shutdown
-		log.Printf("shutting down server for %s", net)
+		log.Printf("shutting down server for %s\n", net)
 		s.Shutdown()
 	}()
-	log.Printf("listening for %s queries on %s", net, addr)
+	log.Printf("listening for %s queries on %s\n", net, addr)
 	if err := s.ListenAndServe(); err != nil {
-		log.Fatalf("error running %s server: %v", net, err)
+		log.Fatalf("error running %s server: %v\n", net, err)
 	}
 }
 
@@ -299,7 +268,7 @@ func ensureWatcherForKubeConfigMap(ctx context.Context) chan string {
 	c := make(chan string)
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
-		log.Fatalf("error creating a new watcher for the mounted ConfigMap: %v", err)
+		log.Fatalf("error creating a new watcher for the mounted ConfigMap: %v\n", err)
 	}
 	// kubelet mounts configmap to a Pod using a series of symlinks, one of
 	// which is <mount-dir>/..data that Kubernetes recommends consumers to
@@ -308,22 +277,31 @@ func ensureWatcherForKubeConfigMap(ctx context.Context) chan string {
 	toWatch := filepath.Join(defaultDNSConfigDir, kubeletMountedConfigLn)
 	go func() {
 		defer watcher.Close()
-		log.Printf("starting file watch for %s", defaultDNSConfigDir)
+		log.Printf("starting file watch for %s\n", defaultDNSConfigDir)
 		for {
 			select {
 			case <-ctx.Done():
-				log.Print("context cancelled, exiting ConfigMap watcher")
+				log.Print("context cancelled, exiting ConfigMap watcher\n")
 				return
 			case event, ok := <-watcher.Events:
 				if !ok {
 					log.Fatal("watcher finished; exiting")
 				}
 				if event.Name == toWatch {
-					msg := fmt.Sprintf("ConfigMap update received: %s", event)
+					msg := fmt.Sprintf("ConfigMap update received: %s\n", event)
 					log.Print(msg)
 					c <- msg
 				}
 			case err, ok := <-watcher.Errors:
+				if !ok {
+					// TODO (irbekrm): this runs in a
+					// container that will be thrown away,
+					// so this should be ok. But maybe still
+					// need to ensure that the DNS server
+					// terminates connections more
+					// gracefully.
+					log.Fatalf("[unexpected] configuration watcher error: errors watcher finished: %v\n", err)
+				}
 				if err != nil {
 					// TODO (irbekrm): this runs in a
 					// container that will be thrown away,
@@ -331,22 +309,13 @@ func ensureWatcherForKubeConfigMap(ctx context.Context) chan string {
 					// need to ensure that the DNS server
 					// terminates connections more
 					// gracefully.
-					log.Fatalf("[unexpected] error watching configuration: %v", err)
-				}
-				if !ok {
-					// TODO (irbekrm): this runs in a
-					// container that will be thrown away,
-					// so this should be ok. But maybe still
-					// need to ensure that the DNS server
-					// terminates connections more
-					// gracefully.
-					log.Fatalf("[unexpected] errors watcher exited")
+					log.Fatalf("[unexpected] error watching configuration: %v\n", err)
 				}
 			}
 		}
 	}()
 	if err = watcher.Add(defaultDNSConfigDir); err != nil {
-		log.Fatalf("failed setting up a watcher for the mounted ConfigMap: %v", err)
+		log.Fatalf("failed setting up a watcher for the mounted ConfigMap: %v\n", err)
 	}
 	return c
 }
@@ -355,9 +324,9 @@ func ensureWatcherForKubeConfigMap(ctx context.Context) chan string {
 type configReaderFunc func() ([]byte, error)
 
 // configMapConfigReader reads the desired nameserver configuration from a
-// records.json file in a ConfigMap mounted at /config.
+// dns.json file in a ConfigMap mounted at /config.
 var configMapConfigReader configReaderFunc = func() ([]byte, error) {
-	if contents, err := os.ReadFile(filepath.Join(defaultDNSConfigDir, operatorutils.DNSRecordsCMKey)); err == nil {
+	if contents, err := os.ReadFile(filepath.Join(defaultDNSConfigDir, defaultDNSFile)); err == nil {
 		return contents, nil
 	} else if os.IsNotExist(err) {
 		return nil, nil