cmd/gitops-pusher: standardize hujson before posting to validate (#5525 )

Apparently the validate route doesn't check content-types or handle hujson with comments correctly. This patch makes gitops-pusher convert the hujson to normal json. Signed-off-by: Xe <xe@tailscale.com> Signed-off-by: Xe <xe@tailscale.com> (cherry picked from commit 3564fd61b5)
VERSION.txt: this is v1.28.0
2022-09-01 14:57:46 -07:00 · 2022-08-31 06:25:05 -07:00
177 changed files with 1531 additions and 4413 deletions
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -1,54 +0,0 @@
-name: Android-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Android smoke build
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-      env:
-        GOOS: android
-        GOARCH: arm64
-      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/2
+++ b/2
@@ -32,7 +32,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.19-alpine AS build-env
+FROM golang:1.18-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.31.0
+1.30.0
--- a/api.md
+++ b/api.md
@@ -3,12 +3,11 @@
 The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.

 # Authentication
-
 Currently based on {some authentication method}. Visit the [admin panel](https://login.tailscale.com/admin) and navigate to the `Settings` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints (leave the password blank).

 # APIs

- **[Devices](#device)**
+* **[Devices](#device)**
  - [GET device](#device-get)
  - [DELETE device](#device-delete)
  - Routes
@@ -20,12 +19,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST device tags](#device-tags-post)
  - Key
    - [POST device key](#device-key-post)
- **[Tailnets](#tailnet)**
+* **[Tailnets](#tailnet)**
  - ACLs
    - [GET tailnet ACL](#tailnet-acl-get)
    - [POST tailnet ACL](#tailnet-acl-post)
    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
-    - [POST tailnet ACL validate](#tailnet-acl-validate-post)
+	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
  - [Keys](#tailnet-keys)
@@ -42,9 +41,7 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST tailnet DNS searchpaths](#tailnet-dns-searchpaths-post)

 ## Device
-
 <!-- TODO: description about what devices are -->
-
 Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.

@@ -55,23 +52,20 @@ This is your deviceID.
 <a name=device-get></a>

 #### `GET /api/v2/device/:deviceid` - lists the details for a device
-
 Returns the details for the specified device.
 Supply the device of interest in the path using its ID.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

+
 ##### Parameters
-
 ##### Query Parameters
-
 `fields` - Controls which fields will be included in the returned response.
 Currently, supported options are:
-
- `all`: returns all fields in the response.
- `default`: return all fields except:
-  - `enabledRoutes`
-  - `advertisedRoutes`
-  - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+* `all`: returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)

 Use commas to separate multiple options.
 If more than one option is indicated, then the union is used.
@@ -79,7 +73,6 @@ For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.

 ##### Example
-
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -87,7 +80,6 @@ curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
 ```

 Response
-
 ```
 {
  "addresses":[
@@ -149,18 +141,16 @@ Response
 <a name=device-delete></a>

 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-
 Deletes the provided device from its tailnet.
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.

-##### Parameters

+##### Parameters
 No parameters.

 ##### Example
-
 ```
 DELETE /api/v2/device/12345
 curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
@@ -170,7 +160,6 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
 Response

 If successful, the response should be empty:
-
 ```
 < HTTP/1.1 200 OK
 ...
@@ -179,13 +168,13 @@ If successful, the response should be empty:
 ```

 If the device is not owned by your tailnet:
-
 ```
 < HTTP/1.1 501 Not Implemented
 ...
 {"message":"cannot delete devices outside of your tailnet"}
 ```

+
 <a name=device-routes-get></a>

 #### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device
@@ -204,7 +193,6 @@ curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
 ```

 Response
-
 ```
 {
   "advertisedRoutes" : [
@@ -225,9 +213,7 @@ Sets which subnet routes are enabled to be routed by a device by replacing the e
 ##### Parameters

 ###### POST Body
-
 `routes` - The new list of enabled subnet routes in JSON.
-
 ```
 {
  "routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]
@@ -268,9 +254,7 @@ Marks a device as authorized, for Tailnets where device authorization is require
 ##### Parameters

 ###### POST Body
-
 `authorized` - whether the device is authorized; only `true` is currently supported.
-
 ```
 {
  "authorized": true
@@ -351,9 +335,9 @@ The response is 2xx on success. The response body is currently an empty JSON
 object.

 ## Tailnet
-
 A tailnet is the name of your Tailscale network.
-You can find it in the [Settings](https://login.tailscale.com/admin/settings/) page of the admin console.
+You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
+

 `alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:

@@ -362,10 +346,10 @@ GET /api/v2/tailnet/example.com/...
 curl https://api.tailscale.com/api/v2/tailnet/example.com/...
 ```

+
 For solo plans, the tailnet is the email you signed up with.
 So `alice@gmail.com` has the tailnet `alice@gmail.com` since `@gmail.com` is a shared email host.
 Her API calls would have the following format:
-
 ```
 GET /api/v2/tailnet/alice@gmail.com/...
 curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
@@ -386,19 +370,15 @@ Retrieves the ACL that is currently set for the given tailnet. Supply the tailne
 ##### Parameters

 ###### Headers
-
 `Accept` - Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.

 ##### Returns
-
 Returns the ACL HuJSON by default. Returns a parsed JSON of the ACL (sans comments) if the `Accept` type is explicitly set to `application/json`. An `ETag` header is also sent in the response, which can be optionally used in POST requests to avoid missed updates.
-
 <!-- TODO (chungdaniel): define error types and a set of docs for them -->

 ##### Example

 ###### Requesting a HuJSON response:
-
 ```
 GET /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -408,7 +388,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response
-
 ```
 ...
 Content-Type: application/hujson
@@ -447,7 +426,6 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
 ```

 ###### Requesting a JSON response:
-
 ```
 GET /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -457,7 +435,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response
-
 ```
 ...
 Content-Type: application/json
@@ -500,7 +477,6 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 ##### Parameters

 ###### Headers
-
 `If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.

 `Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
@@ -510,16 +486,15 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object.
 An ACL policy may contain the following top-level properties:

- `Groups` - Static groups of users which can be used for ACL rules.
- `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
- `ACLs` - Access control lists.
- `TagOwners` - Defines who is allowed to use which tags.
- `Tests` - Run on ACL updates to check correct functionality of defined ACLs.
+* `Groups` - Static groups of users which can be used for ACL rules.
+* `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
+* `ACLs` - Access control lists.
+* `TagOwners` - Defines who is allowed to use which tags.
+* `Tests` - Run on ACL updates to check correct functionality of defined ACLs.

 See https://tailscale.com/kb/1018/acls for more information on those properties.

 ##### Example
-
 ```
 POST /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -549,7 +524,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response:
-
 ```
 // Example/default ACLs for unrestricted connections.
 {
@@ -575,7 +549,6 @@ Response:
 ```

 Failed test error response:
-
 ```
 {
    "message": "test(s) failed",
@@ -599,17 +572,14 @@ Determines what rules match for a user on an ACL without saving the ACL to the s
 ##### Parameters

 ###### Query Parameters
-
 `type` - can be 'user' or 'ipport'
 `previewFor` - if type=user, a user's email. If type=ipport, a IP address + port like "10.0.0.1:80".
 The provided ACL is queried with this parameter to determine which rules match.

 ###### POST Body
-
 ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)

 ##### Example
-
 ```
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFor=user1@example.com&type=user' \
  -u "tskey-yourapikey123:" \
@@ -637,7 +607,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFo
 ```

 Response:
-
 ```
 {"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
 ```
@@ -662,7 +631,6 @@ The POST body should be a JSON formatted array of ACL Tests.
 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.

 ##### Example with tests
-
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -674,7 +642,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
 ```

 ##### Example with an ACL body
-
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -717,23 +684,21 @@ An empty body or a JSON object with no `message` is returned on success.
 <a name=tailnet-devices-get></a>

 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-
 Lists the devices in a tailnet.
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

+
 ##### Parameters

 ###### Query Parameters
-
 `fields` - Controls which fields will be included in the returned response.
 Currently, supported options are:
-
- `all`: Returns all fields in the response.
- `default`: return all fields except:
-  - `enabledRoutes`
-  - `advertisedRoutes`
-  - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+* `all`: Returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)

 Use commas to separate multiple options.
 If more than one option is indicated, then the union is used.
@@ -749,7 +714,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
 ```

 Response
-
 ```
 {
  "devices":[
@@ -812,7 +776,6 @@ for the user who owns the API key used to perform this query.
 Supply the tailnet of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Returns
@@ -829,7 +792,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys' \
 ```

 Response:
-
 ```
 {"keys": [
 	{"id": "kYKVU14CNTRL"},
@@ -850,9 +812,7 @@ Supply the tailnet in the path.
 ##### Parameters

 ###### POST Body
-
 `capabilities` - A mapping of resources to permissible actions.
-
 ```
 {
  "capabilities": {
@@ -899,7 +859,6 @@ echo '{
 ```

 Response:
-
 ```
 {
 	"id":           "k123456CNTRL",
@@ -918,7 +877,6 @@ Returns a JSON object with information about specific key.
 Supply the tailnet and key ID of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Returns
@@ -935,7 +893,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 ```

 Response:
-
 ```
 {
  "id": "k123456CNTRL",
@@ -965,11 +922,9 @@ Deletes a specific key.
 Supply the tailnet and key ID of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Returns
-
 This reports status 200 upon success.

 ##### Example
@@ -986,12 +941,10 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-
 Lists the DNS nameservers for a tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Example
@@ -1003,7 +956,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
 ```

 Response
-
 ```
 {
  "dns": ["8.8.8.8"],
@@ -1013,17 +965,13 @@ Response
 <a name=tailnet-dns-nameservers-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-
 Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).

 ##### Parameters
-
 ###### POST Body
-
 `dns` - The new list of DNS nameservers in JSON.
-
 ```
 {
  "dns":["8.8.8.8"]
@@ -1031,15 +979,12 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```

 ##### Returns
-
 Returns the new list of nameservers and the status of MagicDNS.

 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).

 ##### Example
-
 ###### Adding DNS nameservers with the MagicDNS on:
-
 ```
 POST /api/v2/tailnet/example.com/dns/nameservers
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
@@ -1048,7 +993,6 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameserve
 ```

 Response:
-
 ```
 {
  "dns":["8.8.8.8"],
@@ -1057,7 +1001,6 @@ Response:
 ```

 ###### Removing all DNS nameservers with the MagicDNS on:
-
 ```
 POST /api/v2/tailnet/example.com/dns/nameservers
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
@@ -1066,7 +1009,6 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameserve
 ```

 Response:
-
 ```
 {
  "dns":[],
@@ -1077,16 +1019,13 @@ Response:
 <a name=tailnet-dns-preferences-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/preferences` - retrieves the DNS preferences for a tailnet
-
 Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
-
 No parameters.

 ##### Example
-
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
@@ -1094,7 +1033,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
 ```

 Response:
-
 ```
 {
  "magicDNS":false,
@@ -1104,7 +1042,6 @@ Response:
 <a name=tailnet-dns-preferences-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
-
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
 Note that MagicDNS is dependent on DNS servers.

@@ -1114,12 +1051,9 @@ Note that removing all nameservers will turn off MagicDNS.
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.

 ##### Parameters
-
 ###### POST Body
-
 The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
-`magicDNS` - Automatically registers DNS names for devices in your tailnet.
-
+`magicDNS` -  Automatically registers DNS names for devices in your tailnet.
 ```
 {
  "magicDNS": true
@@ -1127,7 +1061,6 @@ The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
 ```

 ##### Example
-
 ```
 POST /api/v2/tailnet/example.com/dns/preferences
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
@@ -1135,10 +1068,10 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferenc
  --data-binary '{"magicDNS": true}'
 ```

+
 Response:

 If there are no DNS servers, it returns an error message:
-
 ```
 {
  "message":"need at least one nameserver to enable MagicDNS"
@@ -1146,7 +1079,6 @@ If there are no DNS servers, it returns an error message:
 ```

 If there are DNS servers:
-
 ```
 {
  "magicDNS":true,
@@ -1156,16 +1088,14 @@ If there are DNS servers:
 <a name=tailnet-dns-searchpaths-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
-
 Retrieves the list of search paths that is currently set for the given tailnet.
 Supply the tailnet of interest in the path.

-##### Parameters

+##### Parameters
 No parameters.

 ##### Example
-
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
@@ -1173,7 +1103,6 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
 ```

 Response:
-
 ```
 {
  "searchPaths": ["user1.example.com"],
@@ -1183,15 +1112,12 @@ Response:
 <a name=tailnet-dns-searchpaths-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
-
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.

 ##### Parameters

 ###### POST Body
-
 `searchPaths` - A list of searchpaths in JSON.
-
 ```
 {
  "searchPaths": ["user1.example.com", "user2.example.com"]
@@ -1199,7 +1125,6 @@ Replaces the list of searchpaths with the list supplied by the user and returns
 ```

 ##### Example
-
 ```
 POST /api/v2/tailnet/example.com/dns/searchpaths
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
@@ -1208,7 +1133,6 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpat
 ```

 Response:
-
 ```
 {
  "searchPaths": ["user1.example.com", "user2.example.com"],
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -9,6 +9,7 @@
 package atomicfile // import "tailscale.com/atomicfile"

 import (
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -17,7 +18,7 @@ import (
 // WriteFile writes data to filename+some suffix, then renames it
 // into filename. The perm argument is ignored on Windows.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -15,6 +15,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptrace"
@@ -136,7 +137,7 @@ func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Respons
 			onVersionMismatch(ipn.IPCVersion(), server)
 		}
 		if res.StatusCode == 403 {
-			all, _ := io.ReadAll(res.Body)
+			all, _ := ioutil.ReadAll(res.Body)
 			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
 		}
 		return res, nil
@@ -206,7 +207,7 @@ func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus
 		return nil, err
 	}
 	defer res.Body.Close()
-	slurp, err := io.ReadAll(res.Body)
+	slurp, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -364,7 +365,7 @@ func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc
 		return nil, 0, fmt.Errorf("unexpected chunking")
 	}
 	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
+		body, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
 	}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -17,6 +17,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 )

@@ -130,7 +131,7 @@ func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error)

 	// Read response. Limit the response to 10MB.
 	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
+	b, err := ioutil.ReadAll(body)
 	if len(b) > maxReadSize {
 		err = errors.New("API response too large")
 	}
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -17,31 +17,16 @@ import (
 	"tailscale.com/syncs"
 )

-const refreshTimeout = time.Minute
+var dnsCache syncs.AtomicValue[[]byte]

-type dnsEntryMap map[string][]net.IP
-
-var (
-	dnsCache            syncs.AtomicValue[dnsEntryMap]
-	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
-)
-
-var (
-	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-)
+var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")

 func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" && *unpublishedDNS == "" {
+	if *bootstrapDNS == "" {
 		return
 	}
 	for {
 		refreshBootstrapDNS()
-		refreshUnpublishedDNS()
 		time.Sleep(10 * time.Minute)
 	}
 }
@@ -50,34 +35,10 @@ func refreshBootstrapDNS() {
 	if *bootstrapDNS == "" {
 		return
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
+	dnsEntries := make(map[string][]net.IP)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-
-	dnsCache.Store(dnsEntries)
-	dnsCacheBytes.Store(j)
-}
-
-func refreshUnpublishedDNS() {
-	if *unpublishedDNS == "" {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
-	defer cancel()
-
-	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
-	unpublishedDNSCache.Store(dnsEntries)
-}
-
-func resolveList(ctx context.Context, names []string) dnsEntryMap {
-	dnsEntries := make(dnsEntryMap)
-
+	names := strings.Split(*bootstrapDNS, ",")
 	var r net.Resolver
 	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
@@ -87,47 +48,21 @@ func resolveList(ctx context.Context, names []string) dnsEntryMap {
 		}
 		dnsEntries[name] = addrs
 	}
-	return dnsEntries
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
+	if err != nil {
+		// leave the old values in place
+		return
+	}
+	dnsCache.Store(j)
 }

 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
-
 	w.Header().Set("Content-Type", "application/json")
-	// Bootstrap DNS requests occur cross-regions, and are randomized per
-	// request, so keeping a connection open is pointlessly expensive.
+	j := dnsCache.Load()
+	// Bootstrap DNS requests occur cross-regions,
+	// and are randomized per request,
+	// so keeping a connection open is pointlessly expensive.
 	w.Header().Set("Connection", "close")
-
-	// Try answering a query from our hidden map first
-	if q := r.URL.Query().Get("q"); q != "" {
-		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
-			unpublishedDNSHits.Add(1)
-
-			// Only return the specific query, not everything.
-			m := dnsEntryMap{q: ips}
-			j, err := json.MarshalIndent(m, "", "\t")
-			if err == nil {
-				w.Write(j)
-				return
-			}
-		}
-
-		// If we have a "q" query for a name in the published cache
-		// list, then track whether that's a hit/miss.
-		if m, ok := dnsCache.Load()[q]; ok {
-			if len(m) > 0 {
-				publishedDNSHits.Add(1)
-			} else {
-				publishedDNSMisses.Add(1)
-			}
-		} else {
-			// If it wasn't in either cache, treat this as a query
-			// for the unpublished cache, and thus a cache miss.
-			unpublishedDNSMisses.Add(1)
-		}
-	}
-
-	// Fall back to returning the public set of cached DNS names
-	j := dnsCacheBytes.Load()
 	w.Write(j)
 }
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -5,12 +5,7 @@
 package main

 import (
-	"encoding/json"
-	"net"
 	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
 	"testing"
 )

@@ -22,12 +17,11 @@ func BenchmarkHandleBootstrapDNS(b *testing.B) {
 	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	b.RunParallel(func(b *testing.PB) {
 		for b.Next() {
-			handleBootstrapDNS(w, req)
+			handleBootstrapDNS(w, nil)
 		}
 	})
 }
@@ -39,116 +33,3 @@ func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header
 func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }

 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
-
-func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
-	t.Helper()
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
-	w := httptest.NewRecorder()
-	handleBootstrapDNS(w, req)
-
-	res := w.Result()
-	if res.StatusCode != 200 {
-		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
-	}
-	var ips dnsEntryMap
-	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
-		t.Fatalf("error decoding response body: %v", err)
-	}
-	return ips
-}
-
-func TestUnpublishedDNS(t *testing.T) {
-	const published = "login.tailscale.com"
-	const unpublished = "log.tailscale.io"
-
-	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
-	*bootstrapDNS = published
-	*unpublishedDNS = unpublished
-	t.Cleanup(func() {
-		*bootstrapDNS = prev1
-		*unpublishedDNS = prev2
-	})
-
-	refreshBootstrapDNS()
-	refreshUnpublishedDNS()
-
-	hasResponse := func(q string) bool {
-		_, found := getBootstrapDNS(t, q)[q]
-		return found
-	}
-
-	if !hasResponse(published) {
-		t.Errorf("expected response for: %s", published)
-	}
-	if !hasResponse(unpublished) {
-		t.Errorf("expected response for: %s", unpublished)
-	}
-
-	// Verify that querying for a random query or a real query does not
-	// leak our unpublished domain
-	m1 := getBootstrapDNS(t, published)
-	if _, found := m1[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m1)
-	}
-	m2 := getBootstrapDNS(t, "random.example.com")
-	if _, found := m2[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m2)
-	}
-}
-
-func resetMetrics() {
-	publishedDNSHits.Set(0)
-	publishedDNSMisses.Set(0)
-	unpublishedDNSHits.Set(0)
-	unpublishedDNSMisses.Set(0)
-}
-
-// Verify that we don't count an empty list in the unpublishedDNSCache as a
-// cache hit in our metrics.
-func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := dnsEntryMap{
-		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
-	}
-	dnsCache.Store(pub)
-	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
-
-	unpublishedDNSCache.Store(dnsEntryMap{
-		"log.tailscale.io":           {},
-		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-	})
-
-	t.Run("CacheMiss", func(t *testing.T) {
-		// One domain in map but empty, one not in map at all
-		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
-			resetMetrics()
-			ips := getBootstrapDNS(t, q)
-
-			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub)
-			}
-			if v := unpublishedDNSHits.Value(); v != 0 {
-				t.Errorf("got hits=%d; want 0", v)
-			}
-			if v := unpublishedDNSMisses.Value(); v != 1 {
-				t.Errorf("got misses=%d; want 1", v)
-			}
-		}
-	})
-
-	// Verify that we do get a valid response and metric.
-	t.Run("CacheHit", func(t *testing.T) {
-		resetMetrics()
-		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
-		if !reflect.DeepEqual(ips, want) {
-			t.Errorf("got ips=%+v; want %+v", ips, want)
-		}
-		if v := unpublishedDNSHits.Value(); v != 1 {
-			t.Errorf("got hits=%d; want 1", v)
-		}
-		if v := unpublishedDNSMisses.Value(); v != 0 {
-			t.Errorf("got misses=%d; want 0", v)
-		}
-	})
-}
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -14,6 +14,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math"
 	"net"
@@ -25,7 +26,6 @@ import (
 	"strings"
 	"time"

-	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
@@ -46,13 +46,11 @@ var (
 	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
 	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
 	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")

-	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
-	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")

 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
@@ -98,7 +96,7 @@ func loadConfig() config {
 		}
 		log.Printf("no config path specified; using %s", *configPath)
 	}
-	b, err := os.ReadFile(*configPath)
+	b, err := ioutil.ReadFile(*configPath)
 	switch {
 	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
@@ -154,7 +152,7 @@ func main() {
 	s.SetVerifyClient(*verifyClients)

 	if *meshPSKFile != "" {
-		b, err := os.ReadFile(*meshPSKFile)
+		b, err := ioutil.ReadFile(*meshPSKFile)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -171,15 +169,9 @@ func main() {
 	expvar.Publish("derp", s.ExpVar())

 	mux := http.NewServeMux()
-	if *runDERP {
-		derpHandler := derphttp.Handler(s)
-		derpHandler = addWebSocketSupport(s, derpHandler)
-		mux.Handle("/derp", derpHandler)
-	} else {
-		mux.Handle("/derp", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "derp server disabled", http.StatusNotFound)
-		}))
-	}
+	derpHandler := derphttp.Handler(s)
+	derpHandler = addWebSocketSupport(s, derpHandler)
+	mux.Handle("/derp", derpHandler)
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
@@ -195,17 +187,10 @@ func main() {
  server.
 </p>
 `)
-		if !*runDERP {
-			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
-		}
 		if tsweb.AllowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, "User-agent: *\nDisallow: /\n")
-	}))
-	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
 	debug := tsweb.Debugger(mux)
 	debug.KV("TLS hostname", *hostname)
 	debug.KV("Mesh key", s.HasMeshKey())
@@ -223,11 +208,9 @@ func main() {
 		go serveSTUN(listenHost, *stunPort)
 	}

-	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
-		Addr:     *addr,
-		Handler:  mux,
-		ErrorLog: quietLogger,
+		Addr:    *addr,
+		Handler: mux,

 		// Set read/write timeout. For derper, this basically
 		// only affects TLS setup, as read/write deadlines are
@@ -293,13 +276,9 @@ func main() {
 		})
 		if *httpPort > -1 {
 			go func() {
-				port80mux := http.NewServeMux()
-				port80mux.HandleFunc("/generate_204", serveNoContent)
-				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 				port80srv := &http.Server{
 					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     port80mux,
-					ErrorLog:    quietLogger,
+					Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
 					ReadTimeout: 30 * time.Second,
 					// Crank up WriteTimeout a bit more than usually
 					// necessary just so we can do long CPU profiles
@@ -325,11 +304,6 @@ func main() {
 	}
 }

-// For captive portal detection
-func serveNoContent(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusNoContent)
-}
-
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
@@ -475,22 +449,3 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
-
-// logFilter is used to filter out useless error logs that are logged to
-// the net/http.Server.ErrorLog logger.
-type logFilter struct{}
-
-func (logFilter) Write(p []byte) (int, error) {
-	b := mem.B(p)
-	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
-		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
-		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
-		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
-		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
-		// Skip this log message, but say that we processed it
-		return len(p), nil
-	}
-
-	log.Printf("%s", p)
-	return len(p), nil
-}
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -33,12 +33,6 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 			Subprotocols:   []string{"derp"},
 			OriginPatterns: []string{"*"},
-			// Disable compression because we transmit WireGuard messages that
-			// are not compressible.
-			// Additionally, Safari has a broken implementation of compression
-			// (see https://github.com/nhooyr/websocket/issues/218) that makes
-			// enabling it actively harmful.
-			CompressionMode: websocket.CompressionDisabled,
 		})
 		if err != nil {
 			log.Printf("websocket.Accept: %v", err)
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"flag"
 	"html/template"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -105,7 +106,7 @@ func devMode() bool { return *httpsAddr == "" && *httpAddr != "" }

 func getTmpl() (*template.Template, error) {
 	if devMode() {
-		tmplData, err := os.ReadFile("hello.tmpl.html")
+		tmplData, err := ioutil.ReadFile("hello.tmpl.html")
 		if os.IsNotExist(err) {
 			log.Printf("using baked-in template in dev mode; can't find hello.tmpl.html in current directory")
 			return tmpl, nil
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -75,7 +75,12 @@ func main() {
 				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
 				return
 			}
-			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
+			tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
+			if !ok {
+				w.WriteHeader(http.StatusUnauthorized)
+				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+				return
+			}
 		}

 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -29,7 +29,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -762,9 +762,6 @@ func TestPrefFlagMapping(t *testing.T) {
 		case "NotepadURLs":
 			// TODO(bradfitz): https://github.com/tailscale/tailscale/issues/1830
 			continue
-		case "Egg":
-			// Not applicable.
-			continue
 		}
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
@@ -789,10 +786,6 @@ func TestUpdatePrefs(t *testing.T) {
 		curPrefs *ipn.Prefs
 		env      upCheckEnv // empty goos means "linux"

-		// sshOverTailscale specifies if the cmd being run over SSH over Tailscale.
-		// It is used to test the --accept-risks flag.
-		sshOverTailscale bool
-
 		// checkUpdatePrefsMutations, if non-nil, is run with the new prefs after
 		// updatePrefs might've mutated them (from applyImplicitPrefs).
 		checkUpdatePrefsMutations func(t *testing.T, newPrefs *ipn.Prefs)
@@ -920,159 +913,15 @@ func TestUpdatePrefs(t *testing.T) {
 				}
 			},
 		},
-		{
-			name:  "enable_ssh",
-			flags: []string{"--ssh"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:  "disable_ssh",
-			flags: []string{"--ssh=false"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running", upArgs: upArgsT{
-				runSSH: true,
-			}},
-		},
-		{
-			name:             "disable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=false"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				RunSSH:           true,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh_no_risk",
-			flags:            []string{"--ssh=true"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env:          upCheckEnv{backendState: "Running"},
-			wantErrSubtr: "aborted, no changes made",
-		},
-		{
-			name:             "enable_ssh_over_ssh",
-			flags:            []string{"--ssh=true", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if !newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to true")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			name:             "disable_ssh_over_ssh",
-			flags:            []string{"--ssh=false", "--accept-risk=lose-ssh"},
-			sshOverTailscale: true,
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RunSSH:           true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				RunSSHSet:      true,
-				WantRunningSet: true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
-				if newPrefs.RunSSH {
-					t.Errorf("RunSSH not set to false")
-				}
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.sshOverTailscale {
-				old := getSSHClientEnvVar
-				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
-				t.Cleanup(func() { getSSHClientEnvVar = old })
-			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
 			}
 			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
 			flags := CleanUpArgs(tt.flags)
-			if err := tt.env.flagSet.Parse(flags); err != nil {
-				t.Fatal(err)
-			}
+			tt.env.flagSet.Parse(flags)

 			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
 			if err != nil {
@@ -1087,8 +936,6 @@ func TestUpdatePrefs(t *testing.T) {
 					return
 				}
 				t.Fatal(err)
-			} else if tt.wantErrSubtr != "" {
-				t.Fatalf("want error %q, got nil", tt.wantErrSubtr)
 			}
 			if tt.checkUpdatePrefsMutations != nil {
 				tt.checkUpdatePrefsMutations(t, newPrefs)
@@ -1102,18 +949,13 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }

-func asJSON(v any) string {
-	b, _ := json.MarshalIndent(v, "", "\t")
-	return string(b)
-}
-
 var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
 	return a == b
 })
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -489,15 +489,7 @@ func runTS2021(ctx context.Context, args []string) error {
 		return c, err
 	}

-	conn, err := (&controlhttp.Dialer{
-		Hostname:        ts2021Args.host,
-		HTTPPort:        "80",
-		HTTPSPort:       "443",
-		MachineKey:      machinePrivate,
-		ControlKey:      keys.PublicKey,
-		ProtocolVersion: uint16(ts2021Args.version),
-		Dialer:          dialFunc,
-	}).Dial(ctx)
+	conn, err := controlhttp.Dial(ctx, ts2021Args.host, "80", "443", machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
 	log.Printf("controlhttp.Dial = %p, %v", conn, err)
 	if err != nil {
 		return err
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -22,13 +22,9 @@ var downCmd = &ffcli.Command{
 	FlagSet: newDownFlagSet(),
 }

-var downArgs struct {
-	acceptedRisks string
-}
-
 func newDownFlagSet() *flag.FlagSet {
 	downf := newFlagSet("down")
-	registerAcceptRiskFlag(downf, &downArgs.acceptedRisks)
+	registerAcceptRiskFlag(downf)
 	return downf
 }

@@ -38,7 +34,7 @@ func runDown(ctx context.Context, args []string) error {
 	}

 	if isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`, downArgs.acceptedRisks); err != nil {
+		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`); err != nil {
 			return err
 		}
 	}
--- a/cmd/tailscale/cli/licenses.go
+++ b/cmd/tailscale/cli/licenses.go
@@ -19,27 +19,24 @@ var licensesCmd = &ffcli.Command{
 	Exec:       runLicenses,
 }

-// licensesURL returns the absolute URL containing open source license information for the current platform.
-func licensesURL() string {
+func runLicenses(ctx context.Context, args []string) error {
+	var licenseURL string
 	switch runtime.GOOS {
 	case "android":
-		return "https://tailscale.com/licenses/android"
+		licenseURL = "https://tailscale.com/licenses/android"
 	case "darwin", "ios":
-		return "https://tailscale.com/licenses/apple"
+		licenseURL = "https://tailscale.com/licenses/apple"
 	case "windows":
-		return "https://tailscale.com/licenses/windows"
+		licenseURL = "https://tailscale.com/licenses/windows"
 	default:
-		return "https://tailscale.com/licenses/tailscale"
+		licenseURL = "https://tailscale.com/licenses/tailscale"
 	}
-}

-func runLicenses(ctx context.Context, args []string) error {
-	licenses := licensesURL()
 	outln(`
 Tailscale wouldn't be possible without the contributions of thousands of open
 source developers. To see the open source packages included in Tailscale and
 their respective license information, visit:

-    ` + licenses)
+    ` + licenseURL)
 	return nil
 }
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -10,6 +10,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"sort"
@@ -201,7 +202,7 @@ func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, err
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -16,8 +16,9 @@ import (
 )

 var (
-	riskTypes   []string
-	riskLoseSSH = registerRiskType("lose-ssh")
+	riskTypes     []string
+	acceptedRisks string
+	riskLoseSSH   = registerRiskType("lose-ssh")
 )

 func registerRiskType(riskType string) string {
@@ -27,13 +28,12 @@ func registerRiskType(riskType string) string {

 // registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
 // in presentRiskToUser.
-func registerAcceptRiskFlag(f *flag.FlagSet, acceptedRisks *string) {
-	f.StringVar(acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
+func registerAcceptRiskFlag(f *flag.FlagSet) {
+	f.StringVar(&acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
 }

-// isRiskAccepted reports whether riskType is in the comma-separated list of
-// risks in acceptedRisks.
-func isRiskAccepted(riskType, acceptedRisks string) bool {
+// riskAccepted reports whether riskType is in acceptedRisks.
+func riskAccepted(riskType string) bool {
 	for _, r := range strings.Split(acceptedRisks, ",") {
 		if r == riskType {
 			return true
@@ -49,16 +49,12 @@ var errAborted = errors.New("aborted, no changes made")
 // It is used by the presentRiskToUser function below.
 const riskAbortTimeSeconds = 5

-// presentRiskToUser displays the risk message and waits for the user to cancel.
-// It returns errorAborted if the user aborts. In tests it returns errAborted
-// immediately unless the risk has been explicitly accepted.
-func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
-	if isRiskAccepted(riskType, acceptedRisks) {
+// presentRiskToUser displays the risk message and waits for the user to
+// cancel. It returns errorAborted if the user aborts.
+func presentRiskToUser(riskType, riskMessage string) error {
+	if riskAccepted(riskType) {
 		return nil
 	}
-	if inTest() {
-		return errAborted
-	}
 	outln(riskMessage)
 	printf("To skip this warning, use --accept-risk=%s\n", riskType)

--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -116,7 +116,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
 	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
-	registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
+	registerAcceptRiskFlag(upf)
 	return upf
 }

@@ -150,7 +150,6 @@ type upArgsT struct {
 	opUser                 string
 	json                   bool
 	timeout                time.Duration
-	acceptedRisks          string
 }

 func (a upArgsT) getAuthKey() (string, error) {
@@ -377,21 +376,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, fmt.Errorf("can't change --login-server without --force-reauth")
 	}

-	// Do this after validations to avoid the 5s delay if we're going to error
-	// out anyway.
-	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
-	fmt.Println("wantSSH", wantSSH, "haveSSH", haveSSH)
-	if wantSSH != haveSSH && isSSHOverTailscale() {
-		if wantSSH {
-			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		} else {
-			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
-		}
-		if err != nil {
-			return false, nil, err
-		}
-	}
-
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)

 	simpleUp = env.flagSet.NFlag() == 0 &&
@@ -422,12 +406,8 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 }

 func runUp(ctx context.Context, args []string) (retErr error) {
-	var egg bool
 	if len(args) > 0 {
-		egg = fmt.Sprint(args) == "[up down down left right left right b a]"
-		if !egg {
-			fatalf("too many non-flag arguments: %q", args)
-		}
+		fatalf("too many non-flag arguments: %q", args)
 	}

 	st, err := localClient.Status(ctx)
@@ -491,6 +471,17 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		curExitNodeIP: exitNodeIP(curPrefs, st),
 	}

+	if upArgs.runSSH != curPrefs.RunSSH && isSSHOverTailscale() {
+		if upArgs.runSSH {
+			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`)
+		} else {
+			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`)
+		}
+		if err != nil {
+			return err
+		}
+	}
+
 	defer func() {
 		if retErr == nil {
 			checkSSHUpWarnings(ctx)
@@ -502,7 +493,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		justEditMP.EggSet = true
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -15,6 +15,7 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -58,7 +59,6 @@ type tmplData struct {
 	IP                string
 	AdvertiseExitNode bool
 	AdvertiseRoutes   string
-	LicensesURL       string
 }

 var webCmd = &ffcli.Command{
@@ -253,7 +253,7 @@ func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
 		return "", nil, err
 	}
 	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
+	out, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", nil, err
 	}
@@ -392,7 +392,6 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		Profile:      profile,
 		Status:       st.BackendState,
 		DeviceName:   deviceName,
-		LicensesURL:  licensesURL(),
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
 	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -11,7 +11,7 @@
 </head>

 <body class="py-14">
-<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
+<main class="container max-w-lg mx-auto py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
 	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
 		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
 			class="flex-shrink-0 mr-4">
@@ -100,9 +100,6 @@
 	</div>
 	{{ end }}
 </main>
-<footer class="container max-w-lg mx-auto text-center">
-	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
-</footer>
 <script>(function () {
 const advertiseExitNode = {{.AdvertiseExitNode}};
 let fetchingUrl = false;
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -15,6 +15,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -172,7 +173,7 @@ func checkDerp(ctx context.Context, derpRegion string) error {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -212,7 +212,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
     💣 tailscale.com/metrics                                        from tailscale.com/derp+
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver
        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
        tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
@@ -281,7 +281,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
@@ -290,7 +290,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -141,7 +142,7 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		return err
 	}

-	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
+	if err := ioutil.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}

--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -26,7 +26,6 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -98,20 +97,6 @@ func defaultTunName() string {
 	return "tailscale0"
 }

-// defaultPort returns the default UDP port to listen on for disco+wireguard.
-// By default it returns 0, to pick one randomly from the kernel.
-// If the environment variable PORT is set, that's used instead.
-// The PORT environment variable is chosen to match what the Linux systemd
-// unit uses, to make documentation more consistent.
-func defaultPort() uint16 {
-	if s := envknob.String("PORT"); s != "" {
-		if p, err := strconv.ParseUint(s, 10, 16); err == nil {
-			return uint16(p)
-		}
-	}
-	return 0
-}
-
 var args struct {
 	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
 	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
@@ -128,7 +113,6 @@ var args struct {
 	verbose        int
 	socksAddr      string // listen address for SOCKS5 server
 	httpProxyAddr  string // listen address for HTTP proxy server
-	disableLogs    bool
 }

 var (
@@ -147,9 +131,6 @@ var subCommands = map[string]*func([]string) error{
 var beCLI func() // non-nil if CLI is linked in

 func main() {
-	envknob.PanicIfAnyEnvCheckedInInit()
-	envknob.ApplyDiskConfig()
-
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
@@ -157,13 +138,12 @@ func main() {
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
-	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
 	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
-	flag.BoolVar(&args.disableLogs, "no-logs-no-support", false, "disable log uploads; this also disables any technical support")

 	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == "tailscale" && beCLI != nil {
 		beCLI()
@@ -219,10 +199,6 @@ func main() {
 		args.statepath = paths.DefaultTailscaledStateFile()
 	}

-	if args.disableLogs {
-		envknob.SetNoLogsNoSupport()
-	}
-
 	if beWindowsSubprocess() {
 		return
 	}
@@ -326,10 +302,6 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()

-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}
-
 	if isWindowsService() {
 		// Run the IPN server from the Windows service manager.
 		log.Printf("Running service...")
@@ -398,7 +370,7 @@ func run() error {
 		return fmt.Errorf("newNetstack: %w", err)
 	}
 	ns.ProcessLocalIPs = useNetstack
-	ns.ProcessSubnets = useNetstack || shouldWrapNetstack()
+	ns.ProcessSubnets = useNetstack || wrapNetstack

 	if useNetstack {
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
@@ -499,6 +471,8 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 	return nil, false, multierr.New(errs...)
 }

+var wrapNetstack = shouldWrapNetstack()
+
 func shouldWrapNetstack() bool {
 	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
@@ -569,7 +543,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		conf.DNS = d
 		conf.Router = r
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -197,9 +197,6 @@ func beWindowsSubprocess() bool {

 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
 	log.Printf("subproc mode: logid=%v", logid)
-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		log.Printf("Error reading environment config: %v", err)
-	}

 	go func() {
 		b := make([]byte, 16)
@@ -277,7 +274,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			dev.Close()
 			return nil, nil, fmt.Errorf("router: %w", err)
 		}
-		if shouldWrapNetstack() {
+		if wrapNetstack {
 			r = netstack.NewSubnetRouterWrapper(r)
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
@@ -304,7 +301,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			return nil, nil, fmt.Errorf("newNetstack: %w", err)
 		}
 		ns.ProcessLocalIPs = false
-		ns.ProcessSubnets = shouldWrapNetstack()
+		ns.ProcessSubnets = wrapNetstack
 		if err := ns.Start(); err != nil {
 			return nil, nil, fmt.Errorf("failed to start netstack: %w", err)
 		}
--- a/cmd/tsconnect/README.md
+++ b/cmd/tsconnect/README.md
@@ -38,12 +38,3 @@ The client is also available as an NPM package. To build it, run:
 ```

 That places the output in the `pkg/` directory, which may then be uploaded to a package registry (or installed from the file path directly).
-
-To do two-sided development (on both the NPM package and code that uses it), run:
-
-```
-./tool/go run ./cmd/tsconnect dev-pkg
-
-```
-
-This serves the module at http://localhost:9090/pkg/pkg.js and the generated wasm file at http://localhost:9090/pkg/main.wasm. The two files can be used as drop-in replacements for normal imports of the NPM module.
--- a/cmd/tsconnect/build-pkg.go
+++ b/cmd/tsconnect/build-pkg.go
@@ -11,12 +11,13 @@ import (
 	"os"
 	"path"

+	esbuild "github.com/evanw/esbuild/pkg/api"
 	"github.com/tailscale/hujson"
 	"tailscale.com/version"
 )

 func runBuildPkg() {
-	buildOptions, err := commonPkgSetup(prodMode)
+	buildOptions, err := commonSetup(prodMode)
 	if err != nil {
 		log.Fatalf("Cannot setup: %v", err)
 	}
@@ -30,6 +31,10 @@ func runBuildPkg() {
 		log.Fatalf("Cannot clean %s: %v", *pkgDir, err)
 	}

+	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
+	buildOptions.Outdir = *pkgDir
+	buildOptions.Format = esbuild.FormatESModule
+	buildOptions.AssetNames = "[name]"
 	buildOptions.Write = true
 	buildOptions.MinifyWhitespace = true
 	buildOptions.MinifyIdentifiers = true
--- a/cmd/tsconnect/build.go
+++ b/cmd/tsconnect/build.go
@@ -7,6 +7,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
 	"path"
@@ -46,7 +47,7 @@ func runBuild() {
 	if err != nil {
 		log.Fatalf("Cannot fix esbuild metadata paths: %v", err)
 	}
-	if err := os.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
+	if err := ioutil.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
 		log.Fatalf("Cannot write metadata: %v", err)
 	}

--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -6,8 +6,8 @@ package main

 import (
 	"fmt"
+	"io/ioutil"
 	"log"
-	"net"
 	"os"
 	"os/exec"
 	"path"
@@ -68,18 +68,6 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 	}, nil
 }

-func commonPkgSetup(dev bool) (*esbuild.BuildOptions, error) {
-	buildOptions, err := commonSetup(dev)
-	if err != nil {
-		return nil, err
-	}
-	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
-	buildOptions.Outdir = *pkgDir
-	buildOptions.Format = esbuild.FormatESModule
-	buildOptions.AssetNames = "[name]"
-	return buildOptions, nil
-}
-
 // cleanDir removes files from dirPath, except the ones specified by
 // preserveFiles.
 func cleanDir(dirPath string, preserveFiles ...string) error {
@@ -102,27 +90,6 @@ func cleanDir(dirPath string, preserveFiles ...string) error {
 	return nil
 }

-func runEsbuildServe(buildOptions esbuild.BuildOptions) {
-	host, portStr, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("Cannot parse addr: %v", err)
-	}
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		log.Fatalf("Cannot parse port: %v", err)
-	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
-		Port:     uint16(port),
-		Host:     host,
-		Servedir: "./",
-	}, buildOptions)
-	if err != nil {
-		log.Fatalf("Cannot start esbuild server: %v", err)
-	}
-	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
-}
-
 func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
 	log.Printf("Running esbuild...\n")
 	result := esbuild.Build(buildOptions)
@@ -182,7 +149,7 @@ func setupEsbuildWasm(build esbuild.PluginBuild, dev bool) {

 func buildWasm(dev bool) ([]byte, error) {
 	start := time.Now()
-	outputFile, err := os.CreateTemp("", "main.*.wasm")
+	outputFile, err := ioutil.TempFile("", "main.*.wasm")
 	if err != nil {
 		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
 	}
--- a/cmd/tsconnect/dev-pkg.go
+++ b/cmd/tsconnect/dev-pkg.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"log"
-)
-
-func runDevPkg() {
-	buildOptions, err := commonPkgSetup(devMode)
-	if err != nil {
-		log.Fatalf("Cannot setup: %v", err)
-	}
-	runEsbuildServe(*buildOptions)
-}
--- a/cmd/tsconnect/dev.go
+++ b/cmd/tsconnect/dev.go
@@ -6,6 +6,10 @@ package main

 import (
 	"log"
+	"net"
+	"strconv"
+
+	esbuild "github.com/evanw/esbuild/pkg/api"
 )

 func runDev() {
@@ -13,5 +17,22 @@ func runDev() {
 	if err != nil {
 		log.Fatalf("Cannot setup: %v", err)
 	}
-	runEsbuildServe(*buildOptions)
+	host, portStr, err := net.SplitHostPort(*addr)
+	if err != nil {
+		log.Fatalf("Cannot parse addr: %v", err)
+	}
+	port, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		log.Fatalf("Cannot parse port: %v", err)
+	}
+	result, err := esbuild.Serve(esbuild.ServeOptions{
+		Port:     uint16(port),
+		Host:     host,
+		Servedir: "./",
+	}, *buildOptions)
+	if err != nil {
+		log.Fatalf("Cannot start esbuild server: %v", err)
+	}
+	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
+	result.Wait()
 }
--- a/cmd/tsconnect/package.json
+++ b/cmd/tsconnect/package.json
@@ -10,9 +10,8 @@
    "qrcode": "^1.5.0",
    "tailwindcss": "^3.1.6",
    "typescript": "^4.7.4",
-    "xterm": "5.0.0-beta.58",
-    "xterm-addon-fit": "^0.5.0",
-    "xterm-addon-web-links": "0.7.0-beta.6"
+    "xterm": "^4.18.0",
+    "xterm-addon-fit": "^0.5.0"
  },
  "scripts": {
    "lint": "tsc --noEmit",
--- a/cmd/tsconnect/serve.go
+++ b/cmd/tsconnect/serve.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -74,7 +75,7 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 		return nil, fmt.Errorf("Could not open esbuild-metadata.json: %w", err)
 	}
 	defer esbuildMetadataFile.Close()
-	esbuildMetadataBytes, err := io.ReadAll(esbuildMetadataFile)
+	esbuildMetadataBytes, err := ioutil.ReadAll(esbuildMetadataFile)
 	if err != nil {
 		return nil, fmt.Errorf("Could not read esbuild-metadata.json: %w", err)
 	}
--- a/cmd/tsconnect/src/app/app.tsx
+++ b/cmd/tsconnect/src/app/app.tsx
@@ -92,12 +92,6 @@ class App extends Component<{}, AppState> {
  }

  handleBrowseToURL = (url: string) => {
-    if (this.state.ipnState === "Running") {
-      // Ignore URL requests if we're already running -- it's most likely an
-      // SSH check mode trigger and we already linkify the displayed URL
-      // in the terminal.
-      return
-    }
    this.setState({ browseToURL: url })
  }

--- a/cmd/tsconnect/src/app/ssh.tsx
+++ b/cmd/tsconnect/src/app/ssh.tsx
@@ -2,24 +2,16 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-import { useState, useCallback, useMemo, useEffect, useRef } from "preact/hooks"
-import { createPortal } from "preact/compat"
-import type { VNode } from "preact"
+import { useState, useCallback } from "preact/hooks"
 import { runSSHSession, SSHSessionDef } from "../lib/ssh"

 export function SSH({ netMap, ipn }: { netMap: IPNNetMap; ipn: IPN }) {
-  const [sshSessionDef, setSSHSessionDef] = useState<SSHFormSessionDef | null>(
-    null
-  )
+  const [sshSessionDef, setSSHSessionDef] = useState<SSHSessionDef | null>(null)
  const clearSSHSessionDef = useCallback(() => setSSHSessionDef(null), [])
  if (sshSessionDef) {
-    const sshSession = (
+    return (
      <SSHSession def={sshSessionDef} ipn={ipn} onDone={clearSSHSessionDef} />
    )
-    if (sshSessionDef.newWindow) {
-      return <NewWindow close={clearSSHSessionDef}>{sshSession}</NewWindow>
-    }
-    return sshSession
  }
  const sshPeers = netMap.peers.filter(
    (p) => p.tailscaleSSHEnabled && p.online !== false
@@ -32,8 +24,6 @@ export function SSH({ netMap, ipn }: { netMap: IPNNetMap; ipn: IPN }) {
  return <SSHForm sshPeers={sshPeers} onSubmit={setSSHSessionDef} />
 }

-type SSHFormSessionDef = SSHSessionDef & { newWindow?: boolean }
-
 function SSHSession({
  def,
  ipn,
@@ -43,14 +33,20 @@ function SSHSession({
  ipn: IPN
  onDone: () => void
 }) {
-  const ref = useRef<HTMLDivElement>(null)
-  useEffect(() => {
-    if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone)
-    }
-  }, [ref])
-
-  return <div class="flex-grow bg-black p-2 overflow-hidden" ref={ref} />
+  return (
+    <div
+      class="flex-grow bg-black p-2 overflow-hidden"
+      ref={(node) => {
+        if (node) {
+          // Run the SSH session aysnchronously, so that the React render
+          // loop is complete (otherwise the SSH form may still be visible,
+          // which affects the size of the terminal, leading to a spurious
+          // initial resize).
+          setTimeout(() => runSSHSession(node, def, ipn, onDone), 0)
+        }
+      }}
+    />
+  )
 }

 function NoSSHPeers() {
@@ -70,7 +66,7 @@ function SSHForm({
  onSubmit,
 }: {
  sshPeers: IPNNetMapPeerNode[]
-  onSubmit: (def: SSHFormSessionDef) => void
+  onSubmit: (def: SSHSessionDef) => void
 }) {
  sshPeers = sshPeers.slice().sort((a, b) => a.name.localeCompare(b.name))
  const [username, setUsername] = useState("")
@@ -103,51 +99,7 @@ function SSHForm({
        type="submit"
        class="button bg-green-500 border-green-500 text-white hover:bg-green-600 hover:border-green-600"
        value="SSH"
-        onClick={(e) => {
-          if (e.altKey) {
-            e.preventDefault()
-            e.stopPropagation()
-            onSubmit({ username, hostname, newWindow: true })
-          }
-        }}
      />
    </form>
  )
 }
-
-const NewWindow = ({
-  children,
-  close,
-}: {
-  children: VNode
-  close: () => void
-}) => {
-  const newWindow = useMemo(() => {
-    const newWindow = window.open(undefined, undefined, "width=600,height=400")
-    if (newWindow) {
-      const containerNode = newWindow.document.createElement("div")
-      containerNode.className = "h-screen flex flex-col overflow-hidden"
-      newWindow.document.body.appendChild(containerNode)
-
-      for (const linkNode of document.querySelectorAll(
-        "head link[rel=stylesheet]"
-      )) {
-        const newLink = document.createElement("link")
-        newLink.rel = "stylesheet"
-        newLink.href = (linkNode as HTMLLinkElement).href
-        newWindow.document.head.appendChild(newLink)
-      }
-    }
-    return newWindow
-  }, [])
-  if (!newWindow) {
-    console.error("Could not open window")
-    return null
-  }
-  newWindow.onbeforeunload = () => {
-    close()
-  }
-
-  useEffect(() => () => newWindow.close(), [])
-  return createPortal(children, newWindow.document.body.lastChild as Element)
-}
--- a/cmd/tsconnect/src/lib/ssh.ts
+++ b/cmd/tsconnect/src/lib/ssh.ts
@@ -1,6 +1,5 @@
-import { Terminal, ITerminalOptions } from "xterm"
+import { Terminal } from "xterm"
 import { FitAddon } from "xterm-addon-fit"
-import { WebLinksAddon } from "xterm-addon-web-links"

 export type SSHSessionDef = {
  username: string
@@ -11,26 +10,16 @@ export function runSSHSession(
  termContainerNode: HTMLDivElement,
  def: SSHSessionDef,
  ipn: IPN,
-  onDone: () => void,
-  terminalOptions?: ITerminalOptions
+  onDone: () => void
 ) {
-  const parentWindow = termContainerNode.ownerDocument.defaultView ?? window
  const term = new Terminal({
    cursorBlink: true,
-    allowProposedApi: true,
-    ...terminalOptions,
  })
-
  const fitAddon = new FitAddon()
  term.loadAddon(fitAddon)
  term.open(termContainerNode)
  fitAddon.fit()

-  const webLinksAddon = new WebLinksAddon((event, uri) =>
-    event.view?.open(uri, "_blank", "noopener")
-  )
-  term.loadAddon(webLinksAddon)
-
  let onDataHook: ((data: string) => void) | undefined
  term.onData((e) => {
    onDataHook?.(e)
@@ -41,7 +30,7 @@ export function runSSHSession(
  let resizeObserver: ResizeObserver | undefined
  let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined

-  const sshSession = ipn.ssh(def.hostname, def.username, {
+  const sshSession = ipn.ssh(def.hostname + "2", def.username, {
    writeFn(input) {
      term.write(input)
    },
@@ -58,19 +47,19 @@ export function runSSHSession(
      resizeObserver?.disconnect()
      term.dispose()
      if (handleBeforeUnload) {
-        parentWindow.removeEventListener("beforeunload", handleBeforeUnload)
+        window.removeEventListener("beforeunload", handleBeforeUnload)
      }
      onDone()
    },
  })

  // Make terminal and SSH session track the size of the containing DOM node.
-  resizeObserver = new parentWindow.ResizeObserver(() => fitAddon.fit())
+  resizeObserver = new ResizeObserver(() => fitAddon.fit())
  resizeObserver.observe(termContainerNode)
  term.onResize(({ rows, cols }) => sshSession.resize(rows, cols))

  // Close the session if the user closes the window without an explicit
  // exit.
  handleBeforeUnload = () => sshSession.close()
-  parentWindow.addEventListener("beforeunload", handleBeforeUnload)
+  window.addEventListener("beforeunload", handleBeforeUnload)
 }
--- a/cmd/tsconnect/src/types/wasm_js.d.ts
+++ b/cmd/tsconnect/src/types/wasm_js.d.ts
@@ -47,7 +47,6 @@ declare global {
    stateStorage?: IPNStateStorage
    authKey?: string
    controlURL?: string
-    hostname?: string
  }

  type IPNCallbacks = {
--- a/cmd/tsconnect/tsconnect.go
+++ b/cmd/tsconnect/tsconnect.go
@@ -36,8 +36,6 @@ func main() {
 	switch flag.Arg(0) {
 	case "dev":
 		runDev()
-	case "dev-pkg":
-		runDevPkg()
 	case "build":
 		runBuild()
 	case "build-pkg":
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -61,30 +61,26 @@ func main() {
 func newIPN(jsConfig js.Value) map[string]any {
 	netns.SetEnabled(false)

+	jsStateStorage := jsConfig.Get("stateStorage")
 	var store ipn.StateStore
-	if jsStateStorage := jsConfig.Get("stateStorage"); !jsStateStorage.IsUndefined() {
-		store = &jsStateStore{jsStateStorage}
-	} else {
+	if jsStateStorage.IsUndefined() {
 		store = new(mem.Store)
+	} else {
+		store = &jsStateStore{jsStateStorage}
 	}

+	jsControlURL := jsConfig.Get("controlURL")
 	controlURL := ControlURL
-	if jsControlURL := jsConfig.Get("controlURL"); jsControlURL.Type() == js.TypeString {
+	if jsControlURL.Type() == js.TypeString {
 		controlURL = jsControlURL.String()
 	}

+	jsAuthKey := jsConfig.Get("authKey")
 	var authKey string
-	if jsAuthKey := jsConfig.Get("authKey"); jsAuthKey.Type() == js.TypeString {
+	if jsAuthKey.Type() == js.TypeString {
 		authKey = jsAuthKey.String()
 	}

-	var hostname string
-	if jsHostname := jsConfig.Get("hostname"); jsHostname.Type() == js.TypeString {
-		hostname = jsHostname.String()
-	} else {
-		hostname = generateHostname()
-	}
-
 	lpc := getOrCreateLogPolicyConfig(store)
 	c := logtail.Config{
 		Collection: lpc.Collection,
@@ -140,7 +136,6 @@ func newIPN(jsConfig js.Value) map[string]any {
 		lb:         lb,
 		controlURL: controlURL,
 		authKey:    authKey,
-		hostname:   hostname,
 	}

 	return map[string]any{
@@ -201,7 +196,6 @@ type jsIPN struct {
 	lb         *ipnlocal.LocalBackend
 	controlURL string
 	authKey    string
-	hostname   string
 }

 var jsIPNState = map[ipn.State]string{
@@ -290,7 +284,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 				RouteAll:         false,
 				AllowSingleHosts: true,
 				WantRunning:      true,
-				Hostname:         i.hostname,
+				Hostname:         generateHostname(),
 			},
 			AuthKey: i.authKey,
 		})
@@ -349,9 +343,6 @@ type jsSSHSession struct {
 	username   string
 	termConfig js.Value
 	session    *ssh.Session
-
-	pendingResizeRows int
-	pendingResizeCols int
 }

 func (s *jsSSHSession) Run() {
@@ -363,6 +354,9 @@ func (s *jsSSHSession) Run() {
 	onDone := s.termConfig.Get("onDone")
 	defer onDone.Invoke()

+	write := func(s string) {
+		writeFn.Invoke(s)
+	}
 	writeError := func(label string, err error) {
 		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}
@@ -387,6 +381,7 @@ func (s *jsSSHSession) Run() {
 		return
 	}
 	defer sshConn.Close()
+	write("SSH Connected\r\n")

 	sshClient := ssh.NewClient(sshConn, nil, nil)
 	defer sshClient.Close()
@@ -397,6 +392,7 @@ func (s *jsSSHSession) Run() {
 		return
 	}
 	s.session = session
+	write("Session Established\r\n")
 	defer session.Close()

 	stdin, err := session.StdinPipe()
@@ -417,14 +413,6 @@ func (s *jsSSHSession) Run() {
 		return nil
 	}))

-	// We might have gotten a resize notification since we started opening the
-	// session, pick up the latest size.
-	if s.pendingResizeRows != 0 {
-		rows = s.pendingResizeRows
-	}
-	if s.pendingResizeCols != 0 {
-		cols = s.pendingResizeCols
-	}
 	err = session.RequestPty("xterm", rows, cols, ssh.TerminalModes{})

 	if err != nil {
@@ -450,11 +438,6 @@ func (s *jsSSHSession) Close() error {
 }

 func (s *jsSSHSession) Resize(rows, cols int) error {
-	if s.session == nil {
-		s.pendingResizeRows = rows
-		s.pendingResizeCols = cols
-		return nil
-	}
 	return s.session.WindowChange(rows, cols)
 }

--- a/cmd/tsconnect/yarn.lock
+++ b/cmd/tsconnect/yarn.lock
@@ -644,15 +644,10 @@ xterm-addon-fit@^0.5.0:
  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
  integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==

-xterm@5.0.0-beta.58:
-  version "5.0.0-beta.58"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0-beta.58.tgz#e3e96ab9fd24d006ec16cc9351a060cc79e67e80"
-  integrity sha512-gjg39oKdgUKful27+7I1hvSK51lu/LRhdimFhfZyMvdk0iATH0FAfzv1eAvBKWY2UBgYUfxhicTkanYioANdMw==
-
-xterm-addon-web-links@0.7.0-beta.6:
-  version "0.7.0-beta.6"
-  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0-beta.6.tgz#ec63b681b4f0f0135fa039f53664f65fe9d9f43a"
-  integrity sha512-nD/r/GchGTN4c9gAIVLWVoxExTzAUV7E9xZnwsvhuwI4CEE6yqO15ns8g2hdcUrsPyCbNEw05mIrkF6W5Yj8qA==
+xterm@^4.18.0:
+  version "4.18.0"
+  resolved "https://registry.yarnpkg.com/xterm/-/xterm-4.18.0.tgz#a1f6ab2c330c3918fb094ae5f4c2562987398ea1"
+  integrity sha512-JQoc1S0dti6SQfI0bK1AZvGnAxH4MVw45ZPFSO6FHTInAiau3Ix77fSxNx3mX4eh9OL4AYa8+4C8f5UvnSfppQ==

 y18n@^4.0.0:
  version "4.0.3"
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -14,6 +14,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/httptest"
@@ -489,7 +490,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			c.logf("RegisterReq sign error: %v", err)
 		}
 	}
-	if debugRegister() {
+	if debugRegister {
 		j, _ := json.MarshalIndent(request, "", "\t")
 		c.logf("RegisterRequest: %s", j)
 	}
@@ -522,7 +523,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		return regen, opt.URL, fmt.Errorf("register request: %w", err)
 	}
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return regen, opt.URL, fmt.Errorf("register request: http %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
@@ -532,7 +533,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return regen, opt.URL, fmt.Errorf("register request: %v", err)
 	}
-	if debugRegister() {
+	if debugRegister {
 		j, _ := json.MarshalIndent(resp, "", "\t")
 		c.logf("RegisterResponse: %s", j)
 	}
@@ -714,7 +715,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	c.logf("[v1] PollNetMap: stream=%v ep=%v", allowStream, epStrs)

 	vlogf := logger.Discard
-	if DevKnob.DumpNetMaps() {
+	if DevKnob.DumpNetMaps {
 		// TODO(bradfitz): update this to use "[v2]" prefix perhaps? but we don't
 		// want to upload it always.
 		vlogf = c.logf
@@ -803,7 +804,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	}
 	vlogf("netmap: Do = %v after %v", res.StatusCode, time.Since(t0).Round(time.Millisecond))
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
 		return fmt.Errorf("initial fetch failed %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
@@ -813,7 +814,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	health.NoteMapRequestHeard(request)

 	if cb == nil {
-		io.Copy(io.Discard, res.Body)
+		io.Copy(ioutil.Discard, res.Body)
 		return nil
 	}

@@ -936,7 +937,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			}
 			if resp.Debug.DisableLogTail {
 				logtail.Disable()
-				envknob.SetNoLogsNoSupport()
 			}
 			if resp.Debug.LogHeapPprof {
 				go logheap.LogHeap(resp.Debug.LogHeapURL)
@@ -962,12 +962,12 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			controlTrimWGConfig.Store(d.TrimWGConfig)
 		}

-		if DevKnob.StripEndpoints() {
+		if DevKnob.StripEndpoints {
 			for _, p := range resp.Peers {
 				p.Endpoints = nil
 			}
 		}
-		if DevKnob.StripCaps() {
+		if DevKnob.StripCaps {
 			nm.SelfNode.Capabilities = nil
 		}

@@ -997,7 +997,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 // it uses the serverKey and mkey to decode the message from the NaCl-crypto-box.
 func decode(res *http.Response, v any, serverKey, serverNoiseKey key.MachinePublic, mkey key.MachinePrivate) error {
 	defer res.Body.Close()
-	msg, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
+	msg, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return err
 	}
@@ -1011,8 +1011,8 @@ func decode(res *http.Response, v any, serverKey, serverNoiseKey key.MachinePubl
 }

 var (
-	debugMap      = envknob.RegisterBool("TS_DEBUG_MAP")
-	debugRegister = envknob.RegisterBool("TS_DEBUG_REGISTER")
+	debugMap      = envknob.Bool("TS_DEBUG_MAP")
+	debugRegister = envknob.Bool("TS_DEBUG_REGISTER")
 )

 var jsonEscapedZero = []byte(`\u0000`)
@@ -1050,7 +1050,7 @@ func (c *Direct) decodeMsg(msg []byte, v any, mkey key.MachinePrivate) error {
 			return err
 		}
 	}
-	if debugMap() {
+	if debugMap {
 		var buf bytes.Buffer
 		json.Indent(&buf, b, "", "    ")
 		log.Printf("MapResponse: %s", buf.Bytes())
@@ -1087,7 +1087,7 @@ func encode(v any, serverKey, serverNoiseKey key.MachinePublic, mkey key.Machine
 	if err != nil {
 		return nil, err
 	}
-	if debugMap() {
+	if debugMap {
 		if _, ok := v.(*tailcfg.MapRequest); ok {
 			log.Printf("MapRequest: %s", b)
 		}
@@ -1109,7 +1109,7 @@ func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string
 		return nil, fmt.Errorf("fetch control key: %v", err)
 	}
 	defer res.Body.Close()
-	b, err := io.ReadAll(io.LimitReader(res.Body, 64<<10))
+	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 64<<10))
 	if err != nil {
 		return nil, fmt.Errorf("fetch control key response: %v", err)
 	}
@@ -1138,18 +1138,18 @@ func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string
 var DevKnob = initDevKnob()

 type devKnobs struct {
-	DumpNetMaps    func() bool
-	ForceProxyDNS  func() bool
-	StripEndpoints func() bool // strip endpoints from control (only use disco messages)
-	StripCaps      func() bool // strip all local node's control-provided capabilities
+	DumpNetMaps    bool
+	ForceProxyDNS  bool
+	StripEndpoints bool // strip endpoints from control (only use disco messages)
+	StripCaps      bool // strip all local node's control-provided capabilities
 }

 func initDevKnob() devKnobs {
 	return devKnobs{
-		DumpNetMaps:    envknob.RegisterBool("TS_DEBUG_NETMAP"),
-		ForceProxyDNS:  envknob.RegisterBool("TS_DEBUG_PROXY_DNS"),
-		StripEndpoints: envknob.RegisterBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripCaps:      envknob.RegisterBool("TS_DEBUG_STRIP_CAPS"),
+		DumpNetMaps:    envknob.Bool("TS_DEBUG_NETMAP"),
+		ForceProxyDNS:  envknob.Bool("TS_DEBUG_PROXY_DNS"),
+		StripEndpoints: envknob.Bool("TS_DEBUG_STRIP_ENDPOINTS"),
+		StripCaps:      envknob.Bool("TS_DEBUG_STRIP_CAPS"),
 	}
 }

@@ -1397,7 +1397,7 @@ func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) er
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
 	}
 	var setDNSRes tailcfg.SetDNSResponse
@@ -1463,7 +1463,7 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) (err er
 	}
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
-		msg, _ := io.ReadAll(res.Body)
+		msg, _ := ioutil.ReadAll(res.Body)
 		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
 	}
 	var setDNSRes tailcfg.SetDNSResponse
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -190,7 +190,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		}
 		ms.addUserProfile(peer.User)
 	}
-	if DevKnob.ForceProxyDNS() {
+	if DevKnob.ForceProxyDNS {
 		nm.DNS.Proxied = true
 	}
 	ms.netMapBuilding = nil
@@ -356,13 +356,13 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	return v2
 }

-var debugSelfIPv6Only = envknob.RegisterBool("TS_DEBUG_SELF_V6_ONLY")
+var debugSelfIPv6Only = envknob.Bool("TS_DEBUG_SELF_V6_ONLY")

 func filterSelfAddresses(in []netip.Prefix) (ret []netip.Prefix) {
 	switch {
 	default:
 		return in
-	case debugSelfIPv6Only():
+	case debugSelfIPv6Only:
 		for _, a := range in {
 			if a.Addr().Is6() {
 				ret = append(ret, a)
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -165,15 +165,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-	conn, err := (&controlhttp.Dialer{
-		Hostname:        nc.host,
-		HTTPPort:        nc.httpPort,
-		HTTPSPort:       nc.httpsPort,
-		MachineKey:      nc.privKey,
-		ControlKey:      nc.serverPubKey,
-		ProtocolVersion: uint16(tailcfg.CurrentCapabilityVersion),
-		Dialer:          nc.dialer.SystemDial,
-	}).Dial(ctx)
+	conn, err := controlhttp.Dial(ctx, nc.host, nc.httpPort, nc.httpsPort, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
 	if err != nil {
 		return nil, err
 	}
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -40,49 +40,57 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/types/key"
 )

-var stdDialer net.Dialer
-
-// Dial connects to the HTTP server at this Dialer's Host:HTTPPort, requests to
-// switch to the Tailscale control protocol, and returns an established control
+// Dial connects to the HTTP server at host:httpPort, requests to switch to the
+// Tailscale control protocol, and returns an established control
 // protocol connection.
 //
-// If Dial fails to connect using HTTP, it also tries to tunnel over TLS to the
-// Dialer's Host:HTTPSPort as a compatibility fallback.
+// If Dial fails to connect using addr, it also tries to tunnel over
+// TLS to host:httpsPort as a compatibility fallback.
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func (a *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
-	if a.Hostname == "" {
-		return nil, errors.New("required Dialer.Hostname empty")
+func Dial(ctx context.Context, host string, httpPort string, httpsPort string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+	a := &dialParams{
+		host:       host,
+		httpPort:   httpPort,
+		httpsPort:  httpsPort,
+		machineKey: machineKey,
+		controlKey: controlKey,
+		version:    protocolVersion,
+		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
+		dialer:     dialer,
 	}
 	return a.dial(ctx)
 }

-func (a *Dialer) logf(format string, args ...any) {
-	if a.Logf != nil {
-		a.Logf(format, args...)
-	}
+type dialParams struct {
+	host       string
+	httpPort   string
+	httpsPort  string
+	machineKey key.MachinePrivate
+	controlKey key.MachinePublic
+	version    uint16
+	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
+	dialer     dnscache.DialContextFunc
+
+	// For tests only
+	insecureTLS       bool
+	testFallbackDelay time.Duration
 }

-func (a *Dialer) getProxyFunc() func(*http.Request) (*url.URL, error) {
-	if a.proxyFunc != nil {
-		return a.proxyFunc
-	}
-	return tshttpproxy.ProxyFromEnvironment
-}
-
-// httpsFallbackDelay is how long we'll wait for a.HTTPPort to work before
-// starting to try a.HTTPSPort.
-func (a *Dialer) httpsFallbackDelay() time.Duration {
+// httpsFallbackDelay is how long we'll wait for a.httpPort to work before
+// starting to try a.httpsPort.
+func (a *dialParams) httpsFallbackDelay() time.Duration {
 	if v := a.testFallbackDelay; v != 0 {
 		return v
 	}
 	return 500 * time.Millisecond
 }

-func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
+func (a *dialParams) dial(ctx context.Context) (*controlbase.Conn, error) {
 	// Create one shared context used by both port 80 and port 443 dials.
 	// If port 80 is still in flight when 443 returns, this deferred cancel
 	// will stop the port 80 dial.
@@ -94,12 +102,12 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 	// we'll speak Noise.
 	u80 := &url.URL{
 		Scheme: "http",
-		Host:   net.JoinHostPort(a.Hostname, strDef(a.HTTPPort, "80")),
+		Host:   net.JoinHostPort(a.host, a.httpPort),
 		Path:   serverUpgradePath,
 	}
 	u443 := &url.URL{
 		Scheme: "https",
-		Host:   net.JoinHostPort(a.Hostname, strDef(a.HTTPSPort, "443")),
+		Host:   net.JoinHostPort(a.host, a.httpsPort),
 		Path:   serverUpgradePath,
 	}

@@ -161,8 +169,8 @@ func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
 }

 // dialURL attempts to connect to the given URL.
-func (a *Dialer) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
-	init, cont, err := controlbase.ClientDeferred(a.MachineKey, a.ControlKey, a.ProtocolVersion)
+func (a *dialParams) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
@@ -181,34 +189,26 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, er
 // tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
 //
 // Only the provided ctx is used, not a.ctx.
-func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
+func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
 	dns := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward,
 		LookupIPFallback: dnsfallback.Lookup,
 		UseLastGood:      true,
 	}
-
-	var dialer dnscache.DialContextFunc
-	if a.Dialer != nil {
-		dialer = a.Dialer
-	} else {
-		dialer = stdDialer.DialContext
-	}
-
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
-	tr.Proxy = a.getProxyFunc()
+	tr.Proxy = a.proxyFunc
 	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-	tr.DialContext = dnscache.Dialer(dialer, dns)
+	tr.DialContext = dnscache.Dialer(a.dialer, dns)
 	// Disable HTTP2, since h2 can't do protocol switching.
 	tr.TLSClientConfig.NextProtos = []string{}
 	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
-	tr.TLSClientConfig = tlsdial.Config(a.Hostname, tr.TLSClientConfig)
+	tr.TLSClientConfig = tlsdial.Config(a.host, tr.TLSClientConfig)
 	if a.insecureTLS {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 		tr.TLSClientConfig.VerifyConnection = nil
 	}
-	tr.DialTLSContext = dnscache.TLSDialer(dialer, dns, tr.TLSClientConfig)
+	tr.DialTLSContext = dnscache.TLSDialer(a.dialer, dns, tr.TLSClientConfig)
 	tr.DisableCompression = true

 	// (mis)use httptrace to extract the underlying net.Conn from the
--- a/control/controlhttp/client_js.go
+++ b/control/controlhttp/client_js.go
@@ -7,31 +7,27 @@ package controlhttp
 import (
 	"context"
 	"encoding/base64"
-	"errors"
 	"net"
 	"net/url"

 	"nhooyr.io/websocket"
 	"tailscale.com/control/controlbase"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/types/key"
 )

 // Variant of Dial that tunnels the request over WebSockets, since we cannot do
 // bi-directional communication over an HTTP connection when in JS.
-func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
-	if d.Hostname == "" {
-		return nil, errors.New("required Dialer.Hostname empty")
-	}
-
-	init, cont, err := controlbase.ClientDeferred(d.MachineKey, d.ControlKey, d.ProtocolVersion)
+func Dial(ctx context.Context, host string, httpPort string, httpsPort string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(machineKey, controlKey, protocolVersion)
 	if err != nil {
 		return nil, err
 	}

 	wsScheme := "wss"
-	host := d.Hostname
 	if host == "localhost" {
 		wsScheme = "ws"
-		host = net.JoinHostPort(host, strDef(d.HTTPPort, "80"))
+		host = net.JoinHostPort(host, httpPort)
 	}
 	wsURL := &url.URL{
 		Scheme: wsScheme,
@@ -56,4 +52,5 @@ func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
 		return nil, err
 	}
 	return cbConn, nil
+
 }
--- a/control/controlhttp/constants.go
+++ b/control/controlhttp/constants.go
@@ -4,16 +4,6 @@

 package controlhttp

-import (
-	"net/http"
-	"net/url"
-	"time"
-
-	"tailscale.com/net/dnscache"
-	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
-)
-
 const (
 	// upgradeHeader is the value of the Upgrade HTTP header used to
 	// indicate the Tailscale control protocol.
@@ -28,58 +18,3 @@ const (
 	// to do the protocol switch is located.
 	serverUpgradePath = "/ts2021"
 )
-
-// Dialer contains configuration on how to dial the Tailscale control server.
-type Dialer struct {
-	// Hostname is the hostname to connect to, with no port number.
-	//
-	// This field is required.
-	Hostname string
-
-	// MachineKey contains the current machine's private key.
-	//
-	// This field is required.
-	MachineKey key.MachinePrivate
-
-	// ControlKey contains the expected public key for the control server.
-	//
-	// This field is required.
-	ControlKey key.MachinePublic
-
-	// ProtocolVersion is the expected protocol version to negotiate.
-	//
-	// This field is required.
-	ProtocolVersion uint16
-
-	// HTTPPort is the port number to use when making a HTTP connection.
-	//
-	// If not specified, this defaults to port 80.
-	HTTPPort string
-
-	// HTTPSPort is the port number to use when making a HTTPS connection.
-	//
-	// If not specified, this defaults to port 443.
-	HTTPSPort string
-
-	// Dialer is the dialer used to make outbound connections.
-	//
-	// If not specified, this defaults to net.Dialer.DialContext.
-	Dialer dnscache.DialContextFunc
-
-	// Logf, if set, is a logging function to use; if unset, logs are
-	// dropped.
-	Logf logger.Logf
-
-	proxyFunc func(*http.Request) (*url.URL, error) // or nil
-
-	// For tests only
-	insecureTLS       bool
-	testFallbackDelay time.Duration
-}
-
-func strDef(v1, v2 string) string {
-	if v1 != "" {
-		return v1
-	}
-	return v2
-}
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -170,16 +170,15 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		defer cancel()
 	}

-	a := &Dialer{
-		Hostname:          "localhost",
-		HTTPPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
-		HTTPSPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
-		MachineKey:        client,
-		ControlKey:        server.Public(),
-		ProtocolVersion:   testProtocolVersion,
-		Dialer:            new(tsdial.Dialer).SystemDial,
-		Logf:              t.Logf,
+	a := dialParams{
+		host:              "localhost",
+		httpPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:        client,
+		controlKey:        server.Public(),
+		version:           testProtocolVersion,
 		insecureTLS:       true,
+		dialer:            new(tsdial.Dialer).SystemDial,
 		testFallbackDelay: 50 * time.Millisecond,
 	}

--- a/control/controlhttp/server.go
+++ b/control/controlhttp/server.go
@@ -82,12 +82,6 @@ func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request
 	c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 		Subprotocols:   []string{upgradeHeaderValue},
 		OriginPatterns: []string{"*"},
-		// Disable compression because we transmit Noise messages that are not
-		// compressible.
-		// Additionally, Safari has a broken implementation of compression
-		// (see https://github.com/nhooyr/websocket/issues/218) that makes
-		// enabling it actively harmful.
-		CompressionMode: websocket.CompressionDisabled,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("Could not accept WebSocket connection %v", err)
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -13,18 +13,20 @@ import (
 )

 // disableUPnP indicates whether to attempt UPnP mapping.
-var disableUPnPControl atomic.Bool
+var disableUPnP atomic.Bool

-var disableUPnpEnv = envknob.RegisterBool("TS_DISABLE_UPNP")
+func init() {
+	SetDisableUPnP(envknob.Bool("TS_DISABLE_UPNP"))
+}

 // DisableUPnP reports the last reported value from control
 // whether UPnP portmapping should be disabled.
 func DisableUPnP() bool {
-	return disableUPnPControl.Load() || disableUPnpEnv()
+	return disableUPnP.Load()
 }

 // SetDisableUPnP sets whether control says that UPnP should be
 // disabled.
 func SetDisableUPnP(v bool) {
-	disableUPnPControl.Store(v)
+	disableUPnP.Store(v)
 }
--- a/derp/derp.go
+++ b/derp/derp.go
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package derp implements the Designated Encrypted Relay for Packets (DERP)
-// protocol.
+// Package derp implements DERP, the Detour Encrypted Routing Protocol.
 //
 // DERP routes packets to clients using curve25519 keys as addresses.
 //
@@ -19,6 +18,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"time"
 )

@@ -194,7 +194,7 @@ func readFrame(br *bufio.Reader, maxSize uint32, b []byte) (t frameType, frameLe
 	}
 	remain := frameLen - uint32(n)
 	if remain > 0 {
-		if _, err := io.CopyN(io.Discard, br, int64(remain)); err != nil {
+		if _, err := io.CopyN(ioutil.Discard, br, int64(remain)); err != nil {
 			return 0, 0, err
 		}
 		err = io.ErrShortBuffer
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -18,6 +18,7 @@ import (
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math"
 	"math/big"
@@ -46,6 +47,8 @@ import (
 	"tailscale.com/version"
 )

+var debug = envknob.Bool("DERP_DEBUG_LOGS")
+
 // verboseDropKeys is the set of destination public keys that should
 // verbosely log whenever DERP drops a packet.
 var verboseDropKeys = map[key.NodePublic]bool{}
@@ -103,7 +106,6 @@ type Server struct {
 	limitedLogf logger.Logf
 	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate
 	dupPolicy   dupPolicy
-	debug       bool

 	// Counters:
 	packetsSent, bytesSent       expvar.Int
@@ -297,7 +299,6 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 	runtime.ReadMemStats(&ms)

 	s := &Server{
-		debug:                envknob.Bool("DERP_DEBUG_LOGS"),
 		privateKey:           privateKey,
 		publicKey:            privateKey.Public(),
 		logf:                 logf,
@@ -757,7 +758,7 @@ func (c *sclient) run(ctx context.Context) error {
 }

 func (c *sclient) handleUnknownFrame(ft frameType, fl uint32) error {
-	_, err := io.CopyN(io.Discard, c.br, int64(fl))
+	_, err := io.CopyN(ioutil.Discard, c.br, int64(fl))
 	return err
 }

@@ -800,7 +801,7 @@ func (c *sclient) handleFramePing(ft frameType, fl uint32) error {
 		return err
 	}
 	if extra := int64(fl) - int64(len(m)); extra > 0 {
-		_, err = io.CopyN(io.Discard, c.br, extra)
+		_, err = io.CopyN(ioutil.Discard, c.br, extra)
 	}
 	select {
 	case c.sendPongCh <- [8]byte(m):
@@ -979,7 +980,7 @@ func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, r
 		msg := fmt.Sprintf("drop (%s) %s -> %s", srcKey.ShortString(), reason, dstKey.ShortString())
 		s.limitedLogf(msg)
 	}
-	if s.debug {
+	if debug {
 		s.logf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, disco.LooksLikeDiscoWrapper(packetBytes))
 	}
 }
@@ -1827,7 +1828,7 @@ func (s *Server) ServeDebugTraffic(w http.ResponseWriter, r *http.Request) {

 var bufioWriterPool = &sync.Pool{
 	New: func() any {
-		return bufio.NewWriterSize(io.Discard, 2<<10)
+		return bufio.NewWriterSize(ioutil.Discard, 2<<10)
 	},
 }

@@ -1860,7 +1861,7 @@ func (w *lazyBufioWriter) Flush() error {
 	}
 	err := w.lbw.Flush()

-	w.lbw.Reset(io.Discard)
+	w.lbw.Reset(ioutil.Discard)
 	bufioWriterPool.Put(w.lbw)
 	w.lbw = nil

--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -15,9 +15,9 @@ import (
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
-	"os"
 	"reflect"
 	"sync"
 	"testing"
@@ -1240,7 +1240,7 @@ func benchmarkSendRecvSize(b *testing.B, packetSize int) {
 }

 func BenchmarkWriteUint32(b *testing.B) {
-	w := bufio.NewWriter(io.Discard)
+	w := bufio.NewWriter(ioutil.Discard)
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
@@ -1279,9 +1279,9 @@ func waitConnect(t testing.TB, c *Client) {
 }

 func TestParseSSOutput(t *testing.T) {
-	contents, err := os.ReadFile("testdata/example_ss.txt")
+	contents, err := ioutil.ReadFile("testdata/example_ss.txt")
 	if err != nil {
-		t.Errorf("os.ReadFile(example_ss.txt) failed: %v", err)
+		t.Errorf("ioutil.Readfile(example_ss.txt) failed: %v", err)
 	}
 	seen := parseSSOutput(string(contents))
 	if len(seen) == 0 {
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/netip"
@@ -431,7 +432,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 			return nil, 0, err
 		}
 		if resp.StatusCode != http.StatusSwitchingProtocols {
-			b, _ := io.ReadAll(resp.Body)
+			b, _ := ioutil.ReadAll(resp.Body)
 			resp.Body.Close()
 			return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
 		}
--- a/docs/k8s/run.sh
+++ b/docs/k8s/run.sh
@@ -4,6 +4,8 @@

 #! /bin/sh

+set -m # enable job control
+
 export PATH=$PATH:/tailscale/bin

 TS_AUTH_KEY="${TS_AUTH_KEY:-}"
@@ -58,16 +60,8 @@ if [[ ! -z "${TS_TAILSCALED_EXTRA_ARGS}" ]]; then
  TAILSCALED_ARGS="${TAILSCALED_ARGS} ${TS_TAILSCALED_EXTRA_ARGS}"
 fi

-handler() {
-  echo "Caught SIGINT/SIGTERM, shutting down tailscaled"
-  kill -s SIGINT $PID
-  wait ${PID}
-}
-
 echo "Starting tailscaled"
 tailscaled ${TAILSCALED_ARGS} &
-PID=$!
-trap handler SIGINT SIGTERM

 UP_ARGS="--accept-dns=${TS_ACCEPT_DNS}"
 if [[ ! -z "${TS_ROUTES}" ]]; then
@@ -88,5 +82,4 @@ if [[ ! -z "${TS_DEST_IP}" ]]; then
  iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
 fi

-echo "Waiting for tailscaled to exit"
-wait ${PID}
+fg
--- a/docs/k8s/sidecar.yaml
+++ b/docs/k8s/sidecar.yaml
@@ -23,7 +23,7 @@ spec:
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
          optional: true
    securityContext:
      capabilities:
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -17,43 +17,30 @@
 package envknob

 import (
-	"bufio"
-	"fmt"
-	"io"
 	"log"
 	"os"
-	"path/filepath"
-	"runtime"
-	"sort"
 	"strconv"
-	"strings"
 	"sync"
-	"sync/atomic"

 	"tailscale.com/types/opt"
-	"tailscale.com/version/distro"
 )

 var (
-	mu         sync.Mutex
-	set        = map[string]string{}
-	regStr     = map[string]*string{}
-	regBool    = map[string]*bool{}
-	regOptBool = map[string]*opt.Bool{}
+	mu   sync.Mutex
+	set  = map[string]string{}
+	list []string
 )

 func noteEnv(k, v string) {
+	if v == "" {
+		return
+	}
 	mu.Lock()
 	defer mu.Unlock()
-	noteEnvLocked(k, v)
-}
-
-func noteEnvLocked(k, v string) {
-	if v != "" {
-		set[k] = v
-	} else {
-		delete(set, k)
+	if _, ok := set[k]; !ok {
+		list = append(list, k)
 	}
+	set[k] = v
 }

 // logf is logger.Logf, but logger depends on envknob, so for circular
@@ -65,39 +52,11 @@ type logf = func(format string, args ...any)
 func LogCurrent(logf logf) {
 	mu.Lock()
 	defer mu.Unlock()
-
-	list := make([]string, 0, len(set))
-	for k := range set {
-		list = append(list, k)
-	}
-	sort.Strings(list)
 	for _, k := range list {
 		logf("envknob: %s=%q", k, set[k])
 	}
 }

-// Setenv changes an environment variable.
-//
-// It is not safe for concurrent reading of environment variables via the
-// Register functions. All Setenv calls are meant to happen early in main before
-// any goroutines are started.
-func Setenv(envVar, val string) {
-	mu.Lock()
-	defer mu.Unlock()
-	os.Setenv(envVar, val)
-	noteEnvLocked(envVar, val)
-
-	if p := regStr[envVar]; p != nil {
-		*p = val
-	}
-	if p := regBool[envVar]; p != nil {
-		setBoolLocked(p, envVar, val)
-	}
-	if p := regOptBool[envVar]; p != nil {
-		setOptBoolLocked(p, envVar, val)
-	}
-}
-
 // String returns the named environment variable, using os.Getenv.
 //
 // If the variable is non-empty, it's also tracked & logged as being
@@ -108,82 +67,6 @@ func String(envVar string) string {
 	return v
 }

-// RegisterString returns a func that gets the named environment variable,
-// without a map lookup per call. It assumes that mutations happen via
-// envknob.Setenv.
-func RegisterString(envVar string) func() string {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regStr[envVar]
-	if !ok {
-		val := os.Getenv(envVar)
-		if val != "" {
-			noteEnvLocked(envVar, val)
-		}
-		p = &val
-		regStr[envVar] = p
-	}
-	return func() string { return *p }
-}
-
-// RegisterBool returns a func that gets the named environment variable,
-// without a map lookup per call. It assumes that mutations happen via
-// envknob.Setenv.
-func RegisterBool(envVar string) func() bool {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regBool[envVar]
-	if !ok {
-		var b bool
-		p = &b
-		setBoolLocked(p, envVar, os.Getenv(envVar))
-		regBool[envVar] = p
-	}
-	return func() bool { return *p }
-}
-
-// RegisterOptBool returns a func that gets the named environment variable,
-// without a map lookup per call. It assumes that mutations happen via
-// envknob.Setenv.
-func RegisterOptBool(envVar string) func() opt.Bool {
-	mu.Lock()
-	defer mu.Unlock()
-	p, ok := regOptBool[envVar]
-	if !ok {
-		var b opt.Bool
-		p = &b
-		setOptBoolLocked(p, envVar, os.Getenv(envVar))
-		regOptBool[envVar] = p
-	}
-	return func() opt.Bool { return *p }
-}
-
-func setBoolLocked(p *bool, envVar, val string) {
-	noteEnvLocked(envVar, val)
-	if val == "" {
-		*p = false
-		return
-	}
-	var err error
-	*p, err = strconv.ParseBool(val)
-	if err != nil {
-		log.Fatalf("invalid boolean environment variable %s value %q", envVar, val)
-	}
-}
-
-func setOptBoolLocked(p *opt.Bool, envVar, val string) {
-	noteEnvLocked(envVar, val)
-	if val == "" {
-		*p = ""
-		return
-	}
-	b, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Fatalf("invalid boolean environment variable %s value %q", envVar, val)
-	}
-	p.Set(b)
-}
-
 // Bool returns the boolean value of the named environment variable.
 // If the variable is not set, it returns false.
 // An invalid value exits the binary with a failure.
@@ -198,7 +81,6 @@ func BoolDefaultTrue(envVar string) bool {
 }

 func boolOr(envVar string, implicitValue bool) bool {
-	assertNotInInit()
 	val := os.Getenv(envVar)
 	if val == "" {
 		return implicitValue
@@ -216,7 +98,6 @@ func boolOr(envVar string, implicitValue bool) bool {
 // The ok result is whether a value was set.
 // If the value isn't a valid int, it exits the program with a failure.
 func LookupBool(envVar string) (v bool, ok bool) {
-	assertNotInInit()
 	val := os.Getenv(envVar)
 	if val == "" {
 		return false, false
@@ -232,7 +113,6 @@ func LookupBool(envVar string) (v bool, ok bool) {
 // OptBool is like Bool, but returns an opt.Bool, so the caller can
 // distinguish between implicitly and explicitly false.
 func OptBool(envVar string) opt.Bool {
-	assertNotInInit()
 	b, ok := LookupBool(envVar)
 	if !ok {
 		return ""
@@ -246,7 +126,6 @@ func OptBool(envVar string) opt.Bool {
 // The ok result is whether a value was set.
 // If the value isn't a valid int, it exits the program with a failure.
 func LookupInt(envVar string) (v int, ok bool) {
-	assertNotInInit()
 	val := os.Getenv(envVar)
 	if val == "" {
 		return 0, false
@@ -276,151 +155,3 @@ func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }

 // SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
 func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }
-
-// NoLogsNoSupport reports whether the client's opted out of log uploads and
-// technical support.
-func NoLogsNoSupport() bool {
-	return Bool("TS_NO_LOGS_NO_SUPPORT")
-}
-
-// SetNoLogsNoSupport enables no-logs-no-support mode.
-func SetNoLogsNoSupport() {
-	Setenv("TS_NO_LOGS_NO_SUPPORT", "true")
-}
-
-// notInInit is set true the first time we've seen a non-init stack trace.
-var notInInit atomic.Bool
-
-func assertNotInInit() {
-	if notInInit.Load() {
-		return
-	}
-	skip := 0
-	for {
-		pc, _, _, ok := runtime.Caller(skip)
-		if !ok {
-			notInInit.Store(true)
-			return
-		}
-		fu := runtime.FuncForPC(pc)
-		if fu == nil {
-			return
-		}
-		name := fu.Name()
-		name = strings.TrimRightFunc(name, func(r rune) bool { return r >= '0' && r <= '9' })
-		if strings.HasSuffix(name, ".init") || strings.HasSuffix(name, ".init.") {
-			stack := make([]byte, 1<<10)
-			stack = stack[:runtime.Stack(stack, false)]
-			envCheckedInInitStack = stack
-		}
-		skip++
-	}
-}
-
-var envCheckedInInitStack []byte
-
-// PanicIfAnyEnvCheckedInInit panics if environment variables were read during
-// init.
-func PanicIfAnyEnvCheckedInInit() {
-	if envCheckedInInitStack != nil {
-		panic("envknob check of called from init function: " + string(envCheckedInInitStack))
-	}
-}
-
-var applyDiskConfigErr error
-
-// ApplyDiskConfigError returns the most recent result of ApplyDiskConfig.
-func ApplyDiskConfigError() error { return applyDiskConfigErr }
-
-// ApplyDiskConfig returns a platform-specific config file of environment keys/values and
-// applies them. On Linux and Unix operating systems, it's a no-op and always returns nil.
-// If no platform-specific config file is found, it also returns nil.
-//
-// It exists primarily for Windows to make it easy to apply environment variables to
-// a running service in a way similar to modifying /etc/default/tailscaled on Linux.
-// On Windows, you use %ProgramData%\Tailscale\tailscaled-env.txt instead.
-func ApplyDiskConfig() (err error) {
-	var f *os.File
-	defer func() {
-		if err != nil {
-			// Stash away our return error for the healthcheck package to use.
-			applyDiskConfigErr = fmt.Errorf("error parsing %s: %w", f.Name(), err)
-		}
-	}()
-
-	// First try the explicitly-provided value for development testing. Not
-	// useful for users to use on their own. (if they can set this, they can set
-	// any environment variable anyway)
-	if name := os.Getenv("TS_DEBUG_ENV_FILE"); name != "" {
-		f, err = os.Open(name)
-		if err != nil {
-			return fmt.Errorf("error opening explicitly configured TS_DEBUG_ENV_FILE: %w", err)
-		}
-		defer f.Close()
-		return applyKeyValueEnv(f)
-	}
-
-	name := getPlatformEnvFile()
-	if name == "" {
-		return nil
-	}
-	f, err = os.Open(name)
-	if os.IsNotExist(err) {
-		return nil
-	}
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	return applyKeyValueEnv(f)
-}
-
-// getPlatformEnvFile returns the current platform's path to an optional
-// tailscaled-env.txt file. It returns an empty string if none is defined
-// for the platform.
-func getPlatformEnvFile() string {
-	switch runtime.GOOS {
-	case "windows":
-		return filepath.Join(os.Getenv("ProgramData"), "Tailscale", "tailscaled-env.txt")
-	case "linux":
-		if distro.Get() == distro.Synology {
-			return "/etc/tailscale/tailscaled-env.txt"
-		}
-	case "darwin":
-		// TODO(bradfitz): figure this out. There are three ways to run
-		// Tailscale on macOS (tailscaled, GUI App Store, GUI System Extension)
-		// and we should deal with all three.
-	}
-	return ""
-}
-
-// applyKeyValueEnv reads key=value lines r and calls Setenv for each.
-//
-// Empty lines and lines beginning with '#' are skipped.
-//
-// Values can be double quoted, in which case they're unquoted using
-// strconv.Unquote.
-func applyKeyValueEnv(r io.Reader) error {
-	bs := bufio.NewScanner(r)
-	for bs.Scan() {
-		line := strings.TrimSpace(bs.Text())
-		if line == "" || line[0] == '#' {
-			continue
-		}
-		k, v, ok := strings.Cut(line, "=")
-		k = strings.TrimSpace(k)
-		if !ok || k == "" {
-			continue
-		}
-		v = strings.TrimSpace(v)
-		if strings.HasPrefix(v, `"`) {
-			var err error
-			v, err = strconv.Unquote(v)
-			if err != nil {
-				return fmt.Errorf("invalid value in line %q: %v", line, err)
-			}
-		}
-		Setenv(k, v)
-	}
-	return bs.Err()
-}
--- a/go.mod
+++ b/go.mod
@@ -63,9 +63,9 @@ require (
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
-	golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0
-	golang.zx2c4.com/wireguard/windows v0.5.3
-	gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5
+	golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478
+	golang.zx2c4.com/wireguard/windows v0.4.10
+	gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444
 	honnef.co/go/tools v0.4.0-0.dev.0.20220404092545-59d7a2877f83
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/wf v0.0.0-20220728202103-50d96caab2f6
@@ -266,7 +266,7 @@ require (
 	github.com/yeya24/promlinter v0.1.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -729,6 +729,8 @@ github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -1350,6 +1352,7 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1446,6 +1449,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1504,9 +1508,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
-golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1633,10 +1636,11 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0 h1:5ZkdpbduT/g+9OtbSDvbF3KvfQG45CtH/ppO8FUmvCQ=
-golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
-golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
-golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
+golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
+golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478 h1:vDy//hdR+GnROE3OdYbQKt9rdtNdHkDtONvpRwmls/0=
+golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
+golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
+golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1816,8 +1820,8 @@ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5 h1:cv/zaNV0nr1mJzaeo4S5mHIm5va1W0/9J3/5prlsuRM=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
+gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444 h1:0d3ygmOM5RgQB8rmsZNeAY/7Q98fKt1HrGO2XIp4pDI=
+gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-b13188dd36c1ad2509796ce10b6a1231b200c36a
+6dca83b256c7decd3dd6706ee47e04f21a0b935c
--- a/health/health.go
+++ b/health/health.go
@@ -325,7 +325,7 @@ func OverallError() error {
 	return overallErrorLocked()
 }

-var fakeErrForTesting = envknob.RegisterString("TS_DEBUG_FAKE_HEALTH_ERROR")
+var fakeErrForTesting = envknob.String("TS_DEBUG_FAKE_HEALTH_ERROR")

 func overallErrorLocked() error {
 	if !anyInterfaceUp {
@@ -383,10 +383,7 @@ func overallErrorLocked() error {
 	for _, s := range controlHealth {
 		errs = append(errs, errors.New(s))
 	}
-	if err := envknob.ApplyDiskConfigError(); err != nil {
-		errs = append(errs, err)
-	}
-	if e := fakeErrForTesting(); len(errs) == 0 && e != "" {
+	if e := fakeErrForTesting; len(errs) == 0 && e != "" {
 		return errors.New(e)
 	}
 	sort.Slice(errs, func(i, j int) bool {
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -12,12 +12,10 @@ import (
 	"os"
 	"runtime"
 	"strings"
-	"sync"
 	"sync/atomic"
 	"time"

 	"go4.org/mem"
-	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/cloudenv"
@@ -33,69 +31,25 @@ func New() *tailcfg.Hostinfo {
 	hostname, _ := os.Hostname()
 	hostname = dnsname.FirstLabel(hostname)
 	return &tailcfg.Hostinfo{
-		IPNVersion:      version.Long,
-		Hostname:        hostname,
-		OS:              version.OS(),
-		OSVersion:       GetOSVersion(),
-		Container:       lazyInContainer.Get(),
-		Distro:          condCall(distroName),
-		DistroVersion:   condCall(distroVersion),
-		DistroCodeName:  condCall(distroCodeName),
-		Env:             string(GetEnvType()),
-		Desktop:         desktop(),
-		Package:         packageTypeCached(),
-		GoArch:          runtime.GOARCH,
-		GoVersion:       runtime.Version(),
-		DeviceModel:     deviceModel(),
-		Cloud:           string(cloudenv.Get()),
-		NoLogsNoSupport: envknob.NoLogsNoSupport(),
+		IPNVersion:  version.Long,
+		Hostname:    hostname,
+		OS:          version.OS(),
+		OSVersion:   GetOSVersion(),
+		Desktop:     desktop(),
+		Package:     packageTypeCached(),
+		GoArch:      runtime.GOARCH,
+		GoVersion:   runtime.Version(),
+		DeviceModel: deviceModel(),
+		Cloud:       string(cloudenv.Get()),
 	}
 }

 // non-nil on some platforms
 var (
-	osVersion      func() string
-	packageType    func() string
-	distroName     func() string
-	distroVersion  func() string
-	distroCodeName func() string
+	osVersion   func() string
+	packageType func() string
 )

-func condCall[T any](fn func() T) T {
-	var zero T
-	if fn == nil {
-		return zero
-	}
-	return fn()
-}
-
-var (
-	lazyInContainer = &lazyAtomicValue[opt.Bool]{f: ptrTo(inContainer)}
-)
-
-func ptrTo[T any](v T) *T { return &v }
-
-type lazyAtomicValue[T any] struct {
-	// f is a pointer to a fill function. If it's nil or points
-	// to nil, then Get returns the zero value for T.
-	f *func() T
-
-	once sync.Once
-	v    T
-}
-
-func (v *lazyAtomicValue[T]) Get() T {
-	v.once.Do(v.fill)
-	return v.v
-}
-
-func (v *lazyAtomicValue[T]) fill() {
-	if v.f == nil || *v.f == nil {
-		return
-	}
-	v.v = (*v.f)()
-}
-
 // GetOSVersion returns the OSVersion of current host if available.
 func GetOSVersion() string {
 	if s, _ := osVersionAtomic.Load().(string); s != "" {
@@ -225,32 +179,22 @@ func getEnvType() EnvType {
 }

 // inContainer reports whether we're running in a container.
-func inContainer() opt.Bool {
+func inContainer() bool {
 	if runtime.GOOS != "linux" {
-		return ""
-	}
-	var ret opt.Bool
-	ret.Set(false)
-	if _, err := os.Stat("/.dockerenv"); err == nil {
-		ret.Set(true)
-		return ret
-	}
-	if _, err := os.Stat("/run/.containerenv"); err == nil {
-		// See https://github.com/cri-o/cri-o/issues/5461
-		ret.Set(true)
-		return ret
+		return false
 	}
+	var ret bool
 	lineread.File("/proc/1/cgroup", func(line []byte) error {
 		if mem.Contains(mem.B(line), mem.S("/docker/")) ||
 			mem.Contains(mem.B(line), mem.S("/lxc/")) {
-			ret.Set(true)
+			ret = true
 			return io.EOF // arbitrary non-nil error to stop loop
 		}
 		return nil
 	})
 	lineread.File("/proc/mounts", func(line []byte) error {
 		if mem.Contains(mem.B(line), mem.S("fuse.lxcfs")) {
-			ret.Set(true)
+			ret = true
 			return io.EOF
 		}
 		return nil
--- a/hostinfo/hostinfo_freebsd.go
+++ b/hostinfo/hostinfo_freebsd.go
@@ -8,58 +8,48 @@
 package hostinfo

 import (
-	"bytes"
+	"fmt"
 	"os"
 	"os/exec"
+	"strings"

 	"golang.org/x/sys/unix"
 	"tailscale.com/version/distro"
 )

 func init() {
-	osVersion = lazyOSVersion.Get
-	distroName = distroNameFreeBSD
-	distroVersion = distroVersionFreeBSD
+	osVersion = osVersionFreebsd
 }

-var (
-	lazyVersionMeta = &lazyAtomicValue[versionMeta]{f: ptrTo(freebsdVersionMeta)}
-	lazyOSVersion   = &lazyAtomicValue[string]{f: ptrTo(osVersionFreeBSD)}
-)
-
-func distroNameFreeBSD() string {
-	return lazyVersionMeta.Get().DistroName
-}
-
-func distroVersionFreeBSD() string {
-	return lazyVersionMeta.Get().DistroVersion
-}
-
-type versionMeta struct {
-	DistroName     string
-	DistroVersion  string
-	DistroCodeName string
-}
-
-func osVersionFreeBSD() string {
-	var un unix.Utsname
+func osVersionFreebsd() string {
+	un := unix.Utsname{}
 	unix.Uname(&un)
-	return unix.ByteSliceToString(un.Release[:])
-}

-func freebsdVersionMeta() (meta versionMeta) {
-	d := distro.Get()
-	meta.DistroName = string(d)
-	switch d {
+	var attrBuf strings.Builder
+	attrBuf.WriteString("; version=")
+	attrBuf.WriteString(unix.ByteSliceToString(un.Release[:]))
+	attr := attrBuf.String()
+
+	version := "FreeBSD"
+	switch distro.Get() {
 	case distro.Pfsense:
 		b, _ := os.ReadFile("/etc/version")
-		meta.DistroVersion = string(bytes.TrimSpace(b))
+		version = fmt.Sprintf("pfSense %s", b)
 	case distro.OPNsense:
-		b, _ := exec.Command("opnsense-version").Output()
-		meta.DistroVersion = string(bytes.TrimSpace(b))
+		b, err := exec.Command("opnsense-version").Output()
+		if err == nil {
+			version = string(b)
+		} else {
+			version = "OPNsense"
+		}
 	case distro.TrueNAS:
-		b, _ := os.ReadFile("/etc/version")
-		meta.DistroVersion = string(bytes.TrimSpace(b))
+		b, err := os.ReadFile("/etc/version")
+		if err == nil {
+			version = string(b)
+		} else {
+			version = "TrueNAS"
+		}
 	}
-	return
+	// the /etc/version files end in a newline
+	return fmt.Sprintf("%s%s", strings.TrimSuffix(version, "\n"), attr)
 }
--- a/hostinfo/hostinfo_linux.go
+++ b/hostinfo/hostinfo_linux.go
@@ -9,6 +9,8 @@ package hostinfo

 import (
 	"bytes"
+	"fmt"
+	"io/ioutil"
 	"os"
 	"strings"

@@ -19,39 +21,14 @@ import (
 )

 func init() {
-	osVersion = lazyOSVersion.Get
+	osVersion = osVersionLinux
 	packageType = packageTypeLinux
-	distroName = distroNameLinux
-	distroVersion = distroVersionLinux
-	distroCodeName = distroCodeNameLinux
+
 	if v := linuxDeviceModel(); v != "" {
 		SetDeviceModel(v)
 	}
 }

-var (
-	lazyVersionMeta = &lazyAtomicValue[versionMeta]{f: ptrTo(linuxVersionMeta)}
-	lazyOSVersion   = &lazyAtomicValue[string]{f: ptrTo(osVersionLinux)}
-)
-
-type versionMeta struct {
-	DistroName     string
-	DistroVersion  string
-	DistroCodeName string // "jammy", etc (VERSION_CODENAME from /etc/os-release)
-}
-
-func distroNameLinux() string {
-	return lazyVersionMeta.Get().DistroName
-}
-
-func distroVersionLinux() string {
-	return lazyVersionMeta.Get().DistroVersion
-}
-
-func distroCodeNameLinux() string {
-	return lazyVersionMeta.Get().DistroCodeName
-}
-
 func linuxDeviceModel() string {
 	for _, path := range []string{
 		// First try the Synology-specific location.
@@ -75,22 +52,15 @@ func linuxDeviceModel() string {
 func getQnapQtsVersion(versionInfo string) string {
 	for _, field := range strings.Fields(versionInfo) {
 		if suffix, ok := strs.CutPrefix(field, "QTSFW_"); ok {
-			return suffix
+			return "QTS " + suffix
 		}
 	}
 	return ""
 }

 func osVersionLinux() string {
-	var un unix.Utsname
-	unix.Uname(&un)
-	return unix.ByteSliceToString(un.Release[:])
-}
-
-func linuxVersionMeta() (meta versionMeta) {
+	// TODO(bradfitz,dgentry): cache this, or make caller(s) cache it.
 	dist := distro.Get()
-	meta.DistroName = string(dist)
-
 	propFile := "/etc/os-release"
 	switch dist {
 	case distro.Synology:
@@ -98,13 +68,11 @@ func linuxVersionMeta() (meta versionMeta) {
 	case distro.OpenWrt:
 		propFile = "/etc/openwrt_release"
 	case distro.WDMyCloud:
-		slurp, _ := os.ReadFile("/etc/version")
-		meta.DistroVersion = string(bytes.TrimSpace(slurp))
-		return
+		slurp, _ := ioutil.ReadFile("/etc/version")
+		return fmt.Sprintf("%s", string(bytes.TrimSpace(slurp)))
 	case distro.QNAP:
-		slurp, _ := os.ReadFile("/etc/version_info")
-		meta.DistroVersion = getQnapQtsVersion(string(slurp))
-		return
+		slurp, _ := ioutil.ReadFile("/etc/version_info")
+		return getQnapQtsVersion(string(slurp))
 	}

 	m := map[string]string{}
@@ -118,45 +86,50 @@ func linuxVersionMeta() (meta versionMeta) {
 		return nil
 	})

-	if v := m["VERSION_CODENAME"]; v != "" {
-		meta.DistroCodeName = v
+	var un unix.Utsname
+	unix.Uname(&un)
+
+	var attrBuf strings.Builder
+	attrBuf.WriteString("; kernel=")
+	attrBuf.WriteString(unix.ByteSliceToString(un.Release[:]))
+	if inContainer() {
+		attrBuf.WriteString("; container")
 	}
-	if v := m["VERSION_ID"]; v != "" {
-		meta.DistroVersion = v
+	if env := GetEnvType(); env != "" {
+		fmt.Fprintf(&attrBuf, "; env=%s", env)
 	}
+	attr := attrBuf.String()
+
 	id := m["ID"]
-	if id != "" {
-		meta.DistroName = id
-	}
+
 	switch id {
 	case "debian":
-		// Debian's VERSION_ID is just like "11". But /etc/debian_version has "11.5" normally.
-		// Or "bookworm/sid" on sid/testing.
-		slurp, _ := os.ReadFile("/etc/debian_version")
-		if v := string(bytes.TrimSpace(slurp)); v != "" {
-			if '0' <= v[0] && v[0] <= '9' {
-				meta.DistroVersion = v
-			} else if meta.DistroCodeName == "" {
-				meta.DistroCodeName = v
-			}
-		}
+		slurp, _ := ioutil.ReadFile("/etc/debian_version")
+		return fmt.Sprintf("Debian %s (%s)%s", bytes.TrimSpace(slurp), m["VERSION_CODENAME"], attr)
+	case "ubuntu":
+		return fmt.Sprintf("Ubuntu %s%s", m["VERSION"], attr)
 	case "", "centos": // CentOS 6 has no /etc/os-release, so its id is ""
-		if meta.DistroVersion == "" {
-			if cr, _ := os.ReadFile("/etc/centos-release"); len(cr) > 0 { // "CentOS release 6.10 (Final)
-				meta.DistroVersion = string(bytes.TrimSpace(cr))
-			}
+		if cr, _ := ioutil.ReadFile("/etc/centos-release"); len(cr) > 0 { // "CentOS release 6.10 (Final)
+			return fmt.Sprintf("%s%s", bytes.TrimSpace(cr), attr)
+		}
+		fallthrough
+	case "fedora", "rhel", "alpine", "nixos":
+		// Their PRETTY_NAME is fine as-is for all versions I tested.
+		fallthrough
+	default:
+		if v := m["PRETTY_NAME"]; v != "" {
+			return fmt.Sprintf("%s%s", v, attr)
 		}
-	}
-	if v := m["PRETTY_NAME"]; v != "" && meta.DistroVersion == "" && !strings.HasSuffix(v, "/sid") {
-		meta.DistroVersion = v
 	}
 	switch dist {
 	case distro.Synology:
-		meta.DistroVersion = m["productversion"]
+		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
 	case distro.OpenWrt:
-		meta.DistroVersion = m["DISTRIB_RELEASE"]
+		return fmt.Sprintf("OpenWrt %s%s", m["DISTRIB_RELEASE"], attr)
+	case distro.Gokrazy:
+		return fmt.Sprintf("Gokrazy%s", attr)
 	}
-	return
+	return fmt.Sprintf("Other%s", attr)
 }

 func packageTypeLinux() string {
--- a/hostinfo/hostinfo_linux_test.go
+++ b/hostinfo/hostinfo_linux_test.go
@@ -19,7 +19,7 @@ Date:   2022-05-30 16:08:45 +0800
 remotes/origin/QTSFW_5.0.0`

 	got := getQnapQtsVersion(version_info)
-	want := "5.0.0"
+	want := "QTS 5.0.0"
 	if got != want {
 		t.Errorf("got %q; want %q", got, want)
 	}
--- a/hostinfo/hostinfo_windows.go
+++ b/hostinfo/hostinfo_windows.go
@@ -11,20 +11,21 @@ import (

 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
+	"tailscale.com/syncs"
 	"tailscale.com/util/winutil"
 )

 func init() {
-	osVersion = lazyOSVersion.Get
-	packageType = lazyPackageType.Get
+	osVersion = osVersionWindows
+	packageType = packageTypeWindows
 }

-var (
-	lazyOSVersion   = &lazyAtomicValue[string]{f: ptrTo(osVersionWindows)}
-	lazyPackageType = &lazyAtomicValue[string]{f: ptrTo(packageTypeWindows)}
-)
+var winVerCache syncs.AtomicValue[string]

 func osVersionWindows() string {
+	if s, ok := winVerCache.LoadOk(); ok {
+		return s
+	}
 	major, minor, build := windows.RtlGetNtVersionNumbers()
 	s := fmt.Sprintf("%d.%d.%d", major, minor, build)
 	// Windows 11 still uses 10 as its major number internally
@@ -33,6 +34,9 @@ func osVersionWindows() string {
 			s += fmt.Sprintf(".%d", ubr)
 		}
 	}
+	if s != "" {
+		winVerCache.Store(s)
+	}
 	return s // "10.0.19041.388", ideally
 }

--- a/ipn/ipn_clone.go
+++ b/ipn/ipn_clone.go
@@ -48,7 +48,6 @@ var _PrefsCloneNeedsRegeneration = Prefs(struct {
 	Hostname               string
 	NotepadURLs            bool
 	ForceDaemon            bool
-	Egg                    bool
 	AdvertiseRoutes        []netip.Prefix
 	NoSNAT                 bool
 	NetfilterMode          preftype.NetfilterMode
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -5,11 +5,8 @@
 package ipnlocal

 import (
-	"encoding/json"
 	"io"
 	"net/http"
-
-	"tailscale.com/tailcfg"
 )

 func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
@@ -18,21 +15,6 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		// Test handler.
 		body, _ := io.ReadAll(r.Body)
 		w.Write(body)
-	case "/ssh/usernames":
-		var req tailcfg.C2NSSHUsernamesRequest
-		if r.Method == "POST" {
-			if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-				http.Error(w, err.Error(), http.StatusBadRequest)
-				return
-			}
-		}
-		res, err := b.getSSHUsernames(&req)
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(res)
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -24,6 +24,7 @@ import (
 	"time"

 	"go4.org/netipx"
+	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
@@ -33,7 +34,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
 	"tailscale.com/net/dns"
-	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
@@ -67,6 +67,7 @@ import (
 )

 var controlDebugFlags = getControlDebugFlags()
+var canSSH = envknob.CanSSHD()

 func getControlDebugFlags() []string {
 	if e := envknob.String("TS_DEBUG_CONTROL_FLAGS"); e != "" {
@@ -163,7 +164,6 @@ type LocalBackend struct {
 	authURL          string // cleared on Notify
 	authURLSticky    string // not cleared on Notify
 	interact         bool
-	egg              bool
 	prevIfState      *interfaces.State
 	peerAPIServer    *peerAPIServer // or nil
 	peerAPIListeners []*peerAPIListener
@@ -423,6 +423,7 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 		s.Version = version.Long
 		s.BackendState = b.state.String()
 		s.AuthURL = b.authURLSticky
+
 		if err := health.OverallError(); err != nil {
 			switch e := err.(type) {
 			case multierr.Error:
@@ -573,10 +574,6 @@ func (b *LocalBackend) WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.Use
 func (b *LocalBackend) PeerCaps(src netip.Addr) []string {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	return b.peerCapsLocked(src)
-}
-
-func (b *LocalBackend) peerCapsLocked(src netip.Addr) []string {
 	if b.netMap == nil {
 		return nil
 	}
@@ -588,9 +585,9 @@ func (b *LocalBackend) peerCapsLocked(src netip.Addr) []string {
 		if !a.IsSingleIP() {
 			continue
 		}
-		dst := a.Addr()
-		if dst.BitLen() == src.BitLen() { // match on family
-			return filt.AppendCaps(nil, src, dst)
+		dstIP := a.Addr()
+		if dstIP.BitLen() == src.BitLen() {
+			return filt.AppendCaps(nil, src, a.Addr())
 		}
 	}
 	return nil
@@ -734,9 +731,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		b.e.SetNetworkMap(st.NetMap)
 		b.e.SetDERPMap(st.NetMap.DERPMap)

-		// Update our cached DERP map
-		dnsfallback.UpdateCache(st.NetMap.DERPMap)
-
 		b.send(ipn.Notify{NetMap: st.NetMap})
 	}
 	if st.URL != "" {
@@ -1512,12 +1506,12 @@ func (b *LocalBackend) tellClientToBrowseToURL(url string) {
 }

 // For testing lazy machine key generation.
-var panicOnMachineKeyGeneration = envknob.RegisterBool("TS_DEBUG_PANIC_MACHINE_KEY")
+var panicOnMachineKeyGeneration = envknob.Bool("TS_DEBUG_PANIC_MACHINE_KEY")

 func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePrivate, error) {
 	var cache syncs.AtomicValue[key.MachinePrivate]
 	return func() (key.MachinePrivate, error) {
-		if panicOnMachineKeyGeneration() {
+		if panicOnMachineKeyGeneration {
 			panic("machine key generated")
 		}
 		if v, ok := cache.LoadOk(); ok {
@@ -1754,7 +1748,7 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 // setAtomicValuesFromPrefs populates sshAtomicBool and containsViaIPFuncAtomic
 // from the prefs p, which may be nil.
 func (b *LocalBackend) setAtomicValuesFromPrefs(p *ipn.Prefs) {
-	b.sshAtomicBool.Store(p != nil && p.RunSSH && envknob.CanSSHD())
+	b.sshAtomicBool.Store(p != nil && p.RunSSH && canSSH)

 	if p == nil {
 		b.containsViaIPFuncAtomic.Store(tsaddr.NewContainsIPFunc(nil))
@@ -1969,7 +1963,7 @@ func (b *LocalBackend) checkSSHPrefsLocked(p *ipn.Prefs) error {
 	default:
 		return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
 	}
-	if !envknob.CanSSHD() {
+	if !canSSH {
 		return errors.New("The Tailscale SSH server has been administratively disabled.")
 	}
 	if envknob.SSHIgnoreTailnetPolicy() || envknob.SSHPolicyFile() != "" {
@@ -2021,11 +2015,6 @@ func (b *LocalBackend) isDefaultServerLocked() bool {

 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
 	b.mu.Lock()
-	if mp.EggSet {
-		mp.EggSet = false
-		b.egg = true
-		go b.doSetHostinfoFilterServices(b.hostinfo.Clone())
-	}
 	p0 := b.prefs.Clone()
 	p1 := b.prefs.Clone()
 	p1.ApplyEdits(mp)
@@ -2034,7 +2023,7 @@ func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
 		b.logf("EditPrefs check error: %v", err)
 		return nil, err
 	}
-	if p1.RunSSH && !envknob.CanSSHD() {
+	if p1.RunSSH && !canSSH {
 		b.mu.Unlock()
 		b.logf("EditPrefs requests SSH, but disabled by envknob; returning error")
 		return nil, errors.New("Tailscale SSH server administratively disabled.")
@@ -2222,9 +2211,6 @@ func (b *LocalBackend) doSetHostinfoFilterServices(hi *tailcfg.Hostinfo) {
 		return
 	}
 	peerAPIServices := b.peerAPIServicesLocked()
-	if b.egg {
-		peerAPIServices = append(peerAPIServices, tailcfg.Service{Proto: "egg"})
-	}
 	b.mu.Unlock()

 	// Make a shallow copy of hostinfo so we can mutate
@@ -2856,7 +2842,7 @@ func (b *LocalBackend) applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Pre
 	hi.ShieldsUp = prefs.ShieldsUp

 	var sshHostKeys []string
-	if prefs.RunSSH && envknob.CanSSHD() {
+	if prefs.RunSSH && canSSH {
 		// TODO(bradfitz): this is called with b.mu held. Not ideal.
 		// If the filesystem gets wedged or something we could block for
 		// a long time. But probably fine.
@@ -3075,7 +3061,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 	b.setAtomicValuesFromPrefs(nil)
 }

-func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
+func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && canSSH }

 // ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
@@ -3307,15 +3293,13 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		return nil, errors.New("file sharing not enabled by Tailscale admin")
 	}
 	for _, p := range nm.Peers {
-		if len(p.Addresses) == 0 {
-			continue
-		}
-		if p.User != nm.User && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharing) {
+		if p.User != nm.User && !slices.Contains(p.Capabilities, tailcfg.CapabilityFileSharingTarget) {
 			continue
 		}
 		peerAPI := peerAPIBase(b.netMap, p)
 		if peerAPI == "" {
 			continue
+
 		}
 		ret = append(ret, &apitype.FileTarget{
 			Node:       p,
@@ -3326,15 +3310,6 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }

-func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap string) bool {
-	for _, hasCap := range b.peerCapsLocked(addr) {
-		if hasCap == wantCap {
-			return true
-		}
-	}
-	return false
-}
-
 // SetDNS adds a DNS record for the given domain name & TXT record
 // value.
 //
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -478,8 +478,8 @@ func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {

 // Issue 1573: don't generate a machine key if we don't want to be running.
 func TestLazyMachineKeyGeneration(t *testing.T) {
-	defer func(old func() bool) { panicOnMachineKeyGeneration = old }(panicOnMachineKeyGeneration)
-	panicOnMachineKeyGeneration = func() bool { return true }
+	defer func(old bool) { panicOnMachineKeyGeneration = old }(panicOnMachineKeyGeneration)
+	panicOnMachineKeyGeneration = true

 	var logf logger.Logf = logger.Discard
 	store := new(mem.Store)
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -24,7 +24,7 @@ import (
 	"tailscale.com/types/tkatype"
 )

-var networkLockAvailable = envknob.RegisterBool("TS_EXPERIMENTAL_NETWORK_LOCK")
+var networkLockAvailable = envknob.Bool("TS_EXPERIMENTAL_NETWORK_LOCK")

 type tkaState struct {
 	authority *tka.Authority
@@ -82,7 +82,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	if b.tka != nil {
 		return errors.New("network-lock is already initialized")
 	}
-	if !networkLockAvailable() {
+	if !networkLockAvailable {
 		return errors.New("this is an experimental feature in your version of tailscale - Please upgrade to the latest to use this.")
 	}
 	if !b.CanSupportNetworkLock() {
@@ -147,7 +147,7 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 		SigKind:        tka.SigDirect,
 		KeyID:          signer.KeyID(),
 		Pubkey:         p,
-		WrappingPubkey: nodeInfo.RotationPubkey,
+		RotationPubkey: nodeInfo.RotationPubkey,
 	}
 	sig.Signature, err = signer.SignNKS(sig.SigHash())
 	if err != nil {
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -44,7 +44,6 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/strs"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 )
@@ -721,8 +720,8 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	rawPath := r.URL.EscapedPath()
-	suffix, ok := strs.CutPrefix(rawPath, "/v0/put/")
-	if !ok {
+	suffix := strings.TrimPrefix(rawPath, "/v0/put/")
+	if suffix == rawPath {
 		http.Error(w, "misconfigured internals", 500)
 		return
 	}
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"math/rand"
 	"net/http"
 	"net/http/httptest"
@@ -86,7 +87,7 @@ func fileHasContents(name string, want string) check {
 			return
 		}
 		path := filepath.Join(root, name)
-		got, err := os.ReadFile(path)
+		got, err := ioutil.ReadFile(path)
 		if err != nil {
 			t.Errorf("fileHasContents: %v", err)
 			return
@@ -516,7 +517,7 @@ func TestDeletedMarkers(t *testing.T) {
 	}
 	wantEmptyTempDir := func() {
 		t.Helper()
-		if fis, err := os.ReadDir(dir); err != nil {
+		if fis, err := ioutil.ReadDir(dir); err != nil {
 			t.Fatal(err)
 		} else if len(fis) > 0 && runtime.GOOS != "windows" {
 			for _, fi := range fis {
--- a/ipn/ipnlocal/ssh.go
+++ b/ipn/ipnlocal/ssh.go
@@ -18,97 +18,24 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"sync"

 	"github.com/tailscale/golang-x-crypto/ssh"
-	"go4.org/mem"
-	"golang.org/x/exp/slices"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/lineread"
+	"tailscale.com/envknob"
 	"tailscale.com/util/mak"
 )

+var useHostKeys = envknob.Bool("TS_USE_SYSTEM_SSH_HOST_KEYS")
+
 // keyTypes are the SSH key types that we either try to read from the
 // system's OpenSSH keys or try to generate for ourselves when not
 // running as root.
 var keyTypes = []string{"rsa", "ecdsa", "ed25519"}

-func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
-	res := new(tailcfg.C2NSSHUsernamesResponse)
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.sshServer == nil {
-		return res, nil
-	}
-	max := 10
-	if req != nil && req.Max != 0 {
-		max = req.Max
-	}
-
-	add := func(u string) {
-		if req != nil && req.Exclude[u] {
-			return
-		}
-		switch u {
-		case "nobody", "daemon", "sync":
-			return
-		}
-		if slices.Contains(res.Usernames, u) {
-			return
-		}
-		if len(res.Usernames) > max {
-			// Enough for a hint.
-			return
-		}
-		res.Usernames = append(res.Usernames, u)
-	}
-
-	if b.prefs != nil && b.prefs.OperatorUser != "" {
-		add(b.prefs.OperatorUser)
-	}
-
-	// Check popular usernames and see if they exist with a real shell.
-	switch runtime.GOOS {
-	case "darwin":
-		out, err := exec.Command("dscl", ".", "list", "/Users").Output()
-		if err != nil {
-			return nil, err
-		}
-		lineread.Reader(bytes.NewReader(out), func(line []byte) error {
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 || line[0] == '_' {
-				return nil
-			}
-			add(string(line))
-			return nil
-		})
-	default:
-		lineread.File("/etc/passwd", func(line []byte) error {
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 || line[0] == '#' || line[0] == '_' {
-				return nil
-			}
-			if mem.HasSuffix(mem.B(line), mem.S("/nologin")) ||
-				mem.HasSuffix(mem.B(line), mem.S("/false")) {
-				return nil
-			}
-			colon := bytes.IndexByte(line, ':')
-			if colon != -1 {
-				add(string(line[:colon]))
-			}
-			return nil
-		})
-	}
-	return res, nil
-}
-
 func (b *LocalBackend) GetSSH_HostKeys() (keys []ssh.Signer, err error) {
 	var existing map[string]ssh.Signer
 	if os.Geteuid() == 0 {
@@ -156,7 +83,7 @@ func (b *LocalBackend) hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
 	defer keyGenMu.Unlock()

 	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
-	v, err := os.ReadFile(path)
+	v, err := ioutil.ReadFile(path)
 	if err == nil {
 		return v, nil
 	}
@@ -197,7 +124,7 @@ func (b *LocalBackend) hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
 func (b *LocalBackend) getSystemSSH_HostKeys() (ret map[string]ssh.Signer) {
 	for _, typ := range keyTypes {
 		filename := "/etc/ssh/ssh_host_" + typ + "_key"
-		hostKey, err := os.ReadFile(filename)
+		hostKey, err := ioutil.ReadFile(filename)
 		if err != nil || len(bytes.TrimSpace(hostKey)) == 0 {
 			continue
 		}
--- a/ipn/ipnlocal/ssh_stub.go
+++ b/ipn/ipnlocal/ssh_stub.go
@@ -6,16 +6,6 @@

 package ipnlocal

-import (
-	"errors"
-
-	"tailscale.com/tailcfg"
-)
-
 func (b *LocalBackend) getSSHHostKeyPublicStrings() []string {
 	return nil
 }
-
-func (b *LocalBackend) getSSHUsernames(*tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
-	return nil, errors.New("not implemented")
-}
--- a/ipn/ipnlocal/ssh_test.go
+++ b/ipn/ipnlocal/ssh_test.go
@@ -2,18 +2,14 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || (darwin && !ios)
-// +build linux darwin,!ios
+//go:build linux
+// +build linux

 package ipnlocal

 import (
-	"encoding/json"
 	"reflect"
 	"testing"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/must"
 )

 func TestSSHKeyGen(t *testing.T) {
@@ -44,17 +40,3 @@ func TestSSHKeyGen(t *testing.T) {
 		t.Errorf("got different keys on second call")
 	}
 }
-
-type fakeSSHServer struct {
-	SSHServer
-}
-
-func TestGetSSHUsernames(t *testing.T) {
-	b := new(LocalBackend)
-	b.sshServer = fakeSSHServer{}
-	res, err := b.getSSHUsernames(new(tailcfg.C2NSSHUsernamesRequest))
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("Got: %s", must.Get(json.Marshal(res)))
-}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -12,6 +12,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -36,7 +37,6 @@ import (
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
 	"tailscale.com/logtail/backoff"
-	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netstat"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsdial"
@@ -214,7 +214,7 @@ func (s *Server) blockWhileInUse(conn io.Reader, ci connIdentity) {
 	s.logf("blocking client while server in use; connIdentity=%v", ci)
 	connDone := make(chan struct{})
 	go func() {
-		io.Copy(io.Discard, conn)
+		io.Copy(ioutil.Discard, conn)
 		close(connDone)
 	}()
 	ch := make(chan struct{}, 1)
@@ -786,8 +786,6 @@ func New(logf logger.Logf, logid string, store ipn.StateStore, eng wgengine.Engi
 			b.SetTailnetKeyAuthority(authority, storage)
 			logf("tka initialized at head %x", authority.Head())
 		}
-
-		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"))
 	} else {
 		logf("network-lock unavailable; no state directory")
 	}
@@ -932,6 +930,14 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		startTime := time.Now()
 		log.Printf("exec: %#v %v", executable, args)
 		cmd := exec.Command(executable, args...)
+		if runtime.GOOS == "windows" {
+			extraEnv, err := loadExtraEnv()
+			if err != nil {
+				logf("errors loading extra env file; ignoring: %v", err)
+			} else {
+				cmd.Env = append(os.Environ(), extraEnv...)
+			}
+		}

 		// Create a pipe object to use as the subproc's stdin.
 		// When the writer goes away, the reader gets EOF.
@@ -1166,7 +1172,7 @@ func findTrueNASTaildropDir(name string) (dir string, err error) {
 	}

 	// but if running on the host, it may be something like /mnt/Primary/Taildrop
-	fis, err := os.ReadDir("/mnt")
+	fis, err := ioutil.ReadDir("/mnt")
 	if err != nil {
 		return "", fmt.Errorf("error reading /mnt: %w", err)
 	}
@@ -1200,3 +1206,38 @@ func findQnapTaildropDir(name string) (string, error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
+
+func loadExtraEnv() (env []string, err error) {
+	if runtime.GOOS != "windows" {
+		return nil, nil
+	}
+	name := filepath.Join(os.Getenv("ProgramData"), "Tailscale", "tailscaled-env.txt")
+	contents, err := os.ReadFile(name)
+	if os.IsNotExist(err) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	for _, line := range strings.Split(string(contents), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || line[0] == '#' {
+			continue
+		}
+		k, v, ok := strings.Cut(line, "=")
+		if !ok || k == "" {
+			continue
+		}
+		if strings.HasPrefix(v, `"`) {
+			var err error
+			v, err = strconv.Unquote(v)
+			if err != nil {
+				return nil, fmt.Errorf("invalid value in line %q: %v", line, err)
+			}
+			env = append(env, k+"="+v)
+		} else {
+			env = append(env, line)
+		}
+	}
+	return env, nil
+}
--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -37,7 +38,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/strs"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -73,7 +73,7 @@ func (h *Handler) certDir() (string, error) {
 	return full, nil
 }

-var acmeDebug = envknob.RegisterBool("TS_DEBUG_ACME")
+var acmeDebug = envknob.Bool("TS_DEBUG_ACME")

 func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite && !h.PermitCert {
@@ -87,19 +87,16 @@ func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	domain, ok := strs.CutPrefix(r.URL.Path, "/localapi/v0/cert/")
-	if !ok {
+	domain := strings.TrimPrefix(r.URL.Path, "/localapi/v0/cert/")
+	if domain == r.URL.Path {
 		http.Error(w, "internal handler config wired wrong", 500)
 		return
 	}
-	if !validLookingCertDomain(domain) {
-		http.Error(w, "invalid domain", 400)
-		return
-	}
+
 	now := time.Now()
 	logf := logger.WithPrefix(h.logf, fmt.Sprintf("cert(%q): ", domain))
 	traceACME := func(v any) {
-		if !acmeDebug() {
+		if !acmeDebug {
 			return
 		}
 		j, _ := json.MarshalIndent(v, "", "\t")
@@ -168,11 +165,6 @@ func certFile(dir, domain string) string { return filepath.Join(dir, domain+".cr
 // keypair for domain exists on disk in dir that is valid at the
 // provided now time.
 func (h *Handler) getCertPEMCached(dir, domain string, now time.Time) (p *keyPair, ok bool) {
-	if !validLookingCertDomain(domain) {
-		// Before we read files from disk using it, validate it's halfway
-		// reasonable looking.
-		return nil, false
-	}
 	if keyPEM, err := os.ReadFile(keyFile(dir, domain)); err == nil {
 		certPEM, _ := os.ReadFile(certFile(dir, domain))
 		if validCertPEM(domain, keyPEM, certPEM, now) {
@@ -301,7 +293,7 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 	if err := encodeECDSAKey(&privPEM, certPrivKey); err != nil {
 		return nil, err
 	}
-	if err := os.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
+	if err := ioutil.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
 		return nil, err
 	}

@@ -324,7 +316,7 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 			return nil, err
 		}
 	}
-	if err := os.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
+	if err := ioutil.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
 		return nil, err
 	}

@@ -380,7 +372,7 @@ func parsePrivateKey(der []byte) (crypto.Signer, error) {

 func acmeKey(dir string) (crypto.Signer, error) {
 	pemName := filepath.Join(dir, "acme-account.key.pem")
-	if v, err := os.ReadFile(pemName); err == nil {
+	if v, err := ioutil.ReadFile(pemName); err == nil {
 		priv, _ := pem.Decode(v)
 		if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
 			return nil, errors.New("acme/autocert: invalid account key found in cache")
@@ -396,7 +388,7 @@ func acmeKey(dir string) (crypto.Signer, error) {
 	if err := encodeECDSAKey(&pemBuf, privKey); err != nil {
 		return nil, err
 	}
-	if err := os.WriteFile(pemName, pemBuf.Bytes(), 0600); err != nil {
+	if err := ioutil.WriteFile(pemName, pemBuf.Bytes(), 0600); err != nil {
 		return nil, err
 	}
 	return privKey, nil
@@ -434,21 +426,6 @@ func validCertPEM(domain string, keyPEM, certPEM []byte, now time.Time) bool {
 	return err == nil
 }

-// validLookingCertDomain reports whether name looks like a valid domain name that
-// we might be able to get a cert for.
-//
-// It's a light check primarily for double checking before it's used
-// as part of a filesystem path. The actual validation happens in checkCertDomain.
-func validLookingCertDomain(name string) bool {
-	if name == "" ||
-		strings.Contains(name, "..") ||
-		strings.ContainsAny(name, ":/\\\x00") ||
-		!strings.Contains(name, ".") {
-		return false
-	}
-	return true
-}
-
 func checkCertDomain(st *ipnstate.Status, domain string) error {
 	if domain == "" {
 		return errors.New("missing domain name")
--- a/ipn/localapi/cert_test.go
+++ b/ipn/localapi/cert_test.go
@@ -1,30 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !ios && !android && !js
-// +build !ios,!android,!js
-
-package localapi
-
-import "testing"
-
-func TestValidLookingCertDomain(t *testing.T) {
-	tests := []struct {
-		in   string
-		want bool
-	}{
-		{"foo.com", true},
-		{"foo..com", false},
-		{"foo/com.com", false},
-		{"NUL", false},
-		{"", false},
-		{"foo\\bar.com", false},
-		{"foo\x00bar.com", false},
-	}
-	for _, tt := range tests {
-		if got := validLookingCertDomain(tt.in); got != tt.want {
-			t.Errorf("validLookingCertDomain(%q) = %v, want %v", tt.in, got, tt.want)
-		}
-	}
-}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -18,6 +18,7 @@ import (
 	"net/http/httputil"
 	"net/netip"
 	"net/url"
+	"reflect"
 	"runtime"
 	"strconv"
 	"strings"
@@ -25,7 +26,6 @@ import (
 	"time"

 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
@@ -34,7 +34,6 @@ import (
 	"tailscale.com/tka"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )

@@ -214,9 +213,6 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	}

 	logMarker := fmt.Sprintf("BUG-%v-%v-%v", h.backendLogID, time.Now().UTC().Format("20060102150405Z"), randHex(8))
-	if envknob.NoLogsNoSupport() {
-		logMarker = "BUG-NO-LOGS-NO-SUPPORT-this-node-has-had-its-logging-disabled"
-	}
 	h.logf("user bugreport: %s", logMarker)
 	if note := r.FormValue("note"); len(note) > 0 {
 		h.logf("user bugreport note: %s", note)
@@ -531,7 +527,7 @@ func (h *Handler) serveFileTargets(w http.ResponseWriter, r *http.Request) {
 		writeErrorJSON(w, err)
 		return
 	}
-	mak.NonNilSliceForJSON(&fts)
+	makeNonNil(&fts)
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(fts)
 }
@@ -862,3 +858,30 @@ func defBool(a string, def bool) bool {
 	}
 	return v
 }
+
+// makeNonNil takes a pointer to a Go data structure
+// (currently only a slice or a map) and makes sure it's non-nil for
+// JSON serialization. (In particular, JavaScript clients usually want
+// the field to be defined after they decode the JSON.)
+func makeNonNil(ptr any) {
+	if ptr == nil {
+		panic("nil interface")
+	}
+	rv := reflect.ValueOf(ptr)
+	if rv.Kind() != reflect.Ptr {
+		panic(fmt.Sprintf("kind %v, not Ptr", rv.Kind()))
+	}
+	if rv.Pointer() == 0 {
+		panic("nil pointer")
+	}
+	rv = rv.Elem()
+	if rv.Pointer() != 0 {
+		return
+	}
+	switch rv.Type().Kind() {
+	case reflect.Slice:
+		rv.Set(reflect.MakeSlice(rv.Type(), 0, 0))
+	case reflect.Map:
+		rv.Set(reflect.MakeMap(rv.Type()))
+	}
+}
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net/netip"
 	"os"
@@ -162,9 +163,6 @@ type Prefs struct {
 	// for Linux/etc, which always operate in daemon mode.
 	ForceDaemon bool `json:"ForceDaemon,omitempty"`

-	// Egg is a optional debug flag.
-	Egg bool
-
 	// The following block of options only have an effect on Linux.

 	// AdvertiseRoutes specifies CIDR prefixes to advertise into the
@@ -219,7 +217,6 @@ type MaskedPrefs struct {
 	HostnameSet               bool `json:",omitempty"`
 	NotepadURLsSet            bool `json:",omitempty"`
 	ForceDaemonSet            bool `json:",omitempty"`
-	EggSet                    bool `json:",omitempty"`
 	AdvertiseRoutesSet        bool `json:",omitempty"`
 	NoSNATSet                 bool `json:",omitempty"`
 	NetfilterModeSet          bool `json:",omitempty"`
@@ -617,7 +614,7 @@ func PrefsFromBytes(b []byte) (*Prefs, error) {
 // LoadPrefs loads a legacy relaynode config file into Prefs
 // with sensible migration defaults set.
 func LoadPrefs(filename string) (*Prefs, error) {
-	data, err := os.ReadFile(filename)
+	data, err := ioutil.ReadFile(filename)
 	if err != nil {
 		return nil, fmt.Errorf("LoadPrefs open: %w", err) // err includes path
 	}
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"net/netip"
 	"os"
 	"reflect"
@@ -51,7 +52,6 @@ func TestPrefsEqual(t *testing.T) {
 		"Hostname",
 		"NotepadURLs",
 		"ForceDaemon",
-		"Egg",
 		"AdvertiseRoutes",
 		"NoSNAT",
 		"NetfilterMode",
@@ -473,7 +473,7 @@ func TestLoadPrefsNotExist(t *testing.T) {
 // TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
 // See issue #954 for details.
 func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
-	f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")
+	f, err := ioutil.TempFile("", "TestLoadPrefsFileWithZeroInIt")
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ipn/store/stores.go
+++ b/ipn/store/stores.go
@@ -9,6 +9,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -127,7 +128,7 @@ func NewFileStore(logf logger.Logf, path string) (ipn.StateStore, error) {
 		return nil, fmt.Errorf("creating state directory: %w", err)
 	}

-	bs, err := os.ReadFile(path)
+	bs, err := ioutil.ReadFile(path)

 	// Treat an empty file as a missing file.
 	// (https://github.com/tailscale/tailscale/issues/895#issuecomment-723255589)
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -59,10 +59,10 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
- - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/846276b3dbc5/LICENSE))
+ - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=c31a7b1ab478))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/850e42eb4444/LICENSE))
 - [inet.af/netaddr](https://pkg.go.dev/inet.af/netaddr) ([BSD-3-Clause](https://github.com/inetaf/netaddr/blob/097006376321/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -17,7 +17,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.0.1/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/1ca156eafb9f/LICENSE))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/7d93572ebe8e/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
 - [github.com/klauspost/compress/flate](https://pkg.go.dev/github.com/klauspost/compress/flate) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
@@ -42,10 +42,10 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
- - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/846276b3dbc5/LICENSE))
+ - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=c31a7b1ab478))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/850e42eb4444/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))

--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -75,12 +75,12 @@ Some packages may only be included on certain architectures or operating systems
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
- - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
- - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/846276b3dbc5/LICENSE))
+ - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=c31a7b1ab478))
+ - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.4.10))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/850e42eb4444/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [inet.af/wf](https://pkg.go.dev/inet.af/wf) ([BSD-3-Clause](https://github.com/inetaf/wf/blob/50d96caab2f6/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -36,7 +36,7 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
- - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
+ - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.4.10))
 - [gopkg.in/Knetic/govaluate.v3](https://pkg.go.dev/gopkg.in/Knetic/govaluate.v3) ([MIT](https://github.com/Knetic/govaluate/blob/v3.0.0/LICENSE))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))

--- a/log/filelogger/log.go
+++ b/log/filelogger/log.go
@@ -9,6 +9,7 @@ package filelogger
 import (
 	"bytes"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
@@ -185,18 +186,12 @@ func (w *logFileWriter) startNewFileLocked() {
 //
 // w.mu must be held.
 func (w *logFileWriter) cleanLocked() {
-	entries, _ := os.ReadDir(w.dir)
+	fis, _ := ioutil.ReadDir(w.dir)
 	prefix := w.fileBasePrefix + "-"
 	fileSize := map[string]int64{}
 	var files []string
 	var sumSize int64
-	for _, entry := range entries {
-		fi, err := entry.Info()
-		if err != nil {
-			w.wrappedLogf("error getting log file info: %v", err)
-			continue
-		}
-
+	for _, fi := range fis {
 		baseName := filepath.Base(fi.Name())
 		if !strings.HasPrefix(baseName, prefix) {
 			continue
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -16,6 +16,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -247,7 +248,7 @@ func logsDir(logf logger.Logf) string {
 	// No idea where to put stuff. Try to create a temp dir. It'll
 	// mean we might lose some logs and rotate through log IDs, but
 	// it's something.
-	tmp, err := os.MkdirTemp("", "tailscaled-log-*")
+	tmp, err := ioutil.TempDir("", "tailscaled-log-*")
 	if err != nil {
 		panic("no safe place found to store log state")
 	}
@@ -258,7 +259,7 @@ func logsDir(logf logger.Logf) string {
 // runningUnderSystemd reports whether we're running under systemd.
 func runningUnderSystemd() bool {
 	if runtime.GOOS == "linux" && os.Getppid() == 1 {
-		slurp, _ := os.ReadFile("/proc/1/stat")
+		slurp, _ := ioutil.ReadFile("/proc/1/stat")
 		return bytes.HasPrefix(slurp, []byte("1 (systemd) "))
 	}
 	return false
@@ -437,13 +438,6 @@ func tryFixLogStateLocation(dir, cmdname string) {
 // New returns a new log policy (a logger and its instance ID) for a
 // given collection name.
 func New(collection string) *Policy {
-	return NewWithConfigPath(collection, "", "")
-}
-
-// NewWithConfigPath is identical to New,
-// but uses the specified directory and command name.
-// If either is empty, it derives them automatically.
-func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 	var lflags int
 	if term.IsTerminal(2) || runtime.GOOS == "windows" {
 		lflags = 0
@@ -466,12 +460,9 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 		earlyErrBuf.WriteByte('\n')
 	}

-	if dir == "" {
-		dir = logsDir(earlyLogf)
-	}
-	if cmdName == "" {
-		cmdName = version.CmdName()
-	}
+	dir := logsDir(earlyLogf)
+
+	cmdName := version.CmdName()
 	tryFixLogStateLocation(dir, cmdName)

 	cfgPath := filepath.Join(dir, fmt.Sprintf("%s.log.conf", cmdName))
@@ -548,10 +539,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 		conf.IncludeProcSequence = true
 	}

-	if envknob.NoLogsNoSupport() {
-		log.Println("You have disabled logging. Tailscale will not be able to provide support.")
-		conf.HTTPC = &http.Client{Transport: noopPretendSuccessTransport{}}
-	} else if val := getLogTarget(); val != "" {
+	if val := getLogTarget(); val != "" {
 		log.Println("You have enabled a non-default log target. Doing without being told to by Tailscale staff or your network administrator will make getting support difficult.")
 		conf.BaseURL = val
 		u, _ := url.Parse(val)
@@ -747,14 +735,3 @@ func goVersion() string {
 	}
 	return v
 }
-
-type noopPretendSuccessTransport struct{}
-
-func (noopPretendSuccessTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	io.ReadAll(req.Body)
-	req.Body.Close()
-	return &http.Response{
-		StatusCode: 200,
-		Status:     "200 OK",
-	}, nil
-}
--- a/logtail/example/logadopt/logadopt.go
+++ b/logtail/example/logadopt/logadopt.go
@@ -6,7 +6,7 @@ package main

 import (
 	"flag"
-	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/url"
@@ -39,7 +39,7 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	b, err := io.ReadAll(resp.Body)
+	b, err := ioutil.ReadAll(resp.Body)
 	resp.Body.Close()
 	if err != nil {
 		log.Fatalf("logadopt: response read failed %d: %v", resp.StatusCode, err)
--- a/logtail/example/logreprocess/logreprocess.go
+++ b/logtail/example/logreprocess/logreprocess.go
@@ -9,7 +9,7 @@ import (
 	"bufio"
 	"encoding/json"
 	"flag"
-	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -50,7 +50,7 @@ func main() {
 	defer resp.Body.Close()

 	if resp.StatusCode != 200 {
-		b, err := io.ReadAll(resp.Body)
+		b, err := ioutil.ReadAll(resp.Body)
 		if err != nil {
 			log.Fatalf("logreprocess: read error %d: %v", resp.StatusCode, err)
 		}
--- a/logtail/filch/filch_test.go
+++ b/logtail/filch/filch_test.go
@@ -6,7 +6,7 @@ package filch

 import (
 	"fmt"
-	"io"
+	"io/ioutil"
 	"os"
 	"runtime"
 	"strings"
@@ -195,7 +195,7 @@ func TestFilchStderr(t *testing.T) {
 	f.close(t)

 	pipeW.Close()
-	b, err := io.ReadAll(pipeR)
+	b, err := ioutil.ReadAll(pipeR)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -13,6 +13,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"os"
 	"strconv"
@@ -429,7 +430,7 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded

 	if resp.StatusCode != 200 {
 		uploaded = resp.StatusCode == 400 // the server saved the logs anyway
-		b, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+		b, _ := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
 		return uploaded, fmt.Errorf("log upload of %d bytes %s failed %d: %q", len(body), compressedNote, resp.StatusCode, b)
 	}

@@ -653,7 +654,7 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		return 0, nil
 	}
 	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != io.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
+	if l.stderr != nil && l.stderr != ioutil.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
--- a/logtail/logtail_test.go
+++ b/logtail/logtail_test.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"encoding/json"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -51,7 +52,7 @@ func NewLogtailTestHarness(t *testing.T) (*LogtailTestServer, *Logger) {

 	ts.srv = httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
-			body, err := io.ReadAll(r.Body)
+			body, err := ioutil.ReadAll(r.Body)
 			if err != nil {
 				t.Error("failed to read HTTP request")
 			}
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -10,7 +10,6 @@ import (
 	"net/netip"
 	"sort"

-	"tailscale.com/net/dns/publicdns"
 	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/dnstype"
@@ -79,14 +78,13 @@ func (c Config) hasRoutes() bool {
 }

 // hasDefaultIPResolversOnly reports whether the only resolvers in c are
-// DefaultResolvers, and that those resolvers are simple IP addresses
-// that speak regular port 53 DNS.
+// DefaultResolvers, and that those resolvers are simple IP addresses.
 func (c Config) hasDefaultIPResolversOnly() bool {
 	if !c.hasDefaultResolvers() || c.hasRoutes() {
 		return false
 	}
 	for _, r := range c.DefaultResolvers {
-		if ipp, ok := r.IPPort(); !ok || ipp.Port() != 53 || publicdns.IPIsDoHOnlyServer(ipp.Addr()) {
+		if ipp, ok := r.IPPort(); !ok || ipp.Port() != 53 {
 			return false
 		}
 	}
--- a/net/dns/debian_resolvconf.go
+++ b/net/dns/debian_resolvconf.go
@@ -12,6 +12,7 @@ import (
 	"bytes"
 	_ "embed"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -157,7 +158,7 @@ func (m *resolvconfManager) GetBaseConfig() (OSConfig, error) {
 		if sc.Text() == resolvconfConfigName {
 			continue
 		}
-		bs, err := os.ReadFile(filepath.Join(m.interfacesDir, sc.Text()))
+		bs, err := ioutil.ReadFile(filepath.Join(m.interfacesDir, sc.Text()))
 		if err != nil {
 			if os.IsNotExist(err) {
 				// Probably raced with a deletion, that's okay.
--- a/net/dns/direct.go
+++ b/net/dns/direct.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"net/netip"
 	"os"
 	"os/exec"
@@ -451,7 +452,7 @@ func (fs directFS) Rename(oldName, newName string) error {
 func (fs directFS) Remove(name string) error { return os.Remove(fs.path(name)) }

 func (fs directFS) ReadFile(name string) ([]byte, error) {
-	return os.ReadFile(fs.path(name))
+	return ioutil.ReadFile(fs.path(name))
 }

 func (fs directFS) Truncate(name string) error {
@@ -459,7 +460,7 @@ func (fs directFS) Truncate(name string) error {
 }

 func (fs directFS) WriteFile(name string, contents []byte, perm os.FileMode) error {
-	return os.WriteFile(fs.path(name), contents, perm)
+	return ioutil.WriteFile(fs.path(name), contents, perm)
 }

 // runningAsGUIDesktopUser reports whether it seems that this code is
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -194,7 +194,6 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 			routes[suffix] = resolvers
 		}
 	}
-
 	// Similarly, the OS always gets search paths.
 	ocfg.SearchDomains = cfg.SearchDomains
 	if runtime.GOOS == "windows" {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .31.0
 .30.0