NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commitfbf329f

authored

fix(tailnet): set TCP keepalive idle to 72 hours for SSH conns (#7196)

1 parent57c4de4 commitfbf329fCopy full SHA for fbf329f

File tree

4 files changed

+41

-36

lines changed

4 files changed

+41

-36

lines changed

`‎codersdk/workspaceagentconn.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,9 +30,9 @@ import (`
`30`	`30`	`varWorkspaceAgentIP=netip.MustParseAddr("fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4")`
`31`	`31`
`32`	`32`	`const (`
`33`		`-WorkspaceAgentSSHPort=1`
`34`		`-WorkspaceAgentReconnectingPTYPort=2`
`35`		`-WorkspaceAgentSpeedtestPort=3`
	`33`	`+WorkspaceAgentSSHPort=tailnet.WorkspaceAgentSSHPort`
	`34`	`+WorkspaceAgentReconnectingPTYPort=tailnet.WorkspaceAgentReconnectingPTYPort`
	`35`	`+WorkspaceAgentSpeedtestPort=tailnet.WorkspaceAgentSpeedtestPort`
`36`	`36`	`// WorkspaceAgentHTTPAPIServerPort serves a HTTP server with endpoints for e.g.`
`37`	`37`	`// gathering agent statistics.`
`38`	`38`	`WorkspaceAgentHTTPAPIServerPort=4`

`‎go.mod‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ replace github.com/dlclark/regexp2 => github.com/dlclark/regexp2 v1.7.0`
`36`	`36`
`37`	`37`	`// There are a few minor changes we make to Tailscale that we're slowly upstreaming. Compare here:`
`38`	`38`	`// https://github.com/tailscale/tailscale/compare/main...coder:tailscale:main`
`39`		`-replacetailscale.com =>github.com/coder/tailscalev1.1.1-0.20230411160749-27a458a0ac0a`
	`39`	`+replacetailscale.com =>github.com/coder/tailscalev1.1.1-0.20230418202606-ed9307cf1b22`
`40`	`40`
`41`	`41`	`// Switch to our fork that imports fixes from http://github.com/tailscale/ssh.`
`42`	`42`	`// See: https://github.com/coder/coder/issues/3371`

`‎go.sum‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -380,8 +380,8 @@ github.com/coder/retry v1.3.1-0.20230210155434-e90a2e1e091d h1:09JG37IgTB6n3ouX9`
`380`	`380`	`github.com/coder/retryv1.3.1-0.20230210155434-e90a2e1e091d/go.mod h1:r+1J5i/989wt6CUeNSuvFKKA9hHuKKPMxdzDbTuvwwk=`
`381`	`381`	`github.com/coder/sshv0.0.0-20220811105153-fcea99919338 h1:tN5GKFT68YLVzJoA8AHuiMNJ0qlhoD3pGN3JY9gxSko=`
`382`	`382`	`github.com/coder/sshv0.0.0-20220811105153-fcea99919338/go.mod h1:ZSS+CUoKHDrqVakTfTWUlKSr9MtMFkC4UvtQKD7O914=`
`383`		`-github.com/coder/tailscalev1.1.1-0.20230411160749-27a458a0ac0a h1:kgfkNHT0yiDAfs5AKwxICqsFWeiHD/pR+bd0w20LXYI=`
`384`		`-github.com/coder/tailscalev1.1.1-0.20230411160749-27a458a0ac0a/go.mod h1:jpg+77g19FpXL43U1VoIqoSg1K/Vh5CVxycGldQ8KhA=`
	`383`	`+github.com/coder/tailscalev1.1.1-0.20230418202606-ed9307cf1b22 h1:bvGOqnI0ITbwOZFQ0SZ4MBw/8LLUEjxmNu57XEujrfQ=`
	`384`	`+github.com/coder/tailscalev1.1.1-0.20230418202606-ed9307cf1b22/go.mod h1:jpg+77g19FpXL43U1VoIqoSg1K/Vh5CVxycGldQ8KhA=`
`385`	`385`	`github.com/coder/terraform-provider-coderv0.6.23 h1:O2Rcj0umez4DfVdGnKZi63z1Xzxd0IQOn9VQDB8YU8g=`
`386`	`386`	`github.com/coder/terraform-provider-coderv0.6.23/go.mod h1:UIfU3bYNeSzJJvHyJ30tEKjD6Z9utloI+HUM/7n94CY=`
`387`	`387`	`github.com/coder/wgtunnelv0.1.5 h1:WP3sCj/3iJ34eKvpMQEp1oJHvm24RYh0NHbj1kfUKfs=`

`‎tailnet/conn.go‎`

Lines changed: 35 additions & 30 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ import (`
`17`	`17`	`"github.com/google/uuid"`
`18`	`18`	`"go4.org/netipx"`
`19`	`19`	`"golang.org/x/xerrors"`
	`20`	`+"gvisor.dev/gvisor/pkg/tcpip"`
`20`	`21`	`"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"`
`21`	`22`	`"tailscale.com/hostinfo"`
`22`	`23`	`"tailscale.com/ipn/ipnstate"`
`@@ -44,6 +45,12 @@ import (`
`44`	`45`	`"github.com/coder/coder/cryptorand"`
`45`	`46`	`)`
`46`	`47`
	`48`	`+const (`
	`49`	`+WorkspaceAgentSSHPort=1`
	`50`	`+WorkspaceAgentReconnectingPTYPort=2`
	`51`	`+WorkspaceAgentSpeedtestPort=3`
	`52`	`+)`
	`53`	`+`
`47`	`54`	`funcinit() {`
`48`	`55`	`// Globally disable network namespacing. All networking happens in`
`49`	`56`	`// userspace.`
`@@ -267,6 +274,7 @@ func NewConn(options Options) (conn Conn, err error) {`
`267`	`274`	`server.sendNode()`
`268`	`275`	`})`
`269`	`276`	`netStack.ForwardTCPIn=server.forwardTCP`
	`277`	`+netStack.ForwardTCPSockOpts=server.forwardTCPSockOpts`
`270`	`278`
`271`	`279`	`err=netStack.Start(nil)`
`272`	`280`	`iferr!=nil {`
`@@ -301,17 +309,16 @@ type Conn struct {`
`301`	`309`	`logger slog.Logger`
`302`	`310`	`blockEndpointsbool`
`303`	`311`
`304`		`-dialer*tsdial.Dialer`
`305`		`-tunDevice*tstun.Wrapper`
`306`		`-peerMapmap[tailcfg.NodeID]*tailcfg.Node`
`307`		`-netMap*netmap.NetworkMap`
`308`		`-netStack*netstack.Impl`
`309`		`-magicConn*magicsock.Conn`
`310`		`-wireguardMonitor*monitor.Mon`
`311`		`-wireguardRouter*router.Config`
`312`		`-wireguardEngine wgengine.Engine`
`313`		`-listenersmap[listenKey]*listener`
`314`		`-forwardTCPCallbackfunc(conn net.Conn,listenerExistsbool) net.Conn`
	`312`	`+dialer*tsdial.Dialer`
	`313`	`+tunDevice*tstun.Wrapper`
	`314`	`+peerMapmap[tailcfg.NodeID]*tailcfg.Node`
	`315`	`+netMap*netmap.NetworkMap`
	`316`	`+netStack*netstack.Impl`
	`317`	`+magicConn*magicsock.Conn`
	`318`	`+wireguardMonitor*monitor.Mon`
	`319`	`+wireguardRouter*router.Config`
	`320`	`+wireguardEngine wgengine.Engine`
	`321`	`+listenersmap[listenKey]*listener`
`315`	`322`
`316`	`323`	`lastMutex sync.Mutex`
`317`	`324`	`nodeSendingbool`
`@@ -327,17 +334,6 @@ type Conn struct {`
`327`	`334`	`trafficStats*connstats.Statistics`
`328`	`335`	`}`
`329`	`336`
`330`		`-// SetForwardTCPCallback is called every time a TCP connection is initiated inbound.`
`331`		`-// listenerExists is true if a listener is registered for the target port. If there`
`332`		`-// isn't one, traffic is forwarded to the local listening port.`
`333`		`-//`
`334`		`-// This allows wrapping a Conn to track reads and writes.`
`335`		`-func (c*Conn)SetForwardTCPCallback(callbackfunc(conn net.Conn,listenerExistsbool) net.Conn) {`
`336`		`-c.mutex.Lock()`
`337`		`-deferc.mutex.Unlock()`
`338`		`-c.forwardTCPCallback=callback`
`339`		`-}`
`340`		`-`
`341`	`337`	`func (cConn)SetNodeCallback(callbackfunc(nodeNode)) {`
`342`	`338`	`c.lastMutex.Lock()`
`343`	`339`	`c.nodeCallback=callback`
`@@ -699,12 +695,11 @@ func (c Conn) selfNode() Node {`
`699`	`695`	`// This and below is taken _mostly_ verbatim from Tailscale:`
`700`	`696`	`// https://github.com/tailscale/tailscale/blob/c88bd53b1b7b2fcf7ba302f2e53dd1ce8c32dad4/tsnet/tsnet.go#L459-L494`
`701`	`697`
`702`		`-// Listen announces only on the Tailscale network.`
`703`		`-// It will start the server if it has not been started yet.`
	`698`	`+// Listen listens for connections only on the Tailscale network.`
`704`	`699`	`func (c*Conn)Listen(network,addrstring) (net.Listener,error) {`
`705`	`700`	`host,port,err:=net.SplitHostPort(addr)`
`706`	`701`	`iferr!=nil {`
`707`		`-returnnil,xerrors.Errorf("wgnet: %w",err)`
	`702`	`+returnnil,xerrors.Errorf("tailnet: split host port for listen: %w",err)`
`708`	`703`	`}`
`709`	`704`	`lk:=listenKey{network,host,port}`
`710`	`705`	`ln:=&listener{`
`@@ -725,7 +720,7 @@ func (c *Conn) Listen(network, addr string) (net.Listener, error) {`
`725`	`720`	`}`
`726`	`721`	`if_,ok:=c.listeners[lk];ok {`
`727`	`722`	`c.mutex.Unlock()`
`728`		`-returnnil,xerrors.Errorf("wgnet: listener already open for %s, %s",network,addr)`
	`723`	`+returnnil,xerrors.Errorf("tailnet: listener already open for %s, %s",network,addr)`
`729`	`724`	`}`
`730`	`725`	`c.listeners[lk]=ln`
`731`	`726`	`c.mutex.Unlock()`
`@@ -743,14 +738,12 @@ func (c Conn) DialContextUDP(ctx context.Context, ipp netip.AddrPort) (gonet.U`
`743`	`738`	`func (c*Conn)forwardTCP(conn net.Conn,portuint16) {`
`744`	`739`	`c.mutex.Lock()`
`745`	`740`	`ln,ok:=c.listeners[listenKey{"tcp","",fmt.Sprint(port)}]`
`746`		`-ifc.forwardTCPCallback!=nil {`
`747`		`-conn=c.forwardTCPCallback(conn,ok)`
`748`		`-}`
`749`	`741`	`c.mutex.Unlock()`
`750`	`742`	`if!ok {`
`751`	`743`	`c.forwardTCPToLocal(conn,port)`
`752`	`744`	`return`
`753`	`745`	`}`
	`746`	`+`
`754`	`747`	`t:=time.NewTimer(time.Second)`
`755`	`748`	`defert.Stop()`
`756`	`749`	`select {`
`@@ -763,6 +756,18 @@ func (c *Conn) forwardTCP(conn net.Conn, port uint16) {`
`763`	`756`	`_=conn.Close()`
`764`	`757`	`}`
`765`	`758`
	`759`	`+func (*Conn)forwardTCPSockOpts(portuint16) []tcpip.SettableSocketOption {`
	`760`	`+opts:= []tcpip.SettableSocketOption{}`
	`761`	`+`
	`762`	`+// See: https://github.com/tailscale/tailscale/blob/c7cea825aea39a00aca71ea02bab7266afc03e7c/wgengine/netstack/netstack.go#L888`
	`763`	`+ifport==WorkspaceAgentSSHPort\|\|port==22 {`
	`764`	`+opt:=tcpip.KeepaliveIdleOption(72*time.Hour)`
	`765`	`+opts=append(opts,&opt)`
	`766`	`+}`
	`767`	`+`
	`768`	`+returnopts`
	`769`	`+}`
	`770`	`+`
`766`	`771`	`func (c*Conn)forwardTCPToLocal(conn net.Conn,portuint16) {`
`767`	`772`	`deferconn.Close()`
`768`	`773`	`dialAddrStr:=net.JoinHostPort("127.0.0.1",strconv.Itoa(int(port)))`
`@@ -842,7 +847,7 @@ func (ln *listener) Accept() (net.Conn, error) {`
`842`	`847`	`select {`
`843`	`848`	`casec=<-ln.conn:`
`844`	`849`	`case<-ln.closed:`
`845`		`-returnnil,xerrors.Errorf("wgnet: %w",net.ErrClosed)`
	`850`	`+returnnil,xerrors.Errorf("tailnet: %w",net.ErrClosed)`
`846`	`851`	`}`
`847`	`852`	`returnc,nil`
`848`	`853`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfbf329f

File tree

4 files changed

4 files changed

`‎codersdk/workspaceagentconn.go‎`

`‎go.mod‎`

`‎go.sum‎`

`‎tailnet/conn.go‎`

0 commit comments