illumos/solaris support rebased onto 1.78.1

Author: nshalman

.github/workflows/cross-illumos.yaml

@@ -0,0 +1,32 @@
+name: illumos-Cross
+
+on:
+  push:
+    branches:
+      - main
+      - 'illumos-*'
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+          check-latest: true
+        id: go
+
+      - name: SunOS build script
+        run: bash -x build.sh

.github/workflows/nshalman-sunos-releases.yml

@@ -0,0 +1,39 @@
+---
+name: "tagged-release"
+
+on:
+  push:
+    tags:
+      - "v*-sunos"
+
+jobs:
+  tagged-release:
+    name: "SunOS Tagged Release"
+    runs-on: "ubuntu-latest"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+          check-latest: true
+        id: go
+
+      - name: SunOS build script
+        run: bash -x build.sh
+
+      - name: Create Release
+        uses: "marvinpinto/action-automatic-releases@latest"
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          prerelease: false
+          files: |
+            cmd/tailscaled/tailscale.xml
+            sha256sums
+            tailscaled-illumos
+            tailscaled-solaris

AUTHORS

@@ -15,3 +15,4 @@
 # company that owns the rights to your contribution.
 
 Tailscale Inc.
+Nahum Shalman <nahamu@gmail.com>

build.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit
+
+export TS_USE_TOOLCHAIN=true
+# This prevents illumos libc from leaking into Solaris binaries when built on illumos
+export CGO_ENABLED=0
+
+fix_osabi () {
+	if [[ $(uname -s) == SunOS ]]; then
+		/usr/bin/elfedit \
+			-e "ehdr:ei_osabi ELFOSABI_SOLARIS" \
+			-e "ehdr:ei_abiversion EAV_SUNW_CURRENT" \
+			"${1?}"
+	else
+		elfedit --output-osabi "Solaris" --output-abiversion "1" "${1?}"
+	fi
+}
+
+for GOOS in illumos solaris; do
+	export GOOS
+	bash -x ./build_dist.sh --box ./cmd/tailscaled
+	fix_osabi tailscaled
+	mv tailscaled{,-${GOOS}}
+done
+
+ln cmd/tailscaled/tailscale.xml .
+shasum -a 256 tailscaled-* tailscale.xml >sha256sums
+rm ./tailscale.xml

cmd/tailscaled/tailscale-smartos-gz.xml

@@ -0,0 +1,36 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='vpn/tailscale' type='service' version='0'>
+    <create_default_instance enabled='true'/>
+    <single_instance/>
+    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/milestone/network:default'/>
+    </dependency>
+    <dependency name='filesystem' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <method_context>
+      <method_credential group='root' user='root'/>
+    </method_context>
+    <exec_method name='start' type='method' exec='/opt/local/sbin/tailscaled' timeout_seconds='60'>
+      <method_context>
+        <method_environment>
+          <envvar name='SSL_CERT_FILE' value='/opt/tools/share/mozilla-rootcerts/cacert.pem'/>
+        </method_environment>
+      </method_context>
+    </exec_method>
+    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+    <property_group name='application' type='application'/>
+    <property_group name='startd' type='framework'>
+      <propval name='duration' type='astring' value='child'/>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <stability value='Evolving'/>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>Tailscale</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>

cmd/tailscaled/tailscale.xml

@@ -0,0 +1,30 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='vpn/tailscale' type='service' version='0'>
+    <create_default_instance enabled='true'/>
+    <single_instance/>
+    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/milestone/network:default'/>
+    </dependency>
+    <dependency name='filesystem' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <method_context>
+      <method_credential group='root' user='root'/>
+    </method_context>
+    <exec_method name='start' type='method' exec='/usr/local/sbin/tailscaled' timeout_seconds='60'/>
+    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+    <property_group name='application' type='application'/>
+    <property_group name='startd' type='framework'>
+      <propval name='duration' type='astring' value='child'/>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <stability value='Evolving'/>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>Tailscale</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>

cmd/tailscaled/tailscaled.go

@@ -73,6 +73,8 @@ import (
 // defaultTunName returns the default tun device name for the platform.
 func defaultTunName() string {
 	switch runtime.GOOS {
+	case "illumos", "solaris":
+		return "tun"
 	case "openbsd":
 		return "tun"
 	case "windows":

derper

@@ -405,3 +405,5 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
+
+replace github.com/tailscale/wireguard-go => github.com/nshalman/wireguard-go v0.0.20200321-0.20240821122409-fbd66f85d5bc

go.mod

@@ -735,6 +735,8 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK
 github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs=
 github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
+github.com/nshalman/wireguard-go v0.0.20200321-0.20240821122409-fbd66f85d5bc h1:I/q5kiFd4mTc475wxRWqYEd2SbFGEG0NvbuvfzUOweQ=
+github.com/nshalman/wireguard-go v0.0.20200321-0.20240821122409-fbd66f85d5bc/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/nunnatsa/ginkgolinter v0.16.1 h1:uDIPSxgVHZ7PgbJElRDGzymkXH+JaF7mjew+Thjnt6Q=
 github.com/nunnatsa/ginkgolinter v0.16.1/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
@@ -941,8 +943,6 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:t
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3 h1:dmoPb3dG27tZgMtrvqfD/LW4w7gA6BSWl8prCPNmkCQ=
-github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=

go.sum

@@ -4126,7 +4126,7 @@ func (b *LocalBackend) peerAPIServicesLocked() (ret []tailcfg.Service) {
 		})
 	}
 	switch runtime.GOOS {
-	case "linux", "freebsd", "openbsd", "illumos", "darwin", "windows", "android", "ios":
+	case "linux", "freebsd", "openbsd", "illumos", "solaris", "darwin", "windows", "android", "ios":
 		// These are the platforms currently supported by
 		// net/dns/resolver/tsdns.go:Resolver.HandleExitNodeDNSQuery.
 		ret = append(ret, tailcfg.Service{

ipn/ipnlocal/local.go

@@ -650,6 +650,8 @@ func osEmoji(os string) string {
 		return "🐡"
 	case "illumos":
 		return "☀️"
+	case "solaris":
+		return "🌤️"
 	}
 	return "👽"
 }

ipn/ipnstate/ipnstate.go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !linux && !freebsd && !openbsd && !windows && !darwin
+//go:build !linux && !freebsd && !openbsd && !windows && !darwin && !illumos && !solaris
 
 package dns
 

net/dns/manager_default.go

@@ -0,0 +1,14 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package dns
+
+import (
+	"tailscale.com/control/controlknobs"
+	"tailscale.com/health"
+	"tailscale.com/types/logger"
+)
+
+func NewOSConfigurator(logf logger.Logf, health *health.Tracker, _ *controlknobs.Knobs, iface string) (OSConfigurator, error) {
+	return newDirectManager(logf, health), nil
+}

net/dns/manager_solaris.go

@@ -384,7 +384,7 @@ func (r *Resolver) HandlePeerDNSQuery(ctx context.Context, q []byte, from netip.
 		// but for now that's probably good enough. Later we'll
 		// want to blend in everything from scutil --dns.
 		fallthrough
-	case "linux", "freebsd", "openbsd", "illumos", "ios":
+	case "linux", "freebsd", "openbsd", "illumos", "solaris", "ios":
 		nameserver, err := stubResolverForOS()
 		if err != nil {
 			r.logf("stubResolverForOS: %v", err)

net/dns/resolver/tsdns.go

@@ -63,6 +63,11 @@ func CheckIPForwarding(routes []netip.Prefix, state *netmon.State) (warn, err er
 		switch runtime.GOOS {
 		case "dragonfly", "freebsd", "netbsd", "openbsd":
 			return fmt.Errorf("Subnet routing and exit nodes only work with additional manual configuration on %v, and is not currently officially supported.", runtime.GOOS), nil
+		case "illumos", "solaris":
+			_, err := ipForwardingEnabledSunOS(ipv4, "")
+			if err != nil {
+				return nil, fmt.Errorf("Couldn't check system's IP forwarding configuration, subnet routing/exit nodes may not work: %w%s", err, "")
+			}
 		}
 		return nil, nil
 	}
@@ -325,3 +330,24 @@ func reversePathFilterValueLinux(iface string) (int, error) {
 	}
 	return v, nil
 }
+
+func ipForwardingEnabledSunOS(p protocol, iface string) (bool, error) {
+	var proto string
+	if p == ipv4 {
+		proto = "ipv4"
+	} else if p == ipv6 {
+		proto = "ipv6"
+	} else {
+		return false, fmt.Errorf("unknown protocol")
+	}
+
+	ipadmCmd := "\"ipadm show-prop " + proto + " -p forwarding -o CURRENT -c\""
+	bs, err := exec.Command("ipadm", "show-prop", proto, "-p", "forwarding", "-o", "CURRENT", "-c").Output()
+	if err != nil {
+		return false, fmt.Errorf("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", ipadmCmd, err)
+	}
+	if string(bs) != "on\n" {
+		return false, fmt.Errorf("IP forwarding is set to off. Subnet routes won't work. Try 'routeadm -u -e " + proto + "-forwarding'")
+	}
+	return true, nil
+}

net/netutil/ip_forward.go

@@ -22,7 +22,7 @@ func init() {
 
 func statePath() string {
 	switch runtime.GOOS {
-	case "linux":
+	case "linux", "illumos", "solaris":
 		return "/var/lib/tailscale/tailscaled.state"
 	case "freebsd", "openbsd":
 		return "/var/db/tailscale/tailscaled.state"

paths/paths_unix.go

@@ -4,4 +4,10 @@
 # currently-desired version from https://github.com/tailscale/go,
 # downloading it first if necessary.
 
+case $(uname -s) in
+	SunOS)
+		exec go "$@"
+		;;
+esac
+
 exec "$(dirname "$0")/../tool/gocross/gocross-wrapper.sh" "$@"

tool/go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !windows && !linux && !darwin && !openbsd && !freebsd
+//go:build !windows && !linux && !darwin && !openbsd && !freebsd && !illumos && !solaris
 
 package router
 

wgengine/router/router_default.go

@@ -0,0 +1,46 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package router
+
+import (
+	"strings"
+
+	"github.com/tailscale/wireguard-go/tun"
+	"tailscale.com/health"
+	"tailscale.com/net/netmon"
+	"tailscale.com/types/logger"
+)
+
+// For now this router only supports the userspace WireGuard implementations.
+
+func newUserspaceRouter(logf logger.Logf, tundev tun.Device, linkMon *netmon.Monitor, health *health.Tracker) (Router, error) {
+	return newUserspaceSunosRouter(logf, tundev, linkMon, health)
+}
+
+func cleanUp(logf logger.Logf, interfaceName string) {
+	ipadm := []string{"ipadm", "show-addr", "-p", "-o", "addrobj"}
+	out, err := cmd(ipadm...).Output()
+	if err != nil {
+		logf("ipadm show-addr: %v\n%s", err, out)
+	}
+	for _, a := range strings.Fields(string(out)) {
+		s := strings.Split(a, "/")
+		if len(s) > 1 && strings.Contains(s[1], "tailscale") {
+			ipadm = []string{"ipadm", "down-addr", "-t", a}
+			cmdVerbose(logf, ipadm)
+			ipadm = []string{"ipadm", "delete-addr", a}
+			cmdVerbose(logf, ipadm)
+			ipadm = []string{"ipadm", "delete-if", s[0]}
+			cmdVerbose(logf, ipadm)
+		}
+	}
+	ifcfg := []string{"ifconfig", interfaceName, "unplumb"}
+	if out, err := cmd(ifcfg...).CombinedOutput(); err != nil {
+		logf("ifconfig unplumb: %v\n%s", err, out)
+	}
+	ifcfg = []string{"ifconfig", interfaceName, "inet6", "unplumb"}
+	if out, err := cmd(ifcfg...).CombinedOutput(); err != nil {
+		logf("ifconfig inet6 unplumb: %v\n%s", err, out)
+	}
+}