illumos/solaris support rebased onto main

Author: nshalman

.github/workflows/cross-illumos.yaml

@@ -0,0 +1,32 @@
+name: illumos-Cross
+
+on:
+  push:
+    branches:
+      - main
+      - 'illumos-*'
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+          check-latest: true
+        id: go
+
+      - name: SunOS build script
+        run: bash -x build.sh

.github/workflows/nshalman-sunos-releases.yml

@@ -0,0 +1,39 @@
+---
+name: "tagged-release"
+
+on:
+  push:
+    tags:
+      - "v*-sunos"
+
+jobs:
+  tagged-release:
+    name: "SunOS Tagged Release"
+    runs-on: "ubuntu-latest"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+          check-latest: true
+        id: go
+
+      - name: SunOS build script
+        run: bash -x build.sh
+
+      - name: Create Release
+        uses: "marvinpinto/action-automatic-releases@latest"
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          prerelease: false
+          files: |
+            cmd/tailscaled/tailscale.xml
+            sha256sums
+            tailscaled-illumos
+            tailscaled-solaris

AUTHORS

@@ -15,3 +15,4 @@
 # company that owns the rights to your contribution.
 
 Tailscale Inc.
+Nahum Shalman <[email protected]>

build.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit
+
+export TS_USE_TOOLCHAIN=true
+# This prevents illumos libc from leaking into Solaris binaries when built on illumos
+export CGO_ENABLED=0
+
+fix_osabi () {
+	if [[ $(uname -s) == SunOS ]]; then
+		/usr/bin/elfedit \
+			-e "ehdr:ei_osabi ELFOSABI_SOLARIS" \
+			-e "ehdr:ei_abiversion EAV_SUNW_CURRENT" \
+			"${1?}"
+	else
+		elfedit --output-osabi "Solaris" --output-abiversion "1" "${1?}"
+	fi
+}
+
+for GOOS in illumos solaris; do
+	export GOOS
+	bash -x ./build_dist.sh --box ./cmd/tailscaled
+	fix_osabi tailscaled
+	mv tailscaled{,-${GOOS}}
+done
+
+ln cmd/tailscaled/tailscale.xml .
+shasum -a 256 tailscaled-* tailscale.xml >sha256sums
+rm ./tailscale.xml

cmd/tailscaled/tailscale-smartos-gz.xml

@@ -0,0 +1,36 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='vpn/tailscale' type='service' version='0'>
+    <create_default_instance enabled='true'/>
+    <single_instance/>
+    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/milestone/network:default'/>
+    </dependency>
+    <dependency name='filesystem' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <method_context>
+      <method_credential group='root' user='root'/>
+    </method_context>
+    <exec_method name='start' type='method' exec='/opt/local/sbin/tailscaled' timeout_seconds='60'>
+      <method_context>
+        <method_environment>
+          <envvar name='SSL_CERT_FILE' value='/opt/tools/share/mozilla-rootcerts/cacert.pem'/>
+        </method_environment>
+      </method_context>
+    </exec_method>
+    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+    <property_group name='application' type='application'/>
+    <property_group name='startd' type='framework'>
+      <propval name='duration' type='astring' value='child'/>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <stability value='Evolving'/>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>Tailscale</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>

cmd/tailscaled/tailscale.xml

@@ -0,0 +1,30 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='vpn/tailscale' type='service' version='0'>
+    <create_default_instance enabled='true'/>
+    <single_instance/>
+    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/milestone/network:default'/>
+    </dependency>
+    <dependency name='filesystem' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <method_context>
+      <method_credential group='root' user='root'/>
+    </method_context>
+    <exec_method name='start' type='method' exec='/usr/local/sbin/tailscaled' timeout_seconds='60'/>
+    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+    <property_group name='application' type='application'/>
+    <property_group name='startd' type='framework'>
+      <propval name='duration' type='astring' value='child'/>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <stability value='Evolving'/>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>Tailscale</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>

cmd/tailscaled/tailscaled.go

@@ -69,6 +69,8 @@ import (
 // defaultTunName returns the default tun device name for the platform.
 func defaultTunName() string {
 	switch runtime.GOOS {
+	case "illumos", "solaris":
+		return "tun"
 	case "openbsd":
 		return "tun"
 	case "windows":

derper

@@ -365,3 +365,5 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 )
+
+replace github.com/tailscale/wireguard-go => github.com/nshalman/wireguard-go v0.0.20200321-0.20230423150539-55df1b6c04ac

go.mod

@@ -696,6 +696,8 @@ github.com/nishanths/exhaustive v0.10.0 h1:BMznKAcVa9WOoLq/kTGp4NJOJSMwEpcpjFNAV
 github.com/nishanths/exhaustive v0.10.0/go.mod h1:IbwrGdVMizvDcIxPYGVdQn5BqWJaOwpCvg4RGb8r/TA=
 github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
+github.com/nshalman/wireguard-go v0.0.20200321-0.20230423150539-55df1b6c04ac h1:wEG2xJ+7q062tBEU8gkJvN2hC5RpZWhEIWAug5LUC0k=
+github.com/nshalman/wireguard-go v0.0.20200321-0.20230423150539-55df1b6c04ac/go.mod h1:J62uaH3KrbhKtrKXQJ6/Z+kcs0r4CdA7qd5AXQtl0/s=
 github.com/nunnatsa/ginkgolinter v0.11.2 h1:xzQpAsEyZe5F1RMy2Z5kn8UFCGiWfKqJOUd2ZzBXA4M=
 github.com/nunnatsa/ginkgolinter v0.11.2/go.mod h1:dJIGXYXbkBswqa/pIzG0QlVTTDSBMxDoCFwhsl4Uras=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
@@ -884,8 +886,6 @@ github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQ
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/web-client-prebuilt v0.0.0-20230919211114-7bcd7bca7bc5 h1:wKUtQPRpjhZZvAuwYRMcjMZnpWSUEJWIbNJmLtDbR0k=
 github.com/tailscale/web-client-prebuilt v0.0.0-20230919211114-7bcd7bca7bc5/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tailscale/wireguard-go v0.0.0-20231101022006-db7604d1aa90 h1:lMGYrokOq9NKDw1UMBH7AsS4boZ41jcduvYaRIdedhE=
-github.com/tailscale/wireguard-go v0.0.0-20231101022006-db7604d1aa90/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
 github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=

go.sum

@@ -3156,7 +3156,7 @@ func (b *LocalBackend) peerAPIServicesLocked() (ret []tailcfg.Service) {
 		})
 	}
 	switch runtime.GOOS {
-	case "linux", "freebsd", "openbsd", "illumos", "darwin", "windows", "android", "ios":
+	case "linux", "freebsd", "openbsd", "illumos", "solaris", "darwin", "windows", "android", "ios":
 		// These are the platforms currently supported by
 		// net/dns/resolver/tsdns.go:Resolver.HandleExitNodeDNSQuery.
 		ret = append(ret, tailcfg.Service{

ipn/ipnlocal/local.go

@@ -617,6 +617,8 @@ func osEmoji(os string) string {
 		return "🐡"
 	case "illumos":
 		return "☀️"
+	case "solaris":
+		return "🌤️"
 	}
 	return "👽"
 }

ipn/ipnstate/ipnstate.go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !linux && !freebsd && !openbsd && !windows && !darwin
+//go:build !linux && !freebsd && !openbsd && !windows && !darwin && !illumos && !solaris
 
 package dns
 

net/dns/manager_default.go

@@ -0,0 +1,12 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package dns
+
+import (
+	"tailscale.com/types/logger"
+)
+
+func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
+	return newDirectManager(logf), nil
+}

net/dns/manager_solaris.go

@@ -350,7 +350,7 @@ func (r *Resolver) HandlePeerDNSQuery(ctx context.Context, q []byte, from netip.
 		// but for now that's probably good enough. Later we'll
 		// want to blend in everything from scutil --dns.
 		fallthrough
-	case "linux", "freebsd", "openbsd", "illumos", "ios":
+	case "linux", "freebsd", "openbsd", "illumos", "solaris", "ios":
 		nameserver, err := stubResolverForOS()
 		if err != nil {
 			r.logf("stubResolverForOS: %v", err)

net/dns/resolver/tsdns.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/netip"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -62,6 +63,11 @@ func CheckIPForwarding(routes []netip.Prefix, state *interfaces.State) (warn, er
 		switch runtime.GOOS {
 		case "dragonfly", "freebsd", "netbsd", "openbsd":
 			return fmt.Errorf("Subnet routing and exit nodes only work with additional manual configuration on %v, and is not currently officially supported.", runtime.GOOS), nil
+		case "illumos", "solaris":
+			_, err := ipForwardingEnabledSunOS(ipv4, "")
+			if err != nil {
+				return nil, fmt.Errorf("Couldn't check system's IP forwarding configuration, subnet routing/exit nodes may not work: %w%s", err, "")
+			}
 		}
 		return nil, nil
 	}
@@ -221,3 +227,24 @@ func ipForwardingEnabledLinux(p protocol, iface string) (bool, error) {
 	on := val == 1 || val == 2
 	return on, nil
 }
+
+func ipForwardingEnabledSunOS(p protocol, iface string) (bool, error) {
+	var proto string
+	if p == ipv4 {
+		proto = "ipv4"
+	} else if p == ipv6 {
+		proto = "ipv6"
+	} else {
+		return false, fmt.Errorf("unknown protocol")
+	}
+
+	ipadmCmd := "\"ipadm show-prop " + proto + " -p forwarding -o CURRENT -c\""
+	bs, err := exec.Command("ipadm", "show-prop", proto, "-p", "forwarding", "-o", "CURRENT", "-c").Output()
+	if err != nil {
+		return false, fmt.Errorf("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", ipadmCmd, err)
+	}
+	if string(bs) != "on\n" {
+		return false, fmt.Errorf("IP forwarding is set to off. Subnet routes won't work. Try 'routeadm -u -e " + proto + "-forwarding'")
+	}
+	return true, nil
+}

net/netutil/ip_forward.go

@@ -22,7 +22,7 @@ func init() {
 
 func statePath() string {
 	switch runtime.GOOS {
-	case "linux":
+	case "linux", "illumos", "solaris":
 		return "/var/lib/tailscale/tailscaled.state"
 	case "freebsd", "openbsd":
 		return "/var/db/tailscale/tailscaled.state"

paths/paths_unix.go

@@ -4,4 +4,10 @@
 # currently-desired version from https://github.com/tailscale/go,
 # downloading it first if necessary.
 
+case $(uname -s) in
+	SunOS)
+		exec go "$@"
+		;;
+esac
+
 exec "$(dirname "$0")/../tool/gocross/gocross-wrapper.sh" "$@"

tool/go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !windows && !linux && !darwin && !openbsd && !freebsd
+//go:build !windows && !linux && !darwin && !openbsd && !freebsd && !illumos && !solaris
 
 package router
 

wgengine/router/router_default.go

@@ -0,0 +1,45 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package router
+
+import (
+	"strings"
+
+	"github.com/tailscale/wireguard-go/tun"
+	"tailscale.com/types/logger"
+	"tailscale.com/net/netmon"
+)
+
+// For now this router only supports the userspace WireGuard implementations.
+
+func newUserspaceRouter(logf logger.Logf, tundev tun.Device, linkMon *netmon.Monitor) (Router, error) {
+	return newUserspaceSunosRouter(logf, tundev, linkMon)
+}
+
+func cleanup(logf logger.Logf, interfaceName string) {
+	ipadm := []string{"ipadm", "show-addr", "-p", "-o", "addrobj"}
+	out, err := cmd(ipadm...).Output()
+	if err != nil {
+		logf("ipadm show-addr: %v\n%s", err, out)
+	}
+	for _, a := range strings.Fields(string(out)) {
+		s := strings.Split(a, "/")
+		if len(s) > 1 && strings.Contains(s[1], "tailscale") {
+			ipadm = []string{"ipadm", "down-addr", "-t", a}
+			cmdVerbose(logf, ipadm)
+			ipadm = []string{"ipadm", "delete-addr", a}
+			cmdVerbose(logf, ipadm)
+			ipadm = []string{"ipadm", "delete-if", s[0]}
+			cmdVerbose(logf, ipadm)
+		}
+	}
+	ifcfg := []string{"ifconfig", interfaceName, "unplumb"}
+	if out, err := cmd(ifcfg...).CombinedOutput(); err != nil {
+		logf("ifconfig unplumb: %v\n%s", err, out)
+	}
+	ifcfg = []string{"ifconfig", interfaceName, "inet6", "unplumb"}
+	if out, err := cmd(ifcfg...).CombinedOutput(); err != nil {
+		logf("ifconfig inet6 unplumb: %v\n%s", err, out)
+	}
+}