embed (hidden) tailsql for debugging (#1663)

Signed-off-by: Kristoffer Dalby <kristoffer@dalby.cc>
2023-12-20 21:47:48 +01:00 · 2023-12-20 21:47:48 +01:00 · 55ca078f22
commit 55ca078f22
parent 6049ec758c
7 changed files with 324 additions and 32 deletions
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@ -48,6 +48,7 @@ import (
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/grpc/status"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
@ -59,7 +60,9 @@ var (
 	errUnsupportedLetsEncryptChallengeType = errors.New(
 		"unknown value for Lets Encrypt challenge type",
 	)
-	errEmptyInitialDERPMap = errors.New("initial DERPMap is empty, Headscale requries at least one entry")
+	errEmptyInitialDERPMap = errors.New(
+		"initial DERPMap is empty, Headscale requries at least one entry",
+	)
 )

 const (
@ -96,8 +99,15 @@ type Headscale struct {
 	pollNetMapStreamWG sync.WaitGroup
 }

+var (
+	profilingEnabled = envknob.Bool("HEADSCALE_PROFILING_ENABLED")
+	tailsqlEnabled   = envknob.Bool("HEADSCALE_DEBUG_TAILSQL_ENABLED")
+	tailsqlStateDir  = envknob.String("HEADSCALE_DEBUG_TAILSQL_STATE_DIR")
+	tailsqlTSKey     = envknob.String("TS_AUTHKEY")
+)
+
 func NewHeadscale(cfg *types.Config) (*Headscale, error) {
-	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
+	if profilingEnabled {
 		runtime.SetBlockProfileRate(1)
 	}

@ -696,6 +706,18 @@ func (h *Headscale) Serve() error {
 	log.Info().
 		Msgf("listening and serving metrics on: %s", h.cfg.MetricsAddr)

+	var tailsqlContext context.Context
+	if tailsqlEnabled {
+		if h.cfg.DBtype != db.Sqlite {
+			log.Fatal().Str("type", h.cfg.DBtype).Msgf("tailsql only support %q", db.Sqlite)
+		}
+		if tailsqlTSKey == "" {
+			log.Fatal().Msg("tailsql requires TS_AUTHKEY to be set")
+		}
+		tailsqlContext = context.Background()
+		go runTailSQLService(ctx, util.TSLogfWrapper(), tailsqlStateDir, h.cfg.DBpath)
+	}
+
 	// Handle common process-killing signals so we can gracefully shut down:
 	h.shutdownChan = make(chan struct{})
 	sigc := make(chan os.Signal, 1)
@ -761,6 +783,10 @@ func (h *Headscale) Serve() error {
 					grpcListener.Close()
 				}

+				if tailsqlContext != nil {
+					tailsqlContext.Done()
+				}
+
 				// Close network listeners
 				promHTTPListener.Close()
 				httpListener.Close()
@ -898,7 +924,8 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 		err = os.WriteFile(path, machineKeyStr, privateKeyFileMode)
 		if err != nil {
 			return nil, fmt.Errorf(
-				"failed to save private key to disk: %w",
+				"failed to save private key to disk at path %q: %w",
+				path,
 				err,
 			)
 		}
--- a/hscontrol/derp/server/derp_server.go
+++ b/hscontrol/derp/server/derp_server.go
@ -13,12 +13,12 @@ import (
 	"time"

 	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/derp"
 	"tailscale.com/net/stun"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
 )

 // fastStartHeader is the header (with value "1") that signals to the HTTP
@ -34,19 +34,13 @@ type DERPServer struct {
 	tailscaleDERP *derp.Server
 }

-func derpLogf() logger.Logf {
-	return func(format string, args ...any) {
-		log.Debug().Caller().Msgf(format, args...)
-	}
-}
-
 func NewDERPServer(
 	serverURL string,
 	derpKey key.NodePrivate,
 	cfg *types.DERPConfig,
 ) (*DERPServer, error) {
 	log.Trace().Caller().Msg("Creating new embedded DERP server")
-	server := derp.NewServer(derpKey, derpLogf()) // nolint // zerolinter complains
+	server := derp.NewServer(derpKey, util.TSLogfWrapper()) // nolint // zerolinter complains

 	return &DERPServer{
 		serverURL:     serverURL,
--- a/hscontrol/tailsql.go
+++ b/hscontrol/tailsql.go
@ -0,0 +1,99 @@
+package hscontrol
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/tailscale/tailsql/server/tailsql"
+	"tailscale.com/tsnet"
+	"tailscale.com/tsweb"
+	"tailscale.com/types/logger"
+)
+
+func runTailSQLService(ctx context.Context, logf logger.Logf, stateDir, dbPath string) error {
+	opts := tailsql.Options{
+		Hostname: "tailsql-headscale",
+		StateDir: stateDir,
+		Sources: []tailsql.DBSpec{
+			{
+				Source: "headscale",
+				Label:  "headscale - sqlite",
+				Driver: "sqlite",
+				URL:    fmt.Sprintf("file:%s?mode=ro", dbPath),
+				Named: map[string]string{
+					"schema": `select * from sqlite_schema`,
+				},
+			},
+		},
+	}
+
+	tsNode := &tsnet.Server{
+		Dir:      os.ExpandEnv(opts.StateDir),
+		Hostname: opts.Hostname,
+		Logf:     logger.Discard,
+	}
+	// if *doDebugLog {
+	// 	tsNode.Logf = logf
+	// }
+	defer tsNode.Close()
+
+	logf("Starting tailscale (hostname=%q)", opts.Hostname)
+	lc, err := tsNode.LocalClient()
+	if err != nil {
+		return fmt.Errorf("connect local client: %w", err)
+	}
+	opts.LocalClient = lc // for authentication
+
+	// Make sure the Tailscale node starts up. It might not, if it is a new node
+	// and the user did not provide an auth key.
+	if st, err := tsNode.Up(ctx); err != nil {
+		return fmt.Errorf("starting tailscale: %w", err)
+	} else {
+		logf("tailscale started, node state %q", st.BackendState)
+	}
+
+	// Reaching here, we have a running Tailscale node, now we can set up the
+	// HTTP and/or HTTPS plumbing for TailSQL itself.
+	tsql, err := tailsql.NewServer(opts)
+	if err != nil {
+		return fmt.Errorf("creating tailsql server: %w", err)
+	}
+
+	lst, err := tsNode.Listen("tcp", ":80")
+	if err != nil {
+		return fmt.Errorf("listen port 80: %w", err)
+	}
+
+	if opts.ServeHTTPS {
+		// When serving TLS, add a redirect from HTTP on port 80 to HTTPS on 443.
+		certDomains := tsNode.CertDomains()
+		if len(certDomains) == 0 {
+			fmt.Errorf("no cert domains available for HTTPS")
+		}
+		base := "https://" + certDomains[0]
+		go http.Serve(lst, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			target := base + r.RequestURI
+			http.Redirect(w, r, target, http.StatusPermanentRedirect)
+		}))
+		// log.Printf("Redirecting HTTP to HTTPS at %q", base)
+
+		// For the real service, start a separate listener.
+		// Note: Replaces the port 80 listener.
+		var err error
+		lst, err = tsNode.ListenTLS("tcp", ":443")
+		if err != nil {
+			return fmt.Errorf("listen TLS: %w", err)
+		}
+		logf("enabled serving via HTTPS")
+	}
+
+	mux := tsql.NewMux()
+	tsweb.Debugger(mux)
+	go http.Serve(lst, mux)
+	logf("ailSQL started")
+	<-ctx.Done()
+	logf("TailSQL shutting down...")
+	return tsNode.Close()
+}
--- a/hscontrol/util/log.go
+++ b/hscontrol/util/log.go
@ -1,7 +1,16 @@
 package util

-import "github.com/rs/zerolog/log"
+import (
+	"github.com/rs/zerolog/log"
+	"tailscale.com/types/logger"
+)

 func LogErr(err error, msg string) {
 	log.Error().Caller().Err(err).Msg(msg)
 }
+
+func TSLogfWrapper() logger.Logf {
+	return func(format string, args ...any) {
+		log.Debug().Caller().Msgf(format, args...)
+	}
+}