* TUN-9919: Make RPM postinstall scriplet idempotent
Before this commit the postinstall scriptlet isn't idempotent, meaning the users see this error in their upgrade logs:
`ln: failed to create symbolic link '/usr/local/bin/cloudflared': File exists
warning: %post(cloudflared-2025.10.0-1.x86_64) scriptlet failed, exit status 1`
This doesn't break the upgrade (which is why we haven't touched this in 5 years), but adding the -f (force) flag to the symlink command prevents this issue from happening
Closes TUN-9919
* chore: Fix upload of RPM repo file during double signing
This commit fixes a variable that was supposed to hold the path of the repo file, but instead was being overwritten with the repo file handle
* chore: Fix import of GPG keys when two keys are provided
We were only retrieving the first output of gpg.list keys because previously we were only running import_gpg_keys once. Now that we run it twice we need to ensure that the key we select from the list matches the one we've imported.
Adds new metrics for:
- Dropped UDP datagrams for reads and write paths
- Dropped ICMP packets for write paths
- Failures that preemptively close UDP flows
Closes TUN-9882
Add a deadline for origin writes as a preventative measure in the case that the kernel blocks any writes for too long.
In the case that the socket exceeds the write deadline, the datagram will be dropped.
Closes TUN-9882
Instead of creating a go routine to process each incoming datagram from the tunnel, a single consumer (the demuxer) will
process each of the datagrams in serial.
Registration datagrams will still be spun out into separate go routines since they are responsible for managing the
lifetime of the session once started via the `Serve` method.
UDP payload datagrams will be handled in separate channels to allow for parallel writing inside of the scope of a
session via a new write loop. This channel will have a small buffer to help unblock the demuxer from dequeueing other
datagrams.
ICMP datagrams will be funneled into a single channel across all possible origins with a single consumer to write to
their respective destinations.
Each of these changes is to prevent datagram reordering from occurring when dequeuing from the tunnel connection. By
establishing a single demuxer that serializes the writes per session, each session will be able to write sequentially,
but in parallel to their respective origins.
Closes TUN-9882
* TUN-9776: Support signing Debian packages with two keys for rollover
Debian Trixie doesn't support the SHA-1 algo for GPG keys.
This commit leverages the ability of providing two keys in the reprepro configuration in order to have two signatures in InRelease and Release.gpg files.
This allows users that have the old key to continue fetching the binaries with the old key while allowing us to provide a new key that can be used in Trixie.
Unfortunately current versions of RPM (since 2002) don't support double signing, so we can't apply the same logic for RPM
Closes TUN-9776
## Summary
This commit migrates the cloduflared ci pipelines, that built, tested and component tested the linux binaries to gitlab ci.
The only thing that is remaining to move from teamcity to gitlab are now the release pipelines that run on master.
Relates to TUN-9800
Corrects the pattern of using errgroup's and context cancellation to simplify the logic for canceling extra routines for the QUIC connection. This is because the extra context cancellation is redundant with the fact that the errgroup also cancels it's own provided context when a routine returns (error or not).
For the datagram handler specifically, since it can respond faster to a context cancellation from the QUIC connection, we wrap the error before surfacing it outside of the QUIC connection scope to the supervisor. Additionally, the supervisor will look for this error type to check if it should retry the QUIC connection. These two operations are required because the supervisor does not look for a context canceled error when deciding to retry a connection. If a context canceled from the datagram handler were to be returned up to the supervisor on the initial connection, the cloudflared application would exit. We want to ensure that cloudflared maintains connection attempts even if any of the services on-top of a QUIC connection fail (datagram handler in this case).
Additional logging is also introduced along these paths to help with understanding the error conditions from the specific handlers on-top of a QUIC connection.
Related CUSTESC-53681
Closes TUN-9610
This commit adds support for FedRAMP environments. Cloudflared will
now dynamically configure the management hostname and API URL, switching
to FedRAMP-specific values like `management.fed.argotunnel.com` and `https://api.fed.cloudflare.com/client/v4`
when a FedRAMP endpoint is detected.
Key to this is an enhanced `ParseToken` function, which now includes an `IsFed()`
method to determine if a management token's issuer is `fed-tunnelstore`. This allows
cloudflared to correctly identify and operate within a FedRAMP context, ensuring
proper connectivity.
Closes TUN-9583
## Summary
This commit removes configurations and references for Debian-based releases that are no longer supported in the build and packaging processes.
For Ubuntu versions for most of them only PRO users still have support, so we might decide remove some of them as well. Information available in:
- Debian Releases: https://wiki.debian.org/LTS (we no longer support bullseye at Cloudflare)
- Ubuntu Releases: https://ubuntu.com/about/release-cycle
Closes TUN-9542
## Summary
This commit changes the USER instruction in our Dockerfiles from using
the string "nonroot" to its numeric ID "65532".
This change is necessary because Kubernetes does not support string-based
user IDs in security contexts, requiring numeric IDs instead. The nonroot
user maps to 65532 in distroless images.
Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences and add tests to verify that the advertised curves are the same as the curve preferences we set.
Closes TUN-9161
To help support users with environments that don't work well with the
DNS local resolver's automatic resolution process for local resolver
addresses, we introduce a flag to provide them statically to the
runtime. When providing the resolver addresses, cloudflared will no
longer lookup the DNS resolver addresses and use the user input
directly.
When provided with a list of DNS resolvers larger than one, the resolver
service will randomly select one at random for each incoming request.
Closes TUN-9473
Adds an OriginDialerService that takes over the roles of both DialUDP and DialTCP
towards the origin. This provides the possibility to leverage dialer "middleware"
to inject virtual origins, such as the DNS resolver service.
DNS Resolver service also gains access to the DialTCP operation to service TCP
DNS requests.
Minor refactoring includes changes to remove the needs previously provided by
the warp-routing configuration. This configuration cannot be disabled by cloudflared
so many of the references have been adjusted or removed.
Closes TUN-9470
Introduces a new `UDPOriginProxy` interface and `UDPOriginService`
to standardize how UDP connections are dialed to origins. Allows for
future overrides of the ingress service for specific dial destinations.
Simplifies dependency injection for UDP dialing throughout both datagram
v2 and v3 by using the same ingress service. Previous invocations called
into a DialUDP function in the ingress package that was a light
wrapper over `net.DialUDP`. Now a reference is passed into both datagram
controllers that allows more control over the DialUDP method.
Closes TUN-9469
## Summary
When bumping cloudflared to use go1.24, we no longer need cloudflare-go,
since most of the PQ and FIPS compliant curves are already available in go 1.24.
Therefore, we can remove everything related with installing our go toolchain.
João "Pisco" Fernandes
Gonçalo Garcia
chungthuang
Devin Carr
João Oliveirinha
Kyle Hiller
Kevin Marshall
Luis Neto