ssh/tailssh: fix path of "true" on Darwin (#16569)

This is a follow-up to #15351, which fixed the test for Linux but not for Darwin, which stores its "true" executable in /usr/bin instead of /bin. Try both paths when not running on Windows. In addition, disable CGo in the integration test build, which was causing the linker to fail. These tests do not need CGo, and it appears we had some version skew with the base image on the runners. In addition, in error cases the recover step of the permissions check was spuriously panicking and masking the "real" failure reason. Don't do that check when a command was not produced. Updates #15350 Change-Id: Icd91517f45c90f7554310ebf1c888cdfd109f43a Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
2025-08-05 21:57:18 +02:00 · 2025-07-16 08:08:59 -07:00 · 2025-07-16 08:08:59 -07:00 · 67514f5eb2
commit 67514f5eb2
parent cb7a0b1dca
2 changed files with 18 additions and 15 deletions
--- a/4
+++ b/4
@ -126,8 +126,8 @@ publishdevproxy: check-image-repo ## Build and publish k8s-proxy image to locati

 .PHONY: sshintegrationtest
 sshintegrationtest: ## Run the SSH integration tests in various Docker containers
-	@GOOS=linux GOARCH=amd64 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
-	GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
+	@GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
+	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
 	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
 	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
 	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@ -51,6 +51,7 @@
 	darwin  = "darwin"
 	freebsd = "freebsd"
 	openbsd = "openbsd"
+	windows = "windows"
 )

 func init() {
@ -80,20 +81,22 @@ func tryExecInDir(ctx context.Context, dir string) error {
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()

-	// Assume that the following executables exist, are executable, and
-	// immediately return.
-	var name string
-	switch runtime.GOOS {
-	case "windows":
-		windir := os.Getenv("windir")
-		name = filepath.Join(windir, "system32", "doskey.exe")
-	default:
-		name = "/bin/true"
+	run := func(path string) error {
+		cmd := exec.CommandContext(ctx, path)
+		cmd.Dir = dir
+		return cmd.Run()
 	}

-	cmd := exec.CommandContext(ctx, name)
-	cmd.Dir = dir
-	return cmd.Run()
+	// Assume that the following executables exist, are executable, and
+	// immediately return.
+	if runtime.GOOS == windows {
+		windir := os.Getenv("windir")
+		return run(filepath.Join(windir, "system32", "doskey.exe"))
+	}
+	if err := run("/bin/true"); !errors.Is(err, exec.ErrNotFound) { // including nil
+		return err
+	}
+	return run("/usr/bin/true")
 }

 // newIncubatorCommand returns a new exec.Cmd configured with
@ -107,7 +110,7 @@ func tryExecInDir(ctx context.Context, dir string) error {
 // The returned Cmd.Env is guaranteed to be nil; the caller populates it.
 func (ss *sshSession) newIncubatorCommand(logf logger.Logf) (cmd *exec.Cmd, err error) {
 	defer func() {
-		if cmd.Env != nil {
+		if cmd != nil && cmd.Env != nil {
 			panic("internal error")
 		}
 	}()