coder
diff --git a/‎.github/actions/setup-tf/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-tf/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 38 additions & 11 deletions b/‎agent/agent.go
Lines changed: 38 additions & 11 deletions
diff --git a/‎cli/ssh_test.go
Lines changed: 4 additions & 1 deletion b/‎cli/ssh_test.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/admin/networking/index.md
Lines changed: 58 additions & 0 deletions b/‎docs/admin/networking/index.md
Lines changed: 58 additions & 0 deletions
diff --git a/‎docs/admin/networking/workspace-proxies.md
Lines changed: 9 additions & 0 deletions b/‎docs/admin/networking/workspace-proxies.md
Lines changed: 9 additions & 0 deletions
diff --git a/‎docs/tutorials/best-practices/scale-coder.md
Lines changed: 2 additions & 2 deletions b/‎docs/tutorials/best-practices/scale-coder.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎dogfood/coder/Dockerfile
Lines changed: 2 additions & 2 deletions b/‎dogfood/coder/Dockerfile
Lines changed: 2 additions & 2 deletions
diff --git a/‎install.sh
Lines changed: 1 addition & 1 deletion b/‎install.sh
Lines changed: 1 addition & 1 deletion
diff --git a/‎provisioner/terraform/install.go
Lines changed: 1 addition & 1 deletion b/‎provisioner/terraform/install.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎provisioner/terraform/testdata/resources/presets/presets.tfplan.json
Lines changed: 2 additions & 2 deletions b/‎provisioner/terraform/testdata/resources/presets/presets.tfplan.json
Lines changed: 2 additions & 2 deletions
@@ -7,5 +7,5 @@ runs:
     - name: Install Terraform
       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
-        terraform_version: 1.11.2
+        terraform_version: 1.11.3
         terraform_wrapper: false
@@ -1186,9 +1186,9 @@ func (a *agent) createOrUpdateNetwork(manifestOK, networkOK *checkpoint) func(co
 		network := a.network
 		a.closeMutex.Unlock()
 		if network == nil {
-			keySeed, err := WorkspaceKeySeed(manifest.WorkspaceID, manifest.AgentName)
+			keySeed, err := SSHKeySeed(manifest.OwnerName, manifest.WorkspaceName, manifest.AgentName)
 			if err != nil {
-				return xerrors.Errorf("generate seed from workspace id: %w", err)
+				return xerrors.Errorf("generate SSH key seed: %w", err)
 			}
 			// use the graceful context here, because creating the tailnet is not itself tied to the
 			// agent API.
@@ -1518,14 +1518,11 @@ func (a *agent) runCoordinator(ctx context.Context, tClient tailnetproto.DRPCTai
 	a.logger.Info(ctx, "connected to coordination RPC")
 
 	// This allows the Close() routine to wait for the coordinator to gracefully disconnect.
-	a.closeMutex.Lock()
-	if a.isClosed() {
-		return nil
+	disconnected := a.setCoordDisconnected()
+	if disconnected == nil {
+		return nil // already closed by something else
 	}
-	disconnected := make(chan struct{})
-	a.coordDisconnected = disconnected
 	defer close(disconnected)
-	a.closeMutex.Unlock()
 
 	ctrl := tailnet.NewAgentCoordinationController(a.logger, network)
 	coordination := ctrl.New(coordinate)
@@ -1547,6 +1544,17 @@ func (a *agent) runCoordinator(ctx context.Context, tClient tailnetproto.DRPCTai
 	return <-errCh
 }
 
+func (a *agent) setCoordDisconnected() chan struct{} {
+	a.closeMutex.Lock()
+	defer a.closeMutex.Unlock()
+	if a.isClosed() {
+		return nil
+	}
+	disconnected := make(chan struct{})
+	a.coordDisconnected = disconnected
+	return disconnected
+}
+
 // runDERPMapSubscriber runs a coordinator and returns if a reconnect should occur.
 func (a *agent) runDERPMapSubscriber(ctx context.Context, tClient tailnetproto.DRPCTailnetClient24, network *tailnet.Conn) error {
 	defer a.logger.Debug(ctx, "disconnected from derp map RPC")
@@ -2068,12 +2076,31 @@ func PrometheusMetricsHandler(prometheusRegistry *prometheus.Registry, logger sl
 	})
 }
 
-// WorkspaceKeySeed converts a WorkspaceID UUID and agent name to an int64 hash.
+// SSHKeySeed converts an owner userName, workspaceName and agentName to an int64 hash.
 // This uses the FNV-1a hash algorithm which provides decent distribution and collision
 // resistance for string inputs.
-func WorkspaceKeySeed(workspaceID uuid.UUID, agentName string) (int64, error) {
+//
+// Why owner username, workspace name, and agent name? These are the components that are used in hostnames for the
+// workspace over SSH, and so we want the workspace to have a stable key with respect to these.  We don't use the
+// respective UUIDs.  The workspace UUID would be different if you delete and recreate a workspace with the same name.
+// The agent UUID is regenerated on each build. Since Coder's Tailnet networking is handling the authentication, we
+// should not be showing users warnings about host SSH keys.
+func SSHKeySeed(userName, workspaceName, agentName string) (int64, error) {
 	h := fnv.New64a()
-	_, err := h.Write(workspaceID[:])
+	_, err := h.Write([]byte(userName))
+	if err != nil {
+		return 42, err
+	}
+	// null separators between strings so that (dog, foodstuff) is distinct from (dogfood, stuff)
+	_, err = h.Write([]byte{0})
+	if err != nil {
+		return 42, err
+	}
+	_, err = h.Write([]byte(workspaceName))
+	if err != nil {
+		return 42, err
+	}
+	_, err = h.Write([]byte{0})
 	if err != nil {
 		return 42, err
 	}
 
@@ -479,6 +479,9 @@ func TestSSH(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
 
+		user, err := client.User(ctx, codersdk.Me)
+		require.NoError(t, err)
+
 		inv, root := clitest.New(t, "ssh", "--stdio", workspace.Name)
 		clitest.SetupConfig(t, client, root)
 		inv.Stdin = clientOutput
@@ -490,7 +493,7 @@ func TestSSH(t *testing.T) {
 			assert.NoError(t, err)
 		})
 
-		keySeed, err := agent.WorkspaceKeySeed(workspace.ID, "dev")
+		keySeed, err := agent.SSHKeySeed(user.Username, workspace.Name, "dev")
 		assert.NoError(t, err)
 
 		signer, err := agentssh.CoderSigner(keySeed)
 
@@ -197,6 +197,64 @@ low-latency browser experiences for geo-distributed teams.
 
 To learn more, see [Workspace Proxies](./workspace-proxies.md).
 
+## Latency
+
+Coder measures and reports several types of latency, providing insights into the performance of your deployment. Understanding these metrics can help you diagnose issues and optimize the user experience.
+
+There are three main types of latency metrics for your Coder deployment:
+
+- Dashboard-to-server latency:
+
+  The Coder UI measures round-trip time to the Coder server or workspace proxy using built-in browser timing capabilities.
+
+  This appears in the user interface next to your username, showing how responsive the dashboard is.
+
+- Workspace connection latency:
+
+  The latency shown on the workspace dashboard measures the round-trip time between the workspace agent and its DERP relay server.
+
+  This metric is displayed in milliseconds on the workspace dashboard and specifically shows the agent-to-relay latency, not direct P2P connections.
+
+  To estimate the total end-to-end latency experienced by a user, add the dashboard-to-server latency to this agent-to-relay latency.
+
+- Database latency:
+
+  For administrators, Coder monitors and reports database query performance in the health dashboard.
+
+### How latency is classified
+
+Latency measurements are color-coded in the dashboard:
+
+- **Green** (<150ms): Good performance.
+- **Yellow** (150-300ms): Moderate latency that might affect user experience.
+- **Red** (>300ms): High latency that will noticeably affect user experience.
+
+### View latency information
+
+- **Dashboard**: The global latency indicator appears in the top navigation bar.
+- **Workspace list**: Each workspace shows its connection latency.
+- **Health dashboard**: Administrators can view advanced metrics including database latency.
+- **CLI**: Use `coder ping <workspace>` to measure and analyze latency from the command line.
+
+### Factors that affect latency
+
+- **Geographic distance**: Physical distance between users, Coder server, and workspaces.
+- **Network connectivity**: Quality of internet connections and routing.
+- **Infrastructure**: Cloud provider regions and network optimization.
+- **P2P connectivity**: Whether direct connections can be established or relays are needed.
+
+### How to optimize latency
+
+To improve latency and user experience:
+
+- **Deploy workspace proxies**: Place [proxies](./workspace-proxies.md) in regions closer to users, connecting back to your single Coder server deployment.
+- **Use P2P connections**: Ensure network configurations permit direct connections.
+- **Strategic placement**: Deploy your Coder server in a region where most users work.
+- **Network configuration**: Optimize routing between users and workspaces.
+- **Check firewall rules**: Ensure they don't block necessary Coder connections.
+
+For help troubleshooting connection issues, including latency problems, refer to the [networking troubleshooting guide](./troubleshooting.md).
+
 ## Up next
 
 - Learn about [Port Forwarding](./port-forwarding.md)
 
@@ -208,6 +208,15 @@ up to 60 seconds.
 
 ![Workspace proxy picker](../../images/admin/networking/workspace-proxies/ws-proxy-picker.png)
 
+## Multiple workspace proxies
+
+When multiple workspace proxies are deployed:
+
+- The browser measures latency to each available proxy independently.
+- Users can select their preferred proxy from the dashboard.
+- The system can automatically select the lowest-latency proxy.
+- The dashboard latency indicator shows latency to the currently selected proxy.
+
 ## Observability
 
 Coder workspace proxy exports metrics via the HTTP endpoint, which can be
 
@@ -126,10 +126,10 @@ Although Coder Server persists no internal state, it operates as a proxy for end
 users to their workspaces in two capacities:
 
 1. As an HTTP proxy when they access workspace applications in their browser via
-the Coder Dashboard.
+   the Coder Dashboard.
 
 1. As a DERP proxy when establishing tunneled connections with CLI tools like
-`coder ssh`, `coder port-forward`, and others, and with desktop IDEs.
+   `coder ssh`, `coder port-forward`, and others, and with desktop IDEs.
 
 Stopping a Coder Server instance will (momentarily) disconnect any users
 currently connecting through that instance. Adding a new instance is not
 
@@ -198,9 +198,9 @@ RUN apt-get update --quiet && apt-get install --yes \
 	# Configure FIPS-compliant policies
 	update-crypto-policies --set FIPS
 
-# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.11.2.
+# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.11.3.
 # Installing the same version here to match.
-RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.11.2/terraform_1.11.2_linux_amd64.zip" && \
+RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.11.3/terraform_1.11.3_linux_amd64.zip" && \
 	unzip /tmp/terraform.zip -d /usr/local/bin && \
 	rm -f /tmp/terraform.zip && \
 	chmod +x /usr/local/bin/terraform && \
 
@@ -273,7 +273,7 @@ EOF
 main() {
 	MAINLINE=1
 	STABLE=0
-	TERRAFORM_VERSION="1.11.2"
+	TERRAFORM_VERSION="1.11.3"
 
 	if [ "${TRACE-}" ]; then
 		set -x
 
@@ -22,7 +22,7 @@ var (
 	// when Terraform is not available on the system.
 	// NOTE: Keep this in sync with the version in scripts/Dockerfile.base.
 	// NOTE: Keep this in sync with the version in install.sh.
-	TerraformVersion = version.Must(version.NewVersion("1.11.2"))
+	TerraformVersion = version.Must(version.NewVersion("1.11.3"))
 
 	minTerraformVersion = version.Must(version.NewVersion("1.1.0"))
 	maxTerraformVersion = version.Must(version.NewVersion("1.11.9")) // use .9 to automatically allow patch releases