headscale preauth create writes warnings to stdout #654

New Issue

adam · 2025-12-29T02:21:39+01:00

adam commented

2025-12-29 02:21:39 +01:00

Originally created by @antifuchs on GitHub (Feb 27, 2024).

Bug description

When creating a preauth key in a configuration where headscale would log a warning, the auth key written to stdout is polluted by these warning log messages. This affects the human-readable output format, but also -o json.

Environment

Version of headscale used v0.22.3
Version of tailscale client: N/A
OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: NixOS 23.11
Kernel version 6.1.72
The relevant config parameters you used: see below; notice absence of ip_prefixes
Log output from running headscale preauth create --user basic --reusable -e 24h 2>/dev/null: see below
Headscale is behind a (reverse) proxy
Headscale runs in a container

To Reproduce

Generate a config like above, where ip_prefixes isn't set
Run headscale users create basic and headscale preauthkeys create --reusable -e 24h -u basic > /tmp/preauth-key
Observe that /tmp/preauth-key contains log messages, followed by the preauth key, like:

2024-02-27T15:21:33Z WRN 'ip_prefixes' not configured, falling back to default: [100.64.0.0/10]
2024-02-27T15:21:33Z WRN 'ip_prefixes' not configured, falling back to default: [100.64.0.0/10]
67ba496fdb8f7cda2bd3e682f976e7087bbbdd1844a6dcff

Logs and attachments

config file:

acl_policy_path: null
db_host: null
db_name: null
db_password_file: null
db_path: /var/lib/headscale/db.sqlite
db_port: null
db_type: sqlite3
db_user: null
derp:
  auto_update_enable: true
  paths: []
  update_frequency: 24h
  urls:
  - https://controlplane.tailscale.com/derpmap/default
disable_check_updates: true
dns_config:
  base_domain: ''
  domains: []
  magic_dns: true
  nameservers:
  - 1.1.1.1
  override_local_dns: false
ephemeral_node_inactivity_timeout: 30m
listen_addr: 127.0.0.1:8080
log:
  format: text
  level: info
noise:
  private_key_path: /var/lib/headscale/noise_private.key
oidc:
  allowed_domains: []
  allowed_users: []
  client_id: ''
  client_secret_path: null
  extra_params: {}
  issuer: ''
  scope:
  - openid
  - profile
  - email
  strip_email_domain: true
private_key_path: /var/lib/headscale/private.key
server_url: http://127.0.0.1:8080
tls_cert_path: null
tls_key_path: null
tls_letsencrypt_cache_dir: /var/lib/headscale/.cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_hostname: ''
tls_letsencrypt_listen: :http
unix_socket: /run/headscale/headscale.sock

Originally created by @antifuchs on GitHub (Feb 27, 2024). ## Bug description When creating a preauth key in a configuration where `headscale` would log a warning, the auth key written to stdout is polluted by these warning log messages. This affects the human-readable output format, but also `-o json`. ## Environment - Version of headscale used v0.22.3 - Version of tailscale client: N/A - OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: NixOS 23.11 - Kernel version 6.1.72 - The relevant config parameters you used: see below; notice absence of `ip_prefixes` - Log output from running `headscale preauth create --user basic --reusable -e 24h 2>/dev/null`: see below - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ## To Reproduce 1. Generate a config like above, where `ip_prefixes` isn't set 2. Run `headscale users create basic` and `headscale preauthkeys create --reusable -e 24h -u basic > /tmp/preauth-key` 3. Observe that `/tmp/preauth-key` contains log messages, followed by the preauth key, like: ```console 2024-02-27T15:21:33Z WRN 'ip_prefixes' not configured, falling back to default: [100.64.0.0/10] 2024-02-27T15:21:33Z WRN 'ip_prefixes' not configured, falling back to default: [100.64.0.0/10] 67ba496fdb8f7cda2bd3e682f976e7087bbbdd1844a6dcff ``` ## Logs and attachments config file: ```yml acl_policy_path: null db_host: null db_name: null db_password_file: null db_path: /var/lib/headscale/db.sqlite db_port: null db_type: sqlite3 db_user: null derp: auto_update_enable: true paths: [] update_frequency: 24h urls: - https://controlplane.tailscale.com/derpmap/default disable_check_updates: true dns_config: base_domain: '' domains: [] magic_dns: true nameservers: - 1.1.1.1 override_local_dns: false ephemeral_node_inactivity_timeout: 30m listen_addr: 127.0.0.1:8080 log: format: text level: info noise: private_key_path: /var/lib/headscale/noise_private.key oidc: allowed_domains: [] allowed_users: [] client_id: '' client_secret_path: null extra_params: {} issuer: '' scope: - openid - profile - email strip_email_domain: true private_key_path: /var/lib/headscale/private.key server_url: http://127.0.0.1:8080 tls_cert_path: null tls_key_path: null tls_letsencrypt_cache_dir: /var/lib/headscale/.cache tls_letsencrypt_challenge_type: HTTP-01 tls_letsencrypt_hostname: '' tls_letsencrypt_listen: :http unix_socket: /run/headscale/headscale.sock ```

adam added the bug label 2025-12-29 02:21:39 +01:00

adam closed this issue

2025-12-29 02:21:39 +01:00

adam commented

2025-12-29 02:21:40 +01:00

@sjansen1 commented on GitHub (Feb 28, 2024):

You have to define subnets in config.yaml like this:

ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10

@sjansen1 commented on GitHub (Feb 28, 2024): You have to define subnets in config.yaml like this: ``` ip_prefixes: - fd7a:115c:a1e0::/48 - 100.64.0.0/10 ```

adam commented

2025-12-29 02:21:40 +01:00

@antifuchs commented on GitHub (Feb 29, 2024):

You're right, there is a way to avoid having headscale print that warning. What I'm trying to get at is that whenever headscale used as a CLI program that is meant to emit machine-readable output logs a warning, that warning corrupts the machine-readable output (and the output doesn't go anywhere that a human could pick it up, like stderr).

@antifuchs commented on GitHub (Feb 29, 2024): You're right, there is a way to avoid having `headscale` print that warning. What I'm trying to get at is that whenever headscale used as a CLI program that is meant to emit machine-readable output logs a warning, that warning corrupts the machine-readable output (and the output doesn't go anywhere that a human could pick it up, like stderr).

adam commented

2025-12-29 02:21:40 +01:00

@zatricky commented on GitHub (Apr 8, 2024):

You have to define subnets in config.yaml like this:
ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10

The config-example.yaml in main gives prefixes rather than ip_prefixes ... that might explain it. The config example for v0.22.3 gives ip_prefixes appropriately however.

@zatricky commented on GitHub (Apr 8, 2024): > You have to define subnets in config.yaml like this: > > ``` > ip_prefixes: > - fd7a:115c:a1e0::/48 > - 100.64.0.0/10 > ``` The `config-example.yaml` in main gives `prefixes` rather than `ip_prefixes` ... that might explain it. The [config example](https://github.com/juanfont/headscale/blob/v0.22.3/config-example.yaml) for `v0.22.3` gives `ip_prefixes` appropriately however.

adam commented

2025-12-29 02:21:40 +01:00

@antifuchs commented on GitHub (Apr 8, 2024):

Thank you, again, I know why the warning gets written.

What I would like to see fixed is that if a (any!) warning gets written, that warning goes to stderr, which then pollutes the (otherwise usable) output.

@antifuchs commented on GitHub (Apr 8, 2024): Thank you, again, I know _why_ the warning gets written. What I would like to see fixed is that _if_ a (any!) warning gets written, that warning goes to stderr, which then pollutes the (otherwise usable) output.

adam commented

2025-12-29 02:21:41 +01:00

@kradalby commented on GitHub (May 1, 2024):

I think this was fixed in https://github.com/juanfont/headscale/pull/1524, have you given the last alpha a go?

@kradalby commented on GitHub (May 1, 2024): I think this was fixed in https://github.com/juanfont/headscale/pull/1524, have you given the last alpha a go?

adam referenced this issue

2025-12-29 02:30:33 +01:00

[PR #654] [MERGED] Add version info to binary in Docker container #1553

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#654

headscale preauth create writes warnings to stdout #654

Bug description

Environment

To Reproduce

Logs and attachments

`headscale preauth create` writes warnings to stdout #654