10 Releases 150 Tags

RSS Feed

• v0.27.0-beta.1 c87471136b

  Compare

  Pre-Release

  adam released this 2025-10-17 08:28:30 +02:00 | 133 commits to main since this release

  📅 Originally published on GitHub: Fri, 17 Oct 2025 07:24:08 GMT
  🏷️ Git tag created: Fri, 17 Oct 2025 06:28:30 GMT

  Minimum supported Tailscale client version: v1.64.0

  Database integrity improvements

  This release includes a significant database migration that addresses
  longstanding issues with the database schema and data integrity that has
  accumulated over the years. The migration introduces a schema.sql file as the
  source of truth for the expected database schema to ensure new migrations that
  will cause divergence does not occur again.

  These issues arose from a combination of factors discovered over time: SQLite
  foreign keys not being enforced for many early versions, all migrations being
  run in one large function until version 0.23.0, and inconsistent use of GORM's
  AutoMigrate feature. Moving forward, all new migrations will be explicit SQL
  operations rather than relying on GORM AutoMigrate, and foreign keys will be
  enforced throughout the migration process.

  We are only improving SQLite databases with this change - PostgreSQL databases
  are not affected.

  Please read the PR description for more technical details about the issues and solutions.

  SQLite Database Backup Example:

  # Stop headscale
  systemctl stop headscale
  
  # Backup sqlite database
  cp /var/lib/headscale/db.sqlite /var/lib/headscale/db.sqlite.backup
  
  # Backup sqlite WAL/SHM files (if they exist)
  cp /var/lib/headscale/db.sqlite-wal /var/lib/headscale/db.sqlite-wal.backup
  cp /var/lib/headscale/db.sqlite-shm /var/lib/headscale/db.sqlite-shm.backup
  
  # Start headscale (migration will run automatically)
  systemctl start headscale
  

  DERPMap update frequency

  The default DERPMap update frequency has been changed from 24 hours to 3 hours.
  If you set the derp.update_frequency configuration option, it is recommended
  to change it to 3h to ensure that the headscale instance gets the latest
  DERPMap updates when upstream is changed.

  Autogroups

  This release adds support for the three missing autogroups: self
  (experimental), member, and tagged. Please refer to the
  documentation for a detailed
  explanation.

  autogroup:self is marked as experimental and should be used with caution, but
  we need help testing it. Experimental here means two things; first, generating
  the packet filter from policies that use autogroup:self is very expensive, and
  it might perform, or straight up not work on Headscale installations with a
  large number of nodes. Second, the implementation might have bugs or edge cases
  we are not aware of, meaning that nodes or users might gain more access than
  expected. Please report bugs.

  Node store (in memory database)

  Under the hood, we have added a new datastructure to store nodes in memory. This
  datastructure is called NodeStore and aims to reduce the reading and writing
  of nodes to the database layer. We have not benchmarked it, but expect it to
  improve performance for read heavy workloads. We think of it as, "worst case" we
  have moved the bottle neck somewhere else, and "best case" we should see a good
  improvement in compute resource usage at the expense of memory usage. We are
  quite excited for this change and think it will make it easier for us to improve
  the code base over time and make it more correct and efficient.

  BREAKING

  • Remove support for 32-bit binaries
    #2692
  • Policy: Zero or empty destination port is no longer allowed
    #2606

  Changes

  • Database schema migration improvements for SQLite
    #2617
    • IMPORTANT: Backup your SQLite database before upgrading
    • Introduces safer table renaming migration strategy
    • Addresses longstanding database integrity issues
  • Add flag to directly manipulate the policy in the database
    #2765
  • DERPmap update frequency default changed from 24h to 3h
    #2741
  • DERPmap update mechanism has been improved with retry, and is now failing
    conservatively, preserving the old map upon failure.
    #2741
  • Add support for autogroup:member, autogroup:tagged
    #2572
  • Fix bug where return routes were being removed by policy
    #2767
  • Remove policy v1 code #2600
  • Refactor Debian/Ubuntu packaging and drop support for Ubuntu 20.04.
    #2614
  • Remove redundant check regarding noise config
    #2658
  • Refactor OpenID Connect documentation
    #2625
  • Don't crash if config file is missing
    #2656
  • Adds /robots.txt endpoint to avoid crawlers
    #2643
  • OIDC: Use group claim from UserInfo
    #2663
  • OIDC: Update user with claims from UserInfo before comparing with allowed
    groups, email and domain
    #2663
  • Policy will now reject invalid fields, making it easier to spot spelling
    errors #2764
  • Add FAQ entry on how to recover from an invalid policy in the database
    #2776
  • EXPERIMENTAL: Add support for autogroup:self
    #2789
  • Add healthcheck command #2659

  Changelog

  • 0512f7c57e .github/ISSUE_TEMPLATE: add node number to environment
  • 05996a5048 .github/workflow: only run a few selected postgres tests
  • f6c4b338fd .github/workflows: add generate check
  • 5ba7120418 .github/workflows: prettier
  • 4a8d2d9ed3 .github/workflows: reduce integration retry to 3
  • 7f8b14f6f3 .github/workflows: remove integration retry
  • e949859d33 Add DERP docs
  • bd35fcf338 Add FAQ entry about policy migration in the database
  • 30d12dafed Add FAQ entry about the recommended upgrade path
  • bcd80ee773 Add debugging and troubleshooting guide
  • 76ca7a2b50 Add headscale-console
  • 98fc0563ac Bump version in docs
  • 33e9e7a71f CLAUDE: split into agents
  • 3f72ee9de8 Clarify SIGHUP log message (#2661)
  • 51c6367bb1 Correctly document the default for dns.override_local_dns
  • 2f3c365b68 Describe how to remove a DERP region
  • 49b3468845 Do not ignore config-example.yml
  • c15aa541bb Document HEADSCALE_CONFIG
  • b50e10a1be Document breaking change for dns.override_local_dns
  • 30cec3aa2b Document ports in use
  • c04e17d82e Document valid log levels
  • cd704570be Drop support for Ubuntu 20.04
  • 43c9c50af4 Drop syslog.target and systemd-managed /var/run
  • be337c6a33 Enable derp.server.verify_clients by default
  • e73b2a9fb9 Ensure that a username starts with a letter (#2635)
  • fa619ea9f3 Fix CHANGELOG for autogroup:member and autogroup:tagged (#2733)
  • 086fcad7d9 Fix Internal server error on /verify (#2735)
  • bad783321e Fix /machine/map endpoint vulnerability (#2642)
  • 46c59a3fff Fix command in bug report template
  • a8f2eebf66 Fix config param name in TLS doc
  • e7fe645be5 Fix invocation of golangci-lint (#2703)
  • 3123d5286b Fix typos
  • 4e6d42d5bd Keycloak's group format is configurable
  • 30a1f7e68e Log registrationID to simplify interactive node registration
  • 2d680b5ebb Misc typos and spelling
  • 5d8a2c25ea OIDC: Query userinfo endpoint before verifying user
  • 4a941a2cb4 Refactor Debian/Ubuntu package
  • d461db3abd Refactor OpenID Connect documentation
  • a2a6d20218 Refactor to use reflect.TypeFor
  • 8ff5baadbe Refresh OIDC docs
  • b8044c29dd Replace magic-nix-cache-action (#2575)
  • a98d9bd05f The preauthkeys commands expect a user id instead of a username
  • 881a6b9227 The sequential prefix allocation uses a best-effort approach
  • 3fbde7a1b6 Update official.md
  • 860a8a597f Update tools.md
  • 4d61da30d0 Use an IPv4 address range suitable for documentation
  • c6427aa296 Use group id instead of group name for Entra ID
  • c07cc491bf add health command (#2659)
  • 7fce5065c4 all: remove 32 bit support (#2692)
  • 73023c2ec3 all: use immutable node view in read path
  • d41fb4d540 app: fix sigint hanging
  • 8e25f7f9dd bunch of qol (#2748)
  • 4668e5dd96 changelog: add entry for db
  • e7a28a14af changelog: prepare for 0.27.0 (#2797)
  • d29feaef79 chore(derp): allow nil regions in DERPMaps
  • 630bfd265a chore(derp): prioritize loading DERP maps from URLs
  • 022098fe4e chore: make reg cache expiry tunable
  • 081af2674b ci: fix golangci-lint flag for v2 compatibility (#2654)
  • 3950f8f171 cli: use gobuild version handling (#2770)
  • ea7376f522 cmd/hi: add integration test runner CLI tool (#2648)
  • afc11e1f0c cmd/hi: fixes and qol (#2649)
  • 3326c5b7ec cmd/hi: lint and format
  • 684239e015 cmd/mapresponses: add mini tool to inspect mapresp state from integration
  • 2b30a15a68 cmd: add option to get and set policy directly from database (#2765)
  • c6736dd6d6 db: add sqlite "source of truth" schema
  • 50ed24847b debug: add json and improve
  • 38be30b6d4 derp: allow override to ip for debug
  • 7056fbb63b derp: fix flaky shuffle test (#2772)
  • b87567628a derp: increase update frequency and harden on failures (#2741)
  • 3e3c72ea6f docs(acls): Add example for allow/deny all acl policy
  • ded049b905 don't crash if config file is missing (#2656)
  • df69840f92 feat(tools): Add Go client implementation
  • 6750414db1 feat: add autogroup:member, autogroup:tagged (#2572)
  • c2a58a304d feat: add autogroup:self (#2789)
  • d77874373d feat: add robots.txt
  • d325211617 feat: add verify client config for embedded DERP (#2260)
  • 1605e2a7a9 fix typo in TailSQL's log
  • efc6974017 fix typo in parseCapabilityVersion, and removed unused error (#2644) (#2644)
  • 43f90d205e fix: allow all traffic if acls field is omited from the policy
  • 3f6657ae57 fix: documentation
  • 4927e9d590 fix: improve mapresponses and profiles extraction in hi tool
  • c4a8c038cd fix: return valid AuthUrl in followup request on expired reg id
  • 3bad5d5590 flake.lock: Update (#2585)
  • 6220e64978 flake.lock: Update (#2669)
  • 1a7a2f4196 flake.lock: Update (#2699)
  • 40b3d54c1f flake.lock: Update (#2755)
  • d311d2e206 flake: dont override gopls
  • 4de56c40d8 flake: goreleaser doesnt follow go nix convention (#2779)
  • 39443184d6 gen: new proto version
  • 22e6094a90 golangci: disable varnamelen
  • 30525cee0e goreleaser: always do draft (#2595)
  • a975b6a8b1 hscontrol: remove go-grpc-middleware v1 dependency (#2653)
  • 9b962956b5 integration: Eventually, debug output, lint and format
  • 044193bf34 integration: Use Eventually around external calls (#2685)
  • c87471136b integration: eventually fixups (#2799)
  • 4893cdac74 integration: make timestamp const
  • c6d7b512bd integration: replace time.Sleep with assert.EventuallyWithT (#2680)
  • 3b16b75fe6 integration: rework retry for waiting for node sync
  • 9779adc0b7 integration: run headscale with delve and debug symbols (#2689)
  • 306d8e1bd4 integration: validate expected online status in ping
  • 233dffc186 lint and leftover
  • b6d5788231 mapper: produce map before poll
  • a058bf3cd3 mapper: produce map before poll (#2628)
  • ed3a9c8d6d mapper: send change instead of full update (#2775)
  • ccd79ed8d4 mcp: add some standard mcp server
  • bd6ed80936 policy/v2: error on missing or zero port (#2606)
  • ee0ef396a2 policy: fix ssh usermap, fixing autogroup:nonroot (#2768)
  • 2938d03878 policy: reject unsupported fields (#2764)
  • a52f1df180 policy: remove v1 code (#2600)
  • 01c1f6f82a policy: validate error message for asterix in ssh (#2766)
  • c91b9fc761 poll: add missing godoc (#2763)
  • b904276f2b poll: use nodeview everywhere
  • 0303b76e1f postgres uses more memory
  • 855c48aec2 remove unneeded check (#2658)
  • fddc7117e4 stability and race conditions in auth and node store (#2781)
  • 9d236571f4 state/nodestore: in memory representation of nodes
  • 476f30ab20 state: ensure netinfo is preserved and not removed
  • 1553f0ab53 state: introduce state
  • b4f7782fd8 support force flag for nodes backfillips
  • 4912769ab3 update dependencies (#2798)
  • 81b3e8f743 util: harden parsing of traceroute
  • d2879b2b36 web: change node registration parameter order (#2607)
  • 1b1c989268 {policy, node}: allow return paths in route reduction (#2767)

  Downloads

  • checksums.txt
    823 B

    2025-12-29 00:24:49 +01:00
  • headscale_0.27.0-beta.1.tar.gz
    55 MiB

    2025-12-29 00:24:55 +01:00
  • headscale_0.27.0-beta.1_darwin_amd64
    48 MiB

    2025-12-29 00:24:59 +01:00
  • headscale_0.27.0-beta.1_darwin_arm64
    46 MiB

    2025-12-29 00:25:03 +01:00
  • headscale_0.27.0-beta.1_freebsd_amd64
    46 MiB

    2025-12-29 00:25:10 +01:00
  • headscale_0.27.0-beta.1_linux_amd64
    55 MiB

    2025-12-29 00:25:15 +01:00
  • headscale_0.27.0-beta.1_linux_amd64.deb
    20 MiB

    2025-12-29 00:25:17 +01:00
  • headscale_0.27.0-beta.1_linux_arm64
    52 MiB

    2025-12-29 00:25:22 +01:00
  • headscale_0.27.0-beta.1_linux_arm64.deb
    18 MiB

    2025-12-29 00:25:24 +01:00
  • Source Code (ZIP)
  • Source Code (TAR.GZ)