[Bug] Adding a tag via CLI removes advertised tag #2615

Open
@Murgeye

Description

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Since v0.26 adding tags via CLI seems to invalidate advertised tags, removing them completely from the tag list. This only happens after a new node advertising the same tag is added.

This can be reproduced by adding a node advertising a tag to headscale, then adding a forced tag to that same node. If you then register another node advertising the same tag, the first node loses its advertised tag (for more details see Steps to reproduce).

This basically causes all my ACLs to break, since several nodes have lost their advertised tags with the update. This might be due to another related issue, which, however, I cannot easily reproduce.

If I can do anything more to help debug this, let me know!

Expected Behavior

CLI-added tags and advertised tags should not influence each other.

Steps To Reproduce

  1. Configure two tags, e.g., tag:vm and tag:test
  2. On machine 1 run: sudo tailscale login --login-server=https://<...> --authkey=<..> --advertise-tags=tag:vm
  3. Run headscale nodes ls --tags on the headscale server
    Result, as expected:
ID | Hostname  | Name      | MachineKey | NodeKey | User   | IP addresses                  | Ephemeral | Last seen           | Expiration | Connected | Expired | ForcedTags | InvalidTags | ValidTags
4  | test-vm-1 | test-vm-1 | [A5yrv]    | [XuMNd] | vms    | 100.64.0.2, fd7a:115c:a1e0::2 | false     | 2025-05-19 13:17:35 | N/A        | online    | no      |            |             | tag:vm

  4. On the server run docker compose exec headscale headscale nodes tag -i 4 -t "tag:test"
    Result, still as expected:
ID | Hostname  | Name      | MachineKey | NodeKey | User   | IP addresses                  | Ephemeral | Last seen           | Expiration | Connected | Expired | ForcedTags | InvalidTags | ValidTags
4  | test-vm-1 | test-vm-1 | [A5yrv]    | [XuMNd] | vms    | 100.64.0.2, fd7a:115c:a1e0::2 | false     | 2025-05-19 13:17:35 | N/A        | online    | no      | tag:test   |             | tag:vm
  5. On the second machine run: sudo tailscale login --login-server=https://<...> --authkey=<..> --advertise-tags=tag:vm
    Result:
ID | Hostname  | Name      | MachineKey | NodeKey | User   | IP addresses                  | Ephemeral | Last seen           | Expiration | Connected | Expired | ForcedTags | InvalidTags | ValidTags
4  | test-vm-1 | test-vm-1 | [A5yrv]    | [XuMNd] | vms    | 100.64.0.2, fd7a:115c:a1e0::2 | false     | 2025-05-19 13:17:35 | N/A        | online    | no      | tag:test   |             |
5  | test-vm-2 | test-vm-2 | [fQQNE]    | [Blqu5] | vms    | 100.64.0.3, fd7a:115c:a1e0::3 | false     | 2025-05-19 13:19:20 | N/A        | online    | no      |            |             | tag:vm

See that tag:vm is missing from test-vm-1.

Environment

- OS: Ubuntu 24.04
- Headscale version: 0.26
- Tailscale version: 1.82.5

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

Policy:

{
  "groups": {
    "group:admins": ["fabian@"],
    "group:vms": ["vms@"]
  },
  "tagOwners": {
    "tag:vm": ["group:admins", "group:vms"],
    "tag:test": ["fabian@"],
    "tag:exit-node": ["group:admins"]
  },
  // Servers with tag exit node can advertise exit nodes without further approval
  "autoApprovers": {
    "exitNode": ["tag:exit-node"]
  },
  "acls": [
    // Allow admins full access to VMs
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": [
        "tag:vm:*"
      ]
    }
  ]
}

headscale.log
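
A check for the regression described in this issue, added here as an example (not part of the original report and not headscale's own code): it diffs two snapshots of `headscale nodes ls --tags` and lists every tag a node had before but not after. It assumes the pipe-delimited layout shown above; the function names, the `[key]` placeholders and the sample rows are constructed for illustration.

```python
# Added example: detect tags dropped between two snapshots of
# `headscale nodes ls --tags` (pipe-delimited layout as shown in this issue).
TAG_COLUMNS = ("ForcedTags", "InvalidTags", "ValidTags")

def parse_nodes(table_text):
    """Return {node_id: {"Hostname": str, <tag column>: set(tags)}}."""
    lines = [l for l in table_text.splitlines() if "|" in l]
    if not lines:
        return {}
    header = [c.strip() for c in lines[0].split("|")]
    nodes = {}
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        cells += [""] * (len(header) - len(cells))  # pad if trailing empty cells were trimmed
        row = dict(zip(header, cells))
        tags = {col: set(row.get(col, "").replace(",", " ").split()) for col in TAG_COLUMNS}
        nodes[row["ID"]] = {"Hostname": row["Hostname"], **tags}
    return nodes

def lost_tags(before_text, after_text):
    """List (id, hostname, column, tag) for each tag present before but gone after."""
    before, after = parse_nodes(before_text), parse_nodes(after_text)
    findings = []
    for node_id, old in before.items():
        new = after.get(node_id)
        if new is None:
            continue  # node no longer listed; not the failure this check targets
        for col in ("ForcedTags", "ValidTags"):
            for tag in sorted(old[col] - new[col]):
                findings.append((node_id, old["Hostname"], col, tag))
    return findings

# Constructed sample input, modelled on the rows in this report (spacing collapsed).
HEADER = ("ID | Hostname | Name | MachineKey | NodeKey | User | IP addresses | Ephemeral | "
          "Last seen | Expiration | Connected | Expired | ForcedTags | InvalidTags | ValidTags")
ROW = ("{id} | {host} | {host} | [key] | [key] | vms | {ip} | false | "
       "2025-05-19 13:17:35 | N/A | online | no | {forced} | | {valid}")
BEFORE = "\n".join([
    HEADER,
    ROW.format(id=4, host="test-vm-1", ip="100.64.0.2", forced="tag:test", valid="tag:vm"),
])
AFTER = "\n".join([
    HEADER,
    ROW.format(id=4, host="test-vm-1", ip="100.64.0.2", forced="tag:test", valid=""),
    ROW.format(id=5, host="test-vm-2", ip="100.64.0.3", forced="", valid="tag:vm"),
])

if __name__ == "__main__":
    for node_id, host, col, tag in lost_tags(BEFORE, AFTER):
        print(f"node {node_id} ({host}) lost {tag} from {col}")
```

Taking a snapshot before and after each node registration or `headscale nodes tag` call makes a silent tag drop visible before ACL rules such as `tag:vm:*` stop matching the node.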

Labels: bug, tags, well described ❤️
