Releases: juanfont/headscale
v0.24.0-beta.2
Security fix: OIDC changes in Headscale 0.24.0
The following issue only affects Headscale installations which authenticate
with OIDC.
Headscale v0.23.0 and earlier identified OIDC users by the "username" part of
their email address (when strip_email_domain: true
, the default) or whole
email address (when strip_email_domain: false
).
Depending on how Headscale and your Identity Provider (IdP) were configured,
only using the email
claim could allow a malicious user with an IdP account to
take over another Headscale user's account, even when
strip_email_domain: false
.
This would also cause a user to lose access to their Headscale account if they
changed their email address.
Headscale v0.24.0 now identifies OIDC users by the iss
and sub
claims.
These are guaranteed by the OIDC specification to be stable and unique,
even if a user changes email address. A well-designed IdP will typically set
sub
to an opaque identifier like a UUID or numeric ID, which has no relation
to the user's name or email address.
Headscale v0.24.0 and later will also automatically update profile fields with
OIDC data on login. This means that users can change those details in your IdP,
and have it populate to Headscale automatically the next time they log in.
However, this may affect the way you reference users in policies.
Headscale v0.23.0 and earlier never recorded the iss
and sub
fields, so all
legacy (existing) OIDC accounts need to be migrated to be properly
secured.
What do I need to do to migrate?
Headscale v0.24.0 has an automatic migration feature, which is enabled by
default (map_legacy_users: true
). This will be disabled by default in a
future version of Headscale – any unmigrated users will get new accounts.
The migration will mostly be done automatically, with one exception. If your
OIDC does not provide an email_verified
claim, Headscale will ignore the
email
. This means that either the administrator will have to mark the user
emails as verified, or ensure the users verify their emails. Any unverified
emails will be ignored, meaning that the users will get new accounts instead
of being migrated.
After this exception is ensured, make all users log into Headscale with their
account, and Headscale will automatically update the account record. This will
be transparent to the users.
When all users have logged in, you can disable the automatic migration by
setting map_legacy_users: false
in your configuration file.
Please note that map_legacy_users
will be set to false
by default in v0.25.0
and the migration mechanism will be removed in v0.26.0.
What does automatic migration do?
What does automatic migration do?
When automatic migration is enabled (map_legacy_users: true
), Headscale will
first match an OIDC account to a Headscale account by iss
and sub
, and then
fall back to matching OIDC users similarly to how Headscale v0.23.0 did:
- If
strip_email_domain: true
(the default): the Headscale username matches
the "username" part of their email address. - If
strip_email_domain: false
: the Headscale username matches the whole
email address.
On migration, Headscale will change the account's username to their
preferred_username
. This could break any ACLs or policies which are
configured to match by username.
Like with Headscale v0.23.0 and earlier, this migration only works for users who
haven't changed their email address since their last Headscale login.
A successful automated migration should otherwise be transparent to users.
Once a Headscale account has been migrated, it will be unavailable to be
matched by the legacy process. An OIDC login with a matching username, but
non-matching iss
and sub
will instead get a new Headscale account.
Because of the way OIDC works, Headscale's automated migration process can
only work when a user tries to log in after the update.
Legacy account migration should have no effect on new installations where all
users have a recorded sub
and iss
.
What happens when automatic migration is disabled?
What happens when automatic migration is disabled?
When automatic migration is disabled (map_legacy_users: false
), Headscale will
only try to match an OIDC account to a Headscale account by iss
and sub
.
If there is no match, it will get a new Headscale account – even if there was
a legacy account which could have matched and migrated.
We recommend new Headscale users explicitly disable automatic migration – but it
should otherwise have no effect if every account has a recorded iss
and sub
.
When automatic migration is disabled, the strip_email_domain
setting will have
no effect.
Special thanks to @micolous for reviewing, proposing and working with us on
these changes.
Other OIDC changes
Headscale now uses
the standard OIDC claims
to populate and update user information every time they log in:
Headscale profile field | OIDC claim | Notes / examples |
---|---|---|
email address | email |
Only used when "email_verified": true |
display name | name |
eg: Sam Smith |
username | preferred_username |
Varies depending on IdP and configuration, eg: ssmith , ssmith@idp.example.com , \\example.com\ssmith |
profile picture | picture |
URL to a profile picture or avatar |
These should show up nicely in the Tailscale client.
This will also affect the way you
reference users in policies.
BREAKING
- Remove
dns.use_username_in_magic_dns
configuration option
#2020,
#2279- Having usernames in magic DNS is no longer possible.
- Remove versions older than 1.56
#2149- Clean up old code required by old versions
- User gRPC/API #2261:
- If you depend on a Headscale Web UI, you should wait with this update until
the UI have been updated to match the new API. GET /api/v1/user/{name}
andGetUser
have been removed in favour ofListUsers
with an ID parameterRenameUser
andDeleteUser
now require an ID instead of a name.
- If you depend on a Headscale Web UI, you should wait with this update until
Changes
- Improved compatibilty of built-in DERP server with clients connecting over
WebSocket #2132 - Allow nodes to use SSH agent forwarding
#2145 - Fixed processing of fields in post request in MoveNode rpc
#2179 - Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules
applied #2198 - Fixed updating of hostname and givenName when it is updated in HostInfo
#2199 - Fixed missing
stable-debug
container tag
#2232 - Loosened up
server_url
andbase_domain
check. It was overly strict in some
cases. #2248 - CLI for managing users now accepts
--identifier
in addition to--name
,
usage of--identifier
is recommended
#2261 - Add
dns.extra_records_path
configuration option #2262 - Support client verify for DERP #2046
Changelog
- e270169 Add -race Flag to GitHub Action and Fix Data Race in CreateTailscaleNodesInUser (#2038)
- 47b405d Changelog: support client verify for DERP
- 7d937c6 Correct macOS GUI connect guide because there's no ALT key on a mac (#2306)
- 3269cfd Mention reload and SIGHUP when editing the ACL policy file
- 0acb2b5 Misc doc updates
- 65304a0 Remove sealos documentation
- bbc93a9 Set title for code listings
- 319ce67 Update DNS documentation for dns.extra_records_path
- af4508b bump deps (#2308)
- 5345f19 fix issue where some oidc claim bools are sent as string (#2297)
- ec8729b fix sighup issue with empty acl (#2296)
- 770f3dc fix tags not resolving to username if email is present (#2309)
- ccc895b fixes to extra-record file watcher (#2298)
- e00b9d9 flake.lock: Update (#2294)
v0.24.0-beta.1
Security fix: OIDC changes in Headscale 0.24.0
The following issue only affects Headscale installations which authenticate
with OIDC.
Headscale v0.23.0 and earlier identified OIDC users by the "username" part of
their email address (when strip_email_domain: true
, the default) or whole
email address (when strip_email_domain: false
).
Depending on how Headscale and your Identity Provider (IdP) were configured,
only using the email
claim could allow a malicious user with an IdP account to
take over another Headscale user's account, even when
strip_email_domain: false
.
This would also cause a user to lose access to their Headscale account if they
changed their email address.
Headscale v0.24.0 now identifies OIDC users by the iss
and sub
claims.
These are guaranteed by the OIDC specification to be stable and unique,
even if a user changes email address. A well-designed IdP will typically set
sub
to an opaque identifier like a UUID or numeric ID, which has no relation
to the user's name or email address.
Headscale v0.24.0 and later will also automatically update profile fields with
OIDC data on login. This means that users can change those details in your IdP,
and have it populate to Headscale automatically the next time they log in.
However, this may affect the way you reference users in policies.
Headscale v0.23.0 and earlier never recorded the iss
and sub
fields, so all
legacy (existing) OIDC accounts need to be migrated to be properly
secured.
What do I need to do to migrate?
Headscale v0.24.0 has an automatic migration feature, which is enabled by
default (map_legacy_users: true
). This will be disabled by default in a
future version of Headscale – any unmigrated users will get new accounts.
The migration will mostly be done automatically, with one exception. If your
OIDC does not provide an email_verified
claim, Headscale will ignore the
email
. This means that either the administrator will have to mark the user
emails as verified, or ensure the users verify their emails. Any unverified
emails will be ignored, meaning that the users will get new accounts instead
of being migrated.
After this exception is ensured, make all users log into Headscale with their
account, and Headscale will automatically update the account record. This will
be transparent to the users.
When all users have logged in, you can disable the automatic migration by
setting map_legacy_users: false
in your configuration file.
Please note that map_legacy_users
will be set to false
by default in v0.25.0
and the migration mechanism will be removed in v0.26.0.
What does automatic migration do?
What does automatic migration do?
When automatic migration is enabled (map_legacy_users: true
), Headscale will
first match an OIDC account to a Headscale account by iss
and sub
, and then
fall back to matching OIDC users similarly to how Headscale v0.23.0 did:
- If
strip_email_domain: true
(the default): the Headscale username matches
the "username" part of their email address. - If
strip_email_domain: false
: the Headscale username matches the whole
email address.
On migration, Headscale will change the account's username to their
preferred_username
. This could break any ACLs or policies which are
configured to match by username.
Like with Headscale v0.23.0 and earlier, this migration only works for users who
haven't changed their email address since their last Headscale login.
A successful automated migration should otherwise be transparent to users.
Once a Headscale account has been migrated, it will be unavailable to be
matched by the legacy process. An OIDC login with a matching username, but
non-matching iss
and sub
will instead get a new Headscale account.
Because of the way OIDC works, Headscale's automated migration process can
only work when a user tries to log in after the update.
Legacy account migration should have no effect on new installations where all
users have a recorded sub
and iss
.
What happens when automatic migration is disabled?
What happens when automatic migration is disabled?
When automatic migration is disabled (map_legacy_users: false
), Headscale will
only try to match an OIDC account to a Headscale account by iss
and sub
.
If there is no match, it will get a new Headscale account – even if there was
a legacy account which could have matched and migrated.
We recommend new Headscale users explicitly disable automatic migration – but it
should otherwise have no effect if every account has a recorded iss
and sub
.
When automatic migration is disabled, the strip_email_domain
setting will have
no effect.
Special thanks to @micolous for reviewing, proposing and working with us on
these changes.
Other OIDC changes
Headscale now uses
the standard OIDC claims
to populate and update user information every time they log in:
Headscale profile field | OIDC claim | Notes / examples |
---|---|---|
email address | email |
Only used when "email_verified": true |
display name | name |
eg: Sam Smith |
username | preferred_username |
Varies depending on IdP and configuration, eg: ssmith , ssmith@idp.example.com , \\example.com\ssmith |
profile picture | picture |
URL to a profile picture or avatar |
These should show up nicely in the Tailscale client.
This will also affect the way you
reference users in policies.
BREAKING
- Remove
dns.use_username_in_magic_dns
configuration option
#2020,
#2279- Having usernames in magic DNS is no longer possible.
- Remove versions older than 1.56
#2149- Clean up old code required by old versions
- User gRPC/API #2261:
- If you depend on a Headscale Web UI, you should wait with this update until
the UI have been updated to match the new API. GET /api/v1/user/{name}
andGetUser
have been removed in favour ofListUsers
with an ID parameterRenameUser
andDeleteUser
now require an ID instead of a name.
- If you depend on a Headscale Web UI, you should wait with this update until
Changes
- Improved compatibilty of built-in DERP server with clients connecting over
WebSocket #2132 - Allow nodes to use SSH agent forwarding
#2145 - Fixed processing of fields in post request in MoveNode rpc
#2179 - Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules
applied #2198 - Fixed updating of hostname and givenName when it is updated in HostInfo
#2199 - Fixed missing
stable-debug
container tag
#2232 - Loosened up
server_url
andbase_domain
check. It was overly strict in some
cases. #2248 - CLI for managing users now accepts
--identifier
in addition to--name
,
usage of--identifier
is recommended
#2261 - Add
dns.extra_records_path
configuration option #2262
Changelog
- b6dc6eb #2140 Fixed reflection of hostname change (#2199)
- cc42fc3 #2177 Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules applied (#2198)
- b3cda08 #2178 Fixed processing of fields in post request in MoveNode rpc (#2179)
- e367454 Add -it to docker exec (#2148)
- 75e7411 Add FAQ entry on which database to use
- 2345c38 Add a page for third-party tools (#2217)
- 1e61084 Add compatibility with only websocket-capable clients (#2132)
- 0602304 Add headplane
- 204a102 Add ouroboros to web ui list (#2154)
- 4445649 Add versioned documentation
- 380fcdb Add worker reading extra_records_path from file (#2271)
- 07b596d Allow nodes to use SSH agent forwarding (#2145)
- 7512e23 Bump deprecated github actions
- 24e7851 Changed all the html into go using go-elem (#2161)
- dc17b4d Documentation dependencies (#2252)
- 0089cea Feature tvos documentation (#2226)
- 0d3cf74 Fix README links to point to the stable version
- d2a86b1...
v0.23.0
This release was intended to be mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
However, as you all have noticed, it turned out to become a much larger, much longer release cycle than anticipated. It has ended up to be a release with a lot of rewrites and changes to the code base and functionality of Headscale, cleaning up a lot of technical debt and introducing a lot of improvements. This does come with some breaking changes,
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, the changes came down to 284 changed files with 32,316 additions and 24,245 deletions and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The oldest supported client is 1.42
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- dns.base_domain can no longer be the same as (or part of) server_url.
- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
- DNS configuration has been restructured #2034
- Please review the new config-example.yaml for the new structure.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
- Fix for registering nodes using preauthkeys when running on a postgres database in a non-UTC timezone. #764
- Make sure integration tests cover postgres for all scenarios
- CLI commands (all except
serve
) only requires minimal configuration, no more errors or warnings from unset settings #2109 - CLI results are now concistently sent to stdout and errors to stderr #2109
- Fix issue where shutting down headscale would hang #2113
Changelog
v0.23.0-rc.1
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The oldest supported client is 1.42
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- dns.base_domain can no longer be the same as (or part of) server_url.
- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
- DNS configuration has been restructured #2034
- Please review the new config-example.yaml for the new structure.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
- Fix for registering nodes using preauthkeys when running on a postgres database in a non-UTC timezone. #764
- Make sure integration tests cover postgres for all scenarios
- CLI commands (all except
serve
) only requires minimal configuration, no more errors or warnings from unset settings #2109 - CLI results are now concistently sent to stdout and errors to stderr #2109
- Fix issue where shutting down headscale would hang #2113
Changelog
v0.23.0-beta.5
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The oldest supported client is 1.42
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- dns.base_domain can no longer be the same as (or part of) server_url.
- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
- DNS configuration has been restructured #2034
- Please review the new config-example.yaml for the new structure.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
- Fix for registering nodes using preauthkeys when running on a postgres database in a non-UTC timezone. #764
- Make sure integration tests cover postgres for all scenarios
- CLI commands (all except
serve
) only requires minimal configuration, no more errors or warnings from unset settings #2109 - CLI results are now concistently sent to stdout and errors to stderr #2109
- Fix issue where shutting down headscale would hang #2113
Changelog
v0.23.0-beta.4
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The oldest supported client is 1.42
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- dns.base_domain can no longer be the same as (or part of) server_url.
- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
- DNS configuration has been restructured #2034
- Please review the new config-example.yaml for the new structure.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
- Fix for registering nodes using preauthkeys when running on a postgres database in a non-UTC timezone. #764
- Make sure integration tests cover postgres for all scenarios
- CLI commands (all except
serve
) only requires minimal configuration, no more errors or warnings from unset settings #2109 - CLI results are now concistently sent to stdout and errors to stderr #2109
- Fix issue where shutting down headscale would hang #2113
Changelog
- f368ed0 2068 AutoApprovers tests (#2105)
- 35bfe7c Add support for service reload and sync service file (#2102)
- 3101f89 Fix 764 (#2093)
- 60b94b0 Fix slow shutdown (#2113)
- aa0f3d4 Fix typo in example config (#2095)
- e43d6a0 Move flags after the command (#2100)
- 8a3a0fe Only load needed part of configuration (#2109)
- 1c34101 Remove outdated proposals (#2104)
- ed71d23 Remove references to tests/acls from the documentation (#2088)
- 5597eda Remove version and update setup instructions for Android (#2112)
- bac7ea6 Simplify windows setup instructions (#2114)
- d66c5e1 Update documentation for 0.23 (#2096)
- a9a1a07 Use dns: as config key (#2092)
- 6609f60 actually lint file on CI (#2018)
- adc084f add no stalebot exception (#2107)
- 99f18f9 chore: fix some comments (#2069)
- 7be8796 dont override golangci go (#2116)
- 42d2c27 fix goreleaser warnings (#2106)
- 976cbfa flake.lock: Update (#2078)
- c3b260a flake.lock: Update (#2111)
- f039caf...
v0.23.0-beta3
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The oldest supported client is 1.42
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- dns.base_domain can no longer be the same as (or part of) server_url.
- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
- DNS configuration has been restructured #2034
- Please review the new config-example.yaml for the new structure.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
Changelog
- 34361c6 Fix FKs on sqlite migrations (#2083)
- 76515d1 Fix self notification on expiry update via oidc relogin (#2080)
- 827e3e8 Issue 2045, Feature Request (#2071)
- fffd9d7 Update ACLs file format docs (#2066)
- cf6a606 fix route table migration wiping routes 0.22 -> 0.23 (#2076)
- 9c4c286 fix warning errs from beta2 (#2075)
- f4427dd fix: correct a small spelling mistake (#2081)
- 1193a50 oldest client supported, not latest (#2086)
- a68854a upgrade go (1.23) and tailscale (1.72.1) (#2077)
- 2b5e52b validate policy against nodes, error if not valid (#2089)
- cb0e2e4 various doc updates in prep for 0.23 (#2091)
v0.23.0-beta2
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The latest supported client is 1.42
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- dns.base_domain can no longer be the same as (or part of) server_url.
- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
- DNS configuration has been restructured #2034
- Please review the new config-example.yaml for the new structure.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
Changelog
- 022fb24 Fix command get policy works with relative policy path (#2051)
- 4ad3f3c Fix data race issues in EphemeralGarbageCollector tests (#2023)
- fdc034e Integrate GORM Logger with Zerolog and Add Configuration Options for Logging and Performance (#2040)
- ac8491e Redo DNS configuration (#2034)
- f994973 add coderabbit config (#2060)
- db7a435 config-example.yaml: Remove reference to yaml for policy files (#2022)
- 06f0705 flake.lock: Update (#2035)
- 948d53f flake.lock: Update (#2042)
- fcd1183 flake.lock: Update (#2052)
- 9bed76d flake.lock: Update (#2059)
- 84cb5d0 make acl_policy_path fatal if policy.path is not set (#2041)
- ece907d test embedded derp with derp updater, check client health (#2030)
v0.23.0-beta1
Changelog
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The latest supported client is 1.38
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
- MagicDNS domains no longer contain usernames
- This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see #1369 for more information.
use_username_in_magic_dns
can be used to turn this behaviour on again, but note that this option will be removed when tags are fixed.- This option brings Headscales behaviour in line with Tailscale.
- YAML files are no longer supported for headscale policy. #1792
- HuJSON is now the only supported format for policy.
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
- Make registration page easier to use on mobile devices
- Make write-ahead-log default on and configurable for SQLite #1985
- Add APIs for managing headscale policy. #1792
Commits
- 8823778 Add gofumpt to dev dependencies (#2010)
- 69c3365 Fix android docs (#1976)
- 51676c6 Make registration screen easier to use (#1975)
- 4a34cfc Make write-ahead-log default and configurable for sqlite (#1985)
- 8f8f469 Remove allocations of lists before use (#1989)
- 74d27ee Remove deprecated linters from golangci-lint (#2009)
- 51b56ba Update flake.lock (#1952)
- 3f60ab2 Update flake.lock (#2011)
- 99e91a9 Update reverse-proxy.md (#1986)
- 58bd38a feat: implements apis for managing headscale policy (#1792)
- 14a3f94 fix search domains and remove username from magicdns (#1987)
- 00ff288 fix(1996): Implement register method enum converter (#2013)
- 5f9c269 fixed typo and path (#1960)
- 1f4b595 flake.lock: Update (#1958)
- dfc089e flake.lock: Update (#1979)
- 89ada55 flake.lock: Update (#1991)
- eb1591d flake.lock: Update (#2000)
- b799245 flake.lock: Update (#2021)
- 9e523d4 move userprofiles into method on user struct (#2014)
- 8571513 reformat code (#2019)
- 11fde62 remove custom contains funcs for slices.Contains (#2015)
- 5a4e52b remove last_successful_update error check (#1959)
- 7e62031 replace ephemeral deletion logic (#2008)
- ca47d6f small cleanups (#2017)
v0.23.0-alpha12
Changes
This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
Please remember to always back up your database between versions
Here is a short summary of the broad topics of changes:
Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
The new policy and mapper package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
The “poller”, or streaming logic has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new notifier package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
While we have a pretty good test harness for validating our changes, we have rewritten over 10000 lines of code and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
after improving the test harness as part of adopting #1460.
BREAKING
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly #1473
- Change the structure of database configuration, see config-example.yaml for the new structure. #1700
- Old structure has been remove and the configuration must be converted.
- Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
- API: Machine is now Node #1553
- Remove support for older Tailscale clients #1611
- The latest supported client is 1.38
- Headscale checks that at least one DERP is defined at start #1564
- If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
- Embedded DERP server requires a private key #1611
- Add a filepath entry to
derp.server.private_key_path
- Add a filepath entry to
- Docker images are now built with goreleaser (ko) #1716 #1763
- Entrypoint of container image has changed from shell to headscale, require change from
headscale serve
toserve
/var/lib/headscale
and/var/run/headscale
is no longer created automatically, see container docs
- Entrypoint of container image has changed from shell to headscale, require change from
- Prefixes are now defined per v4 and v6 range. #1756
ip_prefixes
option is nowprefixes.v4
andprefixes.v6
prefixes.allocation
can be set to assign IPs atsequential
orrandom
. #1869
Changes
- Use versioned migrations #1644
- Make the OIDC callback page better #1484
- SSH support #1487
- State management has been improved #1492
- Use error group handling to ensure tests actually pass #1535 based on #1460
- Fix hang on SIGTERM #1492 taken from #1480
- Send logs to stderr by default #1524
- Fix TS-2023-006 security UPnP issue #1563
- Turn off gRPC logging #1640 fixes #1259
- Added the possibility to manually create a DERP-map entry which can be customized, instead of automatically creating it. #1565
- Add support for deleting api keys #1702
- Add command to backfill IP addresses for nodes missing IPs from configured prefixes. #1869
- Log available update as warning #1877
- Add
autogroup:internet
to Policy #1917 - Restore foreign keys and add constraints #1562
Commits
- 30986c2 Bump github.com/docker/docker (#1947)
- faa57dd Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#1945)
- fff229f Bump github.com/jackc/pgx/v5 from 5.5.3 to 5.5.4 (#1946)
- 151f224 Bump golang.org/x/net from 0.22.0 to 0.23.0 (#1943)
- fd4f921 Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#1944)
- 8185a70 Fix typos (#1860)
- a9763c9 Initialize log config earlier to prevent trace messages being printed early on (#1939)
- 7fd2485 Restore foreign keys and add constraints (#1562)
- c8ebbed Simplify map session management (#1931)
- 93a915c Update OpenBSD installation docs for 2024 (#1915)
- 2bac80c [DOCS] Make linux installation instructions more clear (#1927)
- 622aa82 ensure expire routines are cleaned up (#1924)
- 723a040 flake.lock: Update (#1897)
- 2dc62e9 move debug image to distroless (#1950)
- 5ad0aa4 update tailscale go dep (#1948)