
[Bug] "Could not get the create map update" #2073

Closed
3 of 4 tasks
yuri-so opened this issue Aug 22, 2024 · 9 comments · Fixed by #2089
Labels
bug Something isn't working
Comments

@yuri-so

yuri-so commented Aug 22, 2024

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When trying to register a node I get the following error from headscale:
ERR ../../../home/runner/work/headscale/headscale/hscontrol/poll.go:719 > Could not get the create map update error="invalid action" node=net.example.com node.id=1 omitPeers=false readOnly=false stream=true

The command I used:
tailscale up --login-server https://net.example.com --advertise-exit-node=true --hostname=net.example.com --accept-dns=true

However headscale node ls outputs:

ID | Hostname     | Name         | MachineKey | NodeKey | User  | IP addresses | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | net.example.com | net.example.com | [n04ss]    | [AWCgQ] | example | 100.64.0.1,  | false     | 2024-08-22 18:18:24 | 0001-01-01 00:00:00 | offline   | no

Expected Behavior

The node should register and connect to the tailnet (or headnet?) correctly

Steps To Reproduce

Unsure. Just try to register a node.

Environment

- OS: Debian 12
- Headscale version: v0.23.0-beta2
- Tailscale version: 1.72.1

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

I'm using caddy (version: 2.6.2) as a reverse proxy

@yuri-so yuri-so added the bug Something isn't working label Aug 22, 2024
@stblassitude

I'm getting these errors in the log for (some) of the existing clients:

headscale-1  | 2024-08-23T14:59:57Z INF home/runner/work/headscale/headscale/hscontrol/poll.go:699 > node has connected, mapSession: 0xc000731380, chan: 0xc0004ba2a0 node=bluebox node.id=6 omitPeers=false readOnly=false stream=true
headscale-1  | 2024-08-23T14:59:57Z ERR home/runner/work/headscale/headscale/hscontrol/poll.go:719 > Could not get the create map update error="invalid action" node=bluebox node.id=6 omitPeers=false readOnly=false stream=true
headscale-1  | 2024-08-23T14:59:57Z INF home/runner/work/headscale/headscale/hscontrol/poll.go:699 > node has disconnected, mapSession: 0xc000731380, chan: 0xc0004ba2a0 node=bluebox node.id=6 omitPeers=false readOnly=false stream=true

@stblassitude

It turns out that I made a change to the acls just before upgrading, and that causes the Could not get the create map update error="invalid action" message. So the error handling for ACLs probably could use some improvements.

@stblassitude

Specifically, I spelled "acceept" incorrectly. It would be great if the ACL loader would do a sanity check on the contents.

@yuri-so
Author

yuri-so commented Aug 23, 2024

I think I had a similar problem. I had deny as an action and haven't restarted headscale after changing the ACLs. The upgrade caused the service to restart and fail.

In addition to what @stblassitude mentioned, I think it would be great if the server would just ignore the ACL file, and notify the admin if the sanity check fails.
This would prevent users/servers from losing access to the tailnet.

@kradalby
Collaborator

Is this issue present in beta1 and some of the latest alphas?

I'm gonna tag a new beta with some other fixes but won't be able to improve this until next week.

@stblassitude

It's definitely in -beta2, I'm not sure if it was in -beta1.

@kradalby
Collaborator

Would be great if I could have a couple of minimal reproducible example acls and if you can test some other version!

@stblassitude

Both of the following ACLs trigger errors.

  • Could not get the create map update error="invalid action":
{
  "acls": [
    { "action": "acceept", "src": ["testb"], "dst": ["testb:*"]},
  ]
}
# headscale policy set -f /etc/headscale/broken-acceept.json
2024-08-23T18:00:22Z WRN 
WARN: The "dns.use_username_in_magic_dns" configuration key is deprecated and has been removed. Please see the changelog for more details.
  • Could not get the create map update error="failed to parse destination, tokens [testb]: invalid port format":
{
  "acls": [
    { "action": "accept", "src": ["testb"], "dst": ["testb"]},
  ]
}
# headscale policy set -f /etc/headscale/broken-missing-port.json
2024-08-23T18:02:31Z WRN 
WARN: The "dns.use_username_in_magic_dns" configuration key is deprecated and has been removed. Please see the changelog for more details.

Policy updated.

Also, I don't have dns.use_username_in_magic_dns in my config anymore, so the warning is confusing.

@stblassitude

I think the main improvement would be to have an error message that mentions ACLs. And I'm happy to help test a newer version. I'm running the docker image.

@kradalby kradalby added this to the v0.23.0 milestone Aug 27, 2024
kradalby added a commit to kradalby/headscale that referenced this issue Aug 30, 2024
this commit aims to improve the feedback of "runtime" policy
errors which would only manifest when the rules are compiled to
filter rules with nodes.

this change will in;

file-based mode load the nodes from the db and try to compile the rules on
start up and return an error if they would not work as intended.

database-based mode prevent a new ACL being written to the database if
it does not compile with the current set of nodes.

Fixes juanfont#2073
Fixes juanfont#2044

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
kradalby added a commit that referenced this issue Aug 30, 2024
* validate policy against nodes, error if not valid

this commit aims to improve the feedback of "runtime" policy
errors which would only manifest when the rules are compiled to
filter rules with nodes.

this change will in;

file-based mode load the nodes from the db and try to compile the rules on
start up and return an error if they would not work as intended.

database-based mode prevent a new ACL being written to the database if
it does not compile with the current set of nodes.

Fixes #2073
Fixes #2044

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* ensure stderr can be used in err checks

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* test policy set validation

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* add new integration test to ghaction

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* add back defer for cli tst

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
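As an added illustration (not headscale's own code) of the sanity check requested earlier in the thread and of the policy validation the commit message above describes, the following preflight rejects both broken ACL files from this issue before they reach a running server. It assumes plain JSON input (HuJSON trailing commas are not handled) and the hypothetical names ValidatePolicy and portOK.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ACL is one rule of a headscale policy file (only the fields checked here).
type ACL struct {
	Action string   `json:"action"`
	Dst    []string `json:"dst"`
}

// portOK accepts "*" or a single port number as the part after the last ':'.
func portOK(p string) bool {
	if p == "*" {
		return true
	}
	n, err := strconv.Atoi(p)
	return err == nil && n > 0 && n <= 65535
}

// ValidatePolicy statically checks a policy before it is loaded; it returns one
// message per problem. Hypothetical preflight, not headscale's code; plain JSON only.
func ValidatePolicy(src string) []string {
	var pol struct{ ACLs []ACL `json:"acls"` }
	if err := json.Unmarshal([]byte(src), &pol); err != nil {
		return []string{"policy is not valid JSON: " + err.Error()}
	}
	var problems []string
	for i, r := range pol.ACLs {
		// Only "accept" exists; "acceept"/"deny" otherwise fails at runtime with error="invalid action".
		if r.Action != "accept" {
			problems = append(problems, fmt.Sprintf("acls[%d]: invalid action %q", i, r.Action))
		}
		// Each dst needs "alias:port" ("testb:*", not "testb"), else "invalid port format".
		for _, d := range r.Dst {
			if idx := strings.LastIndex(d, ":"); idx < 0 || !portOK(d[idx+1:]) {
				problems = append(problems, fmt.Sprintf("acls[%d]: dst %q lacks a valid port part", i, d))
			}
		}
	}
	return problems
}

func main() { // constructed sample below: both broken rules from the thread in one file
	fmt.Println(strings.Join(ValidatePolicy(`{"acls":[{"action":"acceept","src":["testb"],"dst":["testb:*"]},{"action":"accept","src":["testb"],"dst":["testb"]}]}`), "\n"))
}
```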