headscale preauth create writes warnings to stdout

[antifuchs]

Bug description

When creating a preauth key in a configuration where headscale would log a warning, the auth key written to stdout is polluted by these warning log messages. This affects the human-readable output format, but also -o json.

Environment

• Version of headscale used v0.22.3

• Version of tailscale client: N/A

• OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: NixOS 23.11

• Kernel version 6.1.72

• The relevant config parameters you used: see below; notice absence of ip_prefixes

• Log output from running headscale preauth create --user basic --reusable -e 24h 2>/dev/null: see below

• Headscale is behind a (reverse) proxy

• Headscale runs in a container

To Reproduce

1. Generate a config like above, where ip_prefixes isn't set
2. Run headscale users create basic and headscale preauthkeys create --reusable -e 24h -u basic > /tmp/preauth-key
3. Observe that /tmp/preauth-key contains log messages, followed by the preauth key, like:

2024-02-27T15:21:33Z WRN 'ip_prefixes' not configured, falling back to default: [100.64.0.0/10]
2024-02-27T15:21:33Z WRN 'ip_prefixes' not configured, falling back to default: [100.64.0.0/10]
67ba496fdb8f7cda2bd3e682f976e7087bbbdd1844a6dcff

Logs and attachments

config file:

acl_policy_path: null
db_host: null
db_name: null
db_password_file: null
db_path: /var/lib/headscale/db.sqlite
db_port: null
db_type: sqlite3
db_user: null
derp:
  auto_update_enable: true
  paths: []
  update_frequency: 24h
  urls:
  - https://controlplane.tailscale.com/derpmap/default
disable_check_updates: true
dns_config:
  base_domain: ''
  domains: []
  magic_dns: true
  nameservers:
  - 1.1.1.1
  override_local_dns: false
ephemeral_node_inactivity_timeout: 30m
listen_addr: 127.0.0.1:8080
log:
  format: text
  level: info
noise:
  private_key_path: /var/lib/headscale/noise_private.key
oidc:
  allowed_domains: []
  allowed_users: []
  client_id: ''
  client_secret_path: null
  extra_params: {}
  issuer: ''
  scope:
  - openid
  - profile
  - email
  strip_email_domain: true
private_key_path: /var/lib/headscale/private.key
server_url: http://127.0.0.1:8080
tls_cert_path: null
tls_key_path: null
tls_letsencrypt_cache_dir: /var/lib/headscale/.cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_hostname: ''
tls_letsencrypt_listen: :http
unix_socket: /run/headscale/headscale.sock

[sjansen1]

You have to define subnets in config.yaml like this:

ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10

[antifuchs]

You're right, there is a way to avoid having headscale print that warning. What I'm trying to get at is that whenever headscale used as a CLI program that is meant to emit machine-readable output logs a warning, that warning corrupts the machine-readable output (and the output doesn't go anywhere that a human could pick it up, like stderr).

[zatricky]

You have to define subnets in config.yaml like this:

ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10

The config-example.yaml in main gives prefixes rather than ip_prefixes ... that might explain it. The config example for v0.22.3 gives ip_prefixes appropriately however.

[antifuchs]

Thank you, again, I know why the warning gets written.

What I would like to see fixed is that if a (any!) warning gets written, that warning goes to stderr, which then pollutes the (otherwise usable) output.

[kradalby]

I think this was fixed in #1524, have you given the last alpha a go?