cmd: add option to get and set policy directly from database #2765
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
071368c to
729e306
Compare
juanfont
approved these changes
Sep 12, 2025
nblock
requested changes
Sep 12, 2025
cmd/headscale/cli/policy.go
Outdated
| ErrorOutput(err, fmt.Sprintf("Failed loading ACL Policy: %s", err), output) | ||
| var policy string | ||
| if bypass, _ := cmd.Flags().GetBool(bypassFlag); bypass { | ||
| if !prompt.YesNo("DO NOT run this command if an instance of headscale is running, are you sure headscale is not running?") { |
Collaborator
There was a problem hiding this comment.
Headscale crashes when answering the question with n:
$ headscale --force policy get --bypass-grpc-and-access-database-directly
DO NOT run this command if an instance of headscale is running, are you sure headscale is not running? [y/n] n
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x55d04da6fab9]
goroutine 1 [running]:
github.com/juanfont/headscale/cmd/headscale/cli.ErrorOutput({0x0?, 0x0?}, {0x55d04daf69e0, 0x10}, {0x0, 0x0})
/home/user/headscale/cmd/headscale/cli/utils.go:172 +0x39
github.com/juanfont/headscale/cmd/headscale/cli.init.func21(0x55d0501c3b20, {0x55d04dadff11?, 0x4?, 0x55d04dadfde1?})
/home/user/headscale/cmd/headscale/cli/policy.go:56 +0x50a
github.com/spf13/cobra.(*Command).execute(0x55d0501c3b20, {0xc00009ca20, 0x2, 0x2})
/home/user/go/pkg/mod/github.com/spf13/[email protected]/command.go:1019 +0xa91
github.com/spf13/cobra.(*Command).ExecuteC(0x55d0501c4ba0)
/home/user/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x46f
github.com/spf13/cobra.(*Command).Execute(...)
/home/user/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071
github.com/juanfont/headscale/cmd/headscale/cli.Execute()
/home/user/headscale/cmd/headscale/cli/root.go:103 +0x1a
main.main()
/home/user/headscale/cmd/headscale/headscale.go:42 +0x1fe| if err != nil { | ||
| ErrorOutput(err, fmt.Sprintf("Failed loading ACL Policy: %s", err), output) | ||
| var policy string | ||
| if bypass, _ := cmd.Flags().GetBool(bypassFlag); bypass { |
Collaborator
There was a problem hiding this comment.
The flag does not account for the --force flag.
Collaborator
There was a problem hiding this comment.
The interactive question is hidden when redirecting the output to a file:
$ headscale policy get --force --bypass-grpc-and-access-database-directly > dump-1.json
... [hangs and continues only when pressing `y`]Also the json output contains the question:
$ cat dump-1.json
DO NOT run this command if an instance of headscale is running, are you sure headscale is not running? [y/n] {
"acls": [
{
"action": "accept",
"src": [
"*"
],
"dst": [
"100.64.0.99"
]
}
]
}
Question should be written to stderr.
Collaborator
There was a problem hiding this comment.
Its possible to set an invalid ACL (or invalid JSON) via: headscale policy set --bypass-grpc-and-access-database-directly --file path/to/broken.json. Should it only allow valid ACLs?
this commit adds a new `--bypass-grpc-and-access-database-directly` flag to `headscale policy get|set` which allows the operator to directly get or set the policy from the database. This is useful if there is a broken policy in the database that prevents the server from starting. Fixes juanfont#2630 Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
729e306 to
2372827
Compare
shouryagautam
pushed a commit
to shouryagautam/headscale
that referenced
this pull request
Oct 13, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
this commit adds a new
--bypass-grpc-access-and-database-directlyflag toheadscale policy get|setwhich allows the operator to directly get or set the policy from the database. This is useful if there is a broken policy in the database that prevents the server from starting.Fixes #2630