[Bug] Invalid ACL stored in DB, crash on startup #2630

Open
4 tasks done
stblassitude opened this issue May 27, 2025 · 2 comments
Labels
bug Something isn't working

Comments

stblassitude commented May 27, 2025

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I've used headscale-admin to update the ACL, then I restarted headscale. On startup, it complained about a host referenced in the ACLs that wasn't defined (I had just deleted it thinking that it wasn't needed anymore).

On startup, it complained about the missing host:

handshake-headscale-1  | 2025-05-27T09:18:31Z INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
handshake-headscale-1  | 2025-05-27T09:18:31Z FTL home/runner/work/headscale/headscale/cmd/headscale/cli/serve.go:24 > Error initializing error="creating new headscale: loading ACL policy: creating policy manager: parsing policy: Host \"siemens-distillery\" is not defined in the Policy, please define or remove the reference to it"

and then exited.

I patched the database manually using sqlite3 (I basically copied an older version to the current version in the policies table), and that let me start up headscale again.

This is with docker.io/headscale/headscale:v0.26.0 and docker.io/goodieshq/headscale-admin:v0.25.6.

Expected Behavior

Headscale should either refuse to store the broken ACL, or ignore the broken (part of the) ACLs on startup, so users can fix it through the command line or the web interface.

Steps To Reproduce

  1. Bring up headscale and headscale admin with docker-compose
  2. Add a host to the policies
  3. Add an ACL referencing that host
  4. Save the config
  5. Remove the host
  6. Save the config; note that there is no error
  7. Restart headscale and observe that it won't start.

Environment

- OS: docker compose
- Headscale version: v0.26.0
- Tailscale version: n/a
- Headscale Admin: v0.25.6

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

see above

@stblassitude stblassitude added the bug Something isn't working label May 27, 2025
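
The "refuse to store the broken ACL" behaviour requested under Expected Behavior, sketched as a pre-save check. This is an added example, not part of the thread and not headscale's or headscale-admin's code. It assumes the policy is plain JSON with Tailscale-style `hosts`, `acls`, `src` and `dst` fields; `lintPolicy`, `policy` and the sample policy are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// policy holds only the fields this check reads (assumed layout, plain JSON).
type policy struct {
	Hosts map[string]string             `json:"hosts"`
	ACLs  []struct{ Src, Dst []string } `json:"acls"`
}

// Constructed sample: "siemens-distillery" was deleted from hosts but is still a dst.
const sample = `{"hosts":{"nas":"100.64.0.9/32"},"acls":[{"action":"accept","src":["group:ops","10.0.0.0/8"],"dst":["siemens-distillery:22","nas:445","tag:web:443","*:*"]}]}`

// lintPolicy returns one finding per undefined host; empty means safe to store.
func lintPolicy(raw []byte) (out []string) {
	var p policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return []string{"policy is not valid JSON: " + err.Error()}
	}
	check := func(a string) { // flags a only if it can be nothing but a host name
		_, errIP := netip.ParseAddr(a)
		_, errNet := netip.ParsePrefix(a)
		typed := a == "*" || strings.Contains(a, "@") || strings.HasPrefix(a, "group:") ||
			strings.HasPrefix(a, "tag:") || strings.HasPrefix(a, "autogroup:")
		if _, known := p.Hosts[a]; !known && !typed && errIP != nil && errNet != nil {
			out = append(out, fmt.Sprintf("host %q is used in an ACL but not defined in hosts", a))
		}
	}
	for _, acl := range p.ACLs {
		for _, s := range acl.Src {
			check(s)
		}
		for _, d := range acl.Dst {
			if i := strings.LastIndex(d, ":"); i > 0 { // dst is "alias:ports"
				d = d[:i]
			}
			check(d)
		}
	}
	return out
}

func main() {
	fmt.Println(lintPolicy([]byte(sample)))
}
```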
dulinux commented Jun 1, 2025

Similar issue here. Was working before pulling updated image.

[...]
headscale        | 2025-06-01T13:03:49-03:00 INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
headscale        | 2025-06-01T13:03:49-03:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/serve.go:24 > Error initializing error="creating new headscale: loading ACL policy: creating policy manager: parsing policy: parsing policy from bytes: Invalid Owner \"duli\". An alias must be one of the following types:\n- user (containing an \"@\")\n- group (starting with \"group:\")\n- tag (starting with \"tag:\")\n\nPlease check the format and try again."
[...]
duli@oc1:/opt/docker/headscale$ docker image list
REPOSITORY                           TAG        IMAGE ID       CREATED        SIZE
headscale/headscale                  stable     d70eeb8fb774   N/A            80.8MB
[...]

malosaaa commented Jun 3, 2025

Just open the database in sqlbrowser in Windows.
Delete the last entry data in policy; just copy the ACLs first and modify them, and insert them later with, for example, the headplane UI. That works.

For me the last update in ACLs broke everything and I got annoyed at having to reconfigure everything. However, I'm still having issues.
