diff --git a/scripts/onboard/steps/00-access.sh b/scripts/onboard/steps/00-access.sh
index abf2c24..eeab0ad 100755
--- a/scripts/onboard/steps/00-access.sh
+++ b/scripts/onboard/steps/00-access.sh
@@ -50,6 +50,9 @@ source "${REPO_ROOT}/scripts/onboard/lib/remote.sh"
 _FC_SSH_NOKEY=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10)
 # BatchMode — used for all probes and post-key-install operations
 _FC_SSH=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -o BatchMode=yes)
+# Tailscale verify — LogLevel=ERROR suppresses the "Permanently added" known-hosts
+# INFO message that would otherwise leak into captured stdout on first connection
+_TS_SSH=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -o BatchMode=yes -o LogLevel=ERROR)
 # ── tailscale state probe helper ──────────────────────────────────────────────
 # Always runs; returns BackendState or "unknown" on any SSH/parse failure.
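Review bot: `_TS_SSH` repeats the whole `_FC_SSH` option list, so a later change to the host-key or timeout policy can reach one array and miss the other; `_TS_SSH=("${_FC_SSH[@]}" -o LogLevel=ERROR)` keeps them in step. The comment is also slightly off: ssh writes the "Permanently added" notice to stderr, and it reached the captured output only because the old call in the verify step used `2>&1`. Because `accept-new` trusts whichever key answers first on the Tailscale name and that notice was the only visible trace of it, consider logging what was recorded after the verify step, for example `ssh-keygen -F "${TS_HOSTNAME}"`, so the operator keeps a record of the pinned key.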
@@ -134,12 +137,17 @@ step "[$STEP_NAME] 3/3 verify SSH over Tailscale → ${ONBOARD_SSH_USER}@${TS_HO
 # Probe: always runs — on a node already joined this works even in dry-run.
 # On a fresh node in dry-run mode Tailscale isn't set up yet, so SSH will fail;
 # that is reported as a warning (not a fatal error) to keep dry-run informative.
-if out=$(ssh "${_FC_SSH[@]}" "${ONBOARD_SSH_USER}@${TS_HOSTNAME}" \
- 'echo ok && uname -m' 2>&1); then
- echo "$out" | grep -q '^ok' || warn "Unexpected verify output: ${out}"
- arch=$(echo "$out" | grep -v '^ok' | head -1 | tr -d '[:space:]')
- [[ "$arch" == "aarch64" ]] || warn "Unexpected arch '${arch}' — expected aarch64"
- log "Verify OK: ${ONBOARD_SSH_USER}@${TS_HOSTNAME} reachable, arch=${arch}"
+# stderr is NOT merged (no 2>&1) — _TS_SSH uses LogLevel=ERROR so the
+# "Permanently added … to known hosts" INFO message is suppressed at source.
+if arch=$(ssh "${_TS_SSH[@]}" "${ONBOARD_SSH_USER}@${TS_HOSTNAME}" 'uname -m'); then
+ # Take the last non-empty stdout line to skip any unexpected preamble
+ arch=$(printf '%s' "$arch" | grep -v '^[[:space:]]*$' | tail -1 | tr -d '[:space:]')
+ if [[ "$arch" == "aarch64" ]]; then
+ log "Verify OK: ${ONBOARD_SSH_USER}@${TS_HOSTNAME} reachable, arch=${arch}"
+ else
+ msg="Unexpected arch '${arch}' on ${TS_HOSTNAME} — expected aarch64"
+ [ "${DRY_RUN:-0}" = 1 ] && warn "$msg" || die "$msg"
+ fi
 else
 msg="Verify SSH to ${ONBOARD_SSH_USER}@${TS_HOSTNAME} failed (Tailscale not yet joined?)"
 [ "${DRY_RUN:-0}" = 1 ] && warn "$msg" || die "$msg"
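Review bot: The new `[ "${DRY_RUN:-0}" = 1 ] && warn "$msg" || die "$msg"` in the arch-mismatch branch runs `die` whenever `warn` returns non-zero, so a dry run can still abort; `if [ "${DRY_RUN:-0}" = 1 ]; then warn "$msg"; else die "$msg"; fi` removes that coupling (the existing SSH-failure branch below has the same form). Separately, when the remote prints nothing, `grep -v` exits 1; if the script runs under `set -e` with `pipefail` (not visible in this hunk), the second `arch=$(…)` assignment would end the script before the "Unexpected arch" message is produced. Appending `|| true` to that pipeline keeps an empty result on the explained path. The `if`/`else` statement continues past the end of the hunk.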