From 471ba09c4a71782232ffca42e60eeba8bd4d4f6f Mon Sep 17 00:00:00 2001
From: Oskar Kapala
Date: Mon, 8 Jun 2026 15:28:21 +0200
Subject: [PATCH] fix(onboard/00-access): suppress known-hosts warning in Tailscale verify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On first SSH to a new mesh hostname, OpenSSH emits "Warning: Permanently added 'lustro' to the list of known hosts" on stderr. The previous code used 2>&1, merging it into the captured arch variable, which caused the arch assertion to fail with arch="Warning:Permanentlyadded...". Fix: - Add dedicated _TS_SSH opts array with -o LogLevel=ERROR, which suppresses INFO-level messages (known-hosts, banner) at source - Remove 2>&1 — stderr is no longer merged into the captured value - Run only `uname -m` instead of `echo ok && uname -m`; take the last non-empty stdout line to be robust against any remaining preamble - Change arch mismatch from warn to die in live mode (warn in dry-run)
Co-Authored-By: Claude Sonnet 4.6
---
 scripts/onboard/steps/00-access.sh | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/scripts/onboard/steps/00-access.sh b/scripts/onboard/steps/00-access.sh
index abf2c24..eeab0ad 100755
--- a/scripts/onboard/steps/00-access.sh
+++ b/scripts/onboard/steps/00-access.sh
@@ -50,6 +50,9 @@ source "${REPO_ROOT}/scripts/onboard/lib/remote.sh"
 _FC_SSH_NOKEY=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10)
 # BatchMode — used for all probes and post-key-install operations
 _FC_SSH=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -o BatchMode=yes)
+# Tailscale verify — LogLevel=ERROR suppresses the "Permanently added" known-hosts
+# INFO message that would otherwise leak into captured stdout on first connection
+_TS_SSH=(-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -o BatchMode=yes -o LogLevel=ERROR)
 # ── tailscale state probe helper ──────────────────────────────────────────────
 # Always runs; returns BackendState or "unknown" on any SSH/parse failure.
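Review bot: With `2>&1` dropped in the verify step, `-o LogLevel=ERROR` in `_TS_SSH` no longer protects the captured value; its remaining effect is to hide the one line that records `StrictHostKeyChecking=accept-new` trusting a new host key on first contact. The added comment should say the message goes to stderr rather than stdout. The onboarding log would also benefit from recording the accepted key, for example by logging the output of `ssh-keygen -lF "${TS_HOSTNAME}"` after the probe. Building the array as `_TS_SSH=("${_FC_SSH[@]}" -o LogLevel=ERROR)` would keep the option lists from drifting apart.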
@@ -134,12 +137,17 @@ step "[$STEP_NAME] 3/3 verify SSH over Tailscale → ${ONBOARD_SSH_USER}@${TS_HO
 # Probe: always runs — on a node already joined this works even in dry-run.
 # On a fresh node in dry-run mode Tailscale isn't set up yet, so SSH will fail;
 # that is reported as a warning (not a fatal error) to keep dry-run informative.
-if out=$(ssh "${_FC_SSH[@]}" "${ONBOARD_SSH_USER}@${TS_HOSTNAME}" \
- 'echo ok && uname -m' 2>&1); then
- echo "$out" | grep -q '^ok' || warn "Unexpected verify output: ${out}"
- arch=$(echo "$out" | grep -v '^ok' | head -1 | tr -d '[:space:]')
- [[ "$arch" == "aarch64" ]] || warn "Unexpected arch '${arch}' — expected aarch64"
- log "Verify OK: ${ONBOARD_SSH_USER}@${TS_HOSTNAME} reachable, arch=${arch}"
+# stderr is NOT merged (no 2>&1) — _TS_SSH uses LogLevel=ERROR so the
+# "Permanently added … to known hosts" INFO message is suppressed at source.
+if arch=$(ssh "${_TS_SSH[@]}" "${ONBOARD_SSH_USER}@${TS_HOSTNAME}" 'uname -m'); then
+ # Take the last non-empty stdout line to skip any unexpected preamble
+ arch=$(printf '%s' "$arch" | grep -v '^[[:space:]]*$' | tail -1 | tr -d '[:space:]')
+ if [[ "$arch" == "aarch64" ]]; then
+ log "Verify OK: ${ONBOARD_SSH_USER}@${TS_HOSTNAME} reachable, arch=${arch}"
+ else
+ msg="Unexpected arch '${arch}' on ${TS_HOSTNAME} — expected aarch64"
+ [ "${DRY_RUN:-0}" = 1 ] && warn "$msg" || die "$msg"
+ fi
 else
 msg="Verify SSH to ${ONBOARD_SSH_USER}@${TS_HOSTNAME} failed (Tailscale not yet joined?)"
 [ "${DRY_RUN:-0}" = 1 ] && warn "$msg" || die "$msg"
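Review bot: The added mismatch branch uses `[ "${DRY_RUN:-0}" = 1 ] && warn "$msg" || die "$msg"`, which also runs `die` when `warn` itself returns non-zero, so a dry run can abort here; the unchanged `else` branch below has the same construct. An explicit `if [ "${DRY_RUN:-0}" = 1 ]; then warn "$msg"; else die "$msg"; fi` makes the two outcomes exclusive. `arch` is remote-supplied and only whitespace-stripped before it is interpolated into `msg`, so formatting it with `printf '%q'` would keep control characters out of the operator's terminal. The outer `if` closes outside the hunk.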