trusted-execution-clusters: Verbose SSH attempt

[Jakob-Naucke]

Can ping but SSH times out, despite SSH being reachable from other hosts. Investigate.

Summary by CodeRabbit

• Enhancements
  • Improved SSH connectivity diagnostics with more detailed logging to aid troubleshooting.
  • Strengthened SSH security by disabling password authentication for connections.
  • Ensured SSH agent initialization and key availability to improve reliability of key-based access during provisioning.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4207cdcd-6b93-44ab-b3fb-a3720e61c2ba

📥 Commits

Reviewing files that changed from the base of the PR and between 12221f9 and 1195e53.

📒 Files selected for processing (1)

• ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh

---

Walkthrough

The provisioning script now hardens SSH usage: disables password auth, checks TCP reachability to the host, ensures an ssh-agent with the private key is running, and uses verbose SSH client output during the existing retry loop for connection tests.

Changes

Cohort / File(s)	Summary
SSH Connection Enhancement ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh	Disabled password authentication in SSH options, added TCP port 22 reachability probe, ensured ssh-agent is running and the private key is added, and switched the SSH connection test to use verbose SSH output within the existing retry loop.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding verbose SSH output to troubleshoot SSH connectivity issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only a bash shell script with no Ginkgo tests present, making this check not applicable.
Test Structure And Quality	✅ Passed	The custom check for Ginkgo test code quality does not apply to this PR, which modifies only bash shell scripts for infrastructure provisioning with no Ginkgo test files.
Microshift Test Compatibility	✅ Passed	Pull request modifies only a shell script for CI infrastructure and does not add any Ginkgo e2e tests, making the MicroShift Test Compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only bash shell script for SSH provisioning in CI infrastructure; contains no Ginkgo e2e tests, so check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The modified file is a bash CI provisioning script with no Kubernetes manifests, operator code, or pod scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	This PR modifies only a bash shell script for CI/CD provisioning and contains no Go test code subject to the OTE Binary Stdout Contract check.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only a bash provisioning script, not Ginkgo e2e tests. The check targets Ginkgo test code with patterns like It(), Describe(), Context(), and When(), which are absent here.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[alicefr]

/pj-rehearse network-access-allowed

[openshift-merge-bot]

@alicefr: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Jakob-Naucke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/OWNERS [Jakob-Naucke]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh (2)

166-170: ssh-agent setup is redundant with -i and leaves an orphan agent.

SSHOPTS already pins the identity via -i "${SSH_PKEY}", so ssh will use that key directly; starting an agent and ssh-add-ing the same key doesn't change authentication behavior — it just adds another thing that can fail silently (there is no set -e, so a broken ssh-agent/ssh-add would go unnoticed). The spawned agent is also never killed, so it lingers for the rest of the job.

wc -l "${SSH_PKEY}" is harmless but doesn't really add diagnostic value beyond checking the file is non-empty / well-formed; ssh-keygen -y -f "${SSH_PKEY}" >/dev/null would actually validate the key is parseable, which is a more useful signal for the symptom you're chasing.

Optional cleanup if you want to keep the agent path:

♻️ Alternative

-log_info "Testing SSH connection to ${BEAKER_USER}@${BEAKER_IP}..."
-eval "$(ssh-agent -s)"
-ssh-add "${SSH_PKEY}"
-
-log_info "SSH private key line count for checking"
-wc -l "${SSH_PKEY}"
+log_info "Testing SSH connection to ${BEAKER_USER}@${BEAKER_IP}..."
+log_info "Validating SSH private key is parseable..."
+if ! ssh-keygen -y -f "${SSH_PKEY}" >/dev/null; then
+  log_error "SSH private key at ${SSH_PKEY} failed to parse"
+  exit 1
+fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh`
around lines 166 - 170, The ssh-agent/ssh-add lines are redundant because
SSHOPTS already uses -i "${SSH_PKEY}", and they spawn an orphan agent; remove
the eval "$(ssh-agent -s)" and ssh-add "${SSH_PKEY}" calls and instead validate
the private key file referenced by SSH_PKEY (replace the wc -l check) by
invoking ssh-keygen -y -f "${SSH_PKEY}" >/dev/null to ensure the key is
parseable; if you must keep agent behavior, ensure you properly record and kill
the agent (SSH_AUTH_SOCK/PID) after use so it doesn't linger.

---

179-179: ssh -vvv is the right debug hammer — plan to walk it back.

Fine for the investigation this PR is opening, but a couple of things worth knowing so this doesn't become permanent noise:

• -vvv effectively overrides the LogLevel=ERROR that remains inside SSHOPTS, so once the root cause is understood you'll want to drop either the -vvv or the stale LogLevel=ERROR to keep the configuration coherent.
• Every retry now emits a full ssh -vvv trace to the job log (up to 15 of them), which on failure will produce a lot of output to sift through. If you plan to keep verbose output post-investigation, consider guarding it (e.g. SSH_VERBOSE=${SSH_VERBOSE:-} → ssh ${SSH_VERBOSE:+-vvv} ...) so normal runs stay readable.

Not blocking — just flagging so the diagnostic mode doesn't silently become the default.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh`
at line 179, The ssh call currently forces -vvv debug output ("ssh -vvv
${SSHOPTS[@]} ${BEAKER_USER}@${BEAKER_IP} ...") which overrides the
LogLevel=ERROR in SSHOPTS and will spam logs on retries; change it so verbose
debugging is opt-in (remove the hardcoded -vvv) and either use a guard like
SSH_VERBOSE to expand to -vvv only when set (e.g. ssh ${SSH_VERBOSE:+-vvv}
"${SSHOPTS[@]}" "${BEAKER_USER}@${BEAKER_IP}" ...) or remove the stale
LogLevel=ERROR from SSHOPTS so behavior is consistent; update the call that
references SSHOPTS, BEAKER_USER, and BEAKER_IP accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh`:
- Around line 156-160: The TCP probe using nc should be made defensive: first
test for availability of nc or ncat (e.g., via command -v) and log a clear
message if neither exists; when invoking nc/ncat in the if condition (the block
referencing BEAKER_IP and port 22), capture stderr by redirecting 2>&1 so
diagnostic output appears in logs; if no nc/ncat is found, fall back to a bash
/dev/tcp probe (using the BEAKER_IP variable) and use its exit status for the
same success/fail branch, ensuring the existing log_success/log_warn messages
are preserved and augmented with the captured diagnostic output when available.

---

Nitpick comments:
In
`@ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh`:
- Around line 166-170: The ssh-agent/ssh-add lines are redundant because SSHOPTS
already uses -i "${SSH_PKEY}", and they spawn an orphan agent; remove the eval
"$(ssh-agent -s)" and ssh-add "${SSH_PKEY}" calls and instead validate the
private key file referenced by SSH_PKEY (replace the wc -l check) by invoking
ssh-keygen -y -f "${SSH_PKEY}" >/dev/null to ensure the key is parseable; if you
must keep agent behavior, ensure you properly record and kill the agent
(SSH_AUTH_SOCK/PID) after use so it doesn't linger.
- Line 179: The ssh call currently forces -vvv debug output ("ssh -vvv
${SSHOPTS[@]} ${BEAKER_USER}@${BEAKER_IP} ...") which overrides the
LogLevel=ERROR in SSHOPTS and will spam logs on retries; change it so verbose
debugging is opt-in (remove the hardcoded -vvv) and either use a guard like
SSH_VERBOSE to expand to -vvv only when set (e.g. ssh ${SSH_VERBOSE:+-vvv}
"${SSHOPTS[@]}" "${BEAKER_USER}@${BEAKER_IP}" ...) or remove the stale
LogLevel=ERROR from SSHOPTS so behavior is consistent; update the call that
references SSHOPTS, BEAKER_USER, and BEAKER_IP accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5f765fc6-1bc3-461a-9b13-da08d521beee

📥 Commits

Reviewing files that changed from the base of the PR and between bfd29e8 and 12221f9.

📒 Files selected for processing (1)

• ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm whether `nc` is expected to exist in the image(s) used by this step.
# Look for any image/Dockerfile references or explicit nc installs in the repo.
fd -t f -e Dockerfile
rg -nP '\bnc(at)?\b' -g '!**/vendor/**' -C2

Repository: openshift/release

Length of output: 50373

---

🏁 Script executed:

# Find the metadata for the beaker-kind-provision step
find . -path "*trusted-execution-clusters*ref*operator*beaker-kind-provision*" -name "*.metadata.json" -o -path "*trusted-execution-clusters*ref*operator*beaker-kind-provision*" -name "*.yaml"

Repository: openshift/release

Length of output: 392

---

🏁 Script executed:

# Look for image references or base image specifications in the beaker-kind-provision step directory
find ci-operator/step-registry/trusted-execution-clusters -name "*beaker-kind-provision*" -type f -exec cat {} \;

Repository: openshift/release

Length of output: 35311

---

Guard the nc probe against a missing binary and stderr capture.

The TCP reachability check should be defensive:

• nc is not guaranteed in all Prow CI images. If it's absent, the command not found error will silently cause the if condition to fail, making the log message "does not accept on port 22" misleading when the real issue is a missing tool. Checking for nc availability upfront removes ambiguity.
• Both nc -zv and ncat -zv write their output to stderr, which gets lost unless redirected. Capturing 2>&1 ensures diagnostics stay together in logs.

Consider checking for nc availability and redirecting stderr for clarity. If nc is unavailable, use bash's /dev/tcp as a fallback so the probe still runs:

🛠 Suggested fix

-if nc -zv "${BEAKER_IP}" 22; then
-  log_success "Beaker machine ${BEAKER_IP} accepts on port 22"
-else
-  log_warn "Beaker machine ${BEAKER_IP} does not accept on port 22, trying SSH anyhow"
-fi
+if command -v nc >/dev/null 2>&1; then
+  if nc -zv "${BEAKER_IP}" 22 2>&1; then
+    log_success "Beaker machine ${BEAKER_IP} accepts on port 22"
+  else
+    log_warn "Beaker machine ${BEAKER_IP} does not accept on port 22, trying SSH anyhow"
+  fi
+else
+  if timeout 5 bash -c ">/dev/tcp/${BEAKER_IP}/22" 2>/dev/null; then
+    log_success "Beaker machine ${BEAKER_IP} accepts on port 22 (via /dev/tcp)"
+  else
+    log_warn "Beaker machine ${BEAKER_IP} does not accept on port 22, trying SSH anyhow"
+  fi
+fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if nc -zv "${BEAKER_IP}" 22; then
	log_success "Beaker machine ${BEAKER_IP} accepts on port 22"
	else
	log_warn "Beaker machine ${BEAKER_IP} does not accept on port 22, trying SSH anyhow"
	fi
	if command -v nc >/dev/null 2>&1; then
	if nc -zv "${BEAKER_IP}" 22 2>&1; then
	log_success "Beaker machine ${BEAKER_IP} accepts on port 22"
	else
	log_warn "Beaker machine ${BEAKER_IP} does not accept on port 22, trying SSH anyhow"
	fi
	else
	if timeout 5 bash -c ">/dev/tcp/${BEAKER_IP}/22" 2>/dev/null; then
	log_success "Beaker machine ${BEAKER_IP} accepts on port 22 (via /dev/tcp)"
	else
	log_warn "Beaker machine ${BEAKER_IP} does not accept on port 22, trying SSH anyhow"
	fi
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/trusted-execution-clusters/ref/operator/beaker-kind-provision/trusted-execution-clusters-ref-operator-beaker-kind-provision-commands.sh`
around lines 156 - 160, The TCP probe using nc should be made defensive: first
test for availability of nc or ncat (e.g., via command -v) and log a clear
message if neither exists; when invoking nc/ncat in the if condition (the block
referencing BEAKER_IP and port 22), capture stderr by redirecting 2>&1 so
diagnostic output appears in logs; if no nc/ncat is found, fall back to a bash
/dev/tcp probe (using the BEAKER_IP variable) and use its exit status for the
same success/fail branch, ensuring the existing log_success/log_warn messages
are preserved and augmented with the captured diagnostic output when available.

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@Jakob-Naucke: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-trusted-execution-clusters-operator-main-operator-lifecycle-verify	trusted-execution-clusters/operator	presubmit	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[Jakob-Naucke]

Was able to connect in an upstream PR, i.e. without the changes proposed here. Closing. @alicefr lmk if you urgently want to change something here still

[Jakob-Naucke]

need more debugging after all, sorry for the noise

[Jakob-Naucke]

/pj-rehearse

[openshift-merge-bot]

@Jakob-Naucke: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@Jakob-Naucke: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/trusted-execution-clusters/operator/main/operator-lifecycle-verify	1195e53	link	unknown	/pj-rehearse pull-ci-trusted-execution-clusters-operator-main-operator-lifecycle-verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.