Fix clush group resolver error by moving SSH options to clush.conf (#2142)

berendt · web-flow · commit 6b7c2eb61897 · 2026-03-16T18:46:09.000+01:00
The previous commits added SSH options via clush's -o CLI flag, which
broke clush's argument parsing and caused "Group resolver error: Default
group source not found: ansible". Move all SSH options (IdentityFile,
StrictHostKeyChecking, UserKnownHostsFile, LogLevel) into clush.conf
where they belong. Add UserKnownHostsFile=/dev/null to clush.conf to
avoid known_hosts race conditions with fanout:64 concurrent connections.

AI-assisted: Claude Code

Signed-off-by: Christian Berendt &lt;berendt@osism.tech&gt;
diff --git a/files/clustershell/clush.conf b/files/clustershell/clush.conf
@@ -7,4 +7,4 @@ fd_max: 8192
 history_size: 100
 node_count: yes
 verbosity: 1
-ssh_options: -o IdentityFile=/ansible/secrets/id_rsa.operator -o StrictHostKeyChecking=no -o LogLevel=ERROR
+ssh_options: -o IdentityFile=/ansible/secrets/id_rsa.operator -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR
diff --git a/osism/commands/console.py b/osism/commands/console.py
@@ -1,12 +1,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import json
-import os
 import shlex
-import shutil
 import socket
 import subprocess
-import tempfile
 from typing import Optional
 
 from cliff.command import Command
@@ -212,32 +209,17 @@ def take_action(self, parsed_args):
         if type_console == "ansible":
             subprocess.call(["/run-ansible-console.sh", host])
         elif type_console == "clush":
-            # Create a per-invocation known_hosts file to avoid race conditions
-            # with fanout:64 concurrent SSH connections while still persisting
-            # host keys during the session.
-            fd, tmp_known_hosts = tempfile.mkstemp(prefix="clush_known_hosts_")
-            try:
-                os.close(fd)
-                if os.path.exists(KNOWN_HOSTS_PATH):
-                    shutil.copy2(KNOWN_HOSTS_PATH, tmp_known_hosts)
-                subprocess.call(
-                    [
-                        "/usr/local/bin/clush",
-                        "-l",
-                        settings.OPERATOR_USER,
-                        "-o",
-                        "StrictHostKeyChecking=no",
-                        "-o",
-                        "LogLevel=ERROR",
-                        "-o",
-                        f"UserKnownHostsFile={tmp_known_hosts}",
-                        "-g",
-                        host,
-                    ]
-                )
-            finally:
-                if os.path.exists(tmp_known_hosts):
-                    os.unlink(tmp_known_hosts)
+            # SSH options (IdentityFile, StrictHostKeyChecking, LogLevel)
+            # are configured in clush.conf, no need to pass them here.
+            subprocess.call(
+                [
+                    "/usr/local/bin/clush",
+                    "-l",
+                    settings.OPERATOR_USER,
+                    "-g",
+                    host,
+                ]
+            )
         elif type_console == "ssh":
             # Try to resolve as an inventory group
             group_hosts = get_hosts_from_group(host)
