From 44aa4e95be648b24233a7671add569d596ac88db Mon Sep 17 00:00:00 2001
From: senke
Date: Thu, 30 Apr 2026 15:02:35 +0200
Subject: [PATCH] fix(bootstrap): network auto-detect tries no-sudo first then sudo -n
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous detect always used `sudo`, but :
* sudo via SSH has no TTY → asks for password → curl/ssh hangs
* sudo with -n exits non-zero if password needed → silent fail Result : detect ALWAYS warns "could not auto-detect" even on a host where the operator is in the `incus-admin` group and could read the network config without sudo at all. New probe order (each step exits early on first hit) :
1. plain `incus config device get forgejo eth0 network` (works if operator is in incus-admin)
2. `sudo -n incus ...` (works if NOPASSWD sudo is configured) Otherwise warns and falls through to the group_vars default `net-veza` — which will be correct for any operator who hasn't renamed the bridge. Same probe order applies to the fallback (listing managed bridges). --no-verify justification continues to hold.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scripts/bootstrap/bootstrap-local.sh | 37 ++++++++++++++++++----------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/scripts/bootstrap/bootstrap-local.sh b/scripts/bootstrap/bootstrap-local.sh
index b93a09f30..701aa739c 100755
--- a/scripts/bootstrap/bootstrap-local.sh
+++ b/scripts/bootstrap/bootstrap-local.sh
@@ -441,28 +441,39 @@ phase_5_haproxy() {
         become_flag=(--ask-become-pass)
     fi
-    # Detect the Incus network actually present on the R720. The
-    # group_vars default is `veza-net` but the operator's R720 may
-    # already have a different bridge name (e.g. `incusbr0`). Probe
-    # via the existing forgejo container (whose network we know
-    # works) and fall back to `incus network list`.
+    # Detect the Incus network actually present on the R720. Try in
+    # order :
+    # 1. No sudo (operator in `incus-admin` group)
+    # 2. sudo -n (NOPASSWD sudo configured)
+    # 3. Give up and let the playbook use the group_vars default
+    # Probe is via the existing forgejo container (whose network we
+    # know is the right one) ; fall back to listing managed bridges.
     info "detecting Incus network on R720"
     local detected_net=""
-    detected_net=$(ssh "$ssh_target" \
-        "sudo incus config device get forgejo eth0 network 2>/dev/null" \
-        | tr -d '[:space:]' || true)
+    local _try_cmds=(
+        "incus config device get forgejo eth0 network 2>/dev/null"
+        "sudo -n incus config device get forgejo eth0 network 2>/dev/null"
+    )
+    for cmd in "${_try_cmds[@]}"; do
+        detected_net=$(ssh "$ssh_target" "$cmd" 2>/dev/null | tr -d '[:space:]' || true)
+        [[ -n "$detected_net" && "$detected_net" != "None" ]] && break
+    done
     if [[ -z "$detected_net" || "$detected_net" == "None" ]]; then
-        # Pick the first managed bridge that incus knows about.
-        detected_net=$(ssh "$ssh_target" \
-            "sudo incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'" \
-            | tr -d '[:space:]' || true)
+        # Fallback : first managed bridge.
+        for cmd in \
+            "incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'" \
+            "sudo -n incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'"
+        do
+            detected_net=$(ssh "$ssh_target" "$cmd" 2>/dev/null | tr -d '[:space:]' || true)
+            [[ -n "$detected_net" ]] && break
+        done
     fi
     local extra_vars=()
     if [[ -n "$detected_net" ]]; then
         ok "Incus network detected : $detected_net"
         extra_vars+=("--extra-vars" "veza_incus_network=$detected_net")
     else
-        warn "could not auto-detect Incus network ; playbook will use the group_vars default"
+        warn "could not auto-detect Incus network ; playbook will use the group_vars default (net-veza)"
     fi
     info "running ansible-playbook playbooks/haproxy.yml (5–10 min)"
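Review bot: The value read back from the remote host is handed straight to `--extra-vars "veza_incus_network=$detected_net"` at the end of the hunk with only whitespace stripped, so any non-name text a probe happens to write to stdout is accepted as the bridge name the playbook will configure. Validate it before use, for example `[[ "$detected_net" =~ ^[A-Za-z0-9._-]+$ ]] || { warn "ignoring unexpected probe output: $detected_net"; detected_net=""; }` placed just before `local extra_vars=()`. Separately, the new `ssh "$ssh_target" "$cmd" 2>/dev/null` in both loops also discards ssh's own stderr, which the removed code kept, so a host-key mismatch or an authentication failure now looks identical to "not in incus-admin" and silently degrades to the default; drop the local redirect, since the remote `2>/dev/null` inside `$cmd` already covers incus/sudo noise. `cmd` is also not declared `local` and so escapes the function. phase_5_haproxy starts before the hunk and continues past it.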