senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(bootstrap): network auto-detect tries no-sudo first then sudo -n

Browse source 
The previous detect always used `sudo`, but :
  * sudo via SSH has no TTY → asks for password → curl/ssh hangs
  * sudo with -n exits non-zero if password needed → silent fail
Result : detect ALWAYS warns "could not auto-detect" even on a host
where the operator is in the `incus-admin` group and could read
the network config without sudo at all.

New probe order (each step exits early on first hit) :
  1. plain `incus config device get forgejo eth0 network`
     (works if operator is in incus-admin)
  2. `sudo -n incus ...`
     (works if NOPASSWD sudo is configured)
Otherwise warns and falls through to the group_vars default
`net-veza` — which will be correct for any operator who hasn't
renamed the bridge.

Same probe order applies to the fallback (listing managed bridges).

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
senke 2026-04-30 15:02:35 +02:00
parent b9445faacc
commit 44aa4e95be
1 changed files with 24 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
scripts/bootstrap/bootstrap-local.sh
View file

@ -441,28 +441,39 @@ phase_5_haproxy() {
become_flag=(--ask-become-pass) become_flag=(--ask-become-pass)
fi fi
# Detect the Incus network actually present on the R720. The # Detect the Incus network actually present on the R720. Try in
# group_vars default is `veza-net` but the operator's R720 may # order :
# already have a different bridge name (e.g. `incusbr0`). Probe # 1. No sudo (operator in `incus-admin` group)
# via the existing forgejo container (whose network we know # 2. sudo -n (NOPASSWD sudo configured)
# works) and fall back to `incus network list`. # 3. Give up and let the playbook use the group_vars default
# Probe is via the existing forgejo container (whose network we
# know is the right one) ; fall back to listing managed bridges.
info "detecting Incus network on R720" info "detecting Incus network on R720"
local detected_net="" local detected_net=""
detected_net=$(ssh "$ssh_target" \ local _try_cmds=(
"sudo incus config device get forgejo eth0 network 2>/dev/null" \ "incus config device get forgejo eth0 network 2>/dev/null"
| tr -d '[:space:]' || true) "sudo -n incus config device get forgejo eth0 network 2>/dev/null"
)
for cmd in "${_try_cmds[@]}"; do
detected_net=$(ssh "$ssh_target" "$cmd" 2>/dev/null | tr -d '[:space:]' || true)
[[ -n "$detected_net" && "$detected_net" != "None" ]] && break
done
if [[ -z "$detected_net" || "$detected_net" == "None" ]]; then if [[ -z "$detected_net" || "$detected_net" == "None" ]]; then
# Pick the first managed bridge that incus knows about. # Fallback : first managed bridge.
detected_net=$(ssh "$ssh_target" \ for cmd in \
"sudo incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'" \ "incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'" \
| tr -d '[:space:]' || true) "sudo -n incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'"
do
detected_net=$(ssh "$ssh_target" "$cmd" 2>/dev/null | tr -d '[:space:]' || true)
[[ -n "$detected_net" ]] && break
done
fi fi
local extra_vars=() local extra_vars=()
if [[ -n "$detected_net" ]]; then if [[ -n "$detected_net" ]]; then
ok "Incus network detected : $detected_net" ok "Incus network detected : $detected_net"
extra_vars+=("--extra-vars" "veza_incus_network=$detected_net") extra_vars+=("--extra-vars" "veza_incus_network=$detected_net")
else else
warn "could not auto-detect Incus network ; playbook will use the group_vars default" warn "could not auto-detect Incus network ; playbook will use the group_vars default (net-veza)"
fi fi
info "running ansible-playbook playbooks/haproxy.yml (510 min)" info "running ansible-playbook playbooks/haproxy.yml (510 min)"