=== frankban|afk is now known as frankban
[13:47] random question of the day
[13:47] has anyone seen juju ssh route them to the wrong box?
[13:51] nope, and there's a host key check to make sure it doesn't happen
[13:52] something funky is happening because if i run juju ssh 0
[13:52] i go to a remote node
[13:52] if i run juju ssh 1,2 or 3
[13:52] I loop back to my controller node
[13:53] hrm
[13:53] magicaltrout: what does juju --debug ssh 0 say?
[13:54] s/0/1/ ofc
[13:56] er well
[13:56] using 1 didn't fail that time but 2 did
[13:57] using target "2" address "172.17.0.1"
[13:57] but that's a local docker interface
[13:57] and juju status shows the #2 machine as being 10.10.1.81
[13:57] juju show-machine 2 ?
[13:58] ip-addresses: 10.10.1.81, 10.1.100.0, 10.1.100.1.... 172.17.0.1
[13:58] instance-id: manual: 10.10.1.81
[13:59] With --debug enabled is it checking host keys? And finding a proper key?
[14:00] https://gist.github.com/buggtb/04efdbd34493984069026810a23227ff
[14:00] and that loops me right back to the machine i'm on
[14:00] and logs me in
[14:01] and if you ssh into the machine manually?
[14:01] could you see what ip a looks like?
[14:02] well its external ip is 10.10.1.81
[14:02] it also has a docker internal net on 172.17.0.1
[14:02] it's just a manual CDK deployment
[14:03] and 172.17.0.1 appears also on the machine you're on?
[14:03] isn't 172.17.0.1 on every machine docker is ever installed on?
[14:03] it's on my laptop for example
[14:06] magicaltrout: can you try newer juju? 2.2?
[14:06] magicaltrout: in 2.2 we're checking for host keys on all the possible interfaces, and only connecting to the ones that provide the proper key
[14:07] can i snap change it somehow?
[14:07] magicaltrout: in 2.0 the machine is reporting 172.17.0.1 as its address, so we try to connect to it. And since it's localhost it's likely it's going to 'win the race'.
[14:07] bonus
[14:13] ah yeah 2.2 does work wpk
[14:13] thanks
[14:13] that had me utterly baffled
[14:13] magicaltrout: could you paste juju --debug ssh 2 somewhere? I wonder what it looks like
[14:13] new or old?
[14:14] new one
[14:14] https://gist.github.com/buggtb/5a9d1708dd0ee59ea11a806dbf1c6e8a
[14:25] Thanks
[15:15] wpk: i lied
[15:15] check this treat
[15:15] https://gist.github.com/buggtb/d85fbf00cd45c9e3b72251dd3fc619e4
[15:17] that's absolutely amazing :)
[15:18] basically you can't run docker on the same machine as a juju controller
[15:18] without it looping back in
[15:18] fml
[15:19] well
[15:19] i can change the default docker0 ip i guess that'll stop it for now
[15:31] magicaltrout: ok, that's a serious bug
[15:35] magicaltrout: could you do ssh-keyscan 172.17.0.1 10.10.1.81 ?
[15:37] wpk: https://gist.github.com/buggtb/6b9a4fd460aa2ba84284c3ec847808f5
[15:38] there's no output for 172.17.0.1?
[15:38] try just ssh-keyscan 172.17.0.1
[15:40] i have realised part of the problem
[15:40] there is an ubuntu user locally which allows ssh loopback access to the jujucontroller user I have
[15:40] which is non-standard I accept :)
[15:40] so usually you wouldn't be able to login to yourself
[15:41] that said, it's still a bit weird how the docker interface gets preferential treatment over the interfaces you've declared
[15:42] it's the fastest one
[15:42] since both 172.17.0.1 and 10.10.1.81 are in private space
[15:43] we wouldn't know anything about docker, ip is an ip
[15:48] hm, but still it shouldn't validate the host key on both IPs
=== frankban is now known as frankban|afk
[20:59] Where can I find documentation for bootstrapping & adding units in an egress-restricted environment?
[22:04] elasticsearch-peeps: http://paste.ubuntu.com/25825991/
[22:04] :0
[22:06] nice