From b6f65f461887c3b58854126850b229e3ca9e9ff2 Mon Sep 17 00:00:00 2001
From: juvdiaz
Date: Wed, 27 May 2026 17:23:49 -0600
Subject: [PATCH] Handle reused Pimox worker SSH host keys
---
 lab.sh | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/lab.sh b/lab.sh
index b8bd730..cfd7ea3 100755
--- a/lab.sh
+++ b/lab.sh
@@ -183,23 +183,43 @@ wait_for_pimox_guest_ssh() { local elapsed local guest_ip local ip_filter_description + local known_hosts_file="${REPO_ROOT}/.lab/pimox-worker-known_hosts" local last_guest_ip="" + local last_known_hosts_ip="" local last_ssh_output="" local next_log + local ssh_deadline=0 local ssh_output + local ssh_timeout_seconds="${LAB_PIMOX_GUEST_SSH_TIMEOUT_SECONDS:-600}" ip_filter_description="matching prefix ${ip_prefix}" if [[ -z "${ip_prefix}" ]]; then ip_filter_description="that is not loopback or link-local" fi + if ! [[ "${ssh_timeout_seconds}" =~ ^[0-9]+$ ]] || ((ssh_timeout_seconds == 0)); then + echo "LAB_PIMOX_GUEST_SSH_TIMEOUT_SECONDS must be a positive integer." >&2 + return 1 + fi + mkdir -p "$(dirname "${known_hosts_file}")" + touch "${known_hosts_file}" + chmod 0600 "${known_hosts_file}" deadline=$((SECONDS + timeout_seconds)) next_log="${SECONDS}" while ((SECONDS < deadline)); do guest_ip="$(pimox_guest_ipv4 "${host}" "${user}" "${key_path}" "${vmid}" "${ip_prefix}" "${qm_bin}" || true)" if [[ -n "${guest_ip}" ]]; then + if ((ssh_deadline == 0)); then + ssh_deadline=$((SECONDS + ssh_timeout_seconds)) + elif ((SECONDS >= ssh_deadline)); then + break + fi last_guest_ip="${guest_ip}" - if ssh_output="$(ssh -i "${guest_key_path}" -o BatchMode=yes -o ConnectTimeout=8 -o StrictHostKeyChecking=accept-new "${guest_user}@${guest_ip}" true 2>&1)"; then + if [[ "${last_known_hosts_ip}" != "${guest_ip}" ]]; then + ssh-keygen -R "${guest_ip}" -f "${known_hosts_file}" >/dev/null 2>&1 || true + last_known_hosts_ip="${guest_ip}" + fi + if ssh_output="$(ssh -i "${guest_key_path}" -o BatchMode=yes -o ConnectTimeout=8 -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="${known_hosts_file}" "${guest_user}@${guest_ip}" true 2>&1)"; then printf '%s\n' "${guest_ip}" return 0 fi 
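Review bot: Clearing the stored key with `ssh-keygen -R` right before an `accept-new` connection means the per-lab known_hosts file never rejects a changed key on first contact: `last_known_hosts_ip` starts empty on every call, so each invocation drops the pin for the guest IP and trusts whichever key answers next. That may be the intended trade-off for recreated workers on reused addresses, but it should be stated next to the removal, e.g. `# Worker VMs are rebuilt on reused IPs, so the old pin is dropped once per call; first contact is trust-on-first-use, not verified.` The pin recorded here only protects the later SSH steps against this worker if they pass the same `-o UserKnownHostsFile=...`, which cannot be confirmed from this hunk. Separately, `mkdir -p`, `touch` and `chmod 0600` are unchecked, so unless the script runs under `set -e` a failure there would surface only as repeated SSH errors until the timeout; appending `|| return 1` to each would fail fast. The function starts before and continues past this hunk.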
@@ -210,6 +230,9 @@ wait_for_pimox_guest_ssh() {
 elapsed=$((timeout_seconds - (deadline - SECONDS)))
 if [[ -n "${last_guest_ip}" ]]; then
 echo "Waiting for SSH to worker VM ${vmid} at ${last_guest_ip} as ${guest_user} (${elapsed}s elapsed)..." >&2
+ if [[ -n "${last_ssh_output}" ]]; then
+ echo "Last SSH failure: ${last_ssh_output}" >&2
+ fi
 else
 echo "Waiting for worker VM ${vmid} to report an IPv4 address ${ip_filter_description} through qemu-guest-agent (${elapsed}s elapsed)..." >&2
 fi
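Review bot: The added `echo` writes `last_ssh_output` to the operator's terminal unmodified, and that text comes from `ssh ... 2>&1` against a server whose host key has only just been accepted, so any multi-line banner or control characters the remote end sends are printed as-is. Printing it escaped, e.g. `printf 'Last SSH failure: %q\n' "${last_ssh_output}" >&2`, keeps the diagnostic while neutralising escape sequences. The assignment to `last_ssh_output` falls between the two hunks and is not visible here, so this assumes it holds the raw ssh output.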