fix(iso): remove remaining real IPs, add -F robustness, prettier format, known_hosts note
This commit is contained in:
parent
dee76991de
commit
14dd2baa98
4 changed files with 27 additions and 17 deletions
|
|
@ -8,10 +8,10 @@ sent to mother, and stored in PostgreSQL `mother_hive.hive_nodes`.
|
|||
|
||||
## Hosts used in this guide
|
||||
|
||||
| Host | IP (Tailscale) | User for MCP | Role |
|
||||
| ---------------------- | ------------------------ | ------------ | ----------------------------------------------- |
|
||||
| `mother` (OSA) | `<mother-tailscale-ip>` | `colibri` | Mother — runs PostgreSQL, external MCP servers |
|
||||
| `clawdie-usb` (USB) | `<node-tailscale-ip>` | `clawdie` | Operator workstation — sends hw-probe to mother |
|
||||
| Host | IP (Tailscale) | User for MCP | Role |
|
||||
| ------------------- | ----------------------- | ------------ | ----------------------------------------------- |
|
||||
| `mother` (OSA) | `<mother-tailscale-ip>` | `colibri` | Mother — runs PostgreSQL, external MCP servers |
|
||||
| `clawdie-usb` (USB) | `<node-tailscale-ip>` | `clawdie` | Operator workstation — sends hw-probe to mother |
|
||||
|
||||
## How it works
|
||||
|
||||
|
|
@ -184,12 +184,12 @@ Once the daemon is restarted with `COLIBRI_AUTOSPAWN=YES` and
|
|||
|
||||
## Troubleshooting
|
||||
|
||||
| Symptom | Likely cause | Fix |
|
||||
| ----------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------- |
|
||||
| `ssh mother` hangs | Tailscale not up | `sudo tailscale up` on USB |
|
||||
| `Permission denied (publickey)` | Key not in authorized_keys on mother | Verify: `cat /var/db/colibri/.ssh/authorized_keys` on mother |
|
||||
| `Permission denied (publickey)` | Key permissions wrong on USB | `chmod 600 /var/db/colibri/.ssh/mother-mcp` (daemon user) or `~/.ssh/mother-mcp` (clawdie user) |
|
||||
| `daemon: open: Permission denied` | Log file ownership wrong | `chown clawdie: /var/log/colibri/daemon.log` |
|
||||
| Daemon starts but no external tools | `COLIBRI_MCP_EXTERNAL_CALL` not set | Check provider.env, restart daemon |
|
||||
| Daemon starts, external tools visible, but calls fail | SSH key path wrong in external-mcp.json | Baked path: `/var/db/colibri/.ssh/mother-mcp` |
|
||||
| `error: unrecognized subcommand` | SSH wrapper getting non-allowlisted command | Wrapper only allows `""` (stdio) and `"tools"`; `ssh mother tools` is correct |
|
||||
| Symptom | Likely cause | Fix |
|
||||
| ----------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------- |
|
||||
| `ssh mother` hangs | Tailscale not up | `sudo tailscale up` on USB |
|
||||
| `Permission denied (publickey)` | Key not in authorized_keys on mother | Verify: `cat /var/db/colibri/.ssh/authorized_keys` on mother |
|
||||
| `Permission denied (publickey)` | Key permissions wrong on USB | `chmod 600 /var/db/colibri/.ssh/mother-mcp` (daemon user) or `~/.ssh/mother-mcp` (clawdie user) |
|
||||
| `daemon: open: Permission denied` | Log file ownership wrong | `chown clawdie: /var/log/colibri/daemon.log` |
|
||||
| Daemon starts but no external tools | `COLIBRI_MCP_EXTERNAL_CALL` not set | Check provider.env, restart daemon |
|
||||
| Daemon starts, external tools visible, but calls fail | SSH key path wrong in external-mcp.json | Baked path: `/var/db/colibri/.ssh/mother-mcp` |
|
||||
| `error: unrecognized subcommand` | SSH wrapper getting non-allowlisted command | Wrapper only allows `""` (stdio) and `"tools"`; `ssh mother tools` is correct |
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ chmod 600 ~/.ssh/mother-mcp
|
|||
# SSH config for Tailscale hostname
|
||||
cat >> ~/.ssh/config << 'SSH'
|
||||
Host mother
|
||||
HostName 100.72.229.63
|
||||
HostName <mother-tailscale-ip>
|
||||
User colibri
|
||||
IdentityFile ~/.ssh/mother-mcp
|
||||
IdentitiesOnly yes
|
||||
|
|
@ -79,7 +79,7 @@ sudo tee /usr/local/etc/colibri/external-mcp.json << 'JSON'
|
|||
"args": [
|
||||
"-i", "/home/clawdie/.ssh/mother-mcp",
|
||||
"-o", "StrictHostKeyChecking=accept-new",
|
||||
"colibri@100.72.229.63",
|
||||
"colibri@<mother-tailscale-ip>",
|
||||
"colibri-mcp"
|
||||
],
|
||||
"env": {}
|
||||
|
|
|
|||
|
|
@ -109,8 +109,11 @@ Inside it, any of these are honored:
|
|||
/<agent>/ssh/known_hosts OUTBOUND: merged into ~/.ssh/known_hosts (0644),
|
||||
de-duplicated. Pin the mother server's host key
|
||||
here so the first node -> mother connection does
|
||||
not stop on an unknown-host prompt. Get the line
|
||||
with: ssh-keyscan osa.smilepowered.org
|
||||
not stop on an unknown-host prompt. Scan the
|
||||
TARGET that ssh/config actually connects to
|
||||
(the Tailscale IP in HostName, not necessarily
|
||||
the DNS name):
|
||||
ssh-keyscan <mother-tailscale-ip>
|
||||
|
||||
/<agent>/ssh/mother-mcp DUAL-PURPOSE OUTBOUND KEY. This private key
|
||||
serves two roles with a single identity:
|
||||
|
|
@ -136,6 +139,12 @@ Inside it, any of these are honored:
|
|||
destinations. No other key is needed for either
|
||||
purpose.
|
||||
|
||||
The importer installs this material to TWO homes:
|
||||
/home/clawdie/.ssh/ (operator) and
|
||||
/var/db/colibri/.ssh/ (daemon). The daemon
|
||||
spawns the external-MCP SSH connection to mother,
|
||||
so it needs its own copy of the key + config.
|
||||
|
||||
Agent directory names may contain only A-Z a-z 0-9 . _ - (no spaces or
|
||||
slashes). The name `ssh` is reserved for Layer 1.
|
||||
|
||||
|
|
|
|||
|
|
@ -146,6 +146,7 @@ cat > "${ETC_DIR}/external-mcp.json" <<'EOF'
|
|||
"command": "ssh",
|
||||
"args": [
|
||||
"-i", "/var/db/colibri/.ssh/mother-mcp",
|
||||
"-F", "/var/db/colibri/.ssh/config",
|
||||
"-o", "StrictHostKeyChecking=accept-new",
|
||||
"mother"
|
||||
],
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue