Revert "Revert "Disable host key checking in nodepool""
This reverts commit 1bf66605b7652f0cad5e63cb2294b4fa4a029d37.
Reason for revert: The Zuul executor should be updated to handle this case now. It has been restarted with https://review.opendev.org/739986 in place.
Change-Id: I401abf5ef55a9fcd455bce21ff56c2590f968e60
diff --git a/nodepool/nodepool.yaml b/nodepool/nodepool.yaml
index 2f7dfea..b2f3a6e 100644
--- a/nodepool/nodepool.yaml
+++ b/nodepool/nodepool.yaml
@@ -18,6 +18,18 @@
- name: main
max-servers: 4
use-internal-ip: True
+ # Host key checking is disabled because:
+ # 1) We're using the internal IP so it's slightly less
+ # valuable (fewer attack vectors).
+ # 2) The images we're using appear to have a key baked into
+ # them which is overwritten at boot. Because we're using the
+ # internal IP, nodepool can end up connecting to the instance
+ # very quickly and retrieving the original host key rather
+ # than the new one (which is likely to be written a couple of
+ # seconds later). By disabling this in nodepool, we let Zuul
+ # just use the first key it finds (and it's likely to take
+ # long enough that it will have been updated by then).
+ host-key-checking: False
labels:
- name: debian-stretch-8G
instance-type: n1-standard-2
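Review bot: The comment added above `host-key-checking: False` justifies the setting by timing alone ("it's likely to take long enough that it will have been updated by then"), so nothing in this pool configuration guarantees that Zuul records the regenerated host key rather than the one baked into the image. Consider referencing the executor change named in the commit message (https://review.opendev.org/739986) in the comment, since that is the stated reason this is safe to re-land, and recording the underlying fix as a follow-up: drop the baked-in key from the images so the first key an instance presents is its own. The setting sits at pool level and so covers every label under `main`; point 1 of the comment should say that it only holds while `use-internal-ip: True` stays set on this pool.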