Document jump host SSH key repair

2026-05-21 20:31:18 +08:00
parent b6de73a4a1
commit b7b12829f9
3 changed files with 34 additions and 0 deletions
--- a/docs/guides/deployment_sop.md
+++ b/docs/guides/deployment_sop.md
@@ -19,6 +19,21 @@ scp -o ProxyJump=wooo@192.168.0.110 app.py ollama@192.168.0.188:/home/ollama/mom
 scp -o ProxyJump=wooo@192.168.0.110 -r services/ ollama@192.168.0.188:/home/ollama/momo-pro/
 ```

+若部署時在 110 → 188 的內層 `scp` 遇到 `Host key verification failed`，先在 110 修正 `known_hosts`，不要用 `StrictHostKeyChecking=no` 硬跳過：
+```bash
+ssh wooo@192.168.0.110 \
+  "ssh-keygen -R 192.168.0.188 && ssh-keyscan -H 192.168.0.188 >> ~/.ssh/known_hosts"
+```
+
+修正後先做只寫 `/tmp` 的 smoke，確認 `scp` 與 `ssh` 都通再部署正式檔案：
+```bash
+ssh wooo@192.168.0.110 \
+  "printf smoke > /tmp/momo_scp_smoke.txt && \
+   scp /tmp/momo_scp_smoke.txt ollama@192.168.0.188:/tmp/momo_scp_smoke.txt && \
+   ssh ollama@192.168.0.188 'cat /tmp/momo_scp_smoke.txt && rm -f /tmp/momo_scp_smoke.txt' && \
+   rm -f /tmp/momo_scp_smoke.txt"
+```
+
 ### 3. 重啟容器
 檔案進入掛載目錄後，重啟容器以加載變更：
 ```bash
--- a/docs/guides/devops_handbook.md
+++ b/docs/guides/devops_handbook.md
@@ -64,6 +64,12 @@

 ## 🆘 故障排除 (Troubleshooting) - 2026-04-28 實戰總結

+### 0. 110 → 188 SCP 報 `Host key verification failed`
+- **原因**: 110 的 `~/.ssh/known_hosts` 保留了 188 的舊 host key 或缺少目前 key，導致部署檔案傳輸被 SSH 安全檢查擋下。
+- **修復**: 在 110 執行 `ssh-keygen -R 192.168.0.188 && ssh-keyscan -H 192.168.0.188 >> ~/.ssh/known_hosts`。
+- **驗證**: 先把 `/tmp/momo_scp_smoke.txt` 從 110 傳到 188 的 `/tmp`，再用 `ssh ollama@192.168.0.188 'cat /tmp/momo_scp_smoke.txt'` 確認可讀，最後刪除 smoke 檔。
+- **紅線**: 不要把正式部署指令改成長期 `StrictHostKeyChecking=no`；遇到 key 問題要修 known_hosts，而不是關閉驗證。
+
 ### 1. 網站 502 Bad Gateway (Nginx 找不到後端)
 - **原因**: 110 與 188 之間的 SSH 隧道中斷。
 - **檢查**: 在 110 執行 `curl -I http://127.0.0.1:5003/health`。
--- a/tests/test_phase3f_cleanup_contracts.py
+++ b/tests/test_phase3f_cleanup_contracts.py
@@ -292,3 +292,16 @@ def test_devops_handbook_uses_current_docker_runtime_commands():
    assert "docker compose up -d --no-deps --force-recreate momo-app" in handbook
    assert "--remove-orphans" in handbook
    assert "禁止" in handbook
+
+
+def test_deployment_docs_cover_jump_host_known_hosts_repair():
+    sop = (ROOT / "docs" / "guides" / "deployment_sop.md").read_text(encoding="utf-8")
+    handbook = (ROOT / "docs" / "guides" / "devops_handbook.md").read_text(encoding="utf-8")
+
+    for content in (sop, handbook):
+        assert "Host key verification failed" in content
+        assert "ssh-keygen -R 192.168.0.188" in content
+        assert "ssh-keyscan -H 192.168.0.188" in content
+        assert "StrictHostKeyChecking=no" in content
+        assert "不要" in content
+    assert "momo_scp_smoke.txt" in sop