r2286 breaks bootstrap with authorized-keys in env.yaml

Bug #1275657 reported by Curtis Hovey
This bug affects 1 person
Affects: juju-core
Status: Fix Released
Importance: Critical
Assigned to: Andrew Wilkins

Bug Description

With juju-core r2286, all test juju bootstraps that embed the ssh keys in the yaml using authorized-keys fail. Tests that use authorized-keys-path work, as do environments that fall back to id_rsa.

Curtis Hovey (sinzui)
Changed in juju-core:
assignee: nobody → Andrew Wilkins (axwalk)
milestone: none → 1.18.0
Andrew Wilkins (axwalk)
Changed in juju-core:
status: Triaged → In Progress
Andrew Wilkins (axwalk) wrote :

Does the client machine still specify the identity to use in ~/.ssh/config? Maybe -i *does* override that, but not the defaults.

Curtis Hovey (sinzui)
Changed in juju-core:
milestone: 1.18.0 → 1.17.3
Curtis Hovey (sinzui) wrote :

The jenkins user does not have a ~/.ssh/config. Jenkins has two pairs of keys; the default keys are used as jenkins to manage its access. The staging keys are used by juju and within tests.

Andrew Wilkins (axwalk) wrote :

How did that ever work? The staging key must be communicated to the ssh client somewhere (authorized-key only affects the server). Are the keys loaded into Jenkins, and Jenkins loads them into the ssh-agent before calling the build script?

authorized-key-path and id_rsa fallback will *always* work, provided the target host doesn't require proxying: authorized-key-path is combined with the ~/.juju/ssh public keys (whereas authorized-keys is taken verbatim), so one of the auto-generated ssh keys will be used as a fallback; id_rsa is always tried by ssh.

Andrew Wilkins (axwalk) wrote :

Forgot to add: I can't reproduce the problem. I can bootstrap Canonistack just fine. I have the identity specified in my ~/.ssh/config, and I put its public key in the authorized-keys attribute.

Andrew Wilkins (axwalk) wrote :

What workaround did you implement in lp:1257371? From the last two comments, I think you symlinked ~/.ssh/id_rsa to point to your staging key. Is that correct? If that's correct, then I think I know what the problem is.

I understood ssh to always attempt ~/.ssh/id_[dr]sa, but that's not true. The '-i' flag overrides the defaults, but ssh will also try whatever's held in the ssh-agent. In your case, there is no agent (or it doesn't have the keys loaded). In my testing, I always had my default keys loaded into the agent.

I'll have a fix ready shortly.
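
Added example (not from the thread or from juju's code): a check for the mismatch discussed above, where the key listed in authorized-keys is not among the identities the ssh client can offer. The function names and sample keys are constructed for illustration; in practice the `offered` text would come from the client's `.pub` files and the output of `ssh-add -L`.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_public_keys(text):
    """Map fingerprint -> comment for authorized_keys, *.pub or `ssh-add -L` text."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An authorized_keys line may start with an options field; find the key type.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                keys[fingerprint(fields[i + 1])] = " ".join(fields[i + 2:])
                break
    return keys

def usable_identities(authorized_keys, offered):
    """Return the sources in `offered` holding a key the server will accept."""
    accepted = parse_public_keys(authorized_keys)
    return sorted(src for src, text in offered.items()
                  if accepted.keys() & parse_public_keys(text).keys())

def constructed_key(seed, comment):
    """Constructed sample: a well-formed ssh-ed25519 blob, not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + hashlib.sha256(seed).digest())
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

STAGING = constructed_key(b"staging", "juju-staging")
DEFAULT = constructed_key(b"default", "jenkins@ci")
AUTHORIZED_KEYS = "no-pty " + STAGING  # value of authorized-keys, taken verbatim

# CI host as described in the thread: no agent, only the default key pair on disk.
NO_AGENT = {"default key pair": DEFAULT}
# Same host once the staging key is loaded into an agent (ssh-add -L output).
WITH_AGENT = {"default key pair": DEFAULT, "ssh-agent": STAGING}

if __name__ == "__main__":
    print("no agent:  ", usable_identities(AUTHORIZED_KEYS, NO_AGENT))
    print("with agent:", usable_identities(AUTHORIZED_KEYS, WITH_AGENT))
```

An empty result means the server will reject every identity the client can present, whatever flags ssh is invoked with.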

Andrew Wilkins (axwalk)
Changed in juju-core:
status: In Progress → Fix Committed
Curtis Hovey (sinzui) wrote :

Thank you Andrew. Your branch indeed fixed the CI issue.

Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released