hybrid_platforms_conductor 33.4.0 → 33.7.1

data/lib/hybrid_platforms_conductor/hpc_plugins/cmdb/host_keys.rb

@@ -24,7 +24,7 @@ module HybridPlatformsConductor
         # * Hash<Symbol, Symbol or Array<Symbol> >: The list of necessary properties (or single one) that should be set, per property name (:others can also be used here)
         def property_dependencies
           {
-            host_keys: %i[hostname host_ip]
+            host_keys: %i[hostname host_ip ssh_port]
           }
         end
 
@@ -41,19 +41,20 @@ module HybridPlatformsConductor
         #     Nodes for which the property can't be fetched can be ommitted.
         def get_host_keys(_nodes, metadata)
           updated_metadata = {}
-          # Get the list of nodes, per hostname (just in case several nodes share the same hostname)
-          # Hash<String, Array<String> >
+          # Get the list of nodes, per [hostname, port] (just in case several nodes share the same hostname and port)
+          # Hash<[String, Integer], Array<String> >
           hostnames = Hash.new { |hash, key| hash[key] = [] }
           metadata.each do |node, node_metadata|
+            ssh_port = node_metadata[:ssh_port] || 22
             if node_metadata[:host_ip]
-              hostnames[node_metadata[:host_ip]] << node
+              hostnames[[node_metadata[:host_ip], ssh_port]] << node
             elsif node_metadata[:hostname]
-              hostnames[node_metadata[:hostname]] << node
+              hostnames[[node_metadata[:hostname], ssh_port]] << node
             end
           end
           unless hostnames.empty?
-            host_keys_for(*hostnames.keys).each do |hostname, ip|
-              hostnames[hostname].each do |node|
+            host_keys_for(*hostnames.keys).each do |host_id, ip|
+              hostnames[host_id].each do |node|
                 updated_metadata[node] = ip
               end
             end
@@ -71,7 +72,7 @@ module HybridPlatformsConductor
         # Discover the host keys associated to a list of hosts.
         #
         # Parameters::
-        # * *hosts* (Array<String>): The hosts to check for
+        # * *hosts* (Array<[String, Integer]>): The hosts to check for ([hostname, port])
         # Result::
         # * Hash<String, Array<String> >: The corresponding host keys, per host name
         def host_keys_for(*hosts)
@@ -82,9 +83,9 @@ module HybridPlatformsConductor
             parallel: true,
             nbr_threads_max: MAX_THREADS_SSH_KEY_SCAN,
             progress: log_debug? ? 'Gather host keys' : nil
-          ) do |host|
+          ) do |(host, ssh_port)|
             exit_status, stdout, _stderr = @cmd_runner.run_cmd(
-              "ssh-keyscan #{host}",
+              "ssh-keyscan -p #{ssh_port} #{host}",
               timeout: TIMEOUT_SSH_KEYSCAN,
               log_to_stdout: log_debug?,
               no_exception: true
@@ -97,9 +98,9 @@ module HybridPlatformsConductor
                   found_keys << "#{type} #{key}"
                 end
               end
-              results[host] = found_keys.sort unless found_keys.empty?
+              results[[host, ssh_port]] = found_keys.sort unless found_keys.empty?
             else
-              log_warn "Unable to get host key for #{host}. Ignoring it. Accessing #{host} might require manual acceptance of its host key."
+              log_warn "Unable to get host key for #{host} (port #{ssh_port}). Ignoring it. Accessing #{host} might require manual acceptance of its host key."
             end
           end
           results

data/lib/hybrid_platforms_conductor/hpc_plugins/connector/local.rb

@@ -35,9 +35,11 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to send stderr output
         #
         # Parameters::
-        # * *bash_cmds* (String): Bash commands to execute
+        # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
         def remote_bash(bash_cmds)
-          run_cmd "cd #{workspace_for(@node)} ; #{bash_cmds}", force_bash: true
+          SecretString.protect("cd #{workspace_for(@node)} ; #{bash_cmds.to_unprotected}", silenced_str: "cd #{workspace_for(@node)} ; #{bash_cmds}") do |cmd|
+            run_cmd cmd, force_bash: true
+          end
         end
 
         # Execute an interactive shell on the remote node
@@ -75,8 +77,8 @@ module HybridPlatformsConductor
         def remote_copy(from, to, sudo: false, owner: nil, group: nil)
           # If the destination is a relative path, prepend the workspace dir to it.
           to = "#{workspace_for(@node)}/#{to}" unless to.start_with?('/')
-          if sudo
-            run_cmd "#{@nodes_handler.sudo_on(@node)} cp -r \"#{from}\" \"#{to}\""
+          if sudo && !@actions_executor.privileged_access?(@node)
+            run_cmd "#{@actions_executor.sudo_prefix(@node)}cp -r \"#{from}\" \"#{to}\""
           else
             FileUtils.cp_r from, to unless @cmd_runner.dry_run
           end

data/lib/hybrid_platforms_conductor/hpc_plugins/connector/my_connector.rb.sample

@@ -104,7 +104,7 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to send stderr output
         #
         # Parameters::
-        # * *bash_cmds* (String): Bash commands to execute
+        # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
         def remote_bash(bash_cmds)
           MyConnectLib.connect_to(@nodes_handler.get_host_ip_of(@node)).run_bash(bash_cmds)
         end

data/lib/hybrid_platforms_conductor/hpc_plugins/connector/ssh.rb

@@ -236,31 +236,40 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to send stderr output
         #
         # Parameters::
-        # * *bash_cmds* (String): Bash commands to execute
+        # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
         def remote_bash(bash_cmds)
-          ssh_cmd =
+          SecretString.protect(
             if @nodes_handler.get_ssh_session_exec_of(@node) == false
               # When ExecSession is disabled we need to use stdin directly
-              "{ cat | #{ssh_exec} #{ssh_url} -T; } <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
+              "{ cat | #{ssh_exec} #{ssh_url} -T; } <<'HPC_EOF'\n#{bash_cmds.to_unprotected}\nHPC_EOF"
             else
-              "#{ssh_exec} #{ssh_url} /bin/bash <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
-            end
-          # Due to a limitation of Process.spawn, each individual argument is limited to 128KB of size.
-          # Therefore we need to make sure that if bash_cmds exceeds MAX_CMD_ARG_LENGTH bytes (considering EOF chars) then we use an intermediary shell script to store the commands.
-          if bash_cmds.size > MAX_CMD_ARG_LENGTH
-            # Write the commands in a file
-            temp_file = "#{Dir.tmpdir}/hpc_temp_cmds_#{Digest::MD5.hexdigest(bash_cmds)}.sh"
-            File.open(temp_file, 'w+') do |file|
-              file.write ssh_cmd
-              file.chmod 0o700
-            end
-            begin
-              run_cmd(temp_file)
-            ensure
-              File.unlink(temp_file)
+              "#{ssh_exec} #{ssh_url} /bin/bash <<'HPC_EOF'\n#{bash_cmds.to_unprotected}\nHPC_EOF"
+            end,
+            silenced_str:
+              if @nodes_handler.get_ssh_session_exec_of(@node) == false
+                # When ExecSession is disabled we need to use stdin directly
+                "{ cat | #{ssh_exec} #{ssh_url} -T; } <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
+              else
+                "#{ssh_exec} #{ssh_url} /bin/bash <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
+              end
+          ) do |ssh_cmd|
+            # Due to a limitation of Process.spawn, each individual argument is limited to 128KB of size.
+            # Therefore we need to make sure that if bash_cmds exceeds MAX_CMD_ARG_LENGTH bytes (considering EOF chars) then we use an intermediary shell script to store the commands.
+            if bash_cmds.to_unprotected.size > MAX_CMD_ARG_LENGTH
+              # Write the commands in a file
+              temp_file = "#{Dir.tmpdir}/hpc_temp_cmds_#{Digest::MD5.hexdigest(bash_cmds.to_unprotected)}.sh"
+              File.open(temp_file, 'w+') do |file|
+                file.write ssh_cmd.to_unprotected
+                file.chmod 0o700
+              end
+              begin
+                run_cmd(temp_file)
+              ensure
+                File.unlink(temp_file)
+              end
+            else
+              run_cmd ssh_cmd
             end
-          else
-            run_cmd ssh_cmd
           end
         end
 
@@ -301,13 +310,14 @@ module HybridPlatformsConductor
         # * *owner* (String or nil): Owner to be used when copying the files, or nil for current one [default: nil]
         # * *group* (String or nil): Group to be used when copying the files, or nil for current one [default: nil]
         def remote_copy(from, to, sudo: false, owner: nil, group: nil)
+          need_sudo = sudo && !@actions_executor.privileged_access?(@node)
           if @nodes_handler.get_ssh_session_exec_of(@node) == false
             # We don't have ExecSession, so don't use ssh, but scp instead.
-            if sudo
+            if need_sudo
               # We need to first copy the file in an accessible directory, and then sudo mv
               remote_bash('mkdir -p hpc_tmp_scp')
               run_cmd "scp -S #{ssh_exec} #{from} #{ssh_url}:./hpc_tmp_scp"
-              remote_bash("#{@nodes_handler.sudo_on(@node)} mv ./hpc_tmp_scp/#{File.basename(from)} #{to}")
+              remote_bash("#{@actions_executor.sudo_prefix(@node)}mv ./hpc_tmp_scp/#{File.basename(from)} #{to}")
             else
               run_cmd "scp -S #{ssh_exec} #{from} #{ssh_url}:#{to}"
             end
@@ -323,7 +333,7 @@ module HybridPlatformsConductor
                 #{File.basename(from)} | \
               #{ssh_exec} \
                 #{ssh_url} \
-                \"#{sudo ? "#{@nodes_handler.sudo_on(@node)} " : ''}tar \
+                \"#{need_sudo ? @actions_executor.sudo_prefix(@node) : ''}tar \
                   --extract \
                   --gunzip \
                   --file - \
@@ -374,16 +384,18 @@ module HybridPlatformsConductor
 
           # Add each node
           # Query for the metadata of all nodes at once
-          @nodes_handler.prefetch_metadata_of nodes, %i[private_ips hostname host_ip description]
+          @nodes_handler.prefetch_metadata_of nodes, %i[private_ips hostname host_ip description ssh_port]
           nodes.sort.each do |node|
             # Generate the conf for the node
             connection, connection_user, gateway, gateway_user = connection_info_for(node, no_exception: true)
             if connection.nil?
               config_content << "# #{node} - Not connectable using SSH - #{@nodes_handler.get_description_of(node) || ''}\n"
             else
+              ssh_port = @nodes_handler.get_ssh_port_of(node)
               config_content << "# #{node} - #{connection} - #{@nodes_handler.get_description_of(node) || ''}\n"
               config_content << "Host #{ssh_aliases_for(node).join(' ')}\n"
               config_content << "  Hostname #{connection}\n"
+              config_content << "  Port #{ssh_port}\n" unless ssh_port.nil?
               config_content << "  User \"#{connection_user}\"\n" if connection_user != @ssh_user
               config_content << "  ProxyCommand #{ssh_exec} -q -W %h:%p #{gateway_user}@#{gateway}\n" unless gateway.nil?
               if @passwords.key?(node)
@@ -648,7 +660,7 @@ module HybridPlatformsConductor
             existing_users = File.exist?(control_master_users_file) ? File.read(control_master_users_file).split("\n") : []
             ssh_url = "hpc.#{node}"
             connection, connection_user, _gateway, _gateway_user = connection_info_for(node)
-            control_path_file = control_master_file(connection, '22', connection_user)
+            control_path_file = control_master_file(connection, @nodes_handler.get_ssh_port_of(node) || 22, connection_user)
             if existing_users.empty?
               # Make sure there is no stale one.
               if File.exist?(control_path_file)

data/lib/hybrid_platforms_conductor/hpc_plugins/log/remote_fs.rb

@@ -29,10 +29,9 @@ module HybridPlatformsConductor
         # Result::
         # * Array< Hash<Symbol,Object> >: List of actions to be done
         def actions_to_save_logs(node, services, deployment_info, exit_status, stdout, stderr)
-          # Create a log file to be scp with all relevant info
-          ssh_user = @actions_executor.connector(:ssh).ssh_user
-          sudo_prefix = ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} "
-          log_file = "#{Dir.tmpdir}/hpc_deploy_logs/#{node}_#{Time.now.utc.strftime('%F_%H%M%S')}_#{ssh_user}"
+          # Create a log file to be scp-ed with all relevant info
+          sudo_prefix = @actions_executor.sudo_prefix(node)
+          log_file = "#{Dir.tmpdir}/hpc_deploy_logs/#{node}_#{Time.now.utc.strftime('%F_%H%M%S')}_#{@actions_executor.connector(:ssh).ssh_user}"
           [
             {
               ruby: proc do
@@ -56,7 +55,7 @@ module HybridPlatformsConductor
             {
               scp: {
                 log_file => '/var/log/deployments',
-                :sudo => ssh_user != 'root',
+                :sudo => !@actions_executor.privileged_access?(node),
                 :owner => 'root',
                 :group => 'root'
               }
@@ -85,7 +84,7 @@ module HybridPlatformsConductor
         # Result::
         # * Array< Hash<Symbol,Object> >: List of actions to be done
         def actions_to_read_logs(node)
-          sudo_prefix = @actions_executor.connector(:ssh).ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} "
+          sudo_prefix = @actions_executor.sudo_prefix(node)
           [
             { remote_bash: "#{sudo_prefix}cat /var/log/deployments/`#{sudo_prefix}ls -t /var/log/deployments/ | head -1`" }
           ]

data/lib/hybrid_platforms_conductor/hpc_plugins/platform_handler/serverless_chef.rb

@@ -241,18 +241,24 @@ module HybridPlatformsConductor
             '--json-attributes', "nodes/#{node}.json"
           ]
           client_options << '--why-run' if use_why_run
+          # Force setting of TERM variable and usage of unbuffer to get colored output from chef-client even if executed through a non-interactive SSH session.
+          client_env = {
+            'SSL_CERT_DIR' => '/etc/ssl/certs',
+            'TERM' => 'xterm-256color'
+          }
           if @nodes_handler.get_use_local_chef_of(node)
             # Just run the chef-client directly from the packaged repository
-            sudo_prefix = @cmd_runner.root? ? '' : 'sudo '
+            sudo_prefix = @cmd_runner.root? ? '' : 'sudo -E '
             [
               {
                 bash: [
                   'set -e',
                   "cd #{package_dir}"
                 ] +
-                  gems_to_install.map { |(gem_name, gem_version)| "#{sudo_prefix}SSL_CERT_DIR=/etc/ssl/certs /opt/chef-workstation/bin/chef gem install #{gem_name} --version \"#{gem_version}\"" } +
+                  client_env.map { |var_name, value| "export #{var_name}=#{value}" } +
+                  gems_to_install.map { |(gem_name, gem_version)| "#{sudo_prefix}/opt/chef-workstation/bin/chef gem install #{gem_name} --version \"#{gem_version}\"" } +
                   [
-                    "#{sudo_prefix}SSL_CERT_DIR=/etc/ssl/certs /opt/chef-workstation/bin/chef-client #{client_options.join(' ')}"
+                    "#{sudo_prefix}/opt/chef-workstation/bin/chef-client #{client_options.join(' ')}"
                   ]
               }
             ]
@@ -263,14 +269,14 @@ module HybridPlatformsConductor
             raise "Missing file #{chef_versions_file} specifying the Chef Infra Client version to be deployed" unless File.exist?(chef_versions_file)
 
             required_chef_client_version = YAML.load_file(chef_versions_file)['client']
-            sudo = (@actions_executor.connector(:ssh).ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} -E ")
+            sudo = @actions_executor.sudo_prefix(node, forward_env: true)
             [
               {
                 # Install dependencies
                 remote_bash: [
                   'set -e',
                   'set -o pipefail',
-                  "if [ -n \"$(command -v apt)\" ]; then #{sudo}apt update && #{sudo}apt install -y curl build-essential ; else #{sudo}yum groupinstall 'Development Tools' && #{sudo}yum install -y curl ; fi",
+                  "if [ -n \"$(command -v apt)\" ]; then #{sudo}apt update && #{sudo}apt install -y curl build-essential expect ; else #{sudo}yum groupinstall 'Development Tools' && #{sudo}yum install -y curl expect ; fi",
                   'mkdir -p ./hpc_deploy',
                   'rm -rf ./hpc_deploy/tmp',
                   'mkdir -p ./hpc_deploy/tmp',
@@ -281,16 +287,19 @@ module HybridPlatformsConductor
               },
               {
                 scp: { package_dir => './hpc_deploy' },
-                remote_bash: [
-                  'set -e',
-                  "cd ./hpc_deploy/#{package_name}"
-                ] +
-                  gems_to_install.map { |(gem_name, gem_version)| "#{sudo}SSL_CERT_DIR=/etc/ssl/certs /opt/chef/embedded/bin/gem install #{gem_name} --version \"#{gem_version}\"" } +
-                  [
-                    "#{sudo}SSL_CERT_DIR=/etc/ssl/certs /opt/chef/bin/chef-client #{client_options.join(' ')}",
-                    'cd ..'
+                remote_bash: {
+                  commands: [
+                    'set -e',
+                    "cd ./hpc_deploy/#{package_name}"
                   ] +
-                  (log_debug? ? [] : ["#{sudo}rm -rf ./hpc_deploy/#{package_name}"])
+                    gems_to_install.map { |(gem_name, gem_version)| "#{sudo}/opt/chef/embedded/bin/gem install #{gem_name} --version \"#{gem_version}\"" } +
+                    [
+                      "#{sudo}unbuffer /opt/chef/bin/chef-client #{client_options.join(' ')}",
+                      'cd ..'
+                    ] +
+                    (log_debug? ? [] : ["#{sudo}rm -rf ./hpc_deploy/#{package_name}"]),
+                  env: client_env
+                }
               }
             ]
           end

data/lib/hybrid_platforms_conductor/hpc_plugins/provisioner/docker.rb

@@ -21,7 +21,7 @@ module HybridPlatformsConductor
             ::Docker.validate_version!
             docker_ok = true
           rescue
-            log_error "[ #{@node}/#{@environment} ] - Docker is not installed correctly. Please install it. Error: #{$ERROR_INFO}"
+            log_error "Docker is not installed correctly. Please install it. Error: #{$ERROR_INFO}"
           end
           docker_ok
         end

data/lib/hybrid_platforms_conductor/hpc_plugins/provisioner/proxmox.rb

@@ -2,6 +2,7 @@ require 'json'
 require 'proxmox'
 require 'digest'
 require 'hybrid_platforms_conductor/actions_executor'
+require 'hybrid_platforms_conductor/credentials'
 require 'hybrid_platforms_conductor/provisioner'
 
 module HybridPlatformsConductor
@@ -284,7 +285,7 @@ module HybridPlatformsConductor
               # cf https://pve.proxmox.com/wiki/Renaming_a_PVE_node
               URI.parse(url).host.downcase.split('.').first,
               user,
-              password,
+              password&.to_unprotected,
               ENV['hpc_realm_for_proxmox'] || 'pam',
               {
                 verify_ssl: false,
@@ -436,7 +437,7 @@ module HybridPlatformsConductor
                 {
                   proxmox_test_info[:sync_node] => {
                     remote_bash: {
-                      commands: "#{@actions_executor.connector(:ssh).ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(proxmox_test_info[:sync_node])} -E "}./proxmox/#{cmd}",
+                      commands: "#{@actions_executor.sudo_prefix(proxmox_test_info[:sync_node], forward_env: true)}./proxmox/#{cmd}",
                       env: {
                         'hpc_user_for_proxmox' => user,
                         'hpc_password_for_proxmox' => password,

data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/keepass.rb

@@ -90,7 +90,7 @@ module HybridPlatformsConductor
                   key_file = ENV['hpc_key_file_for_keepass']
                   password_enc = ENV['hpc_password_enc_for_keepass']
                   keepass_credentials = {}
-                  keepass_credentials[:password] = password if password
+                  keepass_credentials[:password] = password.to_unprotected if password
                   keepass_credentials[:password_enc] = password_enc if password_enc
                   keepass_credentials[:key_file] = key_file if key_file
                   KeepassKpscript.

data/lib/hybrid_platforms_conductor/hpc_plugins/test/check_deploy_and_idempotence.rb

@@ -26,7 +26,13 @@ module HybridPlatformsConductor
             # Check that we can connect with root
             ssh_ok = false
             begin
-              Net::SSH.start(instance.ip, 'root', password: 'root_pwd', auth_methods: ['password'], verify_host_key: :never) do |ssh|
+              Net::SSH.start(
+                instance.ip,
+                'root',
+                password: 'root_pwd',
+                auth_methods: ['password'],
+                verify_host_key: :never
+              ) do |ssh|
                 ssh_ok = ssh.exec!('echo Works').strip == 'Works'
               end
             rescue
@@ -53,14 +59,22 @@ module HybridPlatformsConductor
                 #   System is booting up. See pam_nologin(8)
                 #   Authentication failed.
                 instance.stop
-                instance.with_running_instance(port: 22) do
+                ssh_port = @nodes_handler.get_ssh_port_of(@node) || 22
+                instance.with_running_instance(port: ssh_port) do
 
                   unless @nodes_handler.get_root_access_allowed_of(@node)
                     # ===== Deploy removes root access
                     # Check that we can't connect with root
                     ssh_ok = false
                     begin
-                      Net::SSH.start(instance.ip, 'root', password: 'root_pwd', auth_methods: ['password'], verify_host_key: :never) do |ssh|
+                      Net::SSH.start(
+                        instance.ip,
+                        'root',
+                        password: 'root_pwd',
+                        auth_methods: ['password'],
+                        verify_host_key: :never,
+                        port: ssh_port
+                      ) do |ssh|
                         ssh_ok = ssh.exec!('echo Works').strip == 'Works'
                       end
                     rescue

data/lib/hybrid_platforms_conductor/hpc_plugins/test/deploy_removes_root_access.rb

@@ -18,7 +18,13 @@ module HybridPlatformsConductor
             # Check that we can connect with root
             ssh_ok = false
             begin
-              Net::SSH.start(instance.ip, 'root', password: 'root_pwd', auth_methods: ['password'], verify_host_key: :never) do |ssh|
+              Net::SSH.start(
+                instance.ip,
+                'root',
+                password: 'root_pwd',
+                auth_methods: ['password'],
+                verify_host_key: :never
+              ) do |ssh|
                 ssh_ok = ssh.exec!('echo Works').strip == 'Works'
               end
             rescue
@@ -29,17 +35,31 @@ module HybridPlatformsConductor
               deployer.nbr_retries_on_error = 3
               deployer.deploy_on @node
               # As sshd is certainly being restarted, start and stop the container to reload it.
-              deployer.restart @node
-              # Check that we can't connect with root
-              ssh_ok = false
-              begin
-                Net::SSH.start(instance.ip, 'root', password: 'root_pwd', auth_methods: ['password'], verify_host_key: :never) do |ssh|
-                  ssh_ok = ssh.exec!('echo Works').strip == 'Works'
+              # As it's possible sshd has to be restarted because of a change in its conf, restart the container.
+              # Otherwise you'll get the following error upon reconnection:
+              #   System is booting up. See pam_nologin(8)
+              #   Authentication failed.
+              instance.stop
+              ssh_port = @nodes_handler.get_ssh_port_of(@node) || 22
+              instance.with_running_instance(port: ssh_port) do
+                # Check that we can't connect with root
+                ssh_ok = false
+                begin
+                  Net::SSH.start(
+                    instance.ip,
+                    'root',
+                    password: 'root_pwd',
+                    auth_methods: ['password'],
+                    verify_host_key: :never,
+                    port: ssh_port
+                  ) do |ssh|
+                    ssh_ok = ssh.exec!('echo Works').strip == 'Works'
+                  end
+                rescue
+                  nil
                 end
-              rescue
-                nil
+                assert_equal ssh_ok, false, 'Root can still connect on the image after deployment'
               end
-              assert_equal ssh_ok, false, 'Root can still connect on the image after deployment'
             end
           end
         end