smart_proxy_remote_execution_ssh 0.4.0 → 0.5.2

data/lib/smart_proxy_remote_execution_ssh/net_ssh_compat.rb

@@ -0,0 +1,228 @@
+module Proxy::RemoteExecution
+  module NetSSHCompat
+    class Buffer
+      # exposes the raw content of the buffer
+      attr_reader :content
+
+      # the current position of the pointer in the buffer
+      attr_accessor :position
+
+      # Creates a new buffer, initialized to the given content. The position
+      # is initialized to the beginning of the buffer.
+      def initialize(content = +'')
+        @content = content.to_s
+        @position = 0
+      end
+
+      # Returns the length of the buffer's content.
+      def length
+        @content.length
+      end
+
+      # Returns the number of bytes available to be read (e.g., how many bytes
+      # remain between the current position and the end of the buffer).
+      def available
+        length - position
+      end
+
+      # Returns a copy of the buffer's content.
+      def to_s
+        (@content || "").dup
+      end
+
+      # Returns +true+ if the buffer contains no data (e.g., it is of zero length).
+      def empty?
+        @content.empty?
+      end
+
+      # Resets the pointer to the start of the buffer. Subsequent reads will
+      # begin at position 0.
+      def reset!
+        @position = 0
+      end
+
+      # Returns true if the pointer is at the end of the buffer. Subsequent
+      # reads will return nil, in this case.
+      def eof?
+        @position >= length
+      end
+
+      # Resets the buffer, making it empty. Also, resets the read position to
+      # 0.
+      def clear!
+        @content = +''
+        @position = 0
+      end
+
+      # Consumes n bytes from the buffer, where n is the current position
+      # unless otherwise specified. This is useful for removing data from the
+      # buffer that has previously been read, when you are expecting more data
+      # to be appended. It helps to keep the size of buffers down when they
+      # would otherwise tend to grow without bound.
+      #
+      # Returns the buffer object itself.
+      def consume!(count = position)
+        if count >= length
+          # OPTIMIZE: a fairly common case
+          clear!
+        elsif count.positive?
+          @content = @content[count..-1] || +''
+          @position -= count
+          @position = 0 if @position.negative?
+        end
+        self
+      end
+
+      # Appends the given text to the end of the buffer. Does not alter the
+      # read position. Returns the buffer object itself.
+      def append(text)
+        @content << text
+        self
+      end
+
+      # Reads and returns the next +count+ bytes from the buffer, starting from
+      # the read position. If +count+ is +nil+, this will return all remaining
+      # text in the buffer. This method will increment the pointer.
+      def read(count = nil)
+        count ||= length
+        count = length - @position if @position + count > length
+        @position += count
+        @content[@position - count, count]
+      end
+
+      # Writes the given data literally into the string. Does not alter the
+      # read position. Returns the buffer object.
+      def write(*data)
+        data.each { |datum| @content << datum.dup.force_encoding('BINARY') }
+        self
+      end
+    end
+
+    module BufferedIO
+      # This module is used to extend sockets and other IO objects, to allow
+      # them to be buffered for both read and write. This abstraction makes it
+      # quite easy to write a select-based event loop
+      # (see Net::SSH::Connection::Session#listen_to).
+      #
+      # The general idea is that instead of calling #read directly on an IO that
+      # has been extended with this module, you call #fill (to add pending input
+      # to the internal read buffer), and then #read_available (to read from that
+      # buffer). Likewise, you don't call #write directly, you call #enqueue to
+      # add data to the write buffer, and then #send_pending or #wait_for_pending_sends
+      # to actually send the data across the wire.
+      #
+      # In this way you can easily use the object as an argument to IO.select,
+      # calling #fill when it is available for read, or #send_pending when it is
+      # available for write, and then call #enqueue and #read_available during
+      # the idle times.
+      #
+      #   socket = TCPSocket.new(address, port)
+      #   socket.extend(Net::SSH::BufferedIo)
+      #
+      #   ssh.listen_to(socket)
+      #
+      #   ssh.loop do
+      #     if socket.available > 0
+      #       puts socket.read_available
+      #       socket.enqueue("response\n")
+      #     end
+      #   end
+      #
+      # Note that this module must be used to extend an instance, and should not
+      # be included in a class. If you do want to use it via an include, then you
+      # must make sure to invoke the private #initialize_buffered_io method in
+      # your class' #initialize method:
+      #
+      #   class Foo < IO
+      #     include Net::SSH::BufferedIo
+      #
+      #     def initialize
+      #       initialize_buffered_io
+      #       # ...
+      #     end
+      #   end
+
+      # Tries to read up to +n+ bytes of data from the remote end, and appends
+      # the data to the input buffer. It returns the number of bytes read, or 0
+      # if no data was available to be read.
+      def fill(count = 8192)
+        input.consume!
+        data = recv(count)
+        input.append(data)
+        return data.length
+      rescue EOFError => e
+        @input_errors << e
+        return 0
+      end
+
+      # Read up to +length+ bytes from the input buffer. If +length+ is nil,
+      # all available data is read from the buffer. (See #available.)
+      def read_available(length = nil)
+        input.read(length || available)
+      end
+
+      # Returns the number of bytes available to be read from the input buffer.
+      # (See #read_available.)
+      def available
+        input.available
+      end
+
+      # Enqueues data in the output buffer, to be written when #send_pending
+      # is called. Note that the data is _not_ sent immediately by this method!
+      def enqueue(data)
+        output.append(data)
+      end
+
+      # Sends as much of the pending output as possible. Returns +true+ if any
+      # data was sent, and +false+ otherwise.
+      def send_pending
+        if output.length.positive?
+          sent = send(output.to_s, 0)
+          output.consume!(sent)
+          return sent.positive?
+        else
+          return false
+        end
+      end
+
+      # Calls #send_pending repeatedly, if necessary, blocking until the output
+      # buffer is empty.
+      def wait_for_pending_sends
+        send_pending
+        while output.length.positive?
+          result = IO.select(nil, [self]) || next
+          next unless result[1].any?
+
+          send_pending
+        end
+      end
+
+      private
+
+      #--
+      # Can't use attr_reader here (after +private+) without incurring the
+      # wrath of "ruby -w". We hates it.
+      #++
+
+      def input
+        @input
+      end
+
+      def output
+        @output
+      end
+
+      # Initializes the intput and output buffers for this object. This method
+      # is called automatically when the module is mixed into an object via
+      # Object#extend (see Net::SSH::BufferedIo.extended), but must be called
+      # explicitly in the +initialize+ method of any class that uses
+      # Module#include to add this module.
+      def initialize_buffered_io
+        @input = Buffer.new
+        @input_errors = []
+        @output = Buffer.new
+        @output_errors = []
+      end
+    end
+  end
+end

data/lib/smart_proxy_remote_execution_ssh/plugin.rb

@@ -1,6 +1,7 @@
 module Proxy::RemoteExecution::Ssh
   class Plugin < Proxy::Plugin
-    SSH_LOG_LEVELS = %w[debug info warn error fatal].freeze
+    SSH_LOG_LEVELS = %w[debug info error fatal].freeze
+    MODES = %i[ssh async-ssh pull pull-mqtt].freeze
 
     http_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
     https_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
@@ -11,11 +12,13 @@ module Proxy::RemoteExecution::Ssh
                      :remote_working_dir      => '/var/tmp',
                      :local_working_dir       => '/var/tmp',
                      :kerberos_auth           => false,
-                     :async_ssh               => false,
                      # When set to nil, makes REX use the runner's default interval
                      # :runner_refresh_interval => nil,
-                     :ssh_log_level           => :fatal,
-                     :cleanup_working_dirs    => true
+                     :ssh_log_level           => :error,
+                     :cleanup_working_dirs    => true,
+                     # :mqtt_broker             => nil,
+                     # :mqtt_port               => nil,
+                     :mode                    => :ssh
 
     plugin :ssh, Proxy::RemoteExecution::Ssh::VERSION
     after_activation do
@@ -23,13 +26,16 @@ module Proxy::RemoteExecution::Ssh
       require 'smart_proxy_remote_execution_ssh/version'
       require 'smart_proxy_remote_execution_ssh/cockpit'
       require 'smart_proxy_remote_execution_ssh/api'
-      require 'smart_proxy_remote_execution_ssh/actions/run_script'
+      require 'smart_proxy_remote_execution_ssh/actions'
       require 'smart_proxy_remote_execution_ssh/dispatcher'
       require 'smart_proxy_remote_execution_ssh/log_filter'
       require 'smart_proxy_remote_execution_ssh/runners'
-      require 'smart_proxy_dynflow_core'
+      require 'smart_proxy_remote_execution_ssh/utils'
+      require 'smart_proxy_remote_execution_ssh/job_storage'
 
       Proxy::RemoteExecution::Ssh.validate!
+
+      Proxy::Dynflow::TaskLauncherRegistry.register('ssh', Proxy::Dynflow::TaskLauncher::Batch)
     end
 
     def self.simulate?
@@ -39,7 +45,7 @@ module Proxy::RemoteExecution::Ssh
     def self.runner_class
       @runner_class ||= if simulate?
                           Runners::FakeScriptRunner
-                        elsif settings[:async_ssh]
+                        elsif settings.mode == :'ssh-async'
                           Runners::PollingScriptRunner
                         else
                           Runners::ScriptRunner

data/lib/smart_proxy_remote_execution_ssh/runners/fake_script_runner.rb

@@ -1,5 +1,5 @@
 module Proxy::RemoteExecution::Ssh::Runners
-  class FakeScriptRunner < ForemanTasksCore::Runner::Base
+  class FakeScriptRunner < ::Proxy::Dynflow::Runner::Base
     DEFAULT_REFRESH_INTERVAL = 1
 
     @data = []

data/lib/smart_proxy_remote_execution_ssh/runners/polling_script_runner.rb

@@ -24,7 +24,7 @@ module Proxy::RemoteExecution::Ssh::Runners
       @callback_host = options[:callback_host]
       @task_id = options[:uuid]
       @step_id = options[:step_id]
-      @otp = ForemanTasksCore::OtpManager.generate_otp(@task_id)
+      @otp = Proxy::Dynflow::OtpManager.generate_otp(@task_id)
     end
 
     def prepare_start
@@ -40,7 +40,7 @@ module Proxy::RemoteExecution::Ssh::Runners
       control_script_finish = "#{@control_script_path} init-script-finish"
       <<-SCRIPT.gsub(/^ +\| /, '')
       | export CONTROL_SCRIPT="#{@control_script_path}"
-      | sh -c '#{main_script}; #{control_script_finish}' #{close_fds} &
+      | #{@user_method.cli_command_prefix} sh -c '#{main_script}; #{control_script_finish}' #{close_fds} &
       | echo $! > '#{@base_dir}/pid'
       SCRIPT
     end
@@ -90,7 +90,7 @@ module Proxy::RemoteExecution::Ssh::Runners
 
     def close
       super
-      ForemanTasksCore::OtpManager.drop_otp(@task_id, @otp) if @otp
+      Proxy::Dynflow::OtpManager.drop_otp(@task_id, @otp) if @otp
     end
 
     def upload_control_scripts
@@ -116,7 +116,7 @@ module Proxy::RemoteExecution::Ssh::Runners
 
     # Generates updates based on the callback data from the manual mode
     def load_event_updates(event_data)
-      continuous_output = ForemanTasksCore::ContinuousOutput.new
+      continuous_output = Proxy::Dynflow::ContinuousOutput.new
       if event_data.key?('output')
         lines = Base64.decode64(event_data['output']).sub(/\A(RUNNING|DONE).*\n/, '')
         continuous_output.add_output(lines, 'stdout')
@@ -132,8 +132,7 @@ module Proxy::RemoteExecution::Ssh::Runners
     def destroy_session
       if @session
         @logger.debug("Closing session with #{@ssh_user}@#{@host}")
-        @session.close
-        @session = nil
+        close_session
       end
     end
   end

data/lib/smart_proxy_remote_execution_ssh/runners/script_runner.rb

@@ -1,12 +1,5 @@
-require 'net/ssh'
 require 'fileutils'
-
-# Rubocop can't make up its mind what it wants
-# rubocop:disable Lint/SuppressedException, Lint/RedundantCopDisableDirective
-begin
-  require 'net/ssh/krb'
-rescue LoadError; end
-# rubocop:enable Lint/SuppressedException, Lint/RedundantCopDisableDirective
+require 'smart_proxy_dynflow/runner/command'
 
 module Proxy::RemoteExecution::Ssh::Runners
   class EffectiveUserMethod
@@ -21,7 +14,7 @@ module Proxy::RemoteExecution::Ssh::Runners
 
     def on_data(received_data, ssh_channel)
       if received_data.match(login_prompt)
-        ssh_channel.send_data(effective_user_password + "\n")
+        ssh_channel.puts(effective_user_password)
         @password_sent = true
       end
     end
@@ -96,12 +89,12 @@ module Proxy::RemoteExecution::Ssh::Runners
   end
 
   # rubocop:disable Metrics/ClassLength
-  class ScriptRunner < ForemanTasksCore::Runner::Base
+  class ScriptRunner < Proxy::Dynflow::Runner::Base
+    include Proxy::Dynflow::Runner::Command
     attr_reader :execution_timeout_interval
 
     EXPECTED_POWER_ACTION_MESSAGES = ['restart host', 'shutdown host'].freeze
     DEFAULT_REFRESH_INTERVAL = 1
-    MAX_PROCESS_RETRIES = 4
 
     def initialize(options, user_method, suspended_action: nil)
       super suspended_action: suspended_action
@@ -119,6 +112,7 @@ module Proxy::RemoteExecution::Ssh::Runners
       @local_working_dir = options.fetch(:local_working_dir, settings.local_working_dir)
       @remote_working_dir = options.fetch(:remote_working_dir, settings.remote_working_dir)
       @cleanup_working_dirs = options.fetch(:cleanup_working_dirs, settings.cleanup_working_dirs)
+      @first_execution = options.fetch(:first_execution, false)
       @user_method = user_method
     end
 
@@ -146,12 +140,13 @@ module Proxy::RemoteExecution::Ssh::Runners
     end
 
     def start
+      Proxy::RemoteExecution::Utils.prune_known_hosts!(@host, @ssh_port, logger) if @first_execution
       prepare_start
       script = initialization_script
       logger.debug("executing script:\n#{indent_multiline(script)}")
       trigger(script)
-    rescue StandardError => e
-      logger.error("error while initalizing command #{e.class} #{e.message}:\n #{e.backtrace.join("\n")}")
+    rescue StandardError, NotImplementedError => e
+      logger.error("error while initializing command #{e.class} #{e.message}:\n #{e.backtrace.join("\n")}")
       publish_exception('Error initializing command', e)
     end
 
@@ -177,12 +172,7 @@ module Proxy::RemoteExecution::Ssh::Runners
 
     def refresh
       return if @session.nil?
-
-      with_retries do
-        with_disconnect_handling do
-          @session.process(0)
-        end
-      end
+      super
     ensure
       check_expecting_disconnect
     end
@@ -206,32 +196,15 @@ module Proxy::RemoteExecution::Ssh::Runners
       execution_timeout_interval
     end
 
-    def with_retries
-      tries = 0
-      begin
-        yield
-      rescue StandardError => e
-        logger.error("Unexpected error: #{e.class} #{e.message}\n #{e.backtrace.join("\n")}")
-        tries += 1
-        if tries <= MAX_PROCESS_RETRIES
-          logger.error('Retrying')
-          retry
-        else
-          publish_exception('Unexpected error', e)
-        end
-      end
-    end
-
-    def with_disconnect_handling
-      yield
-    rescue IOError, Net::SSH::Disconnect => e
-      @session.shutdown!
-      check_expecting_disconnect
-      if @expecting_disconnect
-        publish_exit_status(0)
-      else
-        publish_exception('Unexpected disconnect', e)
-      end
+    def close_session
+      @session = nil
+      raise 'Control socket file does not exist' unless File.exist?(local_command_file("socket"))
+      @logger.debug("Sending exit request for session #{@ssh_user}@#{@host}")
+      args = ['/usr/bin/ssh', @host, "-o", "User=#{@ssh_user}", "-o", "ControlPath=#{local_command_file("socket")}", "-O", "exit"].flatten
+      pid, *, err = session(args, in_stream: false, out_stream: false)
+      result = read_output_debug(err)
+      Process.wait(pid)
+      result
     end
 
     def close
@@ -239,12 +212,13 @@ module Proxy::RemoteExecution::Ssh::Runners
     rescue StandardError => e
       publish_exception('Error when removing remote working dir', e, false)
     ensure
-      @session.close if @session && !@session.closed?
+      close_session if @session
       FileUtils.rm_rf(local_command_dir) if Dir.exist?(local_command_dir) && @cleanup_working_dirs
     end
 
     def publish_data(data, type)
-      super(data.force_encoding('UTF-8'), type)
+      super(data.force_encoding('UTF-8'), type) unless @user_method.filter_password?(data)
+      @user_method.on_data(data, @command_in)
     end
 
     private
@@ -254,38 +228,54 @@ module Proxy::RemoteExecution::Ssh::Runners
     end
 
     def should_cleanup?
-      @session && !@session.closed? && @cleanup_working_dirs
-    end
-
-    def session
-      @session ||= begin
-                     @logger.debug("opening session to #{@ssh_user}@#{@host}")
-                     Net::SSH.start(@host, @ssh_user, ssh_options)
-                   end
-    end
-
-    def ssh_options
-      ssh_options = {}
-      ssh_options[:port] = @ssh_port if @ssh_port
-      ssh_options[:keys] = [@client_private_key_file] if @client_private_key_file
-      ssh_options[:password] = @ssh_password if @ssh_password
-      ssh_options[:passphrase] = @key_passphrase if @key_passphrase
-      ssh_options[:keys_only] = true
-      # if the host public key is contained in the known_hosts_file,
-      # verify it, otherwise, if missing, import it and continue
-      ssh_options[:paranoid] = true
-      ssh_options[:auth_methods] = available_authentication_methods
-      ssh_options[:user_known_hosts_file] = prepare_known_hosts if @host_public_key
-      ssh_options[:number_of_password_prompts] = 1
-      ssh_options[:verbose] = settings[:ssh_log_level]
-      ssh_options[:logger] = Proxy::RemoteExecution::Ssh::LogFilter.new(SmartProxyDynflowCore::Log.instance)
-      return ssh_options
+      @session && @cleanup_working_dirs
+    end
+
+    # Creates session with three pipes - one for reading and two for
+    # writing. Similar to `Open3.popen3` method but without creating
+    # a separate thread to monitor it.
+    def session(args, in_stream: true, out_stream: true, err_stream: true)
+      @session = true
+
+      in_read, in_write = in_stream ? IO.pipe : '/dev/null'
+      out_read, out_write = out_stream ? IO.pipe : [nil, '/dev/null']
+      err_read, err_write = err_stream ? IO.pipe : [nil, '/dev/null']
+      command_pid = spawn(*args, :in => in_read, :out => out_write, :err => err_write)
+      in_read.close if in_stream
+      out_write.close if out_stream
+      err_write.close if err_stream
+
+      return command_pid, in_write, out_read, err_read
+    end
+
+    def ssh_options(with_pty = false)
+      ssh_options = []
+      ssh_options << "-tt" if with_pty
+      ssh_options << "-o User=#{@ssh_user}"
+      ssh_options << "-o Port=#{@ssh_port}" if @ssh_port
+      ssh_options << "-o IdentityFile=#{@client_private_key_file}" if @client_private_key_file
+      ssh_options << "-o IdentitiesOnly=yes"
+      ssh_options << "-o StrictHostKeyChecking=no"
+      ssh_options << "-o PreferredAuthentications=#{available_authentication_methods.join(',')}"
+      ssh_options << "-o UserKnownHostsFile=#{prepare_known_hosts}" if @host_public_key
+      ssh_options << "-o NumberOfPasswordPrompts=1"
+      ssh_options << "-o LogLevel=#{settings[:ssh_log_level]}"
+      ssh_options << "-o ControlMaster=auto"
+      ssh_options << "-o ControlPath=#{local_command_file("socket")}"
+      ssh_options << "-o ControlPersist=yes"
     end
 
     def settings
       Proxy::RemoteExecution::Ssh::Plugin.settings
     end
 
+    def get_args(command, with_pty = false)
+      args = []
+      args = [{'SSHPASS' => @key_passphrase}, '/usr/bin/sshpass', '-P', 'passphrase', '-e'] if @key_passphrase
+      args = [{'SSHPASS' => @ssh_password}, '/usr/bin/sshpass', '-e'] if @ssh_password
+      args += ['/usr/bin/ssh', @host, ssh_options(with_pty), command].flatten
+    end
+
     # Initiates run of the remote command and yields the data when
     # available. The yielding doesn't happen automatically, but as
     # part of calling the `refresh` method.
@@ -294,30 +284,9 @@ module Proxy::RemoteExecution::Ssh::Runners
 
       @started = false
       @user_method.reset
+      @command_pid, @command_in, @command_out = session(get_args(command, with_pty: true), err_stream: false)
+      @started = true
 
-      session.open_channel do |channel|
-        channel.request_pty
-        channel.on_data do |ch, data|
-          publish_data(data, 'stdout') unless @user_method.filter_password?(data)
-          @user_method.on_data(data, ch)
-        end
-        channel.on_extended_data { |ch, type, data| publish_data(data, 'stderr') }
-        # standard exit of the command
-        channel.on_request('exit-status') { |ch, data| publish_exit_status(data.read_long) }
-        # on signal: sending the signal value (such as 'TERM')
-        channel.on_request('exit-signal') do |ch, data|
-          publish_exit_status(data.read_string)
-          ch.close
-          # wait for the channel to finish so that we know at the end
-          # that the session is inactive
-          ch.wait
-        end
-        channel.exec(command) do |_, success|
-          @started = true
-          raise('Error initializing command') unless success
-        end
-      end
-      session.process(0) { !run_started? }
       return true
     end
 
@@ -325,36 +294,27 @@ module Proxy::RemoteExecution::Ssh::Runners
       @started && @user_method.sent_all_data?
     end
 
-    def run_sync(command, stdin = nil)
+    def read_output_debug(err_io, out_io = nil)
       stdout = ''
-      stderr = ''
-      exit_status = nil
-      started = false
-
-      channel = session.open_channel do |ch|
-        ch.on_data do |c, data|
-          stdout.concat(data)
-        end
-        ch.on_extended_data { |_, _, data| stderr.concat(data) }
-        ch.on_request('exit-status') { |_, data| exit_status = data.read_long }
-        # Send data to stdin if we have some
-        ch.send_data(stdin) unless stdin.nil?
-        # on signal: sending the signal value (such as 'TERM')
-        ch.on_request('exit-signal') do |_, data|
-          exit_status = data.read_string
-          ch.close
-          ch.wait
-        end
-        ch.exec command do |_, success|
-          raise 'could not execute command' unless success
-
-          started = true
-        end
+      debug_str = ''
+
+      if out_io
+        stdout += out_io.read until out_io.eof? rescue
+        out_io.close
       end
-      session.process(0) { !started }
-      # Closing the channel without sending any data gives us SIGPIPE
-      channel.close unless stdin.nil?
-      channel.wait
+      debug_str += err_io.read until err_io.eof? rescue
+      err_io.close
+      debug_str.lines.each { |line| @logger.debug(line.strip) }
+
+      return stdout, debug_str
+    end
+
+    def run_sync(command, stdin = nil)
+      pid, tx, rx, err = session(get_args(command))
+      tx.puts(stdin) unless stdin.nil?
+      tx.close
+      stdout, stderr = read_output_debug(err, rx)
+      exit_status = Process.wait2(pid)[1].exitstatus
       return exit_status, stdout, stderr
     end
 
@@ -371,7 +331,7 @@ module Proxy::RemoteExecution::Ssh::Runners
     end
 
     def local_command_file(filename)
-      File.join(local_command_dir, filename)
+      File.join(ensure_local_directory(local_command_dir), filename)
     end
 
     def remote_command_dir
@@ -453,15 +413,8 @@ module Proxy::RemoteExecution::Ssh::Runners
 
     def available_authentication_methods
       methods = %w[publickey] # Always use pubkey auth as fallback
-      if settings[:kerberos_auth]
-        if defined? Net::SSH::Kerberos
-          methods << 'gssapi-with-mic'
-        else
-          @logger.warn('Kerberos authentication requested but not available')
-        end
-      end
+      methods << 'gssapi-with-mic' if settings[:kerberos_auth]
       methods.unshift('password') if @ssh_password
-
       methods
     end
   end

data/lib/smart_proxy_remote_execution_ssh/utils.rb

@@ -0,0 +1,24 @@
+require 'open3'
+
+module Proxy::RemoteExecution
+  module Utils
+    class << self
+      def prune_known_hosts!(hostname, port, logger = Logger.new($stdout))
+        return if Net::SSH::KnownHosts.search_for(hostname).empty?
+
+        target = if port == 22
+                   hostname
+                 else
+                   "[#{hostname}]:#{port}"
+                 end
+
+        Open3.popen3('ssh-keygen', '-R', target) do |_stdin, stdout, _stderr, wait_thr|
+          wait_thr.join
+          stdout.read
+        end
+      rescue Errno::ENOENT => e
+        logger.warn("Could not remove #{hostname} from know_hosts: #{e}")
+      end
+    end
+  end
+end