fix: verify rescue in stateInstallTalos before installing

shtse8 · shtse8 · commit 987673968178 · 2026-03-31T19:45:09.000+01:00
Root cause of repeated installer failures: SSH reachable but server
running Debian (not rescue). stateCheckRescueActive had rescue
detection, but stateInstallTalos didn't — it trusted SSH=rescue.

Fix: Before installing, verify hostname=rescue or /etc/hetzner-build.
If not rescue, fix EFI boot order (delete non-PXE entries), reboot,
re-activate rescue. Server will PXE boot into rescue on next cycle.

This affected: node3, node5, node9, node1, storage-7 — all servers
with pre-existing OS (Debian from cephadm or old Talos).
diff --git a/controllers/hetznerrobotmachine_controller.go b/controllers/hetznerrobotmachine_controller.go
@@ -520,6 +520,44 @@ func (r *HetznerRobotMachineReconciler) stateInstallTalos(
 		return ctrl.Result{RequeueAfter: requeueAfterShort}, nil
 	}
 
+	// Verify the system is actually rescue before installing.
+	// A pre-existing OS (Debian from cephadm, old Talos, etc.) has SSH on port 22
+	// but is NOT rescue — installing Talos on a running OS fails silently (exit 1).
+	{
+		privateKey, keyErr := r.getSSHPrivateKey(ctx, hrc)
+		if keyErr == nil {
+			verifyClient := sshrescue.New(serverIP, privateKey)
+			if connErr := verifyClient.Connect(); connErr == nil {
+				out, _ := verifyClient.Run("([ \"$(hostname)\" = \"rescue\" ] || test -f /etc/hetzner-build) && echo RESCUE || echo NOT_RESCUE")
+				verifyClient.Close()
+				if strings.TrimSpace(out) != "RESCUE" {
+					logger.Info("SSH reachable but NOT rescue (existing OS), fixing EFI and rebooting into rescue",
+						"ip", serverIP, "hostname", strings.TrimSpace(out))
+					// Fix EFI boot order — delete non-PXE entries so next boot goes to PXE rescue
+					fixClient := sshrescue.New(serverIP, privateKey)
+					if fixErr := fixClient.Connect(); fixErr == nil {
+						_, _ = fixClient.Run(`
+							if command -v efibootmgr > /dev/null 2>&1; then
+								mount -o remount,rw /sys/firmware/efi/efivars 2>/dev/null || \
+								mount -t efivarfs efivarfs /sys/firmware/efi/efivars 2>/dev/null || true
+								for entry in $(efibootmgr 2>/dev/null | grep '^Boot[0-9A-Fa-f]' | grep -iv 'pxe\|network\|ipv4\|ipv6' | grep -o '^Boot[0-9A-Fa-f]*' | sed 's/Boot//'); do
+									efibootmgr -b "$entry" -B 2>/dev/null
+								done
+							fi
+							nohup bash -c 'sleep 1 && reboot' &>/dev/null &
+						`)
+						fixClient.Close()
+					}
+					// Re-activate rescue for the PXE boot
+					sshFingerprint, _ := r.getSSHKeyFingerprint(ctx, hrc)
+					_, _ = robotClient.ActivateRescue(ctx, serverID, sshFingerprint)
+					hrm.Status.ProvisioningState = infrav1.StateActivatingRescue
+					return ctrl.Result{RequeueAfter: 90 * time.Second}, nil
+				}
+			}
+		}
+	}
+
 	logger.Info("Installing Talos via rescue SSH", "ip", serverIP)
 
 	// Get private key
