osism · berendt · Mar 15, 2026 · sourcery-ai · Mar 15, 2026
diff --git a/osism/commands/console.py b/osism/commands/console.py
@@ -1,8 +1,11 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import json
+import os
+import shutil
 import socket
 import subprocess
+import tempfile
 from typing import Optional
 
 from cliff.command import Command
@@ -201,10 +204,23 @@ def take_action(self, parsed_args):
         if type_console == "ansible":
             subprocess.call(f"/run-ansible-console.sh {host}", shell=True)
         elif type_console == "clush":
-            subprocess.call(
-                f"/usr/local/bin/clush -l {settings.OPERATOR_USER} -g {host}",
-                shell=True,
-            )
+            # Create a per-invocation known_hosts file to avoid race conditions
+            # with fanout:64 concurrent SSH connections while still persisting
+            # host keys during the session.
+            fd, tmp_known_hosts = tempfile.mkstemp(prefix="clush_known_hosts_")
+            try:
+                os.close(fd)
+                if os.path.exists(KNOWN_HOSTS_PATH):
+                    shutil.copy2(KNOWN_HOSTS_PATH, tmp_known_hosts)
+                subprocess.call(
+                    f'/usr/local/bin/clush -l {settings.OPERATOR_USER}'
+                    f' -o "-o UserKnownHostsFile={tmp_known_hosts}"'
+                    f' -g {host}',
+                    shell=True,
+                )
+            finally:
+                if os.path.exists(tmp_known_hosts):
+                    os.unlink(tmp_known_hosts)
         elif type_console == "ssh":
             # Try to resolve as an inventory group
             group_hosts = get_hosts_from_group(host)