$ juju kill-controller mymanual
WARNING! This command will destroy the "local.mymanual" controller.
This includes all machines, services, data and other resources.
Continue [y/N]? y
Unable to destroy controller through the API: failed to destroy model: manually provisioned machines must first be destroyed with `juju destroy-machine 1`. Destroying through provider.
^^^^^^^ note the error message, should be "remove-machine"
$ juju remove-machine 1
ERROR no model specified
$ juju list-models
error: controller local.mymanual not found
$ juju list-controllers
CONTROLLER MODEL USER SERVER
The text "must first be destroyed" implies that something needs to be done in order to kill the controller. But it then says "Destroying through provisioner" and goes ahead and removes the local yaml files. But the manual machines still have the jujud agents running on them, so stuff has been left behind and needs manual cleanup.
This is the problem with "kill-controller". It's roughly the same as "destroy- environment --force", but with scary warnings and, IMO, less clear intent in the command name. To me, kill-controller just sounds like an alias for destroy-controller.
The --force used to imply that you were giving consent to tear away everything that the provider manages in an unfriendly way. That makes units aren't stopped, and manually provisioned machines aren't tidied up.
So what should we do? We could add another flag (-yy, "yes yes, I'm really sure")? Or educate people better? I personally think we should do away with kill-controller, and reintroduce --force.