Bug #19520
Host keeps in "Installation pending" and SSL certificate gets revoked
Status: closed
Description
Since we upgraded to 1.15 we see this behaviour: built hosts stay in "Installation pending" mode, and the certificate is getting revoked right after the build.
Steps to reproduce
- add host to foreman (Autosign record for host is added)
- Install the machine (after installation we see the hostname in the certificates as revoked)
Findings
- Puppet keeps working on the host until we restart foreman, then Puppet will give us a revoked message
- The wget -q -O /dev/null --no-check-certificate http://foreman.host/unattended/provision?token=2b9b35c6-57ac-424f-a963-xxxxxxxxxx is being executed. But it's rendering the template instead of setting the host to finished state
Log
Although I have set logging to debug mode for both foreman and smartproxy, I don't see any exceptions. I also checked the upgrade log between 1.14 and 1.15-rc1, no errors/warning there.
When the build url is called from the template these are the logs (smartproxy / production.log):
D, [2017-05-10T15:55:24.106111 ] DEBUG -- : close: 185.67.xxx.xxx:53842
D, [2017-05-10T15:55:44.668351 ] DEBUG -- : accept: 185.67.xxx.xxx:53856
D, [2017-05-10T15:55:44.669586 ] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2017-05-10T15:55:44.670381 ] DEBUG -- : verifying remote client 185.67.xxx.xxx against trusted_hosts ["foreman.host"]
D, [2017-05-10T15:55:44.671082 ] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2017-05-10T15:55:44.671193 ] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2017-05-10T15:55:44.671256 ] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean <host>
D, [2017-05-10T15:55:46.626048 ] DEBUG -- : cleaned puppet certificate for <host>
I, [2017-05-10T15:55:46.626848 ] INFO -- : 185.67.xxx.xxx - - [10/May/2017:15:55:46 +0200] "DELETE /puppet/ca/<host> HTTP/1.1" 200 - 1.9566
D, [2017-05-10T15:55:46.631194 ] DEBUG -- : close: 185.67.xxx.xxx:53856
D, [2017-05-10T15:55:46.677442 ] DEBUG -- : accept: 185.67.xxx.xxx:53858
D, [2017-05-10T15:55:46.678582 ] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2017-05-10T15:55:46.679394 ] DEBUG -- : verifying remote client 185.67.xxx.xxx against trusted_hosts ["foreman.host"]
D, [2017-05-10T15:55:46.679707 ] DEBUG -- : Added <host> to autosign
I, [2017-05-10T15:55:46.680011 ] INFO -- : 185.67.xxx.xxx - - [10/May/2017:15:55:46 +0200] "POST /puppet/ca/autosign/<host> HTTP/1.1" 200 - 0.0008

2017-05-10 15:55:44 251bc9a9 [app] [I] Started GET "/unattended/provision?token=2b9b35c6-57ac-424f-xxxxxxxxxxxxx" for 185.67.xxx.xxx at 2017-05-10 15:55:44 +0200
2017-05-10 15:55:44 251bc9a9 [app] [I] Processing by UnattendedController#host_template as TEXT
2017-05-10 15:55:44 251bc9a9 [app] [I] Parameters: {"token"=>"2b9b35c6-57ac-424f-xxxxxxxxxxxxx", "kind"=>"provision"}
2017-05-10 15:55:44 251bc9a9 [app] [I] Current user: foreman_api_admin (administrator)
2017-05-10 15:55:44 251bc9a9 [app] [D] Setting current user thread-local variable to foreman_api_admin
2017-05-10 15:55:44 251bc9a9 [app] [D] Found <host>
2017-05-10 15:55:46 251bc9a9 [templates] [I] Rendering template 'Default scheme'
2017-05-10 15:55:46 251bc9a9 [app] [D] Setting current organization thread-local variable to <organisation>
2017-05-10 15:55:46 251bc9a9 [app] [D] Setting current location thread-local variable to <location>
2017-05-10 15:55:46 251bc9a9 [app] [D] Setting current location thread-local variable to none
2017-05-10 15:55:46 251bc9a9 [app] [D] Setting current organization thread-local variable to none
2017-05-10 15:55:46 251bc9a9 [templates] [I] Rendering template 'Kickstart XXX default'
2017-05-10 15:55:46 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.params in a template, it will be removed in 1.17. Use host_param instead.
2017-05-10 15:55:46 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.params in a template, it will be removed in 1.17. Use host_param instead.
2017-05-10 15:55:46 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.params in a template, it will be removed in 1.17. Use host_param instead.
2017-05-10 15:55:46 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.info in a template, it will be removed in 1.17. Use host_enc instead.
2017-05-10 15:55:47 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.params in a template, it will be removed in 1.17. Use host_param instead.
2017-05-10 15:55:47 251bc9a9 [templates] [I] Rendering template 'Default scheme'
2017-05-10 15:55:47 251bc9a9 [templates] [I] Rendering template 'Kickstart XXX post 1.1'
2017-05-10 15:55:47 251bc9a9 [templates] [I] Rendering template 'puppet.conf'
2017-05-10 15:55:47 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.param_true? in a template, it will be removed in 1.17. Use host_param_true? instead.
2017-05-10 15:55:47 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.params in a template, it will be removed in 1.17. Use host_param instead.
2017-05-10 15:55:47 251bc9a9 [app] [W] DEPRECATION WARNING: you are using deprecated @host.params in a template, it will be removed in 1.17. Use host_param instead.
2017-05-10 15:55:47 251bc9a9 [templates] [I] Rendering template 'Kickstart HPW post 1.2'
2017-05-10 15:55:47 251bc9a9 [app] [I] Rendered inline template (499.6ms)
2017-05-10 15:55:47 251bc9a9 [app] [I] Completed 200 OK in 2618ms (Views: 466.0ms | ActiveRecord: 57.1ms)
Updated by Dominic Cleal over 7 years ago
- Status changed from New to Feedback
> The wget -q -O /dev/null --no-check-certificate http://foreman.host/unattended/provision?token=2b9b35c6-57ac-424f-a963-xxxxxxxxxx is being executed. But it's rendering the template instead of setting the host to finished state
This is correct, /provision is meant to return the provision template and start a build. The /built call marks the host as finished. If you call /provision again at the end of a build then it will do exactly as you describe, revoke the certificate ready for a new build.
Your logs look correct for calling provision. Please make sure you call the correct URL, i.e. using foreman_url('built') in a template.
Updated by Gerwin Krist over 7 years ago
Hi Dominic,
Strange! We had "wget -q -O /dev/null --no-check-certificate <%= foreman_url %>" for ages in our templates and it finished the build always. I changed it in our template and at least the build status is correct now. I presume this will fix the revoke certificate too?
Updated by Dominic Cleal over 7 years ago
- Status changed from Feedback to Resolved
Yes, it should do - the revocation is only done at the start of the build, not the end. This is likely to be a regression in Foreman, but one that's existed for a few releases IIRC (possibly for certain build types). It was the earlier intention that 'built' didn't need to be specified, but all default templates now use it I think.
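
A check for the template mistake resolved in this thread, as an added example that is not part of the original thread or of Foreman's code: it scans template text for wget/curl callbacks that discard their output and call foreman_url without 'built'. The function name `lint_build_callbacks` and the sample template are assumptions made for illustration.

```ruby
# Added example (not Foreman code): lint a provisioning template for build
# callbacks that request /provision instead of /built.

# ERB output tag calling foreman_url; the capture holds whatever follows the name.
FOREMAN_URL_TAG = /<%=\s*foreman_url\b([^%]*)%>/

# Only the pattern from the report is checked: a wget/curl whose response is
# discarded, i.e. the request is made purely for its side effect.
DISCARDS_OUTPUT = %r{\b(?:wget|curl)\b.*\s(?:-O|-o|--output|--output-document)[ =]/dev/null}

# Returns one finding per callback whose foreman_url kind is not 'built'.
# In the thread, a bare foreman_url rendered /unattended/provision on 1.15.
def lint_build_callbacks(template)
  findings = []
  template.each_line.with_index(1) do |line, lineno|
    next unless line.match?(DISCARDS_OUTPUT)
    line.scan(FOREMAN_URL_TAG).flatten.each do |args|
      kind = args[/['"]([^'"]+)['"]/, 1]
      next if kind == 'built'
      findings << { line: lineno, kind: kind || '(default)', text: line.strip }
    end
  end
  findings
end

# Constructed sample template, not taken from the report.
SAMPLE_TEMPLATE = <<~'ERB'
  %post
  wget -q -O /dev/null --no-check-certificate <%= foreman_url %>
  wget -q -O /dev/null --no-check-certificate <%= foreman_url('provision') %>
  curl -s -o /dev/null <%= foreman_url('built') %>
  %end
ERB

lint_build_callbacks(SAMPLE_TEMPLATE).each do |f|
  puts "line #{f[:line]}: callback uses kind #{f[:kind]}, expected 'built': #{f[:text]}"
end
```

Run over exported templates before an upgrade, it surfaces callbacks that would revoke the host certificate at the end of a build instead of marking the host as built.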