Bug #5883


Host: provide user indication that the build token has expired

Added by Brad Buckingham over 9 years ago. Updated over 5 years ago.

Web Interface
Target version:
Fixed in Releases:
Found in Releases:


While setting up a new development environment, I needed to go through a few iterations on the configuration to get it to the point where I could successfully provision a host. During this process, I created a host in the UI and by the time I had everything set to provision the host, the build token had expired. This led to what appeared to be a provisioning loop. In the production log, there was a 404 on the 'built' request; however, it wasn't really that obvious what the issue was or how to resolve it.

We may want to consider possible solutions to help users that might encounter this scenario. For example,
1. provide some text or indication in the UI that the build token has expired and that the build should be cancelled & initiated to generate a new token
2. might want to re-consider if 60 minutes is a good default for the token, to minimize the frequency of the timeouts, while still providing the security intended
3+. ...

(Note: I was using bootdisk, so I created the host in foreman and then initiated the vm creation from virt-manager).

The following is an example of the error in the logs:

  Rendered /home/bbucking/.rvm/gems/ruby-1.9.3-p448@fortello/gems/actionpack-3.2.18/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
Processing by UnattendedController#built as */*
  Parameters: {"token"=>"3d0a0855-db1c-4ee1-8880-6c4a95d4ca18"}
  ^[[1m^[[35mHost::Managed Load (0.5ms)^[[0m  SELECT hosts.* FROM "hosts" INNER JOIN "tokens" ON "tokens"."host_id" = "hosts"."id" WHERE "hosts"."type" IN ('Host::Managed') AND "tokens"."value" = '3d0a0855-db1c-4ee1-8880-6c4a95d4ca18' AND (expires >= '2014-05-22 16:20:01') LIMIT 1
  ^[[1m^[[36mHost::Managed Load (0.2ms)^[[0m  ^[[1mSELECT "hosts".* FROM "hosts" WHERE "hosts"."type" IN ('Host::Managed') AND "hosts"."ip" = '' LIMIT 1^[[0m
unattended: unable to find a host that matches the request from
Filter chain halted as :get_host_details rendered or redirected
Completed 404 Not Found in 3.7ms (ActiveRecord: 0.7ms)


fna100.png View fna100.png 7.43 KB Julien Pivotto, 02/29/2016 08:05 AM

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #14050: N+1 query on hosts#index from host's build tokenClosedTom Caspy03/04/2016Actions
Actions #1

Updated by Greg Sutcliffe over 9 years ago

+1 - from IRC:

<gwmngilfen> i think some small text on/near the Cancel Build button when build=true and token=expired would suit

Actions #2

Updated by David Schmitt over 9 years ago

See also #6247, another problem in this area.

Actions #3

Updated by David Schmitt about 9 years ago

Some more notes from IRC after I hit this problem again.

  • When the token is not valid anymore, the host is not in Build mode anymore. This is due to the fact that the host cannot be built anymore.
  • The node should be marked as erroneous if it is not built (correctly).
  • The /unattended/provision script can be fetched even if the token is not valid.

A few possibilities to go forward on this:

  • Make the token timeout configurable/infinite
    • Pro: easy to do
    • Con: makes unclaimed tokens a liability. Mitigation: mark unbuilt hosts with a separate out-of-sync state to make them discoverable.
    • This would probably imply tightening down /unattended/* to always require a token. (except for hosts that can only be authd by IP/MAC, e.g. because of booting from the generic bootimage iso)
  • refresh the token if /unattended/provision is called.
    • Pro: very localized change
    • Con: This requires authnz via IP/MAC on API call, and relies on this authnz to supersede the token lifetime.
  • use IP/MAC authnz for /unattended/built
    • Pro: makes built and provision work the same
    • Con: why have a token anyways?
Actions #4

Updated by The Foreman Bot over 7 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Julien Pivotto
  • Pull request added
Actions #5

Updated by Julien Pivotto over 7 years ago

I did use the new "global status" feature to address this ticket.

Actions #6

Updated by Julien Pivotto over 7 years ago

  • Assignee set to Julien Pivotto
Actions #7

Updated by Anonymous over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #8

Updated by Dominic Cleal over 7 years ago

  • translation missing: en.field_release set to 136
Actions #9

Updated by Dominic Cleal over 7 years ago

  • Related to Bug #14050: N+1 query on hosts#index from host's build token added

Also available in: Atom PDF