Bug #5883
closed
Host: provide user indication that the build token has expired
Description
While setting up a new development environment, I needed to go through a few iterations on the configuration to get it to the point where I could successfully provision a host. During this process, I created a host in the UI and by the time I had everything set to provision the host, the build token had expired. This led to what appeared to be a provisioning loop. In the production log, there was a 404 on the 'built' request; however, it wasn't really that obvious what the issue was or how to resolve it.
We may want to consider possible solutions to help users that might encounter this scenario. For example,
1. provide some text or indication in the UI that the build token has expired and that the build should be cancelled & initiated to generate a new token
2. might want to re-consider if 60 minutes is a good default for the token, to minimize the frequency of the timeouts, while still providing the security intended
3+. ...
(Note: I was using bootdisk, so I created the host in foreman and then initiated the vm creation from virt-manager).
The following is an example of the error in the logs:
Rendered /home/bbucking/.rvm/gems/ruby-1.9.3-p448@fortello/gems/actionpack-3.2.18/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
Processing by UnattendedController#built as */*
Parameters: {"token"=>"3d0a0855-db1c-4ee1-8880-6c4a95d4ca18"}
^[[1m^[[35mHost::Managed Load (0.5ms)^[[0m SELECT hosts.* FROM "hosts" INNER JOIN "tokens" ON "tokens"."host_id" = "hosts"."id" WHERE "hosts"."type" IN ('Host::Managed') AND "tokens"."value" = '3d0a0855-db1c-4ee1-8880-6c4a95d4ca18' AND (expires >= '2014-05-22 16:20:01') LIMIT 1
^[[1m^[[36mHost::Managed Load (0.2ms)^[[0m ^[[1mSELECT "hosts".* FROM "hosts" WHERE "hosts"."type" IN ('Host::Managed') AND "hosts"."ip" = '192.168.122.23' LIMIT 1^[[0m
unattended: unable to find a host that matches the request from 192.168.122.23
Filter chain halted as :get_host_details rendered or redirected
Completed 404 Not Found in 3.7ms (ActiveRecord: 0.7ms)
Updated by Greg Sutcliffe over 10 years ago
+1 - from IRC:
<gwmngilfen> i think some small text on/near the Cancel Build button when build=true and token=expired would suit
Updated by David Schmitt over 10 years ago
See also #6247, another problem in this area.
Updated by David Schmitt over 10 years ago
Some more notes from IRC after I hit this problem again.
- When the token is not valid anymore, the host is not in Build mode anymore. This is due to the fact that the host cannot be built anymore.
- The node should be marked as erroneous if it is not built (correctly).
- The /unattended/provision script can be fetched even if the token is not valid.
A few possibilities to go forward on this:
- Make the token timeout configurable/infinite
  - Pro: easy to do
  - Con: makes unclaimed tokens a liability. Mitigation: mark unbuilt hosts with a separate out-of-sync state to make them discoverable.
  - This would probably imply tightening down /unattended/* to always require a token. (except for hosts that can only be authd by IP/MAC, e.g. because of booting from the generic bootimage iso)
- refresh the token if /unattended/provision is called.
  - Pro: very localized change
  - Con: This requires authnz via IP/MAC on API call, and relies on this authnz to supersede the token lifetime.
- use IP/MAC authnz for /unattended/built
  - Pro: makes built and provision work the same
  - Con: why have a token anyways?
Updated by The Foreman Bot almost 9 years ago
- Status changed from New to Ready For Testing
- Assignee set to Julien Pivotto
- Pull request https://github.com/theforeman/foreman/pull/3251 added
Updated by Julien Pivotto almost 9 years ago
- File fna100.png added
- Assignee deleted (Julien Pivotto)
I did use the new "global status" feature to address this ticket.
Updated by Anonymous almost 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 5e1b787534cb4af70075640928edab5588b1c984.
Updated by Dominic Cleal almost 9 years ago
- Translation missing: en.field_release set to 136
Updated by Dominic Cleal almost 9 years ago
- Related to Bug #14050: N+1 query on hosts#index from host's build token added
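
An added example, not Foreman's code and not part of the ticket: a minimal Ruby model of the lookup seen in the logged query (token value must match and `expires >= now`), showing how an expired token can be told apart from an unknown one in the log and in a host status while the client still receives a 404. The `Host`/`Token` structs, method names, status symbols and sample data are assumptions constructed for illustration.

```ruby
require 'time'

# Hypothetical stand-ins for the host and token records (not Foreman's models).
Host  = Struct.new(:id, :name, :build)
Token = Struct.new(:value, :host_id, :expires)

# Mirrors the logged query: the token value must match AND still be unexpired.
def host_for_token(hosts, tokens, value, now)
  token = tokens.find { |t| t.value == value && t.expires >= now }
  token && hosts.find { |h| h.id == token.host_id }
end

# Status a UI could show near "Cancel Build": build=true with an expired
# token is reported separately from a build that is still waiting.
def build_status(host, tokens, now)
  return :built unless host.build
  token = tokens.find { |t| t.host_id == host.id }
  return :token_missing if token.nil?
  token.expires >= now ? :pending : :token_expired
end

# The client still gets a 404, but the log reason says why the lookup failed.
def built_request(hosts, tokens, value, now)
  return [200, 'host marked as built'] if host_for_token(hosts, tokens, value, now)
  stale = tokens.find { |t| t.value == value }
  return [404, 'unknown build token'] if stale.nil?
  [404, "build token expired at #{stale.expires.utc.iso8601}; cancel and restart the build"]
end

# Constructed sample data: a token issued with a 60 minute lifetime.
ISSUED = Time.utc(2014, 5, 22, 15, 0, 0)
HOSTS  = [Host.new(1, 'test-host.example.com', true)]
TOKENS = [Token.new('00000000-0000-4000-8000-000000000001', 1, ISSUED + 3600)]

if __FILE__ == $PROGRAM_NAME
  late = Time.utc(2014, 5, 22, 16, 20, 1) # timestamp from the logged query
  p build_status(HOSTS.first, TOKENS, late)
  p built_request(HOSTS, TOKENS, TOKENS.first.value, late)
end
```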