Bug #5883

Host: provide user indication that the build token has expired

Added by Brad Buckingham about 8 years ago. Updated about 4 years ago.

Web Interface
Target version:
Bugzilla link:
Fixed in Releases:
Found in Releases:


While setting up a new development environment, I needed to go through a few iterations on the configuration to get it to the point where I could successfully provision a host. During this process, I created a host in the UI and by the time I had everything set to provision the host, the build token had expired. This led to what appeared to be a provisioning loop. In the production log, there was a 404 on the 'built' request; however, it wasn't really that obvious what the issue was or how to resolve it.

We may want to consider possible solutions to help users that might encounter this scenario. For example,
1. provide some text or indication in the UI that the build token has expired and that the build should be cancelled & initiated to generate a new token
2. might want to re-consider if 60 minutes is a good default for the token, to minimize the frequency of the timeouts, while still providing the security intended
3+. ...

(Note: I was using bootdisk, so I created the host in foreman and then initiated the vm creation from virt-manager).

The following is an example of the error in the logs:

  Rendered /home/bbucking/.rvm/gems/ruby-1.9.3-p448@fortello/gems/actionpack-3.2.18/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
Processing by UnattendedController#built as */*
  Parameters: {"token"=>"3d0a0855-db1c-4ee1-8880-6c4a95d4ca18"}
  ^[[1m^[[35mHost::Managed Load (0.5ms)^[[0m  SELECT hosts.* FROM "hosts" INNER JOIN "tokens" ON "tokens"."host_id" = "hosts"."id" WHERE "hosts"."type" IN ('Host::Managed') AND "tokens"."value" = '3d0a0855-db1c-4ee1-8880-6c4a95d4ca18' AND (expires >= '2014-05-22 16:20:01') LIMIT 1
  ^[[1m^[[36mHost::Managed Load (0.2ms)^[[0m  ^[[1mSELECT "hosts".* FROM "hosts" WHERE "hosts"."type" IN ('Host::Managed') AND "hosts"."ip" = '' LIMIT 1^[[0m
unattended: unable to find a host that matches the request from
Filter chain halted as :get_host_details rendered or redirected
Completed 404 Not Found in 3.7ms (ActiveRecord: 0.7ms)

fna100.png View fna100.png 7.43 KB Julien Pivotto, 02/29/2016 08:05 AM

Related issues

Related to Foreman - Bug #14050: N+1 query on hosts#index from host's build tokenClosed2016-03-04

Associated revisions

Revision 5e1b7875 (diff)
Added by Julien Pivotto over 6 years ago

Fixes #5883 - Reflect token expiry in build status

The Global Status introduced in recent Foreman releases makes it easy to
mark the build status as erroneous if the token has expired. This drags
attention to the fact that the host will not be able to mark itself as
built anymore.


#1 Updated by Greg Sutcliffe about 8 years ago

+1 - from IRC:

<gwmngilfen> i think some small text on/near the Cancel Build button when build=true and token=expired would suit

#2 Updated by David Schmitt about 8 years ago

See also #6247, another problem in this area.

#3 Updated by David Schmitt almost 8 years ago

Some more notes from IRC after I hit this problem again.

  • When the token is not valid anymore, the host is not in Build mode anymore. This is due to the fact that the host cannot be built anymore.
  • The node should be marked as erroneous if it is not built (correctly).
  • The /unattended/provision script can be fetched even if the token is not valid.

A few possibilities to go forward on this:

  • Make the token timeout configurable/infinite
    • Pro: easy to do
    • Con: makes unclaimed tokens a liability. Mitigation: mark unbuilt hosts with a separate out-of-sync state to make them discoverable.
    • This would probably imply tightening down /unattended/* to always require a token. (except for hosts that can only be authd by IP/MAC, e.g. because of booting from the generic bootimage iso)
  • refresh the token if /unattended/provision is called.
    • Pro: very localized change
    • Con: This requires authnz via IP/MAC on API call, and relies on this authnz to supersede the token lifetime.
  • use IP/MAC authnz for /unattended/built
    • Pro: makes built and provision work the same
    • Con: why have a token anyways?

#4 Updated by The Foreman Bot over 6 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Julien Pivotto
  • Pull request added

#5 Updated by Julien Pivotto over 6 years ago

I did use the new "global status" feature to address this ticket.

#6 Updated by Julien Pivotto over 6 years ago

  • Assignee set to Julien Pivotto

#7 Updated by Anonymous over 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#8 Updated by Dominic Cleal over 6 years ago

  • Legacy Backlogs Release (now unused) set to 136

#9 Updated by Dominic Cleal over 6 years ago

  • Related to Bug #14050: N+1 query on hosts#index from host's build token added

Also available in: Atom PDF