Build Token expired - what is it for and how to configure it?

Good evening together,

When provisioning servers (Windows or CentOS) over foreman-vmware, the "Build Token" expired after a while. I always have to "cancel build" on each host if I want to change the red icon to a green icon, because in fact the "build" of a new host - from compute resources to the last puppet apply - works great. So I don't know what the "Build Token" is for and what takes effect on it. The Foreman 1.15 documentation has 0 matches when searching for "build token" and only a few matches on "token" where I am not sure if it's about the build token or something else, for example, setting token_duration.

So my main question is what is the build token for and how to configure it? I am thankful for any help.

Best Regards
Hey! Great question.

The "Build Token" is (to my understanding) essentially there to keep your servers from boot-looping when you PXE/network boot them. At the end of your provisioning script (user data, kickstart, etc), there should be a bit that makes an HTTP request to your foreman server with the build token, essentially telling Foreman that you're not in build mode anymore! For example, if you're using CloudInit, the default userdata for it has these [1] lines to (as it says) "phone home" and inform Foreman the instance is built. If you were using Kickstart, it'd be a curl command to do the same thing.

If you're using custom userdata/kickstart scripts, I would bet you might've omitted this part, which is why you have to manually cancel the build on these machines. If you want, post your userdata/kickstart on something like github gist [2] or pastebin [3] and we can probably help you identify where you're missing it.

[1]
[2] https://gist.github.com/
[3] https://pastebin.com/

Best,
Neil


On Thu, Nov 16, 2017 at 7:38 AM andpk <andpk@mailbox.org> wrote:

> Good evening together,
>
> When provisioning servers (Windows or CentOS) over foreman-vmware, the
> "Build Token" expired after a while. I always have to "cancel build" on
> each host if I want to change the red icon to a green icon, because in fact
> the "build" of a new host - from compute resources to the last puppet apply
> - works great. So I don't know what the "Build Token" is for and what takes
> effect on it. The Foreman 1.15 documentation has 0 matches when searching
> for "build token" and only a few matches on "token" where I am not sure if
> it's about the build token or something else, for example,
> setting token_duration.
>
> So my main question is what is the build token for and how to configure
> it?
> I am thankful for any help.
>
> Best Regards


Hey Neil, thanks for your answer and explanation of the build token.

I tried just pasting the phone_home variable in my user_data template, but it seems that it has no effect on the build token.
After the last puppet apply it still said:

Status         OK
Build          Pending installation
Configuration  No changes

And after a while the Build changes to Token Expired.

Here is a copy of my user_data Template: https://pastebin.com/gkFpTMpN

It contains just VMware customization settings and in the end the phone_home.
Did I misunderstand something?

Thanks and best Regards
On 16/11/17 14:06, Neil Hanlon wrote:
> Hey! Great question.
>
> The "Build Token" is (to my understanding) essentially there to keep
> your servers from boot-looping when you PXE/network boot them.

Actually that's not quite true. Sending a GET to /unattended/built is what breaks the boot loop, but it'll work without a token (if you set token_duration to 0 they aren't added to the URL).

Tokens exist to identify hosts. In the past, we identified a host by the incoming request IP on the GET - but this doesn't work if you're on a NATed connection from another subnet. In that scenario you only see the incoming IP of the gateway machine. Tokens were added as a way to combat that, and eventually became the default because it's more reliable.

On 17/11/17 07:57, andpk wrote:
> Hey Neil, thanks for your answer and explanation of the build token.
>
> I tried just pasting the phone_home variable in my user_data template,
> but it seems that it has no effect on the build token. After the last
> puppet apply it still said:
>
> It contains just VMware customization settings and in the end the
> phone_home. Did I misunderstand something?

It's worth knowing that VMware customization-spec isn't a 1:1 mapping to userdata - it's extremely restrictive, and many people have had problems getting the phone-home bit to work. Searching the archive will find you some hits on the topic, but I don't know exactly how to make it work, sadly. Maybe someone else does.
Some additional information:

If I review the user data template on host-edit, it resolves the http-url for changing the build token. If I paste it manually in the browser, the build status changes from pending installation to installed.
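
A phone-home step of the kind discussed in this thread, as an added example (not taken from any poster's message or from Foreman's shipped templates): it requests /unattended/built, retries, and logs the HTTP status with the token redacted, so a callback that never succeeded shows up in the provisioning log instead of as a later "Token Expired". The function names and the FOREMAN_URL, BUILD_TOKEN and RETRY_DELAY variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example: phone-home step for the end of a provisioning script.
# FOREMAN_URL and BUILD_TOKEN are assumed names; a Foreman template renders
# the complete URL itself.

# Build the callback URL. An empty token yields the bare URL, as when
# token_duration is 0.
built_url() {
    base=${1%/}
    if [ -n "$2" ]; then
        printf '%s/unattended/built?token=%s\n' "$base" "$2"
    else
        printf '%s/unattended/built\n' "$base"
    fi
}

# The token identifies the host, so hide its value before logging a URL.
redact_url() {
    printf '%s\n' "$1" | sed 's/\(token=\)[^&]*/\1REDACTED/'
}

# Succeed only for a 2xx status; curl reports 000 when it got no response.
status_ok() {
    case $1 in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# GET the URL up to $2 times (default 5), logging every attempt to stderr.
phone_home() {
    url=$1; tries=${2:-5}; n=1
    while [ "$n" -le "$tries" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || true
        echo "built callback try $n: HTTP $code $(redact_url "$url")" >&2
        if status_ok "$code"; then return 0; fi
        n=$((n + 1))
        sleep "${RETRY_DELAY:-10}"
    done
    return 1
}

# Last lines of the provisioning script:
# phone_home "$(built_url "$FOREMAN_URL" "$BUILD_TOKEN")" ||
#     echo "Foreman not notified; host will stay in build mode" >&2
```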