Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2123835 - System build based on "PXELess Discovery" will always fail if the "Installation token lifetime" has been disabled in Satellite 6.12
Summary: System build based on "PXELess Discovery" will always fail if the "Installati...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Discovery Plugin
Version: 6.12.0
Hardware: All
OS: All
medium
medium
Target Milestone: 6.13.0
Assignee: Leos Stejskal
QA Contact: sganar
URL:
Whiteboard:
Depends On: 2161304
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-09-02 18:23 UTC by Sayan Das
Modified: 2023-05-03 13:21 UTC (History)
7 users (show)

Fixed In Version: foreman-3.5.1.5-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-03 13:21:46 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 36019 0 Normal New Pass URL parameters to foreman_url as hash 2023-01-30 11:25:59 UTC
Github theforeman foreman pull 9608 0 None open Fixes #36019 - Pass URL params to foreman_url as hash 2023-01-30 11:48:12 UTC
Red Hat Issue Tracker SAT-15061 0 None None None 2023-01-26 15:45:29 UTC
Red Hat Issue Tracker SAT-15293 0 None None None 2023-01-31 16:05:21 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:21:59 UTC

Description Sayan Das 2022-09-02 18:23:12 UTC 
Description of problem:

System build based on "PXELess Discovery" will always fail if the "Installation token lifetime" has been disabled in Satellite 6.12 ( even 6.10\6.11 ).

But every other type of deployment works fine under the same token disabled situation.


Version-Release number of selected component (if applicable):

Satellite 6.12
Satellite 6.11
Satellite 6.10


How reproducible:

Always


Steps to Reproduce:

1. Install a Satellite 6.12 

   --> Disable the "Installation token lifetime" from Satellite settings i.e.s et it to 0.

2. Set it up for "PXELess discovery" based deployments

3. Discover a system using foreman-discovery-image iso

4. Once discovered submit the "discovered host" for build

5. Observe the console of the host

6. Come back to Satellite UI --> Hosts --> All Hosts --> Open the Host entry --> go to Templates tab --> Review the "Discovery Kexec" template and look at the ks= url.


Actual results:

At step 5, The kexec happens successfully with following args :

~~
Sep 02 16:33:22 fdi foreman-proxy[1366]: Power API executing: ["/usr/sbin/kexec", "--debug", "--force", "--append=inst.ks=http://sat612.example.com/unattended/provision&static=yes inst.ks.sendmac ip=192.168.239.100::192.168.239.1:255.255.255.0:::none nameserver=192.168.239.2 ksdevice=bootif BOOTIF=01-00-50-56-b4-ca-49 nomodeset nokaslr nomodeset", "--initrd=/tmp/initrd.img", "/tmp/vmlinuz"]

Sep 02 16:33:22 fdi sudo[1595]: foreman-proxy : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/kexec --debug --force --append=inst.ks=http://sat612.example.com/unattended/provision&static=yes inst.ks.sendmac ip=192.168.239.100::192.168.239.1:255.255.255.0:::none nameserver=192.168.239.2 ksdevice=bootif BOOTIF=01-00-50-56-b4-ca-49 nomodeset nokaslr nomodeset --initrd=/tmp/initrd.img /tmp/vmlinuz
~~

But as soon as the host tries to fetch the kickstart file using the url http://sat612.example.com/unattended/provision&static=yes it fails to do so as it is an invalid URL. 



Expected results:


When token is disabled, The kexec should happen with this ks url only:

http://sat612.example.com/unattended/provision

but not 

http://sat612.example.com/unattended/provision&static=yes

or else it will get a 404 not found .


Additional info:


This happens as we don't consider the token situation but add "static=yes" at the end of the ks url for RedHat Discovery Kexec template.

https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/discovery/redhat_kexec.erb#L55

There are two ways to fix it while not breaking anything else and honoring the token_timeout values as well.

A) if token_timeout is disabled then don't add "&static=yes"

<% if (@host.operatingsystem.name == 'Fedora' and @host.operatingsystem.major.to_i > 16) or
    (@host.operatingsystem.name != 'Fedora' and @host.operatingsystem.major.to_i >= 7) -%>
    
<% if @host.token -%>
  "append": "inst.ks=<%= foreman_url('provision') + "&static=yes" %> inst.ks.sendmac <%= "ip=#{ip}::#{gw}:#{mask}:::none nameserver=#{dns} ksdevice=bootif BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% else -%>
  "append": "inst.ks=<%= foreman_url('provision') %> inst.ks.sendmac <%= "ip=#{ip}::#{gw}:#{mask}:::none nameserver=#{dns} ksdevice=bootif BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% end -%>

<% else -%>
  "append": "inst.ks=<%= foreman_url('provision') + "&static=yes" %> kssendmac nicdelay=5 <%= "ip=#{ip} netmask=#{mask} gateway=#{gw} dns=#{dns} ksdevice=#{mac} BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% end -%>


B) Don't add "&static=yes" for any scenarios as without or without it, The build happens and gets completed just fine whether the roken_timeout is enabled or disabled.


<% if (@host.operatingsystem.name == 'Fedora' and @host.operatingsystem.major.to_i > 16) or
    (@host.operatingsystem.name != 'Fedora' and @host.operatingsystem.major.to_i >= 7) -%>
  "append": "inst.ks=<%= foreman_url('provision') %> inst.ks.sendmac <%= "ip=#{ip}::#{gw}:#{mask}:::none nameserver=#{dns} ksdevice=bootif BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% else -%>
  "append": "inst.ks=<%= foreman_url('provision') + "&static=yes" %> kssendmac nicdelay=5 <%= "ip=#{ip} netmask=#{mask} gateway=#{gw} dns=#{dns} ksdevice=#{mac} BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% end -%>
Comment 2 Sayan Das 2022-09-02 18:52:52 UTC 
I forgot to add one data:

If token timeout is enabled i.e. set to 360, Then following is the kexec args:


Sep 02 16:43:22 fdi sudo[1595]: foreman-proxy : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/kexec --debug --force --append=inst.ks=http://sat612.example.com/unattended/provision?token=43f4ffbc-dd7f-4310-ae1d-112effcbbaa8&static=yes inst.ks.sendmac ip=192.168.239.100::192.168.239.1:255.255.255.0:::none nameserver=192.168.239.2 ksdevice=bootif BOOTIF=01-00-50-56-b4-ca-49 nomodeset nokaslr nomodeset --initrd=/tmp/initrd.img /tmp/vmlinuz

The KS url is: http://sat612.example.com/unattended/provision?token=43f4ffbc-dd7f-4310-ae1d-112effcbbaa8&static=yes

and this URL works because the token is there and The "&static=yes" part is completely ignored. And hence my second recommendation seems more suitable i.e. remove the "static=yes" part entirely unless there is any other reason to keep it.
Comment 3 Leos Stejskal 2023-01-30 11:25:59 UTC 
Created redmine issue https://projects.theforeman.org/issues/36019 from this bug
Comment 4 Bryan Kearney 2023-01-31 16:03:08 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36019 has been resolved.
Comment 6 sganar 2023-02-28 11:52:52 UTC 
Verified.

Tested on Satellite 6.13.0 Snap 12.0

Steps followed: 
1. Goto Settings and Disable the "Installation token lifetime" from Satellite settings i.e. set it to 0
2. Set it up for "PXELess discovery" based deployments
3. Discover a system using foreman-discovery-image iso
4. Once discovered submit the "discovered host" for build.
5. Observe the console of the host
6. Come back to Satellite UI --> Hosts --> All Hosts --> Open the Host entry --> go to Templates tab --> Review the "Discovery Kexec" template and look at the ks= url

Observation: 
Discovery Kexec template :
{
"kernel": "http://sat613.example.com/pulp/content/IdkGUyai/Library/LsiGkBcmAZlV/content/dist/rhel8/8.7/x86_64/baseos/kickstart//images/pxeboot/vmlinuz",
"initram": "http://sat613.example.com/pulp/content/IdkGUyai/Library/LsiGkBcmAZlV/content/dist/rhel8/8.7/x86_64/baseos/kickstart//images/pxeboot/initrd.img",
  "append": "inst.ks=http://sat613.example.com:8000/unattended/provision?static=yes inst.ks.sendmac ip=::::::none nameserver= ksdevice=bootif BOOTIF= nomodeset nokaslr nomodeset",
"extra": []
}

I see `http://sat613.example.com:8000/unattended/provision?static=yes` is a valid URL used to fetch the kickstart file.
Comment 9 errata-xmlrpc 2023-05-03 13:21:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097
Note You need to log in before you can comment on or make changes to this bug.