Foreman life cycle upgrade Puppet 3.x to 4.x

I am still working on details for this idea:

On a CentOS 6 host: We have an all-in-one Foreman 1.12.3 / Puppet 3.8.x
with an external MySQL foreman database that has been upgraded (OS,
Foreman & Puppet) a few times. We want to keep the configuration
information from the old server to the new server.

We know that we need to move from CentOS 6.x to CentOS 7.x and from Puppet
3.x to 4.x.

How can we best make the transition? Taking into account that it is
possible to scale up Foreman & Puppet to have multiple servers, is this idea
valid?

Build a fresh Foreman 1.12.3 / Puppet 4.x Server on CentOS 7.x then point
it to the existing Foreman DB.

Initially leave the legacy puppet clients pointing to the old server.

As the existing Puppet 3 modules/classes are updated to run with the
'future' parser, they are copied over to the new Puppet 4 server. To be
tested with Puppet 3 & 4 clients.

When sufficient Puppet modules/classes have been converted to Puppet 4.x
start moving the hosts to the new server.

I can see that there will be a few issues around DNS and certificates. At
the moment I can think of a few options including a new PuppetCA. The
legacy Foreman server was built with the FQDN of the host with the default
alt names in the cert. I plan to build the new server with a CNAME from the
outset, as this will give more options for expansion in the future. It is
also simple to switch a Puppet client to another Puppet server.

One safeguard I can think of is to always have the Puppet clients only
connect to one of the Foreman / Puppet Servers.

As I stated above, I am still working on this idea; my question is:

Is this approach valid, practical or even sensible?

Does anyone have any other suggestions?

> I am still working on details for this idea:
>
> On a CentOS 6 host: We have an all-in-one Foreman 1.12.3 / Puppet 3.8.x
> with an external MySQL foreman database, that has been upgraded (OS,
> Foreman & Puppet) a few times. We want to keep the configuration
> information from the old server to the new server.
>
> We know that we need to move from CentOS 6.x to CentOS 7.x and from
> Puppet 3.x to 4.x.
>
> How can we best make the transition? Taking into account that it is
> possible to scale up Foreman & Puppet to have multiple servers is this
> idea valid?

Sure, seems like a good idea.

> Build a fresh Foreman 1.12.3 / Puppet 4.x Server on CentOS 7.x then
> point it to the existing Foreman DB.

https://theforeman.org/manuals/1.13/index.html#5.8MultipleForemaninstances
has some notes about running multiple instances using the same database.
It's perfectly fine, you just need to ensure some private data is
present on all servers.

I would recommend using a shared cache too, else you may see odd
inconsistencies (the page recommends foreman_memcache).

> I can see that there will be a few issues around DNS and certificates.
> At the moment I can think of a few options including a new PuppetCA. The
> legacy Foreman server was built with the FQDN of the host with the
> default alt names in the cert. I plan to build the new server with a
> CNAME from the outset, as this will give more options for expansion in
> the future. It is also simple to switch a Puppet client to another
> Puppet server.
>
> One safeguard I can think of is to always have the Puppet clients to
> only connect to one of the Foreman / Puppet Servers.

Sure, then the different names don't matter. You can generate a
certificate for the new server from the existing CA (puppet cert generate
new-server.example.com). The existing certificate doesn't have to be
transferred or used on both as they would be from the same CA.

Configure puppet.conf on your Puppet agents to have ca_server as the old
server, and server as either the old or new server. If the new server's
cert is signed by the old CA, you can switch it back and forwards
without even needing to resign the agent's certificate.

When you're done migrating, you can copy the CA files to the new server
too, and use that for CA functions.

(The CA is separate to the master's certificate with the hostname in the
cert subject. The CA does mention the original hostname, but it's not
used for anything.)

On 24/10/16 01:32, Michael Hurn wrote:


Dominic Cleal
dominic@cleal.org
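A pre-flight check for the certificate arrangement described in the reply above, added here as an example and not code from either poster: before agents get the new server as `server` while keeping `ca_server` on the old one, confirm the new server's host certificate actually chains to the existing CA, since agents verify the server against the CA certificate they already hold. The demo builds a throwaway CA and two candidate certificates in a temporary directory; file names are assumptions, and on a real Puppet 3 master the CA and host certificates live under the ssldir (default /var/lib/puppet/ssl).

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that a Puppet server's host
# certificate was issued by the CA the agents already trust. Paths are
# assumptions for the offline demo, not the thread's own files.
set -eu

# Return 0 when SERVER_CERT ($2) chains to CA_CERT ($1), non-zero otherwise.
# The output is matched rather than the exit code because old openssl
# releases exited 0 even when verification failed.
cert_signed_by_ca() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

# Build a throwaway PKI in directory $1: ca.pem (stands in for the old
# PuppetCA), new.pem (new server signed by that CA) and other.pem
# (a server that brought its own, unrelated CA).
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: old.example.com" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=new.example.com" \
        -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null
    openssl x509 -req -in "$d/new.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/new.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: other.example.com" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Run the check against both candidates and report which one agents that
# trust ca.pem would accept as "server".
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    for c in new other; do
        if cert_signed_by_ca "$d/ca.pem" "$d/$c.pem"; then
            echo "$c.pem: issued by the existing CA, usable as 'server'"
        else
            echo "$c.pem: NOT issued by the existing CA, agents would reject it"
        fi
    done
    rm -rf "$d"
}

demo
```

To check a real server, call `cert_signed_by_ca` with the old master's CA certificate and the new server's host certificate from its ssldir.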

Hi,

On Sun, Oct 23, 2016 at 05:32:51PM -0700, Michael Hurn wrote:
> As the existing Puppet 3 modules/classes are updated to run with the
> 'future' parser they are copied over to the new Puppet 4 server. To be
> tested with Puppet 3 & 4 clients.

To minimize impact, I’d first update the existing Puppet environment to
Puppet 4, as outlined in
http://projects.theforeman.org/projects/foreman/wiki/Upgrading_from_Puppet_3_to_4

So you “only” have 2 migrations in a row instead of one change containing
two big migrations.

Regards

Michael Moll