TLDR;
Problem:
Reports not uploaded to Foreman via the Smart Proxy (SSL error) after an upgrade to Puppet Server 7.9.x (from 7.8.x). Nothing was changed in the Hiera config files other than the Puppet Server package version.
Expected outcome:
Reports available in Foreman, as per usual.
Foreman and Proxy versions:
Foreman 3.4 / Puppet Server 7.9 / Puppet Agent 7.21
Foreman and Proxy plugin versions:
N/A
Distribution and version:
Debian 11
Other relevant data:
Ask if you need anything, too much to add straight in.
Long version:
Hello everyone!
We are having a couple of problems with our Foreman / Puppet installation and after several weeks of forensics, we are unable to pinpoint the source of our problems.
So we’re turning to you, the Community, for some advice.
Our platform is built as follows:
We have 2 datacenters in which we have the exact same infrastructure.
- 1 Foreman / Puppet CA (accessing a mutualized PostgreSQL database on a network host)
- 3 Puppet Servers / Foreman SmartProxies
2 load balanced virtual IPs, one for the Foreman / Puppet CA host (let’s call it foreman.acme.com) and another one for the SmartProxies (smartproxy.acme.com).
Datacenter 1 has the main Foreman / Puppet CA and 3 active SmartProxies (serving the hosts in that datacenter), and Datacenter 2 has the (cold) backup Foreman / Puppet CA and 3 active SmartProxies (serving the hosts in that datacenter).
So, a total of 8 servers.
The software versions are:
- Foreman 3.4 branch, latest.
- Puppet 7 branch, version 7.9.
I can provide the version of other modules/packages if requested.
We “auto” deployed the entire infrastructure using Puppet, not using the foreman installer.
Our problem:
1/ Host reports no longer being uploaded to the Puppet Master with version 7.9 (SSL error)
We’ve tried to upgrade the Puppet Servers to 7.9 (we’re currently using Puppet Servers 7.8).
But when doing so all the hosts running on the upgraded SPs are not reporting correctly.
An SSL error can be seen in the servers’ logs but we are at a complete loss about why.
Downgrading the servers to version 7.8 restores the reporting and new reports are then available on Foreman.
From what we’ve seen, it has to do with the HTTPS check when the SPs are trying to upload the report but we’re unable to find which setting (or settings) have changed between versions 7.8 and 7.9.
All the config files stayed the same so why?
Also…
2/ We are experiencing random CPU spikes (as it seems) on the SmartProxies.
One or two of them suddenly skyrocket to 100% CPU usage without anything in the error, puppetserver, smartproxy logs.
We have set up a cron job to automatically restart the SPs every morning, but we still get those random 100% CPU usage spikes during the day.
I must add that we are currently in the process of migrating hosts from our old Foreman / Puppet platform to this new platform and adding roughly 100 hosts a day.
I can provide samples of our configuration files for the SPs if needed.
If you have any questions or need any configuration files, please let us know.
Best regards,
Alban.