Migrate Agents / Clients

Problem:
I have deployed a new version #3.4.1 recently. Our older version is running on version #2.0.3.
Now I am planning to migrate old Foreman clients to new one. Hence wanted a guidance in this regards.

Expected outcome:
I checked with freshly installed client with following command and registration works well.

curl -sS  'https://foreman.example.org/register?activation_keys=centos_uat&hostgroup_id=1&lifecycle_environment_id=1&location_id=2&operatingsystem_id=1&organization_id=1&update_packages=false' -H 'Authorization: Bearer <hash_truncated>' | bash

Distribution and version:
Older version is having CentOS7 & newer version is running on Rocky 8.

Other relevant data:

Request you to advise how to go with this. Happy to share more data if required.
Thank you!
-KS

Hi! The global registration template should help with this (Hosts > Register Host). You’ll want to go to the advanced tab and check the “Force” option - this will pass --force to subscription-manager when registering, meaning it will unregister the host from the old Foreman first before registering to the new one.

If the old Foreman no longer exists, you should run subscription-manager clean on the hosts, then run the global registration script without the force option.

(All this assumes you have Foreman with Katello.)

Thank you very much for your help!
Addition to your solution, just wanted to check if there are any packages needed to be removed belonging to old Foreman i.e. Katello CA / Agent / QPID rpms etc?!?!
Or the curl command will take care of this removal?

No, you don’t have to manually change any packages. The new server configuration in /etc/rhsm/rhsm.conf that you get from running the curl command will take care of everything you need.

Hi… Tried with one agent to test but something is looks weird. Somehow it is hitting old Foreman for consumer CA rather than querying the new Foreman & is preregistering from new Foreman instead of old Foreman.
oldforeman.ex.org > DNS Entry
newforeman.ex.org > Host File entry (DNS Entries not yet done)

Here is an output :

[root@agent1 ~]# curl -sS  'https://newforeman.ex.org/register?activation_keys=centos_uat&hostgroup_id=1&lifecycle_environment_id=1&location_id=2&operatingsystem_id=1&organization_id=1&update_packages=false' -H 'Authorization: Bearer <hash_truncated>' | bash
#
# Running registration
#
Unregistering from: newforeman.ex.org:443/rhsm
Unable to verify server's identity: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:618)
All local data removed
Loaded plugins: enabled_repos_upload, fastestmirror, package_upload, product-id, search-disabled-repos, subscription-manager, tracer_upload

This system is not registered with an entitlement server. You can use subscription-manager to register.

Resolving Dependencies
--> Running transaction check
---> Package katello-ca-consumer-oldforeman.ex.org.noarch 0:1.0-2 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================
 Package                                                          Arch                          Version                      Repository                                                  Size
==============================================================================================================================================================================================
Removing:
 katello-ca-consumer-oldforeman.ex.org                        noarch                        1.0-2                        @/katello-ca-consumer-latest.noarch                         16 k

Transaction Summary
==============================================================================================================================================================================================
Remove  1 Package

Installed size: 16 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : katello-ca-consumer-oldforeman.ex.org-1.0-2.noarch                                                                                                                     1/1 
Uploading Package Profile
Cannot upload package profile. Is this client registered?
Uploading Tracer Profile
Cannot upload tracer data, is this client registered?
  Verifying  : katello-ca-consumer-oldforeman.ex.org-1.0-2.noarch                                                                                                                     1/1 

Removed:
  katello-ca-consumer-oldforeman.ex.org.noarch 0:1.0-2                                                                                                                                    

Complete!
Uploading Enabled Repositories Report
Cannot upload enabled repos report, is this client registered?
Loaded plugins: enabled_repos_upload, fastestmirror, package_upload, product-id, search-disabled-repos, subscription-manager, tracer_upload

This system is not registered with an entitlement server. You can use subscription-manager to register.

Loading mirror speeds from cached hostfile
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 To enable Red Hat Subscription Management repositories:
     subscription-manager repos --enable <repo>
 To enable custom repositories:
     yum-config-manager --enable <repo>
Uploading Enabled Repositories Report
Cannot upload enabled repos report, is this client registered?
HTTP error (500 - Internal Server Error): At least one activation key must have a lifecycle environment and content view assigned to it
[root@agent1 ~]# 

Am I doing something wrong or missing on some steps?

Thanks,

Check the activation key you’re using, and make sure it has a content view assigned

my bad! I did the modifications & now trying with freshly installed system. Here is the error I am getting:

[root@agent1 ~]# curl -sS  'https://newforeman.ex.org/register?activation_keys=centos_uat&hostgroup_id=1&lifecycle_environment_id=1&location_id=2&operatingsystem_id=1&organization_id=1&update_packages=false' -H 'Authorization: Bearer <hash_truncated>' | bash
#
# Running registration
#
Loaded plugins: fastestmirror
No Match for argument: katello-ca-consumer*
No Packages marked for removal
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: curl#7 - "Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0: Network is unreachable"


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64
'/etc/rhsm/rhsm.conf' not found, cannot configure subscription-manager
[root@agent1 ~]# 

Note: My system is not connected to the internet.

Thanks,

How did rhsm.conf get deleted? Subscription manager needs this file.

Try running subscription-manager clean, then generate a new registration script from the new Foreman and run it. This will ensure that the sub-man config is correct, I think.

We usually carry out minimal installation of CentOS server. Per my understanding, subscription-manager does not get installed by default?!?!
Could that be a reason for this error? Though only following file is present on the client -

-rw-r--r--. 1 root root 2981 Jan 30 16:52 /etc/rhsm/ca/katello-server-ca.pem

Any workaround for this? Thanks,

Running the curl script provided on the Register Host page will install subscription-manager if needed.

Did you try my suggestion above? What happened?

Hi…
Yes, I tried subscription-manager clean but that did not work.
Could it be because agent could not installsubscription-manager package? If the curl command installs this package from the foreman, then it should have ideally worked. If it tries to install the package from internet, probably it should not work as there is no internet connectivity from the agent.

The client cannot connect to the centos repositories. To register a host it needs working access to repositories…

Are there any specific steps which are to be carried out for the systems with no internet access?
Is it possible to get list of packages which curl command installs so that I can have it stored on internal share drive from which it will wget and install first?
Thanks!

Yes, you’d have to have the content available on the disconnected Foreman instance. subscription-manager is provided by the RHEL BaseOS repository; not sure which other repos you may find it in. You can use the import/export process to get content from a connected Foreman to a disconnected one. But you may still have to install subscription-manager manually; I’m not sure.

You can view the registration template script in Hosts > Provisioning Templates > Global Registration. (Also, what I like to do is remove the | bash from the end of the generated curl command. This will allow you to see the rendered template.)

Thank you! I shall get it tested and update you accordingly.

Aside, had one more question -
Do we need to install katello-agent manually on the clients or how it is? I do not see curl command does that.

I’d recommend using remote execution instead of katello-agent, as katello-agent is deprecated. But if you do want to use it, and have already enabled it in the installer, you’ll next have to enable the Foreman Client repository on Foreman; katello-agent is provided there. Then you can just yum install it on the hosts.

update: I can’t remember exactly what the upstream repo is called… Foreman tools? Foreman client?

Thank you so much for the help!
Will it be possible for you to share document links where in I can study about this?
Looks like there are major changes happened in new version so would like to learn little more about it.
Something with reference to remote command, simple content, etc.

You can fine the Foreman Clients for EL and SLES here: Index of /client/latest/el8/x86_64
For Debian and Ubuntu, see http://apt.atix.de/

Thanks… I have those repos ready but if something is getting deprecated, I would rather think of going with future-ready setup. Hence wanted to know more about remote command, simple content, etc.

The linked repos also contain katello-host-tools-tracer which provides tracer uploads from your clients to your Foreman server. Not using katello-agent is definitely a good call.

For Rocky Linux 8, you’ll find subscription-manager in the basic OS repositories; a Foreman Client is IMHO stricly speaking not necessary then for basic registration.