Migrate VMs to another Foreman Host w/ new Puppetmaster


Hello altogether,
I am planning on moving hosts from my old Foreman to a new Foreman with Katello. The puppet master is also new. My question is now, how is the recommended action to do this?
I have the following environment:
Foreman 1.19 -> Foreman 1.20.2 (with Katello)
Puppet is 5.5 on both sides

My plan was to stop puppet agents on the hosts to be migrated and unmanage them from old foreman. In new foreman I will add them to be managed but I am not yet sure how to make them work with the new puppet master (certs …).
Also, is it sufficient to just subscribe the hosts to katello?

Thank you in advance!


I’ve done something similar. I used remote execution on the old Foreman server to move endpoints to the new one. Also with Puppet 5 from PuppetLabs.


  • you have pre-shared keys deployed for your smart-proxy on the endpoints, and a puppet profile that will update the keys when the hosts change.
  • remote execution via SSH already works.
  • Puppet auto-sign is turned on for the new server

Use remote execution with something like the following:

rm -rf /etc/puppetlabs/puppet/ssl/ && /opt/puppetlabs/bin/puppet config --section agent set server foreman.domain.ca && /opt/puppetlabs/bin/puppet config --section main set server foreman.domain.ca  && systemctl restart puppet

The puppet config --section agent and --section main were to ensure that there were no differences between systems that were manually added to puppet, and others having the puppet config managed by puppet. Puppet gets confused when main refers to one server, and agent refers to a different one.

You could use remote execution to also register hosts with subscription-manager using something similar and activation keys…

Hope that helps!


Thanks for your reply!
Some of your points really helped me out but in my case I did not have remote execution on my old Foreman instance. Yet, the shell commands did work out, here is what I did:

  1. Stop puppet agent
  2. remove /etc/puppetlabs/puppet/ssl && /opt/puppetlabs/bin/puppet (just as you told me to)
  3. change values for “ca_server” and “server” in /etc/puppetlabs/puppet/puppet.conf to new puppet master
  4. Start puppet Agent and make a puppetrun. The host is now visible in new Foreman instance.
  5. In Smart Proxy settings I validated the new host (autosign was not enabled)
  6. In Foreman I clicked manage to make the host manageable
  7. Subscribe to katello with activation key

Worked very smoothly! Thanks for your advice. The case can be closed.