Migrate VMs to another Foreman Host w/ new Puppetmaster

Hello altogether,
I am planning on moving hosts from my old Foreman to a new Foreman with Katello. The puppet master is also new. My question is now, how is the recommended action to do this?
I have the following environment:
Foreman 1.19 -> Foreman 1.20.2 (with Katello)
Puppet is 5.5 on both sides

My plan was to stop puppet agents on the hosts to be migrated and unmanage them from old foreman. In new foreman I will add them to be managed but I am not yet sure how to make them work with the new puppet master (certs …).
Also, is it sufficient to just subscribe the hosts to katello?

Thank you in advance!

I’ve done something similar. I used remote execution on the old Foreman server to move endpoints to the new one. Also with Puppet 5 from PuppetLabs.


  • you have pre-shared keys deployed for your smart-proxy on the endpoints, and a puppet profile that will update the keys when the hosts change.
  • remote execution via SSH already works.
  • Puppet auto-sign is turned on for the new server

Use remote execution with something like the following:

rm -rf /etc/puppetlabs/puppet/ssl/ && /opt/puppetlabs/bin/puppet config --section agent set server foreman.domain.ca && /opt/puppetlabs/bin/puppet config --section main set server foreman.domain.ca  && systemctl restart puppet

The puppet config --section agent and --section main were to ensure that there were no differences between systems that were manually added to puppet, and others having the puppet config managed by puppet. Puppet gets confused when main refers to one server, and agent refers to a different one.

You could use remote execution to also register hosts with subscription-manager using something similar and activation keys…

Hope that helps!

1 Like

Thanks for your reply!
Some of your points really helped me out but in my case I did not have remote execution on my old Foreman instance. Yet, the shell commands did work out, here is what I did:

  1. Stop puppet agent
  2. remove /etc/puppetlabs/puppet/ssl && /opt/puppetlabs/bin/puppet (just as you told me to)
  3. change values for “ca_server” and “server” in /etc/puppetlabs/puppet/puppet.conf to new puppet master
  4. Start puppet Agent and make a puppetrun. The host is now visible in new Foreman instance.
  5. In Smart Proxy settings I validated the new host (autosign was not enabled)
  6. In Foreman I clicked manage to make the host manageable
  7. Subscribe to katello with activation key

Worked very smoothly! Thanks for your advice. The case can be closed.


I’m trying something similar.
Migrating my hosts from foreman 1.12 and puppet 3 towards foreman 1.23 and puppet 5.
I’ve done the steps above and the host seems migrated however it’s not showing in the dashboard on 1.23.

I also upgraded my local puppet client version from version 3 to 5 but the result remains the same.
When performing “puppet agent -t” it complains that my local environment acceptance is not matching environment production on the master.
But because it’s not in the interface I can not modify this.
It’s also not executing the proper code due to this.
I checked on the interface of 1.23 and found that the host that I want to migrate is showing in the smart-proxy Puppat CA tab under Certificates.
The certificate is there and valid and looks OK.

The server logs only show "Puppet Compiled catalog for host-xxx in environment production in 0.04 seconds

So I have no error to check further, really at a loss here on where to look next.

Did you check if the host wasn’t correctly assigned to the location and organization? You can select the “Any” context in the top dropdowns to see if that’s the case

Yes I did, my view is set to Any Organization and Any Location.
Also checked the dashboard but it’s no where to be found.

When I go in the webinterface to Monitor - Facts and search for any hosts that is normal, it has the option to show a chart.
In that chart my migrated host is included.
However when I search the facts for the hostname of my migrated host, it returns an empty result.

Is it possible you may have some leftover facts in the database from the old instance that refer to that host but it doesn’t actually exist in the foreman database?

Do you mean old data on the host that I want to migrate ?
How would I be able to check this ?
It looks clean, I removed the old /etc/puppet folder as well and migrated all settings that were in /etc/puppet/puppet.conf towards /etc/puppetlabs/puppet/puppet.conf

Also I started with a fresh build of Foreman 1.23 so no data from my virtual machines could have been migrated to this new build.
The fact that the machine I want to migrate is visible in the new host is not because of some old data, it has been recently added.

I tried all steps again, but the result remains the same.
I don’t have any error logs anywhere, I don’t find any official documentation in the manual about it either.
Above is the foreman log after I added the host again.

Any help is much appreciated as I’m totally stuck at this point.

1 Like

Still facing the same issue and awaiting feedback.
I tried another thing, disabling the autosign for my domain and revoked the clients certificate on the master and removed the local certificates on the client.
Afterwards I added the host again to my new server and signed the certificate manually.
The result is the same now, the client is visible in the foreman interface and the client certificate is signed like it should. However in the hosts overview it is still not visible and the puppetrun on the clients still shows “Notice: Local environment: ‘acceptance’ doesn’t match server specified node environment ‘production’, switching agent to ‘production’.”

I found one thing however, the folder /etc/puppetlabs/puppet/ssl on the client I want to migrate to the new host always changes user rights while executing puppet agent -t.
It should be set to user and group root looking at other clients but when I execute the puppet run the folder changes to user puppet.
Could this be the issue ? I’m going to try and figure out what is causing this user rights change.

I’ve removed the user puppet from my OS and cleaned all the old folders from the old puppet 3 agent.
When I run the puppet agent on the client now it doesn’t modify the ssl folder anymore to user puppet but it remains on user root.
However still not visible in the hosts tab.

Since I have no other options to try, I decided to upgrade foreman.
So I went from 1.23.1 to 1.24.2.
But the issue is still present.

My colleague helped out and checked out the database.
Turns out for the migrated host the organization and location were empty.
When filling in those fields manually in the database the host is visible in the interface and I’m able to set the other details so my puppet run works now.

This is a major bug in the foreman no ?
Is it because I’m migrating hosts from version 1.12 ?

Organizations and locations are always enabled since Foreman 1.21. There are settings for default organization and default location that will be set for new hosts reporting in, these should be set to the defaults created during the install but might be empty for some reason in your case. You can also send a custom puppet fact containing which organization/location a host should be added to. If your old hosts send these custom facts as empty, they may end up with no organization and location.
However, they should still be displayed when the “any organization/any location” context is selected from the top menu. Were the location_id and organization_id fields for the host empty or NULL in the database?


They are indeed empty in my case for each host I’m adding to my new foreman.
Here is a select statement after adding a host from my old foreman.


They are not visible in the interface when selecting “any organization/any location”.
After running an update statement on the table by filling in the desired organization and location it’s visible.
That’s the way I’m moving forward at the moment.

This is very odd. Are you checking this as an admin user?

Yes my account has all available roles there are available to assign.
However I logged in as local default admin user.

I am able to see a newly migrated host now but the details page provides this error:

While editing the host I"m not able to set either location or organization via the interface.

My personal user didn’t have the administrator option checked, so that’s probably why it was not visible to me at first.
However the edit issue remains.

This is Bug #28891: All hosts showing "Failure: undefined method `title' for nil:NilClass" in Properties pane - Foreman which will be fixed in 1.24.3 and already is fixed in 2.0.0

1 Like