Puppet 6 support?


probably a bit early to ask but… has anyone tried puppet 6 with foreman (1.19) ?
Anyone knows if that’s expected to work, or to break ?


1 Like

Puppet 6 changes the CA handling so that’ll break. There is one open PR for the proxy:

I haven’t had a look at our theforeman-puppet module in the installer. I expect it to need some changes but the other puppet modules probably don’t need changes.

We will need Puppet 6 support for Foreman as soon as possible. There are some pretty bad CVE’s that affect Puppets Jetty Server and according to Puppet, the only current fix is to upgrade to Puppet 6… boooo

To be honest I was caught off guard with how fast Puppet 6 was suddenly there. There are 2 ways forward now: a quick & dirty fix that modifies the command line implementation vs using the CA REST API. The latter would be a much more forward compatible implementation and much less invasive on the proxy server (because you don’t need sudo). It also allows splitting the proxy from the puppet services.

Since 1.19 the Puppet CA module has pluggable so we can write a standalone implementation and switch at install time though configuration. That means we could choose either implementation (or both).


Yesterday we had a hack day and @TimoGoebel wrote a provider for the smart proxy that uses the HTTP CA API that’s present since Puppet 4. It does lack some fields (serial, not_before and not_after) which means you will miss them in the overview but otherwise it looks very good:

This will need a patch for puppet-foreman_proxy to support the new config options.

Speaking of modules; I started with changing our testing template:

There are 2 open PRs using this functionality:

Once those pass and I know what to expect, I’ll open more PRs for the other modules. When those are up, it’s time to do some end to end testing but I’m confident we can finish it soon.


Since Timo’s puppet6 change was merged, does it mean that foreman 1.21 will support puppet6 completely?

1 Like

It’s not merged yet, but I still fully intend to get all support in. Perhaps we’ll merge it and mark it as experimental.

We are planning to install a new foreman server (our old one is still version 1.12.4) together with a big rollout of puppetserver 6.
In which timeframe can we expect foreman support for this (experimental or not) ?
Thanks for your great support.

This thread does indeed deserve an update. During cfgmgmtcamp I tried to get closer.

I poked the Puppet team to do a puppetlabs-xinetd release. We also switched puppet-pulp to use the Voxpupuli squid module which is maintained and supports Puppet 6.

We need a release of camptocamp/systemd. metadata.json in git does list the right supported version so it shouldn’t be hard.

Now that I’m back from cfgmgmtcamp I plan on doing tests with nightly installations so see if there are other installer issues.

There is https://tickets.puppetlabs.com/browse/SERVER-2370 to add missing fields to the REST API. @afisher found someone to implement this. There is a WIP PR open which will make sure we have full feature parity with Puppet 6. Without it we can still do the provisioning operations but we can’t show the expiration dates of certs in the UI.

The smart-proxy support can be merged even without that. When testing the installer I should be able to test this as well.

Once that’s done, we should be able to officially support Puppet 6. My aim is Foreman 1.22.


Latest update is that the smart-proxy and installer side were merged. There is a known issue when using the installer with the progress bar. Using foreman-installer --verbose does work. There’s a PR open to disable the progress bar until it’s properly fixed (along with fixes to remove deprecation warnings).

Hi, I’m not sure if this is still an active issue or not, but what is the proper method for installing Foreman from scratch with Puppet 6.latest?

I have attempted to do this today for the first time and found that there is an error message about puppet legacy functions. Unfortunately, the network we’re doing this on is isolated and I can’t bring log data / screen out put across the gap.

This isolated network has an established RootCA and we want to use puppet6 so that we can have that RootCA issue an Intermediate that Foreman/PuppetCA/Puppet can use, instead of introducing a 2nd RootCA.

At this moment I’m working on the final touches for the installer part in nightly. It should be in good shape for Foreman 1.22. If you’re branch, you can install a (separate) nightly smart-proxy and that should work with Puppet 6.

Is a better process to get foreman installed with puppet 5, then upgrade to puppet 6 and redo my CA Certs before I put enroll any nodes?

I don’t have the ability to easily pull repos into this isolated network, so I’m kinda stuck with what I have, and we’ve got to get this can rolling down the road, so I can’t wait for 1.22 to hit the streets and get pushed through our repo migration process.

The problem isn’t in the installer. The smart proxy doesn’t support Puppet 6 for the CA part because it relied on the puppet cert command. As long as you don’t need that part, it should work.

The proxy has two separate features for this (Puppet and Puppet CA) so you can set the latter to disabled (--foreman-proxy-puppeca false). This may make provisioning harder.

Another workaround is to write a wrapper script that emulates the old puppet cert command.

Those are the options I can think of.

Ok, I thought Puppet 6 support was in the 1.21 release, I guess I missed your comment (Puppet 6 support?) in this thread earlier referring to pushing out to 1.22.

I had hoped to complete it as part of 1.21 but it was more work than anticipated.

Hi there!

Is there a possibility to install foreman on the newest puppet version?
Or doesn’t it work?

I’ve tried it with “root@puppet-master:~# foreman-installer --foreman-admin-username admin --foreman-admin-password “testpassword” --skip-puppet-version-check” and I got the following error:

/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:92:in walk' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inblock in walk’
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:in each' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inwalk’
In /var/log/foreman-installer/foreman.log I can see the following:

[DEBUG 2019-04-03T13:38:38 main] importing ‘/usr/lib/ruby/vendor_ruby/kafo/modules/kafo_configure/manifests/init.pp’ in environment production
[DEBUG 2019-04-03T13:38:38 main] Automatically imported kafo_configure from kafo_configure into production
[ERROR 2019-04-03T13:38:38 main] Could not run: Illegal method definition of method ‘is_interesting?’ on line 12’ in legacy function. See https://puppet.com/docs/puppet/latest/functions_refactor_legacy.html for more information
[ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:92:in walk' [ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inblock in walk’
[ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:in each' [ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inwalk’
[ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:in `block in walk’

Puppet 6 support is planned for Foreman 1.22. Branching is planned for next week.

Aah, thanks for your reply! Do you have an Link for an documentation for installing foreman on puppet 6 which will work then?
Thanks a lot for your reply :slight_smile:

Not yet. We’ll be updating the manual but the short version is “install Puppet 6 and run the 1.22+ installer”. Nothing special should be required.