Puppet 6 support?

SCHAER_Frederic · October 9, 2018, 11:57am

Hi,

probably a bit early to ask but… has anyone tried puppet 6 with foreman (1.19) ?
Anyone knows if that’s expected to work, or to break ?

Regards

ekohl · October 9, 2018, 12:07pm

Puppet 6 changes the CA handling so that’ll break. There is one open PR for the proxy:

https://github.com/theforeman/smart-proxy/pull/610

I haven’t had a look at our theforeman-puppet module in the installer. I expect it to need some changes but the other puppet modules probably don’t need changes.

Jeff_Sparrow · October 9, 2018, 1:18pm

We will need Puppet 6 support for Foreman as soon as possible. There are some pretty bad CVE’s that affect Puppets Jetty Server and according to Puppet, the only current fix is to upgrade to Puppet 6… boooo

ekohl · October 9, 2018, 1:47pm

To be honest I was caught off guard with how fast Puppet 6 was suddenly there. There are 2 ways forward now: a quick & dirty fix that modifies the command line implementation vs using the CA REST API. The latter would be a much more forward compatible implementation and much less invasive on the proxy server (because you don’t need sudo). It also allows splitting the proxy from the puppet services.

Since 1.19 the Puppet CA module has pluggable so we can write a standalone implementation and switch at install time though configuration. That means we could choose either implementation (or both).

ekohl · October 18, 2018, 8:54pm

Yesterday we had a hack day and @TimoGoebel wrote a provider for the smart proxy that uses the HTTP CA API that’s present since Puppet 4. It does lack some fields (serial, not_before and not_after) which means you will miss them in the overview but otherwise it looks very good:

https://github.com/theforeman/smart-proxy/pull/615

This will need a patch for puppet-foreman_proxy to support the new config options.

Speaking of modules; I started with changing our testing template:

https://github.com/theforeman/foreman-installer-modulesync/pull/92

There are 2 open PRs using this functionality:

https://github.com/theforeman/puppet-foreman/pull/678
https://github.com/theforeman/puppet-puppet/pull/642

Once those pass and I know what to expect, I’ll open more PRs for the other modules. When those are up, it’s time to do some end to end testing but I’m confident we can finish it soon.

Bernhard_Suttner · December 14, 2018, 3:30pm

Since Timo’s puppet6 change was merged, does it mean that foreman 1.21 will support puppet6 completely?

ekohl · December 14, 2018, 4:32pm

It’s not merged yet, but I still fully intend to get all support in. Perhaps we’ll merge it and mark it as experimental.

oliware · February 11, 2019, 8:36am

We are planning to install a new foreman server (our old one is still version 1.12.4) together with a big rollout of puppetserver 6.
In which timeframe can we expect foreman support for this (experimental or not) ?
Thanks for your great support.

ekohl · February 11, 2019, 10:55am

This thread does indeed deserve an update. During cfgmgmtcamp I tried to get closer.

I poked the Puppet team to do a puppetlabs-xinetd release. We also switched puppet-pulp to use the Voxpupuli squid module which is maintained and supports Puppet 6.

We need a release of camptocamp/systemd. metadata.json in git does list the right supported version so it shouldn’t be hard.

Now that I’m back from cfgmgmtcamp I plan on doing tests with nightly installations so see if there are other installer issues.

There is https://tickets.puppetlabs.com/browse/SERVER-2370 to add missing fields to the REST API. @afisher found someone to implement this. There is a WIP PR open which will make sure we have full feature parity with Puppet 6. Without it we can still do the provisioning operations but we can’t show the expiration dates of certs in the UI.

https://github.com/puppetlabs/puppetserver/pull/1967

The smart-proxy support can be merged even without that. When testing the installer I should be able to test this as well.
https://github.com/theforeman/smart-proxy/pull/615

Once that’s done, we should be able to officially support Puppet 6. My aim is Foreman 1.22.

ekohl · February 26, 2019, 4:40pm

Latest update is that the smart-proxy and installer side were merged. There is a known issue when using the installer with the progress bar. Using foreman-installer --verbose does work. There’s a PR open to disable the progress bar until it’s properly fixed (along with fixes to remove deprecation warnings).

https://github.com/theforeman/kafo/pull/232

Sean · March 15, 2019, 6:37pm

Hi, I’m not sure if this is still an active issue or not, but what is the proper method for installing Foreman from scratch with Puppet 6.latest?

I have attempted to do this today for the first time and found that there is an error message about puppet legacy functions. Unfortunately, the network we’re doing this on is isolated and I can’t bring log data / screen out put across the gap.

This isolated network has an established RootCA and we want to use puppet6 so that we can have that RootCA issue an Intermediate that Foreman/PuppetCA/Puppet can use, instead of introducing a 2nd RootCA.

ekohl · March 15, 2019, 6:41pm

At this moment I’m working on the final touches for the installer part in nightly. It should be in good shape for Foreman 1.22. If you’re branch, you can install a (separate) nightly smart-proxy and that should work with Puppet 6.

Sean · March 15, 2019, 7:33pm

Is a better process to get foreman installed with puppet 5, then upgrade to puppet 6 and redo my CA Certs before I put enroll any nodes?

I don’t have the ability to easily pull repos into this isolated network, so I’m kinda stuck with what I have, and we’ve got to get this can rolling down the road, so I can’t wait for 1.22 to hit the streets and get pushed through our repo migration process.

ekohl · March 15, 2019, 7:47pm

The problem isn’t in the installer. The smart proxy doesn’t support Puppet 6 for the CA part because it relied on the puppet cert command. As long as you don’t need that part, it should work.

The proxy has two separate features for this (Puppet and Puppet CA) so you can set the latter to disabled (--foreman-proxy-puppeca false). This may make provisioning harder.

Another workaround is to write a wrapper script that emulates the old puppet cert command.

Those are the options I can think of.

Sean · March 15, 2019, 7:54pm

Ok, I thought Puppet 6 support was in the 1.21 release, I guess I missed your comment (Puppet 6 support?) in this thread earlier referring to pushing out to 1.22.

ekohl · March 15, 2019, 7:55pm

I had hoped to complete it as part of 1.21 but it was more work than anticipated.

maze-m · April 3, 2019, 1:35pm

Hi there!

Is there a possibility to install foreman on the newest puppet version?
Or doesn’t it work?

I’ve tried it with “root@puppet-master:~# foreman-installer --foreman-admin-username admin --foreman-admin-password “testpassword” --skip-puppet-version-check” and I got the following error:

/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:92:in walk' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inblock in walk’
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:in each' /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inwalk’
.
.
.
In /var/log/foreman-installer/foreman.log I can see the following:

[DEBUG 2019-04-03T13:38:38 main] importing ‘/usr/lib/ruby/vendor_ruby/kafo/modules/kafo_configure/manifests/init.pp’ in environment production
[DEBUG 2019-04-03T13:38:38 main] Automatically imported kafo_configure from kafo_configure into production
[ERROR 2019-04-03T13:38:38 main] Could not run: Illegal method definition of method ‘is_interesting?’ on line 12’ in legacy function. See https://puppet.com/docs/puppet/latest/functions_refactor_legacy.html for more information
[ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:92:in walk' [ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inblock in walk’
[ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:in each' [ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:inwalk’
[ERROR 2019-04-03T13:38:38 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/ruby_legacy_function_instantiator.rb:98:in `block in walk’
.
.
.
.

ekohl · April 4, 2019, 8:34am

Puppet 6 support is planned for Foreman 1.22. Branching is planned for next week.

maze-m · April 10, 2019, 8:42am

Aah, thanks for your reply! Do you have an Link for an documentation for installing foreman on puppet 6 which will work then?
Thanks a lot for your reply

ekohl · April 10, 2019, 8:43am

Not yet. We’ll be updating the manual but the short version is “install Puppet 6 and run the 1.22+ installer”. Nothing special should be required.