Problem:
Now that Puppet 8 is officially supported with Foreman 3.12/Katello 4.14 and Puppet 7 is EOL soon, I wonder what I have to do exactly to switch my existing foreman servers and proxies with puppet 7 to puppet 8.
I haven’t really found anything in the docs for the switch, only for a new installation. Is there a guide somewhere on how to switch to puppet 8 without breaking everything?
Yep, just update the packages to the puppet 8 ones and run the installer, you should be good.
(that’s also what our pipelines do when they test upgrades from 3.11 to 3.12+)
Thanks for all the answers. Switching the puppet repository to puppet8 was really everything needed. Updated packages and ran foreman-installer to make sure everything is correctly configured.
Of course, a few puppet8 changes hit some of our own modules, e.g. the deprecation of $::fqdn…
Noticed I was also using the puppet 7 repo, so I switched to 8. However, I do not use puppet on my Foreman server and saw that the only package that was updated was puppet-agent.
Do I even need that package from the yum.puppet.com repo?
If you don’t use the puppet server, then the repository is only used by foreman-installer itself. foreman-installer is puppet. Thus you always need the puppet-agent package installed because that is needed to run foreman-installer and install foreman. The puppet.service doesn’t need to run if you don’t use puppet for your configuration management.
I followed the same and today upgraded foreman from 3.11 to 3.12 along with puppet from 7 to 8.
But the puppet agent runs fail as it’s now unable to recognize the foreman location variables. Any idea how to fix it?
# puppet agent -tv
Info: Using environment 'development'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from XXX:8140 (x.x.x.x)
Notice: Catalog compiled by XXX
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, uninitialized constant Puppet::Parser::Functions::PSON (file: /etc/puppetlabs/code/environments/development/manifests/002_dns.pp, line: 5, column: 17) on node XXX
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Puppet manifest
# cat /etc/puppetlabs/code/environments/development/manifests/002_dns.pp
# Enforce local DNS resolver configuration based on host's location set in Puppet "$location" variable
# This code uses the "saz-resolv_conf" module
class {'resolv_conf':
  nameservers => [ "$dns1", "$dns2"],
  searchpath  => parsejson($dns_search_path),
  options     => [ "rotate" ],
}
And dns_search_path is a location parameter defined in Foreman.
The stdlib version is 6.5.0 so I don’t think it’s a problem with Foreman.
I need to work on updating all the puppet modules so they are compatible with Puppet 8.
I had some odd issues that I believe I have now fixed. This was when I was upgrading Puppet from 7 to 8 on Oracle Linux 9 while upgrading Foreman from 3.11 to 3.12.
SSL validation became a bit of an issue. Puppet agents were receiving “Error 500 no valid config available”. Puppet server log was complaining about CA certs not being trusted.
# Previous steps I used to install, from the Foreman manual
foreman-installer \
  --foreman-server-ssl-cert /etc/pki/tls/cert.pem \
  --foreman-server-ssl-key /etc/pki/tls/privat.key \
  --foreman-server-ssl-chain /etc/pki/tls/cert.bundle.pem
# Copy cert bundle to the Puppet CA to ensure signing certs are known/trusted by Puppet
cat /etc/pki/tls/cert.bundle.pem >> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
These rough steps generally worked in the past, SSL validated as expected and config pushed out. However, something changed in the newer version of Puppet 8 and the steps to allow Puppet to trust certs no longer worked. A vanilla installed instance of Foreman/Puppet worked fine, but as soon as custom signed SSL certs were configured, everything stopped working.
The Fix
After trial and error and finding the following Doc, I managed to get the system working again:
Rather than use the cert bundle that incorporated the signed cert and CA trust chain, the following configuration separates the signed cert from the chain, and they are configured in their respective options.
Update the following file paths in: /etc/httpd/conf.d/05-foreman-ssl.conf
As always, it’s a bad idea to modify those configuration files by hand. The next run of foreman-installer will revert your changes. Always use foreman-installer command line options… Then foreman-installer writes the correct information into the right places.
Ideally I would prefer to use the config options that go along with the foreman-install command. Unfortunately, after a lot of banging my head against the wall this was the only thing that seemed to work.
When I get some time, I’ll try adapting the working config above and transpose to the options for foreman-install.
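The thread above describes separating the signed certificate from its CA chain instead of passing one bundle. As an added example (not code from the thread or from the Foreman project), this Python splits a PEM bundle into the leaf and the chain by finding the one certificate whose subject no other certificate names as issuer. The function names and the sample certificates are constructed for illustration, and matching is by name only, with no signature or basicConstraints check.

```python
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)            # tbsCertificate SEQUENCE
    fields = []                               # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                       # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def split_bundle(pem_text):
    """Return (leaf_pem, chain_pems); matches issuer names only, no signature check."""
    certs = [(b, *issuer_subject(ssl.PEM_cert_to_DER_cert(b)))
             for b in PEM_RE.findall(pem_text)]
    # A name that issued a different certificate in the bundle belongs to a CA.
    ca_names = {iss for _, iss, sub in certs if iss != sub}
    leaves = [b for b, iss, sub in certs if sub not in ca_names and iss != sub]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    return leaves[0], [b for b, _, _ in certs if b != leaves[0]]

def tlv(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length, enough for the sample

def constructed_cert(subject, issuer):
    """Constructed stand-in holding only the tbsCertificate fields read above."""
    tbs = (tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, issuer.encode())
           + tlv(0x30, b"") + tlv(0x30, subject.encode()))
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tlv(0x30, tbs)))

# Constructed sample bundle (made-up names): leaf, issuing CA, self-signed root.
SAMPLE_BUNDLE = "".join(constructed_cert(s, i) for s, i in [
    ("CN=foreman.example.test", "CN=Example CA"), ("CN=Example CA", "CN=Example Root"),
    ("CN=Example Root", "CN=Example Root")])
```

Calling `split_bundle()` on the text of a real bundle returns the PEM block for the server certificate and a list of the remaining CA blocks, which can then be written to separate files.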