Problem:
Now that Puppet 8 is officially supported with Foreman 3.12/Katello 4.14 and Puppet 7 is EOL soon, I wonder what I have to do exactly to switch my existing foreman servers and proxies with puppet 7 to puppet 8.
I haven’t really found anything in the docs for the switch, only for a new installation. Is there a guide somewhere how to switch to puppet 8 without breaking everything?
Hi,
I only replaced the puppet7 repo for puppet8 repo, ran dnf update and foreman-installer and that was all.
Yepp, just update the packages to the puppet 8 ones and run installer, you should be good.
(that’s also what our pipelines do when they test upgrades from 3.11 to 3.12+)
Commands should be (assuming a connected installation):
dnf -y install https://yum.puppet.com/puppet8-release-el-8.noarch.rpm
dnf -y --refresh update
foreman-maintain service stop
foreman-installer --scenario katello
After that, sync the repos and repeat on clients and capsules.
Thanks for all the answers. Switching the puppet repository to puppet8 was really everything needed. Updated packages and ran foreman-installer to make sure everything is correctly configured.
Of course, a few puppet8 changes hit some of our own modules, e.g. the deprecation of $::fqdn…
Noticed I also was using the puppet 7 repo so switched to 8. I however does not use puppet on my Foreman server and seen that the only package that was updated was puppet-agent.
Do I even need that package from the yum.puppet.com repo?
[root@foreman ~]# systemctl status puppet
○ puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; preset: disabled)
Active: inactive (dead)
Docs: man:puppet-agent(8)
[root@foreman ~]# dnf list installed| grep -i puppet
puppet-agent.x86_64 8.10.0-1.el9 @puppet8
puppet-agent-oauth.noarch 0.5.10-1.el9 @foreman
puppet8-release.noarch 1.0.0-9.el9 @@commandline
Tried to remove it and is hit by a few dependencies so I guess I need to keep it:
[root@foreman ~]# dnf remove puppet-agent
Dependencies resolved.
============================================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================================
Removing:
puppet-agent x86_64 8.10.0-1.el9 @puppet8 116 M
Removing dependent packages:
foreman-installer-katello noarch 1:3.12.1-1.el9 @System 433 k
katello noarch 4.14.1-1.el9 @System 378
puppet-agent-oauth noarch 0.5.10-1.el9 @foreman 41 k
Removing unused dependencies:
candlepin noarch 4.4.20-1.el9 @System 99 M
foreman-installer noarch 1:3.12.1-1.el9 @System 7.3 M
katello-certs-tools noarch 2.10.0-1.el9 @System 208 k
katello-common noarch 4.14.1-1.el9 @System 26 k
rubygem-activerecord-import noarch 1.7.0-1.el9 @System 95 k
rubygem-angular-rails-templates noarch 1:1.1.0-2.el9 @System 9.5 k
rubygem-ansi noarch 1.5.0-3.el9 @System 78 k
rubygem-faraday noarch 1.10.2-1.el9 @System 113 k
rubygem-faraday-em_http noarch 1.0.0-1.el9 @System 13 k
rubygem-faraday-em_synchrony noarch 1.0.0-1.el9 @System 10 k
rubygem-faraday-excon noarch 1.1.0-1.el9 @System 7.2 k
rubygem-faraday-httpclient noarch 1.0.1-1.el9 @System 8.6 k
rubygem-faraday-multipart noarch 1.0.4-1.el9 @System 12 k
rubygem-faraday-net_http noarch 1.0.1-1.el9 @System 10 k
rubygem-faraday-net_http_persistent noarch 1.2.0-1.el9 @System 7.4 k
rubygem-faraday-patron noarch 1.0.0-1.el9 @System 7.8 k
rubygem-faraday-rack noarch 1.0.0-1.el9 @System 5.9 k
rubygem-faraday-retry noarch 1.0.3-1.el9 @System 11 k
rubygem-foreman_maintain noarch 1:1.7.6-1.el9 @System 438 k
rubygem-fx noarch 0.8.0-1.el9 @System 39 k
rubygem-kafo noarch 7.4.0-1.el9 @System 186 k
rubygem-kafo_parsers noarch 1.2.1-1.el9 @System 15 k
rubygem-kafo_wizards noarch 0.0.2-2.el9 @System 19 k
rubygem-katello noarch 4.14.1-1.el9 @System 99 M
rubygem-multipart-post noarch 2.2.3-1.el9 @System 22 k
rubygem-pulp_ansible_client noarch 0.21.7-1.el9 @System 1.8 M
rubygem-pulp_certguard_client noarch 3.49.17-1.el9 @System 138 k
rubygem-pulp_container_client noarch 2.20.2-1.el9 @System 1.0 M
rubygem-pulp_deb_client noarch 3.2.1-1.el9 @System 1.1 M
rubygem-pulp_file_client noarch 3.49.17-1.el9 @System 625 k
rubygem-pulp_ostree_client noarch 2.3.2-1.el9 @System 649 k
rubygem-pulp_python_client noarch 3.11.2-1.el9 @System 586 k
rubygem-pulp_rpm_client noarch 3.26.1-1.el9 @System 1.2 M
rubygem-pulpcore_client noarch 1:3.49.17-1.el9 @System 1.8 M
rubygem-spidr noarch 0.7.1-1.el9 @System 95 k
rubygem-stomp noarch 1.4.10-1.el9 @System 171 k
tomcat noarch 1:9.0.87-2.el9 @System 322 k
yum-utils noarch 4.3.0-16.el9 @System 23 k
Transaction Summary
============================================================================================================================================
Remove 42 Packages
Freed space: 332 M
Is this ok [y/N]:
If you don’t use the puppet server, then the repository is only used by foreman-installer itself. foreman-installer is puppet. Thus you always need the puppet-agent packaged installed because that is needed to run foreman-installer and install foreman. The puppet.service doesn’t need to run if you don’t use puppet for your configuration management.
I followed the same and today upgraded foreman from 3.11 to 3.12 along with puppet from 7 to 8
But the puppet agent runs fail as it’s now unable to recognize the foreman location variables. Any idea how to fix it?
You’ll have to post the exact error messages…
Here is the output of puppet agent -tv
# puppet agent -tv
Info: Using environment 'development'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from XXX:8140 (x.x.x.x)
Notice: Catalog compiled by XXX
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, uninitialized constant Puppet::Parser::Functions::PSON (file: /etc/puppetlabs/code/environments/development/manifests/002_dns.pp, line: 5, column: 17) on node XXX
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Puppet manifest
# cat /etc/puppetlabs/code/environments/development/manifests/002_dns.pp
# Enforce local DNS resolver configuration based on host's location set in Puppet "$location" variable
# This code uses module "saz-resolv_conf" module
class {'resolv_conf':
nameservers => [ "$dns1", "$dns2"],
searchpath => parsejson($dns_search_path),
options => [ "rotate" ],
}
And dns_search_path is a location parameter defined in Foreman.
If you need more info please let me know.
The puppet server sends a 500 error code. Thus you have to post the error from the puppetserver log.
What version of puppetlabs/stdlib are you using? PSON is not supported anymore in Puppet 8 and stdlib switched to a native JSON parser in 8.5.0: Switch parsejson() from PSON to JSON parsing · puppetlabs/puppetlabs-stdlib@53a8ccf · GitHub
The stdlib version is 6.5.0 so I don’t think it’s a problem with Foreman.
I need to work on updating all the puppet modules so they are compatible with Puppet 8.
Thanks for your help. Appreciate it!
Yepp, I am also quite sure it’s not the Foreman part that’s broken for you, but “just” general incompatibility of some modules with Puppet 8.
There should be no reason why you couldn’t downgrade back to Puppet 7, validate all your modules against a test setup, and then re-upgrade to 8.
I had some odd issues that I believe I have now fixed. This was when I was upgrading Puppet from 7 to 8 on Oracle Linux 9 while upgrading Foreman from 3.11 to 3.12.
SSL validation became a bit of an issue. Puppet agents were receiving “Error 500 no valid config available”. Puppet server log was complaining about CA certs not being trusted.
# Previous Steps I used to installed from the Foreman Manual
foreman-installer \
--foreman-server-ssl-cert /etc/pki/tls/cert.pem \
--foreman-server-ssl-key /etc/pki/tls/privat.key \
--foreman-server-ssl-chain /etc/pki/tls/cert.bundle.pem
# Copy Cert Bundle to Puppet ca to Ensure Sign Certs are known/trusted to Puppet
cat /etc/pki/tls/cert.bundle.pem >> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
These rough steps generally worked in the past, SSL validated as expected and config pushed out. However something changed in the newer version of Puppet 8 and and the steps to allow Puppet to trust certs no longer worked. A vanilla installed instance of Foreman/Puppet worked fine, but as soon as custom signed SSL certs were configured, everything stopped working.
After trial and error and finding the following Doc, I managed to get the system working again:
Rather than use the cert bundle that incorporated the signed cert and ca trust chain, the following configuration separates the signed cert from the chain and they configured to respective options.
/etc/httpd/conf.d/05-foreman-ssl.confSSLCertificateFile " /etc/pki/tls/cert.pem"
SSLCertificateKeyFile " /etc/pki/tls/private.key"
SSLCertificateChainFile " /etc/pki/tls/chain.pem"
foreman_ssl_ca is not defined in: /etc/foreman-proxy/settings.ymlssl_ca, do not change ssl_cert or ssl_key in file: /etc/puppetlabs/puppet/foreman.yamlHope this helps someone who suffering with this issue.
As always, it’s a bad idea to modify those configuration files by hand. The next run of foreman-installer will revert your changes. Always use foreman-installer command line options… Then foreman-installer writes the correct information into the right places.
Ideally would prefer to use the config options that go along with the foreman-install command. Unfortunately, after a lot of banging my head against the wall this was the only thing that seemed to work.
When I get some time, I’ll try adapting the working config above and transpose to the options for foreman-install.