On 24/10/16 01:32, Michael Hurn wrote:
> I am still working on details for this idea:
> 
> On a CentOS 6 host: We have an all-in-one Foreman 1.12.3 / Puppet 3.8.x
> with an external MySQL foreman database, that has been upgraded (OS,
> Foreman & Puppet) a few times. We want to keep the configuration
> information from the old server to the new server.
> 
> We know that we need to move from CentOS 6.x to CentOS 7.x and from
> Puppet 3.x to 4.x.
> 
> How can we best make the transition? Taking into account that it is
> possible to scale up Foreman & Puppet to have multiple servers, is this
> idea valid?

Sure, seems like a good idea.

> Build a fresh Foreman 1.12.3 / Puppet 4.x Server on CentOS 7.x then
> point it to the existing Foreman DB.

https://theforeman.org/manuals/1.13/index.html#5.8MultipleForemaninstances
has some notes about running multiple instances using the same database.
It's perfectly fine, you just need to ensure some private data is
present on all servers.

I would recommend using a shared cache too, else you may see odd
inconsistencies (the page recommends foreman_memcache).

> I can see that there will be a few issues around DNS and certificates.
> At the moment I can think of a few options including a new PuppetCA. The
> legacy Foreman server was built with the FQDN of the host with the
> default alt names in the cert. I plan to build the new server with a
> CNAME from the outset, as this will give more options for expansion in
> the future. It is also simple to switch a Puppet client to another
> Puppet server.
> 
> One safeguard I can think of is to always have the Puppet clients
> only connect to one of the Foreman / Puppet Servers.

Sure, then the different names don't matter. You can generate a
certificate for the new server from the existing CA (`puppet cert
generate new-server.example.com`). The existing certificate doesn't have
to be transferred or used on both as they would be from the same CA.

Configure puppet.conf on your Puppet agents to have ca_server as the old
server, and server as either the old or new server. If the new server's
cert is signed by the old CA, you can switch it back and forwards
without even needing to resign the agent's certificate.

When you're done migrating, you can copy the CA files to the new server
too, and use that for CA functions.

(The CA is separate to the master's certificate with the hostname in the
cert subject. The CA does mention the original hostname, but it's not
used for anything.)

-- 
Dominic Cleal
domi...@cleal.org

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
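The agent-side part of the plan above (ca_server pinned to the old master that holds the CA, server switched between old and new master without re-signing) can be scripted and checked. The following is an added example written for this thread, not code from either poster or from the Foreman/Puppet projects. The hostnames, the certname, the temp-file handling and the Puppet 4 ssldir paths in the comments are assumptions chosen for illustration; on a real agent the settings live in the agent's puppet.conf and would normally be written with `puppet config set`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): keep a Puppet agent's
# ca_server pinned to the old master while server is switched between the
# old and new masters during a migration, and check that nothing drifted.
# All hostnames and paths are assumptions for illustration.

OLD_MASTER="old-server.example.com"   # assumed: the master that holds the existing CA
NEW_MASTER="new-server.example.com"   # assumed: CNAME for the new CentOS 7 master

# Write a minimal agent configuration. Puppet 4 AIO reads
# /etc/puppetlabs/puppet/puppet.conf (Puppet 3: /etc/puppet/puppet.conf);
# the path is a parameter so the function can be exercised on a temp file.
write_agent_conf() {
    conf="$1"; ca="$2"; srv="$3"
    cat > "$conf" <<EOF
[main]
certname = agent01.example.com

[agent]
ca_server = $ca
server = $srv
EOF
}

# Point the agent at a different master for catalog runs. Only the
# "server =" line is rewritten; "ca_server =" is left alone, so the agent
# keeps requesting and renewing its certificate from the one CA.
switch_server() {
    conf="$1"; srv="$2"
    awk -v srv="$srv" '
        /^[ \t]*server[ \t]*=/ { print "server = " srv; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the value of one key from the [agent] section (empty if unset).
get_setting() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^\[/ { section = $0 }
        section == "[agent]" && $1 == key && $2 == "=" { print $3 }
    ' "$conf"
}

# Return 0 when the agent still trusts the expected CA host and has a
# catalog server set; return 1 (with a reason on stderr) otherwise.
# Catching an agent whose ca_server moved to the new master before the CA
# files were copied there is the point of this check.
check_agent_conf() {
    conf="$1"; expected_ca="$2"
    ca=$(get_setting "$conf" ca_server)
    srv=$(get_setting "$conf" server)
    if [ "$ca" != "$expected_ca" ]; then
        echo "ca_server is '$ca', expected '$expected_ca'" >&2
        return 1
    fi
    if [ -z "$srv" ]; then
        echo "server is not set" >&2
        return 1
    fi
    echo "agent: CA=$ca catalog server=$srv"
    return 0
}

# On the new master, confirm its certificate chains to the old CA. The
# certificate itself is issued on the old master with
#   puppet cert generate new-server.example.com
# as the reply describes, then copied across. Paths below are the Puppet 4
# AIO defaults and an assumption; this needs openssl and real files, so it
# is not run by the self-check at the bottom.
verify_master_cert() {
    ca_pem="${1:-/etc/puppetlabs/puppet/ssl/certs/ca.pem}"
    cert_pem="${2:-/etc/puppetlabs/puppet/ssl/certs/$NEW_MASTER.pem}"
    openssl verify -CAfile "$ca_pem" "$cert_pem"
}
```

Typical use: write the configuration with `ca_server` and `server` both set to the old master, call `switch_server` to move catalog runs to the new master (and back, as the reply says, without touching the agent certificate), and run `check_agent_conf` from a cron job or the monitoring system so any agent whose `ca_server` drifts is reported before the CA is actually moved.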
