updating puppetserver 6.x -> 7.x fails without manual intervention #846

Closed
jhoblitt opened this issue Aug 18, 2022 · 4 comments

@jhoblitt
Contributor

It appears that something akin to the puppetlabs/transition mod may be needed in order to allow the puppetserver process to be temporarily stopped to run the puppet7 ca migration:

Notice: /Stage[main]/Puppet::Server::Config/Exec[migrate Puppetserver cadir]/returns: Puppetserver service is running. Please stop it before attempting to run this command.
Error: '/opt/puppetlabs/bin/puppetserver ca migrate' returned 1 instead of one of [0]
Error: /Stage[main]/Puppet::Server::Config/Exec[migrate Puppetserver cadir]/returns: change from 'notrun' to ['0'] failed: '/opt/puppetlabs/bin/puppetserver ca migrate' returned 1 instead of one of [0] (corrective)
Notice: /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: Dependency Exec[migrate Puppetserver cadir] has failures: true
Warning: /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: Skipping because of failed dependencies

The fix is to manually stop puppetserver and run the ca migration:

[root@foreman ~]# systemctl stop puppetserver
[root@foreman ~]# /opt/puppetlabs/bin/puppetserver ca migrate
CA dir successfully migrated to /etc/puppetlabs/puppetserver/ca. Symlink placed at /etc/puppetlabs/puppet/ssl/ca
for backwards compatibility. The puppetserver can be safely restarted now.
[root@foreman ~]# systemctl start puppetserver

@ekohl
Member

ekohl commented Aug 22, 2022

Yes, we worked around this in our installer using a hook combined with code here:

# In Puppet 7 the cadir was changed from $ssldir/ca to $puppetserver_dir/ca
# This migrates the directory if it was in the old location
# The migration command leaves a symlink in place
if versioncmp($puppet::server::real_puppetserver_version, '7.0') > 0 {
  exec { 'migrate Puppetserver cadir':
    command => "${puppet::puppetserver_cmd} ca migrate",
    creates => $puppet::server::cadir,
    onlyif  => "test -d '${puppet::server::ssl_dir}/ca' && ! test -L '${puppet::server::ssl_dir}'",
    path    => $::path,
    before  => Exec['puppet_server_config-generate_ca_cert'],
  }
}

I was a bit scared to automate too much here. For example, if the puppetserver is down, will the agent continue correctly? In our installer it's safe because it's essentially "just" a serverless Puppet agent run, but in complex environments it often isn't so clear.

I'd love to hear some more suggestions on how to deal with this.
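
A guarded version of the manual fix from this thread, as an added example that is not code from the thread or from the module: it classifies the CA directory layout first, stops puppetserver only when a migration is needed, and restores the service afterwards. The function names `cadir_state` and `migrate_cadir` and the environment overrides are hypothetical; the default paths are the ones shown in the migration output above.

```shell
#!/bin/sh
# Added example (not the module's code). Defaults are the paths printed by
# 'puppetserver ca migrate' in this thread; the overrides are hypothetical.
OLD_CADIR="${OLD_CADIR:-/etc/puppetlabs/puppet/ssl/ca}"
NEW_CADIR="${NEW_CADIR:-/etc/puppetlabs/puppetserver/ca}"
PUPPETSERVER_CMD="${PUPPETSERVER_CMD:-/opt/puppetlabs/bin/puppetserver}"

# Print the CA directory layout: needed | migrated | fresh | conflict
cadir_state() {
    old=$1 new=$2
    if [ -L "$old" ]; then
        echo migrated   # compatibility symlink left by 'ca migrate'
    elif [ -d "$old" ] && [ -e "$new" ]; then
        echo conflict   # two real CA directories: never pick one automatically
    elif [ -d "$old" ]; then
        echo needed     # legacy cadir only
    else
        echo fresh      # no legacy cadir, nothing to move
    fi
}

# Stop puppetserver if it is running, migrate, then restore the service state.
migrate_cadir() {
    state=$(cadir_state "$OLD_CADIR" "$NEW_CADIR")
    case $state in
        needed)   ;;
        conflict) echo "both $OLD_CADIR and $NEW_CADIR exist; inspect by hand" >&2
                  return 1 ;;
        *)        echo "cadir state is '$state'; nothing to migrate" >&2
                  return 0 ;;
    esac
    was_active=0
    if systemctl is-active --quiet puppetserver; then
        was_active=1
        systemctl stop puppetserver || return 1
    fi
    rc=0
    "$PUPPETSERVER_CMD" ca migrate || rc=$?
    # Design choice of this example: start the service again even when the
    # migration failed, so a failed attempt does not leave the CA offline.
    if [ "$was_active" -eq 1 ]; then
        systemctl start puppetserver || rc=$?
    fi
    return "$rc"
}
```

Call `migrate_cadir` as root on the server; a second call reports `migrated` and touches neither the service nor the CA directory.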

@jhoblitt
Contributor Author

I am trying to do the upgrade as part of a regular agent run, not using the foreman-installer, which means puppet is managing puppet. What I can state for sure is that as-is, this results in puppetserver breaking. I am not sure if solving that needs to be automated. I think the only way for this to work is for the puppetserver to be stopped during the agent run with the transition module. This should be acceptable as puppetserver doesn't generally need to be accessible by the agent after the catalog has been downloaded. I suppose it might result in the agent report being lost if the puppetserver is still down at the end of the agent run.

@ekohl
Member

ekohl commented Aug 23, 2022

So you're advocating for something like:

transition { 'stop puppetserver service':
  resource   => Service['puppetserver'],
  attributes => { ensure => stopped },
  prior_to   => Exec['migrate Puppetserver cadir'],
}

We've used puppetlabs-transition in the past and I'd be ok with that. However, I am currently quite busy so I have little time to work it out. PRs are welcome.

@ekohl
Member

ekohl commented May 16, 2023

In #873 we're dropping Puppet 6 support, including the migration. I don't think we're going to get to this anymore.

ekohl closed this as not planned on May 16, 2023