MASS-MIGRATION OF
5000 SERVERS TO
FOREMAN/KATELLO
WITH BOOTSTRAP.PY
Evgeni Golov
1
$ WHOAMI
Evgeni Golov
Software Engineer at Red Hat
ex-Consultant at Red Hat
Debian and Grml Developer
♥ FOSS ♥
♥ automation ♥
2
SITUATION
10k RHEL (5k RHEL5, 4k RHEL6, 1k RHEL7)
most of them subscribed to
Satellite5/Spacewalk
want to move to Satellite6/Foreman
this requires a plan
3
TOOLING
Satellite 6.1 (Foreman 1.7, Katello 2.2)
this was done about a year ago
the learnings also apply to Foreman itself
bootstrap.py
script for registration of machines to
Foreman/Katello
at that time not even part of the Katello
project
mimics the idea of bootstrap.sh from
Spacewalk
4
BOOTSTRAP.PY
install katello-ca-consumer RPM
subscribe the machine using subscription-manager or rhn-migrate-classic-to-rhsm
configure katello-agent
configure Puppet
5
STEP 1: EL5?!
ain't nobody got time for that
just let it bit-rot on the old infra
there is a migration to EL6/7 planned
anyways
(guess who is still up and running today?)
no need to care for the old content
but also no insight if there are any gotchas
6
STEP 2: SIZE THE
INFRASTRUCTURE
main VM: 12vCore, 32GB RAM, 1TB flash
6 proxies: 8vCore, 24GB RAM, 500G flash
rough setup:
no machines connect directly to Foreman
no more than 1000 clients per proxy
most machines don't do Puppet
7
STEP 3: WAIT FOR FIREWALLS
there is always a firewall somewhere
and it for sure will make you unhappy
request the new firewall rules early and
broadly (allow ALL the networks!)
8
STEP 4: DESIGN CONTENT
the old setup provided almost only RHEL, apps
were delivered from other sources
this makes an easy setup with one CCV per
RHEL release, containing CVs for:
RHEL + SatTools
admin software (backup, monitoring, etc)
9
STEP 5: REGISTER ALL THE
MACHINES
piece of cake, right?
10
STEP 5.1: FIND THE RIGHT PROXY
most machines are subscribed to Spacewalk
find the old Spacewalk proxy in
/etc/sysconfig/rhn/up2date
have a map of old proxy to new proxy
machine is not subscribed?
try guessing based on host/domainname
try guessing based on IPv4 subnet
if everything fails, use a "default" proxy
11
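The lookup order from step 5.1 as an added example (not code from the talk or from bootstrap.py). It is Python 3, meant to run on the planning host over collected inventory data; the mapping tables, hostnames and the `pick_proxy` name are constructed placeholders. It returns the reason alongside the proxy so that guessed and default assignments can be reviewed before anything is scheduled.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholder data; fill in from your own inventory.
OLD_TO_NEW = {"sw-proxy1.example.com": "new-proxy1.example.com"}
DOMAIN_TO_NEW = {"dmz.example.com": "new-proxy2.example.com"}
SUBNET_TO_NEW = {"10.20.0.0/16": "new-proxy3.example.com"}
DEFAULT_PROXY = "new-proxy-default.example.com"


def old_proxy_from_up2date(text):
    """Return the host named in serverURL=, or None if not subscribed."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        # exact match skips comments and the serverURL[comment]= line
        if sep and key == "serverURL":
            first_url = value.split(";")[0].strip()
            return urlparse(first_url).hostname
    return None


def pick_proxy(up2date_text, fqdn, ipv4):
    """Apply the fallback order from the slide; return (proxy, reason)."""
    old = old_proxy_from_up2date(up2date_text or "")
    if old in OLD_TO_NEW:
        return OLD_TO_NEW[old], "old-proxy map"
    for domain, proxy in DOMAIN_TO_NEW.items():
        if fqdn == domain or fqdn.endswith("." + domain):
            return proxy, "domain guess"
    if ipv4:
        addr = ipaddress.ip_address(ipv4)
        for net, proxy in SUBNET_TO_NEW.items():
            if addr in ipaddress.ip_network(net):
                return proxy, "subnet guess"
    return DEFAULT_PROXY, "default"
```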
STEP 5.2: FIND AN EXECUTOR
you need to run a script on every single
machine
Spacewalk has a function for that, but it was
disabled
when a problem occurs during migration,
Spacewalk might not be able to control the
machine anymore
today everybody would have used Ansible
we had BMC BladeLogic, as that was what the
customer had for all platforms
12
STEP 5.3: CHECK THAT FIREWALL
nobody wants to schedule 5000 jobs that will
fail
run a quick pre-check job before doing the
actual work
can the host resolve itself (and get a FQDN?)
can the host reach the old proxy
can the host reach the new proxy (on 80,
443, 5671)
13
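A sketch of the pre-check job from step 5.3, added here as an example and not taken from the talk or bootstrap.py. The function names are hypothetical, and the old-proxy port (443) is an assumption since the slide only names ports for the new proxy. The connection and name-resolution helpers are injectable so the logic can be exercised without touching the network.

```python
import socket

NEW_PROXY_PORTS = (80, 443, 5671)  # ports named on the slide


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, filtered
        return False


def resolves_to_fqdn(getfqdn=socket.getfqdn, resolve=socket.gethostbyname):
    """True if the host's own name is fully qualified and resolvable."""
    fqdn = getfqdn()
    if "." not in fqdn or fqdn.startswith("localhost"):
        return False
    try:
        resolve(fqdn)
        return True
    except OSError:
        return False


def precheck(old_proxy, new_proxy, old_port=443,
             connect=tcp_open, fqdn_ok=resolves_to_fqdn):
    """Return the list of failed checks; empty means safe to schedule."""
    failures = []
    if not fqdn_ok():
        failures.append("fqdn")
    # old_port is an assumption; unsubscribed hosts have no old proxy
    if old_proxy and not connect(old_proxy, old_port):
        failures.append("old-proxy:%d" % old_port)
    for port in NEW_PROXY_PORTS:
        if not connect(new_proxy, port):
            failures.append("new-proxy:%d" % port)
    return failures
```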
STEP 5.4: WAIT FOR EVERYBODY
the previous step will identify a lot of machines
as "broken"
enjoy your coffee while waiting for the
firewalls, machine owners, etc
14
STEP 5.5: TEST WHILE WAITING
figure out which bootstrap.py parameters
you need
figure out which patches for bootstrap.py
you need
submit everything upstream
become the de-facto maintainer of
bootstrap.py upstream
15
STEP 5.6: REGISTER!
we run batches of 1000 per day, so we would
not affect too many departments
--skip foreman as we did not care for
Foreman/Puppet, just content
--force as we sometimes just re-run the
same machine multiple times
--legacy-purge to remove the machine
from Spacewalk
16
STEP 5.7: COLLECT THE PIECES
sometimes rhsmcertd would hang, blocking
subscription-manager, blocking yum
some machines have broken clocks, SSL
terribly fails
yes, we served "wrong" content to a couple
boxes, but that was found quickly (missing
repos)
(broken) proxies in yum.conf make it hard to
fetch packages
17
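Two of the failures from step 5.7 can be caught before registration. The following is an added example, not from the talk: it flags a proxy configured in yum.conf and measures clock skew against the `Date` header of an HTTP response from the new proxy. The function names, the 300-second tolerance and the sample inputs used to exercise it are assumptions.

```python
import configparser
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = 300  # seconds; assumed tolerance, not a value from the talk


def yum_proxy_settings(yum_conf_text):
    """Return proxy* options from the [main] section of yum.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(yum_conf_text)
    if not cp.has_section("main"):
        return {}
    return {k: v for k, v in cp.items("main") if k.startswith("proxy")}


def clock_skew_seconds(http_date_header, local_now):
    """Local time minus server time, from an HTTP Date header value."""
    server = parsedate_to_datetime(http_date_header)
    return (local_now - server).total_seconds()


def triage(yum_conf_text, http_date_header, local_now=None):
    """Return human-readable findings; an empty list means no issue seen."""
    local_now = local_now or datetime.now(timezone.utc)
    findings = []
    proxy = yum_proxy_settings(yum_conf_text).get("proxy", "_none_")
    if proxy != "_none_":  # _none_ is yum's explicit "no proxy" value
        findings.append("yum proxy set: " + proxy)
    skew = clock_skew_seconds(http_date_header, local_now)
    if abs(skew) > MAX_SKEW:
        findings.append("clock off by %d s" % skew)
    return findings
```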
RANDOM FINDINGS
BMC BladeLogic injects its own libssl using
LD_LIBRARY_PATH, breaking yum
EL6.4 (and older) has a nasty Python bug,
making all syslog calls EMERG
People hate monitoring filesystems
It is considered OK to leave a machine with
broken dependencies
18
THANKS!






evgeni@golov.de
die-welt.net
@zhenech
+EvgeniGolov
@evgeni
zhenech
19

