Mass-Migration of 5000 Servers to Foreman/Katello with bootstrap.py - Evgeni Golov
0 likes872 views
The document outlines a detailed plan for migrating 5000 servers from Satellite 5/Spacewalk to Satellite 6/Foreman. Key steps in the migration process include sizing the infrastructure, configuring proxies, registering machines using a bootstrap.py script, and managing firewall rules. It highlights various challenges and considerations, such as dealing with machine dependencies and ensuring successful communication between old and new systems.
Mass-Migration of 5000 Servers to Foreman/Katello with bootstrap.py - Evgeni Golov
- 1. MASS-MIGRATION OF 5000 SERVERS TO FOREMAN/KATELLO WITH BOOTSTRAP.PY Evgeni Golov 1
- 2. $ WHOAMI Evgeni Golov Software Engineer at Red Hat ex-Consultant at Red Hat Debian and Grml Developer ♥ FOSS ♥ ♥ automation ♥ 2
- 3. SITUATION 10k RHEL (5k RHEL5, 4k RHEL6, 1k RHEL7) most of them subscribed to Satellite5/Spacewalk want to move to Satellite6/Foreman this requires a plan 3
- 4. TOOLING Satellite 6.1 (Foreman 1.7, Katello 2.2) this was done about a year ago the learnings also apply to Foreman itself bootstrap.py script for registration of machines to Foreman/Katello at that time not even part of the Katello project mimicks the idea of bootstrap.sh from Spacewalk 4
- 5. BOOTSTRAP.PY install katello-ca-consumer RPM subscribe the machine using subscription- manager or rhn-migrate-classic-to- rhsm con gure katello-agent con gure Puppet 5
- 6. STEP 1: EL5?! ain't nobody got time for that just let it bit-rot on the old infra there is an migration to EL6/7 planned anyways (guess who is still up and running today?) no need to care for the old content but also no insight if there are any gotchas 6
- 7. STEP 2: SIZE THE INFRASTRUCTURE main VM: 12vCore, 32GB RAM, 1TB ash 6 proxies: 8vCore, 24GB RAM, 500G ash rough setup: no machines connect directly to Foreman no more than 1000 clients per proxy most machines don't do Puppet 7
- 8. STEP 3: WAIT FOR FIREWALLS there is always a rewall somewhere and it for sure will make you unhappy request the new rewall rules early and broadly (allow ALL the networks!) 8
- 9. STEP 4: DESIGN CONTENT the old setup provided almost only RHEL, apps were delivered from other sources this makes an easy setup with one CCV per RHEL release, containing CVs for: RHEL + SatTools admin software (backup, monitoring, etc) 9
- 10. STEP 5: REGISTER ALL THE MACHINES piece of cake, right? 10
- 11. STEP 5.1: FIND THE RIGHT PROXY most machines are subscribed to Spacewalk nd the old Spacewalk proxy in /etc/sysconfig/rhn/up2date have a map of old proxy to new proxy machine is not subscribed? try guessing based on host/domainname try guessing based on IPv4 subnet if everything fails, use a "default" proxy 11
- 12. STEP 5.2: FIND AN EXECUTOR you need to run a script on every single machine Spacewalk has a function for that, but it was disabled when a problem occurs during migration, Spacewalk might not be able to control the machine anymore today everybody would have used Ansible we had BMC BladeLogic, as that was what the customer had for all platforms 12
- 13. STEP 5.3: CHECK THAT FIREWALL nobody wants to schedule 5000 jobs that will fail run a quick pre-check job before doing the actual work can the host resolve itself (and get a FQDN?) can the host reach the old proxy can the host reach the new proxy (on 80, 443, 5671) 13
- 14. STEP 5.4: WAIT FOR EVERYBODY the previous step will identify a lot machines as "broken" enjoy your co ee while waiting for the rewalls, machine owners, etc 14
- 15. STEP 5.5: TEST WHILE WAITING gure out which bootstrap.py parameters you need gure out which patches for bootstrap.py you need submit everything upstream become the de-facto maintainer of bootstrap.py upstream 15
- 16. STEP 5.6: REGISTER! we run batches of 1000 per day, so we would not a ect too many departments --skip foreman as we did not care for Foreman/Puppet, just content --force as we sometimes just re-run the same machine multiple times --legacy-purge to remove the machine from Spacewalk 16
- 17. STEP 5.7: COLLECT THE PIECES sometimes rhsmcertd would hang, blocking subscription-manager, blocking yum some machines have broken clocks, SSL terribly fails yes, we served "wrong" content to a couple boxes, but that was found quickly (missing repos) (broken) proxies in yum.conf make it hard to fetch packages 17
- 18. RANDOM FINDINGS BMC BladeLogic injects an own libssl using LD_LIBRARY_PATH, breaking yum EL6.4 (and older) has a nasty Python bug, making all syslog calls EMERG People hate monitoring lesystems It is considered OK to leave a machine with broken dependencies 18