Upgrading and Updating Foreman

1. Upgrade Overview

This chapter details the prerequisites and available upgrade paths to Foreman 2.5. Review this information before upgrading your current Foreman installation.

In this guide, the terms update, upgrade, and migrate have the following meanings:

Upgrading: The process of advancing your Foreman server and Smart Proxy server installations from a y-stream release to the next, for example Foreman 2.4 to Foreman 2.5.
Updating: The process of advancing your Foreman server and Smart Proxy server installations from a z-stream release to the next, for example Foreman 2.5.0 to Foreman 2.5.1.
Migrating: The process of moving an existing Foreman installation to another Red Hat Enterprise Linux server.

For interactive upgrade instructions, you can also use the Foreman Upgrade Helper on the Red Hat Customer Portal. This application provides you with an exact guide to match your current version number. You can find instructions that are specific to your upgrade path, as well as steps to prevent known issues. For more information, see Foreman Upgrade Helper on the customer portal.

Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.

1.1. Prerequisites

Upgrading to Foreman 2.5 affects your entire Foreman infrastructure. Before proceeding, complete the following:

Read the Foreman 2.5 Release Notes.
Review this guide so that you are aware of the upgrade process and its impact.
Plan your upgrade path. For more information, see Upgrade Paths.
Plan for the required downtime. Foreman services are shut down during the upgrade. The upgrade process duration might vary depending on your hardware configuration, network speed, and the amount of data that is stored on the server.

Upgrading Foreman takes approximately 1 - 2 hours.

Upgrading Smart Proxy takes approximately 10 - 30 minutes.

However, upgrading from 2.4 to 2.5 also migrates Pulp content, this step can take some considerable time. For more information on preparing for Pulp migration and the upgrade process, see Upgrading Foreman server.
Ensure that you have sufficient storage space on your server. For more information, see Preparing your Environment for Installation in Installing Foreman server from a Connected Network and Preparing your Environment for Installation in Installing Smart Proxy server.
Back up your Foreman server and all Smart Proxy servers. For more information, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman 6.9 guide.
Plan for updating any scripts you use that contain Foreman API commands because some API commands differ between versions of Foreman.

Warning

If you customize configuration files, manually or use a tool such as Hiera, these customizations are overwritten when the installation script runs during upgrading or updating. You can use the --noop option with the foreman-installer script to test for changes. For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.

1.2. Upgrade Paths

You can upgrade to Foreman 2.5 from Foreman 2.4. Foreman servers and Smart Proxy servers on earlier versions must first be upgraded to Foreman 2.4. For more details, see the Foreman 2.4 Upgrade documentation.

Overview of Foreman 2.5 Upgrade Paths

The high level steps in upgrading to Foreman 2.5 are as follows.

Upgrade Foreman server and all Smart Proxy servers to Foreman 2.5. For more information, see Upgrading Foreman server.
Upgrade to https://yum.theforeman.org/client/2.5/ on all Foreman clients. For more information, see Upgrading Foreman Clients.

1.3. Following the Progress of the Upgrade

Because of the lengthy upgrade time, use a utility such as screen to suspend and reattach a communication session. You can then check the upgrade progress without staying connected to the command shell continuously. For more information about using the screen command, see How do I use the screen command? article in the Red Hat Knowledge Base. You can also see the screen manual page for more information.

If you lose connection to the command shell where the upgrade command is running you can see the logs in /var/log/foreman-installer/katello.log to check if the process completed successfully.

1.4. Upgrading Smart Proxies Separately from Foreman

You can upgrade Foreman to version 2.5 and keep Smart Proxies at version 2.4 until you have the capacity to upgrade them too.

All the functionality that worked previously works on 2.4 Smart Proxies. However, the functionality added in the 2.5 release will not work until you upgrade Smart Proxies to 2.5.

Upgrading Smart Proxies after upgrading Foreman can be useful in the following example scenarios:

If you want to have several smaller outage windows instead of one larger window.
If Smart Proxies in your organization are managed by several teams and are located in different locations.
If you use a load-balanced configuration, you can upgrade one load-balanced Smart Proxy and keep other load-balanced Smart Proxies at 1 version lower. This allows you to upgrade all Smart Proxies one after another without any outage.

2. Upgrading Foreman

Use the following procedures to upgrade your existing Foreman to Foreman 2.5:

Upgrading Foreman server
Upgrading Smart Proxy servers
Upgrading Foreman Clients

Before upgrading, see Prerequisites.

2.1. Upgrading Foreman server

This section describes how to upgrade Foreman server from 2.4 to 2.5.

Before You Begin

Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.
Review and update your firewall configuration prior to upgrading your Foreman server. For more information, see Preparing your environment for installation in Installing Foreman server.
Ensure that you do not delete the manifest from the Customer Portal or in the Foreman web UI because this removes all the entitlements of your content hosts.
Back up and remove all Foreman hooks before upgrading. Restore any hooks only after Foreman is known to be working after the upgrade is complete.
If you have edited any of the default templates, back up the files either by cloning or exporting them. Cloning is the recommended method because that prevents them being overwritten in future updates or upgrades. To confirm if a template has been edited, you can view its History before you upgrade or view the changes in the audit log after an upgrade. In the Foreman web UI, navigate to Monitor > Audits and search for the template to see a record of changes made. If you use the export method, restore your changes by comparing the exported template and the default template, manually applying your changes.

Smart Proxy Considerations

If you use Content Views to control updates to a Smart Proxy server’s base operating system, or for Smart Proxy server repository, you must publish updated versions of those Content Views.
Note that Foreman server upgraded from 2.4 to 2.5 can use Smart Proxy servers still at 2.4.

Warning

If you implemented custom certificates, you must retain the content of both the /root/ssl-build directory and the directory in which you created any source files associated with your custom certificates.

Failure to retain these files during an upgrade causes the upgrade to fail. If these files have been deleted, they must be restored from a backup in order for the upgrade to proceed.

FIPS mode

You cannot upgrade Foreman server from a RHEL base system that is not operating in FIPS mode to a RHEL base system that is operating in FIPS mode.

To run Foreman server on a Red Hat Enterprise Linux base system operating in FIPS mode, you must install Foreman on a freshly provisioned RHEL base system operating in FIPS mode. For more information, see Preparing your environment for installation in Installing Foreman server.

2.1.1. Preparing to Migrate Content to Pulp 3

The time to prepare content for Pulp 3 depends on the amount of content and the number of Content Views. For large systems, this can mean several days of downtime. To prevent this, pre-migrate Pulp content while running the latest version of Foreman server 2.4. This reduces the overall upgrade downtime.

During migration to Pulp 3, the amount of data stored in the /var/lib/pulp/published/ directory can double in size. Ensure that there is enough space on the /var/lib/pulp volume. If the user runs foreman-maintain prep-6.10-upgrade, the content in /var/lib/pulp/content does not need to be duplicated. After Pulp 2 is removed, the extra space can be claimed back. However, shrinking of XFS volumes is not possible. Copying data to a different partition might be necessary in order to bring volume size down to the previous value.

During migration to Pulp 3, the amount of data stored in the PostgreSQL data directory can grow significantly. Ensure that you have enough space for the migration. A rough estimation of the space you require is 2-3 times the size of the MongoDB Pulp 2 database.

Pre-Migration Checks

The sequence should always be if you have any Composite Content Views, take action on those first, and then work on the Content Views.

Ensure that all enabled repositories complete the synchronization process.
If any repositories are synced with a Warning or Error state, fix the underlying problem and resync the repository.
If the Pulp 2 to Pulp 3 migration fails with the error NoMethodError: undefined method `link?' for nil:NilClass, see the Red Hat Knowledgebase solution The Pulp 2 to Pulp 3 migration fails with error "NoMethodError: undefined method `link?' for nil:NilClass" in Red Hat Satellite 6.9 on the customer portal.
Ensure that no paused tasks in the system are related to any repositories or Content Views.
If some Content View or Composite Content View versions are not required anymore, please consider performing a cleanup of them.
For more information about how to perform the cleanup of older Content View or Composite Content View versions using hammer_cli, see How to remove old content view versions in Red Hat Satellite 6 using CLI/hammer?.
If you no longer require or use certain repositories, disable those specific repositories.
When the cleanup process finishes, ensure that you clean up the orphan data by following the steps in How to delete orphaned content in /var/lib/pulp on Capsule?.
Ensure that you can enter the following command on Foreman without error:
```
# foreman-rake katello:correct_repositories COMMIT=true --trace
```

Use this procedure to begin migrating content from Pulp 2 to Pulp 3.

Procedure

Update the file permissions before upgrading Foreman server using the following command:
```
# foreman-maintain prep-6.10-upgrade
```
This might take some time on high latency systems.

View details of the content you are pre-migrating using the following command:

# foreman-maintain content migration-stats

Use this command as often as necessary during the migration process to determine how long the process will take. It also identifies corrupted or missing content that might cause the migration to fail. Output is similar to the following:

Running Retrieve Pulp 2 to Pulp 3 migration statistics
============================================
Retrieve Pulp 2 to Pulp 3 migration statistics:
============Migration Summary================
Migrated/Total RPMs: 0/367633
Migrated/Total errata: 0/20780140
Migrated/Total repositories: 0/33924
Estimated migration time based on yum content: 47 hours, 23 minutes
Note: ensure there is sufficient storage space for /var/lib/pulp/published to
double in size before starting the migration process.
Check the size of /var/lib/pulp/published with 'du -sh /var/lib/pulp/published/'
Note: ensure there is sufficient storage space for postgresql.
You will need additional space for your postgresql database.
The partition holding '/var/opt/rh/rh-postgresql12/lib/pgsql/data/' will need
additional free space equivalent to the size of your Mongo db database (/var/lib/mongodb/).
[OK]

Prepare your content for Pulp migration using the following command:

# foreman-maintain content prepare

As part of its final step, foreman-maintain content prepare checks whether any content units are unmigrated. If it identifies corrupted or missing content, you might see something similar to the following:

============Missing/Corrupted Content Summary================
  WARNING: MISSING OR CORRUPTED CONTENT DETECTED
  Corrupted or Missing Rpm: 1000/104583
  Corrupted or missing content has been detected, you can examine the list of content in /tmp/unmigratable_content-20211025-74422-16cxfae and take action by either:
  1. Performing a 'Verify Checksum' sync under Advanced Sync Options, let it complete, and re-running the migration
  2. Deleting/disabling the affected repositories and running orphan cleanup (foreman-rake katello:delete_orphaned_content) and re-running the migration.
  3. Manually correcting files on the filesystem in /var/lib/pulp/content/ and re-running the migration
  4. Mark currently corrupted or missing content as skipped (foreman-rake katello:approve_corrupted_migration_content). This will skip migration of missing or corrupted content.

There are several causes of corrupted or missing content:

A Repository synchronization or Content View publish or promotion occurred during the migration.
Files on disk in /var/lib/pulp/content/ became corrupted due to disk rot.
Files in /var/lib/pulp/content/ are missing due to past events such as disk loss with a partial restore.

There is some mismatch between subsystems in Foreman such as Katello and Pulp. This can happen if a repository or content view is improperly deleted by skipping steps in a paused Foreman Task. Running foreman-rake katello:correct_repositories COMMIT=true can correct this.

You can review the list of corrupt or missing RPMs written to disk as part of the foreman-maintain content migration-stats command, /tmp/unmigratable_content-20211025-74422-16cxfae20211120-2149-1j4pmfae in the example above.

For more information about determining which repository the unmigratable contents belong to, see How to determine the repository to run Verify Checksum on for reported corrupted RPMs.

In most cases, where repositories with unmigratable contents are configured on Foreman with the On-demand download policy and the number of missing or corrupt RPMs are low, you can mark these as skipped using the command:

# foreman-rake katello:approve_corrupted_migration_content

If you approve corrupted or missing content and proceed with the upgrade, that content will not appear in the repositories or content view versions after upgrade.

If these packages exist in the upstream repositories, they are added again when you re-synchronize the repositories after upgrade. They are not restored to the Content Views unless you republish those Content Views. As these packages are likely unusable, the upgrade process only detects that fact.

If you suspect a Repository synchronization or Content View publish or promotion occurred during the migration, re-running foreman-maintain content prepare migrates the remaining content. If this is the first time you have run foreman-maintain content prepare, Foreman developers recommends running it as often as necessary to try to reduce the number of corrupt or missing RPMs. Migrating the remaining content then takes less time.

Note

You cannot use Ctrl + C to terminate the foreman-maintain content prepare process. If you attempt to halt the process using Ctrl + C or by disconnecting your SSH session, the process does not terminate but continues in the background. You can use the following command to terminate the process gracefully, whenever necessary, so that you can continue later.

# foreman-maintain content prepare-abort

Note that foreman-maintain content prepare-abort can take several minutes to terminate the process. You can continue the migration process using foreman-maintain content prepare whenever it is convenient.

The process does not confirm that migration is complete. You can determine how near to completion the process is by using the following command:
```
# foreman-maintain content migration-stats
```
at intervals until the indicated migration time is at or near zero.
The final steps of Pulp content migration are completed when upgrading Foreman server from 2.4 to 2.5.
Note

If problems occur, you must restart the pre-migration process from the beginning using the following command:

# foreman-maintain content migration-reset
The final steps of Pulp content migration are completed when upgrading Foreman server from 2.4 to 2.5.

2.1.2. Upgrading a Connected Foreman server

Use this procedure for a Foreman server with access to the public internet

Warning

If you customize configuration files, manually or using a tool such as Hiera, these changes are overwritten when the installation script runs during upgrading or updating. You can use the --noop option with the foreman-installer script to test for changes. For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.

Upgrade Foreman server

Create a backup.
- On a virtual machine, take a snapshot.
- On a physical machine, create a backup.
  
  For more information about backups, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman 2.4 guide.
Optional: If you made manual edits to DNS or DHCP configuration in the /etc/zones.conf or /etc/dhcp/dhcpd.conf files, back up the configuration files because the installer only supports one domain or subnet, and therefore restoring changes from these backups might be required.
Optional: If you made manual edits to DNS or DHCP configuration files and do not want to overwrite the changes, enter the following command:
```
# foreman-installer --foreman-proxy-dns-managed=false \
--foreman-proxy-dhcp-managed=false
```
Optional: If you use PostgreSQL as an external database, on the PostgreSQL server, install the rh-postgresql12-postgresql-evr package, which is available from the rhel-7-server-satellite-6.10-rpms repository:
```
# yum install rh-postgresql12-postgresql-evr
```
In the Foreman web UI, navigate to Hosts > Discovered hosts. On the Discovered Hosts page, power off and then delete the discovered hosts. From the Select an Organization menu, select each organization in turn and repeat the process to power off and delete the discovered hosts. Make a note to reboot these hosts when the upgrade is complete.
Check for running tasks
```
# foreman-rake katello:upgrade_check
```
Update operating system packages
```
# yum update -y
```

Update repositories

For Centos 7 or Red Hat Enterprise Linux Users:

# yum update -y https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm
# yum update -y https://yum.theforeman.org/katello/4.1/katello/el7/x86_64/katello-repos-latest.rpm
# yum install -y centos-release-scl-rh

Update packages Clean the yum cache and update the required packages:
```
# yum clean all
# yum -y update
```
Stop all services:
```
# foreman-maintain service stop
```
Run the installer
```
# foreman-installer
```
Check when the kernel packages were last updated:
```
# rpm -qa --last | grep kernel
```
Optional: If a kernel update occurred since the last reboot, reboot the system:
```
# reboot
```
If using a BASH shell, after a successful or failed upgrade, enter:
```
# hash -d foreman-maintain service 2> /dev/null
```
If you have migrated content from Pulp 2 to Pulp 3, remove all Pulp 2 content.
```
# foreman-maintain content remove-pulp2
```
This removes Pulp 2 RPMs, content in /var/lib/pulp/content/, the mongo database, and migration content in the Pulp 3 database.

2.2. Upgrading Smart Proxy servers

This section describes how to upgrade Smart Proxy servers from 2.4 to 2.5.

Before You Begin

You must upgrade Foreman server before you can upgrade any Smart Proxy servers. Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.
If you use Content Views to control updates to the base operating system of Smart Proxy server, update those Content Views with new repositories and publish their updated versions. For more information, see Managing Content Views in the Content Management Guide.
Ensure the Smart Proxy’s base system is registered to the newly upgraded Foreman server.
Ensure the Smart Proxy has the correct organization and location settings in the newly upgraded Foreman server.
Review and update your firewall configuration prior to upgrading your Smart Proxy server. For more information, see Preparing Your Environment for Smart Proxy Installation in Installing Smart Proxy server.
Ensure you create a backup of the /etc/puppetlabs/code/environments file.

Warning

Failure to retain these files during an upgrade causes the upgrade to fail. If these files have been deleted, they must be restored from a backup in order for the upgrade to proceed.

Upgrading Smart Proxy servers

Create a backup.
- On a virtual machine, take a snapshot.
- On a physical machine, create a backup.
  
  For information on backups, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman 2.4 guide.

Regenerate certificates. On the main Foreman/Katello server:

# foreman-proxy-certs-generate --foreman-proxy-fqdn "myproxy.example.com" \
                       --certs-update-all \
                       --certs-tar    "~/myproxy.example.com-certs.tar"

Copy the resulting tarball to your Smart Proxy, for this example we will use /root/myproxy.example.com-certs.tar

Update repositories for EL7

# yum update -y https://yum.theforeman.org/katello/4.1/katello/el7/x86_64/katello-repos-latest.rpm \
                https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm

Update repositories for EL8

# yum update -y https://yum.theforeman.org/katello/4.1/katello/el8/x86_64/katello-repos-latest.rpm \
                https://yum.theforeman.org/releases/2.5/el8/x86_64/foreman-release.rpm

Clean yum cache:
```
# yum clean metadata
```
Update Packages:
```
# yum update -y
```

Run the installer:

# foreman-installer --certs-tar-file /root/myproxy.example.com-certs.tar \
                  --certs-update-all --certs-regenerate true --certs-deploy true

If you have migrated content from Pulp 2 to Pulp 3, remove all Pulp 2 content.
```
# foreman-maintain content remove-pulp2
```
This removes Pulp 2 RPMs, content in /var/lib/pulp/content/, the mongo database, and migration content in the Pulp 3 database.
Check when the kernel packages were last updated:
```
# rpm -qa --last | grep kernel
```
Optional: If a kernel update occurred since the last reboot, reboot the system:
```
# reboot
```
Optional: If you made manual edits to DNS or DHCP configuration files, check and restore any changes required to the DNS and DHCP configuration files using the backups made earlier.
Optional: If you use custom repositories, ensure that you enable these custom repositories after the upgrade completes.

On Foreman server, perform a complete synchronization of the upgraded Smart Proxy as the MongoDB and RPM repositories are not automatically migrated with Foreman.

# hammer capsule content synchronize --name ${Smart Proxy} --skip-metadata-check true --async

Note	If you did not synchronize your repositories before upgrading your Foreman server, running this command fails to synchronize your content with Smart Proxy servers. In this case, follow Synchronizing Smart Proxy servers Through {ProjectWebUITitle} to synchronize your Smart Proxy servers.

Upgrading Smart Proxy Servers Using Remote Execution in the Foreman web UI

Create a backup.
- On a virtual machine, take a snapshot.
- On a physical machine, create a backup.
  
  For information on backups, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman 2.4 guide.
Optional: If you made manual edits to DNS or DHCP configuration in the /etc/zones.conf or /etc/dhcp/dhcpd.conf files, back up the configuration files because the installer only supports one domain or subnet, and therefore restoring changes from these backups might be required.
Optional: If you made manual edits to DNS or DHCP configuration files and do not want to overwrite the changes, enter the following command:
```
# {foreman-installer} --foreman-proxy-dns-managed=false \
--foreman-proxy-dhcp-managed=false
```
In the Foreman web UI, navigate to Monitor > Jobs.
Click Run Job.
From the Job category list, select Maintenance Operations.
From the Job template list, select Capsule Upgrade Playbook.
In the Search Query field, enter the host name of the Smart Proxy.
Ensure that Resolves to shows 1 host.
In the target_version field, enter the target version of the Smart Proxy.
In the whitelist_options field, enter the whitelist options.
For Type of query, click Static Query or Dynamic Query depending on the type of query.
Select the schedule for the job execution in Schedule.

2.3. Synchronizing Smart Proxy servers Through {ProjectWebUITitle}

Use this procedure if you did not synchronize your repositories before upgrading your Foreman server.

Procedure

In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
Click on the name of Smart Proxy server you wish to synchronize.
Click Synchronize.
Select Complete Sync.

2.4. Upgrading Foreman Clients

The https://yum.theforeman.org/client/2.5/ repository provides katello-agent and katello-host-tools, which provide communication services for managing Errata.

Note	The Katello agent is deprecated and will be removed in a future Foreman version. Migrate your workloads to use the remote execution feature to update clients remotely. For more information, see Migrating from Katello Agent to Remote Execution in the Managing Hosts Guide.

For deployments using katello-agent and goferd, update all clients to the new version of katello-agent. For deployments not using katello-agent and goferd, update all clients to the new version of katello-host-tools. Complete this action as soon as possible so that your clients are fully compatible with Foreman server.

Prerequisites

You must have upgraded Foreman server.
You must have enabled the new https://yum.theforeman.org/client/2.5/ repositories on the Foreman.
You must have synchronized the new repositories in the Foreman.
If you have not previously installed katello-agent on your clients and you want to install it, use the manual method. For more information, see Upgrade Foreman Clients Manually.

Warning

Failure to retain these files during an upgrade causes the upgrade to fail. If these files have been deleted, they must be restored from a backup in order for the upgrade to proceed.

Upgrade Foreman Clients Using the Bulk Repository Set UI:

In the Foreman web UI, navigate to Hosts > Content Hosts and select the Content Hosts that you want to upgrade.
From the Select Action list, select Manage Repository Sets.
From the Repository Sets Management list, select the Foreman Tools 2.4 check box.
From the Select Action list, select Override to Disabled, and click Done.
When the process completes, on the same set of hosts from the previous steps, from the Select Action list, select Manage Repository Sets.
From the Repository Sets Management list, select the Red Hat https://yum.theforeman.org/client/2.5/ check box.
From the Select Action list, select Override to Enabled, and click Done.
When the process completes, on the same set of hosts from the previous steps, from the Select Action list, select Manage Packages.
In the Package search field, enter one of the following options depending on your configuration:
- If your deployment uses katello-agent and goferd, enter katello-agent.
- If your deployment does not use katello-agent and goferd, enter katello-host-tools.
From the Update list, you must select the via remote execution option. This is required because if you update the package using the Katello agent, the package update disrupts the communication between the client and Foreman or Smart Proxy server, which causes the update to fail. For more information, see Configuring and Setting Up Remote Jobs in the Managing Hosts guide.

Upgrade Foreman Clients Manually

Log into the client system.

Disable the repositories for the previous version of Foreman.

# subscription-manager repos \
--disable rhel-7-server-satellite-tools-2.4-rpms

Enable the https://yum.theforeman.org/client/2.5/ repository for this version of Foreman.

# subscription-manager repos \
--enable=https://yum.theforeman.org/client/2.5/el7/x86_64/foreman-client-release.rpm

Depending on your configuration, complete one of the following steps:
- If your deployment uses katello-agent and goferd, enter the following command to install or upgrade katello-agent:
  # yum install katello-agent
- If your deployment does not use katello-agent and goferd, enter the following command to install or upgrade katello-host-tools:
  # yum install katello-host-tools

3. Post-Upgrade Tasks

Some of the procedures in this section are optional. You can choose to perform only those procedures that are relevant to your installation.

If you use the PXE-based discovery process, then you must complete the discovery upgrade procedure on Foreman and on any Smart Proxy server with hosts that you want to be listed in Foreman on the Hosts > Discovered hosts page.

The katello-agent is disabled with a new installation of Foreman 2.5, making both the qpidd and qdroutered services unavailable.
If Foreman 2.4 is upgraded to Foreman 2.5, the katello-agent, as well as the qpidd and qdroutered services, remain enabled.
If you are not using katello-agent and transitioned to remote execution, you can optionally disable the katello-agent as a post-upgrade task for both Foreman 2.5 and Smart Proxy 2.5:

# satellite-installer --foreman-proxy-content-enable-katello-agent false

3.1. Upgrading Discovery

This section describes updating the PXELinux template and the boot image passed to hosts that use PXE booting to register themselves with Foreman server.

From Foreman 1.22, provisioning templates now have a separate association with a subnet, and do not default to using the TFTP Smart Proxy for that subnet. If you create subnets after the upgrade, you must specifically enable the Foreman or a Smart Proxy to provide a proxy service for discovery templates and then configure all subnets with discovered hosts to use a specific template Smart Proxy.

During the upgrade, for every subnet with a TFTP proxy enabled, the template Smart Proxy is set to be the same as the TFTP Smart Proxy. After the upgrade, check all subnets to verify this was set correctly.

These procedures are not required if you do not use PXE booting of hosts to enable Foreman to discover new hosts.

3.1.1. Upgrading Discovery on Foreman server

Update the Discovery template in the Foreman web UI:
1. Navigate to Hosts > Provisioning templates.
2. On the PXELinux global default line, click Clone.
3. Enter a new name for the template in the Name field, for example ACME PXE global default.
4. In the template editor field, change the line ONTIMEOUT local to ONTIMEOUT discovery and click Submit.
5. Navigate to Administer > Settings.
6. Locate Global default PXELinux template and click on its Value.
7. Select the name of the newly created template from the menu and click the tick button.
8. Navigate to Hosts > Provisioning templates.
9. Click Build PXE Default, then click OK.
In the Foreman web UI, go to Configure > Discovery Rules and associate selected organizations and locations with discovery rules.

3.1.2. Upgrading Discovery on Smart Proxy servers

Verify that the Foreman Discovery package is current on Foreman server.
```
# yum install tfm-rubygem-foreman_discovery
```
If an update occurred in the previous step, restart the foreman-maintain services.
```
# foreman-maintain service restart
```
Upgrade the Discovery image on the Foreman Smart Proxy that is either connected to the provisioning network with discovered hosts or provides TFTP services for discovered hosts.
```
# yum install foreman-discovery-image
```
On the same instance, install the package which provides the Proxy service, and then restart foreman-proxy service.
```
# yum install tfm-rubygem-smart_proxy_discovery
# service foreman-proxy restart
```
In the Foreman web UI, go to Infrastructure > Smart Proxies and verify that the relevant Smart Proxy lists Discovery in the features column. Select Refresh from the Actions drop-down menu if necessary.
Go to Infrastructure > Subnets and for each subnet on which you want to use discovery:
1. Click the subnet name.
2. On the Smart Proxies tab, ensure the Discovery Smart Proxy is set to a Smart Proxy you configured above.

3.1.3. Verifying Subnets have a Template Smart Proxy

Ensure all subnets with discovered hosts have a template Smart Proxy:

In the Foreman web UI, navigate to Infrastructure > Subnets.
Select the subnet you want to check.
On the Smart Proxies tab, ensure a Template Smart Proxy has been set for this subnet.

For more information about configuring subnets with template Smart Proxies, see Configuring the Discovery Service in the Provisioning Guide

3.2. Upgrading virt-who

If virt-who is installed on Foreman server or a Smart Proxy server, it will be upgraded when they are upgraded. No further action is required. If virt-who is installed elsewhere, it must be upgraded manually.

Before You Begin

If virt-who is installed on a host registered to Foreman server or a Smart Proxy server, first upgrade the host to the latest packages available in the https://yum.theforeman.org/client/2.5/ repository. For information about upgrading hosts, see Upgrading Foreman Clients.

Upgrade virt-who Manually

Upgrade virt-who.
```
# yum upgrade virt-who
```
Restart the virt-who service so the new version is activated.
```
# systemctl restart virt-who.service
```

3.3. Removing the Previous Version of the Foreman Tools Repository

After completing the upgrade to Foreman 2.5, the Foreman Tools 2.4 repository can be removed from Content Views and then disabled.

Disable Version 2.4 of the Foreman Tools Repository:

In the Foreman web UI, navigate to Content > Red Hat Repositories.
In the Enabled Repositories area, locate Foreman Tools 2.4 for RHEL 7 Server RPMs x86_64.
Click the Disable icon to the right.

If the repository is still contained in a Content View then you cannot disable it. Packages from a disabled repository are removed automatically by a scheduled task.

3.4. Reclaiming PostgreSQL Space

The PostgreSQL database can use a large amount of disk space especially in heavily loaded deployments. Use this procedure to reclaim some of this disk space on Foreman.

Procedure

Stop all services, except for the postgresql service:

# foreman-maintain service stop --exclude postgresql

Switch to the postgres user and reclaim space on the database:
```
# su - postgres -c 'vacuumdb --full --dbname=foreman'
```
Start the other services when the vacuum completes:
```
# foreman-maintain service start
```
Confirm that the files exist in the /var/lib/pgsql/ directory:
```
# ls -l /var/lib/pgsql/

# du -sh /var/lib/pgsql/
```
Delete the data from the /var/lib/pgsql/ directory:
```
# rm -rf /var/lib/pgsql/*
```

3.5. Updating Templates, Parameters, Lookup Keys and Values

During the upgrade process, Foreman attempts to locate macros that are deprecated for Foreman 2.5 and converts old syntax to new syntax for the default Foreman templates, parameters, and lookup keys and values. However, Foreman does not convert old syntax in the custom templates that you have created and in the cloned templates.

The process uses simple text replacement, for example:

@host.params['parameter1'] -> host_param('parameter1')
@host.param_true?('parameter1') -> host_param_true?('parameter1')
@host.param_false?('parameter1') -> host_param_false?('parameter1')
@host.info['parameters'] -> host_enc['parameters']

Warning

If you use cloned templates in Foreman, verify whether the cloned templates have diverged from the latest version of the original templates in Foreman. The syntax for the same template can differ between versions of Foreman. If your cloned templates contain outdated syntax, update the syntax to match the latest version of the template.

To ensure that this text replacement does not break or omit any variables in your files during the upgrade, check all templates, parameters, and lookup keys and values for the old syntax and replace manually.

The following error occurs because of old syntax remaining in files after the upgrade:

 undefined method '#params' for Host::Managed::Jail

Fixing the outdated subscription_manager_registration snippet

Foreman 6.4 onwards uses the redhat_register snippet instead of the subscription_manager_registration snippet.

If you upgrade from Foreman 6.3 and earlier, ensure to replace the subscription_manager_registration snippet in your custom templates as follows:

<%= snippet "subscription_manager_registration" %>
               ↓
<%= snippet 'redhat_register' %>

3.6. Tuning Foreman server with Predefined Profiles

If your Foreman deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Foreman.

Note that you cannot use tuning profiles on Smart Proxies.

You can choose one of the profiles depending on the number of hosts your Foreman manages and available hardware resources.

The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.

When you run the foreman-installer command with the --tuning option, deployment configuration settings are applied to Foreman in the following order:

The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, Foreman applies these configuration settings.

Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.

Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.

default: Number of managed hosts: 0-5000

RAM: 20G

Number of CPU cores: 4
medium: Number of managed hosts: 5001-10000

RAM: 32G

Number of CPU cores: 8
large: Number of managed hosts: 10001-20000

RAM: 64G

Number of CPU cores: 16
extra-large: Number of managed hosts: 20001-60000

RAM: 128G

Number of CPU cores: 32
extra-extra-large: Number of managed hosts: 60000+

RAM: 256G

Number of CPU cores: 48+

Procedure

Optional: If you have configured the custom-hiera.yaml file on Foreman server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
```
# cp /etc/foreman-installer/custom-hiera.yaml \
/etc/foreman-installer/custom-hiera.original
```
Optional: If you have configured the custom-hiera.yaml file on Foreman server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
Enter the foreman-installer command with the --tuning option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command:
```
# foreman-installer --tuning medium
```

3.7. Validating Puppet Environments on the External Smart Proxy server

After upgrading the Smart Proxy server to 2.5, ensure the puppet environments are available on the Smart Proxy server.

Procedure

To view the Puppet environments, open the /etc/puppetlabs/code/environments file.
```
# vim /etc/puppetlabs/code/environments
```
If any of the puppet environments are missing, copy them back from the Foreman server or the backup taken prior to upgrade.
Ensure to have the right permissions and ownership of the missing contents inside the /etc/puppetlabs/code/environments/ file after they have been restored back.
Save and close the file.

4. Updating Foreman server and Content Hosts

Use this chapter to update your existing Foreman server, Smart Proxy server, and Content Hosts to a new minor version, for example, from 2.5.0 to 2.5.1.

Updates patch security vulnerabilities and minor issues discovered after code is released, and are often fast and non-disruptive to your operating environment.

Before updating, back up your Foreman server and all Smart Proxy servers. For more information, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman guide.

4.1. Updating Foreman server

Prerequisites

Ensure that you have synchronized Foreman server repositories for Foreman, Smart Proxy, and https://yum.theforeman.org/client/2.5/.
Ensure each external Smart Proxy and Content Host can be updated by promoting the updated repositories to all relevant Content Views.

Warning

Updating Foreman server to the Next Minor Version

To Update Foreman server:

Ensure the Foreman Maintenance repository is enabled:

# subscription-manager repos --enable \
rhel-7-server-satellite-maintenance-6-rpms

Check the available versions to confirm the next minor version is listed:
```
# foreman-maintain upgrade list-versions
```
Use the health check option to determine if the system is ready for upgrade. On first use of this command, foreman-maintain prompts you to enter the hammer admin user credentials and saves them in the /etc/foreman-maintain/foreman-maintain-hammer.yml file.
```
# foreman-maintain upgrade check --target-version 6.10.z
```
Review the results and address any highlighted error conditions before performing the upgrade.
Because of the lengthy update time, use a utility such as screen to suspend and reattach a communication session. You can then check the upgrade progress without staying connected to the command shell continuously. For more information about using the screen command, see How do I use the screen command? article in the Red Hat Knowledge Base.

If you lose connection to the command shell where the upgrade command is running, you can see the logged messages in the /var/log/foreman-installer/katello.log file to check if the process completed successfully.

Perform the upgrade:

# foreman-maintain upgrade run --target-version 6.10.z

Check when the kernel packages were last updated:
```
# rpm -qa --last | grep kernel
```
Optional: If a kernel update occurred since the last reboot, stop the foreman-maintain services and reboot the system:
```
# foreman-maintain service stop
# reboot
```