In this guide, the terms upgrade, update, and migrate have the following meanings:
- Upgrading: The process of advancing your Foreman server and Smart Proxy server installations from a y-stream release to the next, for example Foreman 3.0 to Foreman 3.1. For more information, see Upgrading Overview.
- Updating: The process of advancing your Foreman server and Smart Proxy server installations from a z-stream release to the next, for example Foreman 3.1.0 to Foreman 3.1.1. For more information, see Updating Foreman server.
- Migrating: The process of moving an existing Foreman installation to a new instance. For more information, see Migrating Foreman to a New Enterprise Linux System.
1. Upgrading Overview
Review prerequisites and available upgrade paths below before upgrading your current Foreman installation to Foreman 3.1.
Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.
1.1. Prerequisites
Upgrading to Foreman 3.1 affects your entire Foreman infrastructure. Before proceeding, complete the following:
-
Read the Foreman 3.1 Release Notes.
-
Plan your upgrade path. For more information, see Upgrade Paths.
-
Plan for the required downtime. Foreman services are shut down during the upgrade. The upgrade process duration might vary depending on your hardware configuration, network speed, and the amount of data that is stored on the server.
Upgrading Foreman takes approximately 1 – 2 hours.
Upgrading Smart Proxy takes approximately 10 – 30 minutes.
-
Ensure that you have sufficient storage space on your server. For more information, see Preparing your Environment for Installation in Installing Foreman server from a Connected Network and Preparing your Environment for Installation in Installing Smart Proxy server.
-
Back up your Foreman server and all Smart Proxy servers. For more information, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman guide.
-
Plan for updating any scripts you use that contain Foreman API commands because some API commands differ between versions of Foreman.
Warning
If you customize configuration files, either manually or by using a tool such as Hiera, these customizations are overwritten when the installation script runs during upgrading or updating.
You can use the --noop option with the foreman-installer script to test for changes.
For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.
1.2. Upgrade Paths
You can upgrade to Foreman 3.1 from Foreman 3.0.
Foreman servers and Smart Proxy servers on earlier versions must first be upgraded to Foreman 3.0. For more information, see the Foreman 3.0 Upgrade documentation.
The high-level steps in upgrading Foreman to 3.1 are as follows:
-
Upgrade Foreman server and all Smart Proxy servers to Foreman 3.1. For more information, see Upgrading Foreman server.
-
Upgrade all Smart Proxy servers to 3.1. For more information, see Upgrading Smart Proxy servers.
-
Upgrade to https://yum.theforeman.org/client/3.1/ on all content hosts. For more information, see Upgrading Content Hosts.
-
Optional: After you upgrade your Foreman, you can also upgrade the operating system on your Foreman servers and Smart Proxies to Enterprise Linux 8. There are two ways of upgrading your OS:
-
Continue with Performing Post-Upgrade Tasks.
1.3. Following the Progress of the Upgrade
Because of the lengthy upgrade time, use a utility such as tmux to suspend and reattach a communication session.
You can then check the upgrade progress without staying connected to the command shell continuously.
For more information, see the tmux manual page.
If you lose connection to the command shell where the upgrade command is running, you can see the logs in /var/log/foreman-installer/katello.log to check if the process completed successfully.
1.4. Upgrading Smart Proxies Separately from Foreman
You can upgrade Foreman to version 3.1 and keep Smart Proxies at version 3.0 until you have the capacity to upgrade them too.
All the functionality that worked previously works on 3.0 Smart Proxies. However, the functionality added in the 3.1 release will not work until you upgrade Smart Proxies to 3.1.
Upgrading Smart Proxies after upgrading Foreman can be useful in the following example scenarios:
-
If you want to have several smaller outage windows instead of one larger window.
-
If Smart Proxies in your organization are managed by several teams and are located in different locations.
-
If you use a load-balanced configuration, you can upgrade one load-balanced Smart Proxy and keep other load-balanced Smart Proxies at one version lower. This allows you to upgrade all Smart Proxies one after another without any outage.
2. Upgrading Foreman
Use the following procedures to upgrade your existing Foreman to Foreman 3.1:
2.1. Upgrading Foreman server
This section describes how to upgrade Foreman server from 3.0 to 3.1. You can upgrade from any minor version of Foreman server 3.0.
-
Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.
-
Review and update your firewall configuration prior to upgrading your Foreman server. For more information, see Preparing your environment for installation in Installing Foreman server.
-
Ensure that you do not delete the manifest from the Customer Portal or in the Foreman web UI because this removes all the entitlements of your content hosts.
-
If you have edited any of the default job or provisioning templates, back up the files either by cloning or exporting them. Cloning is the recommended method because that prevents them being overwritten in future updates or upgrades. To confirm if a template has been edited, you can view its History before you upgrade or view the changes in the audit log after an upgrade. In the Foreman web UI, navigate to Monitor > Audits and search for the template to see a record of changes made. If you use the export method, restore your changes by comparing the exported template and the default template, manually applying your changes.
-
If you use Content Views to control updates to a Smart Proxy server’s base operating system, or for Smart Proxy server repository, you must publish updated versions of those Content Views.
-
Note that Foreman server upgraded from 3.0 to 3.1 can use Smart Proxy servers still at 3.0.
Warning
If you implemented custom certificates, you must retain the content of both the Failure to retain these files during an upgrade causes the upgrade to fail. If these files have been deleted, they must be restored from a backup in order for the upgrade to proceed.
You cannot upgrade Foreman server from a RHEL base system that is not operating in FIPS mode to a RHEL base system that is operating in FIPS mode.
To run Foreman server on a Red Hat Enterprise Linux base system operating in FIPS mode, you must install Foreman on a freshly provisioned RHEL base system operating in FIPS mode. For more information, see Preparing your environment for installation in Installing Foreman server.
2.1.1. Upgrading a Connected Foreman server
Use this procedure for a Foreman server with access to the public internet.
Warning
If you customize configuration files, either manually or by using a tool such as Hiera, these changes are overwritten when the installation script runs during upgrading or updating.
You can use the --noop option with the foreman-installer script to test for changes.
For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.
-
Stop all Foreman services:
# foreman-maintain service stop
-
Take a snapshot or create a backup:
  - On a virtual machine, take a snapshot.
  - On a physical machine, create a backup.
-
Start all Foreman services:
# foreman-maintain service start
-
Optional: If you made manual edits to DNS or DHCP configuration in the /etc/zones.conf or /etc/dhcp/dhcpd.conf files, back up the configuration files because the installer only supports one domain or subnet, and therefore restoring changes from these backups might be required.
-
Optional: If you made manual edits to DNS or DHCP configuration files and do not want to overwrite the changes, enter the following command:
# foreman-installer --foreman-proxy-dns-managed=false \
  --foreman-proxy-dhcp-managed=false
-
Optional: If you use PostgreSQL as an external database, on the PostgreSQL server, install the rh-postgresql12-postgresql-evr package:
# yum install rh-postgresql12-postgresql-evr
-
In the Foreman web UI, navigate to Hosts > Discovered hosts. On the Discovered Hosts page, power off and then delete the discovered hosts. From the Select an Organization menu, select each organization in turn and repeat the process to power off and delete the discovered hosts. Make a note to reboot these hosts when the upgrade is complete.
-
Check for running tasks:
# foreman-rake katello:upgrade_check
-
Update operating system packages:
# yum update -y
-
Update repositories.
For CentOS 7 or Red Hat Enterprise Linux users:
# yum update -y https://yum.theforeman.org/releases/3.1/el7/x86_64/foreman-release.rpm
# yum update -y https://yum.theforeman.org/katello/4.3/katello/el7/x86_64/katello-repos-latest.rpm
# yum install -y centos-release-scl-rh
-
Update packages. Clean the yum cache and update the required packages:
# yum clean all
# yum -y update
-
Stop all services:
# foreman-maintain service stop
-
Run the installer:
# foreman-installer
-
Determine if the system needs a reboot:
  - Check the version of the newest installed kernel:
    # rpm --query --last kernel | head -n 1
  - Compare this to the version of the currently running kernel:
    # uname --kernel-release
-
Optional: If the newest kernel differs from the currently running kernel, reboot the system:
# reboot
-
If using a BASH shell, after a successful or failed upgrade, enter:
# hash -d foreman-maintain service 2> /dev/null
2.2. Upgrading Smart Proxy servers
This section describes how to upgrade Smart Proxy servers from 3.0 to 3.1.
-
You must upgrade Foreman server before you can upgrade any Smart Proxy servers. Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.
-
If you use Content Views to control updates to the base operating system of Smart Proxy server, update those Content Views with new repositories, publish, and promote their updated versions. For more information, see Managing Content Views in the Content Management Guide.
-
Ensure the Smart Proxy’s base system is registered to the newly upgraded Foreman server.
-
Ensure the Smart Proxy has the correct organization and location settings in the newly upgraded Foreman server.
-
Review and update your firewall configuration prior to upgrading your Smart Proxy server. For more information, see Preparing Your Environment for Smart Proxy Installation in Installing Smart Proxy server.
Warning
If you implemented custom certificates, you must retain the content of both the Failure to retain these files during an upgrade causes the upgrade to fail. If these files have been deleted, they must be restored from a backup in order for the upgrade to proceed.
-
Create a backup.
  - On a virtual machine, take a snapshot.
  - On a physical machine, create a backup.
For information on backups, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman 3.0 guide.
-
Regenerate certificates on your Foreman server:
  - Regenerate certificates for Smart Proxies that use default certificates:
    - For Smart Proxy servers that do not use load balancing:
      # foreman-proxy-certs-generate --foreman-proxy-fqdn "smartproxy.example.com" \
        --certs-update-all \
        --certs-tar "~/smartproxy.example.com-certs.tar"
    - For Smart Proxy servers that are load-balanced:
      # foreman-proxy-certs-generate --foreman-proxy-fqdn "smartproxy.example.com" \
        --certs-update-all \
        --foreman-proxy-cname "load-balancer.example.com" \
        --certs-tar "~/smartproxy.example.com-certs.tar"
  - Regenerate certificates for Smart Proxies that use custom certificates:
    - For Smart Proxy servers that do not use load balancing:
      # foreman-proxy-certs-generate --foreman-proxy-fqdn "smartproxy.example.com" \
        --certs-tar "~/smartproxy.example.com-certs.tar" \
        --server-cert "/root/foreman-proxy_cert/foreman-proxy_cert.pem" \
        --server-key "/root/foreman-proxy_cert/foreman-proxy_cert_key.pem" \
        --server-ca-cert "/root/foreman-proxy_cert/ca_cert_bundle.pem" \
        --certs-update-server
    - For Smart Proxy servers that are load-balanced:
      # foreman-proxy-certs-generate --foreman-proxy-fqdn "smartproxy.example.com" \
        --certs-tar "~/smartproxy.example.com-certs.tar" \
        --server-cert "/root/foreman-proxy_cert/foreman-proxy_cert.pem" \
        --server-key "/root/foreman-proxy_cert/foreman-proxy_cert_key.pem" \
        --server-ca-cert "/root/foreman-proxy_cert/ca_cert_bundle.pem" \
        --foreman-proxy-cname "load-balancer.example.com" \
        --certs-update-server
    For more information on custom SSL certificates signed by a Certificate Authority, see Deploying a Custom SSL Certificate to Smart Proxy server in Installing an External Smart Proxy Server 3.1.
-
Copy the resulting tarball to your Smart Proxy. For this example, we will use /root/smartproxy.example.com-certs.tar.
-
Update repositories for EL7:
# yum update -y https://yum.theforeman.org/katello/4.3/katello/el7/x86_64/katello-repos-latest.rpm \
  https://yum.theforeman.org/releases/3.1/el7/x86_64/foreman-release.rpm
-
Update repositories for EL8:
# yum update -y https://yum.theforeman.org/katello/4.3/katello/el8/x86_64/katello-repos-latest.rpm \
  https://yum.theforeman.org/releases/3.1/el8/x86_64/foreman-release.rpm
-
Clean yum cache:
# yum clean metadata
-
Update Packages:
# yum update -y
-
Run the installer:
# foreman-installer --certs-tar-file /root/smartproxy.example.com-certs.tar \
  --certs-update-all --certs-regenerate true --certs-deploy true
-
Check when the kernel packages were last updated:
# rpm -qa --last | grep kernel
-
Optional: If a kernel update occurred since the last reboot, reboot the system:
# reboot
-
Optional: If you made manual edits to DNS or DHCP configuration files, check and restore any changes required to the DNS and DHCP configuration files using the backups made earlier.
-
Optional: If you use custom repositories, ensure that you enable these custom repositories after the upgrade completes.
-
Create a backup.
  - On a virtual machine, take a snapshot.
  - On a physical machine, create a backup.
For more information on backups, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman 3.0 guide.
-
Optional: If you made manual edits to DNS or DHCP configuration in the /etc/zones.conf or /etc/dhcp/dhcpd.conf files, back up the configuration files. The installer only supports one domain or subnet, and therefore restoring changes from these backups might be required.
-
Optional: If you made manual edits to DNS or DHCP configuration files and do not want to overwrite the changes, enter the following command:
# foreman-installer --foreman-proxy-dns-managed=false \
  --foreman-proxy-dhcp-managed=false
-
In the Foreman web UI, navigate to Monitor > Jobs.
-
Click Run Job.
-
From the Job category list, select Maintenance Operations.
-
From the Job template list, select Smart Proxy Upgrade Playbook.
-
In the Search Query field, enter the host name of the Smart Proxy.
-
Ensure that Resolves to shows 1 host.
-
In the target_version field, enter the target version of the Smart Proxy.
-
In the whitelist_options field, enter the whitelist options.
-
For Type of query, click Static Query.
-
Select the schedule for the job execution in Schedule.
2.3. Upgrading Content Hosts
The https://yum.theforeman.org/client/3.1/ repository provides katello-agent and katello-host-tools, which provide communication services for managing Errata.
Note
The Katello agent is deprecated and will be removed in a future Foreman version. Migrate your workloads to use the remote execution feature to update clients remotely. For more information, see Migrating from Katello Agent to Remote Execution in the Managing Hosts Guide.
For deployments using katello-agent and goferd, update all clients to the new version of katello-agent.
For deployments not using katello-agent and goferd, update all clients to the new version of katello-host-tools.
Complete this action as soon as possible so that your clients are fully compatible with Foreman server.
-
You must have upgraded Foreman server.
-
You must have enabled the new https://yum.theforeman.org/client/3.1/ repositories on the Foreman.
-
You must have synchronized the new repositories in the Foreman.
-
If you have not previously installed katello-agent on your clients and you want to install it, use the manual method. For more information, see CLI Procedure.
Warning
If you implemented custom certificates, you must retain the content of both the Failure to retain these files during an upgrade causes the upgrade to fail. If these files have been deleted, they must be restored from a backup in order for the upgrade to proceed.
-
Log into the client system.
-
Enable the https://yum.theforeman.org/client/3.1/ repository for this version of Foreman.
# yum install https://yum.theforeman.org/client/3.1/el7/x86_64/foreman-client-release.rpm
-
Depending on your configuration, complete one of the following steps:
  - If your deployment uses katello-agent and goferd, enter the following command to install or upgrade katello-agent:
    # yum install katello-agent
  - If your deployment does not use katello-agent and goferd, enter the following command to install or upgrade katello-host-tools:
    # yum install katello-host-tools
2.4. Upgrading the External Database
You can upgrade an external database from Enterprise Linux 7 to Enterprise Linux 8 while upgrading Foreman from 3.0 to 3.1.
-
Create a new Enterprise Linux 8 based host for PostgreSQL server that follows the external database on Enterprise Linux 8 documentation. For more information, see Using External Databases with Foreman.
-
Create a backup.
-
Restore the backup on the new server.
-
If Foreman reaches the new database server via the old name, no further changes are required. Otherwise reconfigure Foreman to use the new name:
# foreman-installer \
  --foreman-db-host newpostgres.example.com \
  --katello-candlepin-db-host newpostgres.example.com \
  --foreman-proxy-content-pulpcore-postgresql-host newpostgres.example.com
2.5. Performing Post-Upgrade Tasks
Some of the procedures in this section are optional. You can choose to perform only those procedures that are relevant to your installation.
2.5.1. Upgrading Discovery
If you use the PXE-based discovery process, then you must complete the discovery upgrade procedure on Foreman and on any Smart Proxy server with hosts that you want to be listed in Foreman on the Hosts > Discovered hosts page.
This section describes updating the PXELinux template and the boot image passed to hosts that use PXE booting to register themselves with Foreman server.
From Foreman 1.22, provisioning templates now have a separate association with a subnet, and do not default to using the TFTP Smart Proxy for that subnet. If you create subnets after the upgrade, you must specifically enable the Foreman or a Smart Proxy to provide a proxy service for discovery templates and then configure all subnets with discovered hosts to use a specific template Smart Proxy.
During the upgrade, for every subnet with a TFTP proxy enabled, the template Smart Proxy is set to be the same as the TFTP Smart Proxy. After the upgrade, check all subnets to verify this was set correctly.
These procedures are not required if you do not use PXE booting of hosts to enable Foreman to discover new hosts.
For information about configuring the Discovery service, see Configuring the Discovery Service in Provisioning Hosts.
Upgrading Discovery on Foreman server
-
Update the Discovery template in the Foreman web UI:
  - In the Foreman web UI, navigate to Hosts > Provisioning templates.
  - On the PXELinux global default line, click Clone.
  - Enter a new name for the template in the Name field, for example ACME PXE global default.
  - In the template editor field, change the line ONTIMEOUT local to ONTIMEOUT discovery and click Submit.
  - In the Foreman web UI, navigate to Administer > Settings.
  - On the Provisioning tab, set Default PXE global template entry to a custom value for your environment.
  - Locate Global default PXELinux template and click on its Value.
  - Select the name of the newly created template from the menu and click Submit.
  - In the Foreman web UI, navigate to Hosts > Provisioning templates.
  - Click Build PXE Default, then click OK.
    Note: If the template is modified, a Foreman upgrade overrides it to its default version. Once the PXE Default configuration is built, the template configured in the Settings is deployed to the TFTP. This can result in deploying the default template if the new template is correctly set in the Settings.
-
In the Foreman web UI, go to Configure > Discovery Rules and associate selected organizations and locations with discovery rules.
2.5.2. Upgrading Discovery on Smart Proxy servers
-
Verify that the Foreman Discovery package is current on Foreman server.
# yum install tfm-rubygem-foreman_discovery
-
If an update occurred in the previous step, restart the foreman-maintain services.
# foreman-maintain service restart
-
Upgrade the Discovery image on the Foreman Smart Proxy that is either connected to the provisioning network with discovered hosts or provides TFTP services for discovered hosts.
# yum install foreman-discovery-image
-
On the same instance, install the package which provides the Proxy service, and then restart the foreman-proxy service.
# yum install tfm-rubygem-smart_proxy_discovery
# service foreman-proxy restart
-
In the Foreman web UI, go to Infrastructure > Smart Proxies and verify that the relevant Smart Proxy lists Discovery in the features column. Select Refresh from the Actions drop-down menu if necessary.
-
Go to Infrastructure > Subnets and for each subnet on which you want to use discovery:
  - Click the subnet name.
  - On the Smart Proxies tab, ensure the Discovery Smart Proxy is set to a Smart Proxy you configured above.
Verifying Subnets have a Template Smart Proxy
If the Templates feature is enabled in your environment, ensure all subnets with discovered hosts have a template Smart Proxy:
-
In the Foreman web UI, navigate to Infrastructure > Subnets.
-
Select the subnet you want to check.
-
On the Smart Proxies tab, ensure a Template Smart Proxy has been set for this subnet.
For more information about configuring subnets with template Smart Proxies, see Configuring the Discovery Service in the Provisioning guide.
2.5.3. Upgrading virt-who
If virt-who is installed on Foreman server or a Smart Proxy server, it will be upgraded when they are upgraded. No further action is required. If virt-who is installed elsewhere, it must be upgraded manually.
If virt-who is installed on a host registered to Foreman server or a Smart Proxy server, first upgrade the host to the latest packages available in the https://yum.theforeman.org/client/3.1/ repository. For information about upgrading hosts, see Upgrading Content Hosts.
-
Upgrade virt-who.
# yum upgrade virt-who
-
Restart the virt-who service so the new version is activated.
# systemctl restart virt-who.service
2.5.4. Migrating Ansible Content
The upgrade from Enterprise Linux 7 to Enterprise Linux 8 includes an upgrade from Ansible Engine 2.9 to Ansible Core 2.12.
If you have custom Ansible content such as playbooks, job templates inside REX, roles and collections on disk, and you rely on modules being delivered by the Ansible RPM on Foreman, you have to take additional steps to adapt your Ansible installation or migrate your Ansible content.
Ansible Core contains only essential modules.
In terms of FQCN notation namespace.collection.module, you can continue to use ansible.builtin.*, but everything else is missing in Ansible Core.
That means you will no longer be able to use non-builtin Ansible modules as you were used to, and you eventually have to get them from another source.
You have the following options to handle your Ansible content after the upgrade:
-
You can obtain additional community-maintained collections that provide the non-essential functionality from Ansible Galaxy. For more information, see Installing collections in the Galaxy User Guide.
-
You can rewrite your Ansible roles, templates and other affected content.
Note
If you want to download and install Ansible content on Smart Proxy that does not have a connection to an external Ansible Galaxy server, then you must pass the content through Foreman server instead of using the URL of the Ansible Galaxy server in the configuration on the Smart Proxy directly:
To find out what content is affected after the upgrade, you can run:
# ansible-lint --enable-list only-builtins -p path/to/your/playbook/play.yml
You need ansible-lint 6.1.0 or newer.
You can install it from pypi.org.
2.5.5. Reclaiming PostgreSQL Space
The PostgreSQL database can use a large amount of disk space especially in heavily loaded deployments. Use this procedure to reclaim some of this disk space on Foreman.
-
Stop all services, except for the postgresql service:
# foreman-maintain service stop --exclude postgresql
-
Switch to the postgres user and reclaim space on the database:
# su - postgres -c 'vacuumdb --full --all'
-
Start the other services when the vacuum completes:
# foreman-maintain service start
2.5.6. Updating Templates, Parameters, Lookup Keys and Values
During the upgrade process, Foreman attempts to locate macros that are deprecated for Foreman 3.1 and converts old syntax to new syntax for the default Foreman templates, parameters, and lookup keys and values. However, Foreman does not convert old syntax in cloned templates and in custom job or provisioning templates that you have created.
The process uses simple text replacement, for example:
@host.params['parameter1'] -> host_param('parameter1')
@host.param_true?('parameter1') -> host_param_true?('parameter1')
@host.param_false?('parameter1') -> host_param_false?('parameter1')
@host.info['parameters'] -> host_enc['parameters']
Warning
If you use cloned templates in Foreman, verify whether the cloned templates have diverged from the latest version of the original templates in Foreman. The syntax for the same template can differ between versions of Foreman. If your cloned templates contain outdated syntax, update the syntax to match the latest version of the template.
To ensure that this text replacement does not break or omit any variables in your files during the upgrade, check all templates, parameters, and lookup keys and values for the old syntax and replace manually.
The following error occurs because of old syntax remaining in files after the upgrade:
undefined method '#params' for Host::Managed::Jail
Foreman 6.4 onwards uses the redhat_register snippet instead of the subscription_manager_registration snippet.
If you upgrade from Foreman 6.3 and earlier, you must replace the subscription_manager_registration snippet in your custom job or provisioning templates as follows:
<%= snippet "subscription_manager_registration" %>
↓
<%= snippet 'redhat_register' %>
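The manual check for old syntax described in this section can be run over exported templates before and after the upgrade. The script below is an added example, not Foreman code; it assumes the templates were exported as plain-text files under one directory, and the function names and sample templates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Foreman code. Lists lines in exported templates that still
# use the old macros named on this page, with the replacement the page gives.
# Assumption: templates were exported as plain-text files under one directory.

# scan_templates DIR -> one "file:line: old -> new" line per finding, sorted.
scan_templates() {
    find "$1" -type f -exec awk '
        BEGIN {
            # Literal substrings to search for, and the hint printed for each.
            needle[1] = "@host.params[";       hint[1] = "@host.params[...] -> host_param(...)"
            needle[2] = "@host.param_true?(";  hint[2] = "@host.param_true?(...) -> host_param_true?(...)"
            needle[3] = "@host.param_false?("; hint[3] = "@host.param_false?(...) -> host_param_false?(...)"
            needle[4] = "@host.info[";         hint[4] = "@host.info[...] -> host_enc[...]"
            needle[5] = "subscription_manager_registration"
            hint[5]   = "snippet subscription_manager_registration -> snippet redhat_register"
            count = 5
        }
        {
            # index() compares literally, so "?", "(" and "[" need no escaping.
            for (i = 1; i <= count; i++)
                if (index($0, needle[i]) > 0)
                    printf "%s:%d: %s\n", FILENAME, FNR, hint[i]
        }
    ' {} + | sort
}

# write_sample_templates DIR -> creates two constructed template files.
write_sample_templates() {
    mkdir -p "$1"
    cat > "$1/cloned_kickstart.erb" <<'EOF'
<%# constructed sample: a cloned template that the upgrade did not convert %>
<% if @host.param_true?('enable-extra-repo') %>
repo --name=extra --baseurl=<%= @host.params['extra_repo_url'] %>
<% end %>
<%= snippet "subscription_manager_registration" %>
EOF
    cat > "$1/converted_job.erb" <<'EOF'
<%# constructed sample: already uses the new syntax %>
echo "<%= host_param('motd') %>" > /etc/motd
<%= snippet 'redhat_register' %>
EOF
}

# Demonstration on the constructed samples.
sample_dir=$(mktemp -d)
write_sample_templates "$sample_dir"
scan_templates "$sample_dir"
rm -rf "$sample_dir"
```

An empty result means none of the listed patterns remain; cloned templates still need the comparison against the current originals that the warning above describes.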
2.5.7. Tuning Foreman server with Predefined Profiles
If your Foreman deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Foreman.
Note that you cannot use tuning profiles on Smart Proxies.
You can choose one of the profiles depending on the number of hosts your Foreman manages and available hardware resources.
The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.
When you run the foreman-installer command with the --tuning option, deployment configuration settings are applied to Foreman in the following order:
-
The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
-
The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
-
Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, Foreman applies these configuration settings.
Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.
Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.
- default
  Number of managed hosts: 0 – 5000
  RAM: 20G
  Number of CPU cores: 4
- medium
  Number of managed hosts: 5001 – 10000
  RAM: 32G
  Number of CPU cores: 8
- large
  Number of managed hosts: 10001 – 20000
  RAM: 64G
  Number of CPU cores: 16
- extra-large
  Number of managed hosts: 20001 – 60000
  RAM: 128G
  Number of CPU cores: 32
- extra-extra-large
  Number of managed hosts: 60000+
  RAM: 256G
  Number of CPU cores: 48+
-
Optional: If you have configured the custom-hiera.yaml file on Foreman server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
# cp /etc/foreman-installer/custom-hiera.yaml \
  /etc/foreman-installer/custom-hiera.original
-
Optional: If you have configured the custom-hiera.yaml file on Foreman server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
-
Enter the foreman-installer command with the --tuning option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command:
# foreman-installer --tuning medium
3. Upgrading Foreman or Smart Proxy to Enterprise Linux 8 In-Place Using Leapp
Use this procedure to upgrade your Foreman or Smart Proxy installation from Enterprise Linux 7 to Enterprise Linux 8.
-
Foreman 3.1 or Smart Proxy 3.1 running on Enterprise Linux 7.
-
Foreman or Smart Proxy installations running on CentOS 7 can be upgraded to CentOS Stream 8 or a Red Hat Enterprise Linux rebuild.
-
Foreman or Smart Proxy installations running on Red Hat Enterprise Linux 7 can be upgraded to Red Hat Enterprise Linux 8.
-
If you previously upgraded Foreman or Smart Proxy from an earlier version, and the /var/lib/pgsql contained the PostgreSQL database content before the migration from PostgreSQL 9 to PostgreSQL 12 from the SCL, empty /var/lib/pgsql before proceeding.
-
During the upgrade, the PostgreSQL data is moved from /var/opt/rh/rh-postgresql12/lib/pgsql/data/ to /var/lib/pgsql/data/. If these two paths reside on the same partition, no further action is required. If they reside on different partitions, ensure that there is enough space for the data to be copied over. You can move the PostgreSQL data on your own and the upgrade will skip this step if /var/opt/rh/rh-postgresql12/lib/pgsql/data/ does not exist.
-
Access to available repositories or a local mirror of repositories.
-
Configure the repositories to obtain Leapp.
On CentOS, configure the @theforeman/leapp COPR Repository, which contains newer Leapp packages than those shipped by AlmaLinux/ELevate and supports Foreman or Smart Proxy upgrades:
# curl -o /etc/yum.repos.d/theforeman-leapp.repo https://copr.fedorainfracloud.org/coprs/g/theforeman/leapp/repo/epel-7/group_theforeman-leapp-epel-7.repo
On Red Hat Enterprise Linux, enable the rhel-7-server-extras-rpms repository:
# subscription-manager repos --enable=rhel-7-server-extras-rpms
-
Install required packages:
# yum install leapp leapp-repository
-
Install additional OS-specific packages (leapp-data-almalinux for AlmaLinux, leapp-data-centos for CentOS Stream, or leapp-data-rocky for Rocky Linux). Note that this is not required for Red Hat Enterprise Linux based installations.
# yum install leapp-data-centos
-
Add Foreman specific repositories to /etc/leapp/files/leapp_upgrade_repositories.repo:
[leapp-foreman]
name=Foreman 3.1
baseurl=https://yum.theforeman.org/releases/3.1/el8/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
enabled=1
gpgcheck=1
module_hotfixes=1

[leapp-katello]
name=Katello 4.3
baseurl=https://yum.theforeman.org/katello/4.3/katello/el8/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
enabled=1
gpgcheck=1
module_hotfixes=1

[leapp-katello-candlepin]
name=Candlepin: an open source entitlement management system.
baseurl=https://yum.theforeman.org/katello/4.3/candlepin/el8/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
enabled=1
gpgcheck=1
module_hotfixes=1

[leapp-pulpcore]
name=pulpcore: Fetch, Upload, Organize, and Distribute Software Packages.
baseurl=https://yum.theforeman.org/pulpcore/3.16/el8/$basearch/
gpgkey=https://yum.theforeman.org/pulpcore/3.16/GPG-RPM-KEY-pulpcore
enabled=1
gpgcheck=1
module_hotfixes=1

[leapp-foreman-plugins]
name=Foreman plugins 3.1
baseurl=https://yum.theforeman.org/plugins/3.1/el8/$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
module_hotfixes=1

[leapp-foreman-client]
name=Foreman client 3.1
baseurl=https://yum.theforeman.org/client/3.1/el8/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman-client

[leapp-puppet7]
name=Puppet 7 Repository el 8 - $basearch
baseurl=http://yum.puppetlabs.com/puppet7/el/8/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
enabled=1
gpgcheck=1
-
If you are using Puppet 6 instead of Puppet 7, replace the 7 with a 6 in the leapp-puppet7 entry.
-
You need a Puppet repository for the Puppet agent that the installer is using.
-
-
We do not support Enterprise Linux 8 installations with EPEL 8 enabled, so remove epel-release:
# yum remove epel-release
-
Remove the centos-release-scl and centos-release-scl-rh repositories:
# yum remove centos-release-scl centos-release-scl-rh
-
Configure Leapp to keep Tomcat packages to ensure the upgrade does not fail:
# echo tomcat >> /etc/leapp/transaction/to_keep
# echo tomcat-lib >> /etc/leapp/transaction/to_keep
-
Let Leapp analyze your system:
# leapp preupgrade
The first run is expected to fail, report issues, and inhibit the upgrade. Examine the report in the /var/log/leapp/leapp-report.txt file, answer all questions (using leapp answer), and manually resolve the other reported problems.
The following commands show the most common steps required:
# rmmod pata_acpi
# echo PermitRootLogin yes | tee -a /etc/ssh/sshd_config
# leapp answer --section remove_pam_pkcs11_module_check.confirm=True
leapp preupgrade might fail with a dependency resolution error such as:
-
"package rubygem-fx-0.5.0-2.el8.noarch requires rubygem(railties) >= 4.0.0, but none of the providers can be installed"
-
"package rubygem-railties-6.0.4.7-1.el8.noarch requires rubygem(thor) < 2.0, but none of the providers can be installed"
If this happens, do the following to clean up packages that cannot automatically upgrade (rubygem(thor) and rubygem(railties) in the example above):
# yum remove rubygem-thor rubygem-railties
If leapp preupgrade inhibits the upgrade with Unsupported network configuration because there are multiple legacy named network interfaces, follow the instructions shown by Leapp to rename the interfaces, followed by an installer run to reconfigure Foreman or Smart Proxy to use the new interface names:
# foreman-installer --help | grep 'interface.*eth'
--foreman-proxy-dhcp-interface DHCP listen interface (current: "eth0")
--foreman-proxy-dns-interface DNS interface (current: "eth0")
If eth0 was renamed to em0, call the installer to use the new interface name with:
# foreman-installer --foreman-proxy-dhcp-interface=em0 --foreman-proxy-dns-interface=em0
-
-
Ensure leapp preupgrade has no issues.
-
Run:
# leapp upgrade
-
Reboot the system.
After the system reboots, a live system conducts the upgrade, reboots to fix SELinux labels, then reboots into the final Enterprise Linux 8 system.
-
Leapp finishes the upgrade after the final reboot. Watch its progress with:
# journalctl -u leapp_resume -f
-
Reindex the databases:
# runuser -u postgres -- reindexdb -a
-
Enable the Katello and Pulpcore modules:
# dnf module enable katello:el8 pulpcore:el8
-
For Foreman only and not Smart Proxy, if you require SELinux to be in enforcing mode, run the following command before changing SELinux to enforcing mode:
# dnf reinstall foreman-selinux katello-selinux --disableplugin=foreman-protector
Note
|
If you install the system and need to use |
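Added example, not part of the Foreman documentation: in the repository entries for /etc/leapp/files/leapp_upgrade_repositories.repo shown in the procedure above, leapp-foreman-plugins sets gpgcheck=0 and leapp-puppet7 uses an http:// baseurl, so packages from those sections get weaker verification than the rest. The POSIX shell check below lists such sections before you run leapp preupgrade; the function names audit_repo and write_sample_repo are made up for this sketch, and the sample file is a trimmed excerpt of the entries above.

```shell
# write_sample_repo FILE: trimmed excerpt of the repository entries above.
write_sample_repo() {
    cat > "$1" <<'EOF'
[leapp-foreman]
baseurl=https://yum.theforeman.org/releases/3.1/el8/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
gpgcheck=1
[leapp-foreman-plugins]
baseurl=https://yum.theforeman.org/plugins/3.1/el8/$basearch
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
[leapp-puppet7]
baseurl=http://yum.puppetlabs.com/puppet7/el/8/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
gpgcheck=1
EOF
}

# audit_repo FILE: print "<section>: <problem>" for each enabled repository
# that weakens package verification; return 1 if anything was flagged.
audit_repo() {
    awk '
    function flag(msg) { print section ": " msg; bad = 1 }
    function check_section() {
        if (section == "" || val["enabled"] == "0") return
        if (val["gpgcheck"] != "1")             flag("gpgcheck is not 1")
        if (val["gpgkey"] == "")                flag("no gpgkey configured")
        if (val["baseurl"] ~ /^http:/)          flag("baseurl uses plain http")
        if ((" " val["gpgkey"]) ~ /[ \t]http:/) flag("gpgkey fetched over plain http")
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^\[/ { check_section(); section = substr($0, 2, index($0, "]") - 2)
            split("", val); key = ""; next }     # new [section]: judge the previous one
    /^[ \t]/ && key != "" { sub(/^[ \t]+/, ""); val[key] = val[key] " " $0; next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        val[key] = v
    }
    END { check_section(); exit bad }
    ' "$1"
}

sample=$(mktemp)
write_sample_repo "$sample"
audit_repo "$sample" || echo "review the sections listed above before running leapp"
rm -f "$sample"
```

On a real system, run audit_repo /etc/leapp/files/leapp_upgrade_repositories.repo; a non-zero exit status means at least one enabled section was flagged.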
4. Migrating Foreman to a New Enterprise Linux System
When you migrate your Foreman, you create a backup of your Foreman server and your Smart Proxy, install a fresh instance, and restore your backup on the new instance. After your migration is complete, you can then decommission the earlier instance of Foreman server and Smart Proxy.
Ensure that you understand the following terms:
- Source server
-
The origin of migration on which you create a backup.
- Target server
-
The new server on which you restore the backup.
To migrate your Foreman to new hardware, follow these high-level steps:
-
Create a backup of the Foreman server or Smart Proxy server on the source server.
-
Perform a fresh installation of the Foreman server or Smart Proxy server on a target server.
-
Install a minimal Enterprise Linux 8 instance with the capacity to store backup files.
-
Do not install any operating system software groups or third-party applications.
-
-
Restore the backup on the target server.
4.1. Creating a Backup of a Server on Enterprise Linux 7
Before you perform a fresh installation of the Foreman server or Smart Proxy server on the Enterprise Linux 8 system, back up your Foreman server or Smart Proxy server data on the Enterprise Linux 7 system by creating an offline backup.
If you recently created an offline backup, you can perform an incremental backup to update the existing backup.
-
Perform a backup on the source server:
-
To perform a full backup, see Backing Up Foreman server and Smart Proxy server in Administering Foreman.
-
To perform an incremental backup, see Performing an Incremental Backup in Administering Foreman.
-
4.2. Performing a Fresh Installation of a Server on Enterprise Linux 8
After you have created a backup of the Foreman server or Smart Proxy server on the source server, you can install Foreman server or Smart Proxy server on the target server.
-
To install connected Foreman server, see Installing Foreman 3.1 Server with Katello 4.3 Plugin on RHEL/CentOS.
-
To install Smart Proxy server, see Installing an External Smart Proxy Server 3.1.
4.3. Restoring a Backup of a Server on Enterprise Linux 8
After you perform a fresh installation of Foreman server or Smart Proxy server on the target server, you can restore the backup you previously created.
-
Restore a backup on the target server:
-
To restore a full backup, see Restoring From a Full Backup in Administering Foreman.
-
To restore an incremental backup, see Restoring From Incremental Backups in Administering Foreman.
-
-
Reindex the databases:
# runuser -u postgres -- reindexdb -a
5. Updating Foreman server
Use this chapter to update your existing Foreman server and Smart Proxy server to a new patch version, for example, from 3.1.0 to 3.1.1.
Updates patch security vulnerabilities and minor issues discovered after code is released, and are often fast and non-disruptive to your operating environment.
Before updating, back up your Foreman server and all Smart Proxy servers. For more information, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman guide.