1. Headline Features

1.1. Greatly decreased JavaScript size for plugins

Previously, Foreman’s whole JavaScript bundle was duplicated in every plugin. Now a separate bundle is generated that Foreman and each plugin can reuse. In most plugins, we saw a 2 to 3 MB reduction in size. Depending on the number of plugins, this can save a significant amount in transfer size. While Foreman does compress and cache these JavaScript bundles, they still had to be loaded all the time.

1.2. Running Foreman on Enterprise Linux 9 is fully supported

Foreman 3.10 only supported Enterprise Linux 9 as experimental, but with this release it is fully supported.

1.3. Running Foreman on Debian 12 is supported

Packages for Debian 12 were built with 3.11.0, but our automated pipelines rely on Puppetserver. Now that Puppetserver packages for Debian 12 are available, with Foreman 3.11.4 Debian 12 is considered a supported platform.

2. Upgrade Warnings

2.1. keycloak-httpd-client-install dropped from Enterprise Linux 9

Foreman has shipped its own keycloak-httpd-client-install package because initially the version shipped in Enterprise Linux 7 was too old to support ODIC. Recently it was noticed that the version in Enterprise Linux 8 contains the required features but still contains a packaging bug. The version in Enterprise Linux 9 contains all the required features but is older than what Foreman has shipped. Foreman 3.10 was the first release on Enterprise Linux 9 and it was marked as experimental. As a result, the decision has been made to remove it from Foreman’s Enterprise Linux 9 packaging. Users who have this package installed should downgrade it using dnf downgrade keycloak-httpd-client-install.

3. Deprecations

3.1. Running Foreman on Enterprise Linux 8 removal in Foreman 3.13

Now that running on Enterprise Linux 9 is fully supported, running on Enterprise Linux 8 is deprecated. Foreman 3.13 will drop this support so users are encouraged to plan their upgrade.

Note this is for running Foreman itself. Clients will remain supported.

3.2. Running Foreman on Debian 11 removal in Foreman 3.14

Users are encouraged to upgrade to Debian 12.

Note this is for running Foreman itself. Clients will remain supported.

4. Foreman 3.11.5

A full list of changes is available on Redmine

4.1. Foreman

4.1.1. Templates

  • Update remote_execution_pull_setup to generate a yggdrasil-version-agnostic yggdrasil configuration file - #37877

4.2. Installer

4.2.1. Foreman modules

  • Installer fails with OpenJDK 17 on missing keyalg parameter to keytool - #38010

4.2.2. foreman-installer script

  • Katello-certs-check no longer works on EL8 - #38027

5. Foreman 3.11.4

Packages for Debian 12 were built with 3.11.0, but our automated pipelines rely on Puppetserver. Now that Puppetserver packages for Debian 12 are available, this can be considered a supported platform.

A full list of changes is available on Redmine

5.1. Installer

  • Checks don’t disable the default CA path which means openssl will use the default system CA path by default - #37828

  • PostgreSQL 13 upgrade aborts when user locale doesn't match cluster locale - #37797

5.1.1. Foreman modules

  • Custom certificates will override server CA with default CA on foreman-proxy-content scenario - #37817

5.1.2. foreman-installer script

  • Disconnected upgrade fails to switch postgresql dnf module - #37874

6. Foreman 3.11.3

Foreman 3.11.3 was accidentally tagged without any changes. Please refer to the latest version 3.11.4 when wanting to upgrade.

7. Foreman 3.11.2

A full list of changes is available on Redmine

7.1. Foreman

7.1.1. API

  • Host Creation via GraphQL only as Admin - #37765

7.1.2. Inventory

  • Invalid MAC address error message appears twice while editing interface - #37651

7.1.3. JavaScript stack

  • not all webpack assets are properly invalidated on change - #37775

7.1.4. Packaging

  • FFI 1.17.0+ requires Rubygems 3.3.22+ for installation, breaking Ruby 2.7 source installs - #37607

7.1.5. Plugin integration

  • Plugins are finalized before seeds are executed - #37503

7.1.6. Security

  • Connection reset by peer - SSL_connect when access to content/product menu - #37713

7.1.7. Tests

  • intermittent host_js integeration test failure: test_0002_correctly override global params " Expected false to be truthy." - #37774

  • nic_managed factory can create an IP outside of its subnet - #37711

7.1.8. Web Interface

  • Template render error when host has .ics domain name - #37623

  • Help page should not link libera chat anymore after the migration to matrix - #37086

7.2. Installer

7.2.1. Foreman modules

  • CVE-2024-7923: Authentication bypass in Pulpcore - #37787

  • CVE-2024-7012: Authentication bypass in Foreman - #37786

8. Katello 4.13.1

A full list of changes is available on Redmine

8.1. Katello

8.1.1. Container

  • Create Katello push repositories as needed at container push time - #37455

8.1.2. Content Views

  • CV promote fails with undefined method `get_status' for nil:NilClass when deleting a Host in the CV during Finalize phase of the Promote task - #37543

8.1.3. Foreman Proxy Content

  • Slow smart proxy sync in 4.11 - #37356

8.1.4. Hosts

  • Katello should be able to handle subscription-manager environments --set - #37618

  • RHEL Lifecycle Status tests failing because RHEL8 full support is now ended - #37533

  • Trace_status = reboot_needed not working after upgrade to 4.12 - #37354

8.1.5. Repositories

  • Migrate sha1 repos only at the next edit time - #37609

  • Pulp never purge the completed tasks - #37521

  • Registry doesn't 404 for v2 clients trying to search - #37504

8.1.6. Subscriptions

  • 'Bind entitlements to an allocation' task fails with wrong number of arguments (given 1, expected 0) (ArgumentError) - #37571

8.1.7. Tooling

  • Upgrade pulp-rpm to 3.26 - #37622

8.1.8. Web UI

  • load js correctly in smart_proxies - #37539

  • Remove 'query-string' JS dependency - #37112

9. Foreman 3.11.1

A full list of changes is available on Redmine

9.1. Foreman

9.1.1. Tests

  • Report renderer tests fail depending on the libyaml version - #37613

9.1.2. Unattended installations

  • HostCommon.crypt_passwords reencrypts Base64 based passwords for Grub, leading to errors - #37610

  • Change Linux password hashing default from sha256 to sha512 - #36650

9.2. Smart Proxy

9.2.1. DHCP

  • Invalid value for Integer(): “#Resolv::DNS::Resource::IN::A:0x00007fnnnnnnnnn” - #37621

10. Katello 4.13.0

A full list of changes is available on Redmine

10.1. Katello

  • Package rubygem-dynflow not listed in a list of packages - #37457

  • Cannot update packages on non-EL hosts - #37340

  • Fix upstream lint issues - #37331

  • It is possible to end up with the wrong remote type (uln vs. normal) for yum content - #37279

  • Default Organization View is not listed first on the CV select screen in Change Content Source - #37229

  • It should be possible to upload a package / repos profile from UI - #37191

  • content_view_components is not preloaded in content_view controller - #37108

10.1.1. API

  • --content-view-filter-id only works for ID-type filters - #37394

  • API endpoint for activation_keys/:id/product_content should be TRUE by default - #37350

10.1.2. Activation Key

  • Change the default setting for "Limit to environment" on the activationkey and content host pages to true - #37214

10.1.3. Alternate Content Sources

  • Fix ACS randomly failing VCR tests - #37277

10.1.4. Container

  • Allow pushing container images to Pulp without indexing - #37302

  • `podman login` against the container registry returns 500 intermittently - #37218

10.1.5. Content Credentials

  • asterisk symbol is missing for required field - #37482

10.1.6. Content Views

  • Content view publish failing with katello_repository_rpms_id_seq reached maximum value error - #37403

  • Content view repositories link points to broken link on composite view UI - #37269

  • Newly imported content views show as needs publish - #37254

  • Allow repairing content view versions - #37237

  • [RFE Block content view publishing during repository publication tasks] - #37139

  • Very slow content view list loading - #36976

  • Python content not getting published to versions - #36611

10.1.7. Foreman Proxy Content

  • Container gateway needs to send ACCEPT headers from podman to Pulp - #37399

  • Allow granular repair functionality for capsules - #37258

  • SmartProxy Content Sync should offer Verify Content Checksum - #36803

10.1.8. Hammer

  • Improve displayed filter rules info in hammer - #37181

10.1.9. Host Collections

  • Fetching Host's details does not scale wrt Hosts Collections - #37346

10.1.10. Hosts

  • Add Setting to disable validation of host/lifecycle environment/content source coherence - #37400

  • Add bulk CV/LCE assignment to new All Hosts page - #37336

  • Add Katello column(s) to new host index page - #37309

  • katello:clean_backend_objects false alarms on systems with >1500 clients when PUTing customer facts - #37283

  • Error undefined method `repository_url' when trying to use composed images for system deployments - #37268

  • Link of Upgradable Content for Debian/Ubuntu is misaligned on Hosts page - #37267

  • Hostgroup not showing associated Kickstart Repository in edit - #37197

  • Remove the setting 'upload_profiles_without_dynflow' - #37195

  • undefined method `family' for nil:NilClass after cloning a rhel8 host - #37178

  • Managing a Hosts Repository Sets does not behave as expected - #37169

  • Update Checkin time for ESXi hypervisors from virt-who report - #37162

  • Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "katello_available_module_streams_name_stream_context" - #37137

  • Offer a hint in the UI about how to get 'Synced Content' available - #36992

  • When cloning a hostgroup the fields content source content view and lifecycle are empty - #35215

10.1.11. Inter Server Sync

  • content export actions are failing in ruby 3 - #37381

  • cdn_ssl_version Setting enforces at most TLS1.0 version - #36979

10.1.12. Notifications

  • Use with_enabled_email scope instead of handcrafting the query all over the place - #37192

10.1.13. Reporting

  • Cannot create report "Host - All Installed Packages" for hosts running Debian/Ubuntu - #37198

  • SCA-Only: Remove Subscription-Entitlement notification - #37170

10.1.14. Repositories

  • Repository synchronization progress does not get updated in real time on Satellite Web UI's "Content ---> Sync Status" page - RHEL8 Satellite 6.16 - #37442

  • Upgrade pulp-container bindings to 2.20 - #37414

  • Fix typo for container_repository_name in metadata_generate_needed? - #37408

  • Create a rake script that reindexes manifests with label information - #37407

  • Add Include Refs and Exclude Refs options for OSTree repository type - #37383

  • Container push can fail with a different JSON error - #37380

  • Index Pulp manifest annotations, labels, is_bootable, is_flatpak and expose them via API - #37379

  • Fix Katello (or maybe BATS) -- orphan cleanup tries deleting distributed repo versions - #37371

  • Product level Verify checksum action spawns unessasary checksum tasks for cloned repositories of the root repository - #37259

  • Registry Service Accounts token is not accepted in "Upstream Authentication Token" of a docker repo - #37238

  • Red Hat products that were never synced are reporting last synced time - #31318

10.1.15. Roles and Permissions

  • Content Exporter role is missing the create_content_views permission - #37430

10.1.16. Subscriptions

  • Org still holds stale cached manifest expiration date after manifest import/refresh - #37481

  • subscription-manager release --unset doesn't reset the client information on foreman - #37358

  • As a user I want to be warned before the manifest (upstream consumer identity certificate) will expire, and have a notification to refresh the manifest. - #37271

  • As a user, when I refresh my manifest the expiration date of the identity certificate will get renewed, so that I am never caught with an expired manifest. - #37266

  • Remove SCA-related API endpoints and params - #37226

10.1.17. Tests

  • Update tests to stop using https://fixtures.pulpproject.org/rpm-zchunk/ - #37187

10.1.18. Upgrades

  • Upgrade pulpcore to 3.49 - #37301

10.1.19. Web UI

  • update ak results in hostgroup - #37476

  • Update TableWrapper to comply with changes in SelectAllCheckbox - #37378

  • refactor ak in hostgroups to react - #37370

  • Change content source screen is still confusing coming from host edit - #37313

  • Invalid PropType errors when selecting a content source on Change Content Source form - #37303

  • Duplicate repositories in content view versions warning is always active - #37240

10.1.20. katello-tracer

  • Use dnf needs-restarting to collect tracer information - #36973

11. Foreman 3.11.0

A full list of changes is available on Redmine

11.1. Foreman

11.1.1. API

  • API 'build_pxe_default' is broken when a taxonomy is passed - #37439

11.1.2. Compute resources - VMware

  • Provide hardware versions for VMWare VSphere 8.0 and 8.0U2 - #37244

  • VMWare Guest OS list is outdated - #36023

11.1.3. Database

  • Upgrade to PostgreSQL 13 on EL8 - #37208

11.1.4. Development tools

  • Fix Style/GlobalStdStream cop - #37432

  • rake snapshots:generate is broken - #37422

  • Generate Rocky 8 & 9 snapshots for provisioning templates - #37337

11.1.5. Facts

  • drop bookworm/sid workaround now that bookworm is released - #37484

11.1.6. Host creation

  • Creating a host without a comment and then editing it and submitting without any changes creates an update audit record for the nil->'' transition of comment - #37224

11.1.7. Host groups

  • Hostgroup facets are not cloned when cloning hostgroup - #37179

11.1.8. Host registration

  • Provide multiple repositories when you want to register a host - #37440

  • Domain is not removed in the details page when the DNS is not configured/enabled in the installer - #37231

  • Provide registration before & after snippets - #37189

  • Use subscription-manager for Debian-based hosts - #33664

11.1.9. Internationalization

  • Incorrect translation in registration command validation - #37490

  • Update fast_gettext to ~> 2.1 - #36574

11.1.10. Inventory

  • Edit comment from host details - #37443

  • Implement customizable columns to display on the new All Hosts page - #37293

  • New hosts index - Change content source link has no href - #37248

  • results.map should appear directly in HostsIndex index.js - #37247

11.1.11. JavaScript stack

  • use host_details_ui in React context - #37489

  • Prevent XSS issue for katello angular pages - #37437

  • Webpack - Prevent react duplicates in core - #37391

  • Drop unused typeToIcon function - #37387

  • Drop toggleRowGroup and filter_permissions functions - #37386

  • Drop check_all_roles and uncheck_all_roles event handlers - #37385

  • always use cached manifest json to find webpack chunks, not only for JS - #37353

  • Webpack assets not compressed after Webpack 5 migration - #37344

  • @redhat-cloud-services/frontend-components-utilities@4.0.8 breaks compatibility with NodeJS 14 - #37312

  • remove unused typeAheadSelect - #37280

  • _victoryCore.Helpers.isFunction is not a function - #37255

  • Webpack - Prevent foreman core duplicates in plugins - #37252

  • Add main action button to PermissionDenied component - #37236

  • Generic table on TableIndexPage always shows actions kebab, even if empty - #37233

11.1.12. Packaging

  • Allow rdoc 6.4 on Ruby 3.1 - #35463

11.1.13. Performance

  • Iterate on hashes when both key and value are used - #37287

11.1.14. Plugin integration

  • Facets with hostgroup inherit override host-specific facet values - #37043

11.1.15. Rails

  • A lot of dynflow deprecation warning because of sidekiq config.options usage - #37444

  • Remove timed_cache_store.rb - #37436

11.1.16. Reporting

  • Drop Host - Vulnerabilities report - #37515

  • Execution interface is not resepected in in Ansible Inventory report template - #37374

  • Getting "undefined method '#id' for NilClass::Jail (NilClass)" error when generating Ansible inventory report - #37215

  • Remove Subscription-Entitlement report - #37167

11.1.17. Settings

  • default_$taxonomy setting descriptions only mention Puppet instead of all facts - #37488

11.1.18. Templates

  • foreman_bootdisk templates not seeded - #37421

  • Add current time macro - #37282

11.1.19. Tests

  • Use PostgreSQL 13 in tests - #37241

11.1.20. Unattended installations

  • Don't use the Kickstart rhsm for RHEL 9 - #37461

  • Foreman and Anaconda are not in sync when deploying RHEL9: both keyfiles/snippets and ifcfg-xxx files are generated - #37367

  • kickstart_kernel_options deprecation warning - ks param on rhel8 - #37343

  • Ubuntu 22.04.3 needs adaption user-data template - #37011

  • Add Clevis/Tang disk encryption template - #36885

  • Debian boot_file_sources uses transform_vars but preseed_path does not - #36830

  • Enable connectefi scsi for grub2 by default - #36691

  • kickstart's RHSM line only works on RHEL hosts - #36525

11.1.21. Users, Roles and Permissions

  • Unable to modify "manage column" in path "hosts -> all hosts" while using custom roles - #37463

  • Allow pagelets on User and Usergroups edit page - #37002

  • Provide a scope for email-notification-eligible users - #36891

11.1.22. Web Interface

  • Use nightly for links to manual in Foreman develop - #37434

  • Add more control over SelectAllCheckbox - #37307

11.1.23. foreman-debug

  • Drop upload functionality from foreman-debug - #37406

11.2. Installer

  • Drop setup plugin - #37298

  • Ensure correct Java is used with Puppetserver 8 - #37291

  • Getting http 500 internal server error due to "ActiveRecord::ConnectionTimeoutError: could not obtain a connection from the pool within 5.000 seconds" - #33974

11.2.1. Foreman modules

  • During upgrade to Katello 4.11 issues are seen with Candlepin keystore when using FIPS - #37384

  • Support PostgreSQL database for smart_proxy_container_gateway - #37325

  • REMOTE_USER is unset by Apache for Pulpcore Registry when it shouldn't be - #37308

  • Retire foreman-hooks from installer - #37296

  • Support for Avatars broken by ProxyPass - #37211

11.2.2. foreman-installer script

  • Use rubocop cmdline parameters according to version 0.80.1 - #37393

  • Exclude all subdirectories for vendor in .rubocop.yaml - #37392

  • Puppet server ciphers updated in 2.0 but old ciphers can remain in answers - #37306

  • Default PostgreSQL password encryption to SCRAM - #37297

  • Add gitlab CI config - #37261

  • Upgrade to PostgreSQL 13 on EL8 - #37177

  • Make katello-certs-check verify if the CA bundle has any certificates with trust rules - #37063

11.3. Packaging

  • Retire foreman-hooks - #37295

  • Retire foreman_setup plugin - #37212

11.3.1. RPMs

  • Patch puma to fix chunked upload issue - #37419

  • Drop keycloak-httpd-client-install from EL9 - #37334

  • Katello::Errors::Pulp3Error: module 'createrepo_c' has no attribute 'SHA1' - #37332

  • Use PostgreSQL 13 module in Foreman's modular metadata on EL8 - #37210

11.4. Smart Proxy

11.4.1. DHCP

  • Creating a DHCP host can cause an IPv6 address to be looked up - #37355

11.4.2. DNS

  • Free IPs service is not started for MS DHCP - #37450

11.4.3. TFTP

  • Smart Proxy TFTP fetching writes out broken files on HTTP errors - #37147

11.4.4. Tests

  • Tests fail inside docker container - #37413

Appendix A: Foreman Contributors

We’d like to thank the following people who contributed to the Foreman 3.11 release:

Adam Hosek, Adam Lazik, Adam Růžička, Alexander Olofsson, Aneta Šteflová Petrová, Archana Kumari, Bastian Schmidt, Beat Gaetzi, Bernhard Suttner, Chris Roberts, Cole Higgins, Dirk Götz, Eric Helms, Evgeni Golov, Ewoud Kohl van Wijngaarden, Girija Soni, Gordon Bleux, Greg Cox, Griffin Sullivan, Hao Yu, Ian Ballou, Jan Löser, Jeremy Lenz, Joniel Pasqualetto, Laurent Bigonville, Lennart Betz, Leos Stejskal, Marek Hulán, Maria Agaphontzev, Markus Bucher, Martin Alfke, Matěj Mudra, Maximilian Kolb, Nadja Heitmann, Mike Massonnet, Nofar Alfassi, Oleh Fedorenko, Pat Riehecky, Patrick Creech, Quinn James, Samir Jha, Sayan Das, Sebastian Bublitz, Shimon Shtein, Thorben Denzer, Tim Meusel, Zach Huntington-Meath, cocker-cc, Waldirio M Pinheiro, William Bradford Clark, dosas, jmott85, Et7f3, gardar, omahs

As well as all users who helped test releases, report bugs and provide feedback on the project.