1. Foreman 3.11 Release Notes

1.1. Headline Features

1.1.1. Greatly decreased JavaScript size for plugins

Previously, Foreman’s whole JavaScript bundle was duplicated in every plugin. Now a separate bundle is generated that Foreman and each plugin can reuse. In most plugins, we saw a 2 to 3 MB reduction in size. Depending on the number of plugins, this can save a significant amount in transfer size. While Foreman does compress and cache these JavaScript bundles, they still had to be loaded all the time.

1.1.2. Running Foreman on Enterprise Linux 9 is fully supported

Foreman 3.10 only supported Enterprise Linux 9 as experimental, but with this release it is fully supported.

1.1.3. Running Foreman on Debian 12 is supported

Packages for Debian 12 were built with 3.11.0, but our automated pipelines rely on Puppetserver. Now that Puppetserver packages for Debian 12 are available, with Foreman 3.11.4 Debian 12 is considered a supported platform.

1.2. Upgrade Warnings

1.2.1. keycloak-httpd-client-install dropped from Enterprise Linux 9

Foreman has shipped its own keycloak-httpd-client-install package because initially the version shipped in Enterprise Linux 7 was too old to support ODIC. Recently it was noticed that the version in Enterprise Linux 8 contains the required features but still contains a packaging bug. The version in Enterprise Linux 9 contains all the required features but is older than what Foreman has shipped. Foreman 3.10 was the first release on Enterprise Linux 9 and it was marked as experimental. As a result, the decision has been made to remove it from Foreman’s Enterprise Linux 9 packaging. Users who have this package installed should downgrade it using dnf downgrade keycloak-httpd-client-install.

1.3. Deprecations

1.3.1. Running Foreman on Enterprise Linux 8 removal in Foreman 3.13

Now that running on Enterprise Linux 9 is fully supported, running on Enterprise Linux 8 is deprecated. Foreman 3.13 will drop this support so users are encouraged to plan their upgrade.

Note this is for running Foreman itself. Clients will remain supported.

1.3.2. Running Foreman on Debian 11 removal in Foreman 3.14

Users are encouraged to upgrade to Debian 12.

Note this is for running Foreman itself. Clients will remain supported.

2. Katello 4.13 Release Notes

2.1. Headline Features

2.1.1. New All Hosts index page improvements

On the experimental new All Hosts index page, you can now click 'Manage Columns' and add Katello-provided columns, including

  • RHEL Lifecycle status

  • Installable updates

  • Last seen

  • Lifecycle environment

  • Content view

  • Content source

  • Registered at

Also, you can now change the content view and lifecycle environment of multiple hosts. Select some hosts, click the vertical ellipsis, then click 'Change content view environments.'

2.1.2. New manifest expiration warnings

Users will now be notified before their subscription manifest expires. The number of days of notice is configured by the expire_soon_days setting.

If a manifest is expired or expiring soon, you’ll see new alert banners on the Manage Manifest screen.

The expiration date of the manifest is now displayed on the Manage Manifest screen.

Refreshing your manifest will now extend the expiration date of the manifest to 1 year from the current date.

2.1.3. Repair content view versions

New actions have been introduced to facilitate repairs on the CV version repositories. These actions involve identifying and fixing missing or corrupted content units within the published repository. The action is available on hammer as "verify-checksum" sub-command for content-view version command.

2.1.4. Content View Publish

Users will not be allowed to publish a content view if a child repository is syncing and vice-versa to avoid any data integrity issues.

2.1.5. Other enhancements

Subscription expiration information has now moved from the Subscription - Entitlement report to the Subscription - General report. This report now accepts the expiring_in_days input, so you can see when your subscriptions will expire.

The activation keys selection on the Hostgroup Edit page has been refactored from jquery to React, providing a more modern look and user experience.

Katello now indexes metadata for container manifests, including annotations, labels, and identifiers for Flatpak and bootable images.

Container Gateway database migrated from SQLite to PostgreSQL for increased smart proxy container registry performance.

2.2. Upgrade Warnings

Container content users will want to run 'foreman-maintain advanced procedure run pulpcore-container-handle-image-metadata' to pre-migrate data to avoid a lengthy migration in the future. There will be multiple releases to allow this before it is mandatory.

2.3. Deprecations

Deprecated certain SCA-related API and Hammer endpoints and parameters. These are likely non-functional and will be removed in the future.

Removed the 'Upload profiles without Dynflow' config setting.

3. Foreman 3.11.5

A full list of changes is available on Redmine

3.1. Foreman

3.1.1. Templates

  • Update remote_execution_pull_setup to generate a yggdrasil-version-agnostic yggdrasil configuration file - #37877

3.2. Installer

3.2.1. Foreman modules

  • Installer fails with OpenJDK 17 on missing keyalg parameter to keytool - #38010

3.2.2. foreman-installer script

  • Katello-certs-check no longer works on EL8 - #38027

4. Foreman 3.11.4

A full list of changes is available on Redmine

4.1. Installer

  • Checks don’t disable the default CA path which means openssl will use the default system CA path by default - #37828

  • PostgreSQL 13 upgrade aborts when user locale doesn't match cluster locale - #37797

4.1.1. Foreman modules

  • Custom certificates will override server CA with default CA on foreman-proxy-content scenario - #37817

4.1.2. foreman-installer script

  • Disconnected upgrade fails to switch postgresql dnf module - #37874

5. Foreman 3.11.3

Foreman 3.11.3 was accidentally tagged without any changes. Please refer to the latest version 3.11.4 when wanting to upgrade.

6. Foreman 3.11.2

A full list of changes is available on Redmine

6.1. Foreman

6.1.1. API

  • Host Creation via GraphQL only as Admin - #37765

6.1.2. Inventory

  • Invalid MAC address error message appears twice while editing interface - #37651

6.1.3. JavaScript stack

  • not all webpack assets are properly invalidated on change - #37775

6.1.4. Packaging

  • FFI 1.17.0+ requires Rubygems 3.3.22+ for installation, breaking Ruby 2.7 source installs - #37607

6.1.5. Plugin integration

  • Plugins are finalized before seeds are executed - #37503

6.1.6. Security

  • Connection reset by peer - SSL_connect when access to content/product menu - #37713

6.1.7. Tests

  • intermittent host_js integeration test failure: test_0002_correctly override global params " Expected false to be truthy." - #37774

  • nic_managed factory can create an IP outside of its subnet - #37711

6.1.8. Web Interface

  • Template render error when host has .ics domain name - #37623

  • Help page should not link libera chat anymore after the migration to matrix - #37086

6.2. Installer

6.2.1. Foreman modules

  • CVE-2024-7923: Authentication bypass in Pulpcore - #37787

  • CVE-2024-7012: Authentication bypass in Foreman - #37786

7. Katello 4.13.1

A full list of changes is available on Redmine

7.1. Katello

7.1.1. Container

  • Create Katello push repositories as needed at container push time - #37455

7.1.2. Content Views

  • CV promote fails with undefined method `get_status' for nil:NilClass when deleting a Host in the CV during Finalize phase of the Promote task - #37543

7.1.3. Foreman Proxy Content

  • Slow smart proxy sync in 4.11 - #37356

7.1.4. Hosts

  • Katello should be able to handle subscription-manager environments --set - #37618

  • RHEL Lifecycle Status tests failing because RHEL8 full support is now ended - #37533

  • Trace_status = reboot_needed not working after upgrade to 4.12 - #37354

7.1.5. Repositories

  • Migrate sha1 repos only at the next edit time - #37609

  • Pulp never purge the completed tasks - #37521

  • Registry doesn't 404 for v2 clients trying to search - #37504

7.1.6. Subscriptions

  • 'Bind entitlements to an allocation' task fails with wrong number of arguments (given 1, expected 0) (ArgumentError) - #37571

7.1.7. Tooling

  • Upgrade pulp-rpm to 3.26 - #37622

7.1.8. Web UI

  • load js correctly in smart_proxies - #37539

  • Remove 'query-string' JS dependency - #37112

8. Foreman 3.11.1

A full list of changes is available on Redmine

8.1. Foreman

8.1.1. Tests

  • Report renderer tests fail depending on the libyaml version - #37613

8.1.2. Unattended installations

  • HostCommon.crypt_passwords reencrypts Base64 based passwords for Grub, leading to errors - #37610

  • Change Linux password hashing default from sha256 to sha512 - #36650

8.2. Smart Proxy

8.2.1. DHCP

  • Invalid value for Integer(): “#Resolv::DNS::Resource::IN::A:0x00007fnnnnnnnnn” - #37621

9. Katello 4.13.0

A full list of changes is available on Redmine

9.1. Katello

  • Package rubygem-dynflow not listed in a list of packages - #37457

  • Cannot update packages on non-EL hosts - #37340

  • Fix upstream lint issues - #37331

  • It is possible to end up with the wrong remote type (uln vs. normal) for yum content - #37279

  • Default Organization View is not listed first on the CV select screen in Change Content Source - #37229

  • It should be possible to upload a package / repos profile from UI - #37191

  • content_view_components is not preloaded in content_view controller - #37108

9.1.1. API

  • --content-view-filter-id only works for ID-type filters - #37394

  • API endpoint for activation_keys/:id/product_content should be TRUE by default - #37350

9.1.2. Activation Key

  • Change the default setting for "Limit to environment" on the activationkey and content host pages to true - #37214

9.1.3. Alternate Content Sources

  • Fix ACS randomly failing VCR tests - #37277

9.1.4. Container

  • Allow pushing container images to Pulp without indexing - #37302

  • `podman login` against the container registry returns 500 intermittently - #37218

9.1.5. Content Credentials

  • asterisk symbol is missing for required field - #37482

9.1.6. Content Views

  • Content view publish failing with katello_repository_rpms_id_seq reached maximum value error - #37403

  • Content view repositories link points to broken link on composite view UI - #37269

  • Newly imported content views show as needs publish - #37254

  • Allow repairing content view versions - #37237

  • [RFE Block content view publishing during repository publication tasks] - #37139

  • Very slow content view list loading - #36976

  • Python content not getting published to versions - #36611

9.1.7. Foreman Proxy Content

  • Container gateway needs to send ACCEPT headers from podman to Pulp - #37399

  • Allow granular repair functionality for capsules - #37258

  • SmartProxy Content Sync should offer Verify Content Checksum - #36803

9.1.8. Hammer

  • Improve displayed filter rules info in hammer - #37181

9.1.9. Host Collections

  • Fetching Host's details does not scale wrt Hosts Collections - #37346

9.1.10. Hosts

  • Add Setting to disable validation of host/lifecycle environment/content source coherence - #37400

  • Add bulk CV/LCE assignment to new All Hosts page - #37336

  • Add Katello column(s) to new host index page - #37309

  • katello:clean_backend_objects false alarms on systems with >1500 clients when PUTing customer facts - #37283

  • Error undefined method `repository_url' when trying to use composed images for system deployments - #37268

  • Link of Upgradable Content for Debian/Ubuntu is misaligned on Hosts page - #37267

  • Hostgroup not showing associated Kickstart Repository in edit - #37197

  • Remove the setting 'upload_profiles_without_dynflow' - #37195

  • undefined method `family' for nil:NilClass after cloning a rhel8 host - #37178

  • Managing a Hosts Repository Sets does not behave as expected - #37169

  • Update Checkin time for ESXi hypervisors from virt-who report - #37162

  • Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "katello_available_module_streams_name_stream_context" - #37137

  • Offer a hint in the UI about how to get 'Synced Content' available - #36992

  • When cloning a hostgroup the fields content source content view and lifecycle are empty - #35215

9.1.11. Inter Server Sync

  • content export actions are failing in ruby 3 - #37381

  • cdn_ssl_version Setting enforces at most TLS1.0 version - #36979

9.1.12. Notifications

  • Use with_enabled_email scope instead of handcrafting the query all over the place - #37192

9.1.13. Reporting

  • Cannot create report "Host - All Installed Packages" for hosts running Debian/Ubuntu - #37198

  • SCA-Only: Remove Subscription-Entitlement notification - #37170

9.1.14. Repositories

  • Repository synchronization progress does not get updated in real time on Satellite Web UI's "Content ---> Sync Status" page - RHEL8 Satellite 6.16 - #37442

  • Upgrade pulp-container bindings to 2.20 - #37414

  • Fix typo for container_repository_name in metadata_generate_needed? - #37408

  • Create a rake script that reindexes manifests with label information - #37407

  • Add Include Refs and Exclude Refs options for OSTree repository type - #37383

  • Container push can fail with a different JSON error - #37380

  • Index Pulp manifest annotations, labels, is_bootable, is_flatpak and expose them via API - #37379

  • Fix Katello (or maybe BATS) -- orphan cleanup tries deleting distributed repo versions - #37371

  • Product level Verify checksum action spawns unessasary checksum tasks for cloned repositories of the root repository - #37259

  • Registry Service Accounts token is not accepted in "Upstream Authentication Token" of a docker repo - #37238

  • Red Hat products that were never synced are reporting last synced time - #31318

9.1.15. Roles and Permissions

  • Content Exporter role is missing the create_content_views permission - #37430

9.1.16. Subscriptions

  • Org still holds stale cached manifest expiration date after manifest import/refresh - #37481

  • subscription-manager release --unset doesn't reset the client information on foreman - #37358

  • As a user I want to be warned before the manifest (upstream consumer identity certificate) will expire, and have a notification to refresh the manifest. - #37271

  • As a user, when I refresh my manifest the expiration date of the identity certificate will get renewed, so that I am never caught with an expired manifest. - #37266

  • Remove SCA-related API endpoints and params - #37226

9.1.17. Tests

  • Update tests to stop using https://fixtures.pulpproject.org/rpm-zchunk/ - #37187

9.1.18. Upgrades

  • Upgrade pulpcore to 3.49 - #37301

9.1.19. Web UI

  • update ak results in hostgroup - #37476

  • Update TableWrapper to comply with changes in SelectAllCheckbox - #37378

  • refactor ak in hostgroups to react - #37370

  • Change content source screen is still confusing coming from host edit - #37313

  • Invalid PropType errors when selecting a content source on Change Content Source form - #37303

  • Duplicate repositories in content view versions warning is always active - #37240

9.1.20. katello-tracer

  • Use dnf needs-restarting to collect tracer information - #36973

10. Foreman 3.11.0

A full list of changes is available on Redmine

10.1. Foreman

10.1.1. API

  • API 'build_pxe_default' is broken when a taxonomy is passed - #37439

10.1.2. Compute resources - VMware

  • Provide hardware versions for VMWare VSphere 8.0 and 8.0U2 - #37244

  • VMWare Guest OS list is outdated - #36023

10.1.3. Database

  • Upgrade to PostgreSQL 13 on EL8 - #37208

10.1.4. Development tools

  • Fix Style/GlobalStdStream cop - #37432

  • rake snapshots:generate is broken - #37422

  • Generate Rocky 8 & 9 snapshots for provisioning templates - #37337

10.1.5. Facts

  • drop bookworm/sid workaround now that bookworm is released - #37484

10.1.6. Host creation

  • Creating a host without a comment and then editing it and submitting without any changes creates an update audit record for the nil->'' transition of comment - #37224

10.1.7. Host groups

  • Hostgroup facets are not cloned when cloning hostgroup - #37179

10.1.8. Host registration

  • Provide multiple repositories when you want to register a host - #37440

  • Domain is not removed in the details page when the DNS is not configured/enabled in the installer - #37231

  • Provide registration before & after snippets - #37189

  • Use subscription-manager for Debian-based hosts - #33664

10.1.9. Internationalization

  • Incorrect translation in registration command validation - #37490

  • Update fast_gettext to ~> 2.1 - #36574

10.1.10. Inventory

  • Edit comment from host details - #37443

  • Implement customizable columns to display on the new All Hosts page - #37293

  • New hosts index - Change content source link has no href - #37248

  • results.map should appear directly in HostsIndex index.js - #37247

10.1.11. JavaScript stack

  • use host_details_ui in React context - #37489

  • Prevent XSS issue for katello angular pages - #37437

  • Webpack - Prevent react duplicates in core - #37391

  • Drop unused typeToIcon function - #37387

  • Drop toggleRowGroup and filter_permissions functions - #37386

  • Drop check_all_roles and uncheck_all_roles event handlers - #37385

  • always use cached manifest json to find webpack chunks, not only for JS - #37353

  • Webpack assets not compressed after Webpack 5 migration - #37344

  • @redhat-cloud-services/frontend-components-utilities@4.0.8 breaks compatibility with NodeJS 14 - #37312

  • remove unused typeAheadSelect - #37280

  • _victoryCore.Helpers.isFunction is not a function - #37255

  • Webpack - Prevent foreman core duplicates in plugins - #37252

  • Add main action button to PermissionDenied component - #37236

  • Generic table on TableIndexPage always shows actions kebab, even if empty - #37233

10.1.12. Packaging

  • Allow rdoc 6.4 on Ruby 3.1 - #35463

10.1.13. Performance

  • Iterate on hashes when both key and value are used - #37287

10.1.14. Plugin integration

  • Facets with hostgroup inherit override host-specific facet values - #37043

10.1.15. Rails

  • A lot of dynflow deprecation warning because of sidekiq config.options usage - #37444

  • Remove timed_cache_store.rb - #37436

10.1.16. Reporting

  • Drop Host - Vulnerabilities report - #37515

  • Execution interface is not resepected in in Ansible Inventory report template - #37374

  • Getting "undefined method '#id' for NilClass::Jail (NilClass)" error when generating Ansible inventory report - #37215

  • Remove Subscription-Entitlement report - #37167

10.1.17. Settings

  • default_$taxonomy setting descriptions only mention Puppet instead of all facts - #37488

10.1.18. Templates

  • foreman_bootdisk templates not seeded - #37421

  • Add current time macro - #37282

10.1.19. Tests

  • Use PostgreSQL 13 in tests - #37241

10.1.20. Unattended installations

  • Don't use the Kickstart rhsm for RHEL 9 - #37461

  • Foreman and Anaconda are not in sync when deploying RHEL9: both keyfiles/snippets and ifcfg-xxx files are generated - #37367

  • kickstart_kernel_options deprecation warning - ks param on rhel8 - #37343

  • Ubuntu 22.04.3 needs adaption user-data template - #37011

  • Add Clevis/Tang disk encryption template - #36885

  • Debian boot_file_sources uses transform_vars but preseed_path does not - #36830

  • Enable connectefi scsi for grub2 by default - #36691

  • kickstart's RHSM line only works on RHEL hosts - #36525

10.1.21. Users, Roles and Permissions

  • Unable to modify "manage column" in path "hosts -> all hosts" while using custom roles - #37463

  • Allow pagelets on User and Usergroups edit page - #37002

  • Provide a scope for email-notification-eligible users - #36891

10.1.22. Web Interface

  • Use nightly for links to manual in Foreman develop - #37434

  • Add more control over SelectAllCheckbox - #37307

10.1.23. foreman-debug

  • Drop upload functionality from foreman-debug - #37406

10.2. Installer

  • Drop setup plugin - #37298

  • Ensure correct Java is used with Puppetserver 8 - #37291

  • Getting http 500 internal server error due to "ActiveRecord::ConnectionTimeoutError: could not obtain a connection from the pool within 5.000 seconds" - #33974

10.2.1. Foreman modules

  • During upgrade to Katello 4.11 issues are seen with Candlepin keystore when using FIPS - #37384

  • Support PostgreSQL database for smart_proxy_container_gateway - #37325

  • REMOTE_USER is unset by Apache for Pulpcore Registry when it shouldn't be - #37308

  • Retire foreman-hooks from installer - #37296

  • Support for Avatars broken by ProxyPass - #37211

10.2.2. foreman-installer script

  • Use rubocop cmdline parameters according to version 0.80.1 - #37393

  • Exclude all subdirectories for vendor in .rubocop.yaml - #37392

  • Puppet server ciphers updated in 2.0 but old ciphers can remain in answers - #37306

  • Default PostgreSQL password encryption to SCRAM - #37297

  • Add gitlab CI config - #37261

  • Upgrade to PostgreSQL 13 on EL8 - #37177

  • Make katello-certs-check verify if the CA bundle has any certificates with trust rules - #37063

10.3. Packaging

  • Retire foreman-hooks - #37295

  • Retire foreman_setup plugin - #37212

10.3.1. RPMs

  • Patch puma to fix chunked upload issue - #37419

  • Drop keycloak-httpd-client-install from EL9 - #37334

  • Katello::Errors::Pulp3Error: module 'createrepo_c' has no attribute 'SHA1' - #37332

  • Use PostgreSQL 13 module in Foreman's modular metadata on EL8 - #37210

10.4. Smart Proxy

10.4.1. DHCP

  • Creating a DHCP host can cause an IPv6 address to be looked up - #37355

10.4.2. DNS

  • Free IPs service is not started for MS DHCP - #37450

10.4.3. TFTP

  • Smart Proxy TFTP fetching writes out broken files on HTTP errors - #37147

10.4.4. Tests

  • Tests fail inside docker container - #37413

Appendix A: Foreman Contributors

We’d like to thank the following people who contributed to the Foreman 3.11 release:

Adam Hosek, Adam Lazik, Adam Růžička, Alexander Olofsson, Aneta Šteflová Petrová, Archana Kumari, Bastian Schmidt, Beat Gaetzi, Bernhard Suttner, Chris Roberts, Cole Higgins, Dirk Götz, Eric Helms, Evgeni Golov, Ewoud Kohl van Wijngaarden, Girija Soni, Gordon Bleux, Greg Cox, Griffin Sullivan, Hao Yu, Ian Ballou, Jan Löser, Jeremy Lenz, Joniel Pasqualetto, Laurent Bigonville, Lennart Betz, Leos Stejskal, Marek Hulán, Maria Agaphontzev, Markus Bucher, Martin Alfke, Matěj Mudra, Maximilian Kolb, Nadja Heitmann, Mike Massonnet, Nofar Alfassi, Oleh Fedorenko, Pat Riehecky, Patrick Creech, Quinn James, Samir Jha, Sayan Das, Sebastian Bublitz, Shimon Shtein, Thorben Denzer, Tim Meusel, Zach Huntington-Meath, cocker-cc, Waldirio M Pinheiro, William Bradford Clark, dosas, jmott85, Et7f3, gardar, omahs

As well as all users who helped test releases, report bugs and provide feedback on the project.

Appendix B: Katello Contributors

Adam Růžička Aneta Šteflová Petrová Bernhard Suttner Chris Roberts Evgeni Golov Ian Ballou Jeremy Lenz Joniel Pasqualetto Lukas Magauer Manisha Singhal Maria Agaphontzev Markus Bucher Matěj Mudra Maximilian Kolb Michael Yoder Oleh Fedorenko Partha Aji Quinn James Quirin Pamp Samir Jha Sayan Das Stejskal Leos Thorben Denzer William Bradford Clark