1. Headline Features

1.1. IPv6 Support

Deployment and operation in IPv6-only networks is now fully supported.

Provisioning over IPv6 is supported on bare metal hosts. For compute resources, you can define the machine outside Foreman on the compute resource and then you can provision the machine as bare metal in Foreman.

1.2. Secure Boot provisioning

Provisioning with Secure Boot is now supported on bare-metal, VMware vSphere and Libvirt across multiple operating systems. New virtual machines with Secure Boot enabled will be created with the default keys enrolled.

1.3. Invalidate JWT for global registration

Users can now invalidate their own tokens for global registration. Users with the edit_users permission can also invalidate all tokens for all users in a single action.

2. Upgrade Warnings

2.1. EL 7 client repositories dropped

RHEL 7 is out of maintenance since June 2024 and at the same time CentOS Linux 7 went end of life. With Foreman 3.14, the client repository is no longer built for EL 7. This primarily affects Katello and OpenSCAP users.

For more details, see the removal RFC.

2.2. AWX Parameter Change

The ansible_tower_fqdn parameter has been removed and replaced with ansible_tower_api_url. This new parameter includes both the previous ansible_tower_fqdn value and the required API path for AWX.

By default, the API path is set to /api/controller/v2. If you are using an older AWX version, update the API path manually to /api/v2. If you’re unsure which version you have, check your instance’s API endpoints to confirm the correct path.

3. Deprecations

There are no deprecations with Foreman 3.14.

4. Foreman 3.14.0

A full list of changes is available on Redmine

4.1. Foreman

4.1.1. API

  • Hide organization-id and location-id options from api documentation of unscoped resources - #37824

4.1.2. Authentication

  • NameError: undefined local variable or method `logger' for JwtToken - #38122

4.1.3. Compute resources

  • Fields in OS tab don't populate until after failed host import and the network details are incorrect - #37855

4.1.4. Compute resources - EC2

  • Remove EC2 subnet from compute profiles - #38193

4.1.5. Compute resources - VMware

  • Missing CentOS stream 10 and RHEL10 GuestOS for VMware compute-resource - #38121

  • Add VMware SecureBoot & Virtual TPM support - #37823

4.1.6. Compute resources - libvirt

  • Add Libvirt UEFI & SecureBoot support - #37566

4.1.7. DNS

  • Fix DNS orchestration conflict detection to take IPv6 filed into account - #37990

4.1.8. Development tools

  • apipie cache generation command fails on a centos9 katello devel stable machine - #38159

  • update theforeman-rubocop gem - #37429

4.1.9. Facts

  • Make sure an IPv6 interface is suggested as primary - #38046

4.1.10. Host registration

  • Registering bootc host fails to set up ssh keys - #38095

  • Pull provider template renders OS-specific error message for all OS types - #38082

  • The template "Linux host_init_config default" has an unwanted single quote - #38002

4.1.11. Internationalization

  • Do not try to translate ruby-symbol - #38106

4.1.12. Inventory

  • host_edit when no inherit button creates error - #38223

  • page scroll freeze in host edit unselect architecture - #38220

  • New All hosts: Delete host redirects to old hosts list regardless of setting - #37758

  • 'Manage Columns' does not appear on new Hosts Index page - #37573

4.1.13. JavaScript stack

  • CardTemplate should allow customizing ouidId - #38289

  • datatables pagination not working - #38282

  • remove select2('destroy') for non select2 item - #38177

  • Allow generic table children outside of tbody - #38154

  • Remove @theforeman/vendor-dev - #37830

  • add js-cookie - #37664

  • drop jquery-ui - #37390

  • Update to jQuery 3 - #37382

4.1.14. Logging

  • Password from HTTP(S) proxy Setting is logged in plaintext to production.log - #38185

4.1.15. Network

  • Pagelet for HTTP Proxy form - #38000

4.1.16. Packaging

  • Drop NodeJS 14 support - #38125

  • Increase foreman.socket's Backlog option to INT_MAX - #37964

4.1.17. Performance

  • PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_operatingsystems_on_title" DETAIL: Key (title)=(RedHat 9.2) already exists. - #38169

4.1.18. Proxy gateway

  • Test connection for HTTP proxy errors out - #38208

4.1.19. Rails

  • In-browser password manager may pop up when editing name fields of various resources - #38217

  • Switch Foreman to Rails 7.0 - #37825

4.1.20. Reporting

  • Show host's IPv6 in the 'host built' mail - #38153

  • Host - Installed Products report should handle multiCV hosts - #38145

4.1.21. Settings

  • String type settings with nil default cannot be unset - #38197

  • Need to add lxc* pattern to IGNORED_INTERFACES list - #38036

4.1.22. Tests

  • Incorrect settings test uncovered by mocha 2.7 - #38078

  • Tests fail with fog-libvirt 0.13.1 - #38017

4.1.23. Unattended installations

  • Can't provision using image + SSH - #38272

  • AAP 2.5 support in Ansible Callback - #38219

  • Anaconda is not setting up the host name correctly during the setup - #38168

  • Kickstart template generates interfaces with --ipv6=dhcp - #38155

  • Replace deprecated wget "-Y off" parameter in templates - #38067

  • Use IPv6 address for SSH provisioning, if available - #38057

  • References to syspurpose addons still remain in Foreman - #38053

  • Remove NicIpResolver class - #38052

  • Unattended controller should accept IPv6 address as part of the built request - #38051

  • Make sure host_finder knows to find hosts given an IPv6 address - #38050

  • Major version accepts negative values while creating operating system - #38044

  • Allow the remote execution user to become any user when creating sudoers drop-ins - #38030

  • Provisioning uses wrong URLs for subscription-manager when a load balanced smart proxy is involved - #38029

  • Support Windows deployment with UEFI - #37862

  • Clevis/Tang disk encryption broken for Ubuntu/multiple disks - #37857

  • New PXE loader "Grub2 UEFI SecureBoot (target OS)" - #36834

4.1.24. Users, Roles and Permissions

  • As a user or admin, I want to invalidate JWTs for all users - #38138

  • As a user I want to invalidate my own JWT tokens via the UI - #38108

  • User last login time is not updated when login with external authentication - #38037

  • As a user or admin, I want to invalidate JWTs for a specific user. - #37936

4.1.25. Web Interface

  • Failure occurs after selecting the correct value while creating an Ansible variable. - #38281

  • select2 search not working in modals - #38237

  • select 2 not showing placeholders - #38211

  • vmware Create controller select freezes the page - #38209

  • form_select_f auto selects first option - #38183

  • Hide search submit button when not submittable - #38141

4.2. Installer

  • New PXE loader "Grub2 UEFI SecureBoot (target OS)" - #36940

4.2.1. External modules

  • Stop managing postgresql-evr extension - #37680

4.2.2. Foreman modules

  • Enabling DHCP with HTTPBoot on HTTPS-only Foreman Proxy fails on unknown variable https_port - #38259

  • use lowercase FQDN in SSL CN comparison for pulpcore auth - #38110

  • On large deployments puma auto tuning results in too many workers for PostgreSQL connections - #38085

4.2.3. foreman-installer script

  • Halt installer run if the evr extension in remote DBs has the wrong permissions before upgrade - #37883

  • Change evr extension ownership to foreman via installer - #37717

4.3. Packaging

4.3.1. RPMs

  • Drop EL7 client support - #38034

4.4. SELinux

4.4.1. Packaging

  • Remove dependency on unconfined selinux module - #37968

4.4.2. Smart proxy

  • allow smart-proxy with PuppetCA to read some etc files - #37999

4.5. Smart Proxy

4.5.1. Realm

  • rexml is not a default gem on ruby 3 anymore - #38157

4.5.2. TFTP

  • New PXE loader "Grub2 UEFI SecureBoot (target OS)" - #36833

5. Katello 4.16.0

A full list of changes is available on Redmine

5.1. Katello

  • Humanize Resource Type for flatpak permissions - #38161

  • Label option is removed while creating new Organization in UI - #38025

  • Use #add instead of #<< for ActiveModel::Errors - #38023

  • Empty Error Pop Up related to structured APT on the RepositorySets page - #38011

  • deb type content host with structured APT enabled throws errors on repository sets tab - #37998

  • As a user, I can expect container repo names to follow the latest standard - #37988

  • Upload deb package through hammer results in an invalid package being included when it's uploaded for the first time - #37864

  • add jquery-ui dependency - #37402

5.1.1. API

  • Flatpak remote returns auth_token on the API - #38102

5.1.2. Activation Key

  • Unable to an create activation key when no content-view is selected - #38251

  • hammer activation-key create false positive when passing in only --content-view - #38170

  • FakeActivationKey doesn't respond to #organization method - #38147

  • [RFE Hint to enable settings 'allow_multiple_content_views' in hammer ak command] - #38143

  • Can't remove a version from an environment if it is being used by a multi-CV activation key. - #37895

5.1.3. Container

  • Container push should hide expected 404 message from pulp when looking up blobs - #38212

  • OSP Authenticated Pull fails from Satellite with error 422 Client Error: Unprocessable Content for url - #38206

  • As a user, I can see an overview of container images used with image-mode systems in the UI - #38107

  • "hammer repository upload-content" not long working for docker repository - #38103

5.1.4. Content Views

  • Old CV versions may contain deb repos without structure content - #38231

  • CV with depsolving and filters on selected repos is broken at orhpan cleanup - #38218

  • Update web UI wording for multiCV - #38194

  • Content views list duplicate relations for multiCV hosts and activation keys - #38179

  • Use new host page setting to link to hosts index from content view details page - #38160

  • To convert "Got multiple version_hrefs for pulp task" error into a warning or suppress it - #38150

  • Reassigning host content views when removing Content view version/environment in multi-CV hosts - #38116

  • As a client, I should have access to all flatpaks available via registered Content View/Environment - #38105

  • The content view APIs will pass repository_ids to the code both as a list of int or a list of strings - #38076

  • Scoped search is broken for for content views if the search parameter is boolean - #38062

  • Deleting a CV version does not scale when a product has too many repos (cloned in CVs) - #38003

5.1.5. Errata Management

  • 'Select all' on errata page attempts installing extra errata on host - #38175

  • Argument list too long in "Install errata by search query - Katello Ansible Default" when applying multiple errata - #38163

  • Content view with include errata filter has fewer package count than expected - #37946

5.1.6. Foreman Proxy Content

  • Smart proxy sync is not updating package count for repos inside content view. - #38117

  • APT repos using flat repo format cannot be synced to smart proxy - #38096

  • Refresh content counts action on Smart proxy fails when content_counts is set to {} - #38056

  • LCE id is not passed on Refresh counts trigger from WebUI - #38042

  • Update smart proxy url methods for load balancer compatibility - #38028

  • Smart proxy content page console error when count is {} - #38015

  • Ansible collection capsule sync doesn't respect optimized:false value - #37959

  • podman login via smart proxy fails on GMT+x timezones - #37925

5.1.7. HTTP Proxy

  • Set HTTP proxy as default after creating - #37923

5.1.8. Hosts

  • When nesting hostgroups, CV/LCE do not populate upon changing the content source - #38265

  • Registering a host with non-admin user with "Register hosts" role doesn't move the host in specified location - #38243

  • Job template "Set up Flatpak remote" fails when /run/containers/0/auth.json is missing - #38236

  • in host edit, unselecting media causes page freeze - #38230

  • Image mode all hosts column title should be 'Type' - #38226

  • Extra tbody left inside booted containers table causes automation issues - #38225

  • Add unset feature in set release version bulk action on the content host - #38215

  • Should hide Change content source task when permissions are missing - #38214

  • RHEL 10 support policy + EOL info is added to hosts - #38152

  • content_view_environments methods need to be added to Safemode - #38142

  • Job: Resolve Traces - Katello Ansible Default - fails to reboot machine - #38140

  • Do not double-escape "*" during package update - #38137

  • Image mode digests should be allowed to be empty - #38128

  • Add a link to the new REX bootc action on the image mode details card - #38113

  • Change content source & REX Pull provider - #38111

  • In host/groups media should not be visible when Synced Content is selected - #38104

  • New "All Hosts Page" should show Package Updates for Debian/Ubuntu - #38097

  • Add new job templates for bootc upgrade/switch/rollback via REX - #38084

  • As a user, I can see an overview of container images used with image-mode systems via API & hammer - #38072

  • A new card on Host details tab for image information - #38013

  • Gather bootc-related facts and populate content facet fields - #37994

  • Improve restart services job - #37918

5.1.9. Inter Server Sync

  • Importing into a repository that already exists on the importing instance broken - #38156

5.1.10. Lifecycle Environments

  • Hammer should provide the option to add an environment after Library to an existing path - #38114

  • Display LCEs in order of LCE Path in GUI CV Page and hammer for Content View - #38112

5.1.11. Localization

  • generic content units controller api translation broken - #37981

5.1.12. Reporting

  • Failed to genereate report using "Host - Applied Errata" template. - #38058

5.1.13. Repositories

  • flatpak-remote create writes the token string to production.log in plaintext - #38273

  • Update Recommeneded Repositories Page to modify Satellite, Capsule and Maintainance repository from 6.16 to 6.17 for RHEL 9 - #38261

  • APT repos using flat repo format with a distribution other than "/" are broken - #38221

  • Http proxy is referenced in postgres even after being removed from the Satellite server - #38204

  • Sync Status page Select None not working - #38196

  • The "Synchronize Now" button within Sync Status page of Satellite WebUI does not perform any visible action when the associated Content View is being published - #38188

  • Flatpak rex templates don't appear in order - #38180

  • Repository > New form doesn't render properly - #38162

  • Add RHEL 10 to repo version restriction logic. - #38158

  • Add a job template for flatpak setup on hosts and possibly install a flatpak image - #38109

  • Products index page is slow for products that have no synced repositories - #38086

  • Filter Deb Packages by repository - #38083

  • Migrate to using type field in container manifests and lists - #38071

  • Using deb content filters with structured APT enabled breaks repo publications - #38061

  • Error Mirroring Policy: Additive -> Complete Mirroring - #38040

  • Show URL to GPG Key - #38038

  • Upload deb package through hammer may not add it publication - #38035

  • [DEV Add RHEL 10 repos to recommended repositories (after 4.15 branching)] - #38020

  • As a user I can interact with remote repositories and manifests via API and mirror remote repositories in Katello - #37989

  • Remove Client2 repos from Recommended Repositories on Sat6.16 - #37985

  • Update recommend repositories on Satellite GUI to add Capsule, Utils and Maintenance repos for 6.16. - #37984

  • Add API endpoints with permissions for Flatpak remotes - #37976

  • Add keep-latest-packages from pulp python backend to UI - #37974

  • Add option to not sync dependencies of Ansible collections - #37958

  • Ostree repo creation fails if Depth is not set to a value - #37951

  • Support on-demand for file repos - #37929

  • Errors while deleting repository from Katello: Unable to find content with the ID "XXXX" - #37600

  • Python Package Types don't filter out whitespace - #35676

  • Make sure debian repositories support incremental-updates in pulpcore - #31257

5.1.14. Subscriptions

  • Product.all doesn't return future-dated subscriptions due to recent Candlepin change - #38055

  • Remove syspurpose addons from Katello - #37983

5.1.15. Tooling

  • Remove redundant require calls - #38026

  • Update angular-rails-templates to a Rails 7 compatible version - #38018

  • Get rid of evr extension and recreate evr_t in katello - #37859

  • Support Rails 7.0 - #37852

5.1.16. Web UI

  • Deb Packages page shows empty on Content Views tab - #38069

  • Do not tranlsate links in toasts - #38047

Appendix A: Foreman Contributors

We’d like to thank the following people who contributed to the Foreman 3.14 release:

Adam Lazik, Adam Růžička, Aneta Šteflová Petrová, Archana Kumari, Bastian Schmidt, Ben Erickson, Bernhard Suttner, Brenden Wood, Chris Roberts, Cole Higgins, Eric Helms, Evgeni Golov, Ewoud Kohl van Wijngaarden, Francesco Di Nucci, Gaurav Talreja, Girija Soni, Hao Yu, Ian Ballou, Jan Löser, Jeremy Lenz, Leos Stejskal, Lucy Fu, Maria Agaphontzev, Markus Bucher, Markus Reisner, Martin Alfke, Martin Spiessl, Matthew Davis, Maximilian Kolb, Nadja Heitmann, Nofar Alfassi, Oleh Fedorenko, Partha Aji, Patrick Creech, PopiBrossard, Samir Jha, Sayan Das, Shimon Shtein, Takashi Kajinami, Tim Meusel, VHS, dosas,

As well as all users who helped test releases, report bugs and provide feedback on the project.