In this guide, the terms upgrade, update, and migrate have the following meanings:

Upgrading

The process of advancing your Foreman server and Smart Proxy server installations from a y-stream release to the next, for example Foreman 3.3 to Foreman nightly. For more information, see Upgrading Overview.

Updating

The process of advancing your Foreman server and Smart Proxy server installations from a z-stream release to the next, for example Foreman nightly.0 to Foreman nightly.1. For more information, see Updating Foreman server and Content Hosts.

Migrating

The process of moving an existing Foreman installation to a new instance. For more information, see Migrating Foreman to a New Enterprise Linux System.

1. Upgrading Overview

Review prerequisites and available upgrade paths below before upgrading your current Foreman installation to Foreman nightly.

Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.

1.1. Prerequisites

Upgrading to Foreman nightly affects your entire Foreman infrastructure. Before proceeding, complete the following:

  • Read the Foreman nightly Release Notes.

  • Plan your upgrade path. For more information, see Upgrade Paths.

  • Plan for the required downtime. Foreman services are shut down during the upgrade. The upgrade process duration might vary depending on your hardware configuration, network speed, and the amount of data that is stored on the server.

    Upgrading Foreman takes approximately 1 – 2 hours.

    Upgrading Smart Proxy takes approximately 10 – 30 minutes.

  • Ensure that you have sufficient storage space on your server. For more information, see Preparing your Environment for Installation in Installing Foreman server from a Connected Network and Preparing your Environment for Installation in Installing Smart Proxy server.

  • Back up your Foreman server and all Smart Proxy servers. For more information, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman guide.

  • Plan for updating any scripts you use that contain Foreman API commands because some API commands differ between versions of Foreman. For more information about changes in the API, see the Red Hat Knowledgebase article API Changes Between Foreman Versions on the Red Hat Customer Portal.

Warning
If you customize configuration files, manually or use a tool such as Hiera, these customizations are overwritten when the installation script runs during upgrading or updating. You can use the --noop option with the foreman-installer script to test for changes. For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.

1.2. Upgrade Paths

You can upgrade to Foreman nightly from Foreman 3.3.

Foreman servers and Smart Proxy servers on earlier versions must first be upgraded to Foreman 3.3. For more information, see the Foreman 3.3 Upgrade documentation.

1.2.1. High-Level Upgrade Steps

The high-level steps in upgrading Foreman to nightly are as follows.

  1. Upgrade Foreman server to nightly. For more information, see Upgrading Foreman server.

  2. Upgrade all Smart Proxy servers to nightly. For more information, see Upgrading Smart Proxy servers.

  3. Optional: After you upgrade your Foreman, you can also upgrade the operating system on your Foreman servers and Smart Proxies to Enterprise Linux 8. There are two ways of upgrading your OS:

1.2.2. Post Upgrade

Depending on your requirements, you can continue with the following:

1.3. Following the Progress of the Upgrade

Because of the lengthy upgrade time, use a utility such as screen to suspend and reattach a communication session. You can then check the upgrade progress without staying connected to the command shell continuously. For more information about using the screen command, see How do I use the screen command? article in the Red Hat Knowledge Base. For more information, see the screen manual page.

If you lose connection to the command shell where the upgrade command is running you can see the logs in /var/log/foreman-installer/foreman.log to check if the process completed successfully.

1.4. Upgrading Smart Proxies Separately from Foreman

You can upgrade Foreman to version nightly and keep Smart Proxies at version 3.3 until you have the capacity to upgrade them too.

All the functionality that worked previously works on 3.3 Smart Proxies. However, the functionality added in the nightly release will not work until you upgrade Smart Proxies to nightly.

Upgrading Smart Proxies after upgrading Foreman can be useful in the following example scenarios:

  1. If you want to have several smaller outage windows instead of one larger window.

  2. If Smart Proxies in your organization are managed by several teams and are located in different locations.

  3. If you use a load-balanced configuration, you can upgrade one load-balanced Smart Proxy and keep other load-balanced Smart Proxies at one version lower. This allows you to upgrade all Smart Proxies one after another without any outage.

2. Upgrading Foreman

Use the following procedures to upgrade your existing Foreman to Foreman nightly:

Before upgrading, see Prerequisites.

2.1. Upgrading Foreman server

This section describes how to upgrade Foreman server from 3.3 to nightly. You can upgrade from any minor version of Foreman server 3.3.

Before You Begin
  • Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.

  • Review and update your firewall configuration prior to upgrading your Foreman server. For more information, see Preparing your environment for installation in Installing Foreman server.

  • If you have edited any of the default templates, back up the files either by cloning or exporting them. Cloning is the recommended method because that prevents them being overwritten in future updates or upgrades. To confirm if a template has been edited, you can view its History before you upgrade or view the changes in the audit log after an upgrade. In the Foreman web UI, navigate to Monitor > Audits and search for the template to see a record of changes made. If you use the export method, restore your changes by comparing the exported template and the default template, manually applying your changes.

Smart Proxy Considerations
  • Note that Foreman server upgraded from 3.3 to nightly can use Smart Proxy servers still at 3.3.

FIPS mode

You cannot upgrade Foreman server from a RHEL base system that is not operating in FIPS mode to a RHEL base system that is operating in FIPS mode.

To run Foreman server on a Red Hat Enterprise Linux base system operating in FIPS mode, you must install Foreman on a freshly provisioned RHEL base system operating in FIPS mode. For more information, see Preparing your environment for installation in Installing Foreman server.

2.1.1. Upgrading a Connected Foreman server

Use this procedure for a Foreman server with access to the public internet

Warning
If you customize configuration files, manually or using a tool such as Hiera, these changes are overwritten when the installation script runs during upgrading or updating. You can use the --noop option with the foreman-installer script to test for changes. For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.
Upgrade Foreman server
  1. Create a backup.

  2. Optional: If you made manual edits to DNS or DHCP configuration in the /etc/zones.conf or /etc/dhcp/dhcpd.conf files, back up the configuration files because the installer only supports one domain or subnet, and therefore restoring changes from these backups might be required.

  3. Optional: If you made manual edits to DNS or DHCP configuration files and do not want to overwrite the changes, enter the following command:

    # foreman-installer --foreman-proxy-dns-managed=false \
    --foreman-proxy-dhcp-managed=false
  4. In the Foreman web UI, navigate to Hosts > Discovered hosts. On the Discovered Hosts page, power off and then delete the discovered hosts. From the Select an Organization menu, select each organization in turn and repeat the process to power off and delete the discovered hosts. Make a note to reboot these hosts when the upgrade is complete.

  5. Check when the kernel packages were last updated:

    # rpm -qa --last | grep kernel
  6. Optional: If a kernel update occurred since the last reboot, reboot the system:

    # reboot
  7. If using a BASH shell, after a successful or failed upgrade, enter:

    # hash -d foreman-maintain service 2> /dev/null

2.2. Upgrading Smart Proxy servers

This section describes how to upgrade Smart Proxy servers from 3.3 to nightly.

Before You Begin
  • You must upgrade Foreman server before you can upgrade any Smart Proxy servers. Note that you can upgrade Smart Proxies separately from Foreman. For more information, see Upgrading Smart Proxies Separately from Foreman.

  • If you use Content Views to control updates to the base operating system of Smart Proxy server, update those Content Views with new repositories and publish their updated versions. For more information, see Managing Content Views in the Content Management Guide.

  • Ensure the Smart Proxy’s base system is registered to the newly upgraded Foreman server.

  • Ensure the Smart Proxy has the correct organization and location settings in the newly upgraded Foreman server.

  • Review and update your firewall configuration prior to upgrading your Smart Proxy server. For more information, see Preparing Your Environment for Smart Proxy Installation in Installing Smart Proxy server.

Upgrading Smart Proxy servers
  1. Create a backup.

  2. Check when the kernel packages were last updated:

    # rpm -qa --last | grep kernel
  3. Optional: If a kernel update occurred since the last reboot, reboot the system:

    # reboot
  4. Optional: If you made manual edits to DNS or DHCP configuration files, check and restore any changes required to the DNS and DHCP configuration files using the backups made earlier.

  5. Optional: If you use custom repositories, ensure that you enable these custom repositories after the upgrade completes.

2.2.1. Post-Upgrade Tasks

Some of the procedures in this section are optional. You can choose to perform only those procedures that are relevant to your installation.

If you use the PXE-based discovery process, then you must complete the discovery upgrade procedure on Foreman and on any Smart Proxy server with hosts that you want to be listed in Foreman on the Hosts > Discovered hosts page.

2.3. Upgrading Discovery

This section describes updating the PXELinux template and the boot image passed to hosts that use PXE booting to register themselves with Foreman server.

From Foreman nightly, provisioning templates now have a separate association with a subnet, and do not default to using the TFTP Smart Proxy for that subnet. If you create subnets after the upgrade, you must specifically enable the Foreman or a Smart Proxy to provide a proxy service for discovery templates and then configure all subnets with discovered hosts to use a specific template Smart Proxy.

During the upgrade, for every subnet with a TFTP proxy enabled, the template Smart Proxy is set to be the same as the TFTP Smart Proxy. After the upgrade, check all subnets to verify this was set correctly.

These procedures are not required if you do not use PXE booting of hosts to enable Foreman to discover new hosts.

2.3.1. Upgrading Discovery on Foreman server

  1. Update the Discovery template in the Foreman web UI:

    1. In the Foreman web UI, navigate to Hosts > Provisioning templates.

    2. On the PXELinux global default line, click Clone.

    3. Enter a new name for the template in the Name field, for example ACME PXE global default.

    4. In the template editor field, change the line ONTIMEOUT local to ONTIMEOUT discovery and click Submit.

    5. In the Foreman web UI, navigate to Administer > Settings.

    6. Locate Global default PXELinux template and click on its Value.

    7. Select the name of the newly created template from the menu and click the tick button.

    8. In the Foreman web UI, navigate to Hosts > Provisioning templates.

    9. Click Build PXE Default, then click OK.

  2. In the Foreman web UI, go to Configure > Discovery Rules and associate selected organizations and locations with discovery rules.

2.3.2. Verifying Subnets have a Template Smart Proxy

Ensure all subnets with discovered hosts have a template Smart Proxy:
  1. In the Foreman web UI, navigate to Infrastructure > Subnets.

  2. Select the subnet you want to check.

  3. On the Smart Proxies tab, ensure a Template Smart Proxy has been set for this subnet.

For more information about configuring subnets with template Smart Proxies, see Configuring the Discovery Service in the Provisioning guide.

2.4. Upgrading virt-who

If virt-who is installed on Foreman server or a Smart Proxy server, it will be upgraded when they are upgraded. No further action is required. If virt-who is installed elsewhere, it must be upgraded manually.

Before You Begin

If virt-who is installed on a host registered to Foreman server or a Smart Proxy server, first upgrade the host to the latest packages available in the https://yum.theforeman.org/client/nightly/ repository.

Upgrade virt-who Manually
  1. Upgrade virt-who.

    # yum upgrade virt-who
  2. Restart the virt-who service so the new version is activated.

    # systemctl restart virt-who.service

2.5. Reclaiming PostgreSQL Space

The PostgreSQL database can use a large amount of disk space especially in heavily loaded deployments. Use this procedure to reclaim some of this disk space on Foreman.

Procedure
  1. Stop all services, except for the postgresql service:

    # foreman-maintain service stop --exclude postgresql
  2. Switch to the postgres user and reclaim space on the database:

    # su - postgres -c 'vacuumdb --full --dbname=foreman'
  3. Start the other services when the vacuum completes:

    # foreman-maintain service start

3. Upgrading Foreman to Enterprise Linux 8 In-Place Using Leapp

Use this procedure to upgrade your Foreman installation from Enterprise Linux 7 to Enterprise Linux 8.

Prerequisites
  • Foreman nightly running on Enterprise Linux 7.

  • Access to available repositories or a local mirror of repositories.

  • Foreman installations running on CentOS 7 can be upgraded to CentOS Stream 8 or a Red Hat Enterprise Linux rebuild.

  • Foreman installations running on Red Hat Enterprise Linux 7 can be upgraded to Red Hat Enterprise Linux 8.

Procedure
  1. Configure the repositories to obtain Leapp.

    On CentOS, configure the @theforeman/leapp COPR Repository, which contains newer Leapp packages than those shipped by AlmaLinux/ELevate, and support Foreman upgrades:

    # curl -o /etc/yum.repos.d/theforeman-leapp.repo https://copr.fedorainfracloud.org/coprs/g/theforeman/leapp/repo/epel-7/group_theforeman-leapp-epel-7.repo

    On Red Hat Enterprise Linux, enable the rhel-7-server-extras-rpms repository:

    # subscription-manager repos --enable=rhel-7-server-extras-rpms
  2. Install required packages:

    # yum install leapp leapp-repository
  3. Install additional OS specific packages (leapp-data-almalinux for AlmaLinux, leapp-data-centos for CentOS Stream, or leapp-data-rocky for Rocky Linux). Note that this is not required for Red Hat Enterprise Linux based installations.

    # yum install leapp-data-centos
  4. Add Foreman specific repositories to /etc/leapp/files/leapp_upgrade_repositories.repo:

    [leapp-foreman]
    name=Foreman nightly
    baseurl=https://yum.theforeman.org/releases/nightly/el8/$basearch
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
    enabled=1
    gpgcheck=1
    module_hotfixes=1
    
    
    
    
    [leapp-foreman-plugins]
    name=Foreman plugins nightly
    baseurl=https://yum.theforeman.org/plugins/nightly/el8/$basearch
    enabled=1
    gpgcheck=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
    module_hotfixes=1
    
    [leapp-foreman-client]
    name=Foreman client nightly
    baseurl=https://yum.theforeman.org/client/nightly/el8/$basearch
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman-client
    
    [leapp-puppet7]
    name=Puppet 7 Repository el 8 - $basearch
    baseurl=http://yum.puppetlabs.com/puppet7/el/8/$basearch
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
           file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
    enabled=1
    gpgcheck=1
    • If you are using Puppet 6 instead of Puppet 7, replace the 7 with a 6 in the leapp-puppet7 entry.

    • You need a Puppet repository for the Puppet agent that the installer is using.

  5. We do not support Enterprise Linux 8 installations with EPEL 8 enabled, so remove epel-release:

    # yum remove epel-release
  6. Remove centos-release-scl and centos-release-scl-rh repositories:

    # yum remove centos-release-scl centos-release-scl-rh
  7. Let Leapp analyze your system:

    # leapp preupgrade

    The first run is expected to fail but report issues. Continue to the next step for remediation.

  8. Examine the report in the /var/log/leapp/leapp-report.txt file, answer all questions (using leapp answer) and manually resolve the other reported problems. The following commands show the most common steps required:

    # rmmod pata_acpi
    # echo PermitRootLogin yes | tee -a /etc/ssh/sshd_config
    # leapp answer --section remove_pam_pkcs11_module_check.confirm=True

    The preupgrade might fail with a dependency resolution error such as:

    • "package rubygem-fx-0.5.0-2.el8.noarch requires rubygem(railties) >= 4.0.0, but none of the providers can be installed"

    • "package rubygem-railties-6.0.4.7-1.el8.noarch requires rubygem(thor) < 2.0, but none of the providers can be installed"

      If this happens, do the following to clean up packages that cannot automatically upgrade (rubygem(thor) and rubygem(railties) in the example above):

    # yum remove rubygem-thor rubygem-railties
  9. Ensure leapp preupgrade has no issues.

  10. Run:

    # leapp upgrade
  11. Reboot the system.

    After the system reboots, a live system conducts the upgrade, reboots to fix SELinux labels, then reboots into the final Enterprise Linux 8 system.

  12. Leapp finishes the upgrade, watch it with:

    # journalctl -u leapp_resume -f
Note

If you install the system and need to use --disable-system-checks, the last step of the upgrade is going to fail, and you need to call foreman-installer --disable-system-checks manually once the system reboots.

4. Migrating Foreman to a New Enterprise Linux System

When you migrate your Foreman, you create a backup of your Foreman server and your Smart Proxy, install a fresh instance, and restore your backup on the new instance. After your migration is complete, you can then decommission the earlier instance of Foreman server and Smart Proxy.

Terminology

Ensure that you understand the following terms:

Source server

The origin of migration on which you create a backup.

Target server

The new server on which you restore the backup.

High-Level Procedure

To migrate your Foreman to new hardware, follow these high-level steps:

  1. Create a backup of the Foreman server or Smart Proxy server on the source server.

  2. Perform a fresh installation of the Foreman server or Smart Proxy server on a target server.

    • Install a minimal Enterprise Linux 8 (CentOS Stream, Red Hat Enterprise Linux or a Red Hat Enterprise Linux rebuild) instance with the capacity to store backup files.

    • Do not install any operating system software groups or third-party applications.

  3. Restore the backup on the target server.

4.1. Creating a Backup of a Server on Enterprise Linux 7

Before you perform a fresh installation of the Foreman server or Smart Proxy server on the Enterprise Linux 8 system, back up your Foreman server or Smart Proxy server data on the Enterprise Linux 7 system by creating an offline backup.

If you recently created an offline backup, you can perform an incremental backup to update the existing backup.

Procedure

4.2. Performing a Fresh Installation of a Server on Enterprise Linux 8

After you have created a backup of the Foreman server or Smart Proxy server on the source server, you can install Foreman server or Smart Proxy server on the target server.

4.3. Restoring a Backup of a Server on Enterprise Linux 8

After you perform a fresh installation of Foreman server or Smart Proxy server on the target server, you can restore the backup you previously created.

Procedure

5. Updating Foreman server and Content Hosts

Use this chapter to update your existing Foreman server, Smart Proxy server, and Content Hosts to a new minor version, for example, from nightly.0 to nightly.1.

Updates patch security vulnerabilities and minor issues discovered after code is released, and are often fast and non-disruptive to your operating environment.

Before updating, back up your Foreman server and all Smart Proxy servers. For more information, see Backing Up Foreman server and Smart Proxy server in the Administering Foreman guide.

5.1. Updating Foreman server

Prerequisites
  • Ensure that you have synchronized Foreman server repositories for Foreman, Smart Proxy, and https://yum.theforeman.org/client/nightly/.

  • Ensure each external Smart Proxy and Content Host can be updated by promoting the updated repositories to all relevant Content Views.

Warning
If you customize configuration files, manually or use a tool such as Hiera, these customizations are overwritten when the installation script runs during upgrading or updating. You can use the --noop option with the foreman-installer script to test for changes. For more information, see the Red Hat Knowledgebase solution How to use the noop option to check for changes in Foreman config files during an upgrade.

Updating Foreman server to the Next Minor Version

To Update Foreman server:
  1. Ensure the Foreman Maintenance repository is enabled:

    # subscription-manager repos --enable \
    {RepoRHEL7ServerSatelliteMaintenanceProductVersion}
  2. Check the available versions to confirm the next minor version is listed:

    # foreman-maintain upgrade list-versions
  3. Use the health check option to determine if the system is ready for upgrade. On first use of this command, foreman-maintain prompts you to enter the hammer admin user credentials and saves them in the /etc/foreman-maintain/foreman-maintain-hammer.yml file.

    # foreman-maintain upgrade check --target-version nightly.z

    Review the results and address any highlighted error conditions before performing the upgrade.

  4. Because of the lengthy update time, use a utility such as screen to suspend and reattach a communication session. You can then check the upgrade progress without staying connected to the command shell continuously. For more information about using the screen command, see How do I use the screen command? article in the Red Hat Knowledge Base.

    If you lose connection to the command shell where the upgrade command is running, you can see the logged messages in the /var/log/foreman-installer/foreman.log file to check if the process completed successfully.

  5. Perform the upgrade:

    # foreman-maintain upgrade run --target-version nightly.z
  6. Check when the kernel packages were last updated:

    # rpm -qa --last | grep kernel
  7. Optional: If a kernel update occurred since the last reboot, stop the foreman-maintain services and reboot the system:

    # foreman-maintain service stop
    # reboot