Best practice regarding OS updates and foreman/katello minor updates

Problem:
Im wondering how to best handle OS updates and foreman/katello minor version updates.

For OS updates ive seen some places that we need to lock packages to prevent errors, and ive seen recommendations to always run foreman-installer after doing OS updates. But what is everyone else doing? How does your patching day look like?
(Needless to say i will take snapshot before doing any updates)

For minor updates i read that i should use
foreman-maintain list-versions
and
foreman-maintain upgrade check --target-version TARGET_VERSION
before running
foreman-maintain upgrade run --target-version TARGET_VERSION

Expected outcome:
Safely install OS updates and foreman/katello minor version updates.
Foreman and Proxy versions:
3.10
Foreman and Proxy plugin versions:
N/A
Distribution and version:
RHEL 8

Hi @nem ,

Are you coming from a Satellite background by chance? The minor version upgrade process is a bit different between the product Satellite and Foreman. I’m asking since the process you’re talking with foreman-maintain is the Satellite-style.

For Foreman, assuming you have the correct repositories enabled (i.e. no EPEL, and no other weird ones that’ll pull in extra packages), you can just dnf update and then run foreman-installer. Running foreman-installer is important in case there were fixes to any of our Puppet modules or any database migrations.

Snapshots are always great to take of course beforehand.