Candlepin RPM missing

chatlow · March 16, 2026, 3:48pm

Problem:
Ran a check across our 1 master and 4 proxies. 2 of the proxies do not have the candlepin RPM installed
Curious how this can be as everything has been up and running for years and stepped upgrades have taken place at the same time for all. Will this be causing any problems?

Foreman and Proxy versions:
3.17, w/ katello 4.19

ehelms · March 16, 2026, 5:34pm

The candlepin RPM should only be present on the main Foreman server. Candlepin is not used on proxies.

chatlow · March 16, 2026, 5:51pm

Thanks, I’m stumped as to why it’s on 2 of our proxies then. Very strange. Presume it’s OK to remove from them via DNF?

gvde · March 16, 2026, 7:38pm

Well, before you remove it you should probably check if it’s running, i.e. if tomcat is running. If it is, you should check why it’s running.

To know, why it has been installed, run

# dnf history list candlepin
Updating Subscription Management repositories.
subscription-manager plugin disabled 6 system repositories with respect of configuration in /etc/dnf/plugins/subscription-manager.conf
ID     | Command line                                                                                                               | Date and time    | Action(s)      | Altered
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   568 | -y update                                                                                                                  | 2026-01-09 07:50 | Upgrade        |    2  <
   557 | -y update --cacheonly                                                                                                      | 2025-12-15 07:38 | I, U           |   61 ><
   404 | -y update --cacheonly                                                                                                      | 2024-11-27 07:18 | Upgrade        |   15 >E
   403 | -y update                                                                                                                  | 2024-11-22 07:22 | C, E, I, U     |   18 E<
   375 | -y update                                                                                                                  | 2024-10-04 15:20 | Upgrade        |    2 ><
   353 | update                                                                                                                     | 2024-08-07 16:23 | I, O, U        |  217 ><
   304 | -y update --cacheonly                                                                                                      | 2024-03-12 14:05 | I, O, U        |  332 ><
   243 | update                                                                                                                     | 2023-10-13 15:14 | I, O, U        |   81 ><
   168 | -y update                                                                                                                  | 2023-02-25 17:02 | Upgrade        |    6 ><
   125 | update                                                                                                                     | 2022-11-02 09:34 | I, U           |  150 ><
    51 | -d 0 -e 1 -y install katello-selinux                                                                                       | 2022-07-13 17:33 | Install        |   89 >

to see a list of dnf transaction which installed/updated the candlepin package. The earliest one would be the one which installed it initially (unless you have removed it again later). In my example above which I ran on my main foreman server where I have candlepin installed it would be ID 51.

# dnf history info 51
...

This would give you more details on the specific transaction or run

# dnf history info candlepin
...

to see the details of all transactions involving candlepin.

Dirk · March 17, 2026, 8:03am

Also this parameters are a good hint for an automated installation as you will likely not add them manually, but Puppet uses it to silence the install while being able to catch an error.

chatlow · March 17, 2026, 10:03am

Thanks, yeah I ran this yesterday and found that it got installed in 2023
Just katello-4.8.2-1.el8.noarch was installed

I can only assume this was part of some install testing by someone before I followed the setup guide.

Anyway, it sounds like not needed on the proxies, so will remove

This while thing came about because Qualys has detected a vulnerability in the version of Apache Artemis which is part of Candlepin, see my other thread.

Unfortunately that thread hasn’t had a response yet

gvde · March 17, 2026, 10:08am

Well in that case you should remove katello instead of candlepin. That should remove it with all dependencies which are not required. But if you remove candlepin instead it should also remove katello and the dependent packages.

chatlow · March 17, 2026, 10:14am

Yup, thanks, will sort that on the 3 proxies today. Just glad to have confirmation that only the master instance requires the package

chatlow · March 17, 2026, 2:54pm

Looked at this and attempts to remove Candlepin also includes katello, foreman, tomcat, java and rubygem from the proxy.

I can run it with --noautoremove so it ignores the “unwanted” dependencies and just removes katello/Candlepin but still a bit worried, given we installed foreman with --scenario katello on all servers, so I’m paranoid it’s needed

gvde · March 17, 2026, 3:22pm

That can’t be right. You don’t install that scenario on proxies, only on the main server. Are you sure?

That is about right. It would be helpful, if you posted the exact output instead of listing a few packages…

chatlow · March 17, 2026, 3:37pm

Yup certain, it’s how we installed it years ago and works fine. The upgrade notes also confirm katello RPM is on the proxies

Create a backup of your Smart Proxy server. The backup can be a virtual machine (VM) snapshot or a regular full backup. For more information, see Backing up Foreman server and Smart Proxy server in Administering Foreman.
Update repositories:

dnf upgrade https://yum.theforeman.org/releases/3.18/el9/x86_64/foreman-release.rpm \ https://yum.theforeman.org/katello/4.20/katello/el9/x86_64/katello-repos-latest.rpm

Anyway, I have now removed Candlepin and just Katello (not the other dependencies otherwise it would break)

Here’s the full list just FYI

Removing:
katello noarch 4.19.0.1-1.el9 @katello 378
Removing unused dependencies:
bluez-libs x86_64 5.83-2.el9 @ol9_baseos_latest 214 k
candlepin noarch 4.6.4-2.el9 @candlepin 95 M
candlepin-selinux noarch 4.6.4-2.el9 @candlepin 566 k
dynflow-utils x86_64 1.6.3-1.el9 @System 1.9 M
ecj noarch 1:4.20-17.el9 @System 2.1 M
fdk-aac-free x86_64 2.0.0-8.el9 @ol9_appstream 588 k
foreman noarch 3.17.1-1.el9 @foreman 189 M
foreman-postgresql noarch 3.17.1-1.el9 @foreman 129
foreman-selinux noarch 3.17.1-1.el9 @foreman 97 k
java-11-openjdk-headless x86_64 1:11.0.25.0.9-7.0.1.el9 @System 169 M
java-17-openjdk x86_64 1:17.0.18.0.8-1.0.1.el9 @ol9_appstream 1.1 M
java-17-openjdk-headless x86_64 1:17.0.18.0.8-1.0.1.el9 @ol9_appstream 185 M
javapackages-tools noarch 6.4.0-1.el9 @System 72 k
katello-selinux noarch 5.2.0-1.el9 @katello 56 k
libldac x86_64 2.0.2.3-10.el9 @ol9_appstream 79 k
libsbc x86_64 1.4-9.el9 @ol9_appstream 81 k
net-tools x86_64 2.0-0.64.20160912git.el9 @System 906 k
pipewire x86_64 1.0.1-1.el9 @ol9_appstream 351 k
pipewire-alsa x86_64 1.0.1-1.el9 @ol9_appstream 173 k
pipewire-jack-audio-connection-kit x86_64 1.0.1-1.el9 @ol9_appstream 30
pipewire-jack-audio-connection-kit-libs x86_64 1.0.1-1.el9 @ol9_appstream 548 k
pipewire-libs x86_64 1.0.1-1.el9 @ol9_appstream 7.6 M
pipewire-pulseaudio x86_64 1.0.1-1.el9 @ol9_appstream 427 k
postfix x86_64 2:3.5.25-1.el9 @System 4.4 M
rtkit x86_64 0.11-29.el9 @ol9_appstream 146 k
rubygem-actioncable noarch 7.0.10-1.el9 @foreman 169 k
rubygem-actionmailbox noarch 7.0.10-1.el9 @foreman 59 k
rubygem-actionmailer noarch 7.0.10-1.el9 @foreman 88 k
rubygem-actionpack noarch 7.0.10-1.el9 @foreman 825 k
rubygem-actiontext noarch 7.0.10-1.el9 @foreman 348 k
rubygem-actionview noarch 7.0.10-1.el9 @foreman 717 k
rubygem-activejob noarch 7.0.10-1.el9 @foreman 111 k
rubygem-activemodel noarch 7.0.10-1.el9 @foreman 233 k
rubygem-activerecord noarch 7.0.10-1.el9 @foreman 1.9 M
rubygem-activerecord-import noarch 2.2.0-1.el9 @katello 95 k
rubygem-activerecord-session_store noarch 2.2.0-1.el9 @foreman 23 k
rubygem-activestorage noarch 7.0.10-1.el9 @foreman 240 k
rubygem-addressable noarch 2.8.7-1.el9 @System 270 k
rubygem-algebrick noarch 0.7.5-1.el9 @System 65 k
rubygem-ancestry noarch 4.3.3-1.el9 @System 40 k
rubygem-angular-rails-templates noarch 1:1.3.1-1.el9 @foreman-plugins 9.7 k
rubygem-apipie-dsl noarch 2.6.2-1.el9 @System 404 k
rubygem-apipie-params noarch 0.0.5-6.el9 @foreman 14 k
rubygem-apipie-rails noarch 1.5.0-1.el9 @foreman 552 k
rubygem-audited noarch 5.8.0-1.el9 @foreman 47 k
rubygem-bcrypt x86_64 3.1.20-1.el9 @System 39 k
rubygem-builder noarch 3.3.0-1.el9 @System 33 k
rubygem-concurrent-ruby-edge noarch 1:0.6.0-4.fm3_16.el9 @foreman 217 k
rubygem-crass noarch 1.0.6-2.el9 @System 43 k
rubygem-css_parser noarch 1.21.1-1.el9 @foreman 63 k
rubygem-daemons noarch 1.4.1-1.el9 @System 64 k
rubygem-deacon noarch 1.0.0-5.el9 @System 615 k
rubygem-deep_cloneable noarch 3.2.1-1.el9 @foreman 12 k
rubygem-deface noarch 1.9.0-1.el9 @System 65 k
rubygem-domain_name noarch 0.6.20240107-1.el9 @System 260 k
rubygem-dynflow noarch 1.9.3-1.el9 @foreman 1.3 M
rubygem-erubi noarch 1.13.1-1.el9 @foreman 18 k
rubygem-et-orbi noarch 1.2.7-1.el9 @System 29 k
rubygem-facter noarch 4.10.0-1.el9 @foreman 865 k
rubygem-faraday noarch 1.10.2-1.el9 @System 113 k
rubygem-faraday-em_http noarch 1.0.0-1.el9 @System 13 k
rubygem-faraday-em_synchrony noarch 1.0.0-1.el9 @System 10 k
rubygem-faraday-excon noarch 1.1.0-1.el9 @System 7.2 k
rubygem-faraday-httpclient noarch 1.0.1-1.el9 @System 8.6 k
rubygem-faraday-multipart noarch 1.0.4-1.el9 @System 12 k
rubygem-faraday-net_http noarch 1.0.1-1.el9 @System 10 k
rubygem-faraday-net_http_persistent noarch 1.2.0-1.el9 @System 7.4 k
rubygem-faraday-patron noarch 1.0.0-1.el9 @System 7.8 k
rubygem-faraday-rack noarch 1.0.0-1.el9 @System 5.9 k
rubygem-faraday-retry noarch 1.0.3-1.el9 @System 11 k
rubygem-fast_gettext noarch 2.4.0-2.el9 @foreman 66 k
rubygem-fog-core noarch 2.6.0-1.el9 @foreman 118 k
rubygem-foreman-tasks noarch 11.0.6-1.fm3_17.el9 @foreman-plugins 4.5 M
rubygem-foreman_remote_execution noarch 16.3.1-1.fm3_17.el9 @foreman-plugins 5.0 M
rubygem-formatador noarch 1.2.2-1.el9 @foreman 10 k
rubygem-friendly_id noarch 5.5.1-1.el9 @System 74 k
rubygem-fugit noarch 1.8.1-1.el9 @System 55 k
rubygem-fx noarch 0.9.0-1.el9 @katello 38 k
rubygem-get_process_mem noarch 1.0.0-1.el9 @System 6.3 k
rubygem-gettext_i18n_rails noarch 1.13.0-1.el9 @System 24 k
rubygem-globalid noarch 1.3.0-1.el9 @foreman 31 k
rubygem-graphql noarch 1.13.25-1.el9 @foreman 1.4 M
rubygem-graphql-batch noarch 0.6.1-1.el9 @foreman 11 k
rubygem-hocon noarch 1.4.0-1.el9 @System 367 k
rubygem-http-accept noarch 1.7.0-1.el9 @System 27 k
rubygem-http-cookie noarch 1.1.0-1.el9 @foreman 72 k
rubygem-irb noarch 1.3.5-165.el9_5 @System 206 k
rubygem-jquery-ui-rails noarch 6.0.1-2.el9 @foreman 687 k
rubygem-katello noarch 4.19.0.1-1.el9 @katello 82 M
rubygem-ldap_fluff noarch 0.9.0-1.el9 @foreman 25 k
rubygem-loofah noarch 2.24.1-1.el9 @foreman 74 k
rubygem-mail noarch 2.9.0-1.el9 @foreman 3.6 M
rubygem-marcel noarch 1.1.0-1.el9 @foreman 196 k
rubygem-method_source noarch 1.1.0-1.el9 @System 17 k
rubygem-mime-types noarch 3.7.0-1.el9 @foreman 61 k
rubygem-mime-types-data noarch 3.2025.0924-1.el9 @foreman 1.1 M
rubygem-mini_mime noarch 1.1.5-1.el9 @System 222 k
rubygem-msgpack x86_64 1.8.0-1.el9 @foreman 118 k
rubygem-multipart-post noarch 2.2.3-1.el9 @System 22 k
rubygem-net-ldap noarch 0.20.0-1.el9 @foreman 183 k
rubygem-net-ping noarch 2.0.8-1.el9 @System 32 k
rubygem-net-scp noarch 4.1.0-1.el9 @foreman 39 k
rubygem-net-ssh noarch 7.3.0-1.el9 @foreman 452 k
rubygem-netrc noarch 0.11.0-7.el9 @foreman 9.1 k
rubygem-nio4r x86_64 2.7.5-1.el9 @foreman 114 k
rubygem-nokogiri x86_64 1.15.7-1.el9 @foreman 964 k
rubygem-oauth noarch 1.1.3-1.el9 @foreman 86 k
rubygem-oauth-tty noarch 1.0.6-1.el9 @foreman 32 k
rubygem-polyglot noarch 0.3.5-3.el9 @System 4.2 k
rubygem-promise.rb noarch 0.7.4-3.el9 @System 16 k
rubygem-public_suffix noarch 6.0.2-1.el9 @foreman 345 k
rubygem-pulp_ansible_client noarch 0.28.0-1.el9 @katello 1.9 M
rubygem-pulp_certguard_client noarch 3.85.1-1.el9 @katello 154 k
rubygem-pulp_container_client noarch 1:2.26.2-1.el9 @katello 1.2 M
rubygem-pulp_deb_client noarch 3.7.0-1.el9 @katello 1.3 M
rubygem-pulp_file_client noarch 3.85.1-1.el9 @katello 679 k
rubygem-pulp_ostree_client noarch 1:2.5.0-2.el9 @katello 751 k
rubygem-pulp_python_client noarch 3.19.1-1.el9 @katello 704 k
rubygem-pulp_rpm_client noarch 3.32.2-1.el9 @katello 1.4 M
rubygem-pulpcore_client noarch 1:3.85.1-1.el9 @katello 2.5 M
rubygem-raabro noarch 1.4.0-1.el9 @System 16 k
rubygem-rabl noarch 0.17.0-1.el9 @foreman 56 k
rubygem-rack-cors noarch 1.1.1-1.el9 @System 16 k
rubygem-rack-jsonp noarch 1.3.1-11.el9 @foreman 5.1 k
rubygem-rack-test noarch 2.2.0-1.el9 @foreman 34 k
rubygem-rails noarch 7.0.10-1.el9 @foreman 4.1 k
rubygem-rails-dom-testing noarch 2.3.0-1.el9 @foreman 34 k
rubygem-rails-html-sanitizer noarch 1.6.2-1.el9 @foreman 26 k
rubygem-rails-i18n noarch 7.0.10-1.el9 @foreman 733 k
rubygem-railties noarch 7.0.10-1.el9 @foreman 524 k
rubygem-rainbow noarch 2.2.2-1.el9 @System 16 k
rubygem-responders noarch 3.2.0-1.el9 @foreman 40 k
rubygem-rest-client noarch 2.1.0-1.el9 @System 84 k
rubygem-roadie noarch 5.2.1-1.el9 @System 60 k
rubygem-roadie-rails noarch 3.4.0-1.el9 @foreman 15 k
rubygem-ruby2ruby noarch 2.5.2-1.el9 @foreman 33 k
rubygem-ruby_parser noarch 3.21.1-1.el9 @System 7.1 M
rubygem-safemode noarch 1.5.0-1.el9 @System 30 k
rubygem-scoped_search noarch 4.3.1-1.el9 @foreman 83 k
rubygem-secure_headers noarch 7.1.0-1.el9 @foreman 76 k
rubygem-sexp_processor noarch 4.17.4-1.el9 @foreman 188 k
rubygem-snaky_hash noarch 2.0.3-1.el9 @foreman 22 k
rubygem-spidr noarch 0.7.2-1.el9 @katello 95 k
rubygem-sprockets noarch 4.2.2-1.el9 @foreman 268 k
rubygem-sprockets-rails noarch 3.5.2-1.el9 @System 32 k
rubygem-sshkey noarch 2.0.0-1.el9 @System 16 k
rubygem-statsd-instrument noarch 2.9.2-1.el9 @System 116 k
rubygem-stomp noarch 1.4.10-1.el9 @System 171 k
rubygem-thor noarch 1.3.0-1.el9 @System 188 k
rubygem-validates_lengths_from_database noarch 0.8.0-1.el9 @System 7.9 k
rubygem-version_gem noarch 1.1.9-1.el9 @foreman 14 k
rubygem-websocket-driver x86_64 0.8.0-1.el9 @foreman 57 k
rubygem-websocket-extensions noarch 0.1.5-2.el9 @System 9.1 k
rubygem-will_paginate noarch 3.3.1-1.el9 @System 50 k
rubygem-zeitwerk noarch 2.6.18-1.el9 @foreman 65 k
tomcat noarch 1:9.0.87-6.el9_7.1 @ol9_appstream 322 k
tomcat-el-3.0-api noarch 1:9.0.87-6.el9_7.1 @ol9_appstream 229 k
tomcat-jsp-2.3-api noarch 1:9.0.87-6.el9_7.1 @ol9_appstream 143 k
tomcat-lib noarch 1:9.0.87-6.el9_7.1 @ol9_appstream 6.8 M
tomcat-native x86_64 1.2.35-1.el8 @oel8-epel 223 k
tomcat-servlet-4.0-api noarch 1:9.0.87-6.el9_7.1 @ol9_appstream 610 k
webrtc-audio-processing x86_64 0.3.1-8.el9 @ol9_appstream 734 k
wireplumber x86_64 0.4.14-1.el9 @ol9_appstream 301 k
wireplumber-libs x86_64 0.4.14-1.el9 @ol9_appstream 1.2 M

gvde · March 17, 2026, 3:50pm

That’s the repository package for katello, not the katello rpm. The katello repository packages contains the repository configuration for pulpcore which is needed for the content proxy. You install katello-repos-latest (i.e. katello-repos) but not the katello rpm from the katello repository.

I can only ask again: are you sure you have installed the proxy with foreman-installer --scenario katello? That is not how you install a proxy. That would install a fully functioning main server.

The dependency list of the packages to be removed looks about right to me. The developers probably can confirm but most of those packages are part of the main server. You may want to keep some packages like postfix or net-tools if you use them. But otherwise, all those should go, if you have installed the proxy with the foreman-proxy-content scenario.

chatlow · March 17, 2026, 4:38pm

Ah you are right- I’ve just checked - it was foreman-installer --scenario foreman-proxy-content (which is the output from the master instance to use on the proxy during setup. Sorry, long day

As for the depencies it doesn’t matter too much - we just need to get rid of candlepin and katello as Qualys shows them containing an Apache Aertemis vulnerability (see other thread). Removing the rpm’s on the 2 proxies clears them, but the master server still flags vulnerable. need to prove this is a false positive or hear from the devs about a fix

gvde · March 17, 2026, 6:17pm

Then I would highly recommend to clean up all the dependencies which are not required. There is no purpose leaving all those rpms around which are not used. Worst, more of them are flagged vulnerable in the future.

Clean up all the unnecessary packages. dnf autoremove should do that if you have already removed katello and candlepin. As long as foreman-proxy-content.noarch remains installed everything the proxy requires is there.

Run foreman-installer after that. If anything is actually missing, foreman-installer will install it again.

Then you should have a system which only contains the rpms necessary to operate the proxy.