Foreman server and auto updates

We usually configure our hosts to get and install updates with dnf-automatic (and then we don’t use puppet). Is it a problem for the main foreman server (version 3.7 with katello 4.9.1) ? May an upgrade break the server ?


upgrades of certain packages (like httpd) will in fact break you Foreman. The reason for this is: foreman-installer uses Puppet in the background to configure all kinds of services, and in most cases deletes all the stock config that comes with the packages. Updating those packages will re-deploy some of those config files and restart the service, which will leave you with things like httpd not starting.
Best practice would be to always do a foreman-installer after any package upgrades. This should be doable in an automated fashion if you did not tinker with any foreman-installer managed configs by hand. I don’t know if dnf-automatic supports post commands or something alike.

Hope this helps


You could abuse the command emitter or reboot_command to run the foreman-installer automatically afterwards, not sure if it is a good idea, but it should work.

Thanks for the answers. I think it will be safe to stop auto-updates on the server, and manage them manually when (and if) we will use foreman in production environment.

I recall we’ve had problems with that in the past. One problem is that if you remove a config file that rpm will happily place it back, but I thought we fixed this by replacing the files with empty content instead. Can you share where you did see a problem?

I have not personally encountered this problem, we always just run foreman-installer after an OS upgrade.
But I have seen this being reported/asked a few times here on the forum in the past, and the answer has always been “run foreman-installer afterwards, otherwise it will break”.
If this is fixed in current versions, I’m happy to be wrong :wink:


I run the upgrade on my nightly box regularly followed with the foreman-installer command. The process is driven from outer Foreman (repeated REX job) and it seems to work fine. The process causes shorter downtime, especially if the new version has some migration, I need to wait till the installer finishes.

1 Like