How to handle Erratas when clients are locked to kernel versions

Hi there,

we’ve got a number of Rocky8 clients which are enrolled into Foreman/Katello for content subscriptions. Those clients are locked to a specific kernel version using dnf versionlock. This is unfortunately necessary due to storage client requirements.

When I check these hosts in the foreman gui all of them are reporting some Erratas available. For example there’s a bug fix for package kmod-kvdo which requires a newer kernel-modules version. However due to the dnf versionlock on the kernel-modules package, trying to install/apply the Errata will result in a failure.

Is there a way to tell either the client, subscription manager or foreman/katello to ignore certain packages? I know it’s a long shot but I’d prefer to not have all clients in the foreman gui showing error-statuses.


Foreman and Proxy versions:
foreman: 3.8.0

Foreman and Proxy plugin versions:
foreman-tasks 8.2.0
foreman_puppet 6.0.1
foreman_remote_execution 11.0.0
katello 4.10.0

Distribution and version:
Rocky Linux release 8.8 (Green Obsidian)

Well, I guess the short answer is “the feature works as intended” as you do have outstanding errata on those hosts and you really should be yelling at that storage client vendor. But while being technically correct, this answer is not really helpful, so let’s see.

The upload of package lists happens via subscription-manager, and you probably could adjust their code to filter out certain packages:

If a package is not reported as installed, it can’t have errata, right? :wink:
But that would require a patch to sub-man on every host, as there is today no way to locally configure an exclude list.

I don’t see a way to achieve the same on the @katello side, but maybe someone knows batter :wink:

Hey @MajorNickle

Maybe Using the KernelCare Plug-in in Managing Hosts helps with your use case?

Thanks @evgeni and @maximilian. I know it’s an edge case and more a cosmetic/reporting thing I’m trying to achieve here. I’ll checkout your both suggestions :slight_smile: Thanks!

Another possibility is a content view filter, which could filter out packages and/or errata by date. The errata then would show as applicable, but not installable. And you could set the setting “Generate errata status from directly-installable content” to Yes, which would avoid the negative host status.

1 Like

That’s a very great idea! Let me try that right now. I might create a separate content view for those hosts and exclude the package group. Thanks @jeremylenz

1 Like

@jeremylenz I create a seperate content view and applied the below filters. When publishing a new version which includes the filters the task just sits there and doesn’t progress. Looking at the running steps it seems to attempt to poll some data. It’s not failing but attempting over and over again as I can see the counter going up every couple of seconds. Any idea what would cause that?

 "poll_attempts"=>{"total"=>91, "failed"=>0}}

Does hammer ping or foreman-maintain service status show all services running?

You can also see what Pulp is up to with journalctl -u *pulp*

hammer ping and foreman-maintain service status show all services are running.

I don’t see any errors being thrown looking at journalctl. But below is an example what’s currently being logged.

Nov 09 07:31:23 foreman pulpcore-api[450624]: pulp [95a2bbe0-83b5-44e9-8f6c-83b375b10b82]:  - - [09/Nov/2023:15:31:23 +0000] "GET /pulp/api/v3/tasks/018bb4ad-635e-729a-82ee-d4aa3b43b2e0/ HTTP/1.1" 200 1394 "-" "OpenAPI-Generator/3.28.11/ruby"
Nov 09 07:31:23 foreman pulpcore-api[443853]: pulp [95a2bbe0-83b5-44e9-8f6c-83b375b10b82]:  - - [09/Nov/2023:15:31:23 +0000] "GET /pulp/api/v3/tasks/018bb4ad-68bf-7f0d-8c4b-ff1a0c122cb6/ HTTP/1.1" 200 1394 "-" "OpenAPI-Generator/3.28.11/ruby

Looking at the dynflow console its sitting at step 50. I was able to publish a version without filters just fine but as soon as I add a filter its not getting past this step.

Hey @MajorNickle ,

Since I see MultiCopyContent there that means you’re using dependency solving – it dramatically slows down content view publishes. We have some warnings in the UI about it, but I would say to use it only if you really must.

Edit: also make sure that you’re using the latest Pulp packages, there was a bug fixed recently that might’ve caused slower than usual Pulp content copying.


@jeremylenz alright I think I got it working. Good old selinux was preventing /usr/bin/rpm from getattr access on /var/lib/rpm/Packages. After running restorecon -v '/var/lib/rpm/Packages' it’s now progressing.


Awesome! I’d expect pulp to tell us that and fail if it’s not doing so instead of appearing to hang…Debugging nightmare… :smiley:

1 Like

Yeah, I only noticed it when looking at the foreman.service output.

Thanks everyone for the input and suggestions. Much appreciated!

I’m still fairly new to Katello, could you tell me how to check? I’m on foreman: 3.8.0 and katello 4.10.0. On the about page I have following pulp packages installed.


To check you just need to run a yum update and see if there’s an available Pulpcore update :+1:

Ah gotcha. I’m on the latest then. I think as you mentioned before the dependency solving I had enabled contributed to the slow publishing. I’ve disabled it as I noticed it does seem to interfere with the content view filters. I’m all good now :slight_smile:

Thanks again everyone!

1 Like

When I need to exclude newer kernels (for out-of-tree kmod reasons), I do something like

pattern arch version
bpftool All architectures Greater than version 4.18.0-425.3.1.el8
kernel* All architectures Greater than version 4.18.0-425.3.1.el8
*perf All architectures Greater than version 4.18.0-425.3.1.el8
kmod-kvdo All architectures Greater than version

I don’t know if this is relevant to your use case, but if you exclude the package group you may have trouble using the CV to Kickstart.

I would also suggest you make sure you are only applying filters to BaseOS if that’s where all the packages you need to exclude are from, since in my experience that is (a) faster to publish and (b) in the past I’ve lost modulemd_defaults by applying even non-matching filters to AppStream or other repositories.

1 Like

Right now I have individuals packages excluded just like you in your example. But I didn’t know or see that you can apply it to only a subset of repositories. That’s a very great tip! Thanks a lot :slight_smile:

RPM name Architecture
kernel All architectures
kernel-core All architectures
kernel-devel All architectures
kernel-headers All architectures
kernel-modules All architectures
kernel-tools All architectures
kernel-tools-libs All architectures
kernel-tools-libs-devel All architectures
kmod All architectures
kmod-devel All architectures
gcc All architectures
elfutils-libelf-devel All architectures
kmod-kvdo All architectures