I have a very simple question (though the answer may naturally be more complex). When or how often should one go about updating Foreman/Katello to the next version?
I can think of a few reasons why one would upgrade:
- The new version either fixes a bug that has been an annoyance or adds an additional feature one could use.
- The new version “patches” important security vulnerabilities. Not sure how often this happens and just how far back these patches are backported? That may have some relation to my next point.
- The version currently running will soon fall out of community support. Not too sure how that works, I’m sure there is some kind of support lifecycle? I’d imagine at some point the community would deem a particular version (and its predecessors) to be too old to assist with issues on.
- Upgrading for the sake of keeping future upgrades quick, as it would be painful to fall far behind and need to do many individual point upgrades.
I would love to hear the community’s recommendation on this!
Hello @fresh-pie ,
There are various considerations when upgrading Foreman, and different environments have different ones. Let me outline the way our release process works which may help you understand how to make the right decision for your environment.
Every 3 months we branch for the next release. Shortly after branching, we begin releasing release candidates of the upcoming release, usually once every couple of weeks, until we feel fairly confident that the release is stable enough to go out to production usage. Users who are able to test out release candidates in their environment help us immensely in identifying any serious issues - while we have fairly good test coverage, Foreman is a huge beast and covering every path and every possible plugin combination is impossible.
We continue to maintain the latest two releases, with the latest normally getting bug fixes and the older release only getting fixes for security issues or very severe bugs. When a new release goes out, that means it’s the end of life for the previous “old” release.
All security issues are reported on our website, and in the case of serious ones we also mention them when announcing a release fixing them. The frequency of security vulnerability fixes varies greatly; sometimes we have several fixes in one release, while other times we can go a couple of releases without any.
As for upgrade frequency - some users will upgrade every time a new major or minor release comes out, others only upgrade once for every major one and some may prefer to wait a few before taking a long outage window to upgrade several versions at once. The decision depends on your environment’s requirements with regards to availability, stability, security, new features etc.
We do recommend regularly upgrading to make sure you are at least on a supported version in case of security issues, and to avoid running into issues when upgrading many versions in one go. Most single-version upgrades are fairly quick and hopefully painless to run, other than a short outage while the upgrade process is running. It is also recommended to take a VM snapshot or backup before upgrading, in case something goes wrong during upgrade and you need to revert to the previous version.
If you require a more stable environment with less frequent upgrades, there are also a couple of commercial offerings based on Foreman that have a different release cadence and support SLAs - Red Hat Satellite and ATIX Orcharhino.
Thank you so much tbrisker for your awesome reply. It answered all my questions and then some!
@tbrisker Great answer, which is perhaps worth pinning somewhere. Especially because I very often see very old versions when someone has issues or needs assistance with an upgrade.
Only thing I would have to add is that Katello is always some weeks behind (is this a fixed value?) and you can only upgrade when both have a new version released if you are a Katello user, but this is mentioned in the manual.
Thanks @Dirk for the note about Katello - indeed usually Katello is released a bit after Foreman, we’re aiming to make the gap as short as possible but in some cases there are various issues causing an additional delay. Some users choose to go ahead and upgrade to a Katello release candidate instead of waiting for the GA release, but that again depends on their use case’s requirements.
Looking at the history, in the recent Katello versions we saw quite a bit longer delay related to the Pulp 3 work, with Katello GA coming about 2-3 weeks later than Foreman, but just a year ago we even managed to release Katello 3.14 on the same day as Foreman 1.24. I hope that once Katello 4 is released and we are done with the Pulp migration we’ll be able to get back on track with releasing Katello closer to Foreman.
Hi all, thanks for the info! I was just looking for it.
I think this can be a good addition to the upgrade section of the manual, it already mentions viable upgrade paths. So perhaps it’s good to mention that only the last 2 releases are supported. (also for the Katello manual then)
Good idea, @Thulium-Drake
Added to my to-do list!